A Serious New Registry Security Vulnerability

A New Security Vulnerability
On March 10, Microsoft posted a patch that eliminates a serious Registry security vulnerability. Any user who can log on interactively to a Windows NT 4.0 server or workstation; a BackOffice system; or a Windows NT Server 4.0, Terminal Server Edition (TSE) workstation can exploit this security hole to gain unauthorized privileges. The privileges let a malicious user run code in the local system context, run code when another user logs on to the same computer, and disable the security protection for an older vulnerability that lets the user cover his or her tracks after the exploit.

Microsoft Support Online article Q250625 documents the vulnerability. Because the patch is a security fix, it’s available for public download. You can find the Intel version, q250625i.exe, or the Alpha version, q250625a.exe. For a more detailed description of the vulnerability, see the Microsoft Security Bulletin. Because of the potential for extensive damage, I recommend that you apply this patch to all servers and workstations in your enterprise as soon as you have tested it thoroughly.

Far East SP5 Print Problems
Several versions of Service Pack 5 (SP5) for NT won’t print or will generate a print spooler access violation (Dr. Watson) error when you select the "Hold mismatched documents" check box on the Scheduling tab in the printer's properties. The problem is specific to the Japanese, Pan Chinese, Simplified Chinese, Traditional Chinese, and Korean versions of NT. Microsoft Support Online article Q250390 describes the printing problem and indicates that you must call Microsoft Support to get a new version of rasddui.dll to eliminate the print spooler problem. The updates aren’t available for public download.

Microsoft Cluster Server and Replacement Hard Disks
Microsoft Cluster Server (MSCS) relies on a hard disk’s disk signature for proper operation. When you replace a hard disk or change the SCSI ID associated with an existing disk, MSCS might fail at startup, and you’ll see a record with Event ID 1034 from ClusDisk with the message, "The disk associated with cluster disk resource could not be found. The expected signature of the disk was ." The problem is that when you replace a failed disk with a new one, the new disk doesn’t have a disk signature. Also, MSCS associates a disk signature with a specific SCSI ID, so when you change the SCSI ID of an existing hard disk, the disk signature no longer matches.

Microsoft Support Online article Q243195 provides a 20-step procedure you must follow after you replace a hard disk to ensure proper MSCS operation. In addition to shutting down node 2, you must make several adjustments to node 1, including setting the Clusdisk and Cluster services to start manually, running Disk Administrator to label new partitions, and running the Microsoft Windows NT Server 4.0 Resource Kit utility ftedit.exe to record the disk signature for the hard disk you replaced or whose SCSI ID you changed. The procedure appears to be highly order sensitive, so read the article carefully before you replace a hard disk. And avoid changing the SCSI ID on existing drives if possible—you’ll save yourself quite a bit of work and several potentially large headaches.

IIS 4.0 Password Access Violation
This situation unusual, but Internet Information Server (IIS) 4.0 will generate an access violation if you set the PasswordChangeFlags value to 4 or greater and the number of days that a user's password will expire is less than the PasswordExpirePrenotifyDays value. When the PasswordChangeFlags value is 4 or higher, the function that IIS calls to determine whether it needs to redirect the client to the Password Expired page returns null instead of a pointer to a string containing the URL. IIS incorrectly attempts to use the pointer to check the string to determine whether it’s empty without first checking to determine whether it has a valid pointer. The obvious workaround is to set the PasswordChangeFlags to a greater value than PasswordExpirePrenotifyDays, but if this approach doesn’t work for you, call Microsoft Support Online for the IIS 4.0 bugfix. The bugfix updates seven DLLs dated November 15, 1999: asp.dll, infocomm.dll, iwrps.dll, ssinc.dll, spifilt.dll, w3svc.dll, and wam.dll. See Microsoft Support Online article Q246391 for more information.

Updated Ntbackup Supports Seagate Scorpion DAT Drives
Microsoft released a new version of Ntbackup for NT on March 2 that properly initializes and recognizes Seagate Scorpion DAT drives. The solution applies specifically to a Seagate Scorpion 40 with compression and no host control set with all switches but 2 and 10 set to On. Microsoft Support Online article Q256306 documents the new version release, which you must call Microsoft Support to obtain.

More Ndis Bugs
The ndis.sys module might generate yet another blue screen with a Stop code of 0xA when a network adapter card reinitializes at the same time that a device closes operation. Microsoft Support Online article Q254993 doesn’t identify specific network adapters that cause the problem, so I assume the crash can occur with any network adapter card type. You must contact Microsoft Support directly for the latest version of ndis.sys, which Microsoft released on February 25. By my count, this is the seventh or eighth ndis.sys release in the last couple of years—this code must be difficult to debug.

Don’t Mix Encryption Versions with SP6/6a
If you’re running a stable SP5 and are considering updating to SP6a, be aware that you can’t install the low-encryption version of SP6a on a high-encryption NT system. SP6a upgrades low encryption from 40- to 56-bit, and if you attempt to install the low encryption version on a 128-bit encrypted OS, SP6a’s setup utility will shut down. Before SP6a, you could get away with installing a low-encryption version on a high-encryption system. See Microsoft Support Online article Q249135 for more information.