Article ID: 184017 - View products that this article applies to.
This article was previously published under Q184017
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
(http://support.microsoft.com/kb/256986/ )Description of the Microsoft Windows Registry
A program is available on the Internet that allows a local Administrator, with full control of a Windows NT system, to use APIs published in the Win32 software development kit (SDK) for Windows NT to display the contents of security information stored by the Local Security Authority (LSA) in a form called LSA Secrets. LSA Secrets are used to store information such as the passwords for service accounts used to start services under an account other than local System.
This is by design. Members of the local Administrators groups are trusted users that have the ability to access any information that can also be accessed by the operating system itself.
Note that the fix listed below does not change the behavior in which LSA secrets are available to local administrators. Administrators have access to data including LSA secrets. This fix provides improved protection for LSA secrets against attacks noted below that do not involve accounts with administrative priviledges.
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734The updates in this Windows NT 4.0 hotfix provide the following additional protection for the LSA Secret data:
(http://support.microsoft.com/kb/152734/ )How to Obtain the Latest Windows NT 4.0 Service Pack
Before You Apply The HotfixBecause this hotfix makes a modification to the on-disk storage of the LSA data information, Microsoft does not recommend that it be uninstalled. Perform the following steps to ease the transition back to a pre-LSA2-fix configuration in case you experience problems with the hotfix:
(http://support.microsoft.com/kb/154087/ )Access violation in Lsass.exe due to incorrect buffer size
(http://support.microsoft.com/kb/174205/ )LSASS may use a large amount of memory on a domain controller
129457This hotfix has been posted as Lsa2fixi.exe (x86) and Lsa2fixa.exe (Alpha).For your convenience, the English version of this post-SP3 hotfix has been posted to the following Internet location. However, Microsoft recommends that you install Windows NT 4.0 Service Pack 4 to correct this problem.
(http://support.microsoft.com/kb/129457/ )RestrictAnonymous Access enabled lets anonymous connections obtain the password policy
Note An updated version of this hotfix was posted on July 20, 1998 and provides an additional security level to systems running Windows NT 4.0 Service Pack 3.
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lsa2-fix/Note The above link is one path; it has been wrapped for readability.
If you run Systems Management Server on systems where this hotfix is applied, the SNMP Event Log Extension Agent (Snmpelea) generates the following Event ID 3007 error:
The SNMP Event Log Extension Agent requires an update to manage the security event log. For additional information about how to resolve the SNMP Event Log Extension Agent problem, click the following article number to view the article in the Microsoft Knowledge Base:
Error opening event log file Security.
Log will not be processed.
Return code from OpenEventLog is 1314.
(http://support.microsoft.com/kb/183770/ )Snmpelea unable to open security event log
Windows NT 3.51A hotfix for Windows NT 3.51 is not available at this time.
If you experience problems with this hotfix, perform the following steps to restore the system to its original configuration before applying the hotfix:
Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
Article ID: 184017 - Last Review: November 1, 2006 - Revision: 3.3