How to obtain help and support for this security update
For home users, no-charge support is available by calling 1-866-PCSAFETY in the United States and Canada or by contacting your local Microsoft subsidiary. For more information about how to contact your local Microsoft subsidiary for support issues with security updates, visit the Microsoft International Support Web site:
North American customers can also obtain instant access to unlimited no-charge e-mail support or to unlimited individual chat support by visiting the following Microsoft Web site:
After you apply this security update, applications such as Microsoft SQL Server or Internet Information Services (IIS) may fail when they make local NTLM authentication requests.
Cause
This problem occurs because of the way that NT LAN Manager (NTLM) treats different naming conventions as remote entities instead of as local entities. A local authentication failure might occur when the client calculates and caches the correct response to the NTLM challenge that is sent by the server in local "lsass" memory before the response is sent back to the server. When the server code for NTLM finds the received response in the local "lsass" cache, the code does not honor the authentication request and treats it as a replay attack. This behavior leads to a local authentication failure.
Resolution
To resolve this problem, you must disable reflection protection so that the affected systems can be authenticated.
For more information about how to do this, click the following article number to view the article in the Microsoft Knowledge Base:
896861 (http://support.microsoft.com/kb/896861/) You receive error 401.1 when you browse a Web site that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
887993 (http://support.microsoft.com/kb/887993/) Users experience authentication issues when they access a Web page in IIS 6.0 or query Microsoft SQL Server 2000 after you install Windows Server 2003 Service Pack 1
926642 (http://support.microsoft.com/kb/926642/) Error message when you try to access a server locally by using its FQDN or its CNAME alias after you install Windows Server 2003 Service Pack 1: "Access denied" or "No network provider accepted the given network path"
How to disable NTLM reflection protection
Important
This section, method, or task contains steps that tell you how to change the registry. However, serious problems might occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 (http://support.microsoft.com/kb/322756/) How to back up and restore the registry in Windows
To disable NTLM reflection protection, you must modify a registry key on the client computer. To do this, follow these steps on the client computer:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey in the registry:
3. On the Edit menu, point to New, and then click DWORD Value.
4. Type DisableLoopbackCheck for the name of the DWORD, and then press ENTER.
5. Right-click DisableLoopbackCheck, and then click Modify.
6. In the Value data box, type 1, and then click OK.
7. Exit Registry Editor, and then restart the computer.
Note: You must restart the computer for this change to take effect.
The effect of disabling NTLM reflection protection
Because NTLM reflection protection is part of the fix for this SMB vulnerability, disabling it on an affected system by setting DisableLoopbackCheck to 1 returns the whole system to a vulnerable state. Therefore, if an exemption is needed, we strongly recommend that you instead use the BackConnectionHostNames registry entry, which relaxes the protection only for the host names that you list.
How to re-enable NTLM reflection protection
To re-enable NTLM reflection protection, you must modify a registry entry on the client computer. To do this, follow these steps on the client computer:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey in the registry:
3. Right-click DisableLoopbackCheck, and then click Modify.
4. In the Value data box, type 0, and then click OK.
5. Exit Registry Editor, and then restart the computer.
Note: You must restart the computer for this change to take effect.
How to disable NTLM reflection protection for a particular SPN
You can disable NTLM reflection protection for a particular Service Principal Name (SPN) that is causing the corresponding authentication to break.
To do this, follow these steps on the client computer:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey in the registry:
3. On the Edit menu, point to New, and then click Multi-String Value.
4. Type BackConnectionHostNames for the name of the Multi-String Value, and then press ENTER.
Note: If the BackConnectionHostNames registry entry exists as a REG_DWORD, you must delete the BackConnectionHostNames registry entry.
5. Right-click BackConnectionHostNames, and then click Modify.
6. In the Value data box, type the CNAME or the DNS alias that is used for the local shares on the computer, and then click OK.
Note: You must type each host name on a separate line.
7. Exit Registry Editor, and then restart the computer.
Note: You must restart the computer for this change to take effect.
The effect of disabling NTLM reflection protection for a particular SPN
Because NTLM reflection protection is part of the fix for this SMB vulnerability, disabling NTLM reflection protection on an affected system will return the system to a vulnerable state for the particular SPN for which the reflection protection was disabled.
How to re-enable NTLM reflection protection for a particular SPN
To do this, follow these steps on the client computer:
1. Click Start, click Run, type regedit in the Open box, and then click OK.
2. Locate and then click the following subkey in the registry:
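The registry procedures above can be audited and applied from a script instead of Registry Editor. The following PowerShell script is an added example and is not part of the Microsoft Knowledge Base article. Because the subkey paths the steps refer to did not survive extraction of this page, the script uses the two subkeys that are documented in KB896861 (cited above): the Lsa subkey for DisableLoopbackCheck and the LanmanServer\Parameters subkey for BackConnectionHostNames. The function names and the sample alias are this example's own choices. It reports whether the system-wide bypass is in effect, adds host names to the narrower BackConnectionHostNames exemption (deleting a REG_DWORD entry of that name first, as the article requires), and re-enables the protection.

```powershell
# Added example, not part of the Microsoft Knowledge Base article: audit and
# adjust NTLM reflection protection on a computer that hosts IIS or SQL Server.
# Assumption: the registry subkeys the article's steps point to were lost in
# extraction; the two paths below are the ones documented in KB896861, which
# the article cites. Run from an elevated PowerShell prompt.

$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ServerKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$BchName   = 'BackConnectionHostNames'

function Get-NtlmReflectionState {
    # Reports whether loopback protection is disabled system-wide (the state the
    # article calls vulnerable) and which host names are exempted individually.
    $lsa   = Get-ItemProperty -Path $LsaKey -ErrorAction SilentlyContinue
    $srv   = Get-Item -Path $ServerKey
    $kind  = $null
    $names = @()
    if ($srv.GetValueNames() -contains $BchName) {
        $kind = $srv.GetValueKind($BchName)
        # The article says a REG_DWORD entry of this name must be deleted, so only
        # a REG_MULTI_SZ entry is read as an exemption list.
        if ($kind -eq 'MultiString') { $names = @($srv.GetValue($BchName)) }
    }
    New-Object PSObject -Property @{
        LoopbackCheckDisabled = ($lsa.DisableLoopbackCheck -eq 1)
        BackConnectionKind    = $kind
        ExemptedHostNames     = $names
    }
}

function Add-BackConnectionHostName {
    # The narrower exemption the article prefers over DisableLoopbackCheck=1:
    # list the CNAME / DNS aliases used for local shares, one host name per entry.
    param([Parameter(Mandatory=$true)][string[]]$HostName)
    $state = Get-NtlmReflectionState
    if ($state.BackConnectionKind -and $state.BackConnectionKind -ne 'MultiString') {
        # Per the article: a REG_DWORD BackConnectionHostNames must be deleted first.
        Remove-ItemProperty -Path $ServerKey -Name $BchName
    }
    # Merge with any names already listed; trim blanks and drop duplicates.
    $merged = @($state.ExemptedHostNames + $HostName |
        ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique)
    New-ItemProperty -Path $ServerKey -Name $BchName -PropertyType MultiString `
        -Value $merged -Force | Out-Null
    Write-Warning 'Restart the computer for this change to take effect.'
}

function Enable-NtlmReflectionProtection {
    # Reverses the article's "disable" steps: DisableLoopbackCheck back to 0.
    Set-ItemProperty -Path $LsaKey -Name 'DisableLoopbackCheck' -Value 0 -Type DWord
    Write-Warning 'Restart the computer for this change to take effect.'
}

# Audit: flag the system-wide bypass, which returns the computer to a vulnerable state.
$state = Get-NtlmReflectionState
if ($state.LoopbackCheckDisabled) {
    Write-Warning 'DisableLoopbackCheck=1: NTLM reflection protection is off system-wide.'
} else {
    Write-Output 'NTLM reflection protection is enabled system-wide.'
}
if ($state.BackConnectionKind -and $state.BackConnectionKind -ne 'MultiString') {
    Write-Warning ("{0} exists as {1}; it must be deleted and re-created as REG_MULTI_SZ." -f $BchName, $state.BackConnectionKind)
}
if ($state.ExemptedHostNames.Count -gt 0) {
    Write-Output ("Host names exempted via {0}: {1}" -f $BchName, ($state.ExemptedHostNames -join ', '))
}
# Example use with a constructed alias:
#   Add-BackConnectionHostName -HostName 'intranet.corp.example'
```

Run the script as-is to get the audit output; call Add-BackConnectionHostName with the aliases your local IIS or SQL Server clients actually use, and reserve DisableLoopbackCheck=1 for cases where no alias list can be determined, since that setting removes the protection for every name on the computer.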
The English (United States) version of this software update installs files that have the attributes that are listed in the following tables. The dates and times for these files are listed in Coordinated Universal Time (UTC). The dates and times for these files on your local computer are displayed in your local time and with your current daylight saving time (DST) bias. Additionally, the dates and times may change when you perform certain operations on the files.
For all supported editions of Microsoft Windows 2000 Service Pack 4
File name | File version | File size | Date | Time | Platform
Mrxsmb.sys | 5.0.2195.7174 | 416,016 | 27-Aug-2008 | 16:29 | x86
Msv1_0.dll | 5.0.2195.6926 | 125,200 | 07-Apr-2005 | 23:21 | x86
Netlogon.dll | 5.0.2195.7011 | 366,864 | 07-Apr-2005 | 23:24 | x86
Rdbss.sys | 5.0.2195.7174 | 170,800 | 27-Aug-2008 | 16:28 | x86
Sp3res.dll | 5.0.2195.7151 | 6,276,608 | 29-Feb-2008 | 13:26 | x86
Windows XP and Windows Server 2003 file information notes
The files that apply to a specific milestone (RTM, SPn) and service branch (QFE, GDR) are noted in the "SP requirement" and "Service branch" columns.
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. QFE service branches contain hotfixes in addition to widely released fixes.
In addition to the files that are listed in these tables, this software update also installs an associated security catalog file (KBnumber.cat) that has a Microsoft digital signature.
For all supported x86-based versions of Windows XP
File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Mrxsmb.sys | 5.1.2600.3467 | 453,632 | 24-Oct-2008 | 11:10 | x86 | SP2 | SP2GDR
Mrxsmb.sys | 5.1.2600.3467 | 455,936 | 24-Oct-2008 | 11:25 | x86 | SP2 | SP2QFE
Mrxsmb.sys | 5.1.2600.5700 | 455,296 | 24-Oct-2008 | 11:21 | x86 | SP3 | SP3GDR
Mrxsmb.sys | 5.1.2600.5700 | 455,936 | 24-Oct-2008 | 11:41 | x86 | SP3 | SP3QFE
For all supported x64-based versions of Windows Server 2003 and of Windows XP Professional x64 edition
File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Mrxsmb.sys | 5.2.3790.3206 | 786,944 | 08-Sep-2008 | 16:17 | x64 | SP1 | SP1GDR
Mrxsmb.sys | 5.2.3790.3206 | 786,944 | 08-Sep-2008 | 16:18 | x64 | SP1 | SP1QFE
Mrxsmb.sys | 5.2.3790.4369 | 786,944 | 08-Sep-2008 | 16:24 | x64 | SP2 | SP2GDR
Mrxsmb.sys | 5.2.3790.4369 | 786,944 | 08-Sep-2008 | 16:17 | x64 | SP2 | SP2QFE
For all supported x86-based versions of Windows Server 2003
File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Mrxsmb.sys | 5.2.3790.3206 | 437,248 | 05-Sep-2008 | 12:43 | x86 | SP1 | SP1GDR
Mrxsmb.sys | 5.2.3790.3206 | 438,272 | 05-Sep-2008 | 12:59 | x86 | SP1 | SP1QFE
Mrxsmb.sys | 5.2.3790.4369 | 438,784 | 05-Sep-2008 | 15:29 | x86 | SP2 | SP2GDR
Mrxsmb.sys | 5.2.3790.4369 | 438,784 | 05-Sep-2008 | 13:42 | x86 | SP2 | SP2QFE
For all supported IA-64-based versions of Windows Server 2003
File name | File version | File size | Date | Time | Platform | SP requirement | Service branch
Mrxsmb.sys | 5.2.3790.3206 | 1,170,944 | 08-Sep-2008 | 16:17 | IA-64 | SP1 | SP1GDR
Mrxsmb.sys | 5.2.3790.3206 | 1,171,968 | 08-Sep-2008 | 16:17 | IA-64 | SP1 | SP1QFE
Mrxsmb.sys | 5.2.3790.4369 | 1,171,968 | 08-Sep-2008 | 16:21 | IA-64 | SP2 | SP2GDR
Mrxsmb.sys | 5.2.3790.4369 | 1,172,480 | 08-Sep-2008 | 16:17 | IA-64 | SP2 | SP2QFE
Windows Vista and Windows Server 2008 file information notes
The files that apply to a specific product, milestone (RTM, SPn), and service branch (LDR, GDR) can be identified by examining the file version numbers as shown in the following table.
Version | Product | Milestone | Service branch
6.0.6000.16xxx | Windows Vista | RTM | GDR
6.0.6000.20xxx | Windows Vista | RTM | LDR
6.0.6001.18xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | GDR
6.0.6001.22xxx | Windows Vista SP1 and Windows Server 2008 SP1 | SP1 | LDR
Service Pack 1 is integrated into the release version of Windows Server 2008. Therefore, RTM milestone files apply only to Windows Vista. RTM milestone files have a 6.0.6000.xxxxxx version number.
GDR service branches contain only those fixes that are widely released to address widespread, critical issues. LDR service branches contain hotfixes in addition to widely released fixes.
The MANIFEST files (.manifest) and the MUM files (.mum) that are installed for each environment are listed separately. MUM and MANIFEST files, and the associated security catalog (.cat) files, are critical to maintaining the state of the updated component. The security catalog files (attributes not listed) have a Microsoft digital signature.
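The file tables in this article give the driver version each platform and service branch should carry once the update is installed, and the notes above explain that on Windows Vista and Windows Server 2008 the revision part of the version number identifies the milestone and branch. The following PowerShell script is an added example, not part of the Microsoft Knowledge Base article: it reads the version of the installed SMB redirector driver, works out which branch it belongs to, and compares it against the minimum from the matching table row. The minimum versions and the Vista/Server 2008 revision ranges come from the tables in this article; the split points used to tell Windows XP SP2 from SP3 and Windows Server 2003 SP1 from SP2, the function names, and the driver path are this example's assumptions.

```powershell
# Added example, not from the Microsoft Knowledge Base article: check whether the
# SMB redirector driver on this computer is at or above the version this update
# installs. Minimum versions and the Vista/Server 2008 revision ranges are taken
# from the article's file tables; the XP SP2/SP3 and Server 2003 SP1/SP2 split
# points, the function names and the driver path are this example's assumptions.

$Minimum = @(
    # Major.Minor.Build is fixed per product; the revision range picks the branch row.
    @{ File='Mrxsmb.sys';   Major=5; Minor=0; Build=2195; RevLow=0;     RevHigh=99999; Branch='Windows 2000 SP4';               Min=7174  }
    @{ File='Mrxsmb.sys';   Major=5; Minor=1; Build=2600; RevLow=0;     RevHigh=4999;  Branch='Windows XP SP2';                 Min=3467  }
    @{ File='Mrxsmb.sys';   Major=5; Minor=1; Build=2600; RevLow=5000;  RevHigh=99999; Branch='Windows XP SP3';                 Min=5700  }
    @{ File='Mrxsmb.sys';   Major=5; Minor=2; Build=3790; RevLow=0;     RevHigh=3999;  Branch='Windows Server 2003 SP1';        Min=3206  }
    @{ File='Mrxsmb.sys';   Major=5; Minor=2; Build=3790; RevLow=4000;  RevHigh=99999; Branch='Windows Server 2003 SP2';        Min=4369  }
    @{ File='Mrxsmb10.sys'; Major=6; Minor=0; Build=6000; RevLow=16000; RevHigh=19999; Branch='Windows Vista RTM GDR';          Min=16738 }
    @{ File='Mrxsmb10.sys'; Major=6; Minor=0; Build=6000; RevLow=20000; RevHigh=99999; Branch='Windows Vista RTM LDR';          Min=20904 }
    @{ File='Mrxsmb10.sys'; Major=6; Minor=0; Build=6001; RevLow=18000; RevHigh=21999; Branch='Vista SP1 / Server 2008 SP1 GDR'; Min=18130 }
    @{ File='Mrxsmb10.sys'; Major=6; Minor=0; Build=6001; RevLow=22000; RevHigh=99999; Branch='Vista SP1 / Server 2008 SP1 LDR'; Min=22252 }
)

function Get-DriverVersion([string]$Path) {
    # Build a System.Version from the numeric parts: the FileVersion string often
    # carries a trailing branch tag (e.g. "(srv03_sp2_gdr...)") that [version] cannot parse.
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    New-Object System.Version -ArgumentList $vi.FileMajorPart, $vi.FileMinorPart, $vi.FileBuildPart, $vi.FilePrivatePart
}

function Resolve-MinimumRow([string]$File, [version]$Version) {
    # Find the table row whose product and branch revision range contain this version.
    foreach ($row in $Minimum) {
        if ($row.File -eq $File -and
            $Version.Major -eq $row.Major -and $Version.Minor -eq $row.Minor -and
            $Version.Build -eq $row.Build -and
            $Version.Revision -ge $row.RevLow -and $Version.Revision -le $row.RevHigh) {
            return $row
        }
    }
}

function Test-SmbRedirectorUpdated {
    $drivers = Join-Path $env:SystemRoot 'System32\drivers'
    # Vista and Server 2008 ship the driver as Mrxsmb10.sys; earlier releases as Mrxsmb.sys.
    $file = 'Mrxsmb10.sys'
    if (-not (Test-Path -LiteralPath (Join-Path $drivers $file))) { $file = 'Mrxsmb.sys' }
    $installed = Get-DriverVersion (Join-Path $drivers $file)
    $row       = Resolve-MinimumRow $file $installed
    $branch    = 'not covered by the tables in this article'
    $required  = $null
    $upToDate  = $null
    if ($row) {
        $branch   = $row.Branch
        $required = New-Object System.Version -ArgumentList $row.Major, $row.Minor, $row.Build, $row.Min
        # Compare within the branch: a 6.0.6000.20xxx LDR file is numerically above the
        # GDR minimum 16738 but must meet the LDR minimum 20904 instead.
        $upToDate = ($installed -ge $required)
    }
    New-Object PSObject -Property @{
        File = $file; Installed = $installed; Branch = $branch; Required = $required; UpToDate = $upToDate
    }
}

Test-SmbRedirectorUpdated | Format-List File, Installed, Branch, Required, UpToDate
```

A result of UpToDate = False on a supported platform means the driver predates this update; an unknown branch (for example a 6.1 Mrxsmb10.sys on a later Windows release) means the tables here do not apply and the check is inconclusive rather than a failure.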
For all supported x86-based versions of Windows Server 2008 and of Windows Vista
File name | File version | File size | Date | Time | Platform
Mrxsmb10.sys | 6.0.6000.16738 | 211,456 | 26-Aug-2008 | 01:11 | x86
Mrxsmb10.sys | 6.0.6000.20904 | 211,968 | 27-Aug-2008 | 00:48 | x86
Mrxsmb10.sys | 6.0.6001.18130 | 212,480 | 27-Aug-2008 | 01:05 | x86
Mrxsmb10.sys | 6.0.6001.22252 | 212,480 | 27-Aug-2008 | 00:52 | x86
For all supported x64-based versions of Windows Server 2008 and of Windows Vista
File name | File version | File size | Date | Time | Platform
Mrxsmb10.sys | 6.0.6000.16738 | 271,872 | 26-Aug-2008 | 01:37 | x64
Mrxsmb10.sys | 6.0.6000.20904 | 271,872 | 27-Aug-2008 | 01:08 | x64
Mrxsmb10.sys | 6.0.6001.18130 | 272,896 | 27-Aug-2008 | 01:26 | x64
Mrxsmb10.sys | 6.0.6001.22252 | 272,896 | 27-Aug-2008 | 01:25 | x64
For all supported IA-64-based versions of Windows Server 2008