Integrity Checking on Secure Channels with Domain Controllers

This article was previously published under Q183859
This article has been archived. It is offered "as is" and will no longer be updated.


IMPORTANT: This article contains information about editing the registry.Before you edit the registry, make sure you understand how to restore it ifa problem occurs. For information on how to do this, view the "Restoringthe Registry" online Help topic in Regedit.exe or the "Restoring a RegistryKey" online Help topic in Regedt32.exe.
Symptoms
When a Windows NT system joins a domain, a machine account is created.Thereafter, when the system boots, it uses the password for that account tocreate a secure channel with the domain controller for its domain. Requestssent on the secure channel are authenticated, and sensitive information(such as passwords) is encrypted, but the channel is not integrity checked.

Lack of integrity checking means that it is possible for an attacker whocan intercept and modify requests to modify information in requests orresponses undetected.

Use of such an attack to modify group membership information could allow anattacker who has interactive logon access to a workstation to becomeadministrator on that workstation.
Resolution
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in theMicrosoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack

More information
A fix to Windows NT 4.0 Netlogon service has been designed that will allowfor integrity checking. After applying this fix, the following Registryvalues can be used to modify the behavior of the secure channel between theclient and domain controller. All of the following values can be found inthe registry under the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters


WARNING: Using Registry Editor incorrectly can cause serious problems thatmay require you to reinstall your operating system. Microsoft cannotguarantee that problems resulting from the incorrect use of Registry Editorcan be solved. Use Registry Editor at your own risk.

For information about how to edit the registry, view the "Changing Keys AndValues" online Help topic in Registry Editor (Regedit.exe) or the "Add andDelete Information in the Registry" and "Edit Registry Data" online Helptopics in Regedt32.exe. Note that you should back up the registry beforeyou edit it.

   SignSecureChannel      Value Type: REG_DWORD - Boolean      Valid Range: 0 (FALSE) or 1 (TRUE)      Default: TRUE      Description: This parameter specifies that all outgoing secure                   channel traffic should be signed. If SealSecureChannel                   is also TRUE, it will override any setting for this                   parameter and force it to TRUE.   SealSecureChannel      Value Type: REG_DWORD - Boolean      Valid Range: 0 (FALSE) or 1 (TRUE)      Default: TRUE      Description: This parameter specifies that all outgoing secure                   channel traffic should be encrypted.   RequireSignOrSeal      Value Type: REG_DWORD - Boolean      Valid Range: 0 (FALSE) or 1 (TRUE)      Default: FALSE      Description: This parameter specifies that all outgoing secure                   channel traffic must be either signed or sealed. Without                   this parameter, this is negotiated with the Domain                   Controller. This flag should only be set if ALL of the                   domain controllers in ALL the trusted domains support                   signing and sealing. If this parameter is TRUE,                   SignSecureChannel is implied to be TRUE.				
Status
Microsoft has confirmed this problem could result in some degree ofsecurity vulnerability in Windows NT version 4.0. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.
4.00
Properties

Article ID: 183859 - Last Review: 10/25/2013 23:12:00 - Revision: 3.0

  • Microsoft Windows NT Workstation 4.0 Developer Edition
  • Microsoft Windows NT Server 4.0 Standard Edition
  • kbnosurvey kbarchive kbhotfixserver kbqfe kbbug kbfix KB183859
Feedback