This article was previously published under Q184017
This article has been archived. It is offered "as is" and will no longer be updated.
Important This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:
256986 Description of the Microsoft Windows Registry
A program is available on the Internet that allows a local Administrator, with full control of a Windows NT system, to use APIs published in the Win32 software development kit (SDK) for Windows NT to display the contents of security information stored by the Local Security Authority (LSA) in a form called LSA Secrets. LSA Secrets are used to store information such as the passwords for service accounts used to start services under an account other than local System.
This is by design. Members of the local Administrators group are trusted users that have the ability to access any information that can also be accessed by the operating system itself.
Note that the fix listed below does not change the behavior in which LSA secrets are available to local administrators. Administrators have access to data including LSA secrets. This fix provides improved protection for LSA secrets against the attacks noted below that do not involve accounts with administrative privileges.
To resolve this problem, obtain the latest service pack for Windows NT 4.0 or Windows NT Server 4.0, Terminal Server Edition. For additional information, click the following article number to view the article in the Microsoft Knowledge Base:
152734 How to Obtain the Latest Windows NT 4.0 Service Pack
The updates in this Windows NT 4.0 hotfix provide the following additional protection for the LSA Secret data:
Additional encryption for the LSA Secrets, which provides protection for this information when stored on backup tapes, the Emergency Repair Disk, or other registry backups. For maximum protection, you should also enable the System Key option. For additional information about System Key (Syskey.exe), click the following article number to view the article in the Microsoft Knowledge Base:
143475 Windows NT system key permits strong encryption of the SAM
The value of the LSA private data is not returned to remote clients over the network.
Calls to the Win32 APIs will not return LSA private data used for service accounts and other system components to unauthorized applications (non-system components).
This update includes a change to the privilege needed to open the Security Event log. Applications that open this log on systems running with this update installed fail unless the security privilege (SE_SECURITY_NAME) is enabled. For additional information about this change, click the following article number to view the article in the Microsoft Knowledge Base:
188855 The Security permission must be granted to view the Security event log
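As an added diagnostic (not part of the KB article), the PowerShell function below reports whether the current token holds SeSecurityPrivilege, the privilege behind SE_SECURITY_NAME, and whether the Security log can be opened; it is the check to run when an agent or service reports that OpenEventLog failed. The function name is this example's own; on newer Windows versions the Security log is also gated by its channel ACL, so an unprivileged open may report access denied rather than Win32 error 1314.

```powershell
# Added example, not from the original article: does this token hold
# SeSecurityPrivilege (SE_SECURITY_NAME) and can the Security log be opened?
function Test-SecurityLogAccess {
    # whoami /priv lists the token's privileges. SeSecurityPrivilege is absent
    # entirely when the account was never granted the
    # "Manage auditing and security log" user right.
    $privs = whoami /priv /fo csv | ConvertFrom-Csv
    $sec   = $privs | Where-Object { $_.'Privilege Name' -eq 'SeSecurityPrivilege' }

    $result = [ordered]@{
        HoldsSeSecurityPrivilege = [bool]$sec
        PrivilegeState           = if ($sec) { $sec.State } else { 'not held' }
        SecurityLogOpened        = $false
        Error                    = $null
    }

    try {
        # Opening the Security log is the operation the hotfix restricts to
        # holders of SE_SECURITY_NAME; record the failure rather than assume
        # a particular error code, since newer versions also apply a channel ACL.
        Get-WinEvent -LogName Security -MaxEvents 1 -ErrorAction Stop | Out-Null
        $result.SecurityLogOpened = $true
    } catch {
        $result.Error = $_.Exception.Message
    }

    [pscustomobject]$result
}

Test-SecurityLogAccess | Format-List
```

Run it under the account that the failing service or agent uses; a result of HoldsSeSecurityPrivilege = False with SecurityLogOpened = False points at a missing user right rather than a log corruption.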
Before You Apply The Hotfix
Because this hotfix makes a modification to the on-disk storage of the LSA data information, Microsoft does not recommend that it be uninstalled. Perform the following steps to ease the transition back to a pre-LSA2-fix configuration in case you experience problems with the hotfix:
Perform a Full System Backup.
Run Rdisk /s. Using the /s command-line switch with Rdisk.exe causes the Sam._ and Security._ databases to be copied to the %Systemroot%\Repair folder.
Create a temporary folder under the %Systemroot% folder called Lsabackout.
Copy the following files from the %Systemroot%\System32 folder to the %Systemroot%\Lsabackout folder as they are updated by LSA2-fix:
This hotfix has been posted as Lsa2fixi.exe (x86) and Lsa2fixa.exe (Alpha). For your convenience, the English version of this post-SP3 hotfix has been posted to the following Internet location. However, Microsoft recommends that you install Windows NT 4.0 Service Pack 4 to correct this problem.
Note An updated version of this hotfix was posted on July 20, 1998 and provides an additional security level to systems running Windows NT 4.0 Service Pack 3.
Note The above link is one path; it has been wrapped for readability.
If you run Systems Management Server on systems where this hotfix is applied, the SNMP Event Log Extension Agent (Snmpelea) generates the following Event ID 3007 error:
Error opening event log file Security. Log will not be processed. Return code from OpenEventLog is 1314.
The SNMP Event Log Extension Agent requires an update to manage the security event log. For additional information about how to resolve the SNMP Event Log Extension Agent problem, click the following article number to view the article in the Microsoft Knowledge Base:
Copy the original versions of these system files from the %Systemroot%\Lsabackout folder to the %Systemroot%\System32 folder.
Restart the computer using the installation disks and select the option to repair the system.
Deselect all options except Inspect Registry Files and then continue.
Press the ESC key to indicate you wish to use the on-disk repair information.
Press ENTER to repair.
Click only Security (security policy) and SAM (user accounts database).
Warning If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.
Start Registry Editor (Regedt32.exe) and delete the key from:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT \CurrentVersion\Hotf
Note The above registry key is one path; it has been wrapped for readability.
Microsoft has confirmed that this is a problem in Windows NT 4.0 and Windows NT Server 4.0, Terminal Server Edition. This problem was first corrected in Windows NT 4.0 Service Pack 4.0 and Windows NT Server 4.0, Terminal Server Edition Service Pack 4.