COMMAND

    SP4

SYSTEMS AFFECTED

    Microsoft Windows NT 4.0 with Service Pack 4

PROBLEM

    The following is based on an MS Security Bulletin. The Windows NT
    Security Account Manager (SAM) database stores the hashed password
    for each user account in two forms: an "NT hash" form that is used
    to authenticate users on Windows NT clients, and an "LM hash" form
    that is used to authenticate users on Windows 95, Windows 98, and
    downlevel clients such as DOS, Windows 3.1, Windows for
    Workgroups, OS/2 and Macintosh. When a user changes his password
    via a Windows NT, Windows 95 or Windows 98 client, both the "NT
    hash" and "LM hash" forms of the password are updated in the SAM.
    However, when the user changes his password via a downlevel
    client, only the "LM hash" form of the password is stored; a null
    value is stored in the "NT hash" field. This is normal operation.

    When a user attempts an interactive logon or a network share
    connection from a Windows NT system, the Windows NT
    authentication process uses the "NT hash" form of the password.
    If the "NT hash" is null, the "LM hash" of the password is used
    for verification. (Windows 95, Windows 98 and downlevel clients
    always use only the "LM hash" for verification.) The logic error
    in Service Pack 4 incorrectly allows a null "NT hash" value to be
    used for authentication from Windows NT systems. The result is
    that if a user account's password was last changed from a DOS,
    Windows 3.1, Windows for Workgroups, OS/2 or Macintosh client, a
    user can log on to that account from a Windows NT system using a
    blank password. By far the most likely machines to be affected by
    this vulnerability would be domain controllers running Windows NT
    4.0 SP 4, in networks that contain any of the downlevel clients
    listed above. However, any server or workstation running Windows
    NT 4.0 SP 4 that contains a SAM database with active users who
    communicate from downlevel clients would be vulnerable to this
    problem. For example, a workgroup of Windows NT 4.0 SP 4 systems,
    one of which is accessed by Windows for Workgroups clients, would
    be affected by this vulnerability. It is worth reiterating the
    following points:

    - Even on an affected network, a user whose most recent password
      change was performed via Windows NT, Windows 95 or Windows 98
      workstations will have a non-null "NT hash" value, and hence
      will not be at risk.
    - Customers who are affected by the vulnerability need only apply
      the patch to machines that contain SAM databases with active
      user accounts.
    - There is no need for users to update or change their passwords
      after applying the patch. Even in vulnerable systems, the SAM
      database entries are valid; the problem lies in the way SP4
      processes them. The patch corrects the authentication process
      logic in SP4 without changing the SAM database entries in any
      way.
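
    The verification logic described above, as an added example that
    is not Microsoft's code and not part of the bulletin. It models
    the documented NT-then-LM fallback beside a simplified model of
    the SP4 error, and lists which accounts are exposed. Assumptions:
    toy_hash is a SHA-256 stand-in for the real hash functions, and
    all function names and the sample accounts are hypothetical.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

def toy_hash(form: str, password: str) -> bytes:
    """Stand-in for the real LM/NT hash functions (assumption, not the real algorithms)."""
    return hashlib.sha256(f"{form}:{password}".encode()).digest()

@dataclass
class SamEntry:
    user: str
    lm_hash: bytes
    nt_hash: Optional[bytes]  # None models the null "NT hash" field

def change_password(user: str, password: str, downlevel: bool) -> SamEntry:
    """Downlevel clients store only the LM hash; the NT hash field is left null."""
    nt = None if downlevel else toy_hash("NT", password)
    return SamEntry(user, toy_hash("LM", password), nt)

def verify_intended(entry: SamEntry, password: str) -> bool:
    """Documented logic: use the NT hash, fall back to the LM hash if it is null."""
    if entry.nt_hash is not None:
        return entry.nt_hash == toy_hash("NT", password)
    return entry.lm_hash == toy_hash("LM", password)

def verify_sp4_model(entry: SamEntry, password: str) -> bool:
    """Model of the SP4 error: a null NT hash is itself accepted for
    authentication, so a blank password succeeds (simplifying assumption)."""
    if entry.nt_hash is None and password == "":
        return True
    return verify_intended(entry, password)

def accounts_at_risk(sam: List[SamEntry]) -> List[str]:
    """Accounts whose last password change left the NT hash null."""
    return [e.user for e in sam if e.nt_hash is None]

# Constructed sample SAM: names, passwords and client types are made up.
SAM = [
    change_password("alice", "Winter-99", downlevel=False),  # Windows NT client
    change_password("bob", "Spring-99", downlevel=True),     # Windows for Workgroups
]

if __name__ == "__main__":
    print("at risk:", accounts_at_risk(SAM))
    for e in SAM:
        print(e.user, "blank logon, SP4 model:", verify_sp4_model(e, ""),
              "| intended:", verify_intended(e, ""))
```

    Both functions read the same SAM entries, which matches the
    bulletin's point that the patch changes only the logic and no
    password reset is needed.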

SOLUTION

    Microsoft has posted the following hot fixes to address this
    problem:

    - Fix for x86 version:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP4/Msv1-fix/msv-fixi.exe
    - Fix for Alpha version:
        ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP4/Msv1-fix/msv-fixa.exe