Logon Security Auth

Known Issues With lsa2-fix

Originally Reported May 2, 1998 by Alan Ramsbottom ([email protected]) on NTBugTraq

Systems Affected

Windows NT

Situation:

A new security related hotfix "lsa2-fix" is available at:
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/lsa2-fix/

This includes the older "lsa-fix" changes, adds extra protection to "LSA secrets" and a fix to ensure account lockouts get recorded in the domain controller event log.

According to Philip C. Cox of CIAC ([email protected]), on May 2, 1998:
Just an FYI. Applying this fix will (at least in all my tests) prevent you from using cached domain logons. If your computer cannot contact a domain controller, you cannot login. I have been trying to find the fix/workaround for this, but to no avail yet. If anyone knows differently, please let me know.

François Normant ([email protected] reported on May 5, 1998:
Yes, you are right. Microsoft removed the fix today.
Another problem I experienced is that if you create a user account and check the box User Must Change Password at Next Logon, then when the user logs on and tries to change his/her password, he/she gets the following message: The system cannot change your password now because the DOMAIN is not available. It happens even if the account is a local one.
Conclusion: stay away from this fix !

Marvin Nipper ([email protected]) reported on May 8, 1998:
After making the mistake of applying that last hotfix, a little too soon, on a brand new laptop I had built out, I made the mistake of uninstalling it after realizing that the cached profiles wouldn"t work. The uninstall went smoothly, and seems to have put the old files back (as it should have). However, the next time the laptop was rebooted, it got up to the NT Logo point in time (prior to the Ctrl-Alt-Delete pop-up), and then offered up an error saying that The Procedure Entry Point LsallndicatedSamStateChange could not be located in the Dynamic Link Library LSASRV.DLL. Selecting the OK button (the only choice) resulted in no further activity on the laptop.

According to Phil Cox, on May 8, 1998:
The problem with the hotfix uninstall is that it does not remove the msaudite.dll it installed when applying the hotfix. IF you can get to a state where you can remove the msaudite.dll OR do it right before you uninstall the hotfix, all will work fine (At least this was my experience on 3 machines I applied the hotfix to).

To learn more about new NT security concerns, subscribe to NTSD.

Credit:
Reported by: Alan Ramsbottom ([email protected])
Posted here at NTSecurity.Net
Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish