Fixing the LM authentication security hole is as easy as applying the lm-fix hotfix. But no one said that applying the hotfix was easy. Until recently, you could download lm-fix from Microsoft's Web site to turn off LM authentication. However, Microsoft removed the hotfix from its Web site because lm-fix demonstrated compatibility problems with distributed component object model (DCOM). Microsoft replaced the lm-fix download with the following note: The lm-fix hotfix has been temporarily removed from distribution. During complete regression testing, we determined that under certain limited configurations there is a problem with this hotfix and certain DCOM features. We are investigating the extent of this interaction and will issue an updated hotfix as soon as it is available. Customers that have already deployed this hotfix do not need to remove it if they are not seeing DCOM connection errors after installing this hotfix. We have had no customers actually report a problem to us, but rather this is a proactive step until we complete additional tests. Once these tests are complete, we will reissue this hotfix.
Microsoft's claim that no customers reported problems is strange. I have seen numerous DCOM-related errors in my servers' Registries since I installed lm-fix. And, if the fix was so terrible that Microsoft removed it from public access, why didn't anyone complain? Just to be safe, I'm uninstalling this version of lm-fix and waiting for the next revision.
If you haven't downloaded lm-fix, you must wait to implement this security measure until Microsoft re-releases the hotfix or includes it in Service Pack 4 (SP4). If you've already installed the hotfix, examine your event logs for reports of DCOM errors, then decide whether you need to remove the hotfix.
Don't install lm-fix on networks running Exchange 4.0 or Exchange 5.0. Enabling this hotfix can cause problems with connections to Exchange Server 4.0 and Exchange Server 5.0 systems that rely on LM authentication.
by Sean Daily
