From: Bertrand LEGERET (bertrand.legeret OPENSYSTEM.NET)
Date: Thu Apr 19 2001 - 00:53:15 CDT
At 02:52 PM 4/16/2001 -0700, Mark Klink wrote:
>Could someone please explain what is meant by
>
>"If the value FPNWCLNT already exists, then edit the value and add
>PASSFILT under FPNWCLNT"
>
>The current binary value of "Notification Packages" is "FPNWCLNT" followed
>by two null bytes.
>
>Thanks,
>Mark.
FPNWCLNT.dll is a notification package used by File and Print Services for
Netware (turns your NT box into a Netware File and Print Server) or
Directory Services for Netware (synchronizes Netware passwords with NT4
passwords). If you don't use these products, get rid of this value; it's a
security hole.

Remember that notification packages are passed the user credentials in
clear-text! Notification packages are loaded into the LSA and called each
time a password is changed or reset by an admin. So, if somebody is able to
copy a trojan file named fpnwclnt.dll into your system32, he can get the
clear-text password of any user who changes his password, or all passwords
reset by administrators. Writing such a DLL takes just a few dozen lines of
code (I have written several customized password filters myself).

Actually the Notification Packages value is a multi-string value
(REG_MULTI_SZ), i.e. you could add as many strings as you want, but for the
reasons explained above, you should carefully check why you would add
notification packages. The only two reasons that make sense are password
filtering or password synchronization with a foreign operating system.

BTW, never edit REG_MULTI_SZ values with Regedit because it does not support
this data type, can corrupt the registry (strings are not terminated
correctly) and make your system unbootable (e.g. the
HKLM\CurrentControlSet\Control\SessionManager\Subsystems\Required)
Cheers,
Bertrand
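
Added example, not part of the original message: a small Python parser that decodes the raw bytes of a REG_MULTI_SZ value such as "Notification Packages", reports bad termination, and lists packages that are not on an approved list. It assumes the usual UTF-16LE layout (each string NUL-terminated, one extra NUL ending the list); the function names and the ALLOWED set are this example's own.

```python
# Added example (not from the original post): decode and audit the raw bytes
# of a REG_MULTI_SZ value such as "Notification Packages".
ALLOWED = {"passfilt"}  # assumption: packages this site deliberately approved

def encode_multi_sz(strings):
    """NUL-terminate every string, then add one more NUL to end the list."""
    return "".join(s + "\0" for s in strings).encode("utf-16-le") + b"\0\0"

def parse_multi_sz(raw):
    """Return (strings, problems) for raw REG_MULTI_SZ data."""
    problems = []
    if len(raw) % 2:
        problems.append("odd byte count, not whole UTF-16 code units")
        raw = raw[:-1]
    text = raw.decode("utf-16-le", errors="replace")
    if not text.endswith("\0"):
        problems.append("last string is not NUL-terminated")
    elif text != "\0" and not text.endswith("\0\0"):
        problems.append("missing list terminator")
    parts = text.split("\0")
    strings = []
    for i, part in enumerate(parts):
        if part == "":  # an empty string marks the end of the list
            if any(parts[i + 1:]):
                problems.append("data after list terminator")
            break
        strings.append(part)
    return strings, problems

def audit(raw, allowed=ALLOWED):
    """Return (unexpected package names, format problems)."""
    strings, problems = parse_multi_sz(raw)
    return [s for s in strings if s.lower() not in allowed], problems

# Constructed samples: the value after adding PASSFILT under FPNWCLNT, and the
# same data with its terminators missing.
GOOD = encode_multi_sz(["FPNWCLNT", "PASSFILT"])
TRUNCATED = "FPNWCLNT\0PASSFILT".encode("utf-16-le")

if __name__ == "__main__":
    for name, raw in (("good", GOOD), ("truncated", TRUNCATED)):
        print(name, raw.hex(), audit(raw))
```

On a host where the NetWare services are not installed, FPNWCLNT shows up as unexpected, which is the entry the message above says to remove.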