Microsoft recently released Windows NT 4.0 Service Pack 3 (SP3), which
includes more than 180 fixes for known problems. After examining SP3, I call it
Security Pack 3, because it adds five strong new security features to
NT, including a neat password-filtering tool for enhancing overall security.
(This password filtering tool, passfilt.dll, first came with SP2, but almost no
one knew it was there. I want to make sure everybody knows about this tool now
that it's also in SP3.) The five security-related changes to NT Workstation and
Server are
- Server Message Block (SMB) signing
- Password filtering
- Anonymous user restrictions
- System keys
- CryptoAPI 2.0
Let's look at each new feature in detail.
Crash Course on SMB Signing
SMB signing is incredibly useful and overdue. Microsoft, IBM, and Intel
jointly developed the SMB protocol, which defines program-level commands for
obtaining or providing remote file services in a network environment. A new
version of the SMB authentication protocol, the Common Internet File System
(CIFS) file-sharing protocol, comes with SP3. This subset of SMB is tuned for
use on the Internet. Microsoft has submitted the CIFS specifications to the
Internet Engineering Task Force (IETF) as an Internet Draft for ratification as
an industry standard. For simplicity, I'll refer to SMB and its subset protocols
as SMB. The SMB protocols let systems transparently access files that reside on
remote systems. These protocols transparently share any item, such as a printer,
that is mapped into the file space.
Some background on TCP/IP network traffic will help you understand SMB
signing: TCP/IP network traffic consists of packets. Each packet contains a
header that carries information such as a source and destination IP address.
Each time you connect to a shared resource, such as a server's disk drive, you
generate and transmit packets to the server for action. The server sends packets
back to your system for an action such as mapping a drive and displaying its
contents. This connection and packet exchange process is an SMB session.
In the past, SMB sessions (e.g., sharing resources) did not ensure the
authenticity of the SMB packets sent and received. When users tried to connect
to a shared resource, they were successful if their permissions allowed the
connection. From that point, all SMB session traffic passed between the client
and server without validation. The security risk lies in non-validated packets,
which make it possible for someone to create and insert rogue packets into the
network traffic stream to launch a messaging attack. In fact, someone on
the network between you and the server could intercept the entire SMB session,
mounting a man-in-the-middle attack. Or someone could completely hijack
the SMB session.
After you implement the new SMB signing feature, client and server can use
a strong mechanism to mutually authenticate SMB sessions, packet by packet:
client and server agree that they will digitally sign each packet to ensure its
authenticity. Then both client and server inspect every packet to ensure that
the packet came from the system it was supposed to come from, thus eliminating
the possibility of attacks. This approach adds overhead to the systems, but the
security is worth the sacrifice, and you might not even notice the difference.
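The per-packet check described above can be sketched as follows. This is an added example, not code from Microsoft or from the original article: it uses HMAC-SHA256 truncated to 8 bytes as a stand-in for the real SMB signature algorithm, and the key, payloads, and function names are constructed for illustration.

```python
import hashlib
import hmac
import struct

MAC_LEN = 8  # truncated tag length chosen for this sketch (assumption)


def packet_mac(key: bytes, seq: int, payload: bytes) -> bytes:
    # Binding the sequence number into the MAC is what defeats replayed packets.
    msg = struct.pack("<I", seq) + payload
    return hmac.new(key, msg, hashlib.sha256).digest()[:MAC_LEN]


def sign(key: bytes, seq: int, payload: bytes) -> bytes:
    """Sender side: append the signature to the payload."""
    return payload + packet_mac(key, seq, payload)


class Receiver:
    """One end of a session; tracks the next sequence number it expects."""

    def __init__(self, session_key: bytes):
        self.key = session_key
        self.next_seq = 0

    def accept(self, packet: bytes) -> bytes:
        if len(packet) < MAC_LEN:
            raise ValueError("packet too short to carry a signature")
        payload, tag = packet[:-MAC_LEN], packet[-MAC_LEN:]
        expected = packet_mac(self.key, self.next_seq, payload)
        if not hmac.compare_digest(tag, expected):  # constant-time comparison
            raise ValueError("signature check failed; packet dropped")
        self.next_seq += 1  # advance only after a packet verifies
        return payload


def outcome(rx: Receiver, packet: bytes) -> str:
    try:
        rx.accept(packet)
        return "accepted"
    except ValueError:
        return "rejected"


def demo() -> list:
    key = b"constructed-session-key"  # constructed sample value
    rx = Receiver(key)
    genuine = sign(key, 0, b"OPEN report.doc")
    injected = sign(b"some-other-key", 1, b"DELETE report.doc")  # sender lacks the key
    second = sign(key, 1, b"READ 0-4096")
    altered = b"READ 0-9999" + second[-MAC_LEN:]  # payload changed in transit
    # genuine is sent twice: the second copy is a replay and must fail.
    return [outcome(rx, p) for p in (genuine, genuine, injected, altered, second)]


if __name__ == "__main__":
    print(demo())
```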
Installing SP3 introduces SMB signing to your NT Workstation and NT Server
systems. On NT Server, SMB signing is disabled by default, but on NT
Workstation, it's enabled by default. You need to edit the Registry to
use SMB signing for communications with NT Server. You can configure SMB signing in two
ways: enabled and required. Enabled means that if a client system has
SMB signing enabled, it will be the preferred communications method. Required
means that all clients must use SMB signing to communicate with the NT system.
You need to enable SMB signing to use it on NT Server. If you turn on
RequireSecuritySignature by setting its value to 1, while SMB signing is enabled, NT
Server must use the signing technique for all connections. (For information
about turning on RequireSecuritySignature, see "SMB Signing.")
Clients that don't use SMB signing won't be able to communicate via SMB with the
NT system (e.g., sharing won't work).
You need the updated service packs for Windows 95 and other Microsoft
client systems that will participate in SMB signing with an NT system. The
current incarnations of non-NT OSs know nothing about this new authentication
technique and won't work with your NT systems if you require SMB signing. If you
only enable SMB signing, the non-NT OSs continue to work with NT; however,
they'll be vulnerable to SMB attacks. Take the time to upgrade your non-NT OSs;
it's worth the effort.
Samba, a freeware UNIX-based SMB server, does not support this new SMB
signing functionality. (For information about Samba, see "Samba,"
March 1997.) Adjust your Registry entries accordingly (i.e., don't require SMB
signing) on NT systems that need to communicate with non-Microsoft SMB servers
such as Samba, HP's HP/X, or LAN Manager for UNIX.
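Before setting RequireSecuritySignature to 1, it helps to know which systems would be locked out and which would keep talking without signatures. The following added example (not from the original article or from Microsoft) models the enabled/required behavior described above; the host names, the inventory, and the "unsupported" mode for systems with no signing code are assumptions made for illustration.

```python
# Signing modes as the article describes them. "unsupported" covers systems
# that have no signing code at all (an assumption of this sketch).
UNSUPPORTED, DISABLED, ENABLED, REQUIRED = (
    "unsupported", "disabled", "enabled", "required")

CAN_SIGN = {ENABLED, REQUIRED}


def session_outcome(client: str, server: str) -> str:
    """Return 'signed', 'unsigned' or 'refused' for one client/server pair."""
    if client in CAN_SIGN and server in CAN_SIGN:
        return "signed"    # both sides can sign, so signing is preferred
    if REQUIRED in (client, server):
        return "refused"   # one side insists, the other cannot sign
    return "unsigned"      # old behavior: no per-packet validation


def rollout_report(server_mode: str, clients: dict) -> dict:
    """Group client names by what happens when they connect to the server."""
    report = {"signed": [], "unsigned": [], "refused": []}
    for name, mode in clients.items():
        report[session_outcome(mode, server_mode)].append(name)
    return report


# Constructed inventory: host names and modes are sample data.
CLIENTS = {
    "nt4-ws-sp3": ENABLED,           # NT Workstation with SP3 default
    "win95-updated": ENABLED,        # assumes the updated client software
    "win95-unpatched": UNSUPPORTED,  # knows nothing about signing
    "nt4-ws-signing-off": DISABLED,  # signing switched off in the Registry
}

if __name__ == "__main__":
    for mode in (ENABLED, REQUIRED):
        print("server", mode, "->", rollout_report(mode, CLIENTS))
    # An NT client that requires signing cannot use a server without it.
    print("NT client (required) to Samba:",
          session_outcome(REQUIRED, UNSUPPORTED))
```

Hosts listed under "unsigned" keep working but remain exposed to the session attacks described earlier; hosts under "refused" need the client update before the server requires signing.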