Anonymous Connections May Be Able to Obtain the Password Policy

Last reviewed: October 27, 1997
Article ID: Q129457
The information in this article applies to:
  • Microsoft Windows NT Workstation version 4.0 Service Pack 3
  • Microsoft Windows NT Server version 4.0 Service Pack 3

SYMPTOMS

Windows NT 4.0 with Service Pack 3 (SP3) installed provides the capability to restrict anonymous users from obtaining system information. For more information, please see the following article in the Microsoft Knowledge Base:

   ARTICLE-ID: Q143474
   TITLE     : Restricting Information Available to Anonymous Logon Users

However, even with RestrictAnonymous enabled, anonymous connections can still obtain the password policy from a Windows NT Server. The password policy defines the Windows NT domain policy with respect to the minimum password length, whether blank passwords are permitted, maximum password age, and password history.

Windows NT uses anonymous access to the password policy information to give end users detailed error information under specific circumstances. If the user is required to change their password at the next logon, and the user enters a new password that is rejected because of the password policy, Windows NT can tell the user why the password was rejected. Because the system obtains the password policy before the user has completed the logon, it uses an anonymous connection to do so.

For example, assume there is a password policy that requires a minimum password length of 8 characters and a history that remembers the last 5 passwords. If the user chooses a new password of 6 characters, or enters a previous password, they see a detailed error message with the following information:

   Your password must be at least 8 characters long. Your new password
   cannot be the same as any of your previous 5 passwords.

RESOLUTION

Microsoft has a fix available that disables anonymous access to password policy information when RestrictAnonymous is enabled. When the hotfix is applied and RestrictAnonymous is enabled, anonymous connections cannot obtain password policy information.

Microsoft recommends installing the hotfix on all domain controllers that have Service Pack 3 installed.

This fix should have the following time stamp:

   xx/xx/xx  xx:xx               xxx,xxx xxxxxxx.xxx

STATUS

Microsoft has confirmed this to be a problem in Windows NT version 4.0. A supported fix is now available, but has not been fully regression-tested and should be applied only to systems experiencing this specific problem. Unless you are severely impacted by this specific problem, Microsoft recommends that you wait for the next Service Pack that contains this fix. Contact Microsoft Technical Support for more information.

MORE INFORMATION

If the user performs the same steps outlined in the example above after the hotfix is installed, they receive the following error message:

   Your new password does not meet the minimum length or password history
   requirements of the domain.

The user should consult the account administrator to determine the password policy in effect for their account domain.
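
The following added example (not Microsoft code, and not part of the original article) models the behavior described above: which combinations of RestrictAnonymous and the hotfix still let an anonymous connection read the policy, and what the resulting rejection message discloses. The class and function names, the simplified client-side check, and the sample passwords are assumptions made for illustration; the two message texts and the 8/5 policy values are the article's own.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class PasswordPolicy:              # constructed model of the two values in the article's example
    min_length: int
    history_length: int

class AccessDenied(Exception):
    """Raised when the modelled server refuses an anonymous policy query."""

def anonymous_policy_query(policy, restrict_anonymous, hotfix_applied):
    # Per the article: only the hotfix AND RestrictAnonymous together block the query.
    if restrict_anonymous and hotfix_applied:
        raise AccessDenied("anonymous connections cannot obtain password policy")
    return policy

def violates(policy, new_password, previous_passwords):
    # Simplified check: too short, or reused within the remembered history.
    recent = previous_passwords[-policy.history_length:] if policy.history_length else []
    return len(new_password) < policy.min_length or new_password in recent

def rejection_message(policy, new_password, previous_passwords,
                      restrict_anonymous, hotfix_applied):
    """Message shown at a forced pre-logon password change, or None if accepted."""
    if not violates(policy, new_password, previous_passwords):
        return None
    try:
        p = anonymous_policy_query(policy, restrict_anonymous, hotfix_applied)
    except AccessDenied:
        return ("Your new password does not meet the minimum length or "
                "password history requirements of the domain.")
    return (f"Your password must be at least {p.min_length} characters long. "
            f"Your new password cannot be the same as any of your previous "
            f"{p.history_length} passwords.")

def policy_values_in(message):
    """Numeric policy values that anyone reading the message learns."""
    return [int(n) for n in re.findall(r"\d+", message or "")]

if __name__ == "__main__":
    policy = PasswordPolicy(min_length=8, history_length=5)   # the article's example policy
    old = ["Winter96!", "Spring97!"]                          # constructed password history
    for ra in (False, True):
        for fix in (False, True):
            msg = rejection_message(policy, "short1", old, ra, fix)
            print(f"RestrictAnonymous={ra!s:5} hotfix={fix!s:5} -> discloses {policy_values_in(msg)}")
```

Only the row with both RestrictAnonymous and the hotfix enabled discloses no policy values, which is why the article asks for the hotfix on every domain controller running Service Pack 3.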


Additional query words: 4.00 sp3
Keywords : kbbug4.00.sp3 ntsecurity NTSrvWkst kbenv
Version : WinNT:4.0
Platform : winnt
Issue type : kbbug
Solution Type : kbpatch


THE INFORMATION PROVIDED IN THE MICROSOFT KNOWLEDGE BASE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

© 1998 Microsoft Corporation. All rights reserved.