Protect KnownDLL Lookup Table


NT creates a lookup table for system DLLs (the KnownDLLs list) so that each one is
loaded into memory only once. Normal users can edit this list, which means the
system will load an arbitrary DLL (perhaps a trojan, perhaps destructive) instead
of the genuine system DLL. The DLLs execute in the security context of the calling
process, so when an admin or other powerful account runs a program that uses the
replaced DLL, the hacker could easily gain admin access. To block this hack, set
ProtectionMode=1.

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\Session Manager

Name: ProtectionMode
Type: REG_DWORD
Value: 1

You will see both "Session Manager" (with a space) and "SessionManager". It's
the one with the space. Microsoft's original security bulletin pointed to the wrong
sub-key. Microsoft's updated bulletin announces a hot-fix and recommends using the
hot-fix rather than this registry change. If you read the "Issue" section of the
security bulletin carefully, it becomes apparent that the exposure should be
addressed by workstation support and in environments with server pools serviced by
individuals with console access but at various access levels (i.e. account
operators, server operators, backup operators). I strongly recommend applying the
hot-fix in that kind of server environment.
For others I would recommend waiting for the hot-fix to get integrated into a
Service Pack. This is the kind of thing they are paying you BIG bucks for: study
the issue and make your own call. Read the "Issue" section of the security alert
to get the best writeup on the issue.
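As an added example (my own script, not part of the original article or any Microsoft bulletin), here is a PowerShell audit that shows which of the two similarly named keys actually exists, reports the current ProtectionMode value, lists the KnownDLLs entries so you can review them for anything unexpected, and only writes the value when run with `-Apply`. It assumes an elevated prompt for the write and that PowerShell is available on the box being checked.

```powershell
# Added example: audit (and optionally set) ProtectionMode under Session Manager.
# Read-only by default; pass -Apply from an elevated prompt to set the value.
param([switch]$Apply)

$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'   # the one WITH the space
$Name = 'ProtectionMode'

# Show both spellings so it is obvious which key is real on this machine
$candidates = @(
    $Key,
    'HKLM:\SYSTEM\CurrentControlSet\Control\SessionManager'         # the look-alike
)
foreach ($candidate in $candidates) {
    Write-Host ("{0,-60} exists: {1}" -f $candidate, (Test-Path $candidate))
}

# Report the current setting (absent means the default, unprotected behaviour)
$current = (Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue).$Name
if ($null -eq $current) {
    Write-Host "$Name is not set (default behaviour)"
} else {
    Write-Host "$Name is currently $current"
}

# Dump the KnownDLLs lookup table so an admin can review it for unexpected entries
$knownDlls = Get-ItemProperty -Path "$Key\KnownDLLs" -ErrorAction SilentlyContinue
if ($knownDlls) {
    Write-Host 'KnownDLLs entries:'
    $knownDlls.PSObject.Properties |
        Where-Object { $_.Name -notlike 'PS*' } |          # drop PowerShell's own metadata
        ForEach-Object { Write-Host ("  {0,-20} = {1}" -f $_.Name, $_.Value) }
}

if ($Apply) {
    if ($current -eq 1) {
        Write-Host 'Already set to 1; nothing to do'
    } else {
        New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host "$Name set to 1; Session Manager reads it at boot, so reboot to apply"
    }
}
```

Run it without switches first on a representative workstation and server; the KnownDLLs dump is the part worth keeping in a baseline, since a new or renamed entry there is exactly the change the article warns about.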
