Microsoft has published security bulletin MS08-068. To view the complete security bulletin, visit one of the following Microsoft websites:
- Home users:
http://www.microsoft.com/china/protect/computer/updates/bulletins/200811.mspx
Download updates for your home computer or laptop from the Microsoft Update website:
http://update.microsoft.com/microsoftupdate
- IT professionals:
http://www.microsoft.com/china/technet/security/bulletin/MS08-068.mspx
How to obtain help and support for this security update
Home users in the United States or Canada can call 1-866-PCSAFETY, or contact their local Microsoft subsidiary, free of charge. For more information about how to contact a local Microsoft subsidiary about security update support problems, visit the Microsoft international support website:
http://support.microsoft.com/common/international.aspx?rdpath=4
North American customers can also visit the following Microsoft website to receive unlimited free e-mail support or unlimited personal chat support:
http://support.microsoft.com/oas/default.aspx?&prid=7552
Enterprise customers can obtain security update support through their usual support contacts.
Known issues with this security update
After this security update is applied, applications such as Microsoft SQL Server or Internet Information Services (IIS) may fail when they make local NTLM authentication requests.
Cause
This problem occurs because NT LAN Manager (NTLM) treats the name used to reach the computer as a remote entity rather than a local one. When the client on the computer computes and caches the correct response to an NTLM challenge, local authentication can fail before the response is even sent back to the server, because the server side holds that same challenge in local LSASS memory. When the NTLM server code finds the received response in the local LSASS cache, it does not honor the authentication request and instead treats it as a replay (reflection) attack. This behavior causes local authentication to fail.
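The following PowerShell script is an added illustration of the check described above; it is not Microsoft's code and does not implement the real NTLM message formats. It models one LSASS instance acting as both NTLM client and NTLM server on the same machine: the client side caches every response it computes, and the server side looks each received response up in that cache. A hit means the response was produced locally, which is exactly what a reflected response looks like, so the server rejects it unless the loopback check is disabled or the target name is listed in BackConnectionHostNames. All names, the toy response function and the hostname `sqlalias.corp.example` are constructed for the example.

```powershell
# Added model of the NTLM reflection check (not Microsoft's implementation).
$script:ComputedResponses = @{}          # client side: response -> challenge it answered
$script:DisableLoopbackCheck = $false    # models DisableLoopbackCheck = 1 when $true
$script:BackConnectionHostNames = @()    # models the MSV1_0\BackConnectionHostNames list

function Get-ToyResponse {
    # Constructed stand-in for the NTLM response computation (SHA-256 of challenge|target).
    param([string]$Challenge, [string]$TargetName)
    $bytes = [Text.Encoding]::UTF8.GetBytes("$Challenge|$TargetName")
    $sha = [Security.Cryptography.SHA256]::Create()
    try { return ([BitConverter]::ToString($sha.ComputeHash($bytes))).Replace('-', '') }
    finally { $sha.Dispose() }
}

function Invoke-ClientAuthenticate {
    # Client side of LSASS: compute the response and remember it in the local cache.
    param([string]$Challenge, [string]$TargetName)
    $response = Get-ToyResponse -Challenge $Challenge -TargetName $TargetName
    $script:ComputedResponses[$response] = $Challenge
    return $response
}

function Test-ServerResponse {
    # Server side of LSASS: a response found in the local cache was computed on this
    # machine, so it is either a loopback logon or a reflected credential.
    param([string]$Response, [string]$TargetName)
    if (-not $script:ComputedResponses.ContainsKey($Response)) {
        return 'Not local: continue with normal validation'
    }
    if ($script:DisableLoopbackCheck) { return 'Accepted: loopback check disabled globally' }
    if ($script:BackConnectionHostNames -contains $TargetName) {
        return "Accepted: $TargetName is exempt via BackConnectionHostNames"
    }
    return 'Rejected: treated as a replay (reflection) attack'
}

# Scenario: a local IIS application authenticates to local SQL Server through a DNS alias.
$challenge = [guid]::NewGuid().ToString('N')    # constructed stand-in for the server challenge
$resp = Invoke-ClientAuthenticate -Challenge $challenge -TargetName 'sqlalias.corp.example'
Test-ServerResponse -Response $resp -TargetName 'sqlalias.corp.example'   # rejected
$script:BackConnectionHostNames = @('sqlalias.corp.example')
Test-ServerResponse -Response $resp -TargetName 'sqlalias.corp.example'   # accepted
```

The scenario at the bottom shows why the fix breaks legitimate local authentication and why the narrow BackConnectionHostNames exemption is preferable to disabling the check globally: only the listed alias is exempted, and every other locally produced response is still rejected.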
Solution
To resolve this issue, you must disable reflection protection on the affected system so that it can authenticate. For more information about how to do this, click the following article numbers to view the articles in the Microsoft Knowledge Base:
896861 You receive an HTTP 401.1 error when you browse a website that uses Integrated Authentication and is hosted on IIS 5.1 or IIS 6
887993 After you install Windows Server 2003 Service Pack 1, users encounter authentication problems when they access a webpage in IIS 6.0 or query Microsoft SQL Server 2000
926642 After you install Windows Server 2003 Service Pack 1, you receive an "Access denied" or "No network provider accepted the given network path" error message when you try to access the server locally by using its FQDN or an alias
How to disable NTLM reflection Protection
Important: This section, method, or task contains steps that tell you how to modify the registry. However, serious problems may occur if you modify the registry incorrectly. Therefore, make sure that you follow these steps carefully. For added protection, back up the registry before you modify it. Then, you can restore the registry if a problem occurs. For more information about how to back up and restore the registry, click the following article number to view the article in the Microsoft Knowledge Base:
322756 How to back up, edit, and restore the registry in Windows XP and Windows Server 2003
To disable NTLM reflection protection, you must modify a registry value on the client computer. To do this, follow these steps on the client computer:
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
- On the Edit menu, point to New, and then click DWORD Value.
- Type DisableLoopbackCheck as the name of the DWORD value, and then press Enter.
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 1, and then click OK.
- Exit Registry Editor and restart the computer.
Note: You must restart the computer for the change to take effect.
Consequences of disabling NTLM reflection protection
Because NTLM reflection protection is part of the fix for the SMB vulnerability, disabling it on an affected system returns that system to a vulnerable state. Therefore, if you must disable this protection, we recommend that you use the BackConnectionHostNames registry value instead, as described later in this article.
How to re-enable NTLM reflection protection
To enable NTLM reflection protection again, you must modify the registry value on the client computer. To do this, follow these steps on the client computer:
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
- Right-click DisableLoopbackCheck, and then click Modify.
- In the Value data box, type 0, and then click OK.
- Exit Registry Editor and restart the computer.
Note: You must restart the computer for the change to take effect.
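The two Registry Editor procedures above (setting DisableLoopbackCheck to 1 to disable the protection, and back to 0 to re-enable it) can be performed and audited from an elevated PowerShell prompt. The script below is an added example and is not part of the Microsoft article; the function names are invented here. It reports whether the system is currently protected, and only creates the value when it does not already exist, so re-running it is safe. A restart is still required after any change.

```powershell
# Added example: audit and toggle HKLM\SYSTEM\CurrentControlSet\Control\Lsa\DisableLoopbackCheck.
# Run as Administrator. Function names are invented for this example.
$LsaKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$ValueName = 'DisableLoopbackCheck'

function Get-NtlmLoopbackCheckState {
    # 'Protected' = value absent or 0 (reflection protection active)
    # 'Disabled'  = value 1 (the vulnerable state the article warns about)
    $item = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item -or $item.$ValueName -eq 0) { return 'Protected' }
    if ($item.$ValueName -eq 1) { return 'Disabled' }
    return "Unexpected value: $($item.$ValueName)"
}

function Set-NtlmLoopbackCheck {
    param(
        [Parameter(Mandatory)]
        [ValidateSet('Disable', 'Enable')]
        [string]$Action   # 'Disable' writes 1 (step "type 1"); 'Enable' writes 0 (step "type 0")
    )
    if (-not (Test-Path $LsaKey)) { throw "Registry key $LsaKey not found" }
    $data = if ($Action -eq 'Disable') { 1 } else { 0 }

    $existing = Get-ItemProperty -Path $LsaKey -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        # Equivalent of Edit > New > DWORD Value in Registry Editor
        New-ItemProperty -Path $LsaKey -Name $ValueName -PropertyType DWord -Value $data | Out-Null
    } else {
        # Equivalent of Right-click > Modify on the existing value
        Set-ItemProperty -Path $LsaKey -Name $ValueName -Value $data -Type DWord
    }
    Write-Warning "DisableLoopbackCheck set to $data. Restart the computer for the change to take effect."
    return Get-NtlmLoopbackCheckState
}

# Audit only; uncomment one of the lines below to change the setting.
"Current state: $(Get-NtlmLoopbackCheckState)"
# Set-NtlmLoopbackCheck -Action Enable     # re-enable protection (value 0)
# Set-NtlmLoopbackCheck -Action Disable    # disable protection (value 1); prefer BackConnectionHostNames
```

Running `Get-NtlmLoopbackCheckState` across a fleet is a quick way to find machines that were left in the disabled state after troubleshooting, which the article itself notes is a vulnerable configuration.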
How to disable NTLM reflection protection for specific SPNs
You can disable NTLM reflection protection only for the specific service principal names (SPNs) for which authentication is failing. To do this, follow these steps on the client computer:
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0
- On the Edit menu, point to New, and then click Multi-String Value.
- Type BackConnectionHostNames as the name of the multi-string value, and then press Enter.
Note: If the BackConnectionHostNames registry value already exists as a REG_DWORD value, you must delete it first.
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the CNAME or DNS alias that is used locally on the computer, and then click OK.
Note: Type each host name on a separate line.
- Exit Registry Editor and restart the computer.
Note: You must restart the computer for the change to take effect.
Consequences of disabling NTLM reflection protection for specific SPNs
Because NTLM reflection protection is part of the fix for the SMB vulnerability, disabling it for specific SPNs leaves the affected system vulnerable for those SPNs, since reflection protection no longer applies to them.
How to re-enable NTLM reflection protection for specific SPNs
To do this, follow these steps on the client computer:
- Click Start, click Run, type regedit in the Open box, and then click OK.
- Locate and then click the following registry subkey:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\MSV1_0
- Right-click BackConnectionHostNames, and then click Modify.
- In the Value data box, type the CNAME or DNS alias that is used locally on the computer, and then click OK.
Note: Type each host name on a separate line.
- Exit Registry Editor and restart the computer.
Note: You must restart the computer for the change to take effect.
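The two BackConnectionHostNames procedures above (adding an alias to the multi-string value, and editing the value again to re-enable protection) can be scripted as follows. This is an added example, not code from the Microsoft article; the function names are invented, and the script assumes that re-enabling protection for an SPN means removing that name from the list, so that the value only ever contains the aliases that are currently exempt. It also handles the note in the steps that a leftover REG_DWORD value of the same name must be deleted before the REG_MULTI_SZ can be created. The hostname `sqlalias.corp.example` is constructed for the example.

```powershell
# Added example: manage HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0\BackConnectionHostNames.
# Run as Administrator. Function names are invented for this example.
$Msv1Key   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0'
$ValueName = 'BackConnectionHostNames'

function Get-BackConnectionHostNames {
    # Returns the current list of exempt host names (empty if the value is absent).
    $key = Get-Item -Path $Msv1Key
    if ($key.GetValueNames() -notcontains $ValueName) { return @() }
    $kind = $key.GetValueKind($ValueName)
    if ($kind -ne [Microsoft.Win32.RegistryValueKind]::MultiString) {
        # Per the article's note: a value of the wrong type (e.g. REG_DWORD) must be deleted
        # before a proper multi-string value can be created.
        Write-Warning "$ValueName exists as $kind, not REG_MULTI_SZ; deleting it."
        Remove-ItemProperty -Path $Msv1Key -Name $ValueName
        return @()
    }
    return @($key.GetValue($ValueName))
}

function Set-BackConnectionHostNames {
    # Writes the list; each element is one line in the Registry Editor Value data box.
    param([string[]]$Names)
    $names = @($Names | ForEach-Object { $_.Trim() } | Where-Object { $_ } | Select-Object -Unique)
    $exists = (Get-Item -Path $Msv1Key).GetValueNames() -contains $ValueName
    if ($names.Count -eq 0) {
        if ($exists) { Remove-ItemProperty -Path $Msv1Key -Name $ValueName }
    } elseif ($exists) {
        Set-ItemProperty -Path $Msv1Key -Name $ValueName -Value $names -Type MultiString
    } else {
        New-ItemProperty -Path $Msv1Key -Name $ValueName -PropertyType MultiString -Value $names | Out-Null
    }
    Write-Warning "Restart the computer for the change to take effect."
    return $names
}

function Add-BackConnectionHostName {
    # Disables reflection protection for the named aliases only (the article's recommended approach).
    param([Parameter(Mandatory)][string[]]$HostName)
    return Set-BackConnectionHostNames -Names (@(Get-BackConnectionHostNames) + $HostName)
}

function Remove-BackConnectionHostName {
    # Re-enables reflection protection for the named aliases by removing them from the list.
    param([Parameter(Mandatory)][string[]]$HostName)
    $remaining = @(Get-BackConnectionHostNames | Where-Object { $HostName -notcontains $_ })
    return Set-BackConnectionHostNames -Names $remaining
}

# Audit the current exemptions; uncomment to change them.
"Exempt host names: $((Get-BackConnectionHostNames) -join ', ')"
# Add-BackConnectionHostName -HostName 'sqlalias.corp.example'
# Remove-BackConnectionHostName -HostName 'sqlalias.corp.example'
```

Keeping the exemption list in a script makes it easy to review during audits: every name in BackConnectionHostNames is a name for which reflection protection is off, so the list should contain only the aliases that local applications genuinely need.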