Integrity Checking on Secure Channels with Domain Controllers
A fix to NTs Netlogon service has been designed that will allow for integrity checking of secure channels.
When a Windows NT system joins a domain, a machine account is created.
Thereafter, when the system boots, it uses the password for that account to
create a secure channel with the domain controller for its domain. Requests sent
on the secure channel are authenticated, and sensitive information (such as
passwords) is encrypted, but the channel is not integrity checked. A fix to
Windows NT 4.0 Netlogon service has been designed that will allow for integrity