Protect KnownDLL Lookup Table

by Wayne Maples [Published on 20 April 2004 / Last Updated on 20 April 2004]

NT keeps a lookup table of core system DLLs (the KnownDLLs list) so that each one is mapped into memory only once and shared by every process that loads it. On an unpatched system a normal, unprivileged user can modify that in-memory table, which means the system will map an arbitrary DLL of the user's choosing (perhaps a trojan, perhaps simply destructive) in place of the genuine system DLL. The substituted DLL runs in the security context of whichever process loads it, so as soon as an administrator or other privileged account runs a program that uses that DLL, the attacker's code executes with those privileges and can easily gain admin access. To block this hack, set ProtectionMode to 1 as shown below; this tells the Session Manager to apply restrictive permissions to the base system objects it creates at boot, so the change takes effect only after a reboot.

Hive: HKEY_LOCAL_MACHINE
Key: System\CurrentControlSet\Control\Session Manager
Name: ProtectionMode
Type: REG_DWORD
Value: 1

You will see both Session Manager (with a space) and SessionManager under Control; the correct key is the one with the space. Microsoft's original security bulletin pointed to the wrong sub-key. Microsoft's updated bulletin announces a hot-fix and recommends using the hot-fix rather than this registry change. If you read the "Issue" section of the security bulletin carefully, it becomes apparent that the exposure matters most on workstations, and in server environments where pooled servers are serviced from the console by individuals at various access levels (account operators, server operators, backup operators and so on), since the attack needs console access at a lower privilege level than the victim. I strongly recommend applying the hot-fix in that kind of server environment. For others I would recommend waiting for the hot-fix to be integrated into a Service Pack. This is the kind of thing they pay you BIG bucks for: study the issue and make your own call. The "Issue" section of the security alert is the best write-up of the problem.
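The following script is an added example, not part of the original article or of any Microsoft tool. It audits the ProtectionMode value described above (and sets it when run with -Enforce), then walks the KnownDLLs list itself and checks that every entry resolves to a file in the configured DLL directory that carries a valid Microsoft signature, which is the quickest way to notice that a known DLL has been swapped for something else. It assumes a current Windows PowerShell running as Administrator; on an NT-era machine the same value would be set by hand with regedt32. The parameter name -Enforce and the "Microsoft" subject match are this example's own choices.

```powershell
# Added example: audit/enforce ProtectionMode and sanity-check the KnownDLLs list.
# Not from the original article. Run as Administrator; use -Enforce to write the value.
param([switch]$Enforce)

# Note the space in "Session Manager"; the "SessionManager" key is not the one we want.
$smKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$dllKey = Join-Path $smKey 'KnownDLLs'

# 1. ProtectionMode = 1 makes the Session Manager apply strong DACLs to the base
#    objects it creates at boot (including the \KnownDlls object directory).
$mode = (Get-ItemProperty -Path $smKey -Name ProtectionMode -ErrorAction SilentlyContinue).ProtectionMode
if ($mode -eq 1) {
    Write-Host 'ProtectionMode is 1 (protected).'
} else {
    $shown = if ($null -eq $mode) { 'absent' } else { $mode }
    Write-Warning "ProtectionMode is $shown (unprotected)."
    if ($Enforce) {
        New-ItemProperty -Path $smKey -Name ProtectionMode -PropertyType DWord -Value 1 -Force | Out-Null
        Write-Host 'ProtectionMode set to 1; a reboot is required for the Session Manager to apply it.'
    }
}

# 2. Every entry in the KnownDLLs list should be a signed OS binary in DllDirectory.
$props  = Get-ItemProperty -Path $dllKey
$dllDir = if ($props.DllDirectory) { [Environment]::ExpandEnvironmentVariables($props.DllDirectory) } else { "$env:SystemRoot\System32" }

foreach ($valueName in (Get-Item -Path $dllKey).Property) {
    # DllDirectory / DllDirectory32 are configuration values, not DLL entries.
    if ($valueName -in 'DllDirectory', 'DllDirectory32') { continue }

    $fileName = $props.$valueName
    $path     = Join-Path $dllDir $fileName
    if (-not (Test-Path -Path $path)) {
        Write-Warning "$valueName -> $fileName is missing from $dllDir"
        continue
    }

    # Windows system DLLs are usually catalog-signed; Get-AuthenticodeSignature
    # validates catalog signatures on PowerShell 4 and later (older hosts report NotSigned).
    $sig = Get-AuthenticodeSignature -FilePath $path
    if ($sig.Status -ne 'Valid') {
        Write-Warning "$fileName : signature status $($sig.Status)"
    } elseif ($sig.SignerCertificate.Subject -notmatch 'Microsoft') {
        Write-Warning "$fileName : signed by unexpected subject $($sig.SignerCertificate.Subject)"
    } else {
        Write-Host "$fileName : OK"
    }
}
```

Run it once without -Enforce to see the current state, and again with -Enforce after you have decided, per the advice above, that the registry change rather than the hot-fix is the right fix for the machine. A signature warning on a known DLL is worth investigating immediately, since that is exactly the file an attacker would substitute.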
