Sie sind auf Seite 1von 2

Celerra Response to Microsoft Security Bulletin MS04-011.

Page 1 of 2

"Celerra Response to Microsoft Security Bulletin MS04-011."


ID: Domain: Usage Count: Class: Conflicts: emc85270 GS Primus Database 34 3.X Compatibility 0 Status: Audience: Owner: Product: Author: Date Created: Modified By: Date Modified: Shared: RCA Status: RCA Cause: Review Frequency: ETA: Bug Tracking Number: NGOE Product/Version: Approved Customer CORP\cadorj (Cadorette, John - E 11/20/00) Celerra File Server, Celerra Network Server CORP\cadorj (Cadorette, John - E 11/20/00) 4/19/2004 CORP\ercolp (Ercolani, Pam - E 8/21/00) 1/19/2010 Yes Not Required None Medium None None None

Goal
Celerra Response to Microsoft Security Bulletin MS04-011.

Fact
Product: Celerra File Server (CFS) Product: CLARiiON CX600 OS: Microsoft Windows 2000 OS: Microsoft Windows XP Protocol: Common Internet File System (CIFS) EMC SW: NAS Code 5.1.20.401 EMC SW: NAS Code 4.1.xx.x EMC SW: NAS Code 4.0.xx.x EMC SW: NAS Code 5.2.x EMC SW: NAS Code 4.x EMC SW: NAS Code 5.x

Symptom
SASSER WORM Virus. There may be System event errors: 3034 (MRxSmb "The redirector was unable to initialize security context or query context attributes.") in Windows System Event Log.

Change
After applying security patch lost access to Celerra. The local Security Policies were changed to use NTLM V2 only.

Cause
Celerra DART does not provide native NTLMv2 support until NAS 5.3.17.x, NAS 5.4 and higher. Additionally, NAS versions 5.1.24.0, 5.2.12.0, and 5.3.4.0 can provide session/passwd NTLMv2 responses to DC's. Prior to these versions, a 'logoff' request would be returned to the Celerra when it tries to negotiate with anything other than NTLM V2.

Fix
On the Windows Client set the policy to use NTLM instead of NTLMV2 [or in Domain Security Policy]: \Start\Programs\Administrative Tools\Local Security Policy\Settings\Security Options\LAN Manager

mhtml:file://D:\EMC\January 2011\Cases\Celerra support for NTLMv2 authentication.... 5/24/2011

Celerra Response to Microsoft Security Bulletin MS04-011.

Page 2 of 2

Authentication Level

and set to NTLM

Allow the machine to negotiate both NTLM and NTLMv2: 1. 2. 3. Start>Run: "Secpol.msc" or Programs>Administrative Tools>Local Security Policy. Expand to "Local Policies" and select the "Security Options" container. Edit the "LAN Manager Authentication Level" value as follows: Change from "Send NTLMv2..." to "Send LM & NTLM responses" NOTE: If this is set somewhere else, such as in the Registry or Domain Policy, it needs to be changed there as well. Open a command prompt and type: "secedit /refreshpolicy machine_policy /enforce" (Windows 2000) -or"gpupdate /force" (Windows XP/2003) Wait for the App.evt SCECli event indicating the policy refresh. Test & Verify

4.

5. 6.

Note
Also see emc84880 CERT Technical Cyber Security Alert TA04104A emc84880 CERT Technical Cyber Security Alert TA04-104A See this solution for related information: emc94062. Celerra now supports the password length of NTLMV2 if a client uses such a password, the Server can forward to the DC for authentication. See AR44353 and AR41591 for more information on patch development to address the issues brought forth with the application of MS04-011 in Windows environments that contain Celerra Servers. SLS Support

mhtml:file://D:\EMC\January 2011\Cases\Celerra support for NTLMv2 authentication.... 5/24/2011