VID 28044
Severity 20
Port 139,445
Protocol TCP
Class SMB
Detailed Description The Windows system is configured not to clear the system page file during shutdown, which might leave sensitive information recorded in the file.
The page file is the temporary swap file that Windows NT/2000 uses to manage memory and improve performance. However, some third-party programs may store unencrypted passwords in memory, and other sensitive data may be cached as well. This file should be cleared upon shutdown if required by your security policy.

* Warning: This security feature on the Windows 2000 platform prevents the pages from being read by another process. Changing this value can degrade the performance of your computer.

* Note: This check requires an account with Guest or higher privileges that can access the registry of the remote host being scanned. If these conditions are not met, the check is not performed, which produces a false negative for all vulnerable hosts.

* References:
http://support.microsoft.com/default.aspx?scid=kb;[LN];182086
http://www.labmice.net/articles/securingwin2000.htm

* Platforms Affected:
Windows 2000 Any version
Windows NT Any version
Recommendation Configure the system to clear the paging file at shutdown. In Windows NT, this requires an edit to the registry. In Windows 2000, set the "Clear virtual memory pagefile when system shuts down" option. Follow the steps below appropriate for your system.

For Windows NT:
1. Open the Registry Editor. (From the Windows NT Start menu, select Run, type regedt32, and click OK.)
2. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management registry key.
3. Change the value of the ClearPageFileAtShutdown entry to 1 (DWORD).

For a Windows 2000 domain:
1. Start Microsoft Management Console (From the DOS prompt, type "mmc").
2. Add Group Policy Snap-in.
3. Browse Group Policy Objects.
4. Select the Domain Policy of interest.
5. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
6. Set the "Clear virtual memory pagefile when system shuts down" option to the desired setting.

For a stand-alone Windows 2000 computer:
1. From the DOS prompt on the affected computer, start gpedit.msc. The focus is local computer by default.
2. Traverse the following path:
Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options.
3. Set the "Clear virtual memory pagefile when system shuts down" option to the desired setting.
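
Added example (not part of the original advisory or the scanner's own check): a PowerShell function, run from a management workstation, that reads the ClearPageFileAtShutdown value over the remote registry and reports an unreadable host separately from a non-compliant one, so an access failure is not counted as a pass. The function name, output fields and host names are hypothetical, and a missing value is treated as not set.

```powershell
# Added example: audit ClearPageFileAtShutdown over the remote registry.
# Assumes PowerShell 3.0 or later on the auditing workstation.
function Get-PageFileClearStatus {
    param([Parameter(Mandatory)][string[]]$ComputerName)

    $subKey = 'System\CurrentControlSet\Control\Session Manager\Memory Management'
    foreach ($computer in $ComputerName) {
        $status = 'CheckNotPerformed'   # default until a value is actually read
        $value = $null; $detail = $null; $hklm = $null; $key = $null
        try {
            # Needs the Remote Registry service and read access on the target.
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey(
                [Microsoft.Win32.RegistryHive]::LocalMachine, $computer)
            $key = $hklm.OpenSubKey($subKey)
            if ($null -eq $key) {
                $detail = 'Memory Management key not found'
            } else {
                $value = $key.GetValue('ClearPageFileAtShutdown', $null)
                if ($null -eq $value) {
                    # Assumption: an absent value means clearing is not enabled.
                    $status = 'NotCompliant'; $detail = 'Value absent'
                } elseif ($value -eq 1) {
                    $status = 'Compliant'
                } else {
                    $status = 'NotCompliant'
                }
            }
        } catch {
            # Access denied or host unreachable: report it, never as a pass.
            $detail = $_.Exception.Message
        } finally {
            if ($key)  { $key.Close() }
            if ($hklm) { $hklm.Close() }
        }
        [pscustomobject]@{
            ComputerName = $computer
            Status       = $status
            Value        = $value
            Detail       = $detail
        }
    }
}

# Constructed host names, for illustration only:
# Get-PageFileClearStatus -ComputerName 'HOST-A','HOST-B' |
#     Where-Object { $_.Status -ne 'Compliant' }
```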
Related URL CVE-1999-0595 (CVE)
Related URL (SecurityFocus)
Related URL 216 (ISS)