Downgrade Attack


Hugo Leijtens

Dear all,

4 days before deploying Windows XP over the entire
company we get a problem (big company...). Actually quite
a big one. On one of the machines we get a 40960 and a
40961 error. It tells me that a "downgrade attack" has
been attempted and the user's account has been
automatically locked out.
This by itself is not that big a problem. Unlock the user
account and we are ready to roll.
The problem is the following. After unlocking the user
account everything was normal except for one thing. The
content of a share to a member server (which also has an
open application pointing to that share) is not visible.
All other content of every other share, also on the same
server is visible.

Logging off is not the solution, and neither is restarting
the netlogon server. A reboot is the only thing as far
as we know.

My question is actually not why I can't see the shares. I
think it is because something went wrong in the
authentication process and the session to that share was
corrupted.

My question is how can I stop the "downgrade attack". I
do not know what a downgrade attack is, and therefore I
cannot stop it. The user account should not be locked.

I hope anyone can help. If you want more information you
can always email me directly!

With kind regards,

Hugo Leijtens
System Engineer

MCSE NT
MCSE W2K
Windows XP certified
etc, etc, etc...
 
Thanks for the reply.
As for your reply, it has been useful. Downgrade attacks
occur (also) with SMB signing.

Could it be possible that due to an incorrect signing
(for example explicit secure signing) a timeout occurs
and due to the long time window the server thinks that
it's being spoofed, and therefore the connection blocks
and the account locks?

Another question arises: could it be solved by NOT
digitally signing the SMB packets (within the GPO)?

I know there was a problem with Windows XP SP1 and W2k
SBS with SP3 with the secure signing which caused the
XP machines to lose their network connections. The solution
for that was to disable digitally signing SMB.

Looking forward to your vision on this.

With kind regards,

Hugo Leijtens
 
Hugo,

Sorry, I have no "vision", nor knowledge and/or experience of these
issues. I would suggest, though, that you might get more assistance on a
newsgroup focusing on networking. Although maybe the same experts hang
out here also and you won't have to cross post.

Good luck. I hope you can sort it. I can appreciate the pressure you
are under to sort this.
 
Hi Hugo,

I believe you are now on the right track. The issue you
mentioned as affecting SBS2k at SP3 with XP SP1 clients
actually affected any W2k pre-SP4 with XP SP1 clients
(without further patches). You should make sure that the
target server policies on SMB signing, secured communications,
and schannel can be met with the policies set on the XP client.
Also, be careful about changing the XP client to use FIPS-
compliant cryptographic algorithms, and make sure that the
timesync is working correctly forestwide (although that one
would show as a Kerberos error).
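The last reply's advice, that the server's SMB signing policy must be one the XP client's policy can meet, can be checked before a rollout instead of discovered through lockouts. The script below is an added example written for this thread; it is not code from any of the posters or from Microsoft. It encodes the classic SMB1 signing negotiation matrix for the two policy values each side carries (EnableSecuritySignature, which corresponds to the "Digitally sign communications (if server/client agrees)" policies, and RequireSecuritySignature, which corresponds to "Digitally sign communications (always)"). Those registry value names are real; the client policy and the three server names fed into it are constructed for illustration.

```python
"""Check whether an SMB client signing policy can negotiate a session with
each target server's signing policy (SMB1 semantics).

Added example for the thread above; not code from the posters or from
Microsoft. Registry value names are the real Windows names; the sample
client policy and server list at the bottom are constructed.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class SigningPolicy:
    # EnableSecuritySignature: "Digitally sign communications (if ... agrees)"
    enable: bool
    # RequireSecuritySignature: "Digitally sign communications (always)"
    require: bool

    @property
    def level(self) -> str:
        """Collapse the two flags into the three effective states."""
        if self.require:          # "always" implies signing is enabled
            return "required"
        return "enabled" if self.enable else "disabled"

    @classmethod
    def from_registry(cls, values: dict) -> "SigningPolicy":
        # values as read from HKLM\SYSTEM\CurrentControlSet\Services\
        #   LanmanWorkstation\Parameters (client) or
        #   LanmanServer\Parameters (server); a missing value means 0
        return cls(
            enable=bool(values.get("EnableSecuritySignature", 0)),
            require=bool(values.get("RequireSecuritySignature", 0)),
        )


def negotiate(client: SigningPolicy, server: SigningPolicy) -> str:
    """Return 'signed', 'unsigned' or 'fail' for one client/server pair.

    SMB1 rules:
      * a side that requires signing refuses a peer with signing disabled;
      * if either side requires signing, or both have it enabled, the
        session is signed;
      * otherwise the session is set up without signing.
    """
    c, s = client.level, server.level
    if (c == "required" and s == "disabled") or (s == "required" and c == "disabled"):
        return "fail"
    if "required" in (c, s) or (c == "enabled" and s == "enabled"):
        return "signed"
    return "unsigned"


def audit(client: SigningPolicy, servers: dict) -> dict:
    """Map each server name to the negotiation outcome against the client."""
    return {name: negotiate(client, policy) for name, policy in servers.items()}


def incompatible(client: SigningPolicy, servers: dict) -> list:
    """Servers the client can never connect to under the given policies."""
    return sorted(name for name, outcome in audit(client, servers).items()
                  if outcome == "fail")


# Constructed sample: an XP client GPO that sets
# "Microsoft network client: Digitally sign communications (always)",
# checked against three hypothetical member servers.
XP_CLIENT = SigningPolicy.from_registry(
    {"EnableSecuritySignature": 1, "RequireSecuritySignature": 1})
SERVERS = {
    "fileserver-a": SigningPolicy.from_registry(
        {"EnableSecuritySignature": 1, "RequireSecuritySignature": 0}),
    "legacy-app-server": SigningPolicy.from_registry(
        {"EnableSecuritySignature": 0, "RequireSecuritySignature": 0}),
    "dc01": SigningPolicy.from_registry(
        {"EnableSecuritySignature": 1, "RequireSecuritySignature": 1}),
}

if __name__ == "__main__":
    for name, outcome in audit(XP_CLIENT, SERVERS).items():
        print(f"{name:20s} {outcome}")
    print("cannot connect:", incompatible(XP_CLIENT, SERVERS))
```

Run as-is it lists the outcome per server and flags the server whose signing is disabled as unreachable for a client that requires signing. The useful output is the `fail` rows: those are the combinations that are refused at session setup, which is the mismatch the last reply tells the poster to rule out; `unsigned` rows are the ones to tighten once the rollout is stable.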
 
