Microsoft Product Support Services   All Products  |   Support  |   Search  |   microsoft.com Home  
microsoft.com
  Support Home  |   Self Support  |   Assisted Support  |   Custom Support  |

OFF2000: No Prompt Opening Web Folder with Internet Explorer Security Set for Logon Prompt


The information in this article applies to:
  • Microsoft Office 2000
  • Microsoft Windows 2000 Server
  • Microsoft Windows 2000 Advanced Server
  • Microsoft Windows 2000 Professional
  • Microsoft Windows Millennium Edition


SYMPTOMS

When you open a Web folder or a Network Place to a location on the Internet or an intranet, there is no logon prompt that requests your user name and password. This happens even though you configure your Microsoft Internet Explorer security settings to prompt for your user name and password.


CAUSE

This problem occurs when the following conditions are true:

  • You create a Web folder or a Network Place to an Internet location or intranet location.


  • Microsoft Internet Explorer version 5.x is installed on your computer.


  • In Internet Explorer, you click Internet Options on the Tools menu, and then click the Security tab to set the Logon under User Authentication to Prompt for user name and password.


  • One of the following is true:


    • Office 2000 is installed on your computer, and you are using Web folders.

      -or-


    • Your computer is running Microsoft Windows 2000 or Microsoft Windows Millennium Edition (Me).



RESOLUTION

Microsoft has released a patch that eliminates a security vulnerability in a component that is included with Microsoft Office 2000, Windows 2000, and Windows Me. Download and install the appropriate patch, according to your situation listed later in this article.

If an Office 2000 Family Product Is Installed on Your Computer

To correct this problem, download and install the Web Client Security Update for Office 2000.

For additional information about how to obtain and install this update, click the article number below to view the article in the Microsoft Knowledge Base:
Q285338 OFF2000: Web Client Security Update for Office 2000 Available

If Your Operating System Is Windows Millennium Edition Without an Office 2000 Family Product Installed

To correct this problem, follow these steps to download and install the Web Extender Client (WEC) Security Update for Windows Me from the Microsoft Download Center:
  1. Click the following file name to download the file:


  2. [GRAPHIC: ]Download 282132usam.exe now
  3. When prompted, save 282132usam.exe to your Desktop folder.


  4. After 282132USAM.EXE is downloaded, double-click 282132usam.exe. Click Yes to agree to the license agreement. Click OK after installation of the patch is complete.


For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.

If Your Operating System Is Windows 2000 Without an Office 2000 Family Product Installed

To correct this problem, follow these steps to download and install the Windows 2000 Security Patch from the Microsoft Download Center:
  1. Click the following file name to download the file:


  2. [GRAPHIC: ]Download Q282132_w2k_sp2_x86_en.exe now
  3. When prompted, save Q282132_w2k_sp2_x86_en.exe to your Desktop folder.


  4. After Q282132_w2k_sp2_x86_en.exe is downloaded, double-click Q282132_w2k_sp2_x86_en.exe. Click Yes to agree to the license agreement. Click OK after installation of the patch is complete.


For additional information about how to download Microsoft Support files, click the article number below to view the article in the Microsoft Knowledge Base:
Q119591 How to Obtain Microsoft Support Files from Online Services
Microsoft used the most current virus detection software available on the date of posting to scan this file for viruses. Once posted, the file is housed on secure servers that prevent any unauthorized changes to the file.


STATUS

Microsoft has confirmed this to be a problem in the Microsoft products listed at the beginning of this article. This problem has been fixed in the Microsoft Web Client Security Updates.


MORE INFORMATION

The Web Extender Client (WEC) is a component that is included with Office 2000, Windows 2000, and Windows Me. WEC allows Internet Explorer (IE) to view and publish files via Web folders, similar to viewing and adding files in a directory through Windows Explorer. Due to an implementation flaw, WEC does not respect the IE Security settings regarding when NTLM authentication is to be performed. Instead, WEC performs NTLM authentication with any server that requests it. If a user establishes a session with a malicious user's Web site, either by browsing to the site or by opening an HTML e-mail that initiates a session with it, an application on the site could capture the user's NTLM credentials. The malicious user could then use an offline brute force attack to derive the password, or, with specialized tools, could submit a variant of these credentials in an attempt to access protected resources.

The vulnerability would only provide the malicious user with the cryptographically protected NTLM authentication credentials of another user. It would not, by itself, allow a malicious user to gain control of another user's computer or to gain access to resources to which that user has authorized access. In order to leverage the NTLM credentials (or a subsequently cracked password), the malicious user would have to be able to remotely log on to the target system. However, best practices dictate that remote logon services be blocked at border devices, and if these practices are followed, they would prevent an attacker from using the credentials to log on to the target system.

For more information about the Web Client Security Update for Office 2000, please browse to the following Microsoft Security Bulletin:

http://www.microsoft.com/technet/security/bulletin/ms01-001.asp

An Example of the Problem

  1. If your operating system is Microsoft Windows 98, Windows 95, or Windows NT 4.0 Workstation with Office 2000 installed, follow these steps to add a Web folder:

    1. On the Desktop, double-click My Computer.


    2. Double-click Web Folders.


    3. Double-click Add Web Folder.


    4. Type the name of an intranet Web folder, click Next, and then click Finish.


    If your operating system is Windows Me or Windows 2000, follow these steps to add a Web folder:

    1. On the Desktop, double-click My Network Places.


    2. Double-click Add Network Place.


    3. Type the name of an intranet Web folder, click Next, and then click Finish.




  2. Start Microsoft Word, and save a document to the Web folder that you created in the previous step.


  3. Start Microsoft Internet Explorer.


  4. Click Internet Options on the Tools menu.


  5. Click the Security tab.


  6. Click Local Intranet, and then click Custom Level.


  7. Click Prompt for User Name and Password under Logon of User Authentication (at bottom of list), and then click OK.


  8. Click Yes when you are prompted to change the security settings for that zone, and then click OK.


  9. Close Internet Explorer, and the focus should return to the Web Folders folder or Network Places folder.


  10. Double-click the Web folder or Network Place that you created in step 1, and then open the document created in step 2.


  11. You can open the Word document from the Web folder without any logon prompt. You should be prompted to log on to the Web folder before opening the Word document.

How to Determine That the Patch Is Installed

Note that the Fp4awec.dll file in the Program Files\Common Files\Microsoft Shared\Web Server Extensions\40\bin folder is updated to version 4.0.2.4715 after the Web Client Security Update for Office 2000 is installed. Right-click the Fp4awec.dll file from Windows Explorer, and then click the Version tab to confirm the version information.

Additional query words: front page pra OFF2000

Keywords : kbdta
Issue type : kbbug
Technology : kbwin2000AdvServ kbwin2000AdvServSearch kbwin2000S kbwin2000Ssearch kbwin2000Search kbwin2000ProSearch kbwin2000Pro


Last Reviewed: January 29, 2001
© 2001 Microsoft Corporation. All rights reserved. Terms of Use.


Article ID: Q282132

Last Reviewed:
January 29, 2001

Send to a friend

Provided by
Microsoft Product Support Services


Did the information in this article help answer your question?

Yes
No
Did not apply

Please provide additional comments about this information.
(255 character max)