Paging file not cleared at shutdown

nt-clearpage (216) The risk level is classified as Low

Description:

The Windows NT paging file is not cleared at shutdown. This file can contain sensitive information, and should be cleared upon shutdown if required by your security policy. Some versions of the Novell NetWare authentication module store the username and password in plaintext, and this information can be extracted from the paging file.


Consequences:

Obtain Information

Remedy:

Configure the system to clear the paging file at shutdown. In Windows NT, this requires an edit to the registry. In Windows 2000, set the Clear virtual memory pagefile when system shuts down option. Follow the steps below appropriate for your system.

For Windows NT:

CAUTION: Use Registry Editor at your own risk. Any change using Registry Editor may cause severe and irreparable damage and may require you to reinstall your operating system. Internet Security Systems cannot guarantee that problems caused by the use of Registry Editor can be solved.

  1. Open the Registry Editor. (From the Windows NT Start menu, select Run, type regedt32, and click OK.)
  2. Go to the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management registry key.
  3. Double-click the ClearPageFileAtShutdown value to display the DWORD Editor.
  4. Change the Data value to 1 and click OK.
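The same registry change can be audited and applied from a script. The following is an added example, not part of the original advisory or any ISS tooling. It assumes a Windows system where PowerShell is available. The function name Set-ClearPageFileAtShutdown is hypothetical; the key path and value name are the ones given in the steps above.

```powershell
# Added example: audit and optionally enforce ClearPageFileAtShutdown.
# Key path and value name come from the advisory; the function name is hypothetical.
function Set-ClearPageFileAtShutdown {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Report the current state only; make no change.
        [switch]$AuditOnly
    )

    $key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management'
    $name = 'ClearPageFileAtShutdown'

    # A missing or non-DWORD value is treated as non-compliant here.
    $item      = Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue
    $current   = if ($null -ne $item) { $item.$name } else { $null }
    $compliant = ($current -is [int]) -and ($current -eq 1)

    $result = [pscustomobject]@{
        Computer  = $env:COMPUTERNAME
        Value     = if ($null -eq $current) { '<not set>' } else { $current }
        Compliant = $compliant
        Changed   = $false
    }

    if ($compliant -or $AuditOnly) { return $result }

    # Writing under HKEY_LOCAL_MACHINE needs an elevated session.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        throw "Administrator rights are required to change $name."
    }

    if ($PSCmdlet.ShouldProcess("$key\$name", 'Set DWORD to 1')) {
        # Set-ItemProperty creates the value if absent; -Type DWord keeps it REG_DWORD.
        Set-ItemProperty -Path $key -Name $name -Value 1 -Type DWord
        $result.Value     = 1
        $result.Compliant = $true
        $result.Changed   = $true
    }
    return $result
}

# Report only; drop -AuditOnly (optionally add -WhatIf) to remediate.
Set-ClearPageFileAtShutdown -AuditOnly
```

The change applies from the next shutdown onward; the current paging file contents are not cleared until then.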


For a Windows 2000 domain:

  1. Start Microsoft Management Console (MMC).
  2. Add Group Policy Snap-in.
  3. Browse Group Policy Objects.
  4. Select the Domain Policy of interest.
  5. Traverse the following path:
    Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, Clear virtual memory pagefile when system shuts down.
  6. Set the Clear virtual memory pagefile when system shuts down option to the desired setting, according to your administration policy.

For a stand-alone Windows 2000 computer:

  1. On the computer of interest, start gpedit.msc. The focus is local computer by default.
  2. Traverse the following path:
    Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options, Clear virtual memory pagefile when system shuts down.
  3. Set the Clear virtual memory pagefile when system shuts down option to the desired setting according to your administration policy.

Platforms Affected:

  • Microsoft Windows 2000
  • Microsoft Windows 2003 Server
  • Microsoft Windows NT 4.0
  • Microsoft Windows XP

Reported:

Not available

The information within this database may change without notice. Use of this information constitutes acceptance for use in an AS IS condition. There are NO warranties, implied or otherwise, with regard to this information or its use. Any use of this information is at the user's risk. In no event shall the author/distributor (IBM Internet Security Systems X-Force) be held liable for any damages whatsoever arising out of or in connection with the use or spread of this information.

For corrections or additions please email xforce@iss.net
