Abstract
This chapter helps you strengthen your out-of-the-box security with Windows NT systems. Although it doesn’t contain everything you could possibly consider, it does serve as a great way to get started. Performing the recommended actions presented here will definitely leave you with a much safer NT system. This checklist was compiled by Rob Davis with the help and advice of several other people, as well as information found on Microsoft’s Web site.
INTRODUCTION
As you know, Microsoft's Windows NT operating system provides several security features. However, the default out-of-the-box configuration is highly relaxed, especially on the Workstation product, and you really should tighten it further upon installation.
As you have learned in this book, one particular installation's security requirements can differ significantly from another's. Therefore, you should evaluate your particular environment and requirements before implementing a security configuration. Remember that implementing security settings can affect system configuration. Certain applications installed on Windows NT may require more relaxed settings to function properly because of the nature of the product. You are therefore advised to carefully evaluate any recommendations in the context of your system configurations and usage.
If you install a Windows NT machine as a Web server or a firewall, you should definitely tighten up the security on that box. A system exposed to an untrusted network, such as the Internet, is more likely to be attacked than those that are not.
Although this checklist cannot be implemented in its entirety on all systems, it does offer some sound advice in a consolidated resource for many system configurations. Let's begin by going over some physical security items to check, and then proceed to harden the operating system itself.
Reminder: After you've finished securing your system, be sure to update your Emergency Repair Disk(s) in case you need them.
PHYSICAL SECURITY CONSIDERATIONS
Let's start with physical security, because it's equally important in the grand scheme of things. With physical security issues, use common sense and take the same precautions you take with any other piece of valuable equipment.
Use Locks and other Forms of Protection
Protect your network and its components against casual theft. This step can include locking the computer room when it's not in use or attaching a lockable cable to the unit and securing it to a wall. You might also establish procedures for moving or repairing the computer so that the computer or its components cannot be taken under false pretenses.
Next, consider using a surge protector or power conditioner to protect the computer and its peripherals from power spikes. Perform regular disk scans and defragmentation to isolate bad sectors and to maintain the highest possible disk performance.
You may want to keep unauthorized users away from the power and reset switches on the computer, particularly if your computer's rights policy denies them the right to shut down the computer. The most secure computers (other than those in locked and guarded rooms) expose only the computer's keyboard, monitor, mouse, and (when appropriate) printer to users. The CPU and removable media drives can be locked away where only specifically authorized personnel can access them. Use long extension cables so the video, keyboard, and mouse cables can be passed into a less-secure area for proper system access.
Make Backups
Regular backups protect your data from hardware failures and honest mistakes as well as providing virus recovery abilities.
Obviously, files must be read to be backed up, and they must be written to be restored. Therefore, backup privileges should be limited to administrators and backup operators, people whom you trust with Read and Write access on all system files.
Contain Networks
Containing the network completely in a secure building minimizes the risk of unauthorized taps. If the cabling must pass through unsecured areas, use optical fiber links rather than twisted-pair wiring. This step helps foil attempts at tapping the network cables to collect data.
Restrict the Boot Process
Most personal computers today can start a number of different operating systems. For example, even if you normally start Windows NT from the C drive, someone could start another version of Windows from another drive, including a floppy or CD-ROM drive. If so, security precautions you have taken with your normal version of Windows NT could be circumvented.
In general, you should install only those operating systems that you know you need. For example, don't load Windows 95 on the same system as Windows NT, because you don't need both, and loading both compromises security. The same logic holds true for multiple copies of NT on the same system.
For a highly secure system, consider removing the floppy drives and CD-ROM. In some computers, you can disable booting from the floppy drive by setting switches or jumpers on the system motherboard.
If the CPU is in a locked area, away from the keyboard and monitor, nobody can add drives or change hardware settings to make it possible to boot from another operating system. Another great way to limit access is to edit the boot.ini file so that the boot timeout is 0 seconds; it is then a little more difficult to boot to another system, but not impossible.
On many hardware platforms, the system can be protected using a power-on password. A power-on password prevents unauthorized personnel from booting any operating system without the correct password. Power-on passwords are a function of the computer hardware, not the operating system software itself. Therefore, the procedure for setting up the power-on password depends on the type of computer, but you can usually find it in the system BIOS settings.
HARDENING YOUR NT OPERATING SYSTEM
This section explains how to further secure the operating system itself after installation. Be sure to use caution when performing changes to the registry, because mistakes can lead to an unbootable system.
A checklist for each of these tasks is at the end of this Appendix. Where a task includes several subtasks, a shorter checklist incorporating each subtask is included in the text.
Install Latest Service Packs and Hot-Fixes
Install the latest recommended Microsoft Service Pack for the NT operating system if at all possible. Once you have done this, install the necessary hot-fixes as well. In some cases, not all hot-fixes are necessary, but if you are not sure, load them all. Remember that the order in which hot-fixes are installed is very important; later hot-fixes sometimes supersede earlier hot-fixes. Be sure to pay attention to the date and time stamps on the files listed on Microsoft's FTP site (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes) and install them in chronological order.
Protect Files and Directories
NTFS provides more security features than the FAT system; therefore, you should use NTFS whenever security is a concern. The only reason to use FAT is for the boot partition of an ARC-compliant RISC system such as a DEC Alpha. A little-known fact is that a system partition using FAT can be secured in its entirety using the Secure System Partition command on the Partition menu of the Disk Administrator utility.
Among the files and directories you need to protect on any partition are those that make up the operating system software itself. The standard set of permissions on system files and directories provides a reasonable degree of security without interfering with the computer's usability. For high-level security installations, however, you might also set directory permissions on all subdirectories and existing files as shown in the following list immediately after Windows NT is installed. Be sure to apply permissions to parent directories before applying permissions to subdirectories.
Several critical operating system files exist in the root directory of the system partition on Intel 80486- and Pentium-based systems. In high-security installations, you should seriously consider assigning permissions as follows:
To view these files in File Manager, choose the By File Type command from the View menu, then select the Show Hidden/System Files check box in the By File Type dialog box.
Reviewing the permissions on the various partitions to ensure that they have been properly secured, per your changes, is extremely important. To check the permissions, use Explorer or a specialized tool such as Somarsoft's DumpACL.
Limit Access to Services and NetBios from the Internet
For a standalone Web server or firewall system, consider the guidelines in this section for NT services.
You should not start the services listed in the accompanying table.
Special Note: After you stop the Workstation and Server services, you cannot perform most administrative functions. Install these two services and start them up when you need them, but be certain to stop and disable them before the system is used openly on the network. Also note that some applications (such as Raptor's EagleNT Firewall) may require that the Workstation and/or Server service be running. In this case you may also need a network protocol associated with the service, so be certain not to choose TCP/IP; use NETBIOS instead.
Reconsider Using Alerter and Messenger Services
The Alerter and Messenger services let a user (or a service, such as a printer service) send messages to administrators or other users to alert them to problems; these messages appear in a window on the user's desktop. These services may be an unnecessary risk because they have been used in social engineering attacks, such as requesting a user's password. Don't laugh, it happens! Some users actually respond to a request to change their password, create a share, or otherwise open holes in the network. A side effect of running this service is that it causes the name of the current user to be broadcast in the NetBIOS name table, which gives an attacker a valid user name to use in brute-force intrusion attempts.
Unbind Unnecessary Services
Disable the NetBIOS Interface, Server, and Workstation network bindings from the "WINS Client (TCP/IP)" unless the service is required for a specific application. Whenever possible, use the Bindings feature in the Network application in Control Panel to unbind any unnecessary services from any network adapter cards connected to the Internet. For example, you might use the Server service to copy new images and documents from computers in your internal network, but you might not want remote users to have direct access to the Server service from the Internet. In this case, you may require the Server service to work correctly on your private network, but not on the public network side. Therefore, you should disable the Server service binding to any network adapter cards connected to the Internet or other public (or untrusted) networks.
By removing the NetBIOS binding to the TCP/IP protocol, the native file-sharing services (using the Server and Workstation services) will not be accessible via TCP/IP network and the Internet. Other NetBIOS-related services are accessible via other protocols if any are installed and already bound to NetBIOS.
Obscure the Administrative Accounts
It's a great idea to disable the built-in Administrator account, because this account is incredibly dangerous to leave available for use. The best practice is to assign Administrative-level permissions and rights to an account that is a member of the Administrators group, and then remove all rights and permissions from the built-in Administrator account. Do this using User Manager and Explorer.
The reason for disabling the Administrator account is that any intruder worth his salt knows that this account exists by default on all NT systems. Therefore, it's a likely target of attack. Intruders may spend days, weeks, or even months trying to gain access to that account, but if you cripple it, even a successful break-in gives them access only to a useless account.
Besides obscuring administrative accounts, consider the following changes:
Remove the "Log on from the network" right from the Administrators group as a whole
Add the "Log on from the network" right for individual accounts that require administrative access
Adjust user account policies to lock out users after more than three failed logon attempts
Require passwords to be exactly seven characters in length for maximum strength (because of the algorithm Microsoft uses to encrypt NT passwords, this length is the hardest to crack)
Display Legal Notices at Logon
Windows NT can display a message dialog box with the text of your choice when a user logs on. Many organizations use this message box to display a warning message that notifies users that they can be held legally liable if they attempt to use the computer without proper authorization. The absence of such a notice could be construed as an invitation, without restriction, to enter and browse the system. Consult with your attorney as to the best wording.
You can use the logon notice in special scenarios, such as when NT serves as an information kiosk. In this case, users might need instructions for supplying a user name and password for the appropriate account. This message dialog box could supply that information in addition to legal notices.
To display a legal notice on your NT system, use the Registry Editor to create or assign the following registry key values:
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: LegalNoticeCaption
Data Type: REG_SZ
Value: Title shown on the logon notice dialog box
Hive: HKEY_LOCAL_MACHINE
Key: SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Name: LegalNoticeText
Data Type: REG_SZ
Value: Text shown in the logon notice dialog box
Here's a sample notice:
You have reached the XYZ Corporation Network
This system is for the use of Authorized Users only. Activity on this network may be monitored and recorded.
If you do not agree to be monitored and recorded, or if this act is illegal in your place of origin, you must log off immediately.
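The two Winlogon values above can be set and then verified from a script rather than by hand in the Registry Editor. The following is an added example, not code from the original chapter; it assumes a current Windows host (where the same Winlogon values still control the logon notice), an elevated session, and uses the chapter's sample notice as constructed input.

```powershell
# Added example: set the LegalNoticeCaption / LegalNoticeText values and read
# them back to confirm a logon notice is actually in force. Run elevated.
$WinlogonKey = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Set-LogonLegalNotice {
    param(
        [Parameter(Mandatory)] [string] $Caption,
        [Parameter(Mandatory)] [string] $Text
    )
    # -Force creates each REG_SZ value if absent and overwrites it otherwise.
    New-ItemProperty -Path $WinlogonKey -Name 'LegalNoticeCaption' `
        -PropertyType String -Value $Caption -Force | Out-Null
    New-ItemProperty -Path $WinlogonKey -Name 'LegalNoticeText' `
        -PropertyType String -Value $Text -Force | Out-Null
}

function Test-LogonLegalNotice {
    # Read the values back. A notice is only useful if both the caption and
    # the text are present and non-blank, so report that as a single flag.
    $props   = Get-ItemProperty -Path $WinlogonKey -ErrorAction SilentlyContinue
    $caption = [string]$props.LegalNoticeCaption
    $text    = [string]$props.LegalNoticeText
    [pscustomobject]@{
        Caption    = $caption
        TextLength = $text.Length
        Configured = (-not [string]::IsNullOrWhiteSpace($caption)) -and
                     (-not [string]::IsNullOrWhiteSpace($text))
    }
}

# Constructed sample input, modelled on the notice shown in the chapter.
$caption = 'You have reached the XYZ Corporation Network'
$text = @'
This system is for the use of Authorized Users only. Activity on this
network may be monitored and recorded. If you do not agree to be monitored
and recorded, or if this act is illegal in your place of origin, you must
log off immediately.
'@

Set-LogonLegalNotice -Caption $caption -Text $text
Test-LogonLegalNotice | Format-List
```

Run Test-LogonLegalNotice on its own after any later policy change to confirm the notice has not been silently cleared.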