Security and Windows NT

Windows NT is an operating system that has security as one of its basic premises. It is possible to secure a Windows NT host such that it is fairly resistant to cracker attack. What follows is my checklist of the standard basic tasks that should be followed to configure a secure Windows NT system. This is a basic list; more can be done for even more enhanced security, but this list makes a fairly secure system.

I am assuming Windows NT, version 4, service pack 4 or later.  I am also assuming the system may be connected to the Internet.

  1. Disable the guest account.
  2. Make sure all accounts have reasonable passwords.
  3. Make sure the operating system is on an NTFS partition.
  4. Lock down the OS files according to the following:

    Directory: \WINNT and all subdirectories under it.
    Permissions:
      Administrators: Full Control
      CREATOR OWNER: Full Control
      Everyone: Read
      SYSTEM: Full Control

  5. Apply these exceptions to the standard security:

    Directory: \WINNT\REPAIR
    Permissions:
      Administrators: Full Control

    Directory: \WINNT\SYSTEM32\CONFIG
    Permissions:
      Administrators: Full Control
      CREATOR OWNER: Full Control
      Everyone: List
      SYSTEM: Full Control

    Directory: \WINNT\SYSTEM32\SPOOL
    Permissions:
      Administrators: Full Control
      CREATOR OWNER: Full Control
      Everyone: Read
      Power Users: Change
      SYSTEM: Full Control

  6. Also apply these exceptions to the standard security:

    Directories:
      \WINNT\COOKIES
      \WINNT\FORMS
      \WINNT\HISTORY
      \WINNT\OCCACHE
      \WINNT\PROFILES
      \WINNT\SENDTO
      \WINNT\Temporary Internet Files
    Permissions:
      Administrators: Full Control
      CREATOR OWNER: Full Control
      Everyone: Special Directory Access – Read, Write and Execute, Special File Access – None
      SYSTEM: Full Control

  7. Several critical operating system files exist in the root directory of the system partition on Intel-based systems. For added security, you might want to assign the following permissions to these files:

    File: \Boot.ini, \Ntdetect.com, \Ntldr
    C2-Level Permissions:
      Administrators: Full Control
      SYSTEM: Full Control

    File: \Autoexec.bat, \Config.sys
    C2-Level Permissions:
      Everybody: Read
      Administrators: Full Control
      SYSTEM: Full Control

    File: \TEMP directory
    C2-Level Permissions:
      Administrators: Full Control
      SYSTEM: Full Control
      CREATOR OWNER: Full Control
      Everyone: Special Directory Access – Read, Write and Execute, Special File Access – None

  8. Change the default permissions on the following registry keys so that "Everyone" has "Read" access only:
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce
       HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall
  9. Using the Control Panel, Services, Bindings, unbind the "NetBIOS", "Server", and "Workstation" services from the WINS Client (TCP/IP) for the adapter that is connected to the Internet. This will disable Windows File and Printer networking on the adapter that is connected to the Internet.
  10. Disable any unnecessary services. In particular, be careful with the default FTP server that ships with Windows NT version 4. This service, if enabled, should use a special account for anonymous access and should be configured with a home directory that is an entirely separate disk partition. I refer to the following information from Microsoft's Securing Windows NT Installation whitepaper.

    Securing Windows NT Installation

    October 23, 1997

    Microsoft Corporation

    FTP Service

    Windows NT also comes with another standard Internet service called file transfer protocol (FTP). A common use of FTP is to allow public file access via anonymous log on. When configuring FTP server, the administrator assigns the server a user account for anonymous log ons and a default home directory. The default anonymous user account for FTP is GUEST. This should be changed to a different user account and should have a password. Also, this account should not be a member of any privileged groups so that the only default group that shows up in the security token during log on is Everyone. The account should not be allowed "Log on Locally" user right to restrict "insider attacks".

    The home directory parameter should be configured carefully. FTP server exports entire disk partitions. The administrator can only configure which partitions are accessible via FTP but not which directories on that partition. Therefore, a user coming via FTP can move to directories "above" the home directory. Therefore, in general it is recommended that if FTP service needs to run on a system, it is best to assign a complete disk partition as the FTP store, and to make only that partition accessible via FTP.
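
An added example (not from the original page or from Microsoft): a small Python audit that compares cacls-style output against the \WINNT base permissions and the REPAIR and SPOOL exceptions from the checklist above. The output layout, the letter mapping (F, C, R) and the rule that an exception also covers everything beneath its directory are assumptions; rows that use List or special access are not compared.

```python
import re

# Expected ACLs taken from the checklist's \WINNT base rule and its simple
# exceptions, as cacls letters (F = Full Control, C = Change, R = Read).
# None marks a directory whose row uses List, which is not compared here.
POLICY = {
    r"\WINNT": {"ADMINISTRATORS": "F", "CREATOR OWNER": "F",
                "EVERYONE": "R", "SYSTEM": "F"},
    r"\WINNT\REPAIR": {"ADMINISTRATORS": "F"},
    r"\WINNT\SYSTEM32\SPOOL": {"ADMINISTRATORS": "F", "CREATOR OWNER": "F",
                               "EVERYONE": "R", "POWER USERS": "C",
                               "SYSTEM": "F"},
    r"\WINNT\SYSTEM32\CONFIG": None,
}
ACE = re.compile(r"^(.+?):((?:\((?:OI|CI|IO|NP)\))*)(.*)$")

def parse_cacls(path, text):
    """Return {principal: permission} from cacls-style output for path."""
    acl = {}
    for line in text.splitlines():
        line = line.strip()
        if line.upper().startswith(path.upper()):
            line = line[len(path):].strip()   # first line repeats the path
        m = ACE.match(line)
        if m:
            who = m.group(1).split("\\")[-1].upper()  # drop BUILTIN\ etc.
            perm = m.group(3) if m.group(3) in ("F", "C", "R", "N") else "special"
            acl[who] = perm
    return acl

def expected_for(path):
    """Longest matching policy directory wins (assumed: covers subpaths)."""
    rel = path[2:].upper() if path[1:2] == ":" else path.upper()
    hits = [d for d in POLICY if rel == d or rel.startswith(d + "\\")]
    return POLICY[max(hits, key=len)] if hits else None

def audit(path, text):
    """List every deviation of the observed ACL from the checklist."""
    want, have = expected_for(path), parse_cacls(path, text)
    if want is None:          # outside \WINNT, or a row not compared here
        return []
    return sorted(f"{path}: {who} has {have.get(who, 'no entry')}, expected "
                  f"{want.get(who, 'no entry')}"
                  for who in set(want) | set(have)
                  if have.get(who) != want.get(who))

# Constructed sample in the style of cacls output (not captured from a host).
SAMPLE = ("C:\\WINNT\\REPAIR BUILTIN\\Administrators:(OI)(CI)F\n"
          "                Everyone:(OI)(CI)F\n")
```

Calling `audit("C:\\WINNT\\REPAIR", SAMPLE)` reports the extra Everyone entry on the REPAIR directory, which the checklist restricts to Administrators.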

 

Copyright © 1998 Randy Day
Last modified: September 14, 2001