Windows NT Security Guide

This document provides a list of configuration changes which enhance the security of a Windows NT 4 system.


Auditing
  1. Enable auditing. Launch the User Manager application. Select Audit... from the Policies menu. Select the following events for auditing:

    Event                                Success        Failure
    Logon and Logoff                        X              X
    File and Object Access                  X              X
    Use of User Rights                      X              X
    User and Group Management               X              X
    Security Policy Changes                 X              X
    Restart, Shutdown, and System           X              X
    Process Tracking                        X              X
    
  2. Configure log parameters. Launch the Event Viewer. Select Log Settings... from the Log menu. Make the following changes:

    Change Settings for: Security Log
    Maximum Log Size: 8192 kbytes
    Event Log Wrapping: Overwrite Events as Needed

  3. Enable encryption of the SAM database with the SYSKEY command:

    syskey -l

    See KB Article Q143475 for more details.


  4. Registry Settings

    Many of the Registry settings can be controlled through the System Policy Editor which is much friendlier than the Registry Editor. The System Policy Editor actually sets up a policy file (rather than directly changing the Registry) and that file can be applied throughout the domains you manage. The settings are shared automatically if you name the file NTCONFIG.POL and place it in the NETLOGON share directory in the primary and backup domain controllers.

    The ntsg.reg file contains items 1-11, 18, and 20.

    Microsoft has released a tool that installs tighter permissions on three sets of registry values. The default permissions could allow a malicious user to gain additional privileges on a machine that they can interactively log onto.

    1. The name of a valid user could be useful to intruders who see it displayed on the logon screen.

      Set the Registry value of DontDisplayLastUsername to 1.

      Hive: HKEY_LOCAL_MACHINE\SOFTWARE
      Key: \Microsoft\Windows NT\CurrentVersion\Winlogon
      Name: DontDisplayLastUserName
      Type: REG_SZ
      Value: 1
      

      Also in the same location in the Registry, delete the entry DefaultPassword if it is present.

    2. Set the logon message to warn unauthorized users. Edit the string LegalNoticeCaption with a short caption and the string LegalNoticeText with the notice itself.
      Hive: HKEY_LOCAL_MACHINE\SOFTWARE
      Key: \Microsoft\Windows NT\CurrentVersion\Winlogon
      
      LegalNoticeCaption:
      WARNING

      LegalNoticeText:

      To protect the system from unauthorized use and to ensure that the
      system is functioning properly, activities on this system are monitored and
      recorded and subject to audit. Use of this system is expressed consent to such
      monitoring and recording. Any unauthorized access or use of this Automated
      Information System is prohibited and could be subject to criminal and civil
      penalties.
      
      Source: CIAC-2317 Windows NT Network Security: A Manager's Guide

    3. Disable caching of logon credentials. Set the CachedLogonsCount key to 0.
      Hive: HKEY_LOCAL_MACHINE\SOFTWARE
      Key: \Microsoft\Windows NT\CurrentVersion\Winlogon
      Name: CachedLogonsCount
      Type: REG_SZ
      Value: 0
      
    4. Secure the event logs. Set the RestrictGuestAccess key to 1.
      Hive: HKEY_LOCAL_MACHINE\System
      Key: \CurrentControlSet\Services\EventLog\[LogName]  (one entry for each log: Application, Security, System)
      Name: RestrictGuestAccess
      Type: REG_DWORD
      Value: 1
      
    5. Restrict anonymous logon. Set the RestrictAnonymous key to 1.
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: \CurrentControlSet\Control\LSA
      Name: RestrictAnonymous
      Type: REG_DWORD
      Value: 1
      
    6. Ensure server responds to clients with message signing only. Set the RequireSecuritySignature key to 1.
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: \CurrentControlSet\Services\LanManServer\Parameters
      Name: RequireSecuritySignature
      Type: REG_DWORD
      Value: 1
      
    7. Set client so it can only communicate with servers that support message signing. Set RequireSecuritySignature key to 1.
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: \CurrentControlSet\Services\Rdr\Parameters
      Name: RequireSecuritySignature
      Type: REG_DWORD
      Value: 1
      
    8. Disable LanManager password hash support. Set the LMCompatibilityLevel key to 2.
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: \CurrentControlSet\Control\LSA
      Name: LMCompatibilityLevel
      Type: REG_DWORD
      Value: 2
      
    9. Audit use of the Scheduling service. Set the SubmitControl key to 1.
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: \CurrentControlSet\Control\LSA
      Name: SubmitControl
      Type: REG_DWORD
      Value: 1
      
    10. Enforce strong passwords. Add PASSFILT to the Notification Packages entry.
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: CurrentControlSet\Control\LSA
      Name: Notification Packages
      Type: REG_MULTI_SZ 
      Value: PASSFILT
      

      You will need to use regedt32 to make this change. Remove the data 'FPNWCLNT' if it is present.

      Passwords must contain characters from at least three (3) of the following four (4) classes:

      1. English upper case letters A, B, C, ... Z
      2. English lower case letters a, b, c, ... z
      3. Westernized Arabic numerals 0, 1, 2, ... 9
      4. Non-alphanumeric ("special characters") such as punctuation symbols

      Passwords may not contain your user name or any part of your full name.

    11. Disable the CD AutoRun feature which launches an application from a CD when it is first inserted into the drive:
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: CurrentControlSet\Services\Cdrom
      Name: AutoRun
      Type: REG_DWORD 
      Value: 0
      

    12. Restrict non-Administrators write access for the command key in the NT registry:
      Hive: HKEY_LOCAL_MACHINE\SOFTWARE
      Key: Classes\regfile\shell\open\command 
      Security Permissions: Restrict non-Administrators write access
      

    13. Restrict remote registry access:
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: CurrentControlSet\Control\SecurePipeServers\winreg
      Security Permissions: Restrict access for the Everyone group
      

    14. Restrict access to the scheduler key which can be used to raise the Server Operator's access level to Administrator:
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: CurrentControlSet\Services\Schedule
      Security Permissions: Remove write access for Server Operator
      

    15. Remove Server Operator write access to the winlogon key, which can be used to raise a Server Operator's access level to Administrator:
      Hive: HKEY_LOCAL_MACHINE\SOFTWARE
      Key: Microsoft\Windows NT\CurrentVersion\Winlogon
      Security Permissions: Remove Server Operator write access
      

    16. Disable the OS/2 subsystem which can allow a process to persist across logins by deleting:
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: CurrentControlSet\Control\Session Manager\SubSystems
      Name: Os2
      

    17. Disable the POSIX subsystem which makes it possible to create a file with a lower case name which will be found in a search prior to a file with an upper case name by deleting:
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: CurrentControlSet\Control\Session Manager\SubSystems
      Name: Posix 
      

    18. Clear the pagefile at shutdown to remove any sensitive information:
      Hive: HKEY_LOCAL_MACHINE\SYSTEM
      Key: CurrentControlSet\Control\Session Manager\Memory Management
      Name: ClearPageFileAtShutdown
      Type: REG_DWORD 
      Value: 1
      

    19. Remove interactive user write access to the DCOM RunAs value:
      Hive: HKEY_LOCAL_MACHINE\SOFTWARE
      Key: Classes\AppID
      Security Permissions: Remove INTERACTIVE Set, Create, and Write permissions.
      Select the option to replace permissions on existing subkeys.
      

    20. Disable DCOM which can be used to execute commands remotely:
      Hive: HKEY_LOCAL_MACHINE\SOFTWARE
      Key:  Microsoft\Ole
      Name: EnableDCOM
      Type: REG_SZ
      Value: N
      

    21. Restrict access to the performance monitor:
      Hive: HKEY_LOCAL_MACHINE\SOFTWARE
      Key:  Microsoft\Windows NT\CurrentVersion\Perflib
      Security Permissions: Allow read/write for Administrators and System only.
      

    22. Disable the administrative shares such as C$ and ADMIN$:
      Hive: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer
      Key:  Parameters
      Name: AutoShareServer
      Type: REG_DWORD
      Value: 0
      
      Hive: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer
      Key:  Parameters
      Name: AutoShareWks
      Type: REG_DWORD
      Value: 0
      

      Source: NTBugTraq
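The Registry items above are easiest to verify from an export rather than by clicking through regedt32 on every machine. The following script is an added example, not part of this guide and not the ntsg.reg file it mentions: it parses a REGEDIT4-format export and reports every checked setting that is missing or differs from the value the guide asks for. It covers a subset of the list (items 1, 3 through 8, 10, 11, 18 and 20, plus the DefaultPassword check from item 1). The export text embedded in it is constructed for illustration, and the treatment of hex(7) data as 8-bit ANSI (UTF-16LE when every odd byte is NUL) is this example's assumption about the export format.

```python
"""Added example (not part of the original guide): audit a REGEDIT4 export
against a subset of the Registry settings listed above (items 1, 3-8, 10, 11,
18 and 20).  Export the hives with regedit and feed the text to audit().
SAMPLE_EXPORT below is constructed for illustration."""
import re

HKLM = "HKEY_LOCAL_MACHINE"
WINLOGON = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa"
SERVICES = HKLM + r"\SYSTEM\CurrentControlSet\Services"

# (key, value name) -> expected data in the normalised form parse_reg() returns
# (REG_SZ as-is, REG_DWORD as a decimal string), so the exported type does not matter.
EXPECTED = {
    (WINLOGON, "DontDisplayLastUserName"): "1",
    (WINLOGON, "CachedLogonsCount"): "0",
    (SERVICES + r"\EventLog\Application", "RestrictGuestAccess"): "1",
    (SERVICES + r"\EventLog\Security", "RestrictGuestAccess"): "1",
    (SERVICES + r"\EventLog\System", "RestrictGuestAccess"): "1",
    (LSA, "RestrictAnonymous"): "1",
    (SERVICES + r"\LanManServer\Parameters", "RequireSecuritySignature"): "1",
    (SERVICES + r"\Rdr\Parameters", "RequireSecuritySignature"): "1",
    (LSA, "LMCompatibilityLevel"): "2",
    (SERVICES + r"\Cdrom", "AutoRun"): "0",
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management",
     "ClearPageFileAtShutdown"): "1",
    (HKLM + r"\SOFTWARE\Microsoft\Ole", "EnableDCOM"): "N",
}

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def decode_data(raw):
    """Turn the right-hand side of a .reg value line into a string or a list."""
    if raw.startswith('"') and raw.endswith('"'):
        return raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    if raw.lower().startswith("dword:"):
        return str(int(raw[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw, re.I)
    if m:
        data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        if m.group(1) == "7":  # REG_MULTI_SZ: NUL-separated strings, double NUL at the end
            # Assumption: REGEDIT4 exports are 8-bit ANSI; UTF-16LE if every odd byte is NUL.
            wide = len(data) % 2 == 0 and not any(data[1::2])
            text = data.decode("utf-16-le" if wide else "latin-1")
            return [s for s in text.split("\x00") if s]
        return data.hex()
    return raw


def parse_reg(text):
    """Parse a REGEDIT4 export into {(key, value name): data}; both lower-cased."""
    values, key = {}, None
    for line in re.sub(r"\\\r?\n[ \t]*", "", text).splitlines():  # join hex continuation lines
        line = line.strip()
        if not line or line.startswith(";") or line.upper() == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = VALUE_LINE.match(line)
        if key is not None and m:
            name = (m.group(1) or "").replace('\\\\', '\\').replace('\\"', '"')
            values[(key, name.lower())] = decode_data(m.group(2))
    return values


def audit(export_text):
    """Return a list of findings; an empty list means every checked setting complies."""
    values = parse_reg(export_text)
    findings = []
    for (key, name), want in EXPECTED.items():
        got = values.get((key.lower(), name.lower()))
        if got is None:
            findings.append(f"MISSING  {key}\\{name}: not set (want {want!r})")
        elif got != want:
            findings.append(f"MISMATCH {key}\\{name}: got {got!r}, want {want!r}")
    pkgs = values.get((LSA.lower(), "notification packages"), [])
    pkgs = [p.upper() for p in ([pkgs] if isinstance(pkgs, str) else pkgs)]
    if "PASSFILT" not in pkgs:
        findings.append("MISSING  PASSFILT is not in Lsa\\Notification Packages")
    if "FPNWCLNT" in pkgs:
        findings.append("MISMATCH FPNWCLNT is still in Lsa\\Notification Packages")
    if (WINLOGON.lower(), "defaultpassword") in values:
        findings.append("MISMATCH Winlogon\\DefaultPassword is present (delete it)")
    return findings


# Constructed export: partly hardened, with several deliberate deviations.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"CachedLogonsCount"="10"
"DefaultPassword"="changeme"
"LegalNoticeCaption"="WARNING"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"LMCompatibilityLevel"=dword:00000000
"Notification Packages"=hex(7):46,50,4e,57,43,4c,4e,54,00,50,41,53,\
  53,46,49,4c,54,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"RestrictGuestAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"RequireSecuritySignature"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom]
"AutoRun"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

Run against the constructed export it reports seven findings: the two event logs without RestrictGuestAccess, the missing Rdr signing value, the cached-logon count and LMCompatibilityLevel mismatches, the FPNWCLNT entry that the guide says to remove, and the stored DefaultPassword. Comparing normalised strings rather than Registry types keeps the check useful whether a value was set by regedt32 as REG_SZ or by a policy file as REG_DWORD.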
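Item 10 describes the rule the PASSFILT notification package applies but does not show how it behaves on borderline input. The function below is an added example, written for this page and not the DLL's own code: it implements exactly the two stated rules (three of the four character classes, and no occurrence of the user name or a part of the full name) so they can be tried offline. Treating each whitespace-separated token of the full name as a "part" and matching case-insensitively are this example's assumptions, since the guide does not define them.

```python
"""Added example (not part of the original guide, and not the PASSFILT code):
the password complexity rule item 10 above describes, re-implemented so it can
be tested offline.  Assumptions: each whitespace-separated token of the full
name is a "part", and all name matching is case-insensitive."""
import string

ALPHANUMERIC = string.ascii_letters + string.digits


def character_classes(password):
    """Count how many of the four classes (upper, lower, digit, other) appear in password."""
    present = (
        any(c in string.ascii_uppercase for c in password),  # English upper case letters
        any(c in string.ascii_lowercase for c in password),  # English lower case letters
        any(c in string.digits for c in password),           # Westernized Arabic numerals
        any(c not in ALPHANUMERIC for c in password),        # punctuation and anything else
    )
    return sum(present)


def password_acceptable(password, user_name, full_name=""):
    """Return (accepted, reason) following the rules stated in item 10."""
    if character_classes(password) < 3:
        return False, "uses fewer than three of the four character classes"
    lowered = password.lower()
    if user_name and user_name.lower() in lowered:
        return False, "contains the user name"
    for part in full_name.split():  # assumption: "any part" = each whitespace-separated token
        if part.lower() in lowered:
            return False, "contains part of the full name: " + part
    return True, "ok"


if __name__ == "__main__":
    # Constructed account and candidate passwords for illustration.
    for candidate in ("Tr0ub4dor&3", "troubadour", "Smith2024!", "jsmith#2001"):
        print(candidate, password_acceptable(candidate, "jsmith", "John Smith"))
```

Note that with these assumptions a one-letter token in the full name (an initial, say) rejects almost every password; the guide does not say how short a "part" may be, so a deployment would have to decide that for itself.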

File Permissions

Format the C: drive for NTFS. Change permissions on \WINNT, all its subdirectories, and the files in the root directory to:
           Admin: Full Control
        Everyone: Read
          System: Full Control
   Creator/Owner: Full Control

A FAT partition can be converted to NTFS using the following command (substitute the letter of the drive to convert):

    convert C: /fs:ntfs


Services

  1. Disable all non-essential services from the Services Control Panel.

  2. Disable all non-essential shares such as C$.

  3. Install the latest Service Pack and Security Fixes for all installed services.

  4. If the SNMP service is required, take the following steps to control access to SNMP information. These settings are available with SP4 and later.

    To configure the SNMP service go to:

       "Control Panel" -> "Network" -> "Services" -> "SNMP Service"

    From this window, select the "Security" tab. Once within the Security tab, the security settings of each community name can be configured. It is recommended that each community name be configured READ ONLY unless otherwise required.

    The permissions on the SNMP registry key allow "Everyone" access by default. This access allows any system user to obtain the community names utilized by the SNMP service. The permissions on this registry key should also be set more strictly by the Administrator. Ensure that only Administrator and other authorized users can access the contents of the following registry key:

    Hive : HKEY_LOCAL_MACHINE
    Key  : System\CurrentControlSet\Services\SNMP\Parameters
    

    Ensure that the community name is changed from the default "public" community name to a more obscure name.

    Source: NAI Security Advisory #30

User Accounts

  1. Verify that the Guest account is disabled.

  2. In User Rights, remove the following items from the listed resource:

    Item(s)                       Resource
    All except Administrators     Logon locally
    Everyone, Guests, Users       Shut down the system
    Everyone, Guests              Access this computer from the Network

  3. Add Backup Operators to Access this computer from the Network.

Time Synchronization

  1. Download the XNTP release for Windows NT.

  2. Unzip the package and execute the install.bat script.

  3. Use the Services control panel to make NTP autostart and either reboot or manually start it.


Resources

  Windows NT Auditing Tools

  Microsoft Security Advisor

  Microsoft Windows NT Server Support

  Navy Secure Windows NT Installation and Configuration Guide

  NSA Windows NT Security Guidelines

  NTBugTraq Hotfix Database

  SANS Windows NT Security: Step-by-Step

  Microsoft Internet Information Server 4.0 Security Checklist