Evaluating the security of an NT system. Includes security tips, logging options, and more.
Windows NT Security Check Part I
by slash
tcsh@b0f.i-p.com
Introduction
------------
What do you do when you are faced with evaluating the security of a Windows NT system?
The only option is to go through the configuration of the system by hand. Although this
can be a daunting task, it gets a little easier if you follow the steps provided here.
This discussion gives quick steps for analyzing the basic security of a server.
Short Tips
----------
The following settings form the basis of a well-secured system. They apply to any NT
machine, not only to a network server.
- All drives on the system must be formatted with the NT File System (NTFS), not FAT. FAT
has no access control lists, so file permissions and file auditing are impossible on a FAT
volume; the convert utility can change a FAT volume to NTFS in place. To check a drive's
file system in Windows NT 4.0, right-click the drive and choose Properties.
- The Security Log should not overwrite old events. To check this, open the Event Viewer and
choose Log Settings from the Log menu. The option called "Do Not Overwrite Events (Clear Log
Manually)" should be enabled. Combine it with a generous Maximum Log Size and regular
archiving: once a log set this way fills up, new events are dropped until it is cleared.
- Check your logs daily. They tell you a lot about whether an intruder tried to break in.
Note that a fresh NT 4.0 installation audits nothing: enable an Audit Policy (User Manager,
Policies menu, Audit), at least failed Logon and Logoff, or the Security Log stays empty.
- Do not allow blank passwords. An account with no password lets an attacker straight into the
system, and from there gaining administrator privileges is easy. To check this, open User
Manager for Domains, choose Account from the Policies menu and, under Minimum Password Length,
switch from "Permit Blank Password" to "At Least x Characters" and give a value for x.
- Disable the Guest account. In User Manager, double-click the Guest account and put a check
mark in "Account Disabled." An enabled Guest account means getting hacked; leave it enabled only
if that is absolutely necessary.
- Disable NetBIOS over TCP/IP network bindings wherever you can (Control Panel, Network,
Bindings tab).
- Block all non-essential TCP/IP ports at the router or firewall, especially UDP 137 and 138
and TCP 139 (the NetBIOS name, datagram and session services). This keeps outsiders from
browsing shares and enumerating accounts over a null session, and spares you some DoS attacks.
Logging Options
---------------
Another good thing is to enable Account Lockout (User Manager, Policies menu, Account) to stop
unauthorized users from getting in by guessing or brute-forcing passwords. For optimum
security, never run the server with this option disabled. Set the following options as
appropriate:
- Lockout after x bad logon attempts: set x to 3 or 4.
- Reset count after x minutes: set this to about 20 minutes, so that a few mistyped passwords
spread over a day do not add up to a lockout.
- Forcibly disconnect remote users from server when logon hours expire: set this to end
after-hours sessions and to drop connections from machines that were left logged on.
- Users must log on in order to change password: set this so that a user whose password has
expired cannot log on and change it; the administrator has to reset it instead.
Keep in mind that lockout cuts both ways: anyone who knows your account names can lock them
out on purpose, so keep the reset window short and prefer a finite Lockout Duration over
"Forever" for ordinary user accounts.
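The checks from the two lists above, collected into one script as an added example that is not part of the original article. It uses only the things the article's settings map to: the registry value behind the Event Viewer log setting, net accounts, net user and netstat, all of which exist on NT 4.0 as well as on current Windows. PowerShell itself is not available on NT 4.0, so there the same commands have to be run and read by hand. The function name Invoke-NtSecurityCheck and the pass/fail thresholds (lock out after at most 4 bad logons, minimum password length of at least 1) are this example's own choices, derived from the article's advice.

```powershell
# Added example (not from the original article): audit the "Short Tips" and
# "Logging Options" settings with built-in tools. Function name and thresholds
# are this script's own choices.
function Invoke-NtSecurityCheck {
    # Findings are collected as strings; an empty list means every check passed.
    $findings = New-Object System.Collections.Generic.List[string]

    # 1. Every fixed drive (DriveType 3) must be NTFS; FAT has no ACLs and no auditing.
    Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=3' | ForEach-Object {
        if ($_.FileSystem -ne 'NTFS') {
            $findings.Add("$($_.DeviceID) is formatted $($_.FileSystem), not NTFS")
        }
    }

    # 2. Security log: "Do Not Overwrite Events" is stored as Retention = 0xFFFFFFFF
    #    under the event log service key. Get-ItemProperty hands a REG_DWORD back as
    #    a signed Int32, so the value reads as -1; both forms are accepted here.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\EventLog\Security'
    $secLog = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if ($null -eq $secLog) {
        $findings.Add("Could not read $key")
    } elseif ($secLog.Retention -ne -1 -and $secLog.Retention -ne 0xFFFFFFFF) {
        $findings.Add("Security log Retention is '$($secLog.Retention)'; set 'Do Not Overwrite Events'")
    }

    # 3. Account policy from `net accounts`. Lines look like
    #    "Lockout threshold:                  Never"; anything else is ignored.
    $policy = @{}
    foreach ($line in (net accounts)) {
        if ($line -match '^(.+?):\s{2,}(.+)$') { $policy[$matches[1].Trim()] = $matches[2].Trim() }
    }
    if ($policy.Count -eq 0) {
        $findings.Add('net accounts returned nothing; run from an administrative prompt')
    } else {
        if ([int]$policy['Minimum password length'] -lt 1) {
            $findings.Add('Blank passwords are permitted (minimum password length is 0)')
        }
        $threshold = $policy['Lockout threshold']
        if ($threshold -eq 'Never' -or [int]$threshold -gt 4) {
            $findings.Add("Lockout threshold is '$threshold'; lock out after 3 or 4 bad logons")
        }
        if ($policy['Force user logoff how long after time expires?'] -eq 'Never') {
            $findings.Add('Remote users are not disconnected when their logon hours expire')
        }
    }

    # 4. Guest must be disabled: `net user guest` prints "Account active    No".
    $guest = net user guest 2>$null
    if ($guest -match '^Account active\s+Yes') { $findings.Add('The Guest account is enabled') }

    # 5. NetBIOS over TCP/IP: the binding should be off on every IP-enabled adapter
    #    (TcpipNetbiosOptions 2 = disabled) and nothing should be open on UDP 137/138
    #    or listening on TCP 139.
    Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled=TRUE' |
        Where-Object { $_.TcpipNetbiosOptions -ne 2 } |
        ForEach-Object { $findings.Add("NetBIOS over TCP/IP is not disabled on '$($_.Description)'") }
    $sockets = netstat -an
    foreach ($port in 137, 138) {
        if ($sockets -match "^\s*UDP\s+\S+:$port\s") {
            $findings.Add("UDP $port (NetBIOS name/datagram service) is open")
        }
    }
    if ($sockets -match '^\s*TCP\s+\S+:139\s+\S+\s+LISTENING') {
        $findings.Add('TCP 139 (NetBIOS session service) is listening')
    }

    return ,$findings
}

$result = Invoke-NtSecurityCheck
if ($result.Count -eq 0) { 'No findings.' } else { $result | ForEach-Object { "FINDING: $_" } }

# Remediation with the same tools, from an administrative prompt
# (/forcelogoff:0 disconnects as soon as logon hours end):
#   net accounts /minpwlen:8 /lockoutthreshold:3 /lockoutwindow:20 /forcelogoff:0
#   net user guest /active:no
```

The NetBIOS test reports both the binding and the actual sockets, because a blocked binding on one adapter says nothing about a second adapter or about what a border router lets through; the netstat view is what an outsider sees if no filter sits in front of the host.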
User Accounts
-------------
After you have set up the domain accounts, check the status of each user account and group
in User Manager. Check these options:
- Check the password options. May the user change the password? Does the password never
expire? Is the account disabled? If it is disabled, has the user left the company? If so,
consider removing the account.
- Click the Groups button to determine which groups the user belongs to. Is membership in these
groups appropriate for the user? What rights and permissions does the user obtain from the
groups? What access does the group have to other domains?
- Click the Hours button to evaluate the times that the user can access the network. Make sure
no one can log on after hours if that is your policy.
- Click the Logon To button to evaluate which computers the user can log on to. Make sure
that no one can log on from a computer in an unsupervised area.
- Check for old user accounts and remove them (net user <name> prints the date of the last
logon, which User Manager does not show directly).
- When setting up temporary accounts be sure to set an expiration date for the account, and
assign rights and permissions carefully.
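The per-account questions above, as an added example script that is not from the original article. It reads each account with net user, whose output carries the same fields the User Manager buttons show (Account active, Account expires, Password expires, User may change password, Last logon, Logon hours allowed, Workstations allowed, group memberships), and reports what deserves a second look. The function names, the 90-day staleness cutoff and the -TemporaryAccounts parameter are assumptions of this example, not anything the article specifies; the last-logon date is parsed in the system locale that net user prints in.

```powershell
# Added example (not from the original article): review every account against
# the article's checklist using `net user` output. Names and thresholds below
# are this script's own choices.
$StaleDays = 90   # assumption: no logon in 90 days counts as an old account

function Get-NetUserFields([string]$Name) {
    # Parses `net user <name>` into a hashtable keyed by the label column, e.g.
    # "Account active               Yes". Values that wrap onto indented
    # continuation lines (group memberships) are appended to the previous label.
    $fields = @{}; $last = $null
    foreach ($line in (net user $Name 2>$null)) {
        if ($line -match '^(\S.*?\S)\s{2,}(.*)$') {
            $last = $matches[1]; $fields[$last] = $matches[2].Trim()
        } elseif ($last -and $line -match '^\s+(\S.*)$') {
            $fields[$last] += ' ' + $matches[1].Trim()
        }
    }
    $fields
}

function Get-AccountNames {
    # `net user` lists names in columns after a dashed rule, up to the closing message.
    $names = @(); $inList = $false
    foreach ($line in (net user)) {
        if ($line -match '^-{10,}') { $inList = $true; continue }
        if ($line -match '^The command completed') { break }
        if ($inList -and $line.Trim()) { $names += ($line -split '\s{2,}' | Where-Object { $_ }) }
    }
    $names
}

function Get-AccountReview([string]$Name, [switch]$Temporary) {
    $f = Get-NetUserFields $Name
    if ($f.Count -eq 0) { return $null }
    $issues = @()
    if ($f['Account active'] -eq 'No')           { $issues += 'disabled: remove it if the user has left' }
    if ($f['Password expires'] -eq 'Never')      { $issues += 'password never expires' }
    if ($f['User may change password'] -eq 'No') { $issues += 'user cannot change own password' }
    if ($Temporary -and $f['Account expires'] -eq 'Never') { $issues += 'temporary account with no expiry date' }
    $lastLogon = $f['Last logon']
    if ($lastLogon -eq 'Never') { $issues += 'has never logged on' }
    else {
        try {
            if ([datetime]::Parse($lastLogon) -lt (Get-Date).AddDays(-$StaleDays)) {
                $issues += "no logon in the last $StaleDays days"
            }
        } catch { $issues += "unparsable last logon '$lastLogon'" }
    }
    if ($f['Logon hours allowed'] -eq 'All')  { $issues += 'no logon-hours restriction' }
    if ($f['Workstations allowed'] -eq 'All') { $issues += 'may log on from any workstation' }
    # Hashtable keys are case-insensitive, so the differing capitalisation of the
    # two group labels in net user output does not matter.
    $groups = "$($f['Local Group Memberships']) $($f['Global Group memberships'])".Trim()
    if ($groups -match '\*Administrators\b|\*Domain Admins\b') { $issues += 'member of an administrators group' }
    [pscustomobject]@{
        Name      = $Name
        Enabled   = ($f['Account active'] -eq 'Yes')
        LastLogon = $lastLogon
        Groups    = $groups
        Issues    = ($issues -join '; ')
    }
}

function Invoke-AccountReview([string[]]$TemporaryAccounts = @()) {
    foreach ($n in Get-AccountNames) {
        Get-AccountReview -Name $n -Temporary:($TemporaryAccounts -contains $n)
    }
}

Invoke-AccountReview -TemporaryAccounts 'contractor1' | Format-Table -AutoSize -Wrap

# Fixes with the same tool (add /domain to act on domain accounts from a member machine):
#   net user contractor1 /expires:12/31/25     expiry date, in the system's date format
#   net user jdoe /times:M-F,8am-6pm           the Hours button
#   net user jdoe /workstations:WS01,WS02      the Logon To button
#   net user olduser /delete                   remove a stale account
```

Run it as it stands on a member machine and it reviews the local accounts; on a domain controller the same commands report the domain accounts. An account in an administrators group that also has "no logon-hours restriction" and "may log on from any workstation" is the combination worth chasing first.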
Conclusion
----------
In this issue I explained how to improve security by taking care of user accounts and logging
options. Follow the steps one by one to help secure your server. If you don't take care of your
system, who will? In the next issue I am planning to explain user rights on an NT system, give
you some short tips about user groups and help you set up the Administrator account for the best
performance and security. Feel free to discuss any of these topics on the Default webboard (http://net-security.org/webboard.htm).
More to come in Part II of "Windows NT Security Check"
Default newsletter (http://default.net-security.org)