Ensuring Server SecureNT

Windows NT was designed with security in mind from the start. However, not all the features are activated out of the box. Depending on your environment, you may want to make NT more secure. Here are some suggestions for hardening the security on your NT server.

THE BASICS
The three most important things about security are backup, backup and backup. It's not enough just to make a backup; you need to test your backups. The best time to find out if your tape drive heads are working properly is not during the restore of critical data. To test your tape drive, back up a directory, restore it to a new directory and compare the results. It's the only way to be sure.

Your server requires power. Investing in an uninterruptible power supply can prevent damage to your server and downtime. While this is not often thought of as a security issue, it can be critical for continued operation of your system.

PHYSICAL ACCESS
Your server is a valuable asset. It ought to be in a safe area like any other item of value. People lock up band aids and aspirin and leave the device their business depends on sitting on someone's desk in an open cubicle. If your system's case has a lock, use it. Don't leave the key taped to the case. Don't forget to secure the place where the server is connected to the rest of the network. Watch access to the network cables and hub.

True anecdote: I was asked to help troubleshoot an NT firewall that suddenly stopped working. Packets were going nowhere, undelivered mail and all sorts of problems. The firewall software was reinstalled about 10 times and all sorts of other fixes were attempted. Finally, I discovered that the two Ethernet cables (one for the internal network and one for the Internet) had been switched right at the back of the server so nothing was being routed properly. We ordered an enclosure with locking doors that afternoon. The culprit was never discovered.

CONTROL THE BOOT
An NT server is probably most vulnerable before the operating system is running. NT can't protect itself with restrictions when it's not yet running. With floppy drives on every machine and newer machines supporting removable bootable media such as CD-ROM and ZIP drives, protecting the boot process is becoming more important. Usually the boot sequence can be controlled in the BIOS. Check your BIOS to see if it's looking to floppies or other removable media before the hard drive. Securing this one setting can stop many threats from users who can make boot diskettes. Don't forget to use the password protection in your BIOS to prevent changes.

Another threat is multiple operating systems on a single machine. Never install another OS on a critical machine. Most other PC based operating systems do not feature the security of NT and can compromise your critical files. If you must have multiple systems, consider changing the default timeout setting in boot.ini to zero. This will boot your default OS immediately and make it harder to select another system.

THE FILE SYSTEM
For a secure system, NTFS is the only file system to use. There is no way to protect the FAT system from anyone with a boot diskette. Many people believe that having your boot partition formatted FAT will save time during a crash recovery. Possibly, but if system software is corrupt, you'll still have to boot NT from an emergency repair diskette and replace system files. FAT partitions aren't worth the security risk. It only takes sixty seconds to reboot from a DOS diskette and erase the system directory, crippling your server.

Also, make your boot partition NTFS during installation. The installation programs will set correct protections on all the system files. If you install your boot partition as FAT, then convert it later, protections on these very important files will not be set correctly.

LOGIN TIPS
NT can display a warning notice before users log in, describing the dire consequences for those who use the system without proper authorization. This notice is useful for warning the unauthorized that they are liable for problems they cause. To create the notice, create the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\LegalNoticeCaption

and set the value to the title of the warning box, such as "Unauthorized use is prohibited." Define the

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\LegalNoticeText

key and set the value to whatever warning you want for the content of the box. Both keys are type REG_SZ. Reboot your server to implement your changes.

You can also hide the user name of the last person who logged on to the server. By default, NT displays the name of the last user to log in successfully in the logon dialog box. This usually saves time, but it also exposes account names. Define the registry key

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\WinLogon\DontDisplayLastUserName

and set the value to 1 to hide the name.

PROTECT THE REGISTRY
All the important configuration settings for your server are in the registry. Most changes to the registry are done through the Control Panel or software installation programs. However, the registry may be changed directly with the Registry Editors, REGEDIT and REGEDT32. You can prevent remote changes to the registry by defining the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg.

You may want to restrict access to the Registry Editor executables themselves. By default, execute permission on these files is given to the Everyone group. REGEDIT is located in the %SystemRoot% directory (usually \WINNT) and REGEDT32 is in the %SystemRoot%\System32 directory.

For more security, you can assign permissions on individual registry keys. For instance, you can lock out the Everyone group from installing software by restricting. In REGEDT32, call up the

HKEY_LOCAL_MACHINE\Software

key and select Security, Permissions from the menu. For the Everyone group, leave only the Query Value, Enumerate Subkeys, Notify and Read Control permissions. Be careful not to apply these changes to the entire subtree. Some software may not run correctly.

CLEAR THE PAGE FILE
The system page file is generally very well protected while NT is running. If you are on a machine that boots multiple operating systems, you may want to physically wipe the page file to prevent access from another OS. To wipe the page file at system shutdown, define the key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown

with a value of 1 and a type of REG_DWORD. Of course, this only works during a controlled shutdown.
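An added example, not from the original article: a Python check that reads a REGEDIT export of the server's registry and reports which of the logon-notice, last-user-name and page-file settings described above are missing or not set as recommended. It assumes the export is in REGEDIT4 text format; the sample export is constructed.

```python
import re

# Key paths and value names are the ones this article sets (Windows NT 4.0).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
MEMMGMT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
CHECKS = [  # (key, value name, predicate on parsed data, finding when it fails)
    (WINLOGON, "LegalNoticeCaption", lambda v: str(v).strip() != "", "empty title"),
    (WINLOGON, "LegalNoticeText", lambda v: str(v).strip() != "", "empty text"),
    (WINLOGON, "DontDisplayLastUserName", lambda v: str(v) == "1", "last user shown"),
    (MEMMGMT, "ClearPageFileAtShutdown", lambda v: v == 1, "must be REG_DWORD 1"),
]
VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value name: str | int}}, lower-cased."""
    hive, key = {}, None
    for line in map(str.strip, text.splitlines()):
        m = VALUE.match(line)
        if line.startswith("[") and line.endswith("]"):
            key = hive.setdefault(line[1:-1].lower(), {})
        elif key is not None and m:
            name, data = m.group(1).lower(), m.group(2)
            if data.startswith("dword:"):
                key[name] = int(data[6:], 16)                    # REG_DWORD
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                key[name] = re.sub(r"\\(.)", r"\1", data[1:-1])  # REG_SZ, unescaped
    return hive  # hex(...) data (binary, multi-string) is not parsed here

def audit(text):
    """Return one finding per recommended setting that is missing or wrong."""
    hive, findings = parse_reg(text), []
    for key, name, ok, problem in CHECKS:
        value = hive.get(key.lower(), {}).get(name.lower())
        if value is None:
            findings.append(f"{name}: not set")
        elif not ok(value):
            findings.append(f"{name}: {problem}")
    return findings

# Constructed sample export, not taken from a real server.
SAMPLE = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Unauthorized use is prohibited."
"DontDisplayLastUserName"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
"""
```

Calling `audit(SAMPLE)` returns a finding for every setting except the notice title; an empty list means all four settings match the recommendations.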

STRONG PASSWORDS
Service Packs 2 and 3 allow you to enforce very strong passwords with a new DLL called passfilt. This new filter makes passwords stronger by enforcing the following requirements: passwords cannot include the user name or any part of the full name; passwords must be at least six characters long; passwords must include characters from at least three of four possible types. The types are upper case letters, lower case letters, numerals and non-alphanumeric characters, such as punctuation.

To enable strong passwords, install Service Pack 3 (it's the latest) and modify the registry key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages.

This key will already have a value that must be preserved. Add the string "PASSFILT" to the value, but do not modify the existing value.
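The three PASSFILT requirements listed above, as an added Python example (not Microsoft's filter code and not from the original article), useful for checking candidate passwords before the filter is enabled. The article does not say how the full name is split into "parts", so the example assumes parts are the words of the full name that are three or more characters long, matched case-insensitively; the account is constructed.

```python
import re

MIN_LENGTH = 6   # "at least six characters long"
MIN_TYPES = 3    # "at least three of four possible types"

def char_types(password):
    """Return which of the four character types occur in the password."""
    types = set()
    for ch in password:
        if "A" <= ch <= "Z":
            types.add("upper")
        elif "a" <= ch <= "z":
            types.add("lower")
        elif "0" <= ch <= "9":
            types.add("digit")
        else:
            types.add("other")  # anything that is not an ASCII letter or digit
    return types

def name_parts(full_name, min_len=3):
    """Assumption: a 'part' is a word of the full name with min_len+ characters."""
    return [w for w in re.split(r"[^a-z0-9]+", full_name.lower()) if len(w) >= min_len]

def violations(password, username, full_name):
    """Return the list of rules the password breaks (empty list = acceptable)."""
    lowered, found = password.lower(), []
    if len(password) < MIN_LENGTH:
        found.append("shorter than six characters")
    if len(char_types(password)) < MIN_TYPES:
        found.append("fewer than three character types")
    if username and username.lower() in lowered:
        found.append("contains the user name")
    if any(part in lowered for part in name_parts(full_name)):
        found.append("contains part of the full name")
    return found

# Constructed account for trying the rules out.
USER, FULL = "jsmith", "Jane Smith"

if __name__ == "__main__":
    for candidate in ("Summer99", "password", "Ab1!", "smith2024!", "JSmith#7"):
        print(candidate, violations(candidate, USER, FULL) or "ok")
```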

C2 SECURITY
NT has been tested to the National Computer Security Center's Trusted Computer System Evaluation Criteria (TCSEC) C2 security rating, generally the highest level of protection available in off-the-shelf software. The C2 criteria are pretty complete and if you are interested in making NT C2 compliant, you can use the C2CONFIG utility included in the NT Server Resource Kits. C2CONFIG tests about 20 different parameters on your system and reports on their status. For example, if you haven't disabled the Guest account, it tells you and offers the option of disabling it. It's a useful tool for a quick security tuneup.

You can't really set the proper level of security until you determine what your site needs. Turning all the security features on may not be the answer. There's no point in making security so restrictive that users actively look for ways to circumvent protections just to make their jobs easier. You don't want users writing down hard-to-remember passwords or using co-workers' logins because they can't get access to the files they need.
