 |
|
|
|
SERVICES SECURITY
|
Windows NT Configuration Guidelines
This document is being published jointly by the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team) and details common Microsoft Windows NT 4.0 configuration problems that have been exploited by intruders and recommends practices for deterring several types of break-ins. We encourage system administrators to review all sections of this document and modify their systems accordingly to fix potential weaknesses.
II. Patches III. Computer Virus Prevention IV. Network Configurations V. Passwords VI. File System and Shares VII. Registry VIII. Audit Logs References I. Installation GuidelinesA minimum installation for NT servers includes NT 4.0, the latest Service Packs, recommended patches and relevant security Hotfixes released by Microsoft. It is not recommended to install more than one copy of Windows NT on the same computer, however if you must, we recommend that the second copy of Windows NT has no users except for the local Administrator and that a strong password be set on this account. There are cases where ACLs created by one of the copies are not protected when another copy is active. When installing Windows NT do not copy the entire root directory and a few other files from one computer to another as each NT installation receives a unique system ID which makes its accounts and group ID's also unique. Making such copies may compromise the entire network's security. Check for ROLLBACK.EXE on the hard disc and if present remove it. ROLLBACK can destroy critical system information including the registry, user account information. To recover from the ROLLBACK.EXE damage the entire system has to be restored from the backup tape, if one is available. Note that Microsoft inadvertently distributed ROLLBACK.EXE with some Windows NT 4.0 releases. II. PatchesThe CERT®/CC and AusCERT continuously receive reports about sites that have been compromised because they have not applied the latest patches. One of the most important tasks of a systems administrator is to keep the most current patches for an operating system and for software installed on a system. Many of these patches fix security vulnerabilities that are well known to intruders.There are two types of patches from Microsoft; Service Packs and Hotfixes. Installing these patches in order is important. Service Packs must be installed before the Hotfixes. These fixes can be found at:
Extensive information about installing the Service Pack can be
found in the readme.htm
file.
Before you install these fixes on critical systems or install them on a large number of devices, test hotfixes to ensure that there is not a conflict with other third party drivers. Details about the order to install hotfixes can be found in the
postspX.txt file, where `X' is the number of the service pack you have
installed. As an example, for Service Pack 5 the file is postsp5.txt.
III. Computer Virus PreventionComputer viruses spread easily through floppy disks, email, or programs downloaded from the Internet. Potential problems range from changing data to reformatting your hard drive. Once created, viruses can spread without help from their creators. You can get them from computers at the office, from using computers at school, or from a document emailed to you by a friend. To protect your systems, we recommend that you install a virus scanning/detecting/cleaning program. Our Computer Virus Resources document links to information about computer viruses, hoaxes, and chain letters. http://www.auscert.org.au/Information/Sources/virus.html Once you start using a virus detection/prevention program, it is very important to keep it up-to-date. New viruses are created continuously, and vendors of virus detection software offer updates to detect them. To get the latest updates, check the manuals or the vendor web page. Some virus detection software allows you to get the updates automatically via the Internet. Make sure you setup the software to schedule these updates at least once a week. We recommend that computers, at the very least, do a quick scan when the system is booted, as programs are loaded into memory, and when new data is detected (from email, removable media). Computers should get a full system scan periodically which can be scheduled to run when the users are away for the evening. Prior to making software available to many machines on a network install it on a stand-alone device and scan it for computer viruses. There have been reports that installation media contained a virus, but was not detected by the software company that distributed the media. Computers that act as servers keep in mind that many files from a wide variety of users pass through it such as email and file/directory sharing. Because of this consider performing frequent scans of areas that users have read and write access to, perform full virus scans before backups, and implement mail and gateway scanning. A good method to prevent large outbreaks of computer viruses in an
organization is user education. This may include having policies and
procedures for downloading software, the transfer of software between
internal machines, how to deal with email attachments (executables, and
documents that may have macros), how and when to run anti-virus
software, and what to do when a virus is detected.
Disable unneeded network protocols and services.
Disable inbound and outbound traffic to your external connections for
TCP and UDP ports 135, 137, 139 and UDP port 138. Blocking these ports
prevents potential intruders from gathering useful information such as
computer names, usernames, and services running on those computers. This
list, from Microsoft Knowledgebase Article Q150543, describes services
available on these ports.
List of Ports Used by Windows NT version 4.0 services: Function Static ports -------- ------------ Browsing UDP:137,138 DHCP Lease UDP:67,68 DHCP Manager TCP:135 Directory Replication UDP:138 TCP:139 DNS Administration TCP:139 DNS Resolution UDP:53 Event Viewer TCP:139 File Sharing TCP:139 Logon Sequence UDP:137,138 TCP139 NetLogon UDP:138 Pass Through Validation UDP:137,138 TCP:139 Performance Monitor TCP:139 PPTP TCP:1723 IP Protocol:47 Printing UDP:137,138 TCP:139 Registry Editor TCP:139 Server Manager TCP:139 Trusts UDP:137,138 TCP:139 User Manager TCP:139 WinNT Diagnostics TCP:139 WinNT Secure Channel UDP:137,138 TCP:139 WINS Replication TCP:42 WINS Manager TCP:135 WINS Registration TCP:137 For additional protection, block ports on individual NT systems using the advanced options in the protocol properties. Start -> Setting -> Control Panel -> Network -> Protocols -> TCP/IP -> Advanced -> Enable Security -> Configure. This could be useful if you have an NT server that is only used as a public web server. You can then block out all TCP ports except 80 (HTTP) and IP protocols 6 (TCP) and 17 (UDP). If you need to run the Internet Information Server (IIS), make sure that you block known vulnerabilities and we recommend IIS runs on a stand-alone machine. The Windows NT Remote Access Service (RAS) allows remote computers to connect to Windows NT RAS servers across a telephone connection or using PPTP protocol over an intranet. If your site requires this service make sure you:
V. PasswordsTo increase the level of security for user accounts, implement password policies. Password policies are set in the User Manager and enable you to change the following:
In Service Pack 2 and higher, better password protection is offered through passfilt.dll. To enable the enhanced password policies, refer to the following Microsoft article:
passfilt.dll imposes the following additional restrictions on passwords:
Use SYSKEY. Syskey enables the private password data stored in the registry to be encrypted using a 128-bit cryptographic key. This is a unique key for each system. For further information on configuring and using syskey, see the following Microsoft Knowledgebase article.
By default, the administrator account is never locked out, so it is generally a target for brute force logon attempts of intruders. It is possible to rename the account in User Manager, but you may wish to lockout the administrator account after a set number of failed attempts over the network. The NT resource kit provides an application called passprop.exe which enables Administrator account lock out except for interactive logons on a domain controller. Another alternative to avoid all accounts belonging to the Administrator group being locked over the network is to create a local account which belongs to the Administrator group, but is not allowed to logon over the network. This account may then be used at the console to unlock the other accounts. Make sure the Guest account is disabled. If this account is enabled, anonymous connections can be made to NT computers. Secure the Emergency Repair Disk as it contains a copy of the entire
Security Access Manager (SAM) database. If a malicious user has access
to the disk he/she may be able to launch a crack attack against it.
Always use NTFS. With NTFS it is possible to define access control to
files and directories.
There are File/Directory ACLs (Access Control Lists) and Share ACLs.
When files are accessed remotely, the most restrictive of the two types
of ACLs is used. For example, if the ACL on a file is set to be READ,
but the share permissions are set for FULL CONTROL the resulting
permission will be READ access. To ensure that both local and remote
connections have the correct ACLs we recommend using NTFS ACLs.
Ensure that Windows NT is the only operating system installed on
machines intended to be servers. The presence of a secondary operating
system may allow NT's security features to be bypassed. Do not install more than one copy of Windows NT on a computer unless
absolutely essential. There are cases where ACLs created by one copy of
the OS do not provide protection when a different copy of the OS is
active.
If you want to prevent sharing on an NT device, do not start the
Server service and Computer Browser service automatically. You can still
browse to other devices if these services are not started, but they
prevent your device from offering file and print sharing services to
others.
If you are sharing directories or printers, make sure that the
permissions are what you expect. By default, when a share is enabled, it
gives Everyone Full Control on the share.
Even if you have proper NTFS file permissions and enable sharing on
directories, replace the share permission for the Everyone group with
the USERS and/or ADMINISTRATORS groups instead.
Be careful of the FULL CONTROL permission for non administrator and
system accounts. The files in a directory can be deleted regardless of
what the file permissions are if users have FULL CONTROL on the
directory. This happens because there is a hidden 'delete child'
permission that is part of the FULL CONTROL permission that allows a
user to delete a file even if the user does not have delete permission
on the file. To prevent this, use any other combination of permissions.
This batch file exemplifies various NTFS permissions that would
better secure the base file system of a standard NT install. It does not
factor in specific applications.
VII. RegistryThis list gives registry settings that administrators may find useful for enhancing the security of an NT system.
ISS has a utility called Any key with TREE next to it means all of the keys that are below it should also have the ACLs set.
VIII. Audit LogsThere are 3 areas where security auditing can be enabled. By default, all security auditing is disabled. All of the logs are viewed through the Event Viewer (Start -> Programs -> Administration Tools -> Event Viewer). The file where the information is stored is located at %systemroot%/winnt/system32/config/security.The audit logs can be configured to take certain actions when the logs are full. One setting enables you to overwrite old events when the log is full. This could result in lost information, but is easy to maintain. Another option is to overwrite the logs after so many days. The third option is to not overwrite any events. This ensures that you do not lose any logging data, but could also be a denial of service issue since once the logs are full the system will not perform any actions that need to be logged. In the last case the logs need to be cleared manually. Keep in mind that not all applications log to the Event Viewer so make sure you know where all the logs are being stored. One example of this is Microsoft Internet Information Server which stores logs in the c:\winnt\system32\logfiles directory.
Type: REG_DWORD Value: 1 By default not all privileges are audited. The following registry setting will also enable auditing of backups and restores, debug programs, traverse checking, and replacing of process level tokens. During backup and restores this will cause a large number of events in the audit logs.
Type: REG_DWORD Value: 1 In high security development environments auditing of base objects should be enabled. After setting this registry value, use User Manger to begin this type of auditing.
Type: REG_DWORD Value: 1
References
This document is available from: http://www.cert.org/tech_tips/win_configuration_guidelines.html Copyright 2000 Carnegie Mellon University
Copyright © 2001-04 Business Network Solutions. All rights reserved. |
