
nt.security.check.part1.txt

Posted Feb 29, 2000
Authored by Slash | Site b0f.com

Evaluating the security of a NT system. Includes security tips, logging options, and more.

SHA-256 | a0766d9e54d84ea3d83a5bb9053d2b3629b6c1e62ee62709fb52e33c6679ae23

Windows NT Security Check Part I

by slash
tcsh@b0f.i-p.com

Introduction
------------

What do you do when you face the task of evaluating the security of a Windows NT system?
The only thing you can do is evaluate the security of the system manually. Although this
can be a daunting task, you will find it a little easier if you follow the steps provided here.
This discussion provides quick steps for analyzing the basic security of a server.


Short Tips
----------

The following settings can serve as the basis for building a very secure system even if they
don't necessarily apply to a network server.

- All drives on the system must be formatted for the NT File System, not the FAT file system.
To check drive status in Windows NT 4.0, right-click on the drive and choose Properties.

- The Security Log should not overwrite old events. To check this, open the Event Viewer and
choose Log Settings from the Log menu. The option called "Do Not Overwrite Events (Clear Log
Manually)" should be enabled.

- Check your logs daily. They tell you a lot if an intruder has tried to break in.

- Do not allow blank passwords. A blank password allows a hacker to get into the system and
easily gain administrator privileges. To check this, open the User Manager for Domains, choose
Account from the Policies menu, and disable Permit Blank Passwords in the Minimum Password
Length field. This requires that you choose the "At Least x Characters" field and specify
a value for x.

- Disable the Guest account. In the User Manager, double-click on the Guest account and put
a check mark on the item called "Account Disabled." Having a Guest account means getting
hacked. Leave it only if that's absolutely necessary.

- Disable NetBIOS over TCP/IP network bindings wherever you can.

- Block all non-essential TCP/IP ports, especially UDP 137 and 138 and TCP 139. This may save
you from some DoS attacks.


Logging Options
---------------

Another good thing is to enable the Account Lockout option to prevent unauthorized users from
attempting to access the system by guessing passwords or brute forcing it. For optimum
security, never run the server with this option disabled. Set the following options as
appropriate:

- Lockout after x bad logon attempts. Set x to 3 to 4.

- Reset Count After x minutes. Set to approximately 20 minutes to avoid unnecessary lockouts.

- Forcibly disconnect remote users from server when logon hours expire. Set this option to
prevent after-hours activities or disconnect systems that were left on.

- User must log on in order to change password. Set this option to prevent users whose passwords
have expired from logging on. The administrator must change the password.
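
The account policy values recommended above can be checked from text instead of the GUI. The
following is an added example, not part of the original article: it parses a constructed sample
modeled on `net accounts` output and reports where it departs from the article's values. The
5 minute tolerance around "approximately 20 minutes" is an assumption.

```python
import re

# Constructed sample modeled on `net accounts` output; not from a real host.
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password length:                              0
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 60
The command completed successfully.
"""

LOCKOUT_RANGE = (3, 4)     # "Set x to 3 to 4"
RESET_TARGET = 20          # "approximately 20 minutes"
RESET_TOLERANCE = 5        # assumption: how far "approximately" stretches


def parse_policy(text):
    """Return {label: value} for each 'label:   value' line."""
    policy = {}
    for line in text.splitlines():
        m = re.match(r"^(.*?):\s{2,}(\S.*)$", line)
        if m:
            policy[m.group(1).strip()] = m.group(2).strip()
    return policy


def number(value):
    """'Never' and 'None' mean the control is off; report them as 0."""
    return int(value) if value.isdigit() else 0


def audit(policy):
    """Compare a parsed policy with the article's recommendations."""
    findings = []
    if number(policy.get("Minimum password length", "0")) < 1:
        findings.append("blank passwords permitted")
    threshold = number(policy.get("Lockout threshold", "Never"))
    if threshold == 0:
        findings.append("account lockout disabled")
    else:
        if not LOCKOUT_RANGE[0] <= threshold <= LOCKOUT_RANGE[1]:
            findings.append("lockout threshold outside 3 to 4 attempts")
        window = number(policy.get("Lockout observation window (minutes)", "0"))
        if abs(window - RESET_TARGET) > RESET_TOLERANCE:
            findings.append("reset count window not near 20 minutes")
    if policy.get("Force user logoff how long after time expires?", "Never") == "Never":
        findings.append("no forced disconnect when logon hours expire")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_policy(SAMPLE)):
        print("FINDING:", finding)
```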


User Accounts
-------------

After you set up the domain account, check the status of each user account and group
in the User Manager. Check these options as follows:

- It's a good thing to check the password options. Should the user be able to change the
password? Does the password never expire? Is this account disabled? If it is disabled,
has the user left the company? If so, consider removing the account.

- Click the Groups button to determine which groups the user belongs to. Is membership in these
groups appropriate for the user? What rights and permissions does the user obtain from the
groups? What access does the group have to other domains?

- Click the Hours button to evaluate the times that the user can access the network. Make sure
no one can log on after hours if that is your policy.

- Click the Logon To button to evaluate which computers the user can log on to. Make sure
that no one can log on from a computer in an unsupervised area.

- Check for old user accounts and remove them.

- When setting up temporary accounts be sure to set an expiration date for the account, and
assign rights and permissions carefully.
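
The per-account review above can be run over text output as well. The following is an added
example, not part of the original article: it reads constructed samples modeled on
`net user <name>` output and lists which checklist items each account trips. The account names
and the `temporary` flag, which the reviewer supplies, are assumptions.

```python
import re

# Constructed samples modeled on `net user <name>` output; not real accounts.
GUEST = """\
User name                    Guest
Account active               Yes
Account expires              Never
Password expires             Never
Workstations allowed         All
Logon hours allowed          All
"""
CONTRACTOR = """\
User name                    tmp_contractor
Account active               Yes
Account expires              Never
Password expires             4/11/2000 9:00:00 AM
Workstations allowed         FRONTDESK1
Logon hours allowed          Monday 8:00 AM - 6:00 PM
"""


def parse_user(text):
    """Split each 'label   value' line on the run of two or more spaces."""
    fields = {}
    for line in text.splitlines():
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) == 2:
            fields[parts[0]] = parts[1]
    return fields


def review(fields, temporary=False):
    """Return the User Accounts checklist items this account trips.
    `temporary` is supplied by the reviewer; the output cannot show it."""
    notes = []
    active = fields.get("Account active") == "Yes"
    if fields.get("User name", "").lower() == "guest" and active:
        notes.append("Guest account is enabled")
    if not active:
        notes.append("disabled: has the user left? consider removing")
    if fields.get("Password expires") == "Never":
        notes.append("password never expires")
    if temporary and fields.get("Account expires") == "Never":
        notes.append("temporary account without expiration date")
    if fields.get("Logon hours allowed") == "All":
        notes.append("no logon hours restriction")
    if fields.get("Workstations allowed") == "All":
        notes.append("may log on from any computer")
    return notes
```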


Conclusion
----------

In this issue I explained how to improve security by taking care of user accounts and logging
options. Follow them step by step to help secure your server. If you don't take care of your
system, who will? In the next issue I'm planning to explain user rights on an NT system, give
you some short tips about user groups and help you to set up the Administrators account for best
performance and security. Feel free to discuss any of these topics on Default webboard (http://net-security.org/webboard.htm).

More to come in Part II of "Windows NT Security Check"



Default newsletter (http://default.net-security.org)
