nt.security.check.part2.txt
Posted Apr 19, 2000
Authored by Slash | Site b0f.com

Evaluating the Security of a NT System Part II - In depth information on NT security. Includes discussion of Groups and User rights, The Administrator Account and Administrators Group, The Guest Account and Everyone Group, Files Folders Permissions and Shares, Virus and Trojan Horse Controls, Auditing and Event Logs, and backup.

tags | trojan, virus
SHA-256 | a3ba4426df164c8f53bb9b8b31d38d2bce9306adea7f9f2dd16ec49f84f8514d

For buffer0verfl0w security
written by slash
tcsh@b0f.i-p.com
http://www.b0f.com



Windows NT Security Check Part II
=================================


Introduction
------------

In Part I of "Windows NT Security Check" I explained some basic things about user accounts
and logging options. In this part I'll try to explain the various groups and user rights. Please
note that any of the topics covered in these articles can be discussed on our webboard
located at http://net-security.org/webboard.htm

Groups
------

The membership of groups should be carefully evaluated. A group that is granted
permissions to sensitive files might contain users that should not have that access.
Open each group listed in the User Manager and inspect its members.

- Carefully evaluate the members of management groups such as Administrators, Server
Operators, Account Operators, Backup Operators, and Print Operators. Remove all
unnecessary accounts.

- Make sure that all administrative users have two accounts: one for administrative
tasks and one for regular use. Administrators should only use their administrative
accounts when absolutely necessary.

- Evaluate each global group membership and the resources that the group has access to.
Does the group have access in other domains?

- What folders and files do groups have permission to access?

- Do local groups hold global groups from other domains? Check the membership of these
global groups and make sure that no users have unnecessary access to resources in the
current domain.


The Administrator Account and Administrators Group
--------------------------------------------------

The Administrator account and Administrators group have unlimited rights on the system.
Therefore, you need to carefully evaluate the membership of the Administrators group
and take care of some other housekeeping related to the Administrator account:

- If you are taking over the management of an existing system, you should change the
Administrator account name and password immediately. You do not know who might have a
password that would give them access to the account.

- The Administrator account is often the target of attacks because of its well-known name.
You should rename the Administrator account to an obscure name and create a "decoy"
account called "Administrator" with no permissions. Intruders will attempt to break in
to this decoy account instead of the real account.

- Enable failed logons in the auditing system to detect attempts to log on to any account,
including Administrator.

- Look for unnecessary accounts that have Administrator status. Perhaps an intruder has
created such an account as a backdoor into the system.

The Administrators group has the "Access this computer from the network" right, which you
can remove to prevent account hijacking or unauthorized activities. Without this right,
administrators must log on at the computer itself, in a controlled environment, to do any
administrative tasks. You will also need to remove the right from the Everyone group, then
add back the accounts that are allowed to log on from the network.


The Guest Account and Everyone Group
------------------------------------

Most administrators agree that the Guest account should be disabled, although doing so
removes the ability of anonymous users to access the system. If you decide to enable the
Guest account, consider creating a separate domain for these public services where the
Guest account is enabled. Alternatively, use a Web server for this type of system.

- Users who log on as guests can access any shared folder that the Everyone group has
access to (i.e., if the Everyone group has Read permissions to the Private folder,
guests can access it with Read permissions).

- You don't know who Guest users are and there is no accountability because all guests
log in to the same account.

- If you have Microsoft Internet Information Server software installed, a special Guest
account called IUSR_computername exists with the rights to log on locally. Remove this
account if you don't want the general public to access your Web server. Users must then
have an account to access the Web server.


User rights
-----------

In the User Manager for Domains, check the rights that users and groups have on the
system. Choose User Rights from the Policies menu to display the User Rights Policy
dialog box. Initially, the box shows the basic rights. To evaluate all rights, click the
Show Advanced User Rights option. Here are some considerations for basic rights:

- Access this computer from the network

By default, only the Administrators and the Everyone group have this right. Remove
the Everyone group (why would you want everyone to access this server from the network
if you are interested in security?), then add specific groups as appropriate. For
example, create a new group called "Network Users" with this right, then add users who
should have network access.

- Backup files and directories

Users with this right can potentially carry any files off-site. Carefully evaluate which
users and groups have this right. Also evaluate the Restore files and directories right.

- Log on locally

For servers, only administrators should have this right. No regular user ever needs
to log on directly to the server itself. By default, the administrative groups
(Administrators, Server Manager, etc.) have this right. Make sure that any user who is
a member of these groups has a separate management account.

- Manage auditing and security logs

Only the Administrators group should have this right.

- Take ownership of files or other objects

Only the Administrators group should have this right.


Scan all the advanced rights to make sure that a user has not been granted rights
inappropriately.
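The basic rights listed above, together with the Administrators group's network-logon right discussed earlier, can be checked in bulk from an exported security template instead of clicking through the User Rights Policy dialog. The following Python is an added example, not code from the article; it assumes the INF layout written by `secedit /export /cfg <file>` (holders listed as `*`-prefixed SIDs), uses a constructed sample template, and its allow-lists are one reading of the article's recommendations.

```python
# Audit the [Privilege Rights] section of a secedit-style template against the
# user-rights checks in this article (added example, not from the text).
# Assumed input: the INF written by `secedit /export /cfg <file>`, holders as
# '*'-prefixed SIDs. Allow-lists are this example's reading of the article.
EVERYONE, ADMINISTRATORS, BACKUP_OPERATORS = "S-1-1-0", "S-1-5-32-544", "S-1-5-32-551"

# right -> (name in the User Rights Policy dialog, SIDs allowed to hold it);
# None means no allow-list, only the Everyone check in audit_rights().
POLICY = {
    "SeNetworkLogonRight": ("Access this computer from the network", None),
    "SeBackupPrivilege": ("Backup files and directories", {ADMINISTRATORS, BACKUP_OPERATORS}),
    "SeRestorePrivilege": ("Restore files and directories", {ADMINISTRATORS, BACKUP_OPERATORS}),
    "SeInteractiveLogonRight": ("Log on locally", {ADMINISTRATORS}),
    "SeSecurityPrivilege": ("Manage auditing and security log", {ADMINISTRATORS}),
    "SeTakeOwnershipPrivilege": ("Take ownership of files or other objects", {ADMINISTRATORS}),
}

# Constructed sample template: Everyone still has network logon, a plain
# domain user has Backup, and Server Operators plus Users can log on locally.
SAMPLE_INF = """\
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-1-0
SeBackupPrivilege = *S-1-5-32-544,*S-1-5-32-551,*S-1-5-21-1000-1000-1000-1105
SeRestorePrivilege = *S-1-5-32-544,*S-1-5-32-551
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-549,*S-1-5-32-545
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
"""

def parse_privilege_rights(inf_text):
    """Return {right: [sid, ...]} taken from the [Privilege Rights] section only."""
    rights, in_section = {}, False
    for raw in inf_text.splitlines():
        line = raw.strip()
        if line.startswith("["):
            in_section = line.lower() == "[privilege rights]"
        elif in_section and "=" in line:
            name, _, value = line.partition("=")
            rights[name.strip()] = [s.strip().lstrip("*") for s in value.split(",") if s.strip()]
    return rights

def audit_rights(rights):
    """Return (right name, offending SID) for every holder the policy rejects."""
    findings = []
    for right, (label, allowed) in POLICY.items():
        holders = rights.get(right, [])
        if allowed is None:   # Everyone must not reach the server over the network
            findings += [(label, sid) for sid in holders if sid == EVERYONE]
        else:
            findings += [(label, sid) for sid in holders if sid not in allowed]
    return findings
```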


Files, Folders, Permissions and Shares
--------------------------------------

This discussion assumes that you are only using NTFS volumes on your servers. Do not
use FAT volumes in secure installations.

To check permissions on folders and other resources, you must go to each resource
individually to review which users and groups have permissions. This can be a
bewildering task, so for large systems obtain a copy of the Somarsoft DumpACL utility.

To open the Permissions dialog box for a folder or file, right-click it and choose
Properties, then click either the Sharing or the Security tab. The Sharing options
show who has access to the folder over the network. The Security tab has the Permission
and Auditing buttons so you can check local permissions or set auditing options.

Start your evaluation with the most sensitive and critical folders if you are doing
this procedure manually or performing a periodic checkup. Take care to do the following:

- Check each folder and/or file to determine which local users and groups have access
and whether that access is appropriate.

- Check all shared folders and the share permissions
on those folders to determine which network users and groups have access and whether
that access is appropriate.

- Program files and data files should be kept in separate folders to make management
and permission setting easier. Also, if users can copy files into a data folder,
remove the Execute permission on the folder to prevent someone from copying and
executing a virus or Trojan Horse program.

- Separate public files from private files so you can apply different permission sets.

- If users or groups have access to a folder, should they have the same access to
every file in the folder? To every subdirectory? Check the sensitivity of files and
attached subdirectories to evaluate whether inherited permissions are appropriate.

- Keep in mind that the Everyone group gets Full access by default for all new folders
you create. To prevent this, change the Everyone group's permission for a folder,
then any new subdirectories you create will get the new permission settings.

- If the server is connected to an untrusted network such as the Internet, do not
store any files on the server that are sensitive and for in-house access only.

- Never share the root directory of a drive or one of the drive icons that appear in the
graphical display. An exception would be sharing a Read Only CD-ROM drive for public
access.

- For sensitive, password protected directories, enable Auditing. Right-click a folder,
click Security, then click Auditing and enable Failure to track users who are attempting
unauthorized access to a folder or file. Note that File and Object access must be enabled
from the Audit Policies menu in the User Manager, as described later.

- Use encryption wherever possible to hide and protect files. Mergent
(http://www.mergent.com/) and RSA Data Systems (http://www.rsa.com/) provide encryption
software for this purpose.

You can remove Everyone's access to an entire folder tree by going to the root of the
drive, changing the permissions, and propagating those permissions to subdirectories.
Do not do this for the systemroot folder (usually C:\WINNT). You must manually update
Everyone's right there.


Virus and Trojan Horse Controls
-------------------------------

Viruses are a particularly serious problem in the network environment because the client
computer can become infected, transferring the virus to server systems. Other users may come
into contact with infected files at the server. Evaluate and set the following options:

- Program directories should have permissions set to Read and Execute (not Write) to
prevent a virus from being written into a directory where it can be executed. To install
programs, temporarily set Write on, then remove it.

- Install new software on a separate, quarantined system for a test period, then install
the software on working systems once you have determined that it is safe to run.

- Public file sharing directories should have the least permissions possible, i.e., Read
Only, to prevent virus infections.

- If a user needs to put files on your server, create a "drop box" directory that has
only the Write permission. Check all new files placed in this directory with a virus
scanner. Implement backup policies and other protective measures.

- Educate and train users.

- Check the Symantec (<http://www.symantec.com/>) site for interesting papers on
Windows NT-specific virus issues.
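The permission rules from the two sections above (no Full Control for Everyone on new folders, no Write on program directories, no Write plus Execute on data folders, write-only drop boxes, no shared drive roots) can be applied to a folder inventory in one pass. The following Python is an added example, not the article's own code; the inventory format and its entries are constructed, and the permission letters are the NT 4 individual permissions (R, W, X, D, P, O) that the article's Read/Change/Full Control sets are built from.

```python
# Check a folder permission inventory against the permission rules in the
# Files/Folders and Virus sections of this article (added example, not from
# the text). Assumed input: (path, role, shared, principal, perms) tuples where
# role is how the folder is used ("program", "data", "dropbox") and perms uses
# the NT 4 individual permission letters R W X D P O; Full Control is all six.
FULL_CONTROL = set("RWXDPO")
TRUSTED = {"Administrators"}          # principals the per-role rules do not apply to

# Constructed inventory; each tuple is one ACL entry on one folder.
SAMPLE_INVENTORY = [
    ("D:\\Apps",    "program", True,  "Administrators", "RWXDPO"),
    ("D:\\Apps",    "program", True,  "Users",          "RWX"),    # Add & Read on programs
    ("D:\\Data",    "data",    True,  "Users",          "RWXD"),   # Change: can copy and run
    ("D:\\Dropbox", "dropbox", True,  "Users",          "W"),      # write-only, as intended
    ("D:\\Dropbox", "dropbox", True,  "Everyone",       "RX"),     # drop box readable
    ("D:\\Public",  "data",    True,  "Everyone",       "RWXDPO"), # default for new folders
    ("E:\\",        "data",    True,  "Everyone",       "RX"),     # whole drive shared
    ("D:\\Reports", "data",    False, "Users",          "RX"),
]

def is_drive_root(path):
    return len(path) == 3 and path[1:] == ":\\"

def check_entry(path, role, shared, principal, perms):
    """Return the names of the rules a single ACL entry violates."""
    p = set(perms)
    hits = []
    if principal == "Everyone" and p >= FULL_CONTROL:
        hits.append("everyone-full-control")
    if shared and is_drive_root(path):
        hits.append("drive-root-shared")
    if principal in TRUSTED:
        return hits
    if role == "program" and p & {"W", "D"}:
        hits.append("program-dir-writable")
    if role == "data" and {"W", "X"} <= p:
        hits.append("data-dir-write-and-execute")
    if role == "dropbox" and p != {"W"}:
        hits.append("dropbox-not-write-only")
    return hits

def audit_inventory(entries):
    """Return [(path, principal, rule), ...] for every violation in the inventory."""
    return [(e[0], e[3], rule) for e in entries for rule in check_entry(*e)]
```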


Auditing and Event Logs
-----------------------

Check the status of audit settings by choosing Audit on the Policies menu in the User
Manager for Domains. The Audit Policy dialog box appears. The settings in this box reflect
the minimum settings that are appropriate for auditing in most environments. Keep in mind
that auditing too many events can affect a system's performance.

Protect auditing and security logs from other administrators who might change or delete
them. You can grant only the Administrators group the ability to access the logs. To
restrict access to only one user (the "auditor"), remove all users except the auditor
from the Administrators group. This means all of your other administrators should be
members of a management group that does not have the "Manage auditing and security log"
right.

Check for failed logons in the Event Viewer. You can enable security auditing for logon
attempts, file and object access, use of user rights, account management, security
policy changes, restart and shutdown, and process tracking.
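Once failed-logon auditing is on, the Security log can be scanned for the patterns this article and the Administrator section earlier describe: any attempt against the decoy "Administrator" account, bursts of failures against one account from one workstation, and the log being cleared. The following Python is an added example, not the article's own code; it assumes a comma-separated export from Event Viewer with the columns shown, uses the NT-era event IDs (529 logon failure, 517 audit log cleared), and the decoy name, thresholds and sample rows are constructed.

```python
# Scan a Security log export for the failed-logon patterns this article says to
# audit (added example, not from the text). Assumed input: comma-separated rows
# "date,time,event_id,user,workstation" saved from Event Viewer; event IDs are
# the NT-era ones (529 logon failure, 517 audit log cleared). Sample is constructed.
import csv
from datetime import datetime
from io import StringIO
DECOY_ACCOUNT = "Administrator"   # the decoy left behind after renaming the real admin
FAILURE_THRESHOLD = 3             # failures from one workstation ...
WINDOW_MINUTES = 10               # ... inside this many minutes count as a burst

SAMPLE_LOG = """\
04/19/2000,02:14:07,529,Administrator,WKS-17
04/19/2000,02:14:09,529,Administrator,WKS-17
04/19/2000,02:14:12,529,Administrator,WKS-17
04/19/2000,08:03:41,529,jsmith,WKS-03
04/19/2000,11:20:00,529,backup_svc,SRV-02
04/19/2000,11:21:30,529,backup_svc,SRV-02
04/19/2000,11:25:00,529,backup_svc,SRV-02
04/19/2000,23:58:10,517,rmanning,SRV-01
"""

def parse_log(text):
    """Return (timestamp, event_id, user, workstation) tuples."""
    rows = []
    for date, time, event_id, user, ws in csv.reader(StringIO(text)):
        ts = datetime.strptime(f"{date} {time}", "%m/%d/%Y %H:%M:%S")
        rows.append((ts, int(event_id), user, ws))
    return rows

def find_suspicious(rows):
    """Return (reason, user, workstation, count) for each pattern found."""
    findings, failures = [], {}
    for ts, event_id, user, ws in rows:
        if event_id == 517:           # someone emptied the Security log
            findings.append(("audit log cleared", user, ws, 1))
        elif event_id == 529:
            failures.setdefault((user, ws), []).append(ts)
    for (user, ws), times in sorted(failures.items()):
        if user.lower() == DECOY_ACCOUNT.lower():
            # Nobody legitimately uses the decoy, so every failure is a probe.
            findings.append(("decoy account probed", user, ws, len(times)))
            continue
        times.sort()
        for i in range(len(times) - FAILURE_THRESHOLD + 1):
            span = times[i + FAILURE_THRESHOLD - 1] - times[i]
            if span.total_seconds() <= WINDOW_MINUTES * 60:
                findings.append(("repeated logon failures", user, ws, len(times)))
                break
    return findings
```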


Backup
------

Backup policies and procedures are essential. In your evaluation, determine which users
belong to the Backup Operators group. Carefully evaluate if you trust these users. Backup
operators have the ability to access all areas of the system to back up and restore files.

Members of the Backup Operators group should have special logon accounts (not regular user
accounts) on which you can set logon restrictions. If Joe is the backup operator, he should
have a regular logon account for his personal activities and a special logon account for
backing up the system. Set restrictions on the backup account, then set restrictions that
force Joe to log on from a specific system only during appropriate hours. Change, with
frequency, the name and password of the account to guard against hijacking.

- Review the backup policies. Is the backup schedule appropriate? Are files safely
transported to secure backup locations? How might backup compromise the confidentiality
of files?

- View the Event Log to audit backup activities.


Final conclusion
----------------

Well, I hope that this article gave you some basic info on how to administer your Windows NT
server. For more info I recommend reading the following books:

- Inside Windows NT Server 4 : Administrators Resource Edition
<http://www.amazon.com/exec/obidos/ASIN/1562057278/netsecurity>

This national bestseller has been updated and expanded to cover the most talked-about
Windows NT-related technologies and the latest information on Windows NT Server 4. Aimed
at network administrators, consultants, and IT professionals, this book provides invaluable
information to help you get up and running. Written by experts, this comprehensive book
takes you through the ins and outs of installing, managing, and supporting a Windows NT
network - with efficiency. Loaded with tutorials and organized as a reference, it's the
perfect resource for new administrators who need to get up to speed quickly, as well as
technically savvy and experienced administrators who just need to locate the most essential
information - without reading every page.

- Essential Windows NT System Administration
<http://www.amazon.com/exec/obidos/ASIN/1565922743/netsecurity>

Essential Windows NT System Administration helps you manage Windows NT systems as
productively as possible, making the task as pleasant and satisfying as can be. It
combines practical experience with technical expertise, helping you to work smarter
and more efficiently. It covers not only the standard utilities offered with the Windows
NT operating system, but also those from the Resource Kit, as well as important commercial
and free third-party tools. It also pays particular attention to developing your own
tools by writing scripts in Perl and other languages to automate common tasks. This book
covers the workstation and server versions of Windows NT 4 on both Intel and Alpha
processor-based systems.

- Microsoft Windows NT 4.0 Security, Audit, and Control
<http://www.amazon.com/exec/obidos/ASIN/157231818X/netsecurity>

This "Security Handbook" is the official guide to enterprise-level security on networks
running Microsoft Windows NT Server 4.0. Written in collaboration between Microsoft and
MIS professionals at Coopers & Lybrand, here is the essential reference for any Windows
NT Server 4.0-based network.

This is only a small selection of the books on Windows NT security and administration. You
can find more books on Windows NT at our online bookstore <http://net-security.org/books/>



Default newsletter (http://default.net-security.org)
