Windows NT Security Check Part I
by slash
tcsh@b0f.i-p.com

Introduction
------------

What do you do when you face the task of evaluating the security of a Windows NT system? The only thing you can do is to evaluate the security of the system manually. Although this can be a daunting task, you will find it a little easier if you follow the steps provided here. This discussion provides quick steps for analyzing the basic security of a server.

Short Tips
----------

The following settings can serve as the basis for building a very secure system, even if they don't necessarily apply to a network server.

- All drives on the system must be formatted for the NT File System (NTFS), not the FAT file system. To check drive status in Windows NT 4.0, right-click on the drive and choose Properties.
- The Security Log should not overwrite old events. To check this, open the Event Viewer and choose Log Settings from the Log menu. The option called "Do Not Overwrite Events (Clear Log Manually)" should be enabled.
- Check your logs daily. They tell a lot if an intruder tried to break in.
- Do not allow blank passwords. They allow a hacker to get into the system and easily gain administrator privileges. To check this, open the User Manager for Domains, choose Account from the Policies menu and disable Permit Blank Passwords in the Minimum Password Length field. This requires that you choose the "At Least x Characters" field and specify a value for x.
- Disable the Guest account. In the User Manager, double-click on the Guest account and put a check mark on the item called "Account Disabled." Having a Guest account means getting hacked. Leave it enabled only if that's absolutely necessary.
- Disable NetBIOS over TCP/IP network bindings wherever you can.
- Block all non-essential TCP/IP ports, especially UDP 137 and 138 and TCP 139. This may save you from some DoS attacks.
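The Short Tips above are written as NT 4.0 dialog clicks. The following script is an added example, not part of the original article, that runs the same checklist on a current Windows host from an elevated Windows PowerShell 5.1 prompt: NTFS on every fixed drive, Security log retention, Guest disabled, NetBIOS over TCP/IP bindings, and whether UDP 137/138 or TCP 139 are bound. The cmdlets (Get-CimInstance, Get-LocalUser, Get-NetUDPEndpoint, Get-NetTCPConnection) ship with Windows; the WMI property values compared against (OverwritePolicy 'Never', TcpipNetbiosOptions 2 = disabled) are documented Microsoft values, and the message wording is my own.

```powershell
# Added example: audit of the "Short Tips" settings on a modern Windows host.
# Assumes an elevated Windows PowerShell 5.1+ session; not from the article.

$findings = @()

# 1. All fixed drives (DriveType 3 = local disk) must be NTFS, not FAT/FAT32.
foreach ($d in Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3') {
    if ($d.FileSystem -ne 'NTFS') {
        $findings += "Drive $($d.DeviceID) is $($d.FileSystem); convert it to NTFS"
    }
}

# 2. The Security log must not overwrite old events. WMI reports the
#    Event Viewer setting as OverwritePolicy: WhenNeeded, OutDated or Never.
$sec = Get-CimInstance Win32_NTEventlogFile -Filter "LogfileName = 'Security'"
if ($sec -and $sec.OverwritePolicy -ne 'Never') {
    $findings += "Security log overwrite policy is '$($sec.OverwritePolicy)'; set it to Never (clear manually)"
}

# 3. The Guest account should be disabled (Get-LocalUser fails on a domain
#    controller, where local accounts do not exist; that case is skipped).
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    $findings += 'Guest account is enabled; disable it unless absolutely necessary'
}

# 4. NetBIOS over TCP/IP per adapter: TcpipNetbiosOptions 0 = via DHCP,
#    1 = enabled, 2 = disabled.
foreach ($nic in Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE') {
    if ($nic.TcpipNetbiosOptions -ne 2) {
        $findings += "NetBIOS over TCP/IP is still enabled on '$($nic.Description)'"
    }
}

# 5. The NetBIOS ports the article singles out should not be bound at all.
$udp = Get-NetUDPEndpoint -LocalPort 137, 138 -ErrorAction SilentlyContinue
$tcp = Get-NetTCPConnection -LocalPort 139 -State Listen -ErrorAction SilentlyContinue
foreach ($e in $udp) {
    $findings += "UDP $($e.LocalPort) is bound on $($e.LocalAddress); block it at the firewall"
}
foreach ($c in $tcp) {
    $findings += "TCP 139 is listening on $($c.LocalAddress); block it at the firewall"
}

# Report: one line per deviation from the checklist.
if ($findings.Count -eq 0) {
    Write-Output 'No findings: all Short Tips settings are in place'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

Each check only reads state and prints a finding, so it is safe to schedule alongside the daily log review the article asks for; fixing a finding (converting a drive, changing the log policy, disabling NetBIOS on an adapter) is still a deliberate administrative change made separately.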
Logging Options
---------------

Another good thing is to enable the Account Lockout option to prevent unauthorized users from attempting to access the system by guessing or brute-forcing passwords. For optimum security, never run the server with this option disabled. Set the following options as appropriate:

- Lockout after x bad logon attempts. Set x to 3 or 4.
- Reset Count After x minutes. Set to approximately 20 minutes to avoid unnecessary lockouts.
- Forcibly disconnect remote users from server when logon hours expire. Set this option to prevent after-hours activity or to disconnect systems that were left on.
- User must log on in order to change password. Set this option to prevent users whose passwords have expired from logging on. The administrator must then change the password.

User Accounts
-------------

After you set up the domain account, check the status of each user account and group in the User Manager. Check these options as follows:

- It's a good thing to check the password options. Should the user be able to change the password? Does the password never expire? Is this account disabled? If it is disabled, has the user left the company? If so, consider removing the account.
- Click the Groups button to determine which groups the user belongs to. Is membership in these groups appropriate for the user? What rights and permissions does the user obtain from the groups? What access does the group have to other domains?
- Click the Hours button to evaluate the times that the user can access the network. Make sure no one can log on after hours if that is your policy.
- Click the Logon To button to evaluate which computers the user can log on to. Make sure that no one can log on from a computer in an unsupervised area.
- Check for old user accounts and remove them.
- When setting up temporary accounts, be sure to set an expiration date for the account, and assign rights and permissions carefully.
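The blank-password tip, the Account Lockout settings above and the per-user checks in the User Manager all concern the same two things: the account policy and each account's flags. This added example (mine, not the article's) reads the policy from the text output of the standard `net accounts` command and reviews every local account with Get-LocalUser and Get-LocalGroupMember, flagging what the article says to look for. It assumes an elevated Windows PowerShell 5.1+ session with English `net accounts` output (the parser keys on the English labels); the 90-day "old account" cutoff is my own assumption, since the article gives no number.

```powershell
# Added example: account-policy and user-account review. Not from the article.
# Assumes elevated Windows PowerShell 5.1+ and English-language `net accounts`.

$findings = @()

# --- Account policy: parse "Label:   value" lines from `net accounts` ---
$policy = @{}
net accounts | ForEach-Object {
    if ($_ -match '^(?<key>[^:]+?)\s*:\s+(?<val>\S.*?)\s*$') {
        $policy[$Matches.key] = $Matches.val
    }
}
function Get-PolicyValue([string]$pattern) {
    # First policy line whose label matches the wildcard pattern, or $null.
    $k = $policy.Keys | Where-Object { $_ -like $pattern } | Select-Object -First 1
    if ($k) { $policy[$k] } else { $null }
}

# Blank passwords: a minimum length of 0 is what "Permit Blank Passwords" means.
$minLen = Get-PolicyValue 'Minimum password length*'
if (-not $minLen -or [int]$minLen -lt 1) {
    $findings += "Blank passwords are permitted (minimum length '$minLen'); set 'At Least x Characters'"
}

# Lockout after x bad logon attempts: `net accounts` prints "Never" when off.
$threshold = Get-PolicyValue 'Lockout threshold*'
if (-not $threshold -or $threshold -eq 'Never') {
    $findings += 'Account lockout is disabled; lock out after 3 or 4 bad logon attempts'
} elseif ([int]$threshold -gt 4) {
    $findings += "Lockout threshold is $threshold; the recommendation is 3 or 4"
}

# Reset Count After x minutes = lockout observation window (about 20 minutes).
$window = Get-PolicyValue 'Lockout observation window*'
if ($window -and ([int]$window -lt 15 -or [int]$window -gt 30)) {
    $findings += "Reset-count window is $window minutes; roughly 20 is recommended"
}

# --- User accounts: the User Manager checks, run over every local account ---
$staleBefore = (Get-Date).AddDays(-90)   # assumed cutoff for "old" accounts
$admins = @(Get-LocalGroupMember -Group 'Administrators' -ErrorAction SilentlyContinue |
            ForEach-Object { $_.Name })  # names come back as HOST\user

foreach ($u in Get-LocalUser -ErrorAction SilentlyContinue) {
    $flags = @()
    if ($u.PasswordNeverExpires)    { $flags += 'password never expires' }
    if (-not $u.UserMayChangePassword) { $flags += 'user cannot change own password' }
    if (-not $u.Enabled) {
        $flags += 'disabled: remove the account if the user has left'
    } else {
        if ($u.LastLogon -and $u.LastLogon -lt $staleBefore) {
            $flags += "no logon since $($u.LastLogon.ToShortDateString())"
        } elseif (-not $u.LastLogon) {
            $flags += 'never logged on'
        }
        if (-not $u.AccountExpires) {
            $flags += 'no expiration date (required for temporary accounts)'
        }
    }
    if ($admins | Where-Object { $_ -like "*\$($u.Name)" }) {
        $flags += 'member of Administrators: confirm this is appropriate'
    }
    if ($flags.Count -gt 0) { $findings += "User $($u.Name): $($flags -join '; ')" }
}

if ($findings.Count -eq 0) {
    Write-Output 'No findings'
} else {
    $findings | ForEach-Object { Write-Output "[!] $_" }
}
```

The policy half can be corrected from the same prompt with the documented switches of the command it parses, for example `net accounts /minpwlen:8 /lockoutthreshold:4 /lockoutwindow:20`; the user half is deliberately read-only, because whether a disabled or never-expiring account should go is the judgement call the article leaves to the administrator.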
Conclusion
----------

In this issue I explained how to improve security by taking care of user accounts and logging options. Follow them step by step to help secure your server. If you don't take care of your system, who will?

In the next issue I'm planning to explain user rights on an NT system, give you some short tips about user groups and help you set up the Administrators account for best performance and security. Feel free to discuss any of these topics on the Default webboard (http://net-security.org/webboard.htm).

More to come in Part II of "Windows NT Security Check".

Default newsletter (http://default.net-security.org)