Lesson 16-Windows NT Security Issues


Page 1: Lesson 16-Windows NT Security Issues

Lesson 16-Windows NT Security Issues

Page 2: Lesson 16-Windows NT Security Issues

Overview

Set up the system.

Manage users.

Manage the system.

Page 3: Lesson 16-Windows NT Security Issues

Set up the System

Windows NT is not completely secure out of the box.

Default configuration of Windows NT includes some settings that will make the system more secure.

Page 4: Lesson 16-Windows NT Security Issues

Set up the System

Configuration settings are divided into:

Registry settings.

System configuration settings.

Page 5: Lesson 16-Windows NT Security Issues

Registry Settings

The Windows NT Registry is the internal system database that stores necessary system parameters and values.

Proper care must be taken while making changes to the Registry since mistakes can make the system unusable.

Regedt32 must be used to edit the Registry.

A logon message must be used to display a legal notice prior to a user logging on to the network.

Page 6: Lesson 16-Windows NT Security Issues

Registry Settings

A user can force Windows NT to clear the system Pagefile, containing encryption keys or password hashes, on shutdown.

The Shutdown Without Logon key can be changed to force a user to log on to a system before being able to shut it down.

The LAN Manager Authentication system allows Windows NT servers to work with Windows 95 and Windows 98 clients.

Page 7: Lesson 16-Windows NT Security Issues

Registry Settings

Since LAN Manager is a weaker scheme than the NT authentication system, it should be disabled.

The ability of an anonymous (null) user session to access information should be restricted.

Remote Registry access must be restricted to protect computers from an attack over the local network or the Internet.
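
As an added example, not part of the original slides, the Python script below parses a Registry export in REGEDIT4 text format and reports which of the settings named on the Registry Settings slides are missing or weak. The key and value names are the standard Windows NT ones; the pass thresholds (such as LMCompatibilityLevel of 2 or higher) and the sample export are assumptions made for this example.

```python
import re

CTRL = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
WINREG = CTRL + r"\SecurePipeServers\winreg"  # ACL on this key limits remote access
# (key, value name, pass test, finding). Pass thresholds are this example's assumptions.
CHECKS = [
    (WINLOGON, "LegalNoticeText", lambda v: isinstance(v, str) and v.strip() != "",
     "no legal notice before logon"),
    (WINLOGON, "ShutdownWithoutLogon", lambda v: v == "0", "shutdown allowed without logon"),
    (CTRL + r"\Session Manager\Memory Management", "ClearPageFileAtShutdown",
     lambda v: v == 1, "pagefile not cleared at shutdown"),
    (CTRL + r"\Lsa", "LMCompatibilityLevel", lambda v: v in (2, 3, 4, 5),
     "LAN Manager responses still sent"),
    (CTRL + r"\Lsa", "RestrictAnonymous", lambda v: v == 1,
     "anonymous (null) sessions unrestricted"),
]
# Constructed sample export, not taken from a real system.
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeText"=""
"ShutdownWithoutLogon"="0"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000000
"RestrictAnonymous"=dword:00000001
'''

def parse_reg(text):
    """Parse REGEDIT4 text into {key: {name: str | int}}, names lower-cased."""
    keys, cur = {}, None
    for line in map(str.strip, text.splitlines()):
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})
        elif cur is not None and m:
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith("dword:"):
                cur[name] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                cur[name] = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
    return keys

def audit(text):
    keys = parse_reg(text)
    out = [msg for key, name, ok, msg in CHECKS
           if not ok(keys.get(key.lower(), {}).get(name.lower()))]
    if WINREG.lower() not in keys:
        out.append("winreg key absent: remote Registry access unrestricted")
    return out
```

Calling `audit(SAMPLE)` returns one finding per setting that is absent or weaker than the check. A present winreg key only shows that a restriction point exists; who may connect remotely is decided by the permissions set on that key.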

Page 8: Lesson 16-Windows NT Security Issues

System Configuration Settings

Changes are required in the following areas to increase the security of the system:

File systems.

Network settings.

Account settings.

Service packs and hot-fixes.

Page 9: Lesson 16-Windows NT Security Issues

File Systems

FAT file systems should be converted to NTFS to allow for file permissions.

The NT policy editor or the AUTOEXNT program must be used to disable administrative shares that can be used to brute-force administrator passwords.

An emergency repair disk (ERD) provides recovery of the Registry and user database in the case of a system crash.

Page 10: Lesson 16-Windows NT Security Issues

Network Settings

Domains allow for a central user database and management and hence are better than workgroups.

NetBIOS should be turned off for any system that will be accessed from the Internet.

Simple TCP/IP services should not be enabled on a Windows NT system.

Page 11: Lesson 16-Windows NT Security Issues

Account Settings

Windows NT comes with administrator and guest accounts by default.

The guest account should be disabled and its password must be changed to something long and random.

Administrator account should be renamed.

Password policy should be configured as per the organization’s security policy.

Page 12: Lesson 16-Windows NT Security Issues

Account Settings

Policy can be configured through Account Policy in User Manager.

The Account Policy screen is used to define maximum password age, minimum password length, password uniqueness, and account lockout policy.

Account lockout policy will not be enforced against the administrator account unless the PASSPROP utility is used.

Page 13: Lesson 16-Windows NT Security Issues

Service Packs and Hot-Fixes

Service packs and hot-fixes are new versions of software that fix bugs and security vulnerabilities.

Some of them do not work properly and hence are not implemented.

They should be implemented within an organization after appropriate testing.

If hot-fixes are installed in the wrong order, it is possible that one will negate the effects of another.

Page 14: Lesson 16-Windows NT Security Issues

Manage Users

Procedures must be in place to identify the proper permissions that new users receive.

Procedures must make sure that an employee loses access rights to the organization’s systems after leaving the organization.

Management of users on a Windows NT system is critical to the security of the system and the NT domain.

Page 15: Lesson 16-Windows NT Security Issues

Manage Users

Adding users to the system:

Users are added through the User Manager.

Each user should have a unique user ID and their own account.

Multiple users should not be given access to the same user ID.

New users are forced to change the password the first time they log in.

Page 16: Lesson 16-Windows NT Security Issues

Manage Users

Setting file permissions:

Groups should be used to set permission on files and shares.

The Everyone group is given default access to files and shares. It includes logged-on users and/or guest and null session users.

If a file or share is accessible to all, the Domain User group or Authorized User group should be used instead of the Everyone group.

Page 17: Lesson 16-Windows NT Security Issues

Manage Users

Removing users from the system:

When users leave an organization, their account must be disabled immediately using User Manager.

In case the account contains any important files, the user’s superior should access and copy them within 30 days.

After 30 days the account should be removed from the system.

Page 18: Lesson 16-Windows NT Security Issues

Manage the System

Security is important when a system is configured and set up as well as in day-to-day operations.

The best security mechanism is an administrator who is paying attention to his systems.

Auditing a system, using log files, and looking for suspicious signs enhances the administrator’s ability to detect security problems.

Page 19: Lesson 16-Windows NT Security Issues

Manage the System

Auditing a system - The audit policy should be set according to the organization’s security policy.

Log files - Administrators should look at the log files and back them up on a regular basis.

Page 20: Lesson 16-Windows NT Security Issues

Manage the System

Looking for suspicious signs:

The Security Event Log shows failed login attempt entries which indicate brute-force intrusion.

File access failures may indicate an authorized user who is attempting to access sensitive files.

Missing log files may indicate intrusion.

Page 21: Lesson 16-Windows NT Security Issues

Manage the System

Looking for suspicious signs (continued):

If an intruder attempts to modify entries in log files, a gap would be found in the log file.

System administrators should periodically examine the Task Manager to see if any unknown processes like CMD are running.
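
As an added example, not part of the original slides, the Python code below applies two of the checks from the "Looking for suspicious signs" slides to a Security log extract: bursts of failed logons against one account, and gaps in the log's sequential record numbers. Event IDs 528 (successful logon) and 529 (failed logon) are the Windows NT audit IDs; the tuple layout, the thresholds and the sample records are assumptions constructed for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 529  # NT Security log: unknown user name or bad password

# Constructed Security log extract: (record number, time, event ID, account).
T0 = datetime(2001, 3, 5, 2, 0, 0)
SAMPLE = (
    [(100, T0, 528, "jsmith")]
    + [(101 + i, T0 + timedelta(seconds=20 * (i + 1)), 529, "Administrator")
       for i in range(6)]
    + [(107, T0 + timedelta(minutes=30), 529, "jsmith"),
       (112, T0 + timedelta(hours=3), 528, "jsmith")]  # records 108-111 absent
)

def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Map each account to its largest count of failed logons inside any
    sliding window, for accounts that reach the threshold (assumed values)."""
    recent, flagged = defaultdict(deque), {}
    for _, when, event_id, account in sorted(events, key=lambda e: e[1]):
        if event_id != FAILED_LOGON:
            continue
        q = recent[account]
        q.append(when)
        while when - q[0] > window:  # drop failures older than the window
            q.popleft()
        if len(q) >= threshold:
            flagged[account] = max(flagged.get(account, 0), len(q))
    return flagged

def record_gaps(events):
    """Return (first, last) ranges of record numbers missing from the log."""
    nums = sorted(e[0] for e in events)
    return [(a + 1, b - 1) for a, b in zip(nums, nums[1:]) if b - a > 1]
```

A single mistyped password, like the one for jsmith in the sample, stays below the threshold, while the six failures against Administrator in two minutes are reported together with the missing record range.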

Page 22: Lesson 16-Windows NT Security Issues

Summary

Configuration settings like Registry settings and system configuration settings make the system more secure.

Mistakes in Registry settings can make the system unusable.

System configuration settings include file systems, network settings, account settings, and service packs and hot-fixes.

Page 23: Lesson 16-Windows NT Security Issues

Summary

Managing users in a system involves adding and removing users and setting file permissions.

Managing a system includes auditing a system, using log files, and looking for suspicious signs to detect security problems.