Lesson 16-Windows NT Security Issues

Overview Set up the system. Manage users. Manage the system.

Set up the System Windows NT is not completely secure out of the box. Default configuration of Windows NT includes some settings that will make the system more secure.

Set up the System Configuration settings are divided into: Registry settings. System configuration settings.

Registry Settings Windows NT Registry is the internal system database that stores necessary system parameters and values. Proper care must be taken while making changes to the Registry since mistakes can make the system unusable. Regedit32 must be used to edit the Registry. Logon message must be used to display a legal notice prior to a user logging onto network.

Registry Settings User can force Windows NT to clear the system Pagefile, containing encryption keys or password hashes, on shutdown. Shutdown Without Logon key can be changed to force a user to log on to a system before being able to shut it down. LAN Manager Authentication system allows Windows NT servers to work with Windows 95 and Windows 98 clients.

Registry Settings Since LAN Manager is a weaker scheme than the NT authentication system, it should be disabled. The ability of anonymous (null) user session to access information should be restricted. Remote Registry access must be restricted to protect computers from an attack over local network or Internet.

System Configuration Settings Changes are required in the following areas to increase security of system: File systems. Network settings. Account settings. Service packs and hot-fixes.

File Systems FAT file systems should be converted to NTFS to allow for file permissions. NT policy editor or AUTOEXNT program must be used to disable administrative shares that can be used to brute-force administrator passwords. Emergency repair disk (ERD) provides recovery of Registry and user database in the case of system crash.

Network Settings Domains allow for a central user database and management and hence are better than workgroups. NetBIOS should be turned off for any system that will be accessed from the Internet. Simple TCP/IP services should not be enabled on a Windows NT system.

Account Settings Windows NT comes with administrator and guest accounts by default. The guest account should be disabled and its password must be changed to something long and random. Administrator account should be renamed. Password policy should be configured as per the organization’s security policy.

Account Settings Policy can be configured through Account Policy in User Manager. The Account Policy screen is used to define maximum password age, minimum password length, password uniqueness, and account lockout policy. Account lockout policy will not be enforced against the administrator account unless PASSPROP utility is used.

Service Packs and Hot-Fixes Service packs and hot-fixes are new versions of software that fix bugs and security vulnerabilities. Some of them do not work properly and hence are not implemented. They should be implemented within an organization after appropriate testing. If hot-fixes are installed in the wrong order it is possible that one will negate the effects of another.

Manage Users Proper procedures must be there to identify proper permissions received by new users. Procedures must make sure that an employee loses access rights to the organization’s systems after leaving the organization. Management of users on a Windows NT system is critical to the security of the system and the NT domain.

Manage Users Adding users to the system: Users are added through the User Manager. Each user should have a unique user ID and own account. Multiple users should not be given access to the same user ID. New users are forced to change the password the first time they log in.

Manage Users Setting file permissions: Groups should be used to set permission on files and shares. Everyone group is given default access to files and shares. It includes logged-on users and/or guest and null session users. If a file or share is accessible to all, Domain User group or Authorized User group should be used instead of Everyone group.

Manage Users Removing users from the system: When users leave an organization, their account must be disabled immediately using User Manager. In case the account contains any important files, the user’s superior should access and copy them within 30 days. After 30 days the account should be removed from the system.

Manage the System Security is important when a system is configured and set up as well as in day-to-day operations. The best security mechanism is an administrator who is paying attention to his systems. Auditing a system, using log files, and looking for suspicious signs enhances the administrator’s ability to detect security problems.

Manage the System Auditing a system - The audit policy should be set according to the organization’s security policy. Log files - Administrators should look at the log files and back them up on a regular basis.

Manage the System Looking for suspicious signs: Security Event Log show failed login attempt entries which indicate brute-force intrusion. File access failures may indicate an authorized user who is attempting to access sensitive files. Missing log files may indicate intrusion.

Manage the System Looking for suspicious signs (continued): If an intruder attempts to modify entries in log files, a gap would be found in the log file. System administrators should periodically examine the Task Manager to see if any unknown processes like CMD are running.

Summary Configuration settings like Registry settings and system configuration settings make the system more secure. Mistakes in Registry settings can make the system unusable. System configuration settings include file systems, network settings, account settings, and service packs and hot-fixes.

Summary Managing users in a system involves adding and removing users and setting file permissions. Managing a system includes auditing a system, using log files, and looking for suspicious signs to detect security problems.