NT4 SP4 Security Jack Schmidt - Fermilab

New Features F 3 new Event Log Messages F Security Log access locked down from Domain Admins F NTLMv2- new version of NTLM F Security Configuration Editor

3 New Event Log Messages Event Clean Shutdown Event “The Event log service was stopped.” Event Dirty Shutdown Event “The previous system shutdown at 7:01 AM on 11/12/98 was unexpected.” Event System Version Event “Microsoft (R) Windows NT (R) Service Pack 4 Uniprocessor Free.”

Security Log Viewing F Fixed so Security Rights need to be enabled in order to view and manage the Security event log- –Default allowed members of the Administrator group to view log but Security Advisor not always a System Admin –Message- “Required Privilege not held by the client”

NTLMv2 Security F Enhancements to the NTLM security protocols called NTLMv2 improves both authentication and session security. F Before SP4, NT Supported two kinds of challenge/response authentication: –LanManager (LM) challenge/response (WFW) –Windows NT challenge/response (also known as NTLM challenge/response) F To allow access to servers that only support LM authentication, Windows NT clients prior to SP4 always use both authentication methods, even to Windows NT servers that supported NTLM authentication.

NTLMv2 Security (cont) F SP4 systems can be configured to make use of the new authentication options –Level 0 - Send LM response and NTLM response; never use NTLMv2 session security –Level 1 - Use NTLMv2 session security if negotiated –Level 2 - Send NTLM response only –Level 3 - Send NTLMv2 response only –Level 4 - DC refuses LM responses –Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2) F See /q147/7/06.asp

Security Configuration Editor F Consolidates all security related settings into a single configuration file –User Manager, Server Manager, Resource Kit, Registry Settings, File Explorer F Settings can be applied to any number of NT machines (server and workstation) F Sample Configuration templates provided F Command line and GUI interface supported

A Peak at the SCE

Policies and Settings F Account Policies F Local Policies F Event Log F Restricted Groups F System Services F Registry F File System

Account Policies F Password settings such as length, uniqueness, minimum and max age, complexity, must logon to change. F Account lockout settings including lockout count, length of lockout time, reset account lockout after so many minutes

Local Policies F Audit Policy- audit settings (success/failure) of account management, logon events, object access, policy changes, privilege use, process tracking and system events F User Rights - such as add workstations to domain, change system time, take ownership of files F Security Options- such as rename Admin account, Logon messages, disconnect idle users, number of passwords to cache, restrict floppy and CDROM access

Settings F Event Log settings - maximum size for logs, restrict guest access, retention method for log files, shutdown when security log is full F Restricted Groups - ability to add and remove members from Domain Admin defined `sensitive’ groups. Designed for Windows 2000

Settings F System Services- In the future 3rd Party vendors can build in SCE attachments. Microsoft is planning attachments for services: spooler, TCP/IP, file sharing, etc… F Registry and File System - Provide ability to configure and analyze settings for object ownership, ACLs, and auditing information. Not fully implemented.

Predefined Configuration Templates F Templates can be used to configure systems and to perform security analysis of systems. F Templates are text-based.inf files. Configuration information is broken down into sections which can be applied as a full policy or in part. F Ability to exclude items from an audit. (shows as Not Configured) F Designed to allow new sections to be added. F GUI Interface allows modification of templates to provide customization.

Predefined Configuration Templates F Compatible Configuration –COMPDC4, COMPWS4 –Improvement over default security settings. Errs on the side of applications when making a tradeoff between functionality and security F Secure Configuration –SECURDC4, SECURWS4 –Improvement over compatible settings. Errs on the side of security when making a tradeoff between functionality and security

Predefined Configuration Templates F High Secure Configuration –HISECDC4, HISECWS4 –Enforces ideal security settings without consideration for application functionality. Most applications won’t work under this setting. Designed to promote the development of future “security conscious” applications. F Basic Configuration –BASICDC4,BASICSV4,BASICWK4 –Provided as a means to “undo” the application of a more secure configuration. Does NOT “rollback” settings!

SCE Adventures F `Out of the Box’ analysis based on Basic Configuration files. –Must apply a more secure configuration before attempting audit F Analysis results are easy to interpret F Remote Analysis not yet possible F Log files are useful for summarization but are not detailed.

SCE Adventures (cont) F Command line tool can be used for applying only certain sections of the policy or the full policy F SCE must be applied to all systems. F New users not always able to log on locally after SCE installed. F New file permission box F Password complexity box has correct message...

Security Analysis results

Configuration

New File Permissions View

Advanced File Permissions

Password Change Message

Suggestions F Edit either the COMP or SECUR.inf files and make changes based on your security plan (you do have a security plan don’t you?) F Save the file with a new name such as COMP4DC- FNAL.inf F Apply the Configuration file to your system. Password configurations applied to PDC will affect entire domain. F Do a security analysis and make sure items were changed. F Check servers monthly. Run audit to see if system has changed and why.

Command Line Tool F The command line tool (secedit.exe) is useful for applying predefined configuration files to many systems using distributed management tools (such as SMS).

WARNING! F Applying a secure configuration to an NT System may result in a loss of performance and functionality! –Many applications expect that all users have Change (Read, Write, Execute, Delete) permissions on root, systemroot, and systemroot\system32 directories

Further Information F tm (doesn’t work yet!) F

Any Questions?