Thanks for your help.
Ethan
Seriously, there is a lot to consider if you are going to secure your
system. As a quick fix, you should maybe install something like BlackICE
Defender or another personal firewall... although there are
exploits in these, you will be safer.
Another idea is to use a broadband firewall/router. I like SMC and
LINKSYS.
Next, assuming you have blocked all ports except FTP/HTTP, you need to
make sure NTFS permissions are set properly so that only the correct
groups/users have change permissions. I highly recommend installing
something other than IIS (try Apache or iPlanet), but if you do,
install it with NTFS into a different partition and directory than the
default, and apply the LATEST security patches. If you don't, I will
be glad to hack your server in less than a minute.
Finally, never use weak passwords (like a blank password or 'admin' as
the password).
Good luck.
On Mon, 19 Mar 2001 23:14:25 GMT, "John Smith" <som...@microsoft.com>
wrote:
HARDENING WIN2000 -- WORKING COPY
This is mainly for individual workstations that are not running a server,
and not in a network.
If you can, do a clean install of Win2000. An upgrade will leave all sorts
of files behind that could possibly be exploited.
For purposes of this document, it is assumed you will be performing these
steps in an Administrator account.
CREATE A RECOVERY DISK
You should always create a recovery disk before messing with system
settings. Get a blank diskette. Start -> Programs -> Accessories -> System
Tools -> Backup. Select Backup Tab, go to Tools, select "Create an Emergency
Repair Disk".
If for some reason you don't have the Backup program in your system tools
(it happens sometimes), you can access it by creating a shortcut.
Right-click on the desktop -> New -> Shortcut. In the box type in:
%SystemRoot%\system32\NTBACKUP.EXE
Under the name type in "Backup", or whatever.
ACCOUNTS
The default Win2000 installation will come with two accounts:
"Administrator", and "Guest". You should disable "Guest", rename
"Administrator", and create at least one account which you will use as your
main account.
The Guest account should be disabled by default, but it's good to check.
Start -> Settings -> Control Panel -> Users and Passwords -> Advanced Tab ->
Advanced Button -> click on "Users" group. The Guest Account should have a
little red circle with a white "x" over it. If it doesn't, right-click on
"Guest", go to Properties, go to General Tab, and click on the box "Account
is disabled".
While you are in "Users and Passwords" we can change a few other things.
Rename the Administrator account by right-clicking on it and going to
"Rename". Make it something you can remember, but avoid having
"Administrator" or "Admin" as part of the name. Right-click on the new name,
go to Properties, and clear out the "Full Name" and "Description" boxes. (A
lot of people argue this step is like putting tape on a safe, in that it
does not increase security all that much. In a regular network system this
is probably true. In fact NSA guidelines for hardening an NT workstation
even leave this step out. There are so many ways to get a list of user names
that it isn't worth it, and could be counter-productive in that it gives you
a false sense of security. However, on a non-networked workstation, there
are just a few ways you can get user names off the net, and we will be
patching the known ones up for the most part, so this step is still useful
for this type of setup).
Make a dummy Administrator account by going to "Action" and selecting "New
User". Name it Administrator. Right-click on it, go to Properties, and go to
the "Member Of" tab. Make sure it is not a member of anything. If it is,
highlight them and hit "Remove". Right-click on the dummy Administrator
account, select "Set Password", and give it a (very) strong password (see
below).
Create an account you will use every day. Click on "Add" in the "Users" tab.
Put in the name and password when prompted (ALWAYS use a password, see
below). At this point, you need to select what type of account this is. The
standard advice is for your main account to be a "Standard User (Power Users
Group)". This setting will allow you to add/remove programs, but restricts a
lot of system settings. This setting is necessary for many programs written
for Windows NT. Note that Power Users cannot install many programs written
for NT, as they change system registry settings which Power Users do not
have access to.
For more security (but bigger headaches) you can also try the "Restricted
User (User Group)" setting for more security. This type of user can't even
install or remove programs, and so is very safe from trojans. They should
be able to run any program that was written to be compatible with Win2000.
If you need administrative rights to access a program (such as Regedit), you
can use the "Run As" feature in Win2000. Just right click the program you
want to run, and select "Run As". You can then type in the name and password
of your renamed Administrator account.
Log in with Administrator access as rarely as possible. A trojan that is run
by mistake, or a malicious ActiveX or Java component run by a webpage that
gets through, will have access to anything the account has access to. Many
bugs that let hostile web pages damage your system have already been found,
more are most likely out there. If a dangerous program runs as an
Administrator, it will have access to your system files, such as the
registry. Running as a Restricted User can mean the difference between
having your individual User profile wiped out, versus having your entire
system wiped out as an Administrator. Note that running a trojan as a
Standard User can affect some system-wide settings, but not all.
PASSWORDS
Always put in passwords, strong passwords. Meaning at least 8 characters,
with a combination of at least three of the following: lower case, upper
case, numbers, and symbols.
There are some utilities that can crack your passwords, like L0phtCrack. To
defeat these programs, there are certain ASCII characters accessed with the
numeric keypad ALT key that you can include in your passwords, as shown at:
http://sysopt.earthweb.com/articles/win2kpass/index.html
Next, go to Local Security Policy. Start -> Settings -> Control Panel ->
Administrative Tools -> Local Security Policy -> Account Policy -> Account
Lockout Policy
Some recommended settings are listed below.
Account lockout duration: (45 minutes)
Account lockout threshold: (5 invalid login attempts)
Reset account lockout counter after: (45 minutes)
The Account Lockout Policies should not affect you as long as you don't
forget your password, and can restrict the number of tries some network user
has to guess your Administrator password.
Look in Password Policies too. Settings may be needed if you have other users on
your system. Generally, these settings can be a real pain to use.
UPDATE WINDOWS
Go to Start -> Windows Update. If you don't have a Windows Update icon in
your start menu (some installs don't do this, I don't know why), you can
make one. Do it as shown in the section above for creating a shortcut to the
Backup program, but the path this time is:
%SystemRoot%\system32\wupdmgr.exe
Under the name type in "Windows Update", or whatever. Drag it to the Start
button, when it shows the menu release. It will be put into the upper menu.
Make sure you get the latest Service Packs (SP2 is almost out at time of
writing), as well as the critical updates, and the High Encryption pack.
AUDITING
If someone does break in, you may not know it unless you have auditing
enabled and actually check your logs.
Start -> Programs -> Administrative Tools -> Local Security Policies ->
Local Policies -> Audit Policy
Audit account logon events records logons. Audit success (to see if someone
stole a password) and failure (for random password hacks).
Audit policy changes tracks security policy changes. Audit success and
failure.
Audit privilege use can identify when a user tries to use a right not
assigned to them. Audit failure.
Audit system events can monitor if someone clears the event log. Audit
success and failure.
Event viewer lets you see the logs.
FIREWALLS
Download and install a Firewall. ZoneAlarm is good and free, and it is at
www.zonelabs.com. Go into Security, and set security at "High" for both
Local and Internet. Under the "MailSafe e-mail protection" section, click on
the box labeled "Enable MailSafe protection to quarantine e-mail script
attachments". Under "Lock", Enable "Automatic Lock", and "Engage Internet
Lock when screen saver activates." To set up a screen saver, right-click on
the desktop, select "Properties", go into Screen Saver and set one up. If
you need to have some programs access the internet while the Automatic Lock
is enabled (like email programs that check for new messages), you need to
select the "Pass Lock" box next to the program in the "Programs" directory
of ZoneAlarm.
If you have Zonealarm, download ZoneLog Analyser (shareware, nag screens).
This will read in your Zonealarm log file and sort your alerts by type (such
as trojan and DOS attacks) and date.
It is a good idea to probe your ports when you are done setting up your
firewall, to make sure you didn't miss anything. You can do this at
www.grc.com (follow links to ShieldsUp!).
VIRUS SCANNERS / BEHAVIOR BLOCKERS / SANDBOXES
If you don't already have a virus scanner, you need one. While many are out
there, one good free one is Inoculate IT Personal Edition, at
http://antivirus.cai.com provided you are using it on your personal computer
(similar to ZoneAlarm, business copies are not free). It is ICSA Certified
and consistently rates extremely high in detection rates. It has good user
support too, with timely update notifications emailed frequently.
Note that virus scanners only detect certain patterns. If the
virus/trojan/worm is zipped up, it probably won't detect it. If it is a new
virus/trojan/worm which isn't in the database yet, it won't detect it. Some
virii change their code to fool virus scanners (polymorphic virii). One way
to detect these types of malicious programs is to install a behavior blocker
/ sandbox. Behavior blockers restrict the rights of code accessing parts of
your computer. For example, if an app attempts to access your registry, a
warning box can pop up asking if you really want to do this. Sandboxes can
allow you to run code in a safe environment that will not affect system
resources, to see what it actually does.
One good, free combination behavior blocker / sandbox is SurfinGuard Pro at
http://www.finjan.com/surfinguard. This program can be configured to simply
block certain types of access, or to prompt you to run the code / stop the
code / run the code in a sandbox.
DISABLE NetBIOS
Start -> Settings -> Control Panel -> Network and Dial-up Connections ->
Local Area Connection -> Properties -> Internet Protocol (TCP/IP) ->
Advanced -> WINS tab -> Disable NetBIOS over TCP/IP. If you have a dial up
connection, you will need to go into that as well after "Network and Dial-up
Connections" and follow the same procedure.
DISABLE NETWORK BINDINGS
Start -> Settings -> Control Panel -> Network and Dial-Up Connections. In
here you will have your network information -- you need to go into
everything except for "Make New Connection". If you have DSL or Cable, you
will probably have one that says "Local Area Connection". Hit "Properties".
If there are tabs, select the one that says "Networking". Uncheck every box
that does not say "TCP/IP" somewhere in it. The most important category that
should be UNchecked is "File and Print Sharing for Microsoft Networks",
which can allow other computers to access your files.
CONVERT YOUR DRIVES TO NTFS
If you didn't set up your disks as "NTFS", you need to do that now. Go into
Windows Explorer, expand "My Computer", right-click on your hard drive(s),
and select "Properties". It should say somewhere in there "File System:
NTFS". If it says "File System: FAT" or "File System: FAT32", you need to
change it. IMPORTANT NOTE: you NEED to have your disks in FAT if you have
Win95, Win98 or WinME installed, as they can only read FAT disks. If you
convert your disks to NTFS, they will not be able to read the data. You can
convert only the hard drive/partition you have Win2000 on, but your older
Windows will not be able to read any files on it. If you convert the
disk/partition that your older Windows is on, the older Windows won't even
start.
If you need to change to NTFS, go to Start -> Run (or just type the Windows
key + "r"). At the command line, type in:
convert c: /fs:ntfs
Replace "c:" with every drive you wish to convert. Follow instructions,
which will probably include restarting your computer. Make sure you do this
at a time the power will not go out. It will take a few seconds to a few
minutes, depending on how much stuff is on the drive. After converting, you
should run Disk Defragger (Start -> Programs -> Accessories -> System
Tools).
DRIVE PERMISSIONS
You can set up NTFS drives to allow read/write/edit permissions for
different users/files. This is another way to ensure protection of your
system in case an anonymous user gets access.
First, we need to replace the default permission for "Everyone" or anonymous
users to access your drives (including anonymous users/guests), and set it
up so only real users that have logged in have access. Go into Windows
Explorer, expand "My Computer", right-click on your hard drive(s), and
select "Properties". Go into the "Security" tab. Click Advanced. Under the
Permissions Tab, select "Everyone". Hit View/Edit. Hit Change. Select
"Authenticated Users". Hit OK, and OK again.
Next, we need to deny access to our dummy Administrator account, in case
someone actually manages to log on with it. If you have not created a dummy
Administrator account, don't follow the rest of these instructions or you
may lock yourself out of your computer. Hit the "Add" button, and select
"Administrator". IMPORTANT: Do NOT hit "Administrators", as this is the
entire GROUP of (real) Administrators. You want the USER "Administrator" .
It will have an entry in the "In Folder" section next to the name; the
"Administrators" GROUP will NOT. Hit "OK". Back in the main Security Tab,
hit Advanced. Select Administrator. Hit View/Edit. For "Apply Onto:", make
sure "This folder, subfolder and files" is selected. Then click all boxes
under "Deny". Hit OK three times.
(If you have any other Names in the top box besides "Administrator" and
"Authenticated Users", remove them unless you know they belong for some
reason. There should not be anything else in a clean install.)
You have to repeat this for every drive / partition.
SERVICES
Services are background programs your computer uses to run correctly. Many
services are unnecessary, and some are actually dangerous. A secure system
needs to disable certain services. Many services are included by default as
Microsoft expects your system to be operated in a network. This includes
allowing remote users to access your registry, view your clipbook, browse
your directory, or connect to it via Telnet. These can open large holes in
your system, and should be removed. This also has the advantage of improving
system performance, as each service can take up megabytes of RAM. I cleared
up over 20 MB of memory simply by disabling services I never used.
Rather than repeating basic info on services, as well as lengthy
descriptions of what each service does, this guide recommends you read the
following. The "Windows 2000 Services tweak guide" is a good introduction to
services, and also describes what to do if you accidentally disable a service
that you actually need to run your computer.
http://www.3dspotlight.com/tweaks/win2k_services/index.shtml
The following article (broken into parts) is more focused on the security
aspect of services:
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16301
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16363
Services that I have disabled include:
Clipbook
Computer Browser
DHCP Client (Warning: some internet connections need this service)
Fax Service
Indexing Service
Internet Connection Sharing
IPSEC Policy Agent
Net Logon
Netmeeting Remote Desktop Sharing
Remote Registry Service
Routing and Remote Access
Server
SNMP Service
SNMP Trap Service
Task Scheduler
TCP/IP NETBIOS Helper Service
Telnet
SHARING
Run or create a shortcut to Regedit (the path is X:\WINNT\regedit.exe, where
X is your Win2000 drive). Go into Regedit. Under
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
select Edit -> New -> DWORD Value. As the name, put in "AutoShareServer".
The value should come out to "REG_DWORD : 0" by default. If not, hit Modify
and change it. Exit Regedit.
Note: disabling shares with Windows Explorer (as written in some other
guides) will only work until the next reboot.
OTHER SECURITY SETTINGS
Start -> Settings -> Control Panel -> Users and Passwords -> Advanced Tab ->
under "Secure Boot Settings" enable the box marked "Require users to press
Ctrl-Alt-Delete before logging in". This defeats trojans that attempt to
intercept your password.
Start -> Programs -> Administrative Tools -> Group Policy -> Computer
Configuration -> Administrative Templates -> Windows Components ->
Netmeeting:
Enable "Disable remote desktop sharing." Of course, if you use Netmeeting
you need this disabled.
Start -> Programs -> Administrative Tools -> Local Security Policy ->
Security Setting -> Local Policies -> Security Options:
Set "Additional restrictions for anonymous connections" to "No access
without explicit anonymous permissions." (By default, an anonymous user is
considered part of the "Everyone" group. Even though we restricted access to
the "Everyone" group earlier, this provides another layer of protection.
Note that in NT, the highest setting was "Do not allow enumeration of SAM
accounts and shares", which replaces "Everyone" with "Authenticated Users"
in the security permissions for resources. Win2000 has added the "no access"
setting to provide even more security - this will take out both Everyone and
any network connections which don't have explicit permission. Both these
settings will defeat programs (i.e. "Redbutton") that log anonymously and
are designed to find the names of user accounts and/or the name of the
renamed Administrator account.)
Enable "Do not display last user name in logon screen."
Enable "Restrict CD-ROM access to locally logged-on user only". This will
prevent users logged in over the internet from reading your CD-ROM.
Enable "Restrict floppy access to locally logged-on user only". This will
prevent users logged in over the internet from deleting/stealing info in
your floppy (or writing a boot virus to your floppy that will run the next
time you start up your computer).
Enable "Restrict users from installing printer drivers" This prevents others
from installing bogus printer drivers. You will have to disable this if you
replace or add a printer driver.
Disable "Disable CTRL+ALT+DEL requirement for logon". This will grey out the
box marked "Require users to press Ctrl-Alt-Delete before logging in" in the
Users and Passwords utility, adding another layer of protection as a trojan
will have to disable both before trying to steal your passwords.
Think about enabling "Clear virtual memory pagefile when system shuts down".
This is for the truly paranoid -- it wipes out the pagefile memory (the part
of the harddrive that acts as RAM memory when you don't have enough RAM) on
shutdown. This is mainly for those computers that have to be secure in case
someone steals the harddrive, or laptops. Of course, there is the chance on
a home system that a network user could gain control of your computer and
mine this memory looking for stuff like admin passwords and credit cards.
This option can add a long time to your shutdown time.
Start -> Programs -> Administrative Tools -> Local Security Settings ->
Security Setting -> Local Policies -> User Rights Assignment:
Go into "Deny access to this computer from the network"; add "Everyone",
"Guests", the "Administrators" group, and each separate individual account.
Note this setting takes precedence over the "Access this computer from the
network" right, so you don't have to modify both. This theoretically makes
it so you can only log in from your local computer.
ENCRYPTING FILE SYSTEM (EFS)
You can set up your NTFS drives for automatic encryption of files. I don't go
into this here as this is really only useful if you think someone is going
to physically access your computer, such as booting up from a floppy and
reading your files. If someone gets access to your Administrator account, it
doesn't matter if the files are encrypted or not.
CONFIGURE WINDOWS EXPLORER TO SHOW EXTENSIONS
This helps prevent you from running dangerous programs that you might have
downloaded by mistake, such as Registry files or .VBS files.
Windows Explorer -> Tools -> Folder Options -> View -> UNclick "Hide file
extensions for known file types".
You should turn off your email's ability to automatically run programs. Some
can run just by viewing the mail, without opening any attachments (although
the latest patches to Express are designed to avoid this from happening by
giving you a warning box). To do this in Outlook or Outlook Express, refer
to:
http://www.microsoft.com/technet/security/crsstQS.asp
It's a little easier in Eudora and Netscape. In Eudora, go to Tools ->
options -> Viewing Mail. Uncheck "Allow executables in html content".
In Netscape Navigator, go to Edit -> Preferences -> Advanced. Deselect the
option "Enable Javascript for mail and news".
DISABLE AUTOMATIC RUNNING OF .REG FILES
If a file with the extension .reg is run, the registry is changed (provided
the user has access to the registry). This is a good way for trojans to do
nasty things to your computer. A nifty trick is to change the file
association for the .REG extension. This prevents (for example) a malicious
Web site from inserting new keys into your registry while you are browsing
the Web.
To do this, you need to have a reg file you can play with. If you don't, go
into Wordpad and save a sample file as sample.reg, or rename a file you
don't need to *.reg. In Windows Explorer, right-click on the file, and
select Properties. In the section of the box that says "Type of file:", hit
Change, select Wordpad, and hit OK twice. Wordpad is good because when *.reg
files are run, it will run Wordpad and actually show you the code that would
have run instead of running Regedit and executing it. The fastest way to
actually run reg files is to right-click on the file, go to "Open With",
choose "Other", go into the /WinNT folder, and choose Regedit.
REMOVE THE OS/2 and POSIX SUBSYSTEMS
These systems are only installed so Microsoft can sell the OS to the
government. No one else really needs them (if you do, you should know).
There are no known security problems with having these installed, but as
with any operation running on your computer, if you don't need it, it might
be better not to have it run in case a future exploit is found. This will
clear up a little bit of system resources too.
Using Regedit, perform the following changes to the listed keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\OS/2 Subsystem for NT -- Delete all
sub keys
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\Environment -- Delete the value for Os2LibPath
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\SubSystems -- Delete the value for Optional
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session
Manager\SubSystems -- Delete entries for Posix and OS/2
Delete the \winnt\system32\os2 directory and all its subdirectories.
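To show how the three Account Lockout Policy values recommended in the PASSWORDS section interact (threshold 5, reset counter after 45 minutes, lockout duration 45 minutes), here is an added simulation of that state machine; it is example code, not part of the post, and the two logon sequences it runs are constructed.

```python
"""Simulation of the Windows 2000 Account Lockout Policy values given in the
post: threshold 5 invalid attempts, reset counter after 45 minutes, lockout
duration 45 minutes. Added example; the event sequences are constructed."""
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5          # "Account lockout threshold"
    reset_after_min: int = 45   # "Reset account lockout counter after"
    duration_min: int = 45      # "Account lockout duration"


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad_at: Optional[float] = None   # minute of the most recent failure
    locked_until: Optional[float] = None  # minute at which the lockout expires


def attempt(state: AccountState, policy: LockoutPolicy, t: float, password_ok: bool) -> str:
    """Apply one logon attempt at minute t and return the outcome:
    'locked'  - rejected because the account is locked out; a locked account
                rejects even the correct password until the duration passes,
                which is what makes remote guessing slow
    'success' - correct password, failure counter cleared
    'failure' - wrong password, failure counter incremented
    'lockout' - this failure reached the threshold and locked the account
    """
    if state.locked_until is not None:
        if t < state.locked_until:
            return "locked"
        # lockout duration elapsed: the account unlocks and the counter resets
        state.locked_until = None
        state.bad_count = 0
    # the counter also resets if the previous failure is older than the window
    if state.last_bad_at is not None and t - state.last_bad_at >= policy.reset_after_min:
        state.bad_count = 0
    if password_ok:
        state.bad_count = 0
        state.last_bad_at = None
        return "success"
    state.bad_count += 1
    state.last_bad_at = t
    if state.bad_count >= policy.threshold:
        state.locked_until = t + policy.duration_min
        return "lockout"
    return "failure"


def run(events: List[Tuple[float, bool]], policy: LockoutPolicy = LockoutPolicy()) -> List[str]:
    """events: (minute, password_ok) pairs in time order; returns the outcomes."""
    state = AccountState()
    return [attempt(state, policy, t, ok) for t, ok in events]


# Constructed scenario 1: five wrong guesses in a row lock the account; the
# real owner's correct password at minute 10 is rejected, at minute 50 accepted.
GUESSING = [(0, False), (1, False), (2, False), (3, False), (4, False),
            (10, True), (50, True)]
# Constructed scenario 2: four failures, then a 46-minute pause. The counter
# has reset, so the fifth failure is just another failure, not a lockout.
SPACED = [(0, False), (1, False), (2, False), (3, False), (49, False)]

if __name__ == "__main__":
    print(run(GUESSING))
    print(run(SPACED))
```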
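The .REG file-association trick in the post exists so that you can read what a .reg file would do before Regedit executes it. The following added parser (not from the post) does that reading programmatically for the common .reg line forms; its sample file is constructed and sets the AutoShareServer value from the SHARING section, plus a value deletion and a key deletion to exercise those forms.

```python
"""List the registry changes a .reg file would make, without applying it.
Added example, not from the post. Handles: [key], [-key] (delete key),
"name"="string", @=..., "name"=dword:hex, "name"=hex...:bytes, "name"=-
(delete value) and backslash line continuation. Assumes already-decoded text."""
import re
from typing import List, Tuple

# Constructed sample .reg file (not from the post).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters]
"AutoShareServer"=dword:00000000
"Comment"="set by \"hardening\" script"
"Obsolete"=-
"Blob"=hex:01,02,\
  03

[-HKEY_CURRENT_USER\Software\Example\Unwanted]
'''

HEADERS = ("Windows Registry Editor Version 5.00", "REGEDIT4")
LINE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def unescape(s: str) -> str:
    """Undo the .reg escapes \\" and \\\\ inside quoted names and strings."""
    return re.sub(r'\\(.)', r'\1', s)


def parse_reg(text: str) -> List[Tuple[str, str, str, str]]:
    """Return (key, action, value_name, detail) tuples in file order, where
    action is 'delete_key', 'delete_value' or 'set:<type>'."""
    text = re.sub(r'\\\r?\n\s*', '', text)   # join continued hex lines
    lines = text.splitlines()
    if not lines or lines[0].strip() not in HEADERS:
        raise ValueError("missing .reg header")
    changes, key = [], None
    for raw in lines[1:]:
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            if key.startswith("-"):            # [-key] deletes the whole key
                changes.append((key[1:], "delete_key", "", ""))
                key = None
            continue
        m = LINE_RE.match(line)
        if key is None or not m:
            raise ValueError(f"unparsed line: {raw!r}")
        name = "(Default)" if m.group(2) else unescape(m.group(1))
        data = m.group(3)
        if data == "-":
            changes.append((key, "delete_value", name, ""))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            changes.append((key, "set:REG_SZ", name, unescape(data[1:-1])))
        elif data.startswith("dword:"):
            changes.append((key, "set:REG_DWORD", name, str(int(data[6:], 16))))
        elif data.startswith("hex"):          # hex:, hex(2):, hex(7): ...
            kind, _, body = data.partition(":")
            changes.append((key, f"set:{kind}", name, body.replace(" ", "")))
        else:
            raise ValueError(f"unknown data form: {raw!r}")
    return changes


if __name__ == "__main__":
    for key, action, name, detail in parse_reg(SAMPLE_REG):
        print(f"{action:14} {key}  {name!r} {detail}")
```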