Some useful tips for NT:
References:
Ref. | Document number | Ver. | Title | Date | Author
[nt1] | Technet CD | | Enterprise Planning Guide - Security | May '95 | Microsoft
[nt2] | ISBN 1-55615-653-7 | 3.5 | NT Resource Kit | 1995 | Microsoft
[nt3] | ISBN 1-55615-814-9 | | Windows NT 3.5 Guidelines for Security, Audit and Control | 1994 | Microsoft
[nt4] | Technet CD | 5.95 | Enterprise Planning Guide - Domains | May '95 | Microsoft
[nt5] | Technet CD / BackOffice | 5.95 | The Microsoft Strategy for Distributed Computing and DCE Services | May '95 | Microsoft
[nt6] | | 3.5 | NT Server "Concepts and Planning Guide" | | Microsoft
[nt7] | The Perl Journal | #8 | "NT Administration with Perl" | Winter 1997 | Dave Roth
NT has lots of good points (compared with Win95 or Win3.1), but it is not without its problems. The following is a list of known security problems and administrative problems.
The principal dangers with NT are:
NT is only suitable as an Internet server if protected by a packet filter and very carefully set up. See also the Firewalls chapter.
NT offers only one mechanism for identifying and authenticating users: LAN Manager (either peer-to-peer or in a domain configuration).
LAN Manager identifies subjects by user name and authenticates them by entry of a password.
To view the current account policy settings (minimum password length, password age, lockout), type:
net accounts /domain
Strong password filtering (Passfilt.dll, delivered with NT 4.0 Service Pack 2 and later) is enabled by adding the DLL to the LSA notification packages:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Value: Notification Packages
Type: REG_MULTI_SZ
Data: Passfilt.dll
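What Passfilt.dll actually rejects is not obvious from the registry entry alone. The following is an added example (not code from the original page, and not Microsoft's code) that models the documented Passfilt rules in Python: at least 6 characters, characters from at least three of the four classes (upper case, lower case, digits, other), and no occurrence of the account name or of any part of the full name. The way the full name is split into parts (on spaces and common punctuation, ignoring parts shorter than three characters) is my reading of the rule and is an assumption.

```python
# Added example (not code from the original page): a Python model of the rules
# Passfilt.dll enforces. The token handling for the full-name check is an
# assumption about how the documented rule is applied.
import re

MIN_LEN = 6                      # Passfilt minimum password length


def char_classes(password: str) -> int:
    """Count how many of the four character classes the password uses."""
    return sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    ])


def name_tokens(fullname: str) -> list:
    """Split a full name into the parts compared against the password.
    Assumption: parts are separated by spaces, commas, dots, tabs, '_', '#'
    or '-', and only parts of three or more characters count."""
    return [t for t in re.split(r"[ ,.\t_#-]+", fullname.lower()) if len(t) >= 3]


def passfilt_ok(password: str, username: str, fullname: str = "") -> bool:
    """Return True if the password would be accepted by the filter."""
    if len(password) < MIN_LEN:
        return False
    if char_classes(password) < 3:
        return False
    lowered = password.lower()
    # The password must not contain the account name ...
    if username and username.lower() in lowered:
        return False
    # ... nor any significant part of the user's full name.
    return not any(t in lowered for t in name_tokens(fullname))


if __name__ == "__main__":
    for pw in ("password1", "Jsmith1!", "Smith99!", "Tr0ub4dor&"):
        verdict = "ok" if passfilt_ok(pw, "jsmith", "John Smith") else "rejected"
        print(f"{pw:12} {verdict}")
```

The check is case-insensitive on purpose: "Smith99!" uses all four character classes and is long enough, but still fails because the full name "John Smith" contains "smith".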
By default, NT separates tasks into the following groups:
Function | NT Workstation group | NT Server group |
Advanced System administrators | Administrators | Administrators |
Basic administration (disks/sharing) | Power Users | Server operators |
User account creation/deletion | Power Users | Account operators |
Printer configuration | Power Users | Print operators |
System backups/restore | Backup operators | Backup operators |
Any user at all | Everyone | Everyone |
normal users | Users | Users |
Guest | Guests | Guests |
It is suggested that a new group be created: Security Administrators, having the rights listed in the next section "Rights".
TBD: define global groups and how they relate to the above.
NT has a defined list of rights which can be attributed to users or (preferably) groups. "Rights" is the term for what a user is allowed to do on a system. E.g. if a user has the "Log on locally" right, this user will be allowed to log in at the machine console. Certain rights cannot be attributed: they are built in to NT. For instance, if you want to allow an administrator to share filesystems and printers, but not to carry out other administrator functions, it is not easy (you'd need to remove rights such as Backup/Restore/Shutdown/Change time from an operator group and use that group for sharing alone).
TBD: Bypass Traverse Checking: if this right is removed (in the User Manager), a user must have traverse (execute) permission on every directory in a path before being able to reach a file or program below it.
The following table recommends which rights should be attributed to which (NT Server local) groups. Note the addition of the new group Security admins. The basic rule is: attribute the minimum rights necessary to each group.
Legend:
"Yes" => NT default, keep this value
"Yes" => NT default, remove this value
"New" => Add this value
Right | Users | Security admins | Backup oper. | Administrators | Printer oper. | Account oper. | Server oper. |
Backup files and directories | Yes | Yes | |||||
Restore files and directories | Yes | Yes | |||||
Change system time | Yes | Yes | |||||
Access this computer from a network | Yes*[5] | Yes** | Yes** | Yes | Yes** | Yes** | Yes** |
Log on locally | New | Yes | Yes | Yes | Yes | ||
Manage audit and security log | New | Yes | |||||
Force shutdown from a remote system | Yes | Yes | |||||
Shutdown the system | Yes | Yes | |||||
Add Workstation to domain | Yes | New | New | ||||
Load/unload device drivers | Yes | ||||||
Take ownership of files / objects. | Yes | ||||||
Built-in rights (cannot be changed): | |||||||
Create & manage user accounts | Yes | Yes**[6] | |||||
Create & manage global groups | Yes | Yes** | |||||
Create & manage local groups | Yes[7] | Yes | Yes** | ||||
Assign user rights | Yes | ||||||
Lock the server | Yes | Yes | |||||
Override the server lock | Yes | ||||||
Format server's hard disk | Yes | Yes | |||||
Create common groups | Yes | Yes | |||||
Keep local profile | Yes | Yes | Yes | Yes | Yes | ||
Share & stop sharing directories | Yes | Yes | |||||
Share & stop sharing printers | Yes | Yes | Yes | ||||
Advanced rights: | |||||||
Act as part of the operating system | |||||||
Bypass traverse checking (TBD: test!!) | Yes | ||||||
Create a pagefile | Yes | ||||||
Create a token object | |||||||
Create permanent shared objects | |||||||
Debug programs | Yes | ||||||
Generate Security Audits | Yes | ||||||
Increase Quotas | Yes | ||||||
Increasing scheduling priority | Yes | ||||||
Lock pages in memory | |||||||
Log on as a batch job | |||||||
Log on as a service | |||||||
Modify firmware environment values | Yes | ||||||
Profile single process | Yes | ||||||
Profile system performance | Yes | Yes | |||||
Replace a process level token |
The Everyone local group has the right to log on over the network and to lock the server (although only those users who can log on locally will actually be able to do so). Everyone also has the Bypass traverse checking right.
The Replicator group has the right "Log on as a service".
Mandatory user profiles[8] (or User Login Profiles) may be used to restrict user access to Program Manager functionality, program groups, the Control Panel and the MS-DOS prompt. Mandatory user profiles also make it very easy to install new icon groups for all users; however the user cannot have any "personal settings" like desktop colours, layout etc. The profile editor (upedit.exe) is used to manage profiles and the User Manager attributes a profile to a particular user.
Use mandatory user profiles to restrict the icons/programs available to dedicated administrator users (if any exist).
User environment profiles do not offer any particular security benefit, but roaming users are presented with the same interface everywhere. The profile file (*.usr) must be stored on a shared directory.
The logon script can be used to:
See the Network security chapter. DNS can be used for Netbios name to IP address resolution, if so configured in Control Panel->Network->TCP/IP->DNS.
See the Network security chapter for a general discussion of DHCP. DHCP basically allows a client to boot and request its network configuration parameters from a DHCP server on the network. The client sends its MAC address, which the server can use to uniquely identify the machine if needed.
WINS allows Netbios name to IP address resolution via a highly automated dynamic database. It reduces the need for LMHOSTS files. See "NT Server TCP/IP" 3.5, Chapter 5 (page 105) for configuration. WINS can be started/stopped on the server via net start wins or net stop wins. The WINS administration tool is winsadmn.
TCP/IP reads not just the DNS records, but flat ASCII files (in root\winnt\system32\drivers\etc by default) to discover IP addresses (hosts), network names (networks), protocols (protocols) and services (services). This data is not kept in the registry.
A system administrator who regularly checks logs will learn a lot about how the system functions, can guarantee less downtime and at the same time should notice when security breaches occur. Monitoring logs should not be regarded as a boring job, but a chance to understand the guts of the system!
The NT event log centralises logging for most applications into three logs: the security log (covered in the following section "auditing"), the system log and the application log. However, logs are not centralised for a group of machines (unfortunately). These logs are in root\WINNT35\system32\config and may be viewed with the GUI eventvwr or via the command line utility dumpel. E.g. to extract one day's entries from each log:
dumpel -l security | perl -ne "if (/04\/05\/96/) {print;}"
dumpel -l system | perl -ne "if (/04\/05\/96/) {print;}"
dumpel -l application | perl -ne "if (/04\/05\/96/) {print;}"
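Grepping for a date is only a first step; the log reviewer wants the events that matter picked out and counted. The following is an added example (not code from the original page) that does this in Python over dumpel output. It assumes the tab-separated layout produced by "dumpel -l security -t" (date, time, type, category, event ID, source, user, computer, description), and the sample lines it contains are constructed, not captured from a real server. The event IDs used (517, 529, 612, 624, 636) are NT 4.0 security log IDs.

```python
# Added example (not code from the original page): pick out the security
# events a log reviewer would want to see from a dumpel dump. Assumes the
# tab-separated layout of "dumpel -l security -t": date, time, type,
# category, event ID, source, user, computer, description. The sample lines
# below are constructed, not captured from a real server.
import csv
from collections import Counter
from io import StringIO

# NT 4.0 security event IDs worth flagging
WATCH = {
    517: "audit log cleared",
    529: "logon failure (bad user name or password)",
    612: "audit policy changed",
    624: "user account created",
    636: "member added to local group",
}
AUDIT_FAILURE = 16   # value dumpel prints in the 'type' column for failure audits

FIELDS = ["date", "time", "type", "category", "event_id",
          "source", "user", "computer", "text"]

SAMPLE = (  # constructed sample of dumpel -t output covering two days
    "04/05/96\t08:01:10 AM\t8\t2\t528\tSecurity\tjsmith\tSERVER1\tSuccessful Logon\n"
    "04/05/96\t08:02:30 AM\t16\t2\t529\tSecurity\tN/A\tSERVER1\tLogon Failure: user administrator\n"
    "04/05/96\t08:02:35 AM\t16\t2\t529\tSecurity\tN/A\tSERVER1\tLogon Failure: user administrator\n"
    "04/05/96\t08:02:41 AM\t16\t2\t529\tSecurity\tN/A\tSERVER1\tLogon Failure: user administrator\n"
    "04/06/96\t09:15:00 AM\t8\t6\t612\tSecurity\tjsmith\tSERVER1\tAudit Policy Change\n"
    "04/06/96\t09:16:00 AM\t8\t1\t517\tSecurity\tjsmith\tSERVER1\tThe audit log was cleared\n"
)


def parse_dumpel(text: str) -> list:
    """Turn dumpel -t output into a list of dicts; numeric columns become ints."""
    events = []
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) < len(FIELDS):
            continue                       # skip blank or truncated lines
        ev = dict(zip(FIELDS, row))
        for key in ("type", "category", "event_id"):
            ev[key] = int(ev[key])
        events.append(ev)
    return events


def review(text: str, day: str = None) -> dict:
    """Flag watched events (optionally for one date, e.g. "04/05/96") and
    count failed logons per computer; a run of 529s against one account is
    the usual sign of password guessing."""
    events = parse_dumpel(text)
    if day:
        events = [e for e in events if e["date"] == day]
    flagged = [(e["event_id"], WATCH[e["event_id"]], e["user"], e["computer"], e["text"])
               for e in events if e["event_id"] in WATCH]
    failures = Counter(e["computer"] for e in events
                       if e["event_id"] == 529 and e["type"] == AUDIT_FAILURE)
    return {"events": len(events), "flagged": flagged, "failed_logons": failures}


if __name__ == "__main__":
    result = review(SAMPLE, "04/05/96")
    print(f"{result['events']} events, {len(result['flagged'])} flagged")
    for item in result["flagged"]:
        print("  ", item)
    print("failed logons per computer:", dict(result["failed_logons"]))
```

On a real server the text would come from "dumpel -l security -t" (piped into the script or read from a file); the constructed sample shows the two patterns worth a closer look: repeated failures against the administrator account, and an audit policy change followed by the log being cleared.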
NT gathers a great deal of statistics on system usage. Regular monitoring of these statistics with the perfmon GUI can help to detect strange system behaviour. Alerts can be set to fire when predefined thresholds are exceeded. The following is the mere tip of the iceberg!
NT offers quite good auditing features (in comparison to most UNIX systems for example). Selective auditing of objects (files, directories, printers etc.) is possible on a per user basis. However, high-level "big picture" auditing tools are lacking.
Switch on the following auditing in "User Manager->Policies->Audit" [10], depending on the data sensitivity:
Event | Class 1: successful | Class 1: failure | Class 2: successful | Class 2: failure |
Logon/logoff | X | X | X | X |
File & Object access | X | |||
Use of user rights | X | X | ||
User & group management | X | X | X | |
Security policy changes | X | X | X | |
Restart, shutdown, system | X | X | X | |
Process tracking | X |
Auditing of access to certain important files ("File Manager->Security->Audit") should be enabled. Two types of file are given, with slightly different access auditing.
Type 1: root\winnt35\system32\config\SecEvent.Evt (the security log), the registry hive files, regedt32.exe
Type 2: root\winnt35\ntsetup\config.sys, logon scripts, the root directory, winnt35, system32.
Access | Type 1: successful | Type 1: unsuccessful | Type 2: successful | Type 2: unsuccessful |
Read | X | X | ||
Write | X | X | X | |
Execute | X | X | X | |
Delete | X | X | X | |
Change ownership | X | X | X | |
Take ownership | X | X | X |
The registry is very important to NT and must be protected to prevent compromise of the system. It is organised like a filesystem tree, and permissions and auditing attributes may be set per key as with NTFS files (see regedt32.exe). Logging all access would generate huge logs, but selective auditing of particular keys can be useful. Registry auditing could be enabled when a security breach is suspected but not confirmed.
Connections can be monitored (e.g. for strange names, new and unexpected use of resources) with net session, net use and the resource kit network monitor.
Clipbook auditing can be used if required for applications that use the Clipbook (clipbrd.exe). It can generate many log entries.
Certain services can be configured to log their actions, e.g. ftp, RAS, PPP. See the Network Components section.
Auditing is set in Printer Manager->Security->Audit.
Printers used for printing confidential information should have the following events audited for failure: Take Ownership, Change Permissions, Delete, Full Control. Optionally, successful use of Print, Take Ownership, Change Permissions and Delete can be enabled.
Objects are protected by a two different methods, rights/privileges (discussed in the Identification/authentication section) and permissions (or Access Control Lists, discussed in this section). Rights are attributed to users through their account properties and the groups they belong to, permissions are assigned to objects managed by NT. The following pages discuss the different permission mechanisms for the principal objects in the NT system.
The registry is a database containing configuration parameters for NT and applications. It is split into several logical trees (hives), physically stored in files in %SystemRoot%\system32\config:
File | Registry tree |
system | HKEY_LOCAL_MACHINE\SYSTEM |
system.alt | backup copy of the system hive |
software | HKEY_LOCAL_MACHINE\SOFTWARE |
security | HKEY_LOCAL_MACHINE\SECURITY |
sam | HKEY_LOCAL_MACHINE\SAM (security account manager) |
default | HKEY_USERS\.DEFAULT |
userdef | |
The remaining trees are views rather than separate files: HKEY_USERS (the loaded user hives), HKEY_CLASSES_ROOT (a pointer into HKEY_LOCAL_MACHINE\SOFTWARE\Classes), HKEY_CURRENT_USER (a pointer for the current user into HKEY_USERS) and HKEY_CURRENT_CONFIG (a pointer into HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet).
There is also a LOG file associated with each of the above, in which changes are written before being checkpointed. The registry may be directly edited via the regedt32.exe tool.
TBD: what should the NTFS file permissions be for the actual binary registry files listed above?
The registry is organised like a filesystem tree and permissions attributes may be set per leaf as with NTFS files (see regedt32.exe). These permissions control which users can access which entries.
Automatic screen locking with password protection should be enabled after (say) 5 minutes (Control Panel -> Desktop).
The job scheduler (at) runs commands in the security context of the system account (or whatever account the Schedule service runs under), not that of the user who submits the job. By default only Administrators can use at; if the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\SubmitControl is 0x00000001, Server Operators can also use it. There is no ACL for at, so anyone allowed to submit jobs can run arbitrary commands as the system account: enabling SubmitControl for Server Operators effectively gives that group administrator-level control of the machine.
Other front ends to at are winat (GUI) and soon, both delivered with the resource kit. Soon executes commands "soon".
=> The at scheduler is far too primitive for administration of large important servers. It doesn't even approach the UNIX cron utility (which is not without fault either).
Printer ACLs are set in Printer Manager->Security->Permissions. The defaults are:
Printer Operator, Server Operator, Administrator = Full Control
Creator Owner = Manage Documents
Everyone = Print
The clipboard/clipbook application (clipbrd.exe) allows a user to share a page with other users. Access control lists are identical to NTFS ACLs (object permissions) and Lan Manager (share permissions). Access may be granted/revoked to users and user groups.
Note: I don't really see what use this is, except that users can share information without sharing file systems.
The access control at filesystem level depends on the type of filesystem (only NTFS supports ACLs; FAT and HPFS do not) and on whether it is shared (and with what share permissions). The following table lists the permissions granted by default to the Everyone group on an NT 3.5 installation:
File | Everyone permission | Comment |
C:\ | RWXD | Should be read only? |
c:\users\default\ | RWX | OK |
c:\WINNT35\repair\ | All | Bug? |
c:\WINNT35\system32\*.fts | RWX | Bug? |
c:\WINNT35\system32\PASSPORT.MID | All | Bug? |
c:\WINNT35\system32\config\default | All | Bug? |
c:\WINNT35\system32\config\default.LOG | All | Bug? |
c:\WINNT35\system32\config\SAM | All | Bug? |
c:\WINNT35\system32\config\SAM.LOG | All | Bug? |
c:\WINNT35\system32\config\SECURITY | All | Bug? |
c:\WINNT35\system32\config\SECURITY.LOG | All | Bug? |
c:\WINNT35\system32\config\software | All | Bug? |
c:\WINNT35\system32\config\software.LOG | All | Bug? |
c:\WINNT35\system32\config\system | All | Bug? |
c:\WINNT35\system32\config\SYSTEM.ALT | All | Bug? |
c:\WINNT35\system32\config\system.LOG | All | Bug? |
c:\WINNT35\system32\os2\dll\netapi.dll | All | Bug? |
c:\WINNT35\system32\ras\ | RWXD | Bug? |
c:\WINNT35\system32\spool\drivers\w32x86\1\ | All | Bug? |
c:\WINNT35\system32\wins\ | All | Bug? |
Everyone's access is restricted, but is it tight enough? It needs to be documented whether all the above are really necessary (Microsoft support in Zurich say they do not know!).
TBD: Can the system32 entries be made read-only to Everyone? When replication is installed, the Import and Export directories are also RWXD for Everyone; read-only is sufficient.
NT services tend to run under the system account instead of dedicated, locked-down user accounts with minimum privileges (as is common on UNIX). This could open future holes if bugs are found in the system services.
NT uses the following network interfaces/protocols:
Specific TCP/IP applications (e.g. lpr, lpd, ftp, tftp, telnet, rcp, rsh, rexec, DNS and DHCP) and NetBIOS applications (most other networked applications) are included in NT, but others (such as NFS and NIS) are not.
NT uses Lan Manager to authenticate peers. See also the user identification section.
LAN Manager domains are not hierarchical and Microsoft recommends a maximum of 5'000 users per domain. Trust can be set up between domains to allow users from one domain to log on to another domain, effectively increasing domain size. Trust is non-transitive, so if A trusts B and B trusts C, it does not follow that A trusts C. Trust can be set up in one direction or in both. Each trust is protected by a password. A trusting domain accepts users from the domain it trusts without requiring them to authenticate again.
Domains can be set up in several ways depending on the number of users, the number of masters and the independence required between domains. A detailed discussion is to be found in [nt4]. In general there are four models: single domain, single master domain, multiple master domain and complete trust.
In general, resource domains have one-way trusts towards the logon (account) domains; logon domains do not need to trust resource domains.
Guaranteed by the network protocol used.
Passwords are not sent in clear text during LAN Manager authentication with newer Microsoft clients (Win95/NT): a challenge/response exchange is used instead. Older LM implementations such as Windows 3.x and UNIX Samba prior to v2 send passwords in clear text (like ftp and telnet). Note that challenge/response only stops the password being read directly off the wire: a captured LM response can still be attacked offline by password guessing, since the LM hash is computed from the upper-cased password in two independent 7-character halves.
In NT 4 a cryptographic API (CryptoAPI) is provided which allows applications to encrypt or digitally sign data. See also www.microsoft.com/intdev/security/cryptapi.htm . The cryptographic functions are performed by modules known as CSPs (Cryptographic Service Providers). NT 4.0 has one CSP bundled (Microsoft RSA Base Provider). This is a very interesting development, as it should allow plugging in of other cryptographic tools which conform to the API; however, CSPs have to be signed by Microsoft and will not be signed if they don't conform to the U.S. export restrictions.
=> In theory, this may allow Europeans to plug in strong
cryptographic routines (such as those used in the international PGP version) without being
hindered by the U.S. export policy on cryptographic products.
=> In practice, the CryptoAPI is restricted in Europe.
RPC has little in the way of access control or authentication; this must happen at the application layer. RPC is used extensively by NT system tools. In fact, when trying to harden NT for firewall usage, it is almost impossible to disable RPC.
Several utilities allow remote configuration of a system: Registry Editor, User Manager, Server Manager, Event Viewer etc. There doesn't seem to be any way to prevent this remote access, except by removing the user's access rights in the domain or by removing the "Access this computer from the network" right for all users.
If you don't trust your domain admins, then don't make the machine a domain member: log on locally and authenticate for individual resources. Otherwise (when a machine joins a domain) the Domain Admins global group is placed in the local Administrators group and hence has full access. One reason to log on to the domain is to change passwords; this can now be done without logging on to the domain, thanks to a tool from Alexander Frink, wwwthep.physik.uni-mainz.de/~frink/nt.html.
NTFS allows ACLs to be set on files and directories. These ACLs can contain users and groups. LAN Manager can then export (share) these directories. When exporting, NT allows a further share ACL to be set, specifying which users/groups can mount the shared directory in which mode (No Access, Read, Change, Full Access). Over the network a user gets the more restrictive of the share permission and the NTFS permission; the share ACL does not apply to users logged on at the console.
Note: host names are not included in the share ACL, i.e. it is not possible to share to specific hosts. The net use and net share commands are used to mount, respectively share, directories. E.g. to share a directory: net share public=d:\ or to mount a directory: net use x: \\SERVER\MYDIR. The net file command can be used to monitor/close shared files on a server.
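How the share ACL and the NTFS ACL combine is a frequent source of surprises ("I gave the group Change on the share, why can't they write?"). The following is an added example (not code from the original page) that models the NT rules in Python: within one ACL the permissions of the user's own entry and of every group the user belongs to accumulate, except that a "No Access" entry for any of them overrides the rest; over the network the result is the intersection of the share permission and the NTFS permission; at the console only the NTFS ACL counts. The share name, file name, group names and ACL entries are constructed for the example.

```python
# Added example (not code from the original page): how NT combines a share
# ACL with the NTFS ACL of the file behind it. The share, file and ACL
# entries below are constructed for the example.

# Each named permission as the set of operations it grants:
# R read, X execute, W write, D delete, P change permissions, O take ownership
NTFS_PERMS = {
    "No Access": frozenset(),
    "Read": frozenset("RX"),
    "Change": frozenset("RXWD"),
    "Full Control": frozenset("RXWDPO"),
}
SHARE_PERMS = {
    "No Access": frozenset(),
    "Read": frozenset("RX"),
    "Change": frozenset("RXWD"),
    "Full Access": frozenset("RXWDPO"),
}


def resolve(acl: dict, perms: dict, principals) -> frozenset:
    """Accumulate the rights granted to any of the principals; No Access wins."""
    granted = set()
    for p in principals:
        if p not in acl:
            continue
        if acl[p] == "No Access":          # an explicit No Access overrides everything
            return frozenset()
        granted |= perms[acl[p]]
    return frozenset(granted)


def effective(user: str, groups, ntfs_acl: dict, share_acl: dict = None) -> frozenset:
    """Rights a user ends up with on a file; pass share_acl=None for console access."""
    principals = [user, *groups, "Everyone"]   # every account is a member of Everyone
    rights = resolve(ntfs_acl, NTFS_PERMS, principals)
    if share_acl is not None:                  # over the network: share ACL also applies
        rights &= resolve(share_acl, SHARE_PERMS, principals)
    return rights


# Constructed example: \\SERVER1\PUBLIC exported from d:\public
SHARE_ACL = {"Everyone": "Read", "Server Operators": "Full Access"}
# Constructed NTFS ACL on d:\public\plan.doc
FILE_ACL = {"Everyone": "Change", "Contractors": "No Access"}

if __name__ == "__main__":
    cases = [
        ("jsmith", ["Users"]),                    # ordinary user: Change on disk, Read via share
        ("bob", ["Users", "Server Operators"]),   # operator: Full on share, Change on disk
        ("carol", ["Users", "Contractors"]),      # No Access on the file overrides Everyone
    ]
    for user, groups in cases:
        over_share = "".join(sorted(effective(user, groups, FILE_ACL, SHARE_ACL)))
        console = "".join(sorted(effective(user, groups, FILE_ACL)))
        print(f"{user:6} share={over_share or '-':6} console={console or '-'}")
```

The third case is the one to remember when locking down a server: a "No Access" entry on the file beats any other entry, including the Change granted to Everyone, whether the user comes in over the share or at the console. Conversely, tightening the share to Read does nothing for users who can log on locally.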
NFS is not included with NT, but many 3rd party products exist. An NFS server (Diskshare) and client (PC-NFS for NT) from Intergraph were briefly tested (Oct `95). They seem stable and are well integrated into the NT GUI, although a little slow with large files (NFS is generally slower than SMB). Chameleon 5.0 was also briefly tested in March 1996, but it is not integrated into the standard NT GUI utilities.
If NFS is used, ensure that the pcnfsd has been securely installed on the server (UNIX) side. See the "Securing UNIX" chapter. Don't rely on NFS for high security.
RAS is Microsoft's Dialup networking solution, with support for Netbios, NetBEUI, IPX, TCP/IP (PPP) and SNA. It may be used for creating WANs with gateway and routing functionality and for allowing "roaming employees" to access the corporate network. POTS Dial-in, ISDN and X.25 types are supported. RAS can be used to enable Internet access (!).
RAS does have technical problems (especially with ISDN), so you may
find that it's not suitable for a large user group.
General:
Identification/Authentication:
Access Control:
Encryption:
Accountability & Audit:
An SNMP agent (the SNMP service) is delivered as standard with NT (see Control Panel->Network->SNMP). Unless you have a central management team monitoring the network via SNMP, disable it. If you want to use SNMP:
The ftp server is configured during NT installation or via:
On an enterprise network, only routers should route data, i.e. workstations should not route between subnets. On small company networks, the dynamic multiprotocol routing (MPR) offered by NT 3.51 Service Pack 2 or NT 4.0 may be an economic alternative to routers. However, allowing hosts to route data can degrade network availability and allow accidental routing by hosts which happen to have two network interfaces.
=> It is recommended to configure static routing to a default router: configure the "gateway" to be the IP address of the router in Control Panel->Network->TCP/IP. It is possible to define multiple default routers for each network interface.
ntbackup backup c: d: e: f: /a /v /d "Server1 full" /b /hc:on /t normal /e /l e:\full_backup.log
and an incremental backup each day:
ntbackup backup c: d: e: f: /a /v /d "Server1 incremental" /b /hc:on /t incremental /e /l e:\inc_backup.log
If you have Exchange Server installed, don't forget to stop the service before backups (using net stop), otherwise its open files will be skipped.
Simple backups of directories can be made with xcopy (the /v option means verify, the /d option means copy only files which have changed since the last backup):
xcopy c:\mydata z:\backupdir /d /v
An even more interesting alternative is the robocopy utility in the resource kit, which only copies files that have changed, can even delete files for true replication and gives a summary at the end of the operation. I use this for syncing backup disks at night and remote syncing to laptops:
c:\reskit40\robocopy f:\ v:\ *.* /E /R:2 /PURGE
Registry Backups:
The registry should be an integral part of tape backups. It should also be backed up daily to another server:
regback \\other_serv\backups\myserver_name.reg
A quota manager is not delivered with NT. Third party products exist, but I have not yet heard hearty recommendations for any of them.
A (manual) log should be kept of all changes to the system. A record of who did what, to what files, on what machine, when, is necessary (particularly when more than one person administers a machine).
Send a message to all users attached to a working server:
net send /USERS Warning: This server will be down from 21:00-23:00 tonight.
SMS has the following functionality:
1. Inventory management and collection of installed hardware and software information on a network of machines.
2. Centralised distribution and installation of (SMS packaged) applications.
3. Remote diagnostics and help desk functions.
4. Network monitoring functions (basic, not a replacement for systems like IBM NetView or Sun NetManager).
Modified logon scripts are used for 1. and 2. above.
An SMS administrator could access the database directly, not just via SMSVIEW. This could lead to database corruption (since the SMS consistency checks are bypassed).
SMS servers communicate via Senders. A Sender is simply one of three methods of communication: SNA, RAS or LAN.
=> Avoid using the RAS sender.
If the RAS (Remote Access Service) sender is used, the RAS configuration should be specified; otherwise RAS should be disabled.
NT servers can't be managed from the serial port (like some UNIX machines); however, many commands can be executed on a remote machine (e.g. the User Manager can be used to manage the users on another machine, if the user is authorised; other examples are the Server/Printer Manager and the Event Viewer. Some of these are available as WfW or Win95 clients).
Server troubleshooting may be enhanced by sending debug messages to a terminal on a COM port. In boot.ini, in the [operating systems] section, the switches /NODEBUG, /DEBUG, /DEBUGPORT=COMx, /BAUDRATE=xxxxx, /CRASHDEBUG and /SOS can be used.
NT directly supports RAID, Mirroring and Duplexing (separate disk controllers).
NTFS allows expansion of volumes and volume set sizes, but not mirrored or stripe sets. If volumes are expanded, all users are logged off the system (but data is preserved).
Each NT server can have an import and (only one) export directory for receiving files replicated from another NT server or for replicating to other NT servers. NT workstations only receive replicated files.
Footnotes:
[1] See [nt1] page 80-81.
[2] See [nt1] page 83.
[3] NT resource kit.
[4] See [nt2] Chap.3, customising setup.
[5] The Everyone & Administrator groups have the right `Access from a Network'.
[6] Account operators cannot modify accounts of Administrators, Domain Admins global group or the local groups: Administrators, Servers, Account Operators, Print Operators, Backup Operators.
[7] Only if a user has the log on locally right, or access to the User Manager for Domains program.
[8] See [nt6] page 87.
[10] See [nt1] page 110.
IT Security Cookbook, 10 September, 1999