Post on 26-Dec-2015

PRACTICAL STEPS IN SECURING WINDOWS NT

Copyright, 1996 © Dale Carnegie & Associates, Inc.


As recommended by corporate officials, programmers and hackers.

By William White

Introduction

• Windows NT is easy to secure, compared to some other systems.

• As long as you take some necessary steps, your system will be reasonably secure.

Securing Windows NT consists of two main areas:

• Putting filters between your network and the Internet.

• Configuring workstations and servers against unauthorized access.

Filters for your Network

• Firewalls.

• Packet Filtering.

Firewalls

• Set your firewall to disable everything, then enable only the access you need.

• Firewalls are effective, but they have two major problems:

• 1) High cost.

• 2) It is hard for users on your network to access the Internet.

Packet Filtering

• Because much traffic goes through two ports, you can:

• 1) Enable packet filtering.

• 2) Disable UDP port 138.

• 3) Disable TCP port 139.

Other Ports to Block with Packet Filtering

Service Name    Port  Type  Port Name    Direction
FTP               20  tcp   ftp-data     incoming
FTP               21  tcp   ftp          incoming
Telnet            23  tcp   telnet       incoming
Mail              25  tcp   smtp         incoming
NFS              111  tcp   portmapper   both
NFS              111  udp   portmapper   both
Administration   161  udp   snmp         both
Administration   162  udp   snmp         both
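A small model of the deny-by-default stance from the Firewalls slide combined with the block list above (UDP 138, TCP 139 and the table entries), written here as an added Python example rather than anything from the original deck; the two allow rules (inbound 80/tcp, outbound 25/tcp) are assumed business needs that the slides do not state.

```python
"""Deny-by-default packet filter model for the block list on the slides.

Added example, not code from the original deck.  First matching rule
wins; a packet no rule mentions is denied ("disable everything, then
enable only what you need").  The two allow rules are assumed needs.
"""
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    port: int
    proto: str       # "tcp" or "udp"
    direction: str   # "incoming", "outgoing" or "both"
    action: str      # "allow" or "deny"

    def matches(self, port, proto, direction):
        return (self.port == port and self.proto == proto
                and self.direction in (direction, "both"))

def decide(policy, port, proto, direction):
    """Action of the first matching rule, or "deny" when none matches."""
    for rule in policy:
        if rule.matches(port, proto, direction):
            return rule.action
    return "deny"

# Block list from the slides: NetBIOS 138/udp and 139/tcp plus the table.
BLOCKED = [
    Rule(20, "tcp", "incoming", "deny"),   # ftp-data
    Rule(21, "tcp", "incoming", "deny"),   # ftp
    Rule(23, "tcp", "incoming", "deny"),   # telnet
    Rule(25, "tcp", "incoming", "deny"),   # smtp
    Rule(111, "tcp", "both", "deny"),      # portmapper
    Rule(111, "udp", "both", "deny"),      # portmapper
    Rule(138, "udp", "both", "deny"),      # NetBIOS datagram service
    Rule(139, "tcp", "both", "deny"),      # NetBIOS session service
    Rule(161, "udp", "both", "deny"),      # snmp
    Rule(162, "udp", "both", "deny"),      # snmp
]
# Assumed needs (constructed): inbound web, outbound mail.
ALLOWED = [Rule(80, "tcp", "incoming", "allow"),
           Rule(25, "tcp", "outgoing", "allow")]
POLICY = BLOCKED + ALLOWED

def audit(policy, packets):
    """Map each constructed (port, proto, direction) packet to its decision."""
    return {pkt: decide(policy, *pkt) for pkt in packets}
```

Note that outbound SMTP passes only because an explicit allow rule exists; anything the policy does not mention, such as 8080/tcp, is dropped by the default.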

Disable NetBEUI over TCP/IP.

• In Control Panel -> Network -> Bindings, disable these:

• 1) NetBIOS Interface -> WINS Client(TCP/IP) -> Ethernet.

• 2) Server -> WINS Client(TCP/IP) -> Ethernet.

• 3) Workstation -> WINS Client(TCP/IP) -> Ethernet.

Configuring Workstations and Servers against Unauthorized Access:

• 1) Disable the Guest account.

• 2) Rename the Administrator account to something non-obvious.

• 3) Enable the password lock-out user policy.

Configuration of Workstations and Servers -- continued:

• 4) Set up accounts with passwords for all local workstations.

• 5) Use long, difficult-to-guess passwords.

• 6) Keep your administrative passwords known to a very minimal group of people.

Configuration of Workstations and Servers -- continued:

• 7) Change your passwords regularly.

• 8) Create a backup administrative account, with some complicated password written somewhere outside of the computer system.

• 9) Never keep passwords on the disk.

Configuration of Workstations and Servers -- continued:

• 10) Don't install FTP Server except for a very restricted area. Check whether the FTP user has permissions to other areas of the server.

• 11) Don't use a Telnet daemon at all.

• 12) Don't use your administrative passwords in any other place, neither in the computer, nor in real life.

Configuration of Workstations and Servers -- continued:

• 13) Remove share permissions for the Everyone group.

• 14) Remove network access for the Everyone group.

• 15) If you use Perl for CGI programs, DO NOT put perl.exe into the web server's cgi-bin directory.

Configuration of Workstations and Servers -- continued:

• 16) Restrict FTP.

• 17) Implement APOP, if you use POP3.

• 18) Adjust RAS parameters.

Configuration of Workstations and Servers -- continued:

• 19) Keep track of logons and security failures.

• 20) Check the security log regularly.

• 21) Run the C2 Configuration Manager.

Configuration of Workstations and Servers -- continued:

• 22) Remove the Bypass Traverse Checking right from all user accounts.

• 23) Install all NT Service Packs.
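As an added example (not from the deck) of what "keep track of logons and security failures" and "check the security log regularly" look like in practice, this Python script reviews a constructed security-log export for accounts that hit the lock-out threshold from item 3; the export format and the five-attempts-in-30-minutes policy are assumptions.

```python
"""Review an NT security log export for repeated logon failures.
Added example, not from the deck; the export is constructed and its
time,eventID,account format assumed.  529 = bad user name or password,
539 = account locked out (NT 4 security audit IDs)."""
from collections import defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
1999-08-24 09:01:12,529,mallory
1999-08-24 09:01:20,529,mallory
1999-08-24 09:01:31,529,mallory
1999-08-24 09:01:45,529,mallory
1999-08-24 09:02:02,529,mallory
1999-08-24 09:02:02,539,mallory
1999-08-24 10:00:00,529,bob
1999-08-24 11:00:00,529,bob
1999-08-24 12:00:00,529,bob
1999-08-24 12:30:00,529,bob
1999-08-24 13:00:00,529,bob
"""
LOCKOUT_THRESHOLD = 5                   # assumed lock-out policy:
LOCKOUT_WINDOW = timedelta(minutes=30)  # five bad attempts within 30 minutes
def parse(export):
    events = []
    for line in export.splitlines():
        if line.strip():
            ts, eid, account = line.split(",", 2)
            events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(eid), account))
    return sorted(events)  # chronological order for the sliding window

def find_brute_force(events, threshold=LOCKOUT_THRESHOLD, window=LOCKOUT_WINDOW):
    """Accounts whose 529 events reach threshold inside one window -> total failures."""
    failures = defaultdict(list)
    for ts, eid, account in events:
        if eid == 529:
            failures[account].append(ts)
    flagged = {}
    for account, times in failures.items():
        start = 0
        for end, ts in enumerate(times):       # slide the window over sorted times
            while ts - times[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                flagged[account] = len(times)
                break
    return flagged

def locked_out(events):
    return sorted({account for _, eid, account in events if eid == 539})
```

The account "bob" accumulates the same number of failures as "mallory" but spread over hours, so it never reaches the threshold within a window and is not flagged; that separation of a burst from background noise is what regular review of the log is meant to surface.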

Examples of Past Attacks on Windows NT:

• L0phtcrack 1.5 and the "PW Crack" attack -- 1997.

• The "GetAdmin" program -- 1997.

• The "Red Button" attack -- 1997.

Examples of Recent Attacks on Windows NT:

• IE5 Allows File Creation and Modification -- 8/24/1999.

• The "Java VM Sandbox" attack -- 8/26/1999.

Close

• Microsoft releases many fixes for known problems in the form of Hotfixes, Service Packs and new Releases.

• There is a tradeoff between Security and Usefulness.

• Vigilance is the price of Liberty.