Overview
The Microsoft Windows NT Operating System provides quite a few security
features; unfortunately, the default OS configuration is quite "relaxed".
As most production Sambar Servers are installed and run on Windows NT,
the lack of OS security can result in overall system vulnerability.
Having been the target of numerous security "reviews" over the past few
years, Sambar Technologies includes the following NT security notes
(most of these suggestions are geared towards users running NT as an
Internet server).
Note: The measures outlined below decrease the possible
avenues of attack, but by no means halt all intrusions.
Basic Tips
- Apply the latest Microsoft NT Service Pack and review the current
list of Hot-Fixes (www.microsoft.com). In between the release of
Service Packs, Microsoft releases Hot-Fixes to address immediate and
serious problems with the software that cannot wait for the next
Service Pack release. Hot-Fixes are cumulative only within a Service
Pack level, so re-check the list after every Service Pack install.
- Remove all protocol stacks except TCP/IP. IP is the only protocol
needed for Internet services.
- Restrict network logon. Open the User Manager and, on the
Policies | User Rights menu, remove "Access this computer from the network"
from every account that does not need it. This right governs NT network
logons (file sharing, named pipes, remote administration); serving HTTP
does not require it, so on a dedicated web server it can usually be
removed from all accounts.
- Use NTFS disk partitions instead of FAT. NTFS offers security features
(per-file permissions and auditing) that FAT does not have at all.
NTFS is also less prone to file corruption than FAT.
- Implement all of NT's password control features: require users to have
strong passwords, force users to change their passwords at regular
intervals, and hide the last logged-on username (shown in the logon
dialog by default). NT can lock out accounts after a specified number
of bad password attempts; enable this setting to inhibit an intruder's
ability to guess passwords by brute force. Lastly, you can force the use
of strong and complex passwords by employing the PASSFILT.DLL that comes
with NT 4.0 SP2 and SP3.
- The default Administrator account is a target for most intruders.
Create a new administrator account by creating a new user, adding them
to the Administrators group and duplicating all the account policies and
permissions granted to the default Administrator account. Then remove all
rights and permissions from the default Administrator account and rename
it. Note that the built-in Administrator account cannot be deleted and
is, by default, exempt from account lockout, which is why it attracts
password-guessing attacks in the first place.
- Minimize the number of users that belong to the Administrators group.
- If you are running the Sambar Server as an NT Service, make sure you run
the service under an ordinary user account, not the System account. Grant
that account only the "Log on as a service" right and the NTFS permissions
on the document and log directories it actually needs.
- Guard very carefully the CGI, WinCGI and ISAPI applications you install
on your server; these can be grave security risks if the person writing them
doesn't fully understand the security implications of their code.
- The Guest account is created by default with each NT installation.
If you do not need to permit Guest users on your system, remove or disable
the Guest account. Disable all other unnecessary accounts as well.
- Revoke the "Access this computer from the network" right
(using User Manager) for users that don't need to connect to that
particular NT system from the network. Restricted accounts can then only
be used to log on locally.
- Disable NetBIOS over TCP/IP network bindings if possible. See
Network Bindings below.
- Block all non-essential TCP/IP ports, both inbound and outbound.
In particular, at least block UDP ports 137 and 138 and TCP port 139
(the NetBIOS name, datagram and session services), and verify the
block from outside the network rather than trusting the configuration.
- Disable the Simple TCP/IP Services (if installed) using
Control Panel | Services. This stops the chargen, echo, daytime,
discard, and qotd services, any of which could be used for denial of
service attacks (chargen and echo in particular can be made to flood
each other). None of these services are required for proper network
operation. See the NT Services section below for additional service
security measures.
- Enable auditing on all NT systems. Open the User Manager, and
on the Policies | Audit menu, you'll find the account related
events that may be audited. Once enabled, track the audit information!
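The port-blocking tip above asks you to block UDP 137/138 and TCP 139; the following is an added example (not Sambar's code) of how to check that block from another host. It tries a TCP connect to 139 and sends a NetBIOS node-status (NBSTAT) query for the wildcard name "*" to UDP 137; an answer to either means the port is reachable. UDP 138 is a datagram-only service with no request/response pair, so it is not probed here. The transaction ID and the timeout are arbitrary choices of this example.

```python
"""Verify from outside that the NetBIOS ports the text says to block are closed."""
import socket

NETBIOS_NAME_SERVICE_PORT = 137   # UDP name service
NETBIOS_SESSION_PORT = 139        # TCP session service (SMB over NetBIOS)


def tcp_port_open(host: str, port: int, timeout: float = 2.0) -> bool:
    """True if a TCP connect to host:port completes within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def encode_netbios_name(name16: bytes) -> bytes:
    """First-level NetBIOS name encoding (RFC 1001 section 14.1): each of the
    16 name bytes becomes two letters, 'A' + high nibble and 'A' + low nibble."""
    assert len(name16) == 16, "NetBIOS names are exactly 16 bytes"
    out = bytearray()
    for b in name16:
        out.append(0x41 + (b >> 4))
        out.append(0x41 + (b & 0x0F))
    return bytes(out)


def build_nbstat_query(txn_id: int = 0x1234) -> bytes:
    """NBSTAT request for the wildcard name '*': 12-byte header (ID, flags 0,
    QDCOUNT 1, AN/NS/ARCOUNT 0) followed by one question of type 0x21, class IN."""
    header = txn_id.to_bytes(2, "big") + b"\x00\x00" + b"\x00\x01" + b"\x00\x00" * 3
    name = encode_netbios_name(b"*".ljust(16, b"\x00"))   # "*" padded with NULs
    question = b"\x20" + name + b"\x00" + b"\x00\x21" + b"\x00\x01"
    return header + question


def udp_nbstat_responds(host: str, timeout: float = 2.0) -> bool:
    """Send an NBSTAT query to UDP 137 and report whether a matching reply
    arrives. A reply means the NetBIOS name service is reachable (not blocked)."""
    query = build_nbstat_query()
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        try:
            s.sendto(query, (host, NETBIOS_NAME_SERVICE_PORT))
            data, _ = s.recvfrom(1024)
        except OSError:           # timeout, or ICMP port unreachable on a closed port
            return False
    return len(data) >= 12 and data[:2] == query[:2]


def netbios_exposure(host: str, timeout: float = 2.0) -> dict:
    """Summarise the two NetBIOS ports that can be probed with a simple exchange."""
    return {
        "tcp/139": tcp_port_open(host, NETBIOS_SESSION_PORT, timeout),
        "udp/137": udp_nbstat_responds(host, timeout),
    }


if __name__ == "__main__":
    import sys
    target = sys.argv[1] if len(sys.argv) > 1 else "127.0.0.1"
    for port, reachable in netbios_exposure(target).items():
        print(f"{target} {port}: {'REACHABLE - block it' if reachable else 'blocked/closed'}")
```

Run it from a host on the Internet side of the filter (`python netbios_check.py your.server.example`); run from the LAN it only tells you that the server itself answers, not that the perimeter blocks the ports.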
NT Services
NT Services account for a good part of the vulnerabilities associated with
Windows NT use. Any services that are not necessary should be stopped and
set to Disabled (so they do not restart at boot).
Warning: Removal of some of the services listed below will
inhibit your ability to perform administration functions, and some
applications require the services to run properly.
- Alerter
- ClipBook Server
- Computer Browser
- DHCP Client (For connecting to a DHCP server.)
- Directory Replicator
- FTP Publishing Service (Microsoft FTP server.)
- IIS Admin Service (Microsoft WWW server administration.)
- IPSEC Policy Agent (For connecting to a Windows 2000 domain.)
- Messenger
- Net Logon
- Network DDE
- Network DDE: DSDM
- Plug and Play
- Remote Procedure Call (RPC) Locator
- Remote Registry Service (For remotely accessing the registry of other systems.)
- RIP Service (Enables your server to act as a router.)
- RunAs Service (For use by applications that run as an alias.)
- Server (May be required for some applications. Required by User Manager.)
- SNMP Trap Service
- Spooler
- TCPIP NetBIOS Helper (May be required for some applications.)
- Telephony Service (Required if access is by dial-up connection.)
- Tracking Client (For connecting to a Windows 2000 domain.)
- Workstation (May be required for some applications.)
- World Wide Web Publishing Service (Microsoft WWW server.)
Network Bindings
Using the Bindings tab in the Network control panel, you
can control (bind or unbind) which protocols and services have connectivity
to each of the installed network cards of the system. It is very important
that you disable, on your external (Internet) network card, the protocol
capabilities that offer avenues of penetration to unwanted users.
For an adapter that has direct connectivity to the Internet, disable
the following bindings under the WINS Client (TCP/IP) protocol
listing:
- NetBIOS Interface
- Server
- Workstation
DOS Devices
DOS treats several file names as special, such as AUX, PRN, NUL,
CON, COM1-COM9, LPT1-LPT9 etc. Lucky us, after years of dealing with
silliness in DOS, the developers of Windows NT/2000/XP have seen fit
to keep this vulnerability around! These names are recognized even with an
explicit directory prefix or a file extension (C:\docs\aux.txt still
refers to the AUX device), so a request for such a name can hang or
crash a server that tries to open it as a file. As these file names
cannot safely be used at all, the Sambar Server is forced to restrict the
use of these DOS device names for all files.
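The check a web server has to make, as an added example; this is not the Sambar Server's own code. It decodes the request path first (so an encoded "%61ux" cannot slip past), splits on both separators Windows accepts, and rejects any component that names a device. The reserved set is the page's list (CON, PRN, AUX, NUL, COM1-9, LPT1-9); the page's "etc." is not expanded, so extend the set if your platform reserves more. The matching rule used here, that the device name may be followed by a dot, colon, space or end of string, is the documented Win32 behaviour (NUL.txt and NUL.tar.gz both mean NUL).

```python
"""Reject request paths that contain a DOS device name in any component."""
import re
from urllib.parse import unquote

# Device names listed on the page. The lookahead makes "aux.txt", "prn:" and
# "com1 " match while "auxiliary.txt", "config.sys" and "lpt10" do not.
_DEVICE_RE = re.compile(r"^(CON|PRN|AUX|NUL|COM[1-9]|LPT[1-9])(?=$|[. :])", re.IGNORECASE)


def is_dos_device_name(component: str) -> bool:
    """True if a single path component would be resolved as a DOS device."""
    return _DEVICE_RE.match(component) is not None


def request_path_is_safe(url_path: str) -> bool:
    """True only if no component of the (URL-decoded) path names a device.
    Both '/' and '\\' are treated as separators because Windows accepts either,
    and every component is checked: a directory called NUL is just as bad."""
    decoded = unquote(url_path)
    for component in re.split(r"[\\/]+", decoded):
        if component and is_dos_device_name(component):
            return False
    return True


if __name__ == "__main__":
    # Constructed sample requests, not captured traffic.
    for path in ("/docs/index.html", "/docs/aux.txt", "/CON", "/nul.tar.gz",
                 "/images/lpt1/x.gif", "/%61ux", "/config.sys", "/lpt10.txt"):
        verdict = "ok" if request_path_is_safe(path) else "REJECT (DOS device)"
        print(f"{path:22} {verdict}")
```

Apply the check after URL decoding and before any file-system call; checking only the final file name, or only the raw request bytes, leaves both the directory case and the percent-encoded case open.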