Sambar Server Documentation

NT Security


Overview
The Microsoft Windows NT operating system provides quite a few security features; unfortunately, the default OS configuration is quite "relaxed". As most production Sambar Servers are installed and run on Windows NT, a lack of OS security can leave the whole system vulnerable no matter how the web server itself is configured. Having been the target of numerous security "reviews" over the past few years, Sambar Technologies includes the following NT security notes (most of these suggestions are geared towards users running NT as an Internet server). Note: the measures outlined below decrease the possible avenues of attack, but by no means halt all intrusions.

Basic Tips

  • Apply the latest Microsoft NT Service Pack and review the current list of Hot-Fixes (www.microsoft.com). In between Service Pack releases, Microsoft issues Hot-Fixes to address immediate and serious problems that cannot wait for the next Service Pack.
  • Remove all protocol stacks except TCP/IP (NetBEUI, IPX/SPX and so on). IP is the only protocol needed for Internet services, and every extra protocol bound to the Internet adapter is another way in.
  • Remove the "Access this computer from the network" right from every account that does not need it. Open User Manager and use the Policies | User Rights menu. This right governs SMB, named-pipe and RPC logons to the machine; anonymous HTTP requests served by the Sambar Server do not require it, so on a dedicated web server it can usually be limited to Administrators.
  • Use NTFS disk partitions instead of FAT. NTFS offers file permissions and file auditing; FAT offers neither. NTFS is also less prone to file corruption than FAT.
  • Implement all of NT's password controls: require users to have strong passwords, force users to change their passwords at regular intervals, and hide the last user name in the logon dialog (it is shown by default). NT can lock out an account after a specified number of bad password attempts; enable this setting to inhibit an intruder's ability to guess passwords by brute force. Lastly, you can enforce long and complex passwords with the PASSFILT.DLL password filter that ships with NT 4.0 SP2 and later.
  • The default Administrator account is a target for most intruders. Create a replacement administrator account: create a new user, add it to the Administrators group, and duplicate the account policies and permissions granted to the default Administrator account. Then strip the default Administrator account of every right and permission you can. The built-in account cannot be deleted, so also rename it and give it a long, random password.
  • Minimize the number of users that belong to the Administrators group.
  • If you are running the Sambar Server as an NT Service, make sure you run the service under an ordinary user account that has only the file and registry permissions the server needs, not the System (LocalSystem) account.
  • Guard very carefully the CGI, WinCGI and ISAPI applications you install on your server; they can be grave security risks if the person writing them does not fully understand the security implications of their code. An ISAPI extension in particular runs inside the server process with the server's privileges.
  • The Guest account is created by default with each NT installation. If you do not need to permit Guest users on your system, disable the Guest account (it cannot be deleted). Disable all other unnecessary accounts as well.
  • Revoke the "Access this computer from the network" right (using User Manager) for users that do not need to connect to that particular NT system over the network. Restricted accounts can then only be used to log on locally.
  • Disable NetBIOS over TCP/IP network bindings if possible. See Network Bindings below.
  • Block all non-essential TCP/IP ports, both inbound and outbound. In particular, at least block UDP ports 137 and 138 and TCP port 139 (the NetBIOS name, datagram and session services); on Windows 2000 also block TCP and UDP port 445 (SMB over TCP). Note that NT's own TCP/IP Security filtering (Advanced TCP/IP properties) only filters inbound traffic, so outbound blocking needs a router or firewall.
  • Disable the Simple TCP/IP Services (if installed) using Control Panel | Services. This stops the chargen, echo, daytime, discard and qotd services, any of which can be used for denial of service attacks (for example by bouncing spoofed UDP traffic between one host's chargen and another's echo port). None of these services are required for proper network operation. See the NT Services section below for additional service security measures.
  • Enable auditing on all NT systems. Open User Manager, and on the Policies | Audit menu you will find the events that may be audited (logon and logoff, file and object access, use of user rights, user and group management, security policy changes, restart and shutdown, process tracking). Once enabled, track the audit information in the Security log of Event Viewer; an audit trail nobody reads stops no one.
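The account, logon and auditing tips above, collected into one PowerShell script. This is an added example and is not part of the Sambar documentation or product. It targets a current Windows release rather than NT 4.0, so User Manager, PASSFILT.DLL and the NT 4.0 registry location are replaced by net.exe, secedit.exe, auditpol.exe, the Policies registry key and the LocalAccounts cmdlets (Windows 10 / Server 2016 or later). The account name srvadmin, the rename target svc-unused, the policy numbers, and the decision to leave "Access this computer from the network" to Administrators only are assumptions; adjust them to your own policy.

```powershell
# Added example (not Sambar's code): account and logon hardening for a stand-alone
# Windows server, following the tips above. Run from an elevated PowerShell session.
# Assumptions: current Windows release, no domain policy overriding local settings,
# replacement administrator account named 'srvadmin'.
$ErrorActionPreference = 'Stop'

# 1. Password ageing, history and lockout in the local SAM (values are assumptions).
net accounts /minpwlen:14 /maxpwage:90 /minpwage:1 /uniquepw:24
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

# 2. Complexity enforcement and user rights through a security template.
#    NT 4.0 did this with PASSFILT.DLL and User Manager | Policies | User Rights.
#    Granting SeNetworkLogonRight only to Administrators (S-1-5-32-544) revokes
#    "Access this computer from the network" for every other account.
$template = @'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 14
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
[Version]
signature="$CHICAGO$"
Revision=1
'@
$inf = Join-Path $env:TEMP 'harden.inf'
$template | Set-Content -Path $inf -Encoding Unicode
secedit /configure /db (Join-Path $env:TEMP 'harden.sdb') /cfg $inf /areas SECURITYPOLICY USER_RIGHTS

# 3. Replace the built-in Administrator: create the new admin, then rename and
#    disable the built-in account (it cannot be deleted).
$pw = Read-Host -Prompt 'Password for srvadmin' -AsSecureString
New-LocalUser -Name 'srvadmin' -Password $pw
Add-LocalGroupMember -Group 'Administrators' -Member 'srvadmin'
Rename-LocalUser -Name 'Administrator' -NewName 'svc-unused'
Disable-LocalUser -Name 'svc-unused'

# 4. Guest off; list the accounts that remain enabled so they can be reviewed.
Disable-LocalUser -Name 'Guest'
Get-LocalUser | Where-Object Enabled | Select-Object Name, LastLogon

# 5. Hide the last user name at logon. (NT 4.0 used the REG_SZ value
#    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName.)
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $pol -Name 'DontDisplayLastUserName' -Value 1 -Type DWord

# 6. Auditing: the NT 4.0 audit categories map onto these auditpol categories.
#    Success and failure are both enabled; failures show attacks, successes show
#    what an attacker did after getting in.
foreach ($cat in 'Logon/Logoff', 'Account Logon', 'Account Management',
                 'Policy Change', 'Privilege Use', 'System') {
    auditpol /set /category:"$cat" /success:enable /failure:enable
}
auditpol /get /category:*
```

Run it once, log off, and confirm that you can still log on as srvadmin and that the Sambar Server still starts under its service account before you disconnect the console; the user-rights change in step 2 is the one most likely to lock out a remote administration tool.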

NT Services
NT services account for a sizeable part of the vulnerabilities associated with Windows NT: every running service is listening code reachable by the network or by local users. Any service that is not necessary should be stopped and set to Disabled so that it is not restarted at boot. Warning: stopping some of the services listed below will inhibit your ability to perform administration functions, and some applications require them to run properly. Disable them one at a time and verify that the Sambar Server and your administration tools still work after each change.

  • Alerter
  • ClipBook Server
  • Computer Browser
  • DHCP Client (Obtains the address from a DHCP server; an Internet server should use a static address and not need it.)
  • Directory Replicator
  • FTP Publishing Service (Microsoft FTP server.)
  • IIS Admin Service (Microsoft WWW server administration.)
  • IPSEC Policy Agent (Windows 2000; retrieves and applies IPSec policy from the local machine or a Windows 2000 domain. Needed only if you use IPSec.)
  • Messenger
  • Net Logon
  • Network DDE
  • Network DDE: DSDM
  • Plug and Play
  • Remote Procedure Call (RPC) Locator
  • Remote Registry Service (For remotely accessing the registry of other systems.)
  • RIP Service (Enables your server to act as a router.)
  • RunAs Service (Secondary Logon; lets programs be started under another user account.)
  • Server (SMB file and print sharing and named-pipe server. May be required by some applications, and is required for remote administration with User Manager and Server Manager.)
  • SNMP Trap Service
  • Spooler
  • TCPIP NetBIOS Helper (May be required for some applications.)
  • Telephony Service (Required if access is by dial-up connection.)
  • Tracking Client (Distributed Link Tracking Client, Windows 2000; keeps shortcuts and OLE links working when NTFS files are moved, using a tracking server in a Windows 2000 domain. Not needed on a web server.)
  • Workstation (May be required for some applications.)
  • World Wide Web Publishing Service (Microsoft WWW server.)
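A PowerShell routine, added here and not part of the Sambar documentation, that stops and disables the services in the list above while honouring the warning: a service that other running services depend on is reported and skipped unless -Force is given. The names in $unneeded are the internal service names behind the display names listed (Alerter, ClipSrv for ClipBook Server, Browser for Computer Browser, and so on); services that do not exist on your Windows release are skipped silently. Plug and Play is left out because current Windows releases do not allow it to be disabled, and keeping Server (LanmanServer) and Workstation (LanmanWorkstation) in the list is an assumption you should revisit if you administer the machine over the network.

```powershell
# Added example (not Sambar's code): internal names for the services listed above,
# minus PlugPlay. Run from an elevated PowerShell session.
$unneeded = @(
    'Alerter', 'ClipSrv', 'Browser', 'Dhcp', 'Replicator', 'MSFTPSVC', 'IISADMIN',
    'PolicyAgent', 'Messenger', 'Netlogon', 'NetDDE', 'NetDDEdsdm', 'RpcLocator',
    'RemoteRegistry', 'Iprip', 'seclogon', 'LanmanServer', 'SNMPTRAP', 'Spooler',
    'lmhosts', 'TapiSrv', 'TrkWks', 'LanmanWorkstation', 'W3SVC'
)

function Disable-UnneededService {
    param(
        [Parameter(Mandatory)][string[]]$Name,
        [switch]$Force    # also stop the services that depend on the one being disabled
    )
    foreach ($n in $Name) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if (-not $svc) { continue }    # not installed on this release
        $dependents = @($svc.DependentServices | Where-Object Status -eq 'Running')
        if ($dependents.Count -gt 0 -and -not $Force) {
            Write-Warning ('{0}: skipped, running services depend on it: {1}' -f $n, ($dependents.Name -join ', '))
            continue
        }
        try {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name $n -Force:$Force }
            Set-Service -Name $n -StartupType Disabled    # do not come back at boot
            [pscustomobject]@{ Service = $n; Display = $svc.DisplayName; Result = 'disabled' }
        } catch {
            Write-Warning ('{0}: {1}' -f $n, $_.Exception.Message)
        }
    }
}

# Dry run first: which of the listed services exist here, and what state are they in?
Get-Service -Name $unneeded -ErrorAction SilentlyContinue |
    Select-Object Name, DisplayName, Status, StartType

Disable-UnneededService -Name $unneeded

# Verify: nothing in the list should still be running or set to start automatically.
Get-Service -Name $unneeded -ErrorAction SilentlyContinue |
    Where-Object { $_.Status -eq 'Running' -or $_.StartType -ne 'Disabled' }
```

The skip-on-dependents check is what turns the documentation's warning into a safe default: Stop-Service without -Force refuses to stop a service with running dependents, but Set-Service would still have marked it Disabled, leaving the machine in a state that only shows up at the next reboot.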

Network Bindings
Using the Bindings tab in the Network control panel, you can control (bind or unbind) which protocols and services have connectivity to each network card installed in the system. It is very important that you disable, on your external (Internet) network card, the protocol capabilities that offer avenues of penetration to unwanted users, while leaving them bound to an internal card if you need file sharing or remote administration from the inside.

For an adapter that has direct connectivity to the Internet, disable the following bindings under the WINS Client (TCP/IP) protocol listing (the NetBIOS Interface carries NetBIOS over TCP/IP; Server and Workstation are the SMB file-sharing server and client):

  • NetBIOS Interface
  • Server
  • Workstation
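The same unbinding, plus the port blocking from the Basic Tips, done from PowerShell on a current Windows release. This is an added example, not part of the Sambar documentation: NT 4.0 had only the Bindings tab for this. It assumes Windows 8 / Server 2012 or later (for the NetAdapter and NetSecurity cmdlets), an elevated session, and that the Internet-facing adapter is named External; the rule names are mine.

```powershell
# Added example (not Sambar's code): remove SMB and NetBIOS exposure from the
# Internet-facing adapter. Assumes the adapter is named 'External' (change to match
# Get-NetAdapter output) and an elevated session on Windows 8 / Server 2012 or later.
$ErrorActionPreference = 'Stop'
$External = 'External'

# Server and Workstation bindings: File and Printer Sharing (ms_server) and Client for
# Microsoft Networks (ms_msclient). Unbound from the external adapter only.
Disable-NetAdapterBinding -Name $External -ComponentID 'ms_server', 'ms_msclient'

# NetBIOS Interface binding: disable NetBIOS over TCP/IP on every interface.
# NetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled. Takes effect at reboot.
$ifaces = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces'
Get-ChildItem -Path $ifaces | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name 'NetbiosOptions' -Value 2 -Type DWord
}

# Belt and braces: block the NetBIOS and SMB ports at the host firewall too, so that a
# binding someone re-enables later does not silently re-expose them. Inbound rules
# match the local port; outbound rules match the remote port.
$ports = @(
    @{ Proto = 'UDP'; Port = 137, 138 },   # NetBIOS name and datagram services
    @{ Proto = 'TCP'; Port = 139, 445 }    # NetBIOS session service, SMB over TCP
)
foreach ($p in $ports) {
    $label = '{0} {1}' -f $p.Proto, ($p.Port -join '/')
    New-NetFirewallRule -DisplayName "Block $label in" -Direction Inbound `
        -Action Block -Protocol $p.Proto -LocalPort $p.Port -Profile Any
    New-NetFirewallRule -DisplayName "Block $label out" -Direction Outbound `
        -Action Block -Protocol $p.Proto -RemotePort $p.Port -Profile Any
}

# Verify: only TCP/IP-related bindings left on the external adapter, and nothing
# listening on the SMB ports (the second command should print nothing after a reboot).
Get-NetAdapterBinding -Name $External | Where-Object Enabled |
    Select-Object ComponentID, DisplayName
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 139, 445 }
```

The registry change for NetbiosOptions applies to every interface, including an internal one; if the internal network still needs NetBIOS name resolution, restrict the ForEach-Object to the interface GUIDs that belong to the external adapter.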

DOS Devices
DOS treats several file names as special: AUX, PRN, NUL, CON, COM1-COM9, LPT1-LPT9 and so on. After years of dealing with this silliness in DOS, the developers of Windows NT/2000/XP have seen fit to keep the behaviour around: a path whose file name is one of these refers to the device, not to a file, whatever directory prefix you supply, and the match ignores case, anything after the first dot or colon, and trailing dots and spaces (C:\WWW\CON, con.txt and "NUL." all name devices). A program that opens such a path gets the device, so a server handed a request for one can hang waiting on the console or a serial port instead of returning "not found". As these file names cannot safely be used even if you include an explicit directory prefix, the Sambar Server is forced to restrict the use of these DOS device names for all files.
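A check of the kind the Sambar Server applies, written in PowerShell as an added example; the product's own implementation is not shown on this page, and the function name and sample paths are mine. It applies the Win32 naming rules that make the directory prefix irrelevant: each path component is compared, case-insensitively, after dropping everything from the first dot or colon onward and any trailing spaces and dots, so CON.TXT, con:stream and "nul ." are all caught.

```powershell
# Added example (not Sambar's code): reject any path in which some component names
# a DOS device. Returns $true when the path must not be opened as a file.
function Test-DosDeviceName {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    $reserved = @('CON', 'PRN', 'AUX', 'NUL') +
                (1..9 | ForEach-Object { "COM$_"; "LPT$_" })

    foreach ($component in ($Path -split '[\\/]')) {
        if ($component -eq '') { continue }
        # Win32 matches the device name before the first '.' or ':' and ignores
        # trailing spaces and dots, so CON.TXT, con:stream and "nul ." all open devices.
        $base = ($component -split '[.:]', 2)[0].TrimEnd(' ', '.')
        if ($reserved -contains $base) { return $true }   # -contains ignores case
    }
    return $false
}

# Constructed request paths, as a web server sees them after URL decoding; these are
# test inputs made up for this example, not paths from any real site.
$samples = '/cgi-bin/con', '/docs/AUX.txt', 'C:\www\lpt1.', '/images/nul:stream',
           '/console.html', '/docs/com0.txt', '/readme.txt'
foreach ($s in $samples) {
    '{0,-22} reserved: {1}' -f $s, (Test-DosDeviceName -Path $s)
}
```

The function checks every component rather than only the final file name so that a directory named CON is refused as well. console.html and com0.txt are not flagged: only whole base names match, and only COM1 to COM9 and LPT1 to LPT9 are reserved, which is why a literal table of names is safer than a prefix test such as "starts with COM".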

© 1999 Sambar Technologies. All rights reserved. Terms of Use.