Windows NT Checklist (13 Aug 98)

  1. Physically secure the server.
  2. Protect the Emergency Repair Disk. Run RDISK /s to create an ERD.
  3. Run SYSKEY.EXE to strongly encrypt password information.
  4. Make sure the GUEST account is disabled.
  5. Replace "Everyone" with the "Authenticated Users" group that comes with SP3.
  6. Do not allow shares. Run "net share" to see all shares.
  7. Run "net accounts" and examine your accounts policy.
  8. Account policy: Passwords should expire in 30-60 days. Minimum password age should be 7 days. Minimum password length should be 8 characters. Remember at least 10 passwords. Lockout after 3 attempts. Reset after 30 minutes. Lockout duration should be forever (reset by Admin). Users must log on to change passwords. For the PDC, forcibly disconnect remote users when time has expired.
  9. Rename the administration account to other than Administrator.
  10. Look for unnecessary accounts that have Administrator status.
  11. Review the membership of the Administrators group and the Domain Admins group.
  12. Check User Rights Policy. User rights should be:
    access computer from network - Admin
    act as part of operating system - blank
    add workstations to domain - blank
    backup files and directories - Admin, Server Ops
    bypass traverse checking - everyone
    change system time - Admin, Server Ops
    create pagefile - Admin
    Create token object - blank
    create permanent shared objects - blank
    debug programs - Admin
    force shutdown - Admin, Server ops
    generate security audits - blank
    increase quotas - Admin
    increase scheduling priority - Admin
    load and unload device drivers - Admin
    lock pages in memory - blank
    log on as a batch job - blank
    log on as a service - blank
    log on locally - Account Ops, Admin, Backup Ops, Print Ops, Server Ops
    manage auditing and security log - Admin
    modify firmware - Admin
    profile single process - Admin
    profile system performance - Admin
    replace process level token - blank
    restore files and directories - Admin, Backup Ops, Server Ops
    shutdown the system - Account Ops, Admin, Backup Ops, Print Ops, Server Ops
    take ownership of file or other objects - Admin
    
  13. Remove services such as Alerter, Messenger, NT LM Security Support Provider, Schedule, Rsh, and DHCP services if not needed.
  14. Go to HKLM | SOFTWARE | Classes | AppID | Security | Permissions and remove any WRITE permissions to users.
  15. Go to HKLM | SOFTWARE | Classes | regfile | shell | open | command | Security | Permissions and make sure users do not have WRITE permission.
  16. Go to HKLM | SOFTWARE | Microsoft | Ole and change EnableDCOM value to N. The Ole registry key should not be writable to users.
  17. Go to HKLM | SOFTWARE | Microsoft | Windows | CurrentVersion and set subkeys RUN, RUNONCE, and UNINSTALL to READ.
  18. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Perflib | Security | Permissions and only allow READ access to users.
  19. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Winlogon and remove access for Server Operators. Make sure Everyone does not have full privileges.
  20. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Winlogon and delete AutoAdminLogon.
  21. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Winlogon and set AutoRestartShell to REG_DWORD of 1.
  22. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Winlogon and add AllocateCDRoms with a value of REG_DWORD of 1.
  23. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Winlogon and add AllocateFloppies with a value of REG_DWORD of 1.
  24. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Winlogon and add CachedLogonsCount with REG_SZ value of 0 to disable cached logons.
  25. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Winlogon and add the value of REG_SZ of 1 to DontDisplayLastUsername. This prevents the display of the last user.
  26. Go to HKLM | SOFTWARE | Microsoft | Windows NT | CurrentVersion | Winlogon and add the value of REG_SZ of 1 to ShutdownWithoutLogon.
  27. Go to HKLM | SYSTEM | CurrentControlSet | Control | Lsa and add the value of 1 to CrashOnAuditFail.
  28. Go to HKLM | SYSTEM | CurrentControlSet | Control | Lsa and add the value "LMCompatibilityLevel" with a REG_DWORD value of 2. This prevents the LAN Manager (LM) response format from being sent.
  29. Go to HKLM | SYSTEM | CurrentControlSet | Control | Lsa and add passfilt to "Notification Packages." Use the strong password filter passfilt.dll that comes with SP3. Remove "fpnwclnt" from the Notification Packages value. (Q161990)
  30. Go to HKLM | SYSTEM | CurrentControlSet | Control | Session Manager | Subsystems and remove the os2 and posix values. Delete the os2ss.exe and psxss.exe files.
  31. Go to HKLM | SYSTEM | CurrentControlSet | Control | Session Manager | Memory Management and set the value of ClearPageFileAtShutdown to REG_DWORD of 1.
  32. Go to HKLM | SYSTEM | CurrentControlSet | Control | Print | Providers | LanMan Print Services | Servers and add the REG_DWORD value AddPrinterDrivers with a value of 1.
  33. Go to HKLM | SYSTEM | CurrentControlSet | Control | SecurePipeServers and add Winreg to restrict remote access. (Q155363)
  34. Go to HKLM | SYSTEM | CurrentControlSet | Control | Lsa and add RestrictAnonymous with the value of REG_DWORD of 1.
  35. Go to HKLM | SYSTEM | CurrentControlSet | Services | DHCP and change the Start value to REG_DWORD of 4 (disabled).
  36. Go to HKLM | SYSTEM | CurrentControlSet | Services | LanmanServer | Parameters | NullSessionPipes and remove SPOOLSS.
  37. Go to HKLM | SYSTEM | CurrentControlSet | Services | Rdr | Parameters and add the REG_DWORD value of 1 to EnablePlainTextPassword.
  38. Go to HKLM | SYSTEM | CurrentControlSet | Services | Schedule | Security | Permissions and remove write access from Server Operators.
  39. Remove "Everyone" from the \winnt\repair directory.
  40. Run regedt32 and click HKEY_LOCAL_MACHINE | SYSTEM | CurrentControlSet | Control | Lsa and remove the FPNWCLNT string from the Notification Packages value. There should be no FPNWCLNT.DLL.
  41. The Windows NT Network Monitor (comes with SMS) can be used as a network sniffer. Disable the Network Monitor agent and remove BHSUPP.DLL from \WINNT\system32 directory.
  42. Disable network logins to the administrator account. The administrator should physically go to the workstation for all administration work.
  43. Block Server Message Block (SMB) traffic from outside the local area network.
  44. Install the latest Service Pack (currently Service Pack 3). Make sure it is the 128-bit version.
  45. Install the latest hotfixes, oldest to most current in that order.
  46. Turn on auditing. Audit the following:
    logon and off             success   fail
    file and object                     fail
    use of user rights                  fail
    user and group mgt        success   fail
    security policy changes   success   fail
    restart and shutdown      success   fail
    process tracking                    fail
    
  47. By default, Windows NT installs without any event auditing enabled. Enable event auditing. Audit events should include logon and logoff, file and object access, use of user rights, security policy changes, restart, shutdown, and system failure. Click Start | Programs | Administrative Tools | User Manager for Domains | Policies | Audit to turn auditing on. Audit for at least failures.
  48. Regularly examine security event logs for failed login attempts.
  49. Do not use .BAT or .CMD files as a script.
  50. Several Web servers will allow read and/or write access to any file in its document root. Run the latest Web server version and check for read/write permissions.
  51. Microsoft inadvertently distributed rollback.exe on some Windows NT 4.0 servers and workstation CDs. When executed, this program destroys critical system information. Do a Find and remove rollback.exe.
  52. Windows NT displays a legal notice to a user before he/she logs into a system. This notice is blank by default. Administrators should enter a notice that warns against unauthorized usage. To create a Login Legal Notice banner, run the registry editor, REGEDT32, and activate the HKEY_LOCAL_MACHINE. Double-click Software | Microsoft | Windows NT | Current Version | Winlogon. Edit the LegalNoticeCaption and LegalNoticeText. Or click Start | Programs | Administrative Tools | System Policy Editor | File | Open Registry | Local Computer | Windows NT Server | Logon. Check Logon and edit the caption and text.
  53. On Windows NT 4.0 some registry entries point to a DLL that does not exist. A DLL loaded through such an entry can capture every password change into a file, so an attacker could obtain any password that is changed on that machine. Be aware that a Trojan password DLL may exist. Use only a known password-change notification package and verify that nothing else is listed.
  54. Disable ActiveX and JavaScript unless client and server are trusted.
  55. Do not use WebSite CGI programs. Many have buffer overflow vulnerabilities.
  56. Block port 19 (chargen - character generator) at the router to prevent a denial of service attack.
  57. Do not install the Remote NetShield console on an NT workstation.
  58. Apply the fix for predictable TCP sequence numbers (a randomized TCP sequence number generator), which have been reported on systems running IIS.
  59. The system should not dual boot. Windows NT NTFS should be the only operating system installed.
  60. All drives on the system must be formatted for the NT File System (NTFS), not the File Allocation Table (FAT) file system. To check drive status, right-click on the drive and choose Properties.
  61. The Security Log should not overwrite old events. To check this, open the Event Viewer and choose Log Settings from the Log menu. The option called "Do Not Overwrite Events (Clear Log Manually)" should be enabled for System, Security, and Application log.
  62. A user must log on in order to change his/her password. This option is set to prevent users whose passwords have expired from logging on. The administrator must be the only one to change an expired password.
  63. After setting the domain account policies, check the status of each user account in the User Manager for Domains. There are utilities that can automatically do this. If done manually, double-click on each account. This opens the New User properties dialog box which displays password information and has buttons for checking Group Membership, Profile, and Dial-In.
  64. Look for old user accounts and remove the accounts if appropriate.
  65. Determine which groups each user belongs to and whether membership in these groups is appropriate. Check the rights and permissions of each user and what access each group has to other domains. Group membership should be carefully evaluated: a group that is granted permissions to sensitive files might contain users who should not have that access.
  66. Evaluate each user's dial-in capabilities. For added security, if users can dial in, enable Call Back options to a specified telephone number.
  67. Carefully evaluate the members of management groups such as Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Remove all unnecessary accounts.
  68. Make sure that all administrative users have two accounts: one for administrative tasks and one for regular use. Administrators should only use their administrative accounts when absolutely necessary.
  69. Determine which folders and files each group has permission to access. There are programs that will examine the Access Control Lists automatically.
  70. For servers, only administrators should have the right to log on locally. No regular user ever needs to logon directly to the server itself. By default, the administrative groups (Administrators, Server Manager, etc.) have this right. Make sure that any user who is a member of these groups has a separate management account.
  71. Only the Administrators group should have the right to manage auditing and security logs.
  72. If the server is connected to an untrusted network, do not store any files on the server that are sensitive and for in-house access only.
  73. Scan all the advanced rights to make sure that a user has not been granted rights inappropriately. Some rights should be assigned to the System account. A rogue administrator might manage to grant himself/herself inappropriate rights and gain extended privileges on the system.
  74. Program files and data files should be kept in separate folders to make management and permission setting easier.
  75. If users can copy files into a data folder, remove the Execute permission on the folder to prevent someone from copying and executing a virus or Trojan Horse program.
  76. Never share the root directory of a drive or one of the drive icons that appears in the graphical display.
  77. Use encryption wherever possible to hide and protect files. There are good encryption programs for this purpose.
  78. Program directories should have permission set to Read and Execute (not Write). To install programs, temporarily set Write on, then remove it.
  79. Install new software on a separate, quarantined system for a test period, and then install the software on working systems once you have determined that it is safe to run.
  80. Public file sharing directories should have the least permissions possible (Read only).
  81. If a user needs to put files on your server, create a "drop box" directory that has only the Write permission. Check all new files placed in this directory with a virus scanner. Implement backup policies and other protective measures.
  82. Evaluate all fault-tolerant systems for proper installation and operation. Use the Disk Administrator utility on the Start | Programs | Administrative Tools menu to check disk systems.
  83. Use an Un-interruptible Power Supply (UPS) and use the UPS utility on the Control Panel to check its status.
  84. Make sure disk mirroring or duplexing is taking place to protect against failed drives or hardware components.
  85. Backup policies and procedures are essential. Determine which users belong to the Backup Operators group. Backup operators have the ability to access all areas of the system to back up and restore files.
  86. Separate public files from private files so you can apply different permission sets.
  87. View a REG file before writing it to the registry. In Explorer, open View | Options | File Types, double-click Registration Entries, select Edit, and make Edit (rather than Merge) the default action.
  88. Disable NBTSTAT and NET commands from sensitive systems.
  89. If Microsoft Internet Information Server (IIS) software was installed, a special Guest account called IUSR_COMPUTERNAME exists with the rights to log on locally. Remove this account in the Administrative Tools | User Manager for Domains or give it a strong password.
  90. The default installation and configuration of the Internet Information Server (IIS) will execute any command given a particular type of request (HTML GET command with specific arguments). Check to see whether the NT server is running IIS. Disable the .BAT and .CMD file extensions for external CGI scripts in the file mapping feature.
  91. Upgrade to the latest IIS (IIS 4.0).
  92. Always clear the content of your clipboard before logging off or locking your computer.
  93. If not using file and print services for Novell NetWare, delete FPNWCLNT.DLL. (Q161990)
  94. Block ports 137, 138, and 139 (NETBIOS ports) at the firewall.
  95. Block ports 135 (file and print), 1035 (NETINFO), and 53 (DNS) at the router.
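Items 7 and 8 say to run "net accounts" and compare the output against the account policy thresholds. The script below is an added example, not part of the original checklist: it parses the label/value lines that "net accounts" prints on NT 4.0 and reports every threshold from item 8 that the policy misses. The sample output embedded in it is constructed for the example (it mirrors a default installation) and was not captured from a real server; treating "Never", "None" and "Unlimited" as "no limit" and a lockout duration of 0 or "Never" as "forever" are assumptions about the output wording.

```python
# Constructed sample of NT 4.0 "net accounts" output (not captured from a real
# host); the values mirror a default installation, which fails most item-8 checks.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""


def parse_net_accounts(text):
    """Turn each 'label: value' line into a dict entry. Numeric fields become
    ints; the words NT uses for 'no limit' (Never, None, Unlimited) become None."""
    policy = {}
    for line in text.splitlines():
        if ":" not in line:          # skips the trailing status line
            continue
        label, _, value = line.partition(":")
        value = value.strip()
        if value.isdigit():
            value = int(value)
        elif value in ("Never", "None", "Unlimited"):
            value = None
        policy[label.strip()] = value
    return policy


def check_account_policy(policy):
    """Compare a parsed policy with the item-8 thresholds; return the deviations."""
    findings = []
    max_age = policy.get("Maximum password age (days)")
    if max_age is None or not 30 <= max_age <= 60:
        findings.append(f"maximum password age {max_age}: expected 30-60 days")
    min_age = policy.get("Minimum password age (days)")
    if min_age is None or min_age < 7:
        findings.append(f"minimum password age {min_age}: expected at least 7 days")
    min_len = policy.get("Minimum password length")
    if min_len is None or min_len < 8:
        findings.append(f"minimum password length {min_len}: expected at least 8")
    history = policy.get("Length of password history maintained")
    if history is None or history < 10:
        findings.append(f"password history {history}: expected at least 10")
    threshold = policy.get("Lockout threshold")
    if threshold is None or threshold > 3:
        findings.append(f"lockout threshold {threshold}: expected 3 or fewer attempts")
    duration = policy.get("Lockout duration (minutes)")
    if duration not in (None, 0):   # assumption: None/0 means locked until an admin resets
        findings.append(f"lockout duration {duration} minutes: expected forever (admin reset)")
    window = policy.get("Lockout observation window (minutes)")
    if window is None or window < 30:
        findings.append(f"lockout observation window {window}: expected at least 30 minutes")
    logoff = policy.get("Force user logoff how long after time expires?")
    if policy.get("Computer role") == "PRIMARY" and logoff is None:
        findings.append("PDC does not forcibly disconnect users when logon hours expire")
    return findings


if __name__ == "__main__":
    # Pipe real output in with: net accounts > accounts.txt, then read that file here.
    for finding in check_account_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print(finding)
```

Running it against the constructed sample reports six deviations; a policy that meets every item-8 threshold produces an empty list, which makes the script usable as a repeatable check after each policy change.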
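Items 14 through 40 are registry checks that the checklist has you verify one key at a time in regedt32. An offline way to verify several of them at once is to export HKEY_LOCAL_MACHINE with "regedit /e" and audit the resulting REGEDIT4 file. The script below is an added example, not part of the original checklist: it parses the REGEDIT4 export format (quoted strings, dword and hex(n) values, including the backslash continuation lines regedit writes for long hex data) and checks the Winlogon, Lsa, SubSystems and Memory Management settings from items 20, 24, 25, 28, 29/40, 30, 31 and 34. The embedded export is constructed for the example and was not captured from a real system; the exact casing of the key paths is an assumption, which is why lookups are case-insensitive.

```python
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SUBSYSTEMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"
MEMORY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"

# Constructed excerpt in the REGEDIT4 format that "regedit /e" writes on NT 4.0
# (not a real export); it shows a default-looking machine that fails every check.
SAMPLE_REG_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"CachedLogonsCount"="10"
"DontDisplayLastUserName"="0"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"LMCompatibilityLevel"=dword:00000000
"Notification Packages"=hex(7):46,50,4e,57,\
  43,4c,4e,54,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Os2"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,00
"Posix"=hex(2):25,53,79,73,74,65,6d,52,6f,6f,74,25,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000000
"""


def decode_reg_data(data):
    """Decode the right-hand side of a REGEDIT4 value line into (type, value)."""
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1].replace('\\"', '"').replace("\\\\", "\\"))
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[6:], 16))
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", data)
    if m:
        kind = int(m.group(1) or 3)      # bare "hex:" is REG_BINARY (type 3)
        raw = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
        text = raw.decode("latin-1")     # REGEDIT4 exports are ANSI, not UTF-16
        if kind == 7:                    # REG_MULTI_SZ: NUL-separated, double-NUL terminated
            return ("REG_MULTI_SZ", [s for s in text.split("\0") if s])
        if kind == 2:                    # REG_EXPAND_SZ
            return ("REG_EXPAND_SZ", text.rstrip("\0"))
        return ("REG_BINARY", raw)
    return ("UNKNOWN", data)


def parse_reg_export(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: (type, value)}}.
    Keys and value names are lower-cased because the registry is case-insensitive."""
    text = re.sub(r"\\\r?\n\s*", "", text)   # join hex continuation lines
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current is not None and "=" in line and line.startswith(('"', "@")):
            name, _, data = line.partition("=")
            name = "" if name == "@" else name.strip('"')
            keys[current][name.lower()] = decode_reg_data(data)
    return keys


def audit_registry(keys):
    """Return the checklist items the export fails."""
    def value(key, name):
        return keys.get(key.lower(), {}).get(name.lower(), (None, None))[1]
    findings = []
    if value(WINLOGON, "AutoAdminLogon") not in (None, "0"):
        findings.append("item 20: AutoAdminLogon is set; delete it")
    if value(WINLOGON, "CachedLogonsCount") != "0":
        findings.append("item 24: CachedLogonsCount is not 0; cached logons are enabled")
    if value(WINLOGON, "DontDisplayLastUserName") != "1":
        findings.append("item 25: DontDisplayLastUserName is not 1")
    if value(LSA, "RestrictAnonymous") != 1:
        findings.append("item 34: RestrictAnonymous is not 1")
    if (value(LSA, "LMCompatibilityLevel") or 0) < 2:   # absent value means level 0
        findings.append("item 28: LMCompatibilityLevel is below 2; LM responses still sent")
    packages = [p.lower() for p in (value(LSA, "Notification Packages") or [])]
    if "passfilt" not in packages:
        findings.append("item 29: passfilt is not in Notification Packages")
    if "fpnwclnt" in packages:
        findings.append("item 29/40: fpnwclnt is still in Notification Packages")
    for sub in ("os2", "posix"):
        if sub in keys.get(SUBSYSTEMS.lower(), {}):
            findings.append(f"item 30: {sub} value still present under SubSystems")
    if value(MEMORY, "ClearPageFileAtShutdown") != 1:
        findings.append("item 31: ClearPageFileAtShutdown is not 1")
    return findings


if __name__ == "__main__":
    # For a real system: regedit /e hklm.reg HKEY_LOCAL_MACHINE, then parse that file.
    for finding in audit_registry(parse_reg_export(SAMPLE_REG_EXPORT)):
        print(finding)
```

The export is a snapshot, so the audit only says what the keys held at export time; it does not replace checking the key permissions called for in items 14 through 19, which a REGEDIT4 file does not contain.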