Here is one of my articles on Windows NT4 security for your attention. Some people liked it, some not so much, so now you may take a look at it.
Securing Windows NT
© Copyright Stanislav N. Ivasyuk, 2003
www.The7Soft.com
Reproduction of the article is free as long as it contains a link to http://www.the7soft.com and the name of its author, Stanislav N. Ivasyuk.
The problem of computer security is not new. Everyone who uses computer networks needs security tools. Statistics show that in most cases unauthorized access to a system can be avoided if the system administrator devotes enough time to security. The effectiveness of protection always depends on how well the computer's hardware and software tools are configured. The Windows NT operating system (and Windows 2000 and XP as well) has a rich set of security tools, but the default values of its security parameters do not always meet the required criteria. This article describes the basic means and methods of security management in Windows NT 4.0 and Windows 2000.
Physical protection
Physical protection means are:
- securing the rooms where network servers are placed;
- restricting outsiders' access to network servers, hubs, switches and network cables;
- power protection.
User Accounts Management
User identification and authentication are functions of the Security Accounts Manager (SAM). All the necessary settings are stored in the SAM database. They are:
- user accounts;
- group accounts;
- domain computer accounts;
- domain accounts.
The SAM database is a hive of the system registry; it is located under the HKEY_LOCAL_MACHINE branch and is called SAM (figure 1).

Figure 1.
By default, most hive files (Default, SAM, Security and System) are stored in the %SystemRoot%\System32\Config folder, each with a backing .log file (be sure to protect this folder from intruders!).
The most interesting section is the one holding user accounts: it stores the information on names and passwords. It should be mentioned that passwords are not stored in plain text; they are protected by hashing. That does not mean that an intruder cannot enter the system without knowing the plain-text password. For a network connection it is not necessary to know the plain-text password, because the hashed password is enough to enter the target system. Moreover, there are tools that recover plain passwords from their hashed form by brute force. Therefore it is enough to obtain a copy of the SAM database and retrieve the hashed passwords from it.
On installation of Windows NT, access to the file %Systemroot%\System32\Config\sam is blocked for ordinary programs. But any user with backup rights may copy it using the NTBackup utility. Moreover, an intruder may try to obtain its copy (Sam.sav) from the %Systemroot%\System32\Config directory or its archive copy (Sam._) from the %Systemroot%\Repair folder.
Therefore, to protect the information stored in the SAM database it is necessary to do the following:
- exclude booting servers in DOS mode (all partitions must be converted to NTFS, booting from floppies and CD-ROMs must be turned off, and it is highly desirable to set a BIOS password);
- minimize the number of users with Backup Operators and Server Operators rights;
- after installation of Windows NT or its update, erase the Sam.sav file;
- turn off security information caching on domain computers (the names and passwords of the last ten users who entered the system are stored in the system registry). Using the regedt32.exe (or regedit.exe) utility, add to the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key a parameter CachedLogonsCount of type REG_SZ with the value 0.
One of the most popular methods of illegal system entry is the password brute force attack. To fight it, administrators usually use the Account Lockout parameter of the User Manager utility.

The "good" exception is the Administrator account. If the Administrator can enter the system across the network, this opens the door to simple password guessing. To protect against this method it is recommended to rename the Administrator user, set the Account Lockout parameter, forbid the Administrator from logging on across the network, and disable SMB packet transmission over the TCP/IP ports 137, 138 and 139. Auditing of failed logons is also advisable.
It is necessary to turn on user password filtering (the Passfilt.dll library is needed; it is installed with Windows NT 4 SP3 and higher). When a new password is created, this library checks that the password is at least six characters long and contains characters from at least three of the four following classes:
- capital letters;
- lower-case letters;
- digits;
- special non-alphanumeric symbols such as punctuation marks.
To turn on this filtering, add to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa a new parameter Notification Packages of type REG_MULTI_SZ with the value PASSFILT (no quotes!). If this parameter already exists and contains the FPNWCLNT value, then write the new string below that one.
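The filter rules above can be reproduced in a few lines, which is useful for testing candidate passwords or a password policy before Passfilt.dll is deployed. The following is an added example, not code from the article or from Microsoft's Passfilt.dll; it applies the length and character-class rules the article lists and also the documented Passfilt rule that a password may not contain the account name or any part of the full name. The function name passfilt_check and the sample inputs are assumptions made for this example.

```python
def passfilt_check(password, user_name="", full_name=""):
    """Apply the Passfilt.dll rules the article lists: at least six characters and
    characters from at least three of the four classes. Passfilt also rejects a
    password that contains the account name or any part of the full name (a
    documented Passfilt rule the article does not spell out). Returns (ok, reasons)."""
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than six characters")
    classes = {
        "upper-case": any(c.isupper() for c in password),
        "lower-case": any(c.islower() for c in password),
        "digit": any(c.isdigit() for c in password),
        "symbol": any(not c.isalnum() for c in password),   # punctuation and other non-alphanumerics
    }
    used = [name for name, present in classes.items() if present]
    if len(used) < 3:
        reasons.append("only %d of 4 character classes (%s)" % (len(used), ", ".join(used) or "none"))
    lowered = password.lower()
    for part in [user_name, *full_name.split()]:
        if part and part.lower() in lowered:
            reasons.append("contains name part %r" % part)
    return (not reasons, reasons)


if __name__ == "__main__":
    # Constructed sample inputs, not real accounts.
    for pwd, user, full in [("Secret1!", "jsmith", "John Smith"),
                            ("secret", "jsmith", "John Smith"),
                            ("Smith2003", "jsmith", "John Smith")]:
        ok, why = passfilt_check(pwd, user, full)
        print("%-10s %s %s" % (pwd, "accepted" if ok else "rejected", "; ".join(why)))
```

The name check is applied case-insensitively, as Passfilt does; the reasons list makes the function usable for explaining a rejection to a user rather than only refusing the password.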
Securing Files and Folders
The Windows NT operating system supports the FAT and NTFS file systems. We'll remind you that the first is also supported by MS-DOS, Windows 3.x, Windows 95/98 and OS/2, and the second only by Windows NT. FAT and NTFS differ in characteristics, performance and the number of features provided. The main difference between NTFS and the other file systems (FAT, VFAT, HPFS) is that only NTFS satisfies the C2 security standard; in particular, NTFS provides file and folder protection at the local level.
Therefore it is recommended to create NTFS partitions instead of FAT on your disks. If you have to use a FAT partition, use it only for MS-DOS applications and do not place Windows NT system files on it.
As files and folders in Windows NT are objects, security control is implemented at the object level. The security descriptor of any object on an NTFS partition contains two access control lists (ACLs): the discretionary ACL (DACL) and the system ACL (SACL).
In Windows NT, access control for files and folders is exercised not by the system administrator but by the resource owner, and is enforced by the security system through the access mask contained in the access control list entries.
The access mask includes standard (Synchronize, Write_Owner, Write_Dac, Read_Control and Delete), specific (Read_Data/Write_Data, Append_Data, Read_Attributes/Write_Attributes, Read_ExtendedAttributes/Write_ExtendedAttributes, Execute) and generic (Generic_Read/Generic_Write, Generic_Execute) access rights. All these rights are used in the discretionary access control list. Additionally, the access mask contains a bit corresponding to the Access_System_Security access right, which controls access to the system access control list (SACL).
The DACL determines which users and groups are allowed access to the given resource. The object owner controls this list.
The SACL specifies the kinds of access, chosen by the resource owner, that make the system generate audit records in the system event log. Only the system administrator controls this list.
In practice, for administration we do not use the separate access rights but NTFS permissions, which come in three forms: individual rights, standard permissions and special permissions. A standard permission is a set of individual rights to perform actions of a certain level on files and folders. A special permission is a combination of individual rights that does not match any standard set of permissions.
Table 1.
Individual rights
Right | Access rights | Operations on files | Operations on folders
Read | Read_Control, Read_Data, Read_Attributes, Read_EA, Synchronize | File read operations; viewing attributes, owner name and access rights | Folder listing; viewing attributes, owner name and access rights
Write | Read_Control, Write_Data, Append_Data, Write_Attributes, Write_EA, Synchronize | Changing the file content and attributes; viewing access rights and owner name | Creating files and subfolders, changing file attributes; viewing access rights and owner name
Execute | Read_Control, Read_Attributes, Synchronize, Execute | Starting the program; viewing attributes, owner name and access rights | Viewing attributes, owner name and access rights; changing subfolders
Delete | Delete | File deletion | Folder deletion
Change Permission | Write_Dac | Changing the access rights | Changing the access rights
Take Ownership | Write_Owner | Changing the file owner | Changing the folder owner
Table 2.
Standard access rights
Rights | Individual rights | Operations
No Access | N/A | Denial of file access. A user to whom this right is set cannot access the file even if he is a member of a group that is allowed access
Read | Read, Execute | Viewing files and running applications stored in the folder
Change | Read, Write, Execute, Delete | In addition to the rights granted by Read: creating and deleting files and folders, modifying file content
Full Control | ALL | In addition to the rights granted by Read: changing access rights and taking ownership of files and folders
Table 3.
Special access rights
Rights | Rights to folders | Rights to files | Operations
No Access | N/A | N/A | Denial of access to the folder and the files it contains
List | Read, Execute | N/A | Viewing file names; viewing the folder content and structure
Read | Read, Execute | Read, Execute | Viewing files and running applications stored in the folder
Add | Write, Execute | N/A | In addition to Read: creating files and folders; does not allow showing the directory structure
Add & Read | Read, Write, Execute | Read, Execute | The permissions of the Add and Read rights
Change | Read, Write, Execute, Delete | Read, Write, Execute, Delete | In addition to Add and Read: creating and deleting files and folders and modifying file content
Full Control | ALL | ALL | In addition to Change: changing access rights and taking ownership of files and folders
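The way the individual rights of Table 1 combine into the standard permissions of Table 2, and how a No Access entry overrides group membership, becomes clearer when the DACL evaluation is written out. The block below is an added example and not code from the article or from Windows; it uses the bit values Windows assigns to the standard, specific and generic file rights, builds the Read, Write, Execute and standard permissions from them, and evaluates a DACL the way the NT access check does: entries are walked in stored order, a deny entry that covers any still-requested bit refuses access, and allow entries accumulate granted bits until every requested bit is covered. The account names used as SIDs, the sample DACL and the function names are assumptions made for this example.

```python
# Specific (file) rights, standard rights and generic rights, with the bit values
# Windows assigns them (Table 1 lists the first two groups by name).
FILE_READ_DATA, FILE_WRITE_DATA, FILE_APPEND_DATA = 0x0001, 0x0002, 0x0004
FILE_READ_EA, FILE_WRITE_EA, FILE_EXECUTE = 0x0008, 0x0010, 0x0020
FILE_READ_ATTRIBUTES, FILE_WRITE_ATTRIBUTES = 0x0080, 0x0100
DELETE, READ_CONTROL, WRITE_DAC, WRITE_OWNER, SYNCHRONIZE = 0x10000, 0x20000, 0x40000, 0x80000, 0x100000
GENERIC_READ, GENERIC_WRITE, GENERIC_EXECUTE, GENERIC_ALL = 0x80000000, 0x40000000, 0x20000000, 0x10000000

# Table 1: the individual rights as bit sets.
READ = READ_CONTROL | FILE_READ_DATA | FILE_READ_ATTRIBUTES | FILE_READ_EA | SYNCHRONIZE
WRITE = READ_CONTROL | FILE_WRITE_DATA | FILE_APPEND_DATA | FILE_WRITE_ATTRIBUTES | FILE_WRITE_EA | SYNCHRONIZE
EXECUTE = READ_CONTROL | FILE_READ_ATTRIBUTES | SYNCHRONIZE | FILE_EXECUTE
CHANGE_PERMISSION, TAKE_OWNERSHIP = WRITE_DAC, WRITE_OWNER
FULL = READ | WRITE | EXECUTE | DELETE | CHANGE_PERMISSION | TAKE_OWNERSHIP

# Table 2: standard permissions built from the individual rights (No Access is a deny entry).
STANDARD = {"Read": READ | EXECUTE, "Change": READ | WRITE | EXECUTE | DELETE, "Full Control": FULL}

# Generic rights are translated to the object-specific rights before the check.
GENERIC_MAP = {GENERIC_READ: READ, GENERIC_WRITE: WRITE, GENERIC_EXECUTE: EXECUTE, GENERIC_ALL: FULL}


def map_generic(mask):
    for generic, specific in GENERIC_MAP.items():
        if mask & generic:
            mask = (mask & ~generic) | specific
    return mask


def access_check(dacl, owner, token_sids, requested):
    """dacl: list of (ace_type, sid, mask) in stored order, or None for 'no DACL' (all access).
    token_sids: the user and group SIDs of the requesting token (plain names here).
    Returns True only if every requested bit is granted before a deny entry covers it."""
    requested = map_generic(requested)
    if dacl is None:
        return True
    granted = 0
    if owner in token_sids:                 # the owner always has READ_CONTROL and WRITE_DAC
        granted |= READ_CONTROL | WRITE_DAC
    remaining = requested & ~granted
    for ace_type, sid, mask in dacl:
        if remaining == 0:
            break
        if sid not in token_sids:
            continue
        mask = map_generic(mask)
        if ace_type == "deny" and mask & remaining:
            return False
        if ace_type == "allow":
            remaining &= ~mask
    return remaining == 0


# Constructed example object owned by Alice. The No Access entry for Bob is placed first,
# as Windows NT stores deny entries ahead of allow entries; ordering matters for the check.
SAMPLE_DACL = [
    ("deny", "Bob", FULL),                    # No Access
    ("allow", "Users", STANDARD["Change"]),
    ("allow", "Everyone", STANDARD["Read"]),
]

if __name__ == "__main__":
    bob = {"Bob", "Users", "Everyone"}        # Bob is in Users, but No Access wins
    print("Bob reads file:", access_check(SAMPLE_DACL, "Alice", bob, FILE_READ_DATA))
    guest = {"Guest", "Everyone"}
    print("Guest writes file:", access_check(SAMPLE_DACL, "Alice", guest, FILE_WRITE_DATA))
```

Because the check stops at the first deny entry that overlaps the still-unsatisfied bits, a No Access entry placed before an allow entry for a group refuses the user even though the group would have admitted him, which is exactly the behaviour Table 2 describes for No Access.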
By default, after installation of Windows NT and NTFS, the system sets very broad permissions on its resources. Broad permissions give ordinary users (the Everyone group) access to a number of important system files and folders, such as %systemroot% and %systemroot%\system32. To set a reasonably effective rights policy we recommend the following:
Table 4.
Object of defense | Account and permission
%Systemroot%\Repair | Administrator: Full Control
%Systemroot%\System32\Config | Administrator: Full Control; Creator Owner: Full Control; Users: List; System: Full Control
%Systemroot%\System32\SPOOL | Administrator: Full Control; Creator Owner: Full Control; Users: Read; Power Users: Change; System: Full Control
%Systemroot%\COOKIES, %Systemroot%\FORMS, %Systemroot%\HISTORY, %Systemroot%\OCCACHE, %Systemroot%\PROFILES, %Systemroot%\SENDTO, %Systemroot%\Temporary Internet Files | Administrator: Full Control; Creator Owner: Full Control; Users: Special Directory Access (Read, Write and Execute), Special File Access (None); System: Full Control
To protect certain very important system files we recommend the following:
Object of defense | Account and permission
\Boot.ini, \Ntdetect.com, \Ntldr | Administrators: Full Control; SYSTEM: Full Control
\Autoexec.bat, \Config.sys | Administrators: Full Control; SYSTEM: Full Control; Everyone: Read
\TEMP directory | Administrators: Full Control; SYSTEM: Full Control; CREATOR OWNER: Full Control; Users: Special Directory Access (Read, Write and Execute), Special File Access (None)
Be aware that the file and folder permissions recommended above will obstruct software installation by users.
The number of users with Administrator rights must be minimized. The Guest account should be deleted or disabled; instead of it you may create a temporary account with the needed rights and permissions.
Securing registry
The Windows NT registry is a database containing configuration information and the values of all system parameters (devices, the operating system itself and installed applications). The main hives of the registry are located under the HKEY_LOCAL_MACHINE branch and are called SAM, SECURITY, SOFTWARE and SYSTEM. The SAM hive, as we already know, is the database of the Security Accounts Manager. The SECURITY hive stores the information used by the Local Security Authority (LSA). The SOFTWARE hive holds the parameters and settings of installed software, and the SYSTEM hive holds the data needed for operating system configuration and startup (drivers, devices and services).
User access to the registry areas mentioned should be restricted. You can do it with the help of the REGEDT32.EXE system utility.


Ordinary users cannot modify the default access settings of the registry sections. Because some registry branches are accessible to the EVERYONE group, after Windows NT installation the access settings of the following sections should be modified:
HKEY_LOCAL_MACHINE:
- \Software
- \Software\Microsoft\RPC (and subsections)
- \Software\Microsoft\Windows NT\CurrentVersion
- \Software\Microsoft\Windows NT\CurrentVersion\Profile List
- \Software\Microsoft\Windows NT\CurrentVersion\AeDebug
- \Software\Microsoft\Windows NT\CurrentVersion\Compatibility
- \Software\Microsoft\Windows NT\CurrentVersion\Drivers
- \Software\Microsoft\Windows NT\CurrentVersion\Embedding
- \Software\Microsoft\Windows NT\CurrentVersion\Fonts
- \Software\Microsoft\Windows NT\CurrentVersion\FontSubstitutes
- \Software\Microsoft\Windows NT\CurrentVersion\Font Drivers
- \Software\Microsoft\Windows NT\CurrentVersion\Font Mapper
- \Software\Microsoft\Windows NT\CurrentVersion\Font Cache
- \Software\Microsoft\Windows NT\CurrentVersion\GRE_Initialize
- \Software\Microsoft\Windows NT\CurrentVersion\MCI
- \Software\Microsoft\Windows NT\CurrentVersion\MCI Extensions
- \Software\Microsoft\Windows NT\CurrentVersion\Port (and subsections)
- \Software\Microsoft\Windows NT\CurrentVersion\Type1 Installer
- \Software\Microsoft\Windows NT\CurrentVersion\WOW (and subsections)
- \Software\Microsoft\Windows NT\CurrentVersion\Windows3.1MigrationStatus (and subsections)
- \System\CurrentControlSet\Services\LanmanServer\Shares
- \System\CurrentControlSet\Services\UPS
- \Software\Microsoft\Windows\CurrentVersion\Run
- \Software\Microsoft\Windows\CurrentVersion\RunOnce
- \Software\Microsoft\Windows\CurrentVersion\Uninstall
HKEY_CLASSES_ROOT:
- \HKEY_CLASSES_ROOT (and subsections)
HKEY_USERS:
- \.DEFAULT
For the HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\PerfLib section you may remove the EVERYONE group altogether and add the INTERACTIVE group with the Read access right instead.
To restrict remote access to the Windows NT registry, the registry section HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg is used. By default, the remote registry access right is granted to the Administrators group. In Windows NT Workstation this section is absent, so it should be created. Remote registry access is granted to those users and groups that are allowed access to this section. For some registry sections it is necessary to grant network access to other users or groups; to do it, these sections should be listed in the Machine and Users parameters of the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths subsection.
Security of the SMB server
File and printer access across the network in the Windows NT operating system is provided by the SMB (server message block) server, sometimes just called "Server" or the LAN Manager server. SMB authenticates the user who is trying to access information across the network. There are two modes of this validation: security checking at the share level and at the user level. Windows NT supports only the second kind.
With user-level checking, the server identifies a user according to the accounts database. The SMB protocol provides security only at the start of a session; afterwards all user data are transferred across the network in plain text. So if you want confidentiality of the transferred information, you should use software or hardware cryptography (e.g. the PPTP protocol).
SMB sessions may be intercepted or forged. A gateway may intercept an SMB session, but gateways are used very rarely in local networks. A machine in a Token Ring or Ethernet network will very likely fail when it tries to intercept an SMB session, because that is rather difficult to do.
The possibility of transmitting unencrypted passwords makes the Windows NT system vulnerable. After installation of Service Pack 3 or higher, automatic transmission of unencrypted passwords is turned off. To allow the system to transmit an unencrypted password (e.g. to communicate with LAN Manager for Unix), set the following parameter:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
Parameter: EnablePlainTextPassword
Type: REG_DWORD
Value: 1
It should be mentioned that Microsoft has extended the SMB protocol with what is now called SMB Signing: both the server and the client check the validity of every SMB message, which is possible because every SMB message carries a digital signature.
To turn on signature checking, install Service Pack 3 or higher and set the EnableSecuritySignature (REG_DWORD) parameter in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters section to the value 1.
At server initialization, administrative shares are created. They give members of the Administrators, Backup Operators and Power Users groups access to the root directories of the drives. If you want to cancel the admin shares, modify the following in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters section:
Parameter: AutoShareServer
Type: REG_DWORD
Value: 0
or, in the System Policy Editor, clear the Share Hidden Shares option.
Installation of Windows NT SP3 closes anonymous users' access to the system registry.
Securing the IIS Server
The Microsoft Internet Information Server was created to unify the work of all Internet services. It is a highly integrated package of HTTP, FTP and Gopher services.
IIS security is based on the Windows NT security facilities. Among them:
- User accounts. To prevent unauthorized access to the IIS site, user accounts should be controlled. The main securing methods also include use of the Internet Guest Account, registration by user name and password (according to the Windows NT authentication scheme), and hard-to-guess passwords.
- NTFS installation.
- Access rights. The main access mechanism of the IIS server is anonymous access. Only the Windows NT Challenge/Response protocol used by the HTTP server may be considered secure. Therefore do not use the basic authentication scheme, because with it the user name and password are transferred in plain text.
- Reducing the number of installed network protocols, and stopping the Server service. Having reduced the number of protocols the network adapters use, you will notably increase the system's security. So that Internet users cannot browse IIS shared resources, stop the Server service; having stopped it, you make it harder for intruders to find weak points in your system.
- Securing FTP information. FTP always uses user-level information protection, which means that to access the FTP server a user must pass the registration procedure. The IIS FTP server may use the system accounts database to authenticate users connecting to FTP, but this procedure passes all authentication information across the network in plain text, which makes interception of the login and password possible. The problem of password interception is eliminated by anonymous access: on anonymous entry the user enters the name "anonymous" (without quotes!) as the login and may (or may not) enter his e-mail address as the password. Anonymous users get access to the same files as the IUSR_computername Windows NT user is allowed. Besides, you may allow only anonymous access to the IIS service; that variant is also good.
- IP address access control. IIS has an additional access control facility: for example, you may deny access to your server from a given IP address, or allow access from certain IP addresses and deny it to the rest.
- Encryption schemes. To protect packets during transmission from capture, encryption must be used. Most encryption systems work at the application and transport layers of the Open Systems Interconnection (OSI) model; some schemes may work even at lower levels. Protocols used for encryption are SSL, PCT, SET, PPTP and PGP.
Audit
Auditing is one of the Windows NT security instruments. With its help you may trace users' actions and a number of system events in the network. The following parameters of system events are recorded:
- the user's action;
- the user name that executed the action;
- the date and time of the action.
Auditing set up on one domain controller is propagated to all domain controllers. The audit settings let the Administrator select the kinds of events to be logged and determine which parameters will be recorded.
In a network with minimal security requirements the following events should be logged:
- successful use of resources (in case this information is needed for planning);
- successful use of important and confidential information.
In a network with normal security requirements the following events should be logged:
- successful use of important resources;
- successful and unsuccessful changes of security strategy and administrative policy;
- successful use of important and confidential information.
In a network with high security requirements the following events should be logged:
- successful and unsuccessful user logons;
- successful and unsuccessful use of any resource;
- successful and unsuccessful changes of security strategy and administrative policy.
Auditing adds load to the system, so you should record only the events that really interest you.
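The failed-logon auditing recommended above is only useful if someone reads the records, and the Account Lockout parameter and the Administrator exception discussed earlier determine what a reader should look for. The following is an added example, not code from the article: it replays the lockout rule over constructed logon records (not Event Viewer's native format) using the Windows NT Security log event IDs 528 (successful logon) and 529 (logon failure), locks an account after a threshold of failures inside a reset window, reports a burst of failures against the lockout-exempt Administrator account as the password-guessing signal the article warns about, and reports a success that follows several failures. The record layout, the sample events, the threshold and window values and the function names are assumptions made for this example.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

LOGON_SUCCESS, LOGON_FAILURE = 528, 529   # Windows NT Security log event IDs

# Constructed records in a simplified "date time event-id user workstation" layout; not a real log.
SAMPLE_EVENTS = [
    "2003-05-12 08:58:10 529 jsmith WS07",          # two typos, then success: ordinary user behaviour
    "2003-05-12 08:58:25 529 jsmith WS07",
    "2003-05-12 08:58:40 528 jsmith WS07",
    "2003-05-12 09:00:01 529 bob WS99",             # five failures inside the window lock bob out
    "2003-05-12 09:00:03 529 bob WS99",
    "2003-05-12 09:00:05 529 bob WS99",
    "2003-05-12 09:00:07 529 bob WS99",
    "2003-05-12 09:00:09 529 bob WS99",
    "2003-05-12 09:01:00 529 Administrator WS99",   # the same workstation turns to the account that never locks
    "2003-05-12 09:01:02 529 Administrator WS99",
    "2003-05-12 09:01:04 529 Administrator WS99",
    "2003-05-12 09:01:06 529 Administrator WS99",
    "2003-05-12 09:01:08 529 Administrator WS99",
    "2003-05-12 09:01:10 529 Administrator WS99",
    "2003-05-12 09:01:12 528 Administrator WS99",
    "2003-05-12 11:00:00 529 carol WS03",           # failures 40 minutes apart fall outside the window
    "2003-05-12 11:40:00 529 carol WS03",
    "2003-05-12 12:20:00 529 carol WS03",
]


def parse_event(line):
    date, time, event_id, user, workstation = line.split()
    return datetime.fromisoformat(date + " " + time), int(event_id), user, workstation


def replay_lockout(lines, threshold=5, window=timedelta(minutes=30), exempt=("Administrator",)):
    """Replay the Account Lockout rule over logged events.
    `threshold` failures for one account inside `window` lock it. Accounts in `exempt`
    never lock (the Administrator exception), so a burst against them is reported as a
    guessing signal instead. A success after three or more recent failures is reported too.
    Returns (alerts, locked_accounts)."""
    recent = defaultdict(deque)               # per-account timestamps of recent failures
    locked, alerts = set(), []
    for line in lines:
        ts, event_id, user, ws = parse_event(line)
        q = recent[user]
        while q and ts - q[0] > window:       # failures older than the reset window no longer count
            q.popleft()
        if event_id == LOGON_FAILURE:
            q.append(ts)
            if len(q) == threshold:
                if user in exempt:
                    alerts.append((user, ws, f"{threshold} failed logons against lockout-exempt account"))
                else:
                    locked.add(user)
                    alerts.append((user, ws, f"locked out after {threshold} failed logons"))
        elif event_id == LOGON_SUCCESS and len(q) >= 3:
            alerts.append((user, ws, f"successful logon after {len(q)} failed attempts"))
            q.clear()
    return alerts, locked


if __name__ == "__main__":
    alerts, locked = replay_lockout(SAMPLE_EVENTS)
    for user, ws, what in alerts:
        print(f"{user:14} from {ws}: {what}")
    print("locked accounts:", sorted(locked))
```

The carol records show why the reset window matters: three failures spread over eighty minutes never accumulate, so a reviewer tuning the threshold should also look at the window the policy applies.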
Windows NT records events in three logs:
- The System log contains messages on errors, warnings and other information coming from the operating system and third-party components. The list of events recorded in this log is predefined by the operating system and third-party components and cannot be changed. The log is kept in the Sysevent.evt file.
- The Security log contains information on successful and unsuccessful actions recorded by the auditing tools. The system administrator determines which events are logged here (Secevent.evt).
- The Application log contains information on errors, warnings and other information issued by applications. Software developers determine the list of events that may be logged here (Appevent.evt).
All the logs are located in the %Systemroot%\System32\Config folder.
When deciding how many events to log you should consider the possibility of log overflow. To configure a log, use the Event Log Settings window (the eventvwr.exe tool).

You may set the log file size up to 4 Gigabytes (4 194 240 KB). You may also change the event log wrapping policy.
To view information on logged events, use the Event Viewer application.
Access to event viewing is organized as shown in the table below:
Log | Account | Permission
System Log | System | Read, Write, Clear
System Log | Administrators | Read, Write, Clear
System Log | Server Operators | Read, Clear
System Log | Everyone | Read
Security Log | System | Read, Write, Clear
Security Log | Administrators | Read, Clear
Application Log | System | Read, Write, Clear
Application Log | Administrators | Read, Write, Clear
Application Log | Server Operators | Read, Write, Clear
Application Log | Everyone | Read, Write
By default, auditing is off.
The first step in audit planning is the selection of auditable events in the Audit Policy window of the User Manager utility:

To see what rights users have, open the User Rights Policy window:

To enable full privilege auditing (some of the events listed below are not auditable by default), set the following parameter in the HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa branch:
Name: FullPrivilegeAuditing
Type: REG_DWORD
Value: 1
Right | Account | Description
Bypass traverse checking | Everyone | The possibility to access files and folders even if the user does not have access to the parent folder
Debug programs | Administrators | The possibility of low-level debugging of various objects (e.g. streams)
Create a token object | no one | A process may create an access token
Replace a process level token | no one | The possibility to modify a process access token
Generate security audits | no one | A process may generate audit records
Backup files and directories | Administrators and Backup Operators | The possibility to make backup copies of files and folders overriding the file system permissions
Restore files and directories | Administrators and Backup Operators | The possibility to restore copies of files and folders overriding the file system permissions
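The registry settings recommended throughout the article (CachedLogonsCount, Notification Packages, EnablePlainTextPassword, EnableSecuritySignature, AutoShareServer and FullPrivilegeAuditing) are easy to verify from a registry export rather than by clicking through REGEDT32. The following is an added example, not code from the article or from Microsoft: it parses a .reg export in the "Windows Registry Editor Version 5.00" format (REG_SZ, REG_DWORD and REG_MULTI_SZ values, hex(7) data decoded as UTF-16LE), then compares the values found with the article's recommendations and reports each as ok, weak or missing. The export text is constructed for this example and is not from a real machine; the function names are assumptions.

```python
"""Check a Windows NT/2000 registry export (.reg, "Windows Registry Editor Version 5.00"
format) against the hardening values the article recommends."""
import re

LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# (key, value name) -> expected value. A list means "every listed string must be present".
RECOMMENDED = {
    (WINLOGON, "CachedLogonsCount"): "0",          # REG_SZ: no cached domain logons
    (LSA, "Notification Packages"): ["PASSFILT"],  # REG_MULTI_SZ: password filter loaded
    (LSA, "FullPrivilegeAuditing"): 1,
    (LANMAN, "EnablePlainTextPassword"): 0,
    (LANMAN, "EnableSecuritySignature"): 1,
    (LANMAN, "AutoShareServer"): 0,
}

# Constructed export; the multi-string below encodes "FPNWCLNT" and "PASSFILT" in UTF-16LE.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):46,00,50,00,4e,00,57,00,43,00,4c,00,4e,00,54,00,00,00,\
  50,00,41,00,53,00,53,00,46,00,49,00,4c,00,54,00,00,00,00,00
"FullPrivilegeAuditing"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"EnablePlainTextPassword"=dword:00000000
"EnableSecuritySignature"=dword:00000001
"""


def decode_value(raw):
    """Decode the value types the article's settings use; anything else is kept raw."""
    if raw.startswith('"') and raw.endswith('"'):
        return re.sub(r"\\(.)", r"\1", raw[1:-1])                 # REG_SZ, unescape \\ and \"
    if raw.startswith("dword:"):
        return int(raw[len("dword:"):], 16)                       # REG_DWORD, hexadecimal
    if raw.startswith("hex(7):"):                                 # REG_MULTI_SZ, UTF-16LE, NUL separated
        data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b.strip())
        return [s for s in data.decode("utf-16-le").split("\x00") if s]
    return raw


def parse_reg(text):
    """Parse an export into {key path: {value name: value}}. Key and value names are
    stored lower-cased because the registry treats them case-insensitively."""
    text = re.sub(r"\\\r?\n\s*", "", text)                        # join hex continuation lines
    tree, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            tree.setdefault(key, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if m and key is not None:
            tree[key][m.group(1).lower()] = decode_value(m.group(2))
    return tree


def check_hardening(tree):
    """Return {(key, name): (status, actual)}; status is 'ok', 'weak' or 'missing'.
    A missing value means the NT default applies, which for every setting here is the weak one."""
    report = {}
    for (key, name), expected in RECOMMENDED.items():
        actual = tree.get(key.lower(), {}).get(name.lower())
        if actual is None:
            status = "missing"
        elif isinstance(expected, list):
            present = [v.upper() for v in (actual if isinstance(actual, list) else [actual])]
            status = "ok" if all(e.upper() in present for e in expected) else "weak"
        else:
            status = "ok" if str(actual) == str(expected) else "weak"
        report[(key, name)] = (status, actual)
    return report


if __name__ == "__main__":
    for (key, name), (status, actual) in check_hardening(parse_reg(SAMPLE_EXPORT)).items():
        print(f"{status:8} {name} = {actual!r}  ({key})")
```

In the constructed export the SMB settings are already correct, cached logons and privilege auditing are at their weak values, and AutoShareServer is absent, so the administrative shares are still being created; treating an absent value as a finding rather than silently passing it is the point of the "missing" status.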
Conclusion
Of course, Windows NT has more modern and refined successors, such as Windows 2000 and Windows XP. But this operating system still remains the basis of most Windows NT (read: 2000, XP) networking concepts.
(The original version is at this link)
Thank you for your attention!
Stanislav N. Ivasyuk