RIGHT OUT OF THE BOX, Windows NT is not secure. Because NT is a network operating system, it makes resource sharing easy. But to balance accessibility and control, you need network security.
Two questions facing a new NT administrator are where to add security and how to ensure that the system remains secure. To answer both questions, you need to perform a security audit-- an evaluation of your security policies and procedures and an analysis of how well your users adhere to them. An ordinary NT audit tracks events such as login success and failure. In contrast, a security audit centers around the NT security model and considers NT security features and physical security.
You can manually perform several of the steps in a security audit or use third-party software to learn about NT's security model and to automate the audit process. Such software products include Intrusion Detection's Kane Security Analyst (KSA) and Somarsoft's DumpAcl. The sidebar, "Automated Audits," explains what these products can do. By comparing your security audit results with the industry standards (see the sidebar, "Recommended Reading," page 91 and the US government's security specifications), you can assess how secure your system is and identify areas you need to improve.
NT Security Model
The standard NT security model begins with user and logon validation. You ensure that anyone who signs on is legitimate by assigning each user an account name and password for the entire network. Then you organize users in functional global groups (subsets of a network that reach out of their domain--a workgroup with security--to connect with other domains) by creating user accounts. Next you assign permissions to local groups (subsets of a network that stay within their domain) to access resources (which you secure through resource protection and permissions). Finally, you build appropriate trust relationships (associations) between local and global groups. (For more on this model, see Mark Minasi, "Domains and Workgroups," April 1996, and Ed Tittel and Mary Madden, "Domains, Trust Relationships, and Groups," June 1996.) This security model can help you formulate a strategy to audit your existing security.
User Validation Procedures
The first step in a security audit is to ensure you have adequate user validation procedures. Every user must have an account with a username and password. You set the Account Policies from User Manager for Domains on your domain controller. Screen 1 shows the Account Policy dialog.
The username must be unique within the NT domain and needs to be unique to the network to avoid confusion. A username can have up to 20 characters.
NT's password security options are maximum password age, minimum password age, password uniqueness, and minimum password length. Imposing a maximum password age forces users to change their password at certain intervals. A maximum password age also limits how long an intruder can access your system and makes the intruder work harder for less return. The maximum password age applies to all users--you can't set this option user by user. However, you can set up an individual account with a password that never expires. Reserve this option for system accounts, such as the Replicator account and SQL Server's SQLExecutive account, that never need you to update their password.
Keep in mind that frequent password expiration carries some overhead--every time users change their password, the system updates the accounts at the Primary Domain Controller (PDC). The PDCs then have to synchronize the changes with the Backup Domain Controllers (BDCs), which means more network traffic (for more on PDCs and BDCs, see Ed Tittel and Mary Madden, "PDCs, BDCs, and Availability," August 1996). A user account occupies 1024 bytes, so with 20,000 users changing their password once a month, you can expect to move 20MB of data across the network to the BDCs just for password changes.
You specify a minimum password age in NT to prevent a user from changing to a new password and then changing it back to the original password. After users change their password, they can't reset it for the specified period. By default, NT allows changes any time. The other approach to discourage recycling passwords is to turn on the password uniqueness option, which keeps a set of passwords in a history file. Of course, you will always have the user who selects passwords such as bozo1, bozo2, and bozo3, which are unique, if not very imaginative.
By default, NT permits blank passwords during installation. A blank password is obviously a security problem (for more on the security risk of using a blank administrator password, see Bob Chronister, "Tricks and Traps," page 138, September 1996), so you can use the minimum password length option to prevent blanks. (The password minimum length is 0 characters, and the maximum length is 14.) Unlike other OSs, NT doesn't insist that at least one character be nonalphanumeric, such as an underscore or a comma.
User Validation Compliance
After you establish password procedures, all users will be in compliance once their password expires for the first time. At that time, NT insists that users supply a new password that meets the new password policy standards.
The password options take effect immediately. The only exception is that these options apply to new passwords, not existing passwords. After you turn the password security options on, any users who set their password before it reaches the maximum password age can continue to log on (even if their password doesn't meet the standards for length) until it reaches the maximum password age.
For example, suppose you set the maximum password age to expire every 30 days. Users who last changed their password 15 days ago can continue to use that password for the next 15 days, until it expires, even if it doesn't meet the new standards. Other users who last changed their password 45 days ago will have to change their password at the next logon because the password is older than the policy allows.
Although NT doesn't restrict what can be a valid password, avoiding easy-to-guess words such as usernames, family names, or any word in the dictionary is a good idea. To test passwords, use a third-party product such as KSA. Password cracking will check for variations of the username (such as typing it backwards) and test whether the user chose a word from the dictionary. Make sure you can modify the password cracking software's dictionary to disallow industry-specific terminology and discourage users from selecting the name of their project or some other common word as a password. Obviously, cracking passwords can take a while if you have several user accounts.
The highest level of NT security is the US government's C2 certification level (for an overview of NT security, see Keith Pleas, "Securing Windows NT," on page 74). For C2-level security (a summary of the various levels of security is at www.dmu.ac.uk/~chl/orange.html), the name of the previous user must not appear on screen when a user presses Ctrl-Alt-Del to open the logon dialog. Users often complain about having to type their name every time they log on, but this step prevents hackers from getting half the information they need to log on. To turn this option off, edit the Registry key hkey_local_machine\software\microsoft\windowsnt\currentversion\winlogon. Add the value DontDisplayLastUserNameoftypeReg_SZ, and set the value to 1.
Security Tip: You can't delete the Administrator account, but you can change the name. Anyone trying to break in knows that NT installs by default with a powerful account called Administrator. Why not rename this account and make hackers work a little harder? You can also add a new Administrator account with a secure password and No Access set on resources. Anyone trying to break in through this account will trigger the account lockout and assume that the default Administrator account is in place. Hackers can waste their time, but this account won't provide any useful access to the system.
User Account Validation
The next step in the security audit is to ensure that only valid users have accounts on the system. This task is not easy when a network has numerous users. In particular, NT has no way of determining when someone last used, or ever used, a user account. Unused accounts that the system hasn't assigned to an individual can be a problem because nobody will notice a hacker trying to break in through that account. Third-party software such as Somarsoft's DumpAcl can detect and list unused accounts so you can remove them. Somarsoft warns that the system stores the last valid logon time and date stamp for an account at the authenticating domain controller, so the only way to tell when the user last logged on is for the software to check and compare the time stamp on the PDC and all BDCs. That comparison can take time.
User Accounts Authority Levels
The next step is to check for an excessive number of users who are members of the Administrators group or who have too many user rights assigned. The number of users with access to the Administrators group and the number of rights they have depends on how many people really need to be administrators and what rights they need. Look in the Domain Admins global group in the User Manager for Domains to see how many people have administrative authority in the domain. No easy way is available to manually check for overly liberal assignment of user rights, but a third-party package such as KSA can do so.
Having more than one administrator account is a good idea in case of emergency, but most users don't need administrator rights to perform their jobs (even on their own computer). A better approach is to put users in the Power User local group on their workstation so they can share resources and change some--not all--system settings.
User Accounts Break-in Detection
The next step in the security audit is to confirm that your NT site has a policy to lock out accounts after a set number of unsuccessful logon attempts. Go to the Account Policies dialog of the User Manager for Domains. Turn on Account Lockout, and set the number of allowed logon attempts to a low number such as three. This setting will allow legitimate users a few tries in case they mistype their username or password and will catch a hacker who is testing passwords.
Although NT can unlock the account after a predetermined time, a better approach is to establish an account lockout policy that lets only the administrator unlock the account. If the account automatically resets, the user may not realize a hacker is targeting the account. Even if users identify the hacker's attempts, they sometimes don't alert the administrator.
User Account Auditing
The security check needs to ensure that auditing is turned on for failed logon attempts, so you can detect an intruder trying to gain access with account name and password combinations. As with any NT auditing, you turn on Audit from the Policy menu in User Manager for Domains. When the auditing feature is writing to the Event Log, the security administrator needs to regularly check this log for unusual activity.
Resource Protection with NTFS
Your security audit needs to include File Allocation Table (FAT) and NT File System (NTFS) drives. You can't protect local files on a FAT volume (for information on FAT, see Sean Daily, "NTFS vs. FAT," on page 95). So for a more secure system, use NTFS for all drives, including the boot and system partitions. However, even with NTFS, you have to take precautions such as disabling a floppy boot. (For information on NTFS security risks, see Mark Russinovich and Bryce Cogswell, "NTFSDOS Poses Little Security Risk," and Joel Sloss, "That Depends on Your Definition of Secure," September 1996.)
Resource Permission Defaults
When you format a new disk as an NTFS volume, the group Everyone has Full Control Permission by default. Any directories you create on or copy to this drive will inherit this permission, so your systems administrator must remove this default permission when formatting a drive. Immediately after formatting the drive, open My Computer or NT Explorer and click the drive properties. Click the Security tab, and click Other to remove the Full Control permission from Everyone. You can set up the appropriate permissions when you copy directories and files to the disk.
Resource Permission Auditing
Auditing file and directory permissions is a complex task. NT's File Manager lets you look at the permissions, file by file. But as you move files among directories on the same disk, the files retain their original permissions. Eventually, a directory can contain files with a wide range of permissions, and examining each file individually (with potentially thousands on a disk) is not feasible.
In this case, third-party products such as DumpAcl or KSA can help. Somarsoft's philosophy is to quickly look at the security on a drive. The danger lies in the anomalous files with erroneous permissions, so DumpAcl groups files and directories with equivalent permissions and weeds out files with erroneous permissions. If all files have the same permissions as their parent directories, DumpAcl returns a short report. This approach is a logical way to analyze permissions. KSA's resource permission auditing is easier to use and more comprehensive than NT's tools, but not as convenient as Somarsoft's reporting by exception.
Physical security means that you limit physical access to computers by locking them in secure rooms, for example. Always consider a security audit in the context of building security: Take steps such as limiting access to servers, backup tapes, and uninterruptible power supplies. The specifications for the US government's levels of security contain details (such as keeping the server in a locked room with limited physical access, keeping backup tapes locked away, and ultimately, not connecting the computer to a modem or outside network) about the physical security of the computers. By default, NT Server lets only administrators and members of certain Operator groups log in locally (at the computer). This security measure means you must log in before you can shut down the computer from the keyboard.
Auditing your security is not enough--you have to establish a security policy to know how to implement the audit findings. Two conditions must accompany security policies to make them work. First, management must support them. Second, users must know the impact any lack of security has on the organization, and you must show them how they can use auditing tools (such as the ones described in this article) to help keep the network secure.
- Microsoft Windows NT 3.5 Guidelines for Security, Audit and Control
- Author:Citibank NA, et al.
- Publisher: Microsoft Press, Redmond, WA, 1994
- ISBN 1-556-15814-9
- Price: $49.95, 286 pages
- This book is the result of a joint project by Citibank NA, Coopers & Lybrand, The Institute of Internal Auditors, and Microsoft. The target audience is management and administrators who set the policies that will ensure the security of enterprise computer systems and the data they contain. Although this book was written for Windows NT 3.5, it applies to the more recent OS releases.
- Windows NT Security: A Tutorial for Regular Users and Administrators
- Author: Steve Sutton
- Publisher: Trusted Systems Training & Consulting, Urbana, IL, 1997
- ISBN 1-889-82700-2
- Price: $39.95
- You have to order this book directly from Trusted Systems Training & Consulting, 217-344-0996, on the Web, www.trustedsystems.com, or by email, firstname.lastname@example.org. The book will be available from Addison-Wesley in early 1997.
- Microsoft Windows NT Resource Kit, Version 3.51
- Publisher: Microsoft Press, Redmond, WA, 1996
- ISBN 1-556-15926-9
- Price: $199.95 (upgrades are $39.95)
- 5 volumes, 1 CD
- 330 pages, 1 CD
- The NT 3.51 Resource Kit contains a C2-level security check program, as you see in Screen E. Although C2-level security involves more than OS settings, this utility provides an overview of how to secure an NT system. The Resource Kit contains useful information about the settings you can change to achieve a more secure environment.
|Kane Security Analyst for Windows NT|
| Intrusion Detection * 212-348-8900 |
CompuServe Forum: GO INTRUSION
|DumpAcl, DumpEvt, and DumpReg|
| Somarsoft * 415-776-7315|
Price: DumpAcl: $99; DumpEvt: $39; DumpReg: $10