Tutorial: Windows NT
Securing Windows NT
Careful configuration and monitoring of NT, especially Internet-facing NT machines,
can make the difference between a secure system and one which is open to security
breaches. We explain the steps you need to take.
By Justin S Kapp

Windows NT has become a popular choice as a platform for providing Internet services. As a result it is becoming more and more important that the Windows NT machine is secure from attack.

In order to keep Windows NT secure while on the Internet or on a private network it is important that you have a baseline starting point for a secure system. This starts with the installation and continues through to the live system monitoring.

When securing Windows NT it is important to decide what role the machine is to undertake. There is a core set of tasks that should be undertaken for any machine and some specific tasks for different machine roles. It is also important to limit the machine to a limited set of roles, as this reduces the possible exposure of the machine to security breaches.

There are a few things you need to have before you start:

- Windows NT Server CD (for server installs).
- Windows NT Workstation CD (required for Workstation installs, plus some Server installs).
- Latest Windows NT Service Pack (more than one service pack may be required), and required Windows NT hot fixes.
- Microsoft Security Configuration Manager (SCM), which is part of the NT Service Pack 4 CD or is available from the Microsoft Web site.
- Any hardware drivers (network, SCSI card etc) for your specific machine configuration.

Installation

Firstly determine the requirements for the machine. Make sure you have all the pre-requisite items to hand before you start the installation. The instructions given here are geared towards the US English Windows NT; however, they are equally valid for other language versions. Some of the system configuration may leave certain system elements unusable, and note that configuration should not be attempted at all if you are not familiar with installing and configuring Windows NT.

During the various stages of the machine configuration it is a good idea to perform a backup of the machine settings using RDISK, which allows you to restore the machine to a known configuration should there be a problem.

Another way to preserve the machine is to create a machine image using a product like Norton Ghost or PowerQuest ServerMagic, and cut the image to CD. If restoring from the image to more than one machine, make sure each machine has a unique Security Identifier (SID) created using a tool like NewSID from System Internals (www.sysinternals.com).

Firstly you should install the system onto a disk partitioned to use only the NTFS file system, since only NTFS supports NT's access control lists for files. When installing an Internet-based Server or Enterprise Server, make the machine a standalone member server. This server will not participate in a domain environment.

You should create a system partition of around 1 GB, and partition the rest of the disks so you have separate partitions for your data, such as your Web server root directories and extra applications that are not part of the operating system.

Keeping the machine system files separate from data and other applications is good practice to avoid some security issues. Some applications (such as ftp servers and Web servers) try to enforce a sandbox for users to operate within. Sometimes, if there is an implementation issue and, as a result, a compromise in the sandbox, it would mean the user may have access outside this sandbox. Thus separating this sandbox from the system files reduces the risk of compromise to system files. It is also a good idea to keep the log files for such services separate, too - this makes it easier to maintain them.

Figure 1 - Account policies.

Password Policy
  Enforce password uniqueness by remembering last passwords:  6
  Minimum password age:                                       2
  Maximum password age:                                       42
  Minimum password length:                                    10
  Complex passwords (passfilt.dll):                           Enabled
  User must logon to change password:                         Enabled

Account Lockout Policy
  Account lockout count:                                      5
  Lockout account time:                                       Forever
  Reset lockout count after:                                  720 mins

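
The numeric values in Figure 1 can be checked against a machine's reported policy. The following is an added example, not part of the original article: it parses text in the layout of `net accounts` output and lists every setting weaker than Figure 1. The field labels, the sample text, and the spellings used for "unset" and "permanent" are assumptions to adjust against your own system's output; the two "Enabled" items in Figure 1 are outside what this sketch parses.

```python
import re

# Figure 1 as weakest acceptable values; labels are assumed `net accounts` names.
BASELINE = {
    "Length of password history maintained": ("at least", 6),
    "Minimum password age (days)": ("at least", 2),
    "Maximum password age (days)": ("at most", 42),
    "Minimum password length": ("at least", 10),
    "Lockout threshold": ("at most", 5),
    "Lockout duration (minutes)": ("forever", ""),
    "Lockout observation window (minutes)": ("at least", 720),
}
UNSET = {"none", "never", "unlimited"}   # assumed spellings of "not enforced"
PERMANENT = {"forever", "0"}             # assumed spellings of a permanent lockout

def parse_accounts(text):
    """Return {label: value} from the 'Label:   value' lines of the output."""
    pairs = (re.match(r"(.+?):\s+(\S.*)$", ln.strip()) for ln in text.splitlines())
    return {m.group(1): m.group(2).strip() for m in pairs if m}

def audit(text):
    """Return (label, found, expected) for each setting weaker than Figure 1."""
    found, failures = parse_accounts(text), []
    for label, (rule, limit) in BASELINE.items():
        value = found.get(label, "")     # "" when the line is missing
        if rule == "forever":
            ok = value.lower() in PERMANENT
        elif value.lower() in UNSET or not value.isdigit():
            ok = False                   # missing, unset or unparseable
        elif rule == "at least":
            ok = int(value) >= limit
        else:                            # "at most"; 0 would mean disabled
            ok = 0 < int(value) <= limit
        if not ok:
            failures.append((label, value, f"{rule} {limit}".strip()))
    return failures

# Constructed sample modelled on `net accounts` output, not a real capture.
SAMPLE = """\
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              6
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
"""

for label, got, want in audit(SAMPLE):
    print(f"FAIL  {label}: found {got!r}, Figure 1 requires {want}")
```
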
Issue 115 (February 2000) page 11
File: T1715.1
PC Network Advisor