
CHAPTER 16
Windows NT Security Issues
Copyright 2001 The McGraw-Hill Companies, Inc.
Network Security: A Beginner’s Guide
Microsoft Windows NT is one of the most prevalent operating systems within organizations and across the Internet. It is being used in the traditional roles of file and print servers as well as in new roles such as Web server, application server, and database server. Given the sensitivity of information being stored on Windows NT systems and the sensitivity of applications being run on Windows NT systems, it is critical that system administrators understand how to set up the systems in a secure manner.
In this chapter, we will discuss basic steps to take during system setup. These steps
will include Registry settings as well as basic system configuration. We will also discuss
how to manage users within a Windows NT domain. In the final section of this chapter,
we will discuss system management issues from a security perspective and identify some
indicators to watch for that may indicate something is going wrong with the system.
SETTING UP THE SYSTEM
Windows NT is not secure right out of the box. This is the case even though the National
Computer Security Center (NCSC) has certified some implementations of Windows
NT (4.0 and 3.5) as C2-compliant (for a complete discussion of C2 and other Orange
Book Criteria, see Chapter 1). The C2 certification says that Windows NT has the appro-
priate security functionality to be certified but it does not say anything about being secure
for a particular environment. The certification is also provided to the system when it is
not connected to a network. If true C2 functionality is required, the C2 Configuration
Manager (provided in the NT Resource Kit) must be used.
Given that Windows NT is not secure right out of the box, there are some settings that should be made before the system goes into production that will make the system more secure. The configuration settings are divided into Registry settings and system configuration settings.
Registry Settings
The Windows NT Registry is the internal system database that stores necessary system
parameters and values. Take care when making changes to the Registry as mistakes can
make the system unusable. That said, some changes to the Registry could aid in securing
the system.
NOTE:
Some Registry changes are necessary to invoke security functions or configurations that
come in service packs or hot-fixes.
The following sections detail recommended Registry changes. You should edit the Registry using Regedit or Regedt32. Either program can be started from the Run command (see Figure 16-1).
Enabling Logon Message
The logon message provides a vehicle to display a legal notice prior to a user logging on
to the network. This is generally a good idea for any organization. To accomplish this on a
Windows NT domain, follow these steps:
1. Go to \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
2. Find the LegalNoticeText key and insert the text you wish to display.
NOTE:
If the text you wish to display is large, it will be easier to type it out in Notepad or another text
editor and paste it into the value.
Figure 16-1. A view of Regedit showing the Registry hierarchy
Clearing System Pagefile on Shutdown
The system pagefile contains important system information when the system is running. This system information may include encryption keys or password hashes. To force Windows NT to clear the system pagefile on shutdown, follow these steps:
1. Go to \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management.
2. Find the ClearPageFileAtShutdown key and set the value to 1.
Preventing Shutdown Without Logon
The default Windows NT installation allows anyone to shut down the system by entering
CTRL-ALT-DEL and clicking the Shutdown button. To force a user to log on to the system
before being able to shut it down, follow these steps:
1. Go to \HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon.
2. Find the ShutdownWithoutLogon key and set the value to 0.
Disabling LAN Manager Authentication
LAN Manager authentication is an authentication system that allows Windows NT servers to work with Windows 95 and Windows 98 clients (as well as Windows for Workgroups). LAN Manager authentication schemes are significantly weaker than the NT authentication systems and thus may allow an intruder to perform a brute-force attack on the encrypted passwords using much less computing power. To force the use of NT authentication, follow these steps:
1. Go to \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
2. Find the LMCompatibilityLevel key. (You may have to create it. If so, it is of type REG_DWORD.) Set the value. The value you set depends upon your environment. There are six levels defined as follows:
   0 This is the default level. Send both LAN Manager and NT responses. The system will never use NT version 2 session security.
   1 Use NT version 2 session security if negotiated.
   2 Send NT authentication only.
   3 Send NT version 2 authentication only.
   4 (Applies to servers only) Server refuses LAN Manager authentication.
   5 (Applies to servers only) Server only accepts NT version 2 authentication and refuses all others.
NOTE:
Before making the change to this Registry key, determine the operating requirements for
your network. If you have Windows 95 or Windows 98 clients on your network, you must use levels 0 or 1.
Also, Service Pack 4 or higher is required to use NT version 2 authentication.
Restricting the Anonymous User
Windows NT allows a null user session to access information such as the usernames on
the system, groups, shares, and policy values. This null session uses a blank user name
and a blank password. To restrict this ability, follow these steps:
1. Go to \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa.
2. Find the RestrictAnonymous key. (You may have to create it. If so, it is of type
REG_DWORD.) Set the value to 1.
NOTE:
If your network has multiple NT domains or if you are using the Novell NDS, you may not be
able to do this. See the Microsoft Knowledge Base (article Q143474) for more details.
Restricting Remote Registry Access
Tools like Regedit and Regedt32 can be used to read and edit the registries of remote computers. This can be done over a LAN (that is, within an organization) or over the Internet. To restrict this ability, follow these steps:
1. Go to \HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurePipeServers\WinReg.
2. Use Regedt32 to set the permissions on WinReg. The permissions should be Full Control to Administrators and System, Read to Everyone.
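The Registry values recommended in the preceding sections can be checked in bulk against an export of the Registry. The following Python script is an added example, not code from the book: it parses a REGEDIT4 export (the text format Regedit writes) and reports which of LegalNoticeText, ClearPageFileAtShutdown, ShutdownWithoutLogon, LMCompatibilityLevel and RestrictAnonymous still hold an insecure or missing value. The sample export is constructed, the min_lm_level parameter is an assumption for networks that must stay at level 0 or 1 for Windows 95/98 clients, and the WinReg permissions are an ACL that an export does not carry, so they are not checked here.

```python
# Audit a Windows NT 4.0 Registry export (REGEDIT4 text as written by Regedit) against this chapter's settings.
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
MEMMGMT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
# Constructed sample export: defaults everywhere except the pagefile value; RestrictAnonymous absent.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"LMCompatibilityLevel"=dword:00000000
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"ShutdownWithoutLogon"="1"
"LegalNoticeText"=""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
"""

def parse_regedit4(text):
    """Return {key path (lower-cased): {value name: value}}; dword -> int, REG_SZ -> str."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})  # key paths are case-insensitive
        elif current is not None and line.startswith('"'):
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                current[name] = int(raw[len("dword:"):], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                current[name] = raw[1:-1]
    return keys

def baseline(min_lm_level):
    """Checks as (key, value name, predicate, finding); keep min_lm_level at 0 or 1 while Windows 95/98 clients remain."""
    return [
        (WINLOGON, "LegalNoticeText", lambda v: bool(v), "no logon legal notice"),
        (MEMMGMT, "ClearPageFileAtShutdown", lambda v: v == 1, "pagefile not cleared at shutdown"),
        (WINLOGON, "ShutdownWithoutLogon", lambda v: str(v) == "0", "shutdown allowed without logon"),
        (LSA, "LMCompatibilityLevel", lambda v: isinstance(v, int) and v >= min_lm_level,
         "LAN Manager responses still sent"),
        (LSA, "RestrictAnonymous", lambda v: v == 1, "null session enumeration not restricted"),
    ]

def audit(text, min_lm_level=2):
    """Return one finding per failed check (a missing value fails); an empty list means the export meets the baseline."""
    reg, findings = parse_regedit4(text), []
    for key, name, ok, problem in baseline(min_lm_level):
        value = reg.get(key.lower(), {}).get(name)
        if not ok(value):
            findings.append(f"{name}: {problem} (current value: {value!r})")
    return findings
```

Running audit(SAMPLE_EXPORT) on the constructed export reports four findings; passing min_lm_level=0 accepts the default LAN Manager level and leaves three.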
System Configuration Settings
Before a Windows NT system is ready for production, there are a number of system
configuration settings that should be changed to increase the security of the system.
These changes are in four primary areas:
■ File systems
■ Network settings
■ Account settings
▲ Service packs and hot-fixes
As a general rule, the specific settings should be governed by the organization’s
security policy and system configuration requirements.
File Systems
All file systems on Windows NT systems should be converted to NTFS. Windows NT will
establish FAT file systems by default. FAT file systems do not allow for file permissions;
therefore, NTFS is better from a security point of view. If you have a FAT file system, you
can use the program CONVERT to change it to NTFS. This program requires a reboot but
it can be done with information already on the drive.
Every Windows NT system creates administrative shares when it boots. These are the C$, D$, IPC$, ADMIN$, and NETLOGON (only found on domain controllers) shares. These shares can be used by an attacker to attempt to brute-force administrator passwords because failed attempts against them do not trigger the failed login attempt lockouts. Unfortunately, turning these off may have significant consequences to the operation of the system. For example, if the NETLOGON share is removed, no one can log on to the domain. This clearly defeats the purpose of the domain controller. If you choose to disable the administrative shares, there are two reasonable ways to do it:
■ Install the Windows NT Policy Editor from the Resource Kit and use it to disable the administrative shares. However, doing this will disable all the shares except for IPC$. This may break remote backup programs.
▲ Use the AUTOEXNT program from the Resource Kit and add one line to the batch file for each share you wish to delete. The line to remove a share looks like:
net share <share name> /delete
Do this for each of the drive shares and the ADMIN$ share.
NOTE:
Removing the shares can have significant consequences to the way the Windows NT system
or domain operates. Shares should only be removed with great care.
When a system is built, it is often a good idea to create an Emergency Repair Disk (ERD). The ERD provides a way to recover the Registry and user database on a broken system. The ERD is more useful when the number of users is small and if the users on the system do not change often. For domain controllers, it is more useful to have good backups. When the ERD is created, Windows NT also creates a directory called %systemroot%\repair. This directory contains copies of the user database file (SAM file) as well as other important configuration files. Normally, when the system is in operation, the SAM file is not accessible. However, if the repair directory is not properly secured, the backed up SAM file is accessible. Only administrators should have access to this directory.
Network
The network is a key part of any Windows NT deployment. Generally, domains are better than workgroups as they allow for a central user database and management. If domains are to be used, each domain should have a primary domain controller (PDC) and at least one backup domain controller (BDC). Large organizations may want to consider dividing the user community into multiple domains based on geographic divisions.
NOTE:
Dividing the user community into multiple domains is not really a security issue but provides for better performance in large organizations.
When multiple domains exist within an organization, trust relationships are often established to allow users from one domain to access resources in another. From a security point of view, trust relationships should be kept to a minimum and the users who are allowed access across the domains should be tightly controlled.
NetBIOS is enabled on Windows NT by default. There are many ways that detailed
information about a Windows NT network can be gained through NetBIOS. However,
NetBIOS also helps the Windows NT network work smoothly. NetBIOS should be turned
off for any system that will be accessed from the Internet. To do this, go to the Control
Panel and select Network. Select the Services Tab, highlight the NetBIOS Interface, and
choose Remove (see Figure 16-2). Your system will need to be rebooted.
It is also possible to add additional TCP/IP services (such as ECHO, Time,
CHARGEN, and so on) to a Windows NT system. You do this from the Network Services
tab by selecting Add and highlighting Simple TCP/IP Services. Do not do this. There is
no reason to enable these services on a Windows NT system.
Figure 16-2. Removing NetBIOS from a Windows NT system
Account Settings
Windows NT comes with two default accounts: administrator and guest. The guest account should be disabled. In addition, I change the password on the guest account to something very long and very random just in case. The administrator account is an easy target for any brute-force attempts since it does not get locked out after a number of failed login attempts as user accounts may. This account should be renamed. Also, since every Windows NT workstation and server in the organization will have an administrator account that is local to that machine, a procedure should be established to define a password for these accounts that is very strong. The password should be written down, sealed in an envelope, and stored in a locked cabinet.
The password policy should be configured per the organization’s security policy.
This is done by invoking the User Manager (or User Manager for Domains on the domain
controller) and selecting Account Policy from the Policies menu to see the screen shown
in Figure 16-3. This screen is used to define the following:
■ Maximum and minimum password ages
■ Minimum password length
■ Password uniqueness
▲ The account lockout policy
NOTE:
The account lockout policy is used to prevent an attacker from conducting a brute-force
attack to guess passwords. It can also be used to cause a denial-of-service condition to the entire user
community. Therefore, it may be wise to consider the consequences of prolonged lockouts of the user
community when setting this policy.
The account lockout policy will not be enforced against the administrator account
unless the PASSPROP utility from the Resource Kit is used. This utility will allow the
administrator account to be locked out but it will never be locked out from the console.
Service Packs and Hot-Fixes
Service packs and hot-fixes are the terms Microsoft uses for new versions of software. Generally speaking, these new versions are good things as they fix bugs and security vulnerabilities. Unfortunately, some of the service packs and hot-fixes have not worked properly and thus system administrators did not implement them.
Service packs and hot-fixes should be implemented within an organization after appropriate testing. It is also important to understand that the order in which hot-fixes are installed is critical. If hot-fixes are installed in the wrong order, it is possible that one will negate the effects of another.

The installation of some types of software may also affect the service packs and
hot-fixes on a system. If the software requires the installation of files from the original
Windows NT installation CD, it may overwrite the updates from service packs and
hot-fixes. If this occurs, the service packs and hot-fixes should be reinstalled.
USER MANAGEMENT
The management of users on a Windows NT system is critical to the security of the system and the NT domain. You should have proper procedures in place within the organization to identify the proper permissions each new user should receive. When an employee leaves the organization, you should also have established procedures to make sure that the employee loses access rights to the organization’s systems.
Adding Users to the System
Add new users to a system or domain through the User Manager. Select New User from
the User pull-down menu to see the screen shown in Figure 16-4. Each user should have a
unique user ID and his or her own account. If two users require the same access, then two
accounts should be created and they should be placed in the same group. Under no
circumstances should multiple users be given access to the same user ID.
Figure 16-3. Windows NT Account Policy screen
