FOCUS on Microsoft: Securing NT - Installing and Securing Part 5
SecurityFocus 2001-08-16

Installing and Securing Windows NT 4.0

Getting Started
Installing NT
Installing Service Packs and Hotfixes
Installing Drivers, Applications, and Services
Test the Server
Update Repair Information
Modify ACLs on Files and Directories
Create and Modify Registry Keys
Modify Registry Key ACLs
Enable Auditing
Set Account Policies
User Rights
Password Selection and Management

CAUTION: The information contained below is aimed at securing the NT Operating System. This information represents a "high security" posture and may break applications or disrupt performance on your own machine. The suggestions listed on this page may not be suitable for your environment. Test all changes on a non-production host before applying them to your production machine. SecurityFocus is not responsible for any damage that may result from applying these suggestions.

Create and Modify Registry Keys

Review the following Registry Keys and add those that are applicable to your installation. Use regedt32.exe to make these changes (do not use regedit.exe: on NT 4.0 it cannot view or set key permissions, and it does not correctly edit REG_MULTI_SZ or REG_EXPAND_SZ values, both of which appear below).

Function
Prevent non-administrators from connecting to the Registry via remote connections
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\SecurePipeServers\winreg
Verify
Ensure that only the Administrators group has Security-Permission: Full Control over this key
Benefit

Restricts network access to the Registry. Installation of Windows NT 4.0 Service Pack 3 or later removes the ability for anonymous users to connect to the registry remotely. Anonymous users cannot connect to the registry and cannot read or write any registry data. As a reminder, Windows NT 4.0 restricts remote access to the registry by domain users using the access control list on this registry key.

The ACL on this key identifies the authenticated users allowed to remotely connect to the registry. Windows NT 4.0 Server, by default, only allows Administrators remote registry access. The winreg\AllowedPaths subkey identifies specific portions of the registry that authenticated users who are not explicitly granted access by the winreg ACL can use for printer access and other system operations.

Function
Prevent non-administrators from connecting to sections of the Registry via remote Win32 programming interfaces
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\SecurePipeServers
\winreg\AllowedPaths\Machine
Verify
Remove all paths to which users do not need access
Benefit
Server - default behavior is to allow access to the following:

System\CurrentControlSet\Control\ProductOptions
System\CurrentControlSet\Control\Print\Printers
System\CurrentControlSet\Services\EventLog
Software\Microsoft\Windows NT\CurrentVersion

It is recommended to REMOVE ALL except Print\Printers. Each remaining path exists so that a non-administrator can use some remote tool (the EventLog path, for example, is what lets a remote Event Viewer user read the log configuration), so test remote administration as a non-administrator after trimming the list.

Workstation - default behavior is to allow access to:

System\CurrentControlSet\Services\Replicator

It is recommended to remove this access for Workstations.

Function
Prevent guest and null sessions from viewing Event Logs
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\EventLog\
Application
Security
System
Add Value
RestrictGuestAccess
Type
REG_DWORD
Data
1
Benefit
Restricts guests and null sessions from viewing event logs (usually via a remote connection). SecurePipeServers (above) also prevents guest and null access from viewing the related registry keys.

Function
Enable auditing of base system objects
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\Lsa
Add Value
AuditBaseObjects
Type
REG_DWORD
Data
1
Benefit
To enable auditing on base system objects, add the above key value to the registry key. Note that simply setting this key does not start generating audits. The administrator will need to turn auditing on for the "Object Access" category using User Manager. This registry key setting tells Local Security Authority that base objects should be created with a default system audit control list.

Function
Enable SMB Signing - For Servers
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\LanManServer\Parameters
Add Value
EnableSecuritySignature
Type
REG_DWORD
Data
1
Benefit
Service Pack 3 (and later) includes an updated version of the Server Message Block (SMB) file sharing protocol, also known as the Common Internet File System (CIFS) protocol. The update has two main improvements: it supports mutual authentication, which closes a "man-in-the-middle" attack in which an attacker impersonates the server to the client, and it supports message authentication, which prevents active message attacks (tampering with or injecting SMBs into an established session). SMB signing provides this by placing a digital security signature into each SMB, which is then verified by both the client and the server.

In order to use SMB signing, it must be either enabled or required on both the client and the server. If SMB signing is enabled on a server, clients that are also enabled for SMB signing will sign all subsequent sessions, and clients that are not enabled for SMB signing will fall back to the older, unsigned protocol. If SMB signing is required on a server, a client will not be able to establish a session at all unless it is enabled for SMB signing. Two practical consequences: signing costs CPU time on both ends (Microsoft's documentation cites a throughput penalty in the range of 10 to 15 percent), and requiring it locks out every client that cannot sign, including Windows 9x clients and older third-party SMB implementations. Enable first, watch which clients still connect unsigned, and only then require.

Function
Require SMB Signing - For Servers
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\LanManServer\Parameters
Add Value
RequireSecuritySignature
Type
REG_DWORD
Data
1
Benefit
Same as Enable SMB Signing for Servers (above). The difference is that with RequireSecuritySignature set the server refuses sessions from clients that cannot sign instead of falling back to unsigned SMB. Set EnableSecuritySignature first and confirm that every client is signing before setting this value.
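The two paragraphs above describe the negotiation in prose. As an added example (not code from the SecurityFocus article), the following computes the outcome for any combination of the four values and then shows which clients a change on the server would lock out, which is the question to answer before flipping RequireSecuritySignature on a production server. One assumption, taken from the article's wording that signing must be "enabled or required" on both sides: a side with Require set is treated as enabled even if its Enable value is 0. The client population is constructed for the example.

```python
"""Added example, not code from the SecurityFocus article: SMB signing
negotiation outcome for a client/server pair, from the four registry values
above, plus a pre-change impact check over a constructed client population.
Assumption: a side that requires signing is treated as having it enabled."""


def smb_signing_outcome(client_enable, client_require, server_enable, server_require):
    """Return 'signed', 'unsigned' or 'no session' for one negotiation."""
    client_can = client_enable or client_require   # assumption: require implies enable
    server_can = server_enable or server_require
    # A side that requires signing refuses any peer that cannot sign.
    if (server_require and not client_can) or (client_require and not server_can):
        return "no session"
    # Both sides able: every SMB in the session carries a signature.
    if client_can and server_can:
        return "signed"
    # Otherwise the session falls back to the older, unsigned protocol.
    return "unsigned"


# Constructed client population (names and settings are illustrative, not
# measured defaults). Values are the Rdr Parameters Enable/RequireSecuritySignature.
CLIENTS = {
    "nt4-signing-enabled":  {"client_enable": True,  "client_require": False},
    "nt4-signing-required": {"client_enable": True,  "client_require": True},
    "nt4-signing-off":      {"client_enable": False, "client_require": False},
    "win95-no-signing":     {"client_enable": False, "client_require": False},
}


def impact_of_server_setting(server_enable, server_require, clients=CLIENTS):
    """Map each client to the outcome it would get against a server whose
    LanManServer Parameters carry the given Enable/Require values."""
    return {
        name: smb_signing_outcome(server_enable=server_enable,
                                  server_require=server_require, **cfg)
        for name, cfg in clients.items()
    }


def clients_locked_out(server_enable, server_require, clients=CLIENTS):
    """Names of clients that could no longer connect at all."""
    outcomes = impact_of_server_setting(server_enable, server_require, clients)
    return sorted(name for name, result in outcomes.items() if result == "no session")


if __name__ == "__main__":
    for setting in ((False, False), (True, False), (True, True)):
        print("server Enable=%d Require=%d ->" % setting, impact_of_server_setting(*setting))
```

Run against a real inventory of client settings, the `clients_locked_out(True, True)` list is exactly the set of machines that must be upgraded or reconfigured before the server is set to require signing.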

Function
Enable SMB Signing - For Workstations
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\Rdr\Parameters
Add Value
EnableSecuritySignature
Type
REG_DWORD
Data
1
Benefit
Same as SMB signing for Servers. This value lives under the redirector (Rdr), which is the client side of SMB: set it on workstations, and on any server that also connects to other servers as a client.

Function
Require SMB Signing - For Workstations
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\Rdr\Parameters
Add Value
RequireSecuritySignature
Type
REG_DWORD
Data
1
Benefit
Same as Require SMB Signing for Servers, applied to the client side (Rdr). With this set, the workstation refuses to talk to any server that cannot sign, so every server it needs must have EnableSecuritySignature set first.

Function
Prevent anonymous users from enumerating user and share information through the GUI management tools
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\Lsa
Add Value
RestrictAnonymous
Type
REG_DWORD
Data
1
Benefit
The purpose of the registry value is to configure local system policy for whether authentication is required to perform common enumeration functions. When the RestrictAnonymous value is set to 1, anonymous connections from the Graphical User Interface tools for security management will receive an access denied error when attempting to get the list of account names. When the RestrictAnonymous value is set to 0, or the value is not defined, anonymous connections will be able to list account names and enumerate share names. It should be noted that even with the value of RestrictAnonymous set to 1, although the user interface tools with the system will not list account names, there are Win32 programming interfaces to support individual name lookup that do not restrict anonymous connections. (User2Sid and Sid2User)

Setting this value to 1 will prevent the following commands from enumerating information about the server via "null" sessions: dumpacl, usrstat, local, global, net view \\computername, User Manager. Getmac, however, will still work.

The Server service that provides remote file access to share resources will also use the LSA registry value, RestrictAnonymous, to control whether anonymous connections can obtain a list of share names. Therefore, administrators can set the value of a single registry configuration entry to define how the system responds to enumeration requests by anonymous logons.

Comment
This Registry Key is available in NT 4.0 SP3 and later; NT 4.0 recognizes only the values 0 and 1 (the stricter value 2 was introduced with Windows 2000). Setting it to 1 stops anonymous connections from receiving enumeration results, but it does not prevent null session connections from being made to IPC$, and the SID-to-name lookup interfaces mentioned above still answer.

Function
Don't Display the name of the User previously logged on
Hive
HKEY_LOCAL_MACHINE\SOFTWARE
Key
\Microsoft\Windows NT\CurrentVersion\Winlogon
Add Value
DontDisplayLastUserName
Type
REG_SZ
Data
1
Benefit
Prevent Windows NT from displaying the username from the last log on.

Function
Require log on before shutdown
Hive
HKEY_LOCAL_MACHINE\SOFTWARE
Key
\Microsoft\Windows NT\CurrentVersion\Winlogon
Add Value
ShutdownWithoutLogon
Type
REG_SZ
Data
0
Benefit
Requires Users to log on before shutting down the computer.

Function
Access to Floppy Drive while user is logged on
Hive
HKEY_LOCAL_MACHINE\SOFTWARE
Key
\Microsoft\Windows NT\CurrentVersion\Winlogon
Value
AllocateFloppies
Type
REG_SZ
Data
1
Benefit
Allocates floppy access solely to INTERACTIVE user when user logs on. After INTERACTIVE user logs out, floppy is accessible for general use.

Function
Access to CD-ROM while User is logged on
Hive
HKEY_LOCAL_MACHINE\SOFTWARE
Key
\Microsoft\Windows NT\CurrentVersion\Winlogon
Value
AllocateCDRoms
Type
REG_SZ
Data
1
Benefit
Allocates CD access solely to INTERACTIVE user when user logs on. After INTERACTIVE user logs out, CD is accessible for general use.

Function
Shutdown option on Full Audit Log
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\Lsa
Value
CrashOnAuditFail
Type
REG_DWORD
Data
1
Benefit
In a C2 configured system, the Windows NT auditing system gives the administrator the option to shut down the system when the security audit log fills up. With this setting, the system halts itself when the audit log becomes full and resets the registry value to 2. When the system is rebooted, only administrators are allowed to log on (locally or remotely). They must clear (or archive) the audit log, reset the value to 1 and reboot the system before any other user is allowed to log on. Be aware that anyone who can generate audited events can then take the system down, so pair this setting with a large Security log and a disciplined archiving schedule.

Function
For NT Servers - Disables Automatically Created Administrative Shares (C$, ADMIN$)
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\LanmanServer\Parameters
Value
AutoShareServer
Type
REG_DWORD
Data
0
Benefit
Determines whether the AutoShare feature is enabled on computers running Windows NT Server. AutoShare automatically creates hidden shares (C$, D$, ..., ADMIN$) on local drives. This value does not affect shares that are created manually. The change takes effect only after the Server service is restarted (or the machine rebooted), and remote administration or software distribution tools that connect through ADMIN$ or C$ will stop working.

0 Disables AutoShare.
1 Enables AutoShare.

Function
For NT Workstations - Disables Automatically Created Administrative Shares (C$, ADMIN$)
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\LanmanServer\Parameters
Value
AutoShareWks
Type
REG_DWORD
Data
0
Benefit
Determines whether the AutoShare feature is enabled on computers running Windows NT Workstation. AutoShare automatically creates hidden shares (C$, D$, ..., ADMIN$) on local drives. This value does not affect shares that are created manually. As with AutoShareServer, the change takes effect after the Server service restarts, and tools that rely on ADMIN$ or C$ will no longer reach the machine.

0 Disables AutoShare.
1 Enables AutoShare.

Function
Monitor Available Free Space on System Partition
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\LanmanServer\Parameters
Value
DiskSpaceThreshold
Type
REG_DWORD
Data
10
Benefit
Specifies the percentage of disk space that must remain free for use. If the percentage of free space falls below the value of this entry, the Server service generates a user alert (Event ID 2013).

Data may be 0-99 percent
Default: 10 percent

Function
Remove the Server/Workstation from Network Browse Lists
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\LanmanServer\Parameters
Value
hidden
Type
REG_DWORD
Data
1
Benefit
Determines whether the server's computer name and comment are announced to the browse list seen by other computers in the domain.

0 The server's name and comment can be viewed by other computers in the domain.
1 The server's name and comment cannot be viewed by other computers in the domain.

This is obscurity only: the server still answers connections to its name or IP address; it simply stops advertising itself to the browser service.

Function
Restrict null session access
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Services\LanmanServer\Parameters
Value
RestrictNullSessAccess
Type
REG_DWORD
Data
1
Benefit
Determines whether the Server service restricts access to clients using a null session. A null session is an SMB session set up with an empty user name and password, which the server maps to the anonymous logon rather than to any real account.

True (1) Null session access is restricted.
False (0) Null session access is not restricted.

If the value of this entry is True, null session access is determined by the values of NullSessionPipes and NullSessionShares.

RestrictNullSessAccess defaults to 1 even when the value does not appear in the Registry. Adding the value and setting it to 0 would allow null session connections to reach any share whose permissions grant access to Everyone, so if the value already exists, verify that it is 1.

Function
Legal Notice Caption
Hive
HKEY_LOCAL_MACHINE
Key
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value
LegalNoticeCaption
Type
REG_SZ
Data
ATTENTION
Benefit
Specifies the caption (title bar text) for the message that appears when the user presses CTRL+ALT+DEL to log on.

If the value of this entry is not blank, a dialog box bearing the caption and the message specified in the value of LegalNoticeText appears before the Logon Information dialog box is displayed. The user must click OK in the legal notice dialog box to proceed with logon.

Function
Legal Notice Text
Hive
HKEY_LOCAL_MACHINE
Key
\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value
LegalNoticeText
Type
REG_SZ
Data
Use of this computer is restricted to authorized individuals of XYZ Corporation
Benefit
Specifies the message that appears when the user presses CTRL+ALT+DEL to log on. For example, LegalNoticeText might be set to "You must be an employee of XYZ to use this computer."

If the value of this entry is not blank, a dialog box bearing this message and the caption specified in the value of LegalNoticeCaption appears before the Logon Information dialog box is displayed. The user must click OK in the legal notice dialog box to proceed with logon.

Function
Auto End Tasks without displaying dialog box
Hive
HKEY_CURRENT_USER (for the current user), or HKEY_USERS\<user SID> for each other loaded user profile
Key
\Control Panel\Desktop
Value
AutoEndTasks
Type
REG_SZ
Data
1
Benefit
Determines whether user processes are ended automatically when the user logs off or stops Windows NT.

0 Processes are not ended automatically. The system waits until the process ends and, if the time it takes to end the process exceeds the value of HungAppTimeout, the End Task dialog box appears, stating that the application cannot respond to the End Task request.
1 Processes are ended automatically.

Function
Clear Page File at Shutdown
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control
\Session Manager\Memory Management
Value
ClearPageFileAtShutdown
Type
REG_DWORD
Data
1
Benefit
Specifies whether inactive pages in the paging file are filled with zeros when the system stops. This is a Windows NT security feature. If the value of this entry is 1, when the system stops, Windows NT fills all inactive pages in the paging file with zeros so that they cannot be read by another process. It cannot fill active pages with zeros because some are being used by the system or other remaining active processes.

Function
Audit Backup and Restore Functions
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\Lsa
Value
FullPrivilegeAuditing
Type
REG_DWORD
Data
1
Benefit
When files are being backed up, Windows NT checks that the user performing the backup has the Back Up Files and Directories right each time the backup program attempts to copy a file to the backup media. In the same way, Windows NT checks for the Restore Files and Directories right for each file being restored from backup media. If Windows NT recorded an audit event each time those rights were invoked, thousands of events would be recorded during a routine backup. Because this would flood the security log with records that are usually of little value, Windows NT does not normally audit the use of these two rights, even when success auditing of Use of User Rights is enabled in the audit policy. Setting FullPrivilegeAuditing to 1 turns that exemption off, so every use of the backup and restore rights is recorded once Use of User Rights auditing is enabled. Expect a very large volume of events during each backup and size the Security log accordingly (especially if CrashOnAuditFail is also set).

Function
Enable strong encryption of the SAM database
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\Lsa
Value
SecureBoot (see note below)
Type
REG_DWORD
Data
1
Benefit
The system key feature enhances security by using stronger encryption of the SAM database. DO NOT create this value manually. The Syskey feature must be installed via the following command line option: "syskey -l". This installs the syskey feature and stores the key locally on the server.

This must be done after SP3 (or later) and all hotfixes have been applied. RDISK /s should be run after applying this feature, because an Emergency Repair Disk made beforehand cannot restore the re-encrypted SAM. Once enabled, syskey cannot be turned off.

This method allows the system to boot without intervention (it will not prompt for a syskey password at startup because the key is stored locally). You may change the location of the key by running "syskey" at any time and choosing to store the key on a floppy disk, or to require a password at startup to decrypt the system key. Either of those choices stops unattended reboots, so weigh them against the availability needs of the server.

Function
Report Performance Monitor Event to Event Log
Hive
HKEY_LOCAL_MACHINE
Key
\Software\Microsoft\PerfMon
Value
ReportEventsToEventLog
Type
REG_DWORD
Data
1
Benefit
Determines whether Performance Monitor logs error and warning events to the Application log in Event Viewer when it fails to retrieve data or retrieves unreadable or uninterpretable data (such as negative time). When Performance Monitor receives uninterpretable data, it displays 0 or 100 for the data point, depending on the counter.

0 Performance Monitor does not log data errors or notify the user that it has received uninterpretable data.
1 Performance Monitor writes an error to the Application log when it receives uninterpretable data.

Function
AutoReboot after Crash
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\CrashControl
Value
AutoReboot
Type
REG_DWORD
Data
1
Benefit
Specifies whether the system is to automatically reboot upon failure or lock-up. This value entry stores the value of the Automatically reboot check box on the Startup/Shutdown tab in System in Control Panel.

0 Do not reboot automatically.
1 Reboot automatically.

Function
Write DumpFile after Crash
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\CrashControl
Value
CrashDumpEnabled
Type
REG_DWORD
Data
1
Benefit
Specifies whether debugging information is written to a file when the system terminates abnormally. This value entry stores the value of the Write debugging information to check box on the Startup/Shutdown tab in System in Control Panel. The name and location of the file are specified in the value of DumpFile. Note that a full memory dump contains whatever was in RAM at the time of the crash, including credentials and keys, so protect the dump file with the same ACLs as the SAM.

0 No files are written when the system terminates abnormally.
1 Debugging information written to a file when the system terminates abnormally.

Function
Path to Write DumpFile after Crash
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\CrashControl
Value
DumpFile
Type
REG_EXPAND_SZ
Data
%SystemRoot%\Memory.dmp
Benefit
Specifies the file to which debugging information is to be written when the system terminates abnormally. This value entry is used only when the value of CrashDumpEnabled is 1. This value entry stores the value entered in the box under the Write debugging information to check box on the Startup/Shutdown tab in System in Control Panel.

Function
Record Crash to Event Log
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\CrashControl
Value
LogEvent
Type
REG_DWORD
Data
1
Benefit
Determines whether the system writes an error to the System log in Event Viewer when Windows NT terminates abnormally. This value entry stores the value of the Write an event to the system log check box on the Startup/Shutdown tab in System in Control Panel.

0 No events are logged when the system terminates abnormally.
1 The system writes an error message to the System log when Windows NT terminates abnormally.

Function
Do Not Overwrite Memory Dump after Crash
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\CrashControl
Value
Overwrite
Type
REG_DWORD
Data
1
Benefit
Determines whether the system creates a new file for debugging information if one has already been written. This value entry is used only when the system terminates abnormally and the file specified in the value of DumpFile already contains information from a previous failure. This value entry stores the value of the Overwrite any existing file check box on the Startup/Shutdown tab in System in Control Panel.

0 If debugging information has already been written to the specified file, the system writes the new debugging information over the old information.
1 If debugging information has already been written to the specified file, the system creates a new file for the new debugging information. This value preserves the existing file.

Function
Send Alert After Crash
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\CrashControl
Value
SendAlert
Type
REG_DWORD
Data
1
Benefit
Determines whether an administrative alert is sent to the user when the debugging file specified by the value of DumpFile is full. This value entry is used only when the value of LogEvent is 1 and the value of Overwrite is 0.

0 The user is not alerted when the debugging file is full.
1 The system sends an administrative alert to the user when the debugging file is full. Until the user responds, the system does not write additional information to the dump file.

Function
Strong Protection over Shared Objects
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\Session Manager
Value
ProtectionMode
Type
REG_DWORD
Data
1
Benefit
Setting this Registry Key to "1" secures the NT host from a privilege escalation vulnerability known as the "symbolic link case sensitivity exploit." Refer to Q218473 for more information.

Function
Do Not Send LanMan Password
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\Lsa
Value
LMCompatibilityLevel
Type
REG_DWORD
Data
0-5
Benefit
This parameter specifies the type of authentication an NT client sends when authenticating to another machine and, at levels 4 and 5, what a domain controller will accept. NTLMv2 (levels 1 and above on the client side) requires Service Pack 4 or later on the NT 4.0 systems involved. Windows 9x clients speak only LM unless the Directory Services Client is installed, so setting a domain controller to level 4 or 5 will prevent them from authenticating. A client-side value of 2 or 3 keeps the weak LM response off the wire without changing what the DC accepts.

Level 0 Send LM response and NTLM response; never use NTLMv2 session security (default).
Level 1 Use NTLMv2 session security if negotiated.
Level 2 Send NTLM authentication only. Never send LM authentication.
Level 3 Send NTLMv2 authentication only.
Level 4 DC refuses LM authentication.
Level 5 DC refuses LM and NTLM authentication (accepts only NTLMv2).

Refer to Q147706 for more information.

Function
Password Notification Packages - Password Strength
Hive
HKEY_LOCAL_MACHINE
Key
\System\CurrentControlSet\Control\Lsa
Value
Notification Packages
Type
REG_MULTI_SZ
Data
*Remove FPNWCLNT - Add PASSFILT
Benefit
NT 4.0 Service Pack 2 and later include a password filter (Passfilt.dll) that allows system administrators to increase password strength. This filter is copied to %SystemRoot%\SYSTEM32 when the Service Pack is installed. The filter runs on the machine that processes the password change, so it must be registered on the primary domain controller for the domain, and on every backup domain controller in case a BDC is promoted. When editing Notification Packages, remove the FPNWCLNT entry only if File and Print Services for NetWare is not installed: the entry is present by default, points at a DLL that does not exist on most systems, and an attacker who can write to SYSTEM32 can plant a trojan FPNWCLNT.DLL that receives every password change in cleartext.

Passfilt.dll implements the following password policy:
1. Passwords must be at least 6 characters long.
2. Passwords must contain characters from at least 3 of the following 4 classes:
English Upper Case Letters A, B, C, ... Z
English Lower Case Letters a, b, c, ... z
Westernized Arabic Numerals 0, 1, 2, ... 9
Non-alphanumeric characters .,;:*&%!#

3. Passwords may not contain your user name or any part of your full name. Custom password filter DLLs can be written to implement different password rules; see Microsoft Knowledge Base article Q151082, Password Change Filtering & Notification in Windows NT. Note that Passfilt.dll was originally consulted only for password changes initiated by the user, not for passwords set by an administrator in User Manager; verify on your service pack level that administrator-set passwords are filtered before relying on it.
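The three rules above are precise enough to code, which is useful for testing a password standard before rolling the filter out to the domain controllers. The following is an added example, not code from the SecurityFocus article and not Passfilt.dll itself; it re-implements the rules as listed. Two details the article does not pin down are assumptions, marked in the comments: how the full name is split into "parts", and that parts shorter than three characters (initials) are not checked.

```python
"""Added example, not code from the SecurityFocus article or from Passfilt.dll:
a re-implementation of the three Passfilt rules listed above. Assumptions:
the full name is split on the delimiters in NAME_DELIMS, and fragments
shorter than MIN_PART_LEN are ignored."""
import re

UPPER = frozenset("ABCDEFGHIJKLMNOPQRSTUVWXYZ")
LOWER = frozenset("abcdefghijklmnopqrstuvwxyz")
DIGIT = frozenset("0123456789")
ALNUM = UPPER | LOWER | DIGIT

# Assumption: the full name is split on these delimiters into parts.
NAME_DELIMS = re.compile(r"[,.\-_ \t#]+")
MIN_PART_LEN = 3  # assumption: shorter fragments (initials) are not checked


def name_parts(full_name):
    """Case-folded fragments of the full name that a password may not contain."""
    return [t.lower() for t in NAME_DELIMS.split(full_name) if len(t) >= MIN_PART_LEN]


def char_classes(password):
    """Number of the four Passfilt character classes present (0..4)."""
    has_upper = any(c in UPPER for c in password)
    has_lower = any(c in LOWER for c in password)
    has_digit = any(c in DIGIT for c in password)
    has_other = any(c not in ALNUM for c in password)  # anything else counts as non-alphanumeric
    return sum((has_upper, has_lower, has_digit, has_other))


def passfilt_check(password, user_name, full_name=""):
    """Apply the Passfilt rules. Returns (accepted, list_of_reasons)."""
    reasons = []
    if len(password) < 6:                       # rule 1
        reasons.append("shorter than 6 characters")
    if char_classes(password) < 3:              # rule 2
        reasons.append("fewer than 3 of the 4 character classes")
    folded = password.lower()
    # Rule 3: no user name and no part of the full name, compared case-insensitively.
    if user_name and user_name.lower() in folded:
        reasons.append("contains the user name")
    for part in name_parts(full_name):
        if part in folded:
            reasons.append("contains part of the full name: " + part)
    return (not reasons, reasons)


if __name__ == "__main__":
    for pw in ("Summer1", "smith99", "Ab1!", "jSmith#1"):
        print(pw, passfilt_check(pw, "jsmith", "John Smith"))
```

Note that "Summer1" passes every rule: six characters from three classes is the floor Passfilt enforces, not a strong password, which is why the account policy in the next step still matters.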

Function
Disable Caching of Logon Credentials during interactive logon
Hive
HKEY_LOCAL_MACHINE
Key
Software\Microsoft\Windows NT\CurrentVersion\Winlogon
Value
CachedLogonsCount
Type
REG_SZ
Data
0
Benefit
The default configuration of Windows NT caches the logon credentials for the last ten domain user accounts that have logged on interactively to the system. This is provided for availability, for example when the machine is disconnected from the network or no domain controller is online. The cached credentials can be extracted by anyone with administrative access to the machine and are then available for offline password cracking. To prevent this, set the cache value to 0. Note that portable computers with this setting can no longer log on with a domain account while away from the network.
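With this many values spread over several keys, a machine-checkable baseline is easier to keep honest than a printed list. The following is an added example, not code from the SecurityFocus article: it parses a registry export in the REGEDIT4 text format and reports which of the values recommended in this section are missing or wrong. The export below is constructed for the example; a real one comes from regedit.exe's "Export Registry File" (exporting is read-only, so it does not conflict with the advice to edit with regedt32.exe). Key ACLs (the winreg key, AllowedPaths) are not present in an export and are not checked. Assumption: an absent value is reported as a finding, since for these keys absence means the default, insecure behaviour.

```python
"""Added example, not code from the SecurityFocus article: an offline audit of
an NT 4.0 registry export (REGEDIT4 text) against the values this section
recommends. SAMPLE_EXPORT is constructed for the example. Assumption: an
absent value counts as a finding because absence means the insecure default."""
import re

SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"LMCompatibilityLevel"=dword:00000001
"Notification Packages"=hex(7):46,50,4e,57,43,4c,4e,54,00,00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000000
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"CachedLogonsCount"="10"
"LegalNoticeText"="Use of this computer is restricted to authorized individuals"

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001
"""

VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_reg(text):
    """Parse REGEDIT4 text into {key path: {value name: value}} with keys and
    value names case-folded. Handles "string", dword: and hex(7): (REG_MULTI_SZ,
    ANSI, NUL-separated) values; other types are kept as raw text."""
    text = re.sub(r",\\\r?\n[ \t]*", ",", text)  # join hex continuation lines
    reg, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            reg.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name, raw = (m.group(1) or "").lower(), m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            value = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        elif raw.startswith("dword:"):
            value = int(raw[len("dword:"):], 16)
        elif raw.startswith("hex(7):"):
            data = bytes(int(b, 16) for b in raw[len("hex(7):"):].split(",") if b)
            value = [s.decode("latin-1") for s in data.split(b"\x00") if s]
        else:
            value = raw
        reg[current][name] = value
    return reg


LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
SRV = r"hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters"
RDR = r"hkey_local_machine\system\currentcontrolset\services\rdr\parameters"
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
MEMMGMT = r"hkey_local_machine\system\currentcontrolset\control\session manager\memory management"


def _packages_ok(v):
    names = [s.upper() for s in v] if isinstance(v, list) else []
    return "PASSFILT" in names and "FPNWCLNT" not in names


# (key, value name, predicate on the parsed value, description)
BASELINE = [
    (LSA, "restrictanonymous", lambda v: v == 1, "RestrictAnonymous = 1"),
    (LSA, "lmcompatibilitylevel", lambda v: isinstance(v, int) and v >= 2, "LMCompatibilityLevel >= 2 (never send LM)"),
    (LSA, "notification packages", _packages_ok, "Notification Packages lists PASSFILT and not FPNWCLNT"),
    (SRV, "enablesecuritysignature", lambda v: v == 1, "server SMB signing enabled"),
    (SRV, "requiresecuritysignature", lambda v: v == 1, "server SMB signing required"),
    (SRV, "autoshareserver", lambda v: v == 0, "AutoShareServer = 0"),
    (RDR, "enablesecuritysignature", lambda v: v == 1, "workstation (Rdr) SMB signing enabled"),
    (WINLOGON, "dontdisplaylastusername", lambda v: v == "1", "DontDisplayLastUserName = 1"),
    (WINLOGON, "cachedlogonscount", lambda v: v == "0", "CachedLogonsCount = 0"),
    (WINLOGON, "legalnoticetext", lambda v: bool(v), "LegalNoticeText set"),
    (MEMMGMT, "clearpagefileatshutdown", lambda v: v == 1, "ClearPageFileAtShutdown = 1"),
]


def audit(reg):
    """Return one line per baseline item the export fails, with the value found."""
    findings = []
    for key, name, ok, desc in BASELINE:
        value = reg.get(key, {}).get(name)
        if not ok(value):
            findings.append("%s: found %r" % (desc, value))
    return findings


if __name__ == "__main__":
    for finding in audit(parse_reg(SAMPLE_EXPORT)):
        print("FAIL", finding)
```

Extend BASELINE with the remaining values from this section as you adopt them; string-typed values (REG_SZ) must be compared as strings, which is why CachedLogonsCount and DontDisplayLastUserName are checked against "0" and "1" rather than integers.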


Download Links

Securing Windows NT Installation
Self Extracting Word Document (85k)
Microsoft

SecurityFocus Shell Script for Securing NT
by Security Focus

Microsoft Security Advisories
Microsoft


Copyright 2008, SecurityFocus