FOCUS on Microsoft: Securing NT - Installing and Securing Part 8
SecurityFocus 2001-08-16

Installing and Securing Windows NT 4.0

Getting Started
Installing NT
Installing Service Packs and Hotfixes
Installing Drivers, Applications, and Services
Test the Server
Update Repair Information
Modify ACLs on Files and Directories
Create and Modify Registry Keys
Modify Registry Key ACLs
Enable Auditing
Set Account Policies
User Rights
Password Selection and Management

CAUTION: The information contained below is aimed towards securing the NT Operating System. This information represents a "high security" posture and may break or disrupt performance on your own machine. The suggestions listed on this page may not be suitable for your environment. Test all changes on a non-production host before applying them to your production machine. Security-Focus is not responsible for any damage that may result from applying these suggestions.

User Rights

23
Determine which User Rights should be enabled or disabled on the NT host
There are a large number of User Rights that can be modified. In most instances, the majority of them can be left at their defaults.

There is one right, however, that should be given special attention. "Access this computer from network" should be reviewed and modified on each host. Home users on the Internet (without a local area network) should consider removing all accounts from this right. This will assist in preventing unauthorized users from attempting to log on remotely using standard Microsoft networking services.

Corporate NT workstations should be set according to policy; consider changing 'Everyone' to 'Authenticated Users' (this may pose problems for some trusts). For critical servers, consider removing all accounts from this right so that nobody can log on remotely; administrators must log on locally in these instances.

Password Selection and Management

24
Enable Remote Account Lockout for the Administrator Account
By default, the true Administrator account (RID 500, the account created when the machine is first installed) is not subject to the account lockout policies set earlier. To enable account lockout for the Administrator account, execute the NT Resource Kit command 'passprop' with the /adminlockout switch (usage: C:\passprop /adminlockout). The Administrator account will then be subject to the same number of failed logons prior to lockout as the rest of the user population. This feature will only work if Account Lockout has been enabled in User Manager-Policies-Account.

If the administrator account does get locked out, the administrator can still logon from the local console and reset the account lockout flag.

25
Force Complex Passwords
User Manager-Policies-Account can be used to set the minimum password length to seven. To force users to create passwords other than those consisting only of lowercase letters, consider enabling the 'passfilt' password filter. Passfilt will force users to choose a password consisting of characters from three of the four categories: uppercase letters, lowercase letters, numbers, and symbols (@#$%*(? etc.).

To enable passfilt, add the word 'passfilt' to the Notification Packages value (a REG_MULTI_SZ) under the HKLM\System\CurrentControlSet\Control\Lsa key, appending it to any entries already listed there rather than replacing them.

NOTE: This password filter is only triggered when a password is changed. If you apply this to an NT host with existing accounts, only those accounts that change their password after the passfilt implementation will be subject to the password composition rules. Those accounts that tend not to change their password (service, backup, replicator, and shared user accounts) will not have these rules applied until the next time they change their password.
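To see what the passfilt composition rule accepts and rejects before deploying it, here is an added Python checker (not code from this page or from Microsoft's passfilt.dll) that applies the same three-of-four-classes rule. It assumes the seven-character minimum set in User Manager above and also applies passfilt's documented rule that a password may not contain the user name or part of the full name; splitting the full name on whitespace is an assumption of this example.

```python
import string

# Added example (not from the SecurityFocus page or Microsoft's passfilt.dll):
# emulate the composition rule passfilt enforces so candidate passwords can be
# tested, or an existing password policy audited, before the filter is deployed.


def char_classes(password: str) -> set:
    """Return which of passfilt's four character classes the password uses."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        else:
            # Punctuation, and extended or non-printing characters such as
            # those typed with Alt + keypad digits, all fall in the fourth class.
            classes.add("symbol")
    return classes


def passfilt_check(password: str, username: str = "", full_name: str = "",
                   min_length: int = 7) -> list:
    """Return the list of rule violations; an empty list means accepted.

    min_length defaults to 7, the User Manager setting recommended above.
    The user-name / full-name rule is the one documented for passfilt.dll;
    splitting the full name on whitespace is an assumption of this example.
    """
    problems = []
    if len(password) < min_length:
        problems.append(f"shorter than {min_length} characters")
    if len(char_classes(password)) < 3:
        problems.append("uses fewer than three of: upper, lower, digit, symbol")
    lowered = password.lower()
    if username and username.lower() in lowered:
        problems.append("contains the user name")
    for part in full_name.split():
        if part.lower() in lowered:
            problems.append(f"contains part of the full name ({part})")
    return problems


if __name__ == "__main__":
    # Constructed sample candidates; none are real credentials.
    for pw in ("password", "Ab1", "Tr0ub4dor!", "Jsmith99!"):
        print(f"{pw!r}: {passfilt_check(pw, username='jsmith') or 'accepted'}")
```

The checker only models the composition rule; it does not say anything about how guessable a password is, which is the point of the next step.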

26
Create Stronger Passwords
Although passfilt can assist in creating strong passwords, it is not a guarantee that these passwords can't be guessed or cracked. To assist in creating an even stronger password, consider using non-printing ASCII characters in the middle of the password (example: alt-255, alt-129). To create these characters, hold down the 'Alt' key while pressing the numbers on the numeric keypad (not the numbers above the keyboard letters). For laptop users, this means enabling Num Lock and pressing the alpha keys that represent numbers (the small colored numbers above the letters).

27
Encrypt the User Accounts Database
The LanMan and NT password hashes are stored in the Security Accounts Manager (SAM) database. Although each password is hashed, the database itself is not encrypted. Administrator-level accounts have permissions to access the SAM database and extract the password hashes. These hashes may be 'cracked' using a number of freely or commercially available password cracking tools.

To assist in protecting the SAM database, consider applying 'syskey' encryption to this file. Syskey encryption provides an additional level of security for password hashes and makes it more difficult for a user to obtain a copy of the encrypted passwords.

There are three methods of implementing syskey encryption:
Password Startup: Requires a password to be entered during system start
Store Startup Key on Floppy Disk: Requires a floppy disk to be inserted during system start
Store Startup Key Locally: Stores key on system. No interaction required

Usage: 'C:\syskey' launches the GUI; 'C:\syskey -l' runs syskey and stores the startup key locally (no GUI).

NOTE: syskey requires Service Pack 3 or later.

Copyright 2006, SecurityFocus