IT Governance, Compliance, Security and Audit from the Pros: Windows NT


Windows NT Server Checklist

Contents

Purpose and Scope
Preparatory Steps
General Windows NT Server Security Overview
Account Policies and Restrictions
Administrator Account and Administrators Group
User Logons
User Rights
Groups
Guest Account and Everyone Group
Directory and File Level Security
Remote Access Security
Auditing and Event Logs
Fault-Tolerance and Backup Procedures
Other Considerations

Purpose and Scope

This program is designed to enable the reviewer to examine and test the effectiveness of controls and procedures for Windows NT Server. It includes suggested review steps designed to obtain evidence that key control procedures are operating effectively. The review approach covers: preparatory steps; a general Windows NT Server security overview; account policies and restrictions; the Administrator account and Administrators group; user logons; user rights; groups; the Guest account and Everyone group; directory and file level security; remote access security; auditing and event logs; fault-tolerance and backup procedures; and other considerations.

[Back to Top]

Preparatory Steps

  1. Review existing corporate computer policies, standards and guidelines and evaluate any impact on the planned review scope.
  2. Review the working papers from and response to any prior review.
  3. Obtain and review the current organization chart for the relevant department(s).
  4. Review the letter of recommendations issued by the external auditing firm (where available) when evaluating review scope.
  5. Document interviews such as entrance meetings with key personnel. Define functional responsibilities and include documented job descriptions, when available.

[Back to Top]

General Windows NT Server Security Overview

  1. Conduct an opening conference to discuss the review objectives with the Windows NT Server Administrator, IS/IT management, and key user management directly related to the system being reviewed.
  2. Review each area of concern using the review program sections.
  3. Confirm your review findings with the Windows NT Server Administrator, IS/IT management, and each user manager directly related to the system under review.
  4. Conduct a closing conference to discuss the review findings with the same management personnel who attended the opening conference.
  5. Prepare a draft review report to management detailing your findings from each area of concern. State reasons for the omission of any review program section. Request review responses to be returned within ten working days from the date of the report. Discuss the review report with the Director of Internal Auditing.
  6. Release the review report.
  7. Receive review responses and clear review findings.
  8. Release final review report.
  9. Follow-up outstanding review findings.

[Back to Top]

Account Policies and Restrictions

Account policies and restrictions determine how password and logon policies are enforced for the entire domain. Keep in mind that each domain has its own policies. Open User Manager for Domains and choose Account from the Policies menu. To check a different domain, first choose Select Domain from the User menu. When the Account Policy dialog box appears, evaluate the Password Restrictions against your written password policy. Do not rely on the out-of-the-box settings: Windows NT 4.0 ships with a 42-day maximum password age, no minimum age, blank passwords permitted, no password history and no account lockout.

  1. Determine whether password aging is in effect for users (Maximum Password Age: Expires In x Days; the default is 42 days). If Password Never Expires is selected, document the company policy regarding periodic changing of passwords. When neither is in effect, this is a security concern.
  2. Determine the Minimum Password Age (Allow Changes In x Days). The default, Allow Changes Immediately, lets a user change a password and then change it straight back, which defeats password history, so this should be at least one day.
  3. Determine the Minimum Password Length (At Least x Characters). This is the minimum number of characters a password must have. The default is Permit Blank Password; the maximum enforceable length is 14 characters.
  4. Determine the Password Uniqueness (Remember x Passwords). This prevents users from reusing their last x passwords. The default is Do Not Keep Password History.
  5. Determine the Account Lockout options, which prevent unauthorized users from gaining access by guessing passwords. The default is No Account Lockout; for optimum security you never should run the server with lockout disabled. Note that the built-in Administrator account is exempt from lockout, which is one reason to rename it (see the next section).
  • Lockout after x bad logon attempts: Confirm the value of this setting matches your security policy.
  • Reset count after x minutes: Confirm the value of this setting matches your security policy.
  • Lockout Duration: Confirm this setting matches your security policy. If Forever is set, an administrator must re-enable the account.
  • Forcibly disconnect remote users from server when logon hours expire: This option prevents after-hours activity and disconnects sessions that were left open.
  • Users must log on in order to change password: When this is selected, a user whose password has already expired cannot change it at logon; an administrator must reset it.
  6. Confirm that blank passwords are not allowed. In the Account Policy dialog box, ensure that At Least x Characters is selected under Minimum Password Length rather than Permit Blank Password, and that the value of x meets the policy.
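The same checks can be run against the output of `net accounts`, which prints the Account Policy in text form and is easier to collect from many domain controllers than screenshots of User Manager. The script below is an added example, not part of the original checklist: it parses constructed `net accounts` output (not a capture from a real server) and compares it with a hypothetical corporate policy whose numbers are assumptions you should replace with your own standard.

```python
"""Audit the NT Account Policy from `net accounts` output.

Added example (not part of the original checklist): parse what `net accounts`
prints and compare it with a written password policy. The policy numbers in
POLICY are assumptions; substitute your own standard.
"""

# Constructed sample, not captured from a real server: the output of
# `net accounts` on an NT 4.0 domain controller still running the
# out-of-the-box Account Policy.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Hypothetical corporate policy (assumed values).
POLICY = {
    "max_age_days": 90,        # passwords must expire at least this often
    "min_age_days": 1,         # stop users cycling straight back to an old password
    "min_length": 8,           # NT enforces at most 14
    "history": 5,              # remember at least this many old passwords
    "lockout_threshold": 5,    # bad logons before lockout
}

# `net accounts` label -> short key
LABELS = {
    "Force user logoff how long after time expires?": "force_logoff",
    "Minimum password age (days)": "min_age_days",
    "Maximum password age (days)": "max_age_days",
    "Minimum password length": "min_length",
    "Length of password history maintained": "history",
    "Lockout threshold": "lockout_threshold",
    "Lockout duration (minutes)": "lockout_duration",
    "Lockout observation window (minutes)": "lockout_window",
}


def parse_net_accounts(text):
    """Return {key: value}. Numeric settings become int; words such as
    Never, None and Unlimited are kept as strings."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.rpartition(":")   # the value never contains ':'
        if not sep:
            continue
        label, value = label.strip(), value.strip()
        if label in LABELS:
            settings[LABELS[label]] = int(value) if value.isdigit() else value
    return settings


def check_account_policy(settings, policy=POLICY):
    """Return a list of findings; an empty list means the policy is met."""
    findings = []

    max_age = settings.get("max_age_days")
    if not isinstance(max_age, int) or max_age > policy["max_age_days"]:
        findings.append("password aging: maximum age is %s, policy requires <= %d days"
                        % (max_age, policy["max_age_days"]))

    min_age = settings.get("min_age_days")
    if not isinstance(min_age, int) or min_age < policy["min_age_days"]:
        findings.append("minimum password age is %s; users can change straight back "
                        "to a previous password" % min_age)

    min_len = settings.get("min_length")
    if min_len == 0:
        findings.append("blank passwords are permitted (minimum length 0)")
    elif not isinstance(min_len, int) or min_len < policy["min_length"]:
        findings.append("minimum password length is %s, policy requires %d"
                        % (min_len, policy["min_length"]))

    history = settings.get("history")
    if not isinstance(history, int) or history < policy["history"]:
        findings.append("password uniqueness: history is %s, policy requires the last %d"
                        % (history, policy["history"]))

    threshold = settings.get("lockout_threshold")
    if not isinstance(threshold, int) or threshold > policy["lockout_threshold"]:
        findings.append("account lockout: threshold is %s, policy requires lockout after "
                        "%d bad logons" % (threshold, policy["lockout_threshold"]))

    if settings.get("force_logoff") == "Never":
        findings.append("remote users are not forcibly disconnected when logon hours expire")

    return findings


if __name__ == "__main__":
    for finding in check_account_policy(parse_net_accounts(SAMPLE_NET_ACCOUNTS)):
        print("FINDING:", finding)
```

Run `net accounts > policy.txt` on each domain controller (each domain has its own policy) and feed the saved text to `parse_net_accounts`; the out-of-the-box sample above produces five findings, and only the maximum age passes.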

[Back to Top]

Administrator Account and Administrators Group

Confirm that each Administrator of the system is required and that appropriate controls exist for the accounts by following this section of the review program.

The Administrator account and Administrators group have unlimited rights on the system. Therefore, you need to carefully evaluate the membership of the Administrators group.

  1. Perform a review of the system and note which accounts have Administrator status. Look for unnecessary accounts with Administrator status. On a large network with multiple administrators, interview them regularly to evaluate their activities and their continuing need for Administrator status.
  2. Determine that the Administrator account has a non-blank password; Setup allows it to be left blank. Because the account's name is well known and it cannot be locked out by the Account Policy, it is a favourite target for password guessing. Check whether the Administrator account has been renamed to obscure it, and whether a decoy account called Administrator with no rights or permissions has been created so that intruders attack the decoy rather than the real account.
  3. Has auditing of failed logons been enabled, so that attempts to log on to any account, including Administrator, are recorded?
  4. View the security log in Event Viewer to audit the activities of users with administrative rights.
  5. Perform a review of the membership of the Administrators local group and the Domain Admins global group. Look for unnecessary accounts in either group.
  6. Check whether administrators can log on from anywhere on the network (by default the Administrators group holds the "Access this computer from network" right) or whether they must log on at the console in a controlled environment to perform administrative tasks. If the policy is console-only, remove the right from the Everyone group as well, then add back only the accounts and groups that are allowed to log on from the network.
  7. When a Windows NT Workstation computer is added to a domain, the Domain Admins global group is added to the workstation's local Administrators group. This gives every member of Domain Admins full control of the workstation. Determine whether this is appropriate. You may need to remove Domain Admins from the workstation's Administrators group and add only a specific Administrator account.

[Back to Top]

User Logons

Confirm that each user of the system is assigned a user name and password by following this section of the review program.

  1. Is there a Data Security access form and related procedures? If not, determine how users requesting access to the system are granted it. Undocumented access granting is a security concern; it can be corrected by formally documenting the procedures currently in use, provided those procedures are adequate.
  2. Perform a review of the active Data Security access forms and compare the user names assigned to the system to the users in the User Manager for Domains to ensure there is a form on file for each user known to the system.
  3. Verify that the description entered for user name is descriptive with respect to the user. For example, does the user's full name appear, match up with the assigned initials, and agree with the Data Security access form? If not, this is a security concern.
  4. Perform a review of the inactive Data Security access forms and compare the user names of terminated employees to the current users to ensure no user names exist for terminated employees (the same procedure as step 2, applied to terminated employees).
  5. Check the status of each user account and group using the User Manager. Double-click on each account when you are checking manually. This opens the New User properties dialog box that displays password information and has buttons for checking group membership and other options.
  6. Check the password options. Should the user be able to change the password? Does the password never expire? Is this account disabled? If it is disabled, has the user left the company? If so, consider removing the account.
  7. Verify the user's logon script. Determine that the script has been approved, and that it meets the security policy. Is it necessary to have a script? Do users have common scripts?
  8. Click the Groups button to determine what groups the user belongs to. Is membership in these groups appropriate for the user? What rights and permissions does the user obtain from the groups? What access does the group have to other domains?
  9. Click the Profile button in the New User properties dialog box to check the location of the user's home directory. If you remove the account, also remove the specified directory. Does the user have a profile, and if so, is it mandatory? Are System Policies required?
  10. Click the Hours button to evaluate the times that the user can access the network. Make sure no one can logon after hours when that is your policy.
  11. Click the Logon To button to evaluate what computers the user can logon to. Make sure that no one can logon from a computer where they shouldn't.
  12. Evaluate whether the account has an expiration date (Account Expires End of). All temporary accounts (for example, for contractors or consultants) or administrator "test" accounts should expire automatically.
  13. Determine whether the account is a global or local account. Global accounts are available throughout the domain and across trust relationships. Local accounts are intended for users from untrusted domains: they can reach resources in this domain over the network but cannot be used to log on interactively at a Windows NT Server domain controller.
  14. Click the Dialin button and evaluate dial-in capabilities. Where users can dial in, Call Back options should be enabled to a specified telephone number in the dialog box for added security. This option is available on-line when the Remote Access Service components are installed.
  15. Check whether the user name of the last user to log on appears in the Logon dialog box, which gives an intruder at the console half of a valid credential. You can suppress it by setting the REG_SZ value DontDisplayLastUserName to 1 under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.

[Back to Top]

User Rights

In the User Manager for Domains, check the rights that users and groups have on the system. Choose User Rights from the Policies menu to display the User Rights Policy dialog box. Initially, the box shows the basic rights.

  1. To evaluate all rights, select the Show Advanced User Rights option. Here are some considerations for the basic rights:
  • Access this computer from the network: By default, the Administrators and Everyone groups have this right. Remove Everyone and grant the right to specific groups instead. For example, create a group called "Network Users" that holds this right, then add the users who genuinely need network access.
  • Backup files and directories: Users with this right can read every file regardless of its permissions and so can carry any file off-site. Carefully evaluate which users and groups hold it, and likewise the Restore files and directories right, which allows files and their permissions to be written back.
  • Log on locally: On servers, only administrators should have this right. No regular user ever needs to log on at the server console. By default the administrative groups (Administrators, Server Operators, Account Operators, Backup Operators and Print Operators) have it. Make sure that anyone who is a member of these groups uses a separate, non-privileged account for day-to-day work.
  • Manage auditing and security log: Only the Administrators group (or a designated auditor, see Auditing and Event Logs) should have this right.
  • Take ownership of files or other objects: Only the Administrators group should have this right.
  2. Scan all the advanced rights to make sure that no user has been granted rights inappropriately. Rights such as Act as part of the operating system and Create a token object are not assigned to any account by default and are needed only by the System account; a rogue administrator who grants them to an ordinary account gives it the ability to bypass normal security checks.
  3. To review user activity on a server, select Server Manager from Administrative Tools (Common). Double-click a server to open its Properties dialog box, where you can see:
  • Users: Click this button to view a list of all users connected to the server and the resources they have opened.
  • Shares: Click this button to view the shared resources on the computer and the users connected to each share.
  • In Use: Click this button to view a list of the computer's open shared resources.

[Back to Top]

Groups

The membership of groups should be carefully evaluated. A group granted permissions to sensitive files might contain users that should not have that access. Open each group listed in the User Manager and inspect its members.

  1. Are any of the accounts in a group inactive? If so, consider removing them.
  2. View the local and global groups active on each file server using User Manager for Domains.
  3. Carefully evaluate and document the members of management groups such as Administrators, Server Operators, Account Operators, Backup Operators, and Print Operators. Remove all unnecessary accounts. The built-in local groups on domain controllers have the following roles:
  • Administrators: Members can manage the entire domain.
  • Account Operators: Members can create and manage user accounts and groups, other than the administrative groups.
  • Backup Operators: Members can perform backups and restores, which means they can read and write any file regardless of its permissions.
  • Guests: Members can access the server from the network but cannot log on locally.
  • Print Operators: Members can manage printers.
  • Replicator: Used by the Directory Replicator service; it should contain only the replication service account.
  • Server Operators: Members can manage servers (shares, services, backups and shutdown).
  • Users: Members can access the server from the network but cannot log on locally.

The built-in local groups on NT Workstations and member servers have the following roles:

  • Administrators: Members can manage the local system.
  • Backup Operators: Members can perform backups and restores on the local system.
  • Guests: Members can access the local system but do little else.
  • Power Users: Members can create local user accounts, manage the accounts and groups they create, and share resources on the local system.
  • Replicator: Used by the Directory Replicator service.
  • Users: Members can log on to the local workstation and use it to access the network. They also can shut down the system.
  4. Review the organization's policies for separation of incompatible functions.
  5. Determine whether any sub-administrators have been created by adding users to the Account Operators and Server Operators groups. Look for unnecessary accounts.
  6. Ensure all sub-administrators have two accounts: one for administrative tasks and one for regular use. Sub-administrators should use their administrative accounts only when necessary.
  7. Evaluate each global group's membership and the resources the group has access to. Does the group have access in other domains?
  8. Which folders and files do groups have permission to access? This can be difficult to evaluate (see Directory and File Level Security).
  9. Do local groups contain global groups from other domains? Check the membership of those global groups and make sure that no users have unnecessary access to resources in the current domain.
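Reviewing who is in the privileged groups (step 5 of the Administrator Account section and steps 1 to 6 here) is easier against saved command output than by clicking through User Manager. The following is an added example, not part of the original checklist: it parses constructed `net localgroup Administrators`, `net group "Domain Admins"` and `net user` output (none of it captured from a real domain), compares the members with approved-member sets that stand in for the Data Security access forms (an assumption), and flags disabled accounts, accounts that do not require a password, and accounts that have never logged on.

```python
"""Review privileged group membership from `net localgroup`, `net group`
and `net user` output.

Added example (not part of the original checklist). The approved-member
sets stand in for the Data Security access forms and are assumptions.
"""
import re

# Constructed samples, not captured from a real domain. Both commands list the
# members in padded columns after a dashed separator line.
SAMPLE_LOCALGROUP_ADMINISTRATORS = """\
Alias name     Administrators
Comment        Members can fully administer the computer/domain

Members

-------------------------------------------------------------------------------
Administrator            Domain Admins            jsmith
svc_backup
The command completed successfully.
"""

SAMPLE_GROUP_DOMAIN_ADMINS = """\
Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Administrator            adm_jsmith               tbrown
The command completed successfully.
"""

# Constructed `net user <name>` output, trimmed to the lines used here.
SAMPLE_NET_USER = {
    "Administrator": "User name                    Administrator\n"
                     "Account active               Yes\n"
                     "Password required            Yes\n"
                     "Last logon                   11/1/1999 5:12 PM\n",
    "jsmith":        "User name                    jsmith\n"
                     "Account active               Yes\n"
                     "Password required            Yes\n"
                     "Last logon                   11/2/1999 8:01 AM\n",
    "adm_jsmith":    "User name                    adm_jsmith\n"
                     "Account active               Yes\n"
                     "Password required            Yes\n"
                     "Last logon                   10/29/1999 3:40 PM\n",
    "svc_backup":    "User name                    svc_backup\n"
                     "Account active               Yes\n"
                     "Password required            No\n"
                     "Last logon                   Never\n",
    "tbrown":        "User name                    tbrown\n"
                     "Account active               No\n"
                     "Password required            Yes\n"
                     "Last logon                   6/14/1999 9:05 AM\n",
}


def parse_members(text):
    """Return the member names printed after the dashed separator."""
    members, in_members = [], False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members or line.startswith("The command"):
            continue
        # Columns are separated by runs of spaces; a name may contain a single space.
        members.extend(n for n in re.split(r"\s{2,}", line.strip()) if n)
    return members


def parse_net_user(text):
    """Pick the account flags this review cares about out of `net user` output."""
    fields = {}
    for line in text.splitlines():
        m = re.match(r"^(Account active|Password required|Last logon)\s{2,}(.*)$", line)
        if m:
            fields[m.group(1)] = m.group(2).strip()
    return fields


def review_privileged_group(group, members, approved, user_info):
    """Compare actual membership with the approved list and flag risky accounts.

    approved:  set of names authorised for this group by the access forms
    user_info: {name: parsed `net user` fields}; nested groups have no entry
    """
    findings = []
    for name in members:
        if name not in approved:
            findings.append("%s: %s is a member but has no approved access form" % (group, name))
        info = user_info.get(name)
        if info is None:
            continue   # nested group such as Domain Admins; review it separately
        if info.get("Account active") == "No":
            findings.append("%s: %s is disabled; remove it from the group" % (group, name))
        if info.get("Password required") == "No":
            findings.append("%s: %s does not require a password" % (group, name))
        if info.get("Last logon") == "Never":
            findings.append("%s: %s has never logged on; confirm it is still needed" % (group, name))
    for name in sorted(approved - set(members)):
        findings.append("%s: approved member %s is not in the group; update the forms" % (group, name))
    return findings


def run_review():
    """Review both sample groups and return the combined findings."""
    users = {name: parse_net_user(text) for name, text in SAMPLE_NET_USER.items()}
    findings = review_privileged_group(
        "Administrators", parse_members(SAMPLE_LOCALGROUP_ADMINISTRATORS),
        {"Administrator", "Domain Admins", "jsmith"}, users)
    findings += review_privileged_group(
        "Domain Admins", parse_members(SAMPLE_GROUP_DOMAIN_ADMINS),
        {"Administrator", "adm_jsmith"}, users)
    return findings


if __name__ == "__main__":
    for f in run_review():
        print("FINDING:", f)
```

Nested groups (Domain Admins inside Administrators) are skipped rather than expanded; run the review once per group so that each level's membership is compared with its own approved list.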

[Back to Top]

Guest Account and Everyone Group

In some organizations, the Guest account is useful. For example, people who don't normally work with computers might occasionally need to access a system to obtain some information. Most administrators agree that it should be disabled, although disabling it removes the ability of anonymous users to access a system. Consider creating a separate domain for these public services where the Guest account is enabled. Alternatively, use a Web server for this type of system. The Everyone group, by contrast, cannot be disabled: it includes every account, Guest and anonymous network connections among them, so the permissions it holds need the same scrutiny.

  1. Evaluate the need for the Guest account.
  2. Should you need the Guest account, carefully review where it has privileges.
  3. Confirm that the Guest account is disabled on any network connected to an untrusted network such as the Internet; it provides too many opportunities for break-ins. To disable it, double-click the Guest account in User Manager and check Account Disabled. The built-in Guest account cannot be deleted, only disabled and renamed.
  4. Confirm that the Guest account does not have write or delete permissions to any files or directories. Guests only should be allowed to read files in specific directories.
  5. Ensure that the Everyone group's permission in the root directory and the SystemRoot directory (usually C:\winnt) is set to Read Only. Don't propagate these changes to the subdirectories.
  6. Ensure that the Everyone group's permission in \SystemRoot\system32 is set to Read Only and propagate these changes to the subdirectories, except for \SystemRoot\system32\ras and \SystemRoot\system32\spool\printers where the Change permission should be granted.
  7. If Microsoft Internet Information Server is installed, a special guest account called IUSR_computername exists with the right to log on locally; anonymous Web requests run under it. Evaluate the need for this account when you don't want the general public to access your Web server. Without anonymous access, users must have an account to reach the Web server.

[Back to Top]

Directory and File Level Security

In this section, you evaluate permissions on directories and other resources. To check permissions on folders and other resources, you must go to each resource individually to review what users and groups have permissions. To open the Permissions dialog box for a folder or file, right-click it and choose Properties, then click either the Sharing or the Security tab. The Sharing options show who has access to the folder over the network. The Security tab has the Permission and Auditing buttons so you can check local permissions or set auditing options.

  1. Are only NTFS volumes in use on the servers? FAT and HPFS volumes carry no permissions and must not be used in secure installations.
  2. Check each folder and/or file to determine which local users and groups have access and whether that access is appropriate. Start with the most sensitive and critical folders if you are doing this manually or performing a periodic checkup.
  3. Check all shared folders and the share permissions on them to determine which network users and groups have access and whether it is appropriate. Remember that effective access over the network is the more restrictive of the share permission and the NTFS permission.
  4. Program files and data files should be kept in separate folders to make management and permission setting easier. Also, if users can copy files into a data folder, ensure the Execute permission on that folder has been removed to prevent someone from copying in and executing a virus or Trojan Horse program.
  5. If users or groups have access to a folder, should they have the same access to every file in the folder? To every subdirectory? Check the sensitivity of files and attached subdirectories to evaluate whether the propagated permissions are appropriate.
  6. If the server is connected to an untrusted network such as the Internet, ensure that the files on it are not sensitive and are intended for public access.
  7. Confirm that the root directory of a drive (or one of the drive icons in the graphical display) is not shared. Note that NT creates hidden administrative shares (C$, D$, ADMIN$) for each drive; these are available only to administrators but the reviewer should be aware of them. An exception to the rule would be sharing a Read Only CD-ROM drive for public access.
  8. For sensitive, password-protected directories, ensure auditing is enabled. Right-click a folder, click Security, then Auditing, and enable Failure for the relevant accesses to track users attempting unauthorized access to a folder or file. Note that File and Object Access must first be enabled in the Audit Policy in User Manager, or the directory settings have no effect.
  9. Document the directory permissions on critical directories to ensure they provide proper integrity. The standard permissions for directories are:
    • No Access: The folder cannot be accessed and the files in the folder cannot be listed. This permission overrides any other permission a user may have.
    • List: Allows users to list the files and subdirectories in a directory and to change to the directory.
    • Read: Allows users to display subdirectory names and filenames, display the data and attributes of files, run program files and change to any subdirectory of the folder.
    • Add: Allows users to add files to a folder but not read or change files that have been placed in the folder.
    • Change: Allows the user to read files, create new subdirectories, add files, change data in and append data to files, change file attributes, and delete subdirectories and files.
    • Full Control: Includes all permissions, including changing permissions and taking ownership.

    Discuss with the Administrator the necessity of deviations from Table 1 for critical directories.

  10. Document the file permissions on critical files to ensure they provide proper integrity. Critical files include, but are not limited to, those in Table 2. Discuss with the Administrator the necessity of deviations. The standard permissions for files are:
    • No Access: The file cannot be accessed by any user, even one who has been granted access through other means.
    • Read: Allows the user to open a document or run a program. The user also can list the file's attributes.
    • Change: Allows the user to change data in and append data to the file, and to display the file's owner and permissions.
    • Full Control: Includes all permissions and also allows the user to take ownership.
    • Special Access: Allows custom permissions built from any combination of Read (view the contents of a file), Write (change the contents of a file), Execute (run a program), Delete (delete a file or folder), Change Permission (change the permissions of an object), and Take Ownership (become the owner of an object).
  11. Ensure that Full Control on files and folders is granted only to administrators or owners; Change is sufficient for users who must edit files.
  12. Confirm that Performance Monitor has been configured to alert on the Server object counters Errors Access Permissions (the number of times a client's attempt to open a file failed with access denied), Errors Granted Access (the number of times accesses to files that were opened successfully were denied), and Errors Logon (the number of failed logon attempts to the server).
  13. Confirm that no Windows 95/98 clients in the domain use share-level access control (the Access Control tab of their Network applet); Windows NT itself supports only user-level access control.

Table 1. Baseline directory permissions

Directory                         Group/User                Permission
\ (root of NTFS volume)           Administrators, System    Full Control
                                  Server Operators          Change
                                  Everyone                  Change
                                  CREATOR OWNER             Full Control
\SystemRoot\system32              Administrators, System    Full Control
                                  Server Operators          Change
                                  Everyone                  Change
                                  CREATOR OWNER             Full Control
\SystemRoot\system32\config       Administrators, System    Full Control
                                  Everyone                  List
                                  CREATOR OWNER             Full Control
\SystemRoot\system32\drivers      Administrators, System    Full Control
                                  Server Operators          Full Control
                                  Everyone                  Read
                                  CREATOR OWNER             Full Control
\SystemRoot\system32\spool        Administrators, System    Full Control
                                  Server Operators          Full Control
                                  Print Operators           Full Control
                                  Everyone                  Read
                                  CREATOR OWNER             Full Control
\SystemRoot\system32\repl         Administrators, System    Full Control
                                  Server Operators          Change
                                  Everyone                  Read
                                  CREATOR OWNER             Full Control
\SystemRoot\system32\repl\import  Administrators, System    Full Control
                                  Server Operators          Change
                                  Everyone                  Read
                                  CREATOR OWNER             Full Control
                                  Replicator                Change
                                  Network                   No Access
\SystemRoot\system32\repl\export  Administrators, System    Full Control
                                  Server Operators          Change
                                  CREATOR OWNER             Full Control
                                  Replicator                Read
\users                            Administrators, System    Read, Write, Execute, Delete (Special Access)
                                  Account Operators         Read, Write, Execute, Delete (Special Access)
                                  Everyone                  List
\users\default                    Administrators, System    Read, Write, Execute (Special Access)
                                  CREATOR OWNER             Full Control
\win32app                         Administrators, System    Full Control
                                  Server Operators          Full Control
                                  Everyone                  Read
                                  CREATOR OWNER             Full Control
\temp                             Administrators, System    Full Control
                                  Server Operators          Change
                                  Everyone                  Change
                                  CREATOR OWNER             Full Control

Table 2. Critical files

File                                          Description
C:\ntdetect.com                               Runs at boot time; gathers the hardware information NT needs to build HKEY_LOCAL_MACHINE\HARDWARE.
C:\ntldr                                      Runs at boot time; loads the NT kernel.
\SystemRoot\system32\config\system.alt        Backup copy of the SYSTEM Registry hive.
\SystemRoot\system32\drivers\etc\lmhosts      Static mappings between NetBIOS names and IP addresses.
\SystemRoot\system32\dhcp\dhcp.mdb            The DHCP database.
\SystemRoot\system32\dhcp\dhcp.tmp            Temporary file DHCP creates for working database information.
\SystemRoot\system32\dhcp\jet.log, jet*.log   Transaction logs for the DHCP database; used to recover data when necessary.
\SystemRoot\system32\dhcp\system.mdb          Holds information about the structure of the DHCP database.
\SystemRoot\system32\wins\wins.mdb            The WINS database.
\SystemRoot\system32\wins\winstmp.mdb         Temporary file that WINS creates.
\SystemRoot\system32\wins\jet.log             Transaction log for the WINS database.
\SystemRoot\system32\wins\system.mdb          Holds information about the structure of the WINS database.
\SystemRoot\system32\ras\device.log           Connection information about each Dial-Up Networking session (written when RAS device logging is enabled).
\SystemRoot\system32\config\secevent.evt      The security log.
\SystemRoot\system32\config\appevent.evt      The application log.
\SystemRoot\system32\config\sysevent.evt      The system log.
\SystemRoot\system32\logfiles\slog            The Internet Information Server log.
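Step 9 above (documenting permissions on critical directories and comparing them with Table 1) can be done mechanically from `cacls` output rather than by opening each Permissions dialog. The script below is an added example, not part of the original checklist: it assumes the system root is C:\WINNT, transcribes two Table 1 rows as its baseline, and parses constructed cacls output (not a capture from a real server), reporting every principal whose permission is looser than the baseline and every principal the baseline does not mention.

```python
"""Compare `cacls` output with the Table 1 baseline.

Added example (not part of the original checklist). BASELINE transcribes two
rows of Table 1; the cacls text is constructed and the system root
(C:\\WINNT) is an assumption.
"""
import re

# Ordering used to decide whether an observed permission exceeds the baseline.
RANK = {"No Access": 0, "List": 1, "Read": 2, "Change": 3, "Full Control": 4}

# Letters cacls prints for the standard permissions.
CACLS_CODES = {"N": "No Access", "R": "Read", "W": "Write", "C": "Change", "F": "Full Control"}

# Table 1 rows for the directories in the sample (keys are lower-cased and drive-less).
BASELINE = {
    r"\systemroot\system32\config": {
        "Administrators": "Full Control", "System": "Full Control",
        "Everyone": "List", "CREATOR OWNER": "Full Control"},
    r"\temp": {
        "Administrators": "Full Control", "System": "Full Control",
        "Server Operators": "Change", "Everyone": "Change",
        "CREATOR OWNER": "Full Control"},
}

# Constructed sample of `cacls C:\WINNT\system32\config` followed by `cacls C:\TEMP`
# (not captured from a real server). The first line of each block carries the path;
# continuation lines are indented.
SAMPLE_CACLS = r"""
C:\WINNT\system32\config BUILTIN\Administrators:F
                         NT AUTHORITY\SYSTEM:F
                         Everyone:C
                         BUILTIN\Backup Operators:R
                         CREATOR OWNER:F

C:\TEMP BUILTIN\Administrators:F
        NT AUTHORITY\SYSTEM:F
        BUILTIN\Server Operators:C
        Everyone:C
        CREATOR OWNER:F
"""


def normalise(path, system_root):
    """Rewrite paths under the system root in the \\SystemRoot form Table 1 uses,
    and strip the drive letter from everything else."""
    p, root = path.lower(), system_root.lower()
    if p.startswith(root):
        return r"\systemroot" + p[len(root):]
    return re.sub(r"^[a-z]:", "", p)


def parse_cacls(text, system_root=r"C:\WINNT"):
    """Return {normalised path: {principal: permission name}}.

    A path containing spaces would need quoting; the sample has none.
    """
    acls, path = {}, None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        entry = raw
        if not raw[0].isspace():                     # "<path> <principal>:<code>"
            head, _, entry = raw.partition(" ")
            path = normalise(head, system_root)
            acls[path] = {}
        principal, _, code = entry.strip().rpartition(":")
        principal = principal.split("\\")[-1]        # drop BUILTIN\ and NT AUTHORITY\
        if principal.upper() == "SYSTEM":
            principal = "System"                     # Table 1 spelling
        acls[path][principal] = CACLS_CODES.get(code.strip(), "Special")
    return acls


def compare_to_baseline(acls, baseline=BASELINE):
    """List every way the observed ACLs are looser than, or differ from, the baseline."""
    findings = []
    for path, expected in baseline.items():
        actual = acls.get(path)
        if actual is None:
            findings.append("%s: not present in the cacls output" % path)
            continue
        for principal, perm in actual.items():
            want = expected.get(principal)
            if want is None:
                findings.append("%s: unexpected entry %s (%s)" % (path, principal, perm))
            elif perm not in RANK:
                findings.append("%s: %s has %s; review manually" % (path, principal, perm))
            elif RANK[perm] > RANK[want]:
                findings.append("%s: %s has %s, baseline is %s" % (path, principal, perm, want))
        for principal in sorted(expected.keys() - actual.keys()):
            findings.append("%s: baseline entry for %s (%s) is missing"
                            % (path, principal, expected[principal]))
    return findings


if __name__ == "__main__":
    for f in compare_to_baseline(parse_cacls(SAMPLE_CACLS)):
        print("FINDING:", f)
```

Entries cacls reports as special access (anything other than N, R, W, C or F) are flagged for manual review rather than ranked, since a custom combination cannot be compared with the standard permissions by a single ordering.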
[Back to Top]

Remote Access Security

By following this section of the review program:

  • Determine what permissions remote machines have with respect to logon, file access, and command execution.
  • Determine what remote systems are defined to your system and that you either expect to call in or that your system dials.
  1. Are restrictions placed on the internal resources that remote users can access? Are any subdirectory structures or files restricted from being read by remote machines?
  2. To view the Remote Access Server configuration, select Remote Access Service on the Services tab of the Network applet and click Properties. Document all ports and devices used for dial-up. Select a port or device and click Configure to see which of the following usage options is set:
  • Dial out only: The device is used only for internal users to dial out.
  • Receive calls only: The device is used only for receiving incoming calls.
  • Dial out and receive calls: The device allows internal users to dial out and also receives incoming calls.
  3. From the Network Configuration dialog box, confirm that the dial-out and dial-in protocols meet the security policy.
  4. Confirm that the authentication and encryption settings meet your policy. The options for incoming calls are:
  • Allow any authentication including clear text: Permits PAP, which sends the password in the clear, as well as SPAP, CHAP and MS-CHAP, so that non-Windows RAS clients can connect. Avoid this unless such clients are required.
  • Require encrypted authentication: Any supported authentication method except PAP.
  • Require Microsoft encrypted authentication: Only Microsoft CHAP (MS-CHAP) is accepted. Selecting this also makes the Require data encryption option available, which encrypts the session data rather than just the logon exchange; enable it where the policy requires confidentiality of the traffic.
  5. Determine which remote systems are defined on the server and which ones it is set up to call. Ask the Administrator to identify each one and its purpose.
  6. From the Users menu in the Remote Access Admin utility, select Permissions. Document all users granted dial-in permission and determine whether they need it.
  7. Click the Dialin button in the User Properties dialog box to display the Dialin Information dialog box. Callback options deal with calling a user back at a predefined number, which prevents an intruder who has obtained valid logon information from dialing in from an unauthorized location. There are three callback options:
  • No Call Back: Callback is disabled.
  • Set By Caller: The server, rather than the caller, pays the toll charges. After authenticating the user the server asks for a callback number, disconnects and calls the client back at whatever number was given. Because the caller supplies the number, this option provides no additional security.
  • Preset To: This option does provide security, because you specify in advance the telephone number at which the user will be called back.
  8. Use the Event Viewer to review activity on each remote access server on your network.

[Back to Top]

Auditing and Event Logs

Determine whether audit data is generated and reviewed by following this section of the review program. Audit data is very useful in system tuning and tracking down unauthorized access to the Windows NT Server system.

  1. Check the audit settings by choosing Audit from the Policies menu in User Manager for Domains. The default is Do Not Audit, so first confirm that Audit These Events is selected, then compare the categories and their Success and Failure boxes with your policy; at minimum, failed logons, user and group management, security policy changes, and restart and shutdown are normally audited.
  2. Ensure that the audit settings and the security log are protected from other administrators who might change or delete them. Access to the security log is governed by the "Manage auditing and security log" right, which by default belongs only to the Administrators group. To confine it to a designated auditor, grant that account the right and keep the day-to-day administrators in a management group that lacks it. Bear in mind that a full administrator can always re-grant the right to themselves, so also audit Security Policy Changes and review the log for event 612 (audit policy change) and event 517 (audit log cleared).
  3. Check for failed logons in Event Viewer. Security auditing can be enabled for logon and logoff, file and object access, use of user rights, user and group management, security policy changes, restart and shutdown, and process tracking.
  4. Confirm that File and Object Access is enabled in the Audit Policy dialog box, which is a prerequisite for file system auditing. On each directory you can then audit the directory only; the directory and its files only; the directory and subdirectories only, not files; or the directory, its subdirectories and all files.
  5. Confirm that someone reviews the audit material with Event Viewer on a regular schedule.
  6. Confirm that the security log does not overwrite old events. Open Event Viewer and choose Log Settings from the Log menu; "Do Not Overwrite Events (Clear Log Manually)" should be selected. Size the log so that it does not fill between archives, because once it is full no further events are recorded.
  7. Determine when the log was last cleared by checking the timestamp of the earliest event in the log (event 517 is also written when the log is cleared). Ensure the previous log was archived and protected.
  8. Ensure archived audit log material is protected adequately.
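The review in steps 3 and 5 is usually done by eye in Event Viewer, but the patterns an auditor looks for (a burst of failed logons against one account, lockouts, and the log being cleared) are easy to detect from a saved copy of the log. The script below is an added example, not part of the original checklist: it scans a constructed, simplified version of Event Viewer's comma-delimited Save As export (not a real log) for NT 4.0 security events 529, 539, 517, 632 and 636. The threshold of five failures in ten minutes is an assumption.

```python
"""Scan a saved Security log for password guessing, lockouts and log clearing.

Added example (not part of the original checklist). The log lines are a
constructed, simplified form of Event Viewer's comma-delimited Save As
export; threshold and window are assumptions.
"""
import csv
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

# Columns: Date,Time,Source,Type,Category,Event,User,Computer,Description (constructed).
SAMPLE_SECURITY_LOG = """\
11/2/1999,8:01:12 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PDC01,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Workstation Name: WS22
11/2/1999,8:01:15 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PDC01,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Workstation Name: WS22
11/2/1999,8:01:19 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PDC01,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Workstation Name: WS22
11/2/1999,8:01:24 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PDC01,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Workstation Name: WS22
11/2/1999,8:01:30 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PDC01,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Workstation Name: WS22
11/2/1999,8:01:36 AM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,PDC01,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: CORP Workstation Name: WS22
11/2/1999,8:01:40 AM,Security,Failure Audit,Logon/Logoff,539,NT AUTHORITY\\SYSTEM,PDC01,Logon Failure: Reason: Account locked out User Name: jsmith Domain: CORP Workstation Name: WS22
11/2/1999,8:05:02 AM,Security,Success Audit,Logon/Logoff,528,CORP\\jsmith,PDC01,Successful Logon: User Name: jsmith Domain: CORP Logon Type: 2 Workstation Name: PDC01
11/2/1999,8:30:00 AM,Security,Success Audit,System Event,517,CORP\\tbrown,PDC01,The audit log was cleared
"""

THRESHOLD = 5                    # failed logons for one account ...
WINDOW = timedelta(minutes=10)   # ... within this period (both assumed)


def parse_log(text):
    """Parse the export into a list of event dicts, oldest first."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) < 9:
            continue
        when = datetime.strptime(row[0] + " " + row[1], "%m/%d/%Y %I:%M:%S %p")
        events.append({"time": when, "type": row[3], "id": int(row[5]),
                       "user": row[6], "computer": row[7], "desc": row[8]})
    return sorted(events, key=lambda e: e["time"])


def target_user(desc):
    """The account named in the description (the User column of a 529 is SYSTEM)."""
    m = re.search(r"User Name:\s+(\S+)", desc)
    return m.group(1).lower() if m else "?"


def detect(events, threshold=THRESHOLD, window=WINDOW):
    """Return alert strings for the patterns an auditor should look for."""
    alerts = []
    recent = defaultdict(deque)        # target user -> times of recent 529s
    for e in events:
        if e["id"] == 529:             # unknown user name or bad password
            user = target_user(e["desc"])
            q = recent[user]
            q.append(e["time"])
            while q and e["time"] - q[0] > window:
                q.popleft()
            if len(q) == threshold:    # fire once when the burst reaches the threshold
                alerts.append("%s: %d failed logons for %s within %s on %s (password guessing?)"
                              % (e["time"], len(q), user, window, e["computer"]))
        elif e["id"] == 539:           # account locked out
            alerts.append("%s: account %s locked out" % (e["time"], target_user(e["desc"])))
        elif e["id"] == 517:           # audit log cleared
            alerts.append("%s: audit log cleared by %s" % (e["time"], e["user"]))
        elif e["id"] in (632, 636):    # member added to a global (632) or local (636) group
            alerts.append("%s: group membership changed by %s" % (e["time"], e["user"]))
    return alerts


def scan_sample():
    """Run the detector over the constructed sample log."""
    return detect(parse_log(SAMPLE_SECURITY_LOG))


if __name__ == "__main__":
    for a in scan_sample():
        print("ALERT:", a)
```

Note that the failed logons in the sample target the built-in Administrator account, which the Account Policy never locks out, so the burst detector rather than a 539 event is the only warning you will get; the lockout event in the sample belongs to an ordinary user.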

[Back to Top]

Fault-Tolerance and Backup Procedures

Fault-tolerant systems duplicate hardware components and processes to guard against failures. Evaluate all fault-tolerant systems for proper installation and operation. Use the Disk Administrator utility (on the Start | Programs | Administrative Tools menu) to check disk systems and the UPS applet in Control Panel to check the status of uninterruptible power supplies.

Confirm that appropriate backup procedures exist to ensure full recovery of the Windows NT Server operating system and user data by following this section of the review program.

  1. Determine how often full system backups are performed and whether the schedule is appropriate. If full system backups are not performed, this is a security concern.
  2. Determine how user data files are backed up between full system backups. Incremental backups are the normal case; an incremental backup captures the files that have changed since the previous backup, whether that was a full or an incremental backup.
    • For example: a full system backup is performed each Saturday. On Sunday through Friday, incremental backups are performed on only those system and data files that have changed. Sunday's incremental catches any changes since Saturday's full backup, Monday's incremental catches any changes since Sunday's incremental, and so forth. Recovery therefore requires the last full backup plus every incremental after it, restored in order, so a missing or unreadable tape in the chain loses the changes it held.
    • When incremental backups are not performed and reliance is placed only on a full system backup, there may be a security concern. No concern would be raised only when a full system backup is made every day, or when a full system backup is made every week and no changes are made by users, local applications, or remote systems between backups. Since both exceptions are rare, a security concern is normally in order.
  3. Are files safely transported to secure backup locations? Is confidential information encrypted when stored off-site?
  4. Confirm that backup media is not left in the backup device unattended. Consider how the backups themselves could compromise the confidentiality of files: the tapes carry a copy of everything the server holds. Are all backups documented and cataloged?
  5. In Disk Administrator, evaluate whether disk mirroring or striping with parity is in use to protect against failed drives or hardware components. A plain stripe set without parity provides no protection against a failed drive.
  6. Confirm whether directory replication is being used. Ensure that the EXPORT and IMPORT directories have valid entries. Confirm that the replication account is a member of the Domain Users, Backup Operators and Replicator groups, and that it has the following settings:
    • "Password Never Expires" selected.
    • "User Must Change Password at Next Logon" cleared.
    • "User Cannot Change Password" cleared.
    • "Account Disabled" cleared.
    • All hours allowed for logon.
    • No user profile or logon script defined.
    • The "Log on as a service" right granted.
    Because the account is a Backup Operator, protect its password as you would an administrator's.
  7. Check that an uninterruptible power supply (UPS) is installed and configured properly; it protects the server from data loss during a power failure. To check the UPS, open the UPS utility in Control Panel.
  8. Determine the users belonging to the Backup Operators group and evaluate carefully whether they are trusted. Backup operators can read and restore any file on the system regardless of its permissions, because the "Back up files and directories" and "Restore files and directories" rights bypass file security.
  9. Ensure that a Backup Domain Controller (BDC) is used, so that the account database survives the loss of the Primary Domain Controller.
  10. Was an Emergency Repair Disk (ERD) created during Windows NT setup, and is it updated (rdisk /s) after account changes? The ERD can restore the Registry, and with it the user accounts, to the state at the time the disk was made (setup time, unless it has been updated since). This helps when an administrator forgets the password for the account, but it also means the disk holds a copy of the account database and must be stored securely.
  11. View the Event Log to audit backup activities.
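As an added example for steps 1 and 2 (not part of the original checklist), the Python script below evaluates a backup catalogue against the incremental-chain rule described above: each incremental captures changes since the previous backup, so recovery needs the last full backup plus every incremental after it. The catalogue is constructed for the example (a full each Saturday, incrementals on the other days, one missed run) and the thresholds in concerns() are assumptions to be set from the organization's policy.

```python
"""Check a backup schedule against the full-plus-incremental chain rule."""
from datetime import date

# Constructed catalogue of backup runs (ISO date, kind); not a real site's records.
CATALOG = [
    ("1998-01-10", "full"),          # Saturday
    ("1998-01-11", "incremental"),
    ("1998-01-12", "incremental"),
    ("1998-01-13", "incremental"),
    # 1998-01-14: run missed
    ("1998-01-15", "incremental"),
    ("1998-01-16", "incremental"),
    ("1998-01-17", "full"),          # Saturday
    ("1998-01-18", "incremental"),
]


def _runs(catalog):
    """Catalogue entries as (date, kind), sorted by date."""
    return sorted((date.fromisoformat(d), kind) for d, kind in catalog)


def restore_set(catalog, target):
    """Backups to restore, in order, to recover the server as of `target` (ISO date):
    the last full backup on or before that day plus every incremental after it."""
    t = date.fromisoformat(target)
    runs = [r for r in _runs(catalog) if r[0] <= t]
    fulls = [i for i, (_, kind) in enumerate(runs) if kind == "full"]
    if not fulls:
        raise ValueError("no full backup on or before " + target)
    return [(d.isoformat(), kind) for d, kind in runs[fulls[-1]:]]


def exposure_gaps(catalog):
    """(date, days) for each run that came more than one day after the previous run;
    changes made in that window existed only on disk until the later run."""
    runs = _runs(catalog)
    return [(cur.isoformat(), (cur - prev).days)
            for (prev, _), (cur, _) in zip(runs, runs[1:])
            if (cur - prev).days > 1]


def full_intervals(catalog):
    """Days between consecutive full backups; the review expects about 7."""
    fulls = [d for d, kind in _runs(catalog) if kind == "full"]
    return [(b - a).days for a, b in zip(fulls, fulls[1:])]


def concerns(catalog, max_gap_days=1, max_full_interval=7):
    """Security concerns in the sense of the review steps (thresholds are assumptions)."""
    out = []
    if not any(kind == "full" for _, kind in catalog):
        out.append("no full system backup")
    for when, days in exposure_gaps(catalog):
        if days > max_gap_days:
            out.append(f"{days - 1} day(s) with no backup before {when}")
    for n in full_intervals(catalog):
        if n > max_full_interval:
            out.append(f"{n} days between full backups")
    return out


if __name__ == "__main__":
    print("to recover 1998-01-16 restore:", restore_set(CATALOG, "1998-01-16"))
    print("concerns:", concerns(CATALOG))
```

A site that relies on a weekly full backup alone shows up as a six-day gap in exposure_gaps(), which is the finding the review steps describe.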

[Back to Top]

Other Considerations

The steps in this section outline the security settings to check in a standard evaluation of a Windows NT system. Many of the settings are checked in the User Manager. Keep in mind that these recommendations may or may not be appropriate for your environment.

  1. Confirm that the system does not dual boot. Windows NT should be the only operating system installed.
  2. Confirm that the OS/2 and POSIX subsystems are not installed.
  3. Confirm that all drives on the system are formatted with the NT File System (NTFS), not the FAT file system; FAT volumes carry no permissions or auditing. To check a drive in Windows NT 4.0, right-click the drive and choose Properties. A FAT volume can be converted in place with convert <drive>: /fs:ntfs.
  4. Among the first things to check are the logon policies and restrictions, the "welcome mat" into the Windows NT Server. Are users educated about password safety and appropriate use of the system? Do users read and sign a security policy?
  5. Review whether the logon dialog box displays a legal notice stating that only authorized users may access the system and that all activity may be monitored. Check the LegalNoticeCaption and LegalNoticeText values under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon; both should be set.
  6. Confirm that the system cannot be booted from a floppy drive (check the BIOS boot order and that the BIOS settings are password protected). Otherwise, someone can boot DOS and use a program such as NTFSDOS.EXE to read NTFS volumes, bypassing file permissions.
  7. Confirm that the Shut Down button in the logon dialog box is disabled. Check that the ShutdownWithoutLogon value under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon is 0.
  8. Review that someone uses the Performance Monitor to monitor and track network activity.
  9. Obtain a list or schematic diagram of the domains in the organization. Identify the relevant domain controllers and backup controllers.
  10. Document the domains in the network using the User Manager for Domains.
  11. Review how groups are allocated to domains and vice versa.
  12. Review how domain controllers are set up and where they are located.
  13. Review all trust relationships. Check Trust Relationships option in the User Manager for Domains utility. Document the trust relationships with other domains.
  14. Does your organization have a central repository of information on trust relationships? Identify the procedures for keeping this information current.
  15. Verify that only administrators can access Server Manager, and only in their own domain.
  16. Review whether each service must run under the System account. The account a service runs under can be changed in the Services utility in Control Panel (select the service, then Startup); a service that does not need the privileges of the System account should run under a dedicated account holding only the rights it needs. The following services can run under an account other than the System account:
  • ClipBook
  • Directory Replicator
  • Microsoft Domain Name Service (DNS)
  • Remote Access Server
  • Remote Procedure Call
  • Remote Procedure Call Locator
  • Schedule
  • Spooler
  • Telephony
  • UPS
  • Windows Internet Name Service (WINS)
  17. Confirm that all started services are necessary.
  18. Verify that access to Server Manager is logged and monitored.
  19. Confirm that all servers are physically secure.
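As an added example for the legal-notice and Shut Down button checks above (not part of the original checklist), the Python script below parses a REGEDIT4 export of the Winlogon key, as produced by regedit's Registry | Export Registry File, and reports the values that fail the checks. The two exports are constructed for the example: one with the weak settings, one with the settings the checklist expects. Only the string and dword value forms of the REGEDIT4 format are handled, which is enough for this key.

```python
"""Check Winlogon legal-notice and shutdown settings in a REGEDIT4 export."""
import re

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed export with the weak settings: no legal notice, Shut Down button enabled.
WEAK_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="CORP"
"LegalNoticeCaption"=""
"LegalNoticeText"=""
"ShutdownWithoutLogon"="1"
'''

# Constructed export with the settings the checklist expects.
HARDENED_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultDomainName"="CORP"
"LegalNoticeCaption"="Authorized use only"
"LegalNoticeText"="This system is for authorized users only. All activity may be monitored and reported."
"ShutdownWithoutLogon"="0"
'''

# "Name"=<data> or @=<data>; the name may contain escaped quotes.
_VALUE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|(@))=(.*)$')


def _unescape(s):
    """Undo REGEDIT4 escaping (\\ for backslash, \" for quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg(text):
    """Return {key path: {value name: value}} for a REGEDIT4 export.
    String values become str, dword values int; other types are kept as raw text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = _VALUE.match(line)
        if not m or current is None:
            continue
        name = "@" if m.group(2) else _unescape(m.group(1))
        raw = m.group(3)
        if len(raw) >= 2 and raw.startswith('"') and raw.endswith('"'):
            value = _unescape(raw[1:-1])
        elif raw.startswith("dword:"):
            value = int(raw[6:], 16)
        else:
            value = raw
        keys[current][name] = value
    return keys


def winlogon_findings(reg):
    """Findings for the legal notice and Shut Down button checks."""
    vals = reg.get(WINLOGON, {})
    findings = []
    if not vals.get("LegalNoticeCaption"):
        findings.append("LegalNoticeCaption is missing or empty")
    if not vals.get("LegalNoticeText"):
        findings.append("LegalNoticeText is missing or empty")
    if str(vals.get("ShutdownWithoutLogon", "")) != "0":
        findings.append("ShutdownWithoutLogon is not 0 (Shut Down button available before logon)")
    return findings


if __name__ == "__main__":
    for label, export in (("weak", WEAK_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(label, winlogon_findings(parse_reg(export)) or ["no findings"])
```

To check a real server, export the Winlogon key with regedit and pass the file's contents to parse_reg; an absent ShutdownWithoutLogon value is reported as a finding so that the reviewer confirms the setting explicitly.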

[Back to Top]
