- Purpose and Scope
- Preparatory Steps
- General Windows NT Server Security Overview
- Account Policies and Restrictions
- Administrator Account and Administrators Group
- User Logons
- User Rights
- Groups
- Guest Account and Everyone Group
- Directory and File Level Security
- Remote Access Security
- Auditing and Event Logs
- Fault-Tolerance and Backup Procedures
- Other Considerations
Purpose and Scope

This program is designed to enable the reviewer to examine and test the effectiveness of controls and procedures for Windows NT Server. Included in the review program are suggested review steps designed to obtain evidence that key control procedures are operating effectively. The review approach includes: preparatory steps; general Windows NT Server security overview; account policies and restrictions; administrator account and administrators group; user logons; user rights; groups; Guest account and Everyone group; directory and file level security; remote access security; auditing and event logs; fault-tolerance and backup procedures; and other considerations.

Preparatory Steps

- Review existing
corporate computer policies, standards and
guidelines and evaluate any impact on the planned
review scope.
- Review the working
papers from and response to any prior review.
- Obtain and review the
current organization chart for the relevant
department(s).
- Review the letter of
recommendations issued by the external auditing
firm (where available) when evaluating review
scope.
- Document interviews
such as entrance meetings with key personnel.
Define functional responsibilities and include
documented job descriptions, when available.

General Windows NT Server Security Overview

- Conduct an opening
conference to discuss the review objectives with
the Windows NT Server Administrator, IS/IT
management, and key user management directly
related to the system being reviewed.
- Review each area of
concern using the review program sections.
- Confirm your review
findings with the Windows NT Server
Administrator, IS/IT management, and each user
manager directly related to the system under
review.
- Conduct a closing
conference to discuss the review findings with
the same management personnel who attended the
opening conference.
- Prepare a draft
review report to management detailing your
findings from each area of concern. State reasons
for the omission of any review program section.
Request review responses to be returned within
ten working days from the date of the report.
Discuss the review report with the Director of
Internal Auditing.
- Release the review
report.
- Receive review
responses and clear review findings.
- Release final review
report.
- Follow-up outstanding
review findings.

Account Policies and Restrictions

Account policies and
restrictions determine how password and logon policies
are enforced for the entire domain. Keep in mind that
each domain has its own policies. Open the User Manager
and choose Account from the Policies menu. Should you
want to check a different trusting domain, choose Select
Domain on the user menu. When the Account Policy dialog
box appears, evaluate the Password Restrictions based on
your password policies.
- Determine whether password aging is in effect for users. (Check Maximum Password Age: Password should expire in x number of days. The default is 30 days.) If not, document the company policy regarding periodic changing of passwords. When neither is in effect, this is a security concern.
- Determine the Minimum
Password Age. Set to allow changes in x number of
days. The default is 14.
- Determine the Minimum
Password Length. This parameter is the minimum
number of characters the password must be to
satisfy password construction/selection. The
default is 6. The maximum length is 14
characters.
- Determine the
Password Uniqueness. Prevents users from using
the last x passwords. The default is 3.
- Determine the Account
Lockout options to prevent unauthorized users
from attempting to access the system by guessing
passwords. For optimum security, you never should
run the server with this option disabled.
- Lockout after x bad
logon attempts: Confirm the value of this setting
is set to your security policy.
- Reset Count After x
minutes: Confirm the value of this setting is set
to your security policy.
- Lockout Duration
field: Confirm this setting is set according to
your security policy. If forever is set, an
administrator must restore the account.
- Forcibly disconnect
remote users from server when logon hours expire:
This option prevents after-hours activities or
disconnects systems that were left on.
- User must log on in
order to change password: This option prevents
users whose passwords have expired from logging
on. The administrator must change the password.
- Confirm that blank passwords are not allowed. To check this, open the User Manager for Domains, choose Account from the Policies menu, and ensure that Permit Blank Passwords in the Minimum Password Length field is not selected; the "At Least x Characters" option should be selected instead, with a value specified.
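The same Account Policy values are printed by the server's `net accounts` command, so the steps above can be checked from a saved copy of that output. The following Python script is an added example, not part of this review program: it parses text in the `net accounts` format (the sample values are constructed) and reports the findings the steps above call out, using the defaults the checklist quotes as thresholds.

```python
"""Added example: evaluate a Windows NT account policy against the checklist.

Parses the text printed by `net accounts`, which reports the Account Policy
settings the review steps inspect, and flags the conditions the checklist
treats as security concerns. The sample output below is constructed.
"""

# Constructed sample in `net accounts` format; values chosen to trip findings.
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
The command completed successfully.
"""

# Thresholds from the checklist: the defaults it quotes for each setting.
POLICY = {"max_age_days": 30, "min_age_days": 14, "min_length": 6, "history": 3}


def parse_net_accounts(text):
    """Return {setting label (lower case): raw value} from `net accounts` output."""
    settings = {}
    for line in text.splitlines():
        if ":" not in line:
            continue  # completion message or blank line
        # Split on the last colon: the first label itself ends in "?:".
        label, value = line.rsplit(":", 1)
        settings[label.strip().lower()] = value.strip()
    return settings


def as_number(value):
    """Numeric setting as int; 'Unlimited', 'Never', 'None' or missing -> None."""
    return int(value) if value.strip().isdigit() else None


def review_account_policy(text, policy=POLICY):
    """Map finding codes to messages; an empty dict means the policy passes."""
    s = parse_net_accounts(text)
    findings = {}

    max_age = as_number(s.get("maximum password age (days)", ""))
    if max_age is None:
        findings["no_aging"] = "password aging not in effect (Maximum Password Age is Unlimited)"
    elif max_age > policy["max_age_days"]:
        findings["max_age"] = f"passwords expire after {max_age} days, policy is {policy['max_age_days']}"

    min_age = as_number(s.get("minimum password age (days)", ""))
    if min_age is None or min_age < policy["min_age_days"]:
        findings["min_age"] = f"Minimum Password Age is {min_age or 0} days, policy is {policy['min_age_days']}"

    min_len = as_number(s.get("minimum password length", ""))
    if not min_len:  # 0 or missing: Permit Blank Password is in effect
        findings["blank_passwords"] = "blank passwords are permitted (Minimum Password Length is 0)"
    elif min_len < policy["min_length"]:
        findings["min_length"] = f"Minimum Password Length is {min_len}, policy is {policy['min_length']}"

    history = as_number(s.get("length of password history maintained", ""))
    if history is None or history < policy["history"]:
        findings["uniqueness"] = f"Password Uniqueness remembers {history or 0} passwords, policy is {policy['history']}"

    if as_number(s.get("lockout threshold", "")) is None:
        findings["lockout"] = "Account Lockout is disabled (Lockout threshold is Never)"

    if as_number(s.get("force user logoff how long after time expires?", "")) is None:
        findings["logon_hours"] = "remote users are not forcibly disconnected when logon hours expire"

    return findings


if __name__ == "__main__":
    for code, message in review_account_policy(SAMPLE_NET_ACCOUNTS).items():
        print(f"{code:16} {message}")
```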

Administrator Account and Administrators Group

Confirm that each
Administrator of the system is required and that
appropriate controls exist for the accounts by following
this section of the review program.
The Administrator account
and Administrators group have unlimited rights on the
system. Therefore, you need to carefully evaluate the
membership of the Administrators group.
- Perform a review of
the system and note what accounts have
Administrator status. Look for unnecessary
accounts with Administrator status. Should you
have a large network consisting of multiple
administrators, regularly interview these
administrators to evaluate their activities and
need for Administrator status.
- Determine that the
Administrator account has a password. By default,
the account doesn't have a password. Since the
account often is the target of attacks because of
its well-known name, check to see whether the
Administrator account was renamed to obscure it.
Also, check whether a decoy account called
Administrator with no permissions was created.
Intruders will attempt to break in to this decoy
account instead of the real account.
- Have failed logons
been enabled in the auditing system to detect
attempts to logon to any account, including
Administrator?
- View the Event Log to
audit the activities of users with administrative
rights.
- Perform a review of
the membership of the Administrators group and
the Domain Admins group. Look for unnecessary
accounts with membership in the Administrator and
Domain Admins groups.
- Check whether administrators can log on from anywhere on the network (normally, the Administrators group has the "Access this computer from network" right) or whether they must log on at the computer itself, in a controlled environment, to do any administrative tasks. You will also need to remove the right from the Everyone group and then add back the accounts that are allowed to log on from the network.
- When a Windows NT
Workstation computer is added to a domain, the
Domain Admins group is added to the workstation's
Administrators group. This gives any member of
the Domain Admins group access to the workstation
computer as well. Determine whether this is
appropriate. You may need to remove the Domain
Admins group at the workstation and add only a
specific Administrator account.

User Logons

Confirm that each user of
the system is assigned a user name and password by
following this section of the review program.
- Is there a Data
Security access form and related procedures? If
not, determine how users requesting access to the
system are granted access. This is a security
concern, but can be corrected depending on the
current procedures used to grant access and
requiring that they be formally documented.
- Perform a review of
the active Data Security access forms and compare
the user names assigned to the system to the
users in the User Manager for Domains to ensure
there is a form on file for each user known to
the system.
- Verify that the
description entered for user name is descriptive
with respect to the user. For example, does the
user's full name appear, match up with the
assigned initials, and agree with the Data
Security access form? If not, this is a security
concern.
- Perform a review of
the inactive Data Security access forms and
compare the user names of terminated employees to
the current users to ensure no user names exist
for terminated employees. (Same as step C.2
except for terminated employees).
- Check the status of
each user account and group using the User
Manager. Double-click on each account when you
are checking manually. This opens the New User
properties dialog box that displays password
information and has buttons for checking group
membership and other options.
- Check the password
options. Should the user be able to change the
password? Does the password never expire? Is this
account disabled? If it is disabled, has the user
left the company? If so, consider removing the
account.
- Verify the user's
logon script. Determine that the script has been
approved, and that it meets the security policy.
Is it necessary to have a script? Do users have
common scripts?
- Click the Groups
button to determine what groups the user belongs
to. Is membership in these groups appropriate for
the user? What rights and permissions does the
user obtain from the groups? What access does the
group have to other domains?
- Click the Profile
button in the New User properties dialog box to
check the location of the user's home directory.
If you remove the account, also remove the
specified directory. Does the user have a
profile, and if so, is it mandatory? Are System
Policies required?
- Click the Hours
button to evaluate the times that the user can
access the network. Make sure no one can logon
after hours when that is your policy.
- Click the Logon To
button to evaluate what computers the user can
logon to. Make sure that no one can logon from a
computer where they shouldn't.
- Evaluate whether the
account has an expiration date (Account Expires
End of). All temporary accounts (for example, for
contractors or consultants) or administrator
"test" accounts should expire
automatically.
- Determine whether the account is a global or local account. Global accounts are available over the entire domain and across trust relationships. Local accounts allow users from untrusted domains to access local resources, but do not permit access to Windows NT Server domains.
- Click the Dialin
button and evaluate dial-in capabilities. Where
users can dial in, Call Back options should be
enabled to a specified telephone number in the
dialog box for added security. This option is
available on-line when the Remote Access Service
components are installed.
- Check whether the
user name of the last user to logon appears in
the Logon dialog box. You can prevent the display
by setting the DontDisplayLastUserName in the
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows
NT\CurrentVersion\Winlogon.

User Rights

In the User Manager for
Domains, check the rights that users and groups have on
the system. Choose User Rights from the Policies menu to
display the User Rights Policy dialog box. Initially, the
box shows the basic rights.
- To evaluate all
rights, click the Show Advanced User Rights
option. Here are some considerations for basic
rights:
- Access this computer
from the network: By default, only the
Administrators and the Everyone group have this
right. The Everyone group should be removed and
added to specific groups as appropriate. For
example, create a new group called "Network
Users" with this right, then add users who
should have network access.
- Backup files and directories: Users with this right can potentially carry any files off-site. Carefully evaluate which users and groups have this right. Also evaluate the Restore files and directories right.
- Log on locally: For
servers, only administrators should have this
right. No regular user ever needs to logon
directly to the server itself. By default, the
administrative groups (Administrators, Server
Manager, etc.) have this right. Make sure that
any user who is a member of these groups has a
separate management account.
- Manage auditing and
security logs: Only the Administrators group
should have this right.
- Take ownership of
files or other objects: Only the Administrators
group should have this right.
- Scan
all the advanced rights to make sure that a user
has not been granted rights inappropriately. Some
rights should only be assigned to the System
account. A rogue administrator might manage to
grant inappropriate rights and gain extended
privileges on the system.
- To review
user activities on a server, select Server
Manager from the Administrative Tools (Common).
Double-click on a server to open a Properties
dialog box where you can see:
- Users: Click this
button to view a list of all users connected to
the server, and a list of resources opened by the
users.
- Shares: Click this
button to view shared resources available on the
computer and the users using the shared
resources.
- In Use: Click this
button to view a list of the computer's open
shared resources.

Groups

The membership of groups
should be carefully evaluated. A group granted
permissions to sensitive files might contain users that
should not have that access. Open each group listed in
the User Manager and inspect its members.
- Are any of the
accounts in a group inactive? If so, consider
removing the accounts.
- View the local and
global groups active in each file server using
User Manager for Domains.
- Carefully evaluate
and document the members of management groups
such as Administrators, Server Operators, Account
Operators, Backup Operators, and Print Operators.
Remove all unnecessary accounts. Following are
the roles of groups on domain controllers:
- Administrators:
Members can manage the entire domain.
- Backup Operators:
Members can perform backups and restores.
- Guests: Members can access the server from the network but cannot logon locally.
- Print Operators:
Members can manage printers.
- Replicators: Members
can manage replication services.
- Server Operators:
Members can manage servers.
- Users: Members can
access the server from the network but cannot
logon locally.
Following are the roles of
groups on NT Workstations and member servers:
- Administrators:
Members can manage the local system.
- Backup Operators:
Members can perform backups and restores on the
local system.
- Guests: Members can
access the local system but do little else.
- Power Users: Members
can manage user accounts on the local system.
- Replicators: Members
can manage replication services.
- Server Operators:
Members can manage servers.
- Users: Members can
logon to the local workstation and use it to
access the network. They also can shutdown the
system.
- Review
the organization's policies for separation of
incompatible functions.
- Determine
whether any sub-administrators have been created.
Sub-administrators can be created by adding users
to the Account Operators and Server Operators
groups. Look for unnecessary accounts.
- Ensure
all sub-administrator users have two accounts:
one for administrative tasks and one for regular
use. Sub-administrators should only use their
administrative accounts when absolutely
necessary.
- Evaluate
each global group membership and the resources
that the group has access to. Does the group have
access in other domains?
- What
folders and files do groups have permission to
access? This can be difficult to evaluate.
- Do
local groups hold global groups from other
domains? Check the membership of these global
groups and make sure that no users have
unnecessary access to resources in the current
domain.
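The per-account checks in the User Logons section (access form on file, description, expiry of temporary accounts, password options, dial-in callback) and the management-group review above can be run in one pass once the account properties have been exported. The Python below is an added example, not part of this review program: the account records, the Data Security access forms and the set of groups treated as management groups are all constructed or assumed for the demonstration.

```python
"""Added example: review user accounts and group memberships against the checklist.

Account records and Data Security access forms below are constructed; a real
review would export them from User Manager for Domains and the forms on file.
"""

# Management groups named in the Groups section; their membership is documented.
MANAGEMENT_GROUPS = {"Administrators", "Server Operators", "Account Operators",
                     "Backup Operators", "Print Operators"}

# Constructed export, one record per account, with the New User dialog fields
# the review steps inspect: description, password options, groups, dial-in.
ACCOUNTS = [
    {"name": "jsmith", "full_name": "John Smith", "disabled": False,
     "password_never_expires": False, "expires": None,
     "groups": {"Domain Users"}, "dialin": False, "callback": "No Call Back"},
    {"name": "bjones", "full_name": "", "disabled": False,
     "password_never_expires": True, "expires": None,
     "groups": {"Domain Users", "Server Operators"},
     "dialin": True, "callback": "Set By Caller"},
    {"name": "consult1", "full_name": "Ann Lee (contractor)", "disabled": False,
     "password_never_expires": False, "expires": None,
     "groups": {"Domain Users"}, "dialin": True, "callback": "Preset To"},
    {"name": "ptaylor", "full_name": "Pat Taylor", "disabled": True,
     "password_never_expires": False, "expires": None,
     "groups": {"Domain Users", "Backup Operators"},
     "dialin": False, "callback": "No Call Back"},
]

# Constructed Data Security access forms: user name -> (full name, temporary?).
ACCESS_FORMS = {
    "jsmith": ("John Smith", False),
    "bjones": ("Bob Jones", False),
    "consult1": ("Ann Lee", True),
}


def review_accounts(accounts=ACCOUNTS, forms=ACCESS_FORMS):
    """Return sorted (account, finding) pairs; an account with no pairs passes."""
    findings = []
    for a in accounts:
        name = a["name"]
        form = forms.get(name)
        if form is None:
            findings.append((name, "no Data Security access form on file"))
        elif not a["full_name"] or form[0] not in a["full_name"]:
            findings.append((name, "description does not agree with the access form"))
        if form and form[1] and a["expires"] is None:
            findings.append((name, "temporary account has no expiration date"))
        if a["disabled"]:
            findings.append((name, "disabled; confirm the user has left and remove the account"))
        if a["password_never_expires"]:
            findings.append((name, "password never expires"))
        if a["dialin"] and a["callback"] != "Preset To":
            findings.append((name, f"dial-in allowed with callback '{a['callback']}'; "
                                   "only Preset To adds security"))
        management = a["groups"] & MANAGEMENT_GROUPS
        if management:
            findings.append((name, "member of " + ", ".join(sorted(management))))
            if a["disabled"]:
                findings.append((name, "inactive account still in a management group"))
    return sorted(findings)


def management_roster(accounts=ACCOUNTS):
    """Document who sits in each management group (empty groups included)."""
    roster = {group: [] for group in sorted(MANAGEMENT_GROUPS)}
    for a in accounts:
        for group in a["groups"] & MANAGEMENT_GROUPS:
            roster[group].append(a["name"])
    return {group: sorted(members) for group, members in roster.items()}


if __name__ == "__main__":
    for account, finding in review_accounts():
        print(f"{account:10} {finding}")
    print(management_roster())
```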

Guest Account and Everyone Group

In some organizations, the Guest account is very useful. For example, people who don't normally work with computers might need to occasionally access a system to obtain some information. Most administrators agree that it should be disabled, although removing it removes the ability of anonymous users to access a system. Consider creating a separate domain for these public services where the Guest account is enabled. Alternatively, use a Web server for this type of system.
- Evaluate the need for
the Guest account.
- Should you need the
Guest account, carefully review where it has
privileges.
- Confirm that the
Guest account is disabled on networks connected
to untrusted networks such as the Internet. It
provides too many opportunities for break-ins.
Disable the Guest account. In the User Manager,
double-click on the Guest account and put a check
mark on the item "Account Disabled."
- Confirm that the
Guest account does not have write or delete
permissions to any files or directories. Guests
only should be allowed to read files in specific
directories.
- Ensure that the
Everyone group's permission in the root directory
and the SystemRoot directory (usually C:\winnt)
is set to Read Only. Don't propagate these
changes to the subdirectories.
- Ensure that the
Everyone group's permission in
\SystemRoot\system32 is set to Read Only and
propagate these changes to the subdirectories,
except for \SystemRoot\system32\ras and
\SystemRoot\system32\spool\printers where the
Change permission should be granted.
- If you have Microsoft
Internet Information Server software installed, a
special Guest account called IUSR_computername
exists with the rights to logon locally. Evaluate
the need for this account when you don't want the
general public to access your Web server. Users
must then have an account to access the Web
server.

Directory and File Level Security

In this section, you
evaluate permissions on directories and other resources.
To check permissions on folders and other resources, you
must go to each resource individually to review what
users and groups have permissions. To open the
Permissions dialog box for a folder or file, right-click
it and choose Properties, then click either the Sharing
or the Security tab. The Sharing options show who has
access to the folder over the network. The Security tab
has the Permission and Auditing buttons so you can check
local permissions or set auditing options.
- Are you using only NTFS volumes on your servers? Do not use FAT or HPFS volumes in secure installations.
- Check each folder
and/or file to determine what local users and
groups have access and whether that access is
appropriate. Start your evaluation with the most
sensitive and critical folders if you are doing
this procedure manually or performing a periodic
checkup.
- Check all shared
folders and the share permissions on those
folders to determine what network users and
groups have access and whether that access is
appropriate.
- Program files and
data files should be kept in separate folders to
make management and permission setting easier.
Also, if users can copy files into a data folder,
ensure the Execute permission on the folder has
been removed to prevent someone from copying and
executing a virus or Trojan Horse program.
- If users or groups
have access to a folder, should they have the
same access to every file in the folder? To every
subdirectory? Check the sensitivity of files and
attached subdirectories to evaluate whether
inherited permissions are appropriate.
- If the server is connected to an untrusted network such as the Internet, ensure that any files on the server are not sensitive and are intended for public access.
- Confirm the root
directory of a drive or one of the drive icons
that appears in the graphical display is not
shared. An exception would be sharing a Read Only
CD-ROM drive for public access.
- For sensitive, password protected directories, ensure Auditing is enabled. Right-click a folder, click Security, then click Auditing and enable Failure to track users who attempt unauthorized access to a folder or file. Note that File and Object Access must be enabled from the Audit Policies menu in the User Manager.
- Document the directory permissions on critical directories to ensure they provide proper integrity. The standard permissions for directories are:
- No Access:
The folder cannot be accessed and the
files in the folder cannot be listed.
This permission overrides any other
permission a user may have.
- List: Allows
users to list the files and
subdirectories in a directory and to
access the directory.
- Read: Allows users to display subdirectory names and filenames, display the data and attributes of files, run program files, and switch to any subdirectory of the folder.
- Add: Allows users to add files to a folder but not read or change files that have been placed in the folder.
- Change:
Allows the user to read files, create new
subdirectories, add files, change data in
and append data to files, change file
attributes, and delete subdirectories and
files.
- Full Control:
Includes all permissions.
Discuss with the
Administrator the necessity of deviations from
Table 1 for critical directories.
- Document the file
permissions on critical files to ensure they
provide proper integrity. Critical files include,
but are not limited to, those in Table 2. Discuss
with the Administrator the necessity of
deviations. The standard permissions for files
are:
- No Access:
The file cannot be accessed by any user
even when the user has been granted
access through other means.
- Read: Allows
the user to open a document or run a
program. User also can list the file's
attributes.
- Change:
Allows the user to change data in and
append data to the file, and to display
the file's owner and permissions.
- Full Control:
Includes all permissions, also allows the
user to take ownership.
- Special
Access: Allows the user to create custom
permissions that include any combination
of Read (View the contents of a file),
Write (Change the contents of a file),
Execute (Run a program), Delete (Delete a
file or folder), Change Permission
(Change the permissions of an object),
and Take Ownership (Become the owner of
an object).
- Ensure that Full
Control permission to files and folders is only
granted to administrators or owners.
- Confirm that the
Performance Monitor has been configured to alert
Errors Access Permissions (the number of times a
client attempts, but fails to open a file and
receives a message); Errors Granted Access (the
number of times accesses to files opened were
successfully denied); and Errors Logon (the
number of failed logon attempts to the server).
- Confirm that
share-level access is not enabled by checking the
Access Control tab of the Network applet.
Table 1

Directory | Group/User | Permission
--- | --- | ---
\root of NTFS volume | Administrators, System | Full Control
\root of NTFS volume | Server Operators | Change
\root of NTFS volume | Everyone | Change
\root of NTFS volume | CREATOR OWNER | Full Control
\SystemRoot\system32 | Administrators, System | Full Control
\SystemRoot\system32 | Server Operators | Change
\SystemRoot\system32 | Everyone | Change
\SystemRoot\system32 | CREATOR OWNER | Full Control
\SystemRoot\system32\config | Administrators, System | Full Control
\SystemRoot\system32\config | Everyone | List
\SystemRoot\system32\config | CREATOR OWNER | Full Control
\SystemRoot\system32\drivers | Administrators, System | Full Control
\SystemRoot\system32\drivers | Server Operators | Full Control
\SystemRoot\system32\drivers | Everyone | Read
\SystemRoot\system32\drivers | CREATOR OWNER | Full Control
\SystemRoot\system32\spool | Administrators, System | Full Control
\SystemRoot\system32\spool | Server Operators | Full Control
\SystemRoot\system32\spool | Print Operators | Full Control
\SystemRoot\system32\spool | Everyone | Read
\SystemRoot\system32\spool | CREATOR OWNER | Full Control
\SystemRoot\system32\repl | Administrators, System | Full Control
\SystemRoot\system32\repl | Server Operators | Change
\SystemRoot\system32\repl | Everyone | Read
\SystemRoot\system32\repl | CREATOR OWNER | Full Control
\SystemRoot\system32\repl\import | Administrators, System | Full Control
\SystemRoot\system32\repl\import | Server Operators | Change
\SystemRoot\system32\repl\import | Everyone | Read
\SystemRoot\system32\repl\import | CREATOR OWNER | Full Control
\SystemRoot\system32\repl\import | Replicator | Change
\SystemRoot\system32\repl\import | Network | No Access
\SystemRoot\system32\repl\export | Administrators, System | Full Control
\SystemRoot\system32\repl\export | Server Operators | Change
\SystemRoot\system32\repl\export | CREATOR OWNER | Full Control
\SystemRoot\system32\repl\export | Replicator | Read
\users | Administrators, System | Read, Write, Execute, Delete
\users | Account Operators | Read, Write, Execute, Delete
\users | Everyone | List
\users\default | Administrators, System | Read, Write, Execute
\users\default | CREATOR OWNER | Full Control
\win32app | Administrators, System | Full Control
\win32app | Server Operators | Full Control
\win32app | Everyone | Read
\win32app | CREATOR OWNER | Full Control
\temp | Administrators, System | Full Control
\temp | Server Operators | Change
\temp | Everyone | Change
\temp | CREATOR OWNER | Full Control
Table 2

File | Description
--- | ---
C:\ntdetect.com | Runs at boot time; gathers the information that NT needs to create HKEY_LOCAL_MACHINE\HARDWARE.
C:\ntldr | Runs at boot time; loads the NT kernel.
\SystemRoot\system32\config\system.alt | Backup Registry hive.
\SystemRoot\system32\drivers\etc\lmhosts | The LMHosts file is used to provide a source of information for translating between NetBIOS names and IP addresses.
\SystemRoot\system32\dhcp\dhcp.mdb | The DHCP database file.
\SystemRoot\system32\dhcp\dhcp.tmp | A temporary file DHCP creates for temporary database information.
\SystemRoot\system32\dhcp\jet.log and jet*.log | Contain logs of all transactions done with the database. These files are used by DHCP to recover data when necessary.
\SystemRoot\system32\dhcp\system.mdb | Used by DHCP for holding information about the structure of its database.
\SystemRoot\system32\wins\wins.mdb | The WINS database file.
\SystemRoot\system32\wins\winstmp.mdb | A temporary file that WINS creates.
\SystemRoot\system32\wins\jet.log | A log of all transactions for the database.
\SystemRoot\system32\wins\system.mdb | Used by WINS for holding information about the structure of its database.
\SystemRoot\system32\ras\device.log | Connection information about each Dial-Up Networking session.
\SystemRoot\system32\config\secevent.evt | The security log.
\SystemRoot\system32\config\appevent.evt | The application log.
\SystemRoot\system32\config\sysevent.evt | The system log.
\SystemRoot\system32\logfiles\slog | The Internet Information Server log.
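Deviations from Table 1 are easier to discuss with the Administrator when they are listed systematically. The Python below is an added example, not part of this review program: it embeds a subset of Table 1 as the baseline, reads a constructed reviewer worksheet (one "directory | group or user | permission" line per entry, a format assumed for this demonstration), and reports extra, changed and missing entries plus any Full Control held outside the administrators/owners rule stated above.

```python
"""Added example: compare observed directory permissions with the Table 1 baseline.

TABLE1_BASELINE holds a subset of Table 1 above. OBSERVED_WORKSHEET is a
constructed reviewer worksheet, one "directory | group or user | permission"
line per entry, of the kind filled in while walking each folder's Security tab.
"""

# Subset of Table 1: directory -> {group or user: standard permission}.
TABLE1_BASELINE = {
    r"\SystemRoot\system32\config": {
        "Administrators": "Full Control", "System": "Full Control",
        "Everyone": "List", "CREATOR OWNER": "Full Control"},
    r"\SystemRoot\system32\drivers": {
        "Administrators": "Full Control", "System": "Full Control",
        "Server Operators": "Full Control", "Everyone": "Read",
        "CREATOR OWNER": "Full Control"},
    r"\temp": {
        "Administrators": "Full Control", "System": "Full Control",
        "Server Operators": "Change", "Everyone": "Change",
        "CREATOR OWNER": "Full Control"},
}

# Principals the checklist allows to hold Full Control outside the baseline.
FULL_CONTROL_ALLOWED = {"Administrators", "System", "CREATOR OWNER"}

# Constructed worksheet; jsmith, the Everyone entry on config and the
# unbaselined \data folder are the planted deviations.
OBSERVED_WORKSHEET = r"""
# directory | group or user | permission
\SystemRoot\system32\config | Administrators | Full Control
\SystemRoot\system32\config | System | Full Control
\SystemRoot\system32\config | Everyone | Change
\SystemRoot\system32\config | CREATOR OWNER | Full Control
\SystemRoot\system32\drivers | Administrators | Full Control
\SystemRoot\system32\drivers | System | Full Control
\SystemRoot\system32\drivers | Server Operators | Full Control
\SystemRoot\system32\drivers | Everyone | Read
\SystemRoot\system32\drivers | CREATOR OWNER | Full Control
\SystemRoot\system32\drivers | jsmith | Full Control
\temp | Administrators | Full Control
\temp | System | Full Control
\temp | Server Operators | Change
\temp | Everyone | Change
\data | Everyone | Full Control
"""


def parse_worksheet(text):
    """Return {directory: {principal: permission}} from worksheet lines."""
    observed = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        directory, principal, permission = (part.strip() for part in line.split("|"))
        observed.setdefault(directory, {})[principal] = permission
    return observed


def compare_to_baseline(observed, baseline=TABLE1_BASELINE):
    """List (directory, principal, kind, detail) findings to raise with the Administrator."""
    findings = []
    for directory, entries in observed.items():
        expected = baseline.get(directory, {})
        if directory not in baseline:
            findings.append((directory, "", "not in Table 1", "review against policy by hand"))
        for principal, perm in entries.items():
            if principal not in expected:
                findings.append((directory, principal, "extra", f"holds {perm}, not granted in Table 1"))
                if perm == "Full Control" and principal not in FULL_CONTROL_ALLOWED:
                    findings.append((directory, principal, "full control",
                                     "Full Control should be limited to administrators or owners"))
            elif expected[principal] != perm:
                findings.append((directory, principal, "changed",
                                 f"Table 1: {expected[principal]}, found: {perm}"))
        for principal, perm in expected.items():
            if principal not in entries:
                findings.append((directory, principal, "missing", f"Table 1 grants {perm}"))
    # Baseline directories the reviewer never walked are reported too.
    for directory in sorted(baseline.keys() - observed.keys()):
        findings.append((directory, "", "not inspected", "no worksheet entries for this directory"))
    return findings


if __name__ == "__main__":
    for finding in compare_to_baseline(parse_worksheet(OBSERVED_WORKSHEET)):
        print(" | ".join(finding))
```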

Remote Access Security

By following this section
of the review program:
- Determine what
permissions remote machines have with respect to
logon, file access, and command execution.
- Determine what remote
systems are defined to your system and that you
either expect to call in or that your system
dials.
- Are restrictions put
on internal resources that remote users can
access? Are there any subdirectory structures or
files restricted from being read by remote
machines?
- To view Remote Access
Server configuration, double-click on the Remote
Access Service button of the Services tab in the
Network applet. Document all ports and devices
used for dialup. You can select a port or device
to see whether the following options are set:
- Dial out only: This
device only will be used for internal users to
dial out.
- Receive calls only:
This device only will be used for receiving
incoming calls.
- Dial out and receive
calls: This device will allow internal users to
dial out and receive incoming calls.
- Confirm
from the Network Configuration dialog box that
the dial-out and dial-in protocols meet the
security policy.
- Confirm
that encryption is turned on and that it meets
your policy. The encryption options are:
- Allow any
authentication including clear text: Supports
CHAP, SPAP, PAP and non-Windows RAS clients.
- Require encrypted
authentication: Any supported authentication
except PAP.
- Require Microsoft
encrypted authentication: Specifies that the
Challenge-Handshake Authentication Protocol
(CHAP) is used.
- Determine
what remote systems are defined to your system
and that it is set up to call. Ask the
Administrator to identify each one and its
purpose.
- From the Users menu in the Remote Access Admin utility, select Permissions. Document all users and determine whether they need dial-up access.
- Click the
Dialin button in the New User dialog box to
display the Dialin Information dialog box.
Callback options deal with calling a user back at
a predefined number and preventing intruders who
have obtained valid logon information from
dialing in at an unauthorized location. There are
three callback options, as follows:
- No Call Back: This
disables callback options.
- Set By Caller: This
option reverses toll charges for users. When a
user calls in, the server authenticates him, and
a dialog box appears asking for the callback
telephone number. The server then disconnects the
call and calls the client back. Note that this
option provides no additional security.
- Preset To: This
callback option does provide security, because
you can specify in advance the telephone number
where a user should be called back.
- Use the
Event Viewer to view activities on each of the
remote access servers on your network.

Auditing and Event Logs

Determine whether audit
data is generated and reviewed by following this section
of the review program. Audit data is very useful in
system tuning and tracking down unauthorized access to
the Windows NT Server system.
- Check the status of
audit settings by choosing Audit on the Policies
menu in the User Manager for Domains. The Audit
Policy dialog box appears. The settings in this
box reflect the minimum settings that are
appropriate for auditing in most environments.
- Ensure that auditing
and security logs are protected from other
administrators who might change or delete them.
You can grant only the Administrators group the
ability to access the logs. To restrict access to
only one user (the "auditor"), remove
all users except the auditor from the
Administrators group. This means all of your
other administrators should be members of a
management group that does not have the
"Manage auditing and security log"
right.
- Check for failed
logons in the Event Viewer. You can enable
security auditing for logon attempts, file and
object access, use of user rights, account
management, security policy changes, restart and
shutdown, and process tracking.
- Confirm the option
File and Object Access in the Audit Policy dialog
box is set to enable file system auditing. You
can enable auditing for the directory only;
directory and its files only; directory and
subdirectories only, not files; and directories,
subdirectories, and all files.
- Confirm that someone
is reviewing the audit material using the Event
Viewer.
- Confirm the Security
Log does not overwrite old events. To check this,
open the Event Viewer and choose Log Settings
from the Log menu. The option called "Do Not
Overwrite Events (Clear Log Manually)"
should be enabled.
- Determine the time
the log was last cleared by checking the
timestamp of the earliest event in the log.
Ensure the previous information is archived and
protected.
- Ensure audit log
material is protected adequately.
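The Event Viewer items above (failed logons, attempts against the Administrator name, lockouts, and when the log was last cleared) can be reviewed over a saved copy of the security log. The Python below is an added example, not part of this review program: the CSV layout and every record in it are constructed, and the event IDs 528, 529, 539 and 517 are the NT security log's successful logon, failed logon, account locked out and audit log cleared events. The burst check mirrors the Lockout after x bad logon attempts and Reset Count After x minutes settings.

```python
"""Added example: review an exported NT security log for the checklist's items.

The log below is constructed. Columns are date, time, event id, account and
workstation; event ids are NT's 528 (successful logon), 529 (failed logon),
539 (account locked out) and 517 (audit log cleared).
"""
import csv
import io
from collections import Counter, defaultdict
from datetime import datetime, timedelta

LOGON_OK, LOGON_FAILED, LOCKED_OUT, LOG_CLEARED = 528, 529, 539, 517

# Constructed sample: a mistyped password, slow guessing against bjones spread
# over hours, a rapid run against Administrator ending in lockout, log cleared.
SAMPLE_LOG = """\
date,time,event_id,account,workstation
1999-03-01,08:00:12,529,jsmith,WS12
1999-03-01,08:01:40,529,jsmith,WS12
1999-03-01,08:02:11,528,jsmith,WS12
1999-03-01,09:00:00,529,bjones,WS07
1999-03-01,10:00:00,529,bjones,WS07
1999-03-01,11:00:00,529,bjones,WS07
1999-03-01,12:00:00,529,bjones,WS07
1999-03-01,13:00:00,529,bjones,WS07
1999-03-01,22:14:03,529,Administrator,WS40
1999-03-01,22:14:09,529,Administrator,WS40
1999-03-01,22:14:15,529,Administrator,WS40
1999-03-01,22:14:22,529,Administrator,WS40
1999-03-01,22:14:30,529,Administrator,WS40
1999-03-01,22:15:01,539,Administrator,WS40
1999-03-01,23:59:00,517,admin2,SERVER1
"""


def parse_log(text):
    """Return records with a datetime 'when' and an int 'event_id'."""
    records = []
    for row in csv.DictReader(io.StringIO(text)):
        row["when"] = datetime.strptime(row["date"] + " " + row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        records.append(row)
    return records


def failure_bursts(records, threshold=5, window_minutes=30):
    """Accounts with >= threshold failed logons inside one observation window."""
    window = timedelta(minutes=window_minutes)
    times = defaultdict(list)
    for r in records:
        if r["event_id"] == LOGON_FAILED:
            times[r["account"]].append(r["when"])
    bursts = {}
    for account, stamps in times.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):  # sliding window over sorted timestamps
            while stamps[end] - stamps[start] > window:
                start += 1
            if end - start + 1 >= threshold:
                bursts[account] = max(bursts.get(account, 0), end - start + 1)
    return bursts


def review_security_log(text, threshold=5, window_minutes=30):
    """Summarise the items the checklist asks the reviewer to look for."""
    records = parse_log(text)
    failures = Counter(r["account"] for r in records if r["event_id"] == LOGON_FAILED)
    return {
        "failures_by_account": dict(failures),
        "administrator_failures": failures.get("Administrator", 0),
        "bursts": failure_bursts(records, threshold, window_minutes),
        "lockouts": sorted({r["account"] for r in records if r["event_id"] == LOCKED_OUT}),
        "log_cleared": [r["when"].isoformat(sep=" ") for r in records if r["event_id"] == LOG_CLEARED],
    }


if __name__ == "__main__":
    for item, value in review_security_log(SAMPLE_LOG).items():
        print(f"{item:24} {value}")
```

Widening the window (for example to 300 minutes) also catches the slow run against bjones, which is the trade-off the Reset Count After x minutes setting controls.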

Fault-Tolerance and Backup Procedures

Fault-tolerant systems duplicate various hardware components and processes to guard against failures. Evaluate all fault-tolerant systems for proper installation and operation. Use the Disk Administrator utility (on the Start | Programs menu) to check disk systems and the UPS utility (on the Control Panel) to check the status of uninterruptible power supplies.
Confirm that appropriate
backup procedures exist to ensure full recovery of the
Windows NT Server operating system and user data by
following this section of the review program.
- Determine how often
full system backups are performed. Is the backup
schedule appropriate? If full system backups are
not performed, this is a security concern.
- Determine how user data files are backed up between full system backup dates. Incremental backups are generally considered the normal case. An incremental backup usually captures the changes made since the last incremental backup.
- For example:
A full system backup is performed each
Saturday. On Sunday through Friday,
incremental backups are performed on only
those system and data files that have
changed. Sunday's incremental will catch
any changes since Saturday's full system.
Monday's incremental will catch any
changes since Sunday's incremental, and
so forth.
- When incremental backups are not performed and reliance is placed only on a full system backup, there may be a security concern. A security concern would not be raised when:
- A full system backup is made every day.
- A full system backup is made every week and there are no changes by users, local applications, or remote systems between backups.
Since both exceptions are rare, a security concern is usually in order.
- Are files
safely transported to secure backup locations? Is
confidential information encrypted when stored
off-site?
- Confirm that the backup media is not left in the backup device unattended. How might backup compromise the confidentiality of files? Are all backups documented and cataloged?
- In Disk
Manager, evaluate whether disk mirroring or
striping is taking place to protect against
failed drives or hardware components.
- Confirm whether directory replication is being used. Ensure that the EXPORT and IMPORT directories have valid entries. Confirm the Replication account is a member of the Domain Users, Backup Operators and Replicator groups, and has the following values:
- Select "Password
Never Expires."
- Clear "User Must
Change Password At Next Logon."
- Clear "User Can
Not Change Password."
- Clear "Account
Disabled."
- Allow all hours for
logon.
- Do not define a user
profile or logon script.
- Grant the Replicator
account the Logon as a Service right.
- Check that an uninterruptible power supply (UPS) is installed and configured properly. The UPS protects data on a server from a power loss. To check the UPS, open the UPS utility on the Control Panel.
- Determine the users belonging to the Backup Operators group. Carefully evaluate whether you trust these users. Backup operators can access all areas of the system to back up and restore files.
- Ensure
that a Backup Domain Controller (BDC) is used.
- Was an Emergency Repair Disk (ERD) created during Windows NT setup? With it you can reload the Registry to restore the user accounts to what they were when you set up the system. This helps when the administrator forgets the account password.
- View the
Event Log to audit backup activities.
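The full-versus-incremental reasoning above is easy to misjudge by eye, so here is an added example (not part of the original review program) that models it: given a backup schedule and a list of file modifications, it reports which modifications no backup holds at the moment of a failure, and the longest gap between runs. The two schedules, the file activity and the Friday failure time are constructed, following the Saturday-full example in the text.

```python
"""Model what a full/incremental backup schedule can recover.

Added example for the backup review steps above; not part of the original
review program. The two schedules, the file modifications and the failure time
are constructed so the comparison can be run offline."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class BackupRun:
    when: datetime
    kind: str  # "full" copies every file; "incremental" copies files changed since the previous run


Change = Tuple[datetime, str]  # (modification time, file name)


def captured_versions(runs: List[BackupRun], changes: List[Change], as_of: datetime) -> Dict[str, datetime]:
    """Per file, the newest modification time that is on backup media as of `as_of`."""
    captured: Dict[str, datetime] = {}
    previous_run: Optional[datetime] = None
    for run in sorted(runs, key=lambda r: r.when):
        if run.when > as_of:
            break  # runs scheduled after the failure cannot help
        for name in sorted({n for _, n in changes}):
            mods = [t for t, n in changes if n == name and t <= run.when]
            if not mods:
                continue  # file did not exist yet
            newest = max(mods)
            # A full copies the file regardless; an incremental only if it changed since the previous run
            if run.kind == "full" or previous_run is None or newest > previous_run:
                captured[name] = newest
        previous_run = run.when
    return captured


def unrecoverable_changes(runs: List[BackupRun], changes: List[Change], failure_at: datetime) -> List[Change]:
    """Modifications made before `failure_at` that no backup taken before the failure holds."""
    on_media = captured_versions(runs, changes, failure_at)
    return sorted((t, n) for t, n in changes
                  if t <= failure_at and t > on_media.get(n, datetime.min))


def worst_case_exposure(runs: List[BackupRun]) -> timedelta:
    """Longest gap between consecutive runs: an upper bound on the work a single failure can lose."""
    times = sorted(r.when for r in runs)
    return max((b - a for a, b in zip(times, times[1:])), default=timedelta(0))


# Constructed schedules: Saturday 1 May 1999 is the weekly full in both cases
SATURDAY_FULL = datetime(1999, 5, 1, 22, 0)
WEEKLY_FULL_ONLY = [BackupRun(SATURDAY_FULL, "full"),
                    BackupRun(SATURDAY_FULL + timedelta(days=7), "full")]
FULL_PLUS_INCREMENTAL = (
    [BackupRun(SATURDAY_FULL, "full")]
    + [BackupRun(SATURDAY_FULL + timedelta(days=d), "incremental") for d in range(1, 7)]
    + [BackupRun(SATURDAY_FULL + timedelta(days=7), "full")]
)
# Constructed file activity during the week, then a disk failure on Friday midday
CHANGES: List[Change] = [
    (datetime(1999, 4, 30, 9, 0), "budget.xls"),
    (datetime(1999, 4, 30, 9, 0), "payroll.mdb"),
    (datetime(1999, 5, 3, 10, 0), "budget.xls"),
    (datetime(1999, 5, 5, 15, 0), "budget.xls"),
    (datetime(1999, 5, 6, 9, 0), "payroll.mdb"),
]
FAILURE = datetime(1999, 5, 7, 12, 0)

if __name__ == "__main__":
    for label, schedule in (("weekly full only", WEEKLY_FULL_ONLY),
                            ("weekly full + daily incremental", FULL_PLUS_INCREMENTAL)):
        lost = unrecoverable_changes(schedule, CHANGES, FAILURE)
        print(f"{label}: exposure {worst_case_exposure(schedule)}, "
              f"{len(lost)} modification(s) lost: {[n for _, n in lost]}")
```

With the weekly-full-only schedule every change made during the week is lost on a Friday failure; with daily incrementals the same failure loses only the changes since Thursday night. Replacing the constructed `CHANGES` list with modification times from a real file server (for example from a directory listing) turns the model into evidence for the "is the backup schedule appropriate?" question.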
The steps in this section
outline the security settings you check for standard
evaluation of a Windows NT system. Many of the settings
are checked in the User Manager. Keep in mind that these
recommendations may or may not be appropriate for your
environment.
- Confirm that the
system does not dual boot. Windows NT should be
the only operating system installed.
- Confirm that the OS/2
and POSIX subsystems are not installed.
- Confirm all drives on
the system are formatted for the NT File System,
not the FAT file system. To check drive status in
Windows NT 4.0, right-click on the drive and
choose Properties.
- One of the first things to check is the logon policies and restrictions, the "welcome mat" into the Windows NT Server. Are your users educated about password safety and appropriate use of the system? Do users read and sign a security policy?
- Review whether legal notices appear in Logon dialog boxes to indicate that only authorized users may access the system and that all activities may be monitored. Check the values LegalNoticeCaption and LegalNoticeText under the Registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
- Confirm that you
cannot boot from floppy drives. Otherwise,
someone can use a program such as NTFSDOS.EXE
under DOS to look at NTFS volumes.
- Confirm that the Shut Down button is disabled. Check that the Registry value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\ShutdownWithoutLogon is 0.
- Confirm that someone uses the Performance Monitor to monitor and track network activity.
- Obtain a list or
schematic diagram of the domains in the
organization. Identify the relevant domain
controllers and backup controllers.
- Document the domains
in the network using the User Manager for
Domains.
- Review how groups are
allocated to domains and vice versa.
- Review how domain
controllers are set up and where they are
located.
- Review all trust
relationships. Check Trust Relationships option
in the User Manager for Domains utility. Document
the trust relationships with other domains.
- Does your
organization have a central repository of
information on trust relationships? Identify the
procedures for keeping this information current.
- Verify that only administrators can access Server Manager, and only within their appropriate domain.
- Review whether services must be started under the System account. You can change the account a service runs under. The following services can run under an account other than the System account:
- ClipBook
- Directory Replicator
- Microsoft Domain Name
Service (DNS)
- Remote Access Server
- Remote Procedure Call
- Remote Procedure Call
Locator
- Schedule
- Spooler
- Telephony
- UPS
- Windows Internet Name
Service (WINS)
- Confirm
that all started services are necessary.
- Verify
that access to Server Manager is logged and
monitored.
- Confirm
that all servers are physically secure.
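Several of the checks in this section and in the auditing section come down to Registry values: the Winlogon legal notice and ShutdownWithoutLogon values cited above, the Security log's "Do Not Overwrite Events" setting, and the account each service runs under. As an added example (not part of the original review program), the following script parses a REGEDIT4 text export and lists the exceptions. The export is constructed. Assumptions not stated on the page: the Security log retention setting is the `Retention` DWORD under `HKLM\SYSTEM\CurrentControlSet\Services\EventLog\Security` (0xFFFFFFFF meaning "do not overwrite"), a service's account is its `ObjectName` value with `Start` = 4 meaning disabled, and the service key names `Replicator`, `Schedule`, `Spooler` and `UPS` are taken to correspond to four of the services listed above.

```python
"""Check a REGEDIT4 export of Windows NT settings against the review program.

Added example, not part of the original checklist. The export below is
constructed. Registry paths follow the review steps (Winlogon values); the
EventLog Retention, service ObjectName/Start semantics and service key names
are assumptions stated in the lead-in."""
import re
from typing import Dict, List

RegTree = Dict[str, Dict[str, object]]  # key path -> {value name: value}

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SECURITY_LOG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security"
SERVICES = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"
SERVICE_DISABLED = 4            # Start value for a disabled service (assumed)
NEVER_OVERWRITE = 0xFFFFFFFF    # Retention behind "Do Not Overwrite Events (Clear Log Manually)" (assumed)
# Service key names assumed for four of the services the checklist says can use a non-System account
CAN_USE_OWN_ACCOUNT = {"Replicator": "Directory Replicator", "Schedule": "Schedule",
                       "Spooler": "Spooler", "UPS": "UPS"}

# Constructed REGEDIT4 export; backslashes inside strings are doubled as regedit writes them
SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"LegalNoticeCaption"="Authorized Use Only"
"LegalNoticeText"="Use of this system is restricted to authorized users. Activity may be monitored."
"ShutdownWithoutLogon"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"Retention"=dword:00000000
"MaxSize"=dword:00080000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Spooler]
"ObjectName"="LocalSystem"
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"ObjectName"="LocalSystem"
"Start"=dword:00000004

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Replicator]
"ObjectName"="EXAMPLEDOM\\replsvc"
"Start"=dword:00000002
"""


def parse_reg_export(text: str) -> RegTree:
    """Parse the REGEDIT4 text format: [key] headers followed by "name"=value lines."""
    tree: RegTree = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            tree.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or current is None:
            continue
        name, rest = m.group(1), m.group(2)
        if rest.startswith("dword:"):
            tree[current][name] = int(rest[6:], 16)
        elif rest.startswith('"') and rest.endswith('"'):
            # .reg strings escape quote and backslash with a backslash
            tree[current][name] = rest[1:-1].replace('\\"', '"').replace("\\\\", "\\")
        else:
            tree[current][name] = rest  # other types (hex:, @=) kept raw
    return tree


def review_findings(tree: RegTree) -> List[str]:
    """Exceptions against the review steps; an empty list means all checked values conform."""
    findings: List[str] = []
    lookup = {k.lower(): v for k, v in tree.items()}  # key paths are case-insensitive
    wl = lookup.get(WINLOGON.lower(), {})
    if not (wl.get("LegalNoticeCaption") and wl.get("LegalNoticeText")):
        findings.append("Winlogon: no legal notice caption/text configured")
    if str(wl.get("ShutdownWithoutLogon", "")) != "0":
        findings.append("Winlogon: ShutdownWithoutLogon is not 0 (Shut Down button available)")
    if lookup.get(SECURITY_LOG.lower(), {}).get("Retention") != NEVER_OVERWRITE:
        findings.append("Security log: Retention is not 'Do Not Overwrite Events (Clear Log Manually)'")
    for path, values in tree.items():
        if not path.lower().startswith(SERVICES.lower()):
            continue
        svc = path[len(SERVICES):]
        if "\\" in svc or values.get("Start") == SERVICE_DISABLED:
            continue  # subkey (e.g. EventLog\Security) or disabled service
        if svc in CAN_USE_OWN_ACCOUNT and values.get("ObjectName") == "LocalSystem":
            findings.append(f"Service {CAN_USE_OWN_ACCOUNT[svc]} ({svc}) runs as LocalSystem "
                            "but can use a dedicated account")
    return findings


if __name__ == "__main__":
    for finding in review_findings(parse_reg_export(SAMPLE_REG)):
        print(finding)
```

Export the keys with regedit on the server under review and run the script on the file; the three findings the constructed sample produces (Shut Down button enabled, Security log set to overwrite, Spooler running as System) are exactly the kind of exception the review steps above ask you to record.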