Hardening Windows NT Workstation
- Install Windows NT on a clean hard disk (use Fdisk to remove all
partitions). Make sure the version is the 128-bit US version. Make sure you
use NTFS on all partitions.
- Install the latest service pack (currently version 6a), 128-bit version.
- Implement the System Key and strong encryption of the password database by
running C:\WINNT\SYSKEY.EXE. Also enforce use of a Floppy System Key for boot
up if deemed necessary.
- Install and run Passprop.exe from the NT Resource Kit to enforce strong
passwords and Administrator account lockout.
- Remove the Serial port devices under Control Panel | Ports
- Remove the LPT port under Control Panel | Devices
- Remove or disable the Parallel and Parport device drivers
- Implement a Hardware Power On password.
Implement the following file level security:
FILE PERMISSIONS (directory or file, followed by its permissions):

\ (this is the root directory, C:\)
    Administrators: Full Control
    System: Full Control
    Authenticated Users: Read

\Boot.ini
\Ntdetect.com
\Ntldr
    Administrators: Full Control
    System: Full Control
    Authenticated Users: Read

\Autoexec.bat
\Config.sys
    Administrators: Full Control
    System: Full Control
    Power Users: Change
    Authenticated Users: Read

\TEMP
    Administrators: Full Control
    Creator Owner: Full Control
    System: Full Control
    Power Users: Change
    Authenticated Users: Special Directory Access - Read, Write, Execute;
                         Special File Access - None

\WINNT and all subdirectories
    Administrators: Full Control
    Creator Owner: Full Control
    Authenticated Users: Read, Execute

\WINNT\Repair
    Administrators: Full Control

\WINNT\System32\config
    Administrators: Full Control
    Creator Owner: Full Control
    System: Full Control
    Power Users: Change
    Authenticated Users: List

\WINNT\System32\spool
    Administrators: Full Control
    Creator Owner: Full Control
    System: Full Control
    Power Users: Change
    Authenticated Users: Read

\WINNT\Cookies
\WINNT\Forms
\WINNT\History
\WINNT\OCCache
\WINNT\Profiles
\WINNT\Sendto
\WINNT\Temporary Internet Files
\WINNT\Downloaded Program Files
    Administrators: Full Control
    Creator Owner: Full Control
    System: Full Control
    Authenticated Users: Special Directory Access - Read, Write, Execute;
                         Special File Access - None
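A permission table like the one above is only useful if it is re-checked after every install or service pack. The script below is an added example (not part of the original checklist): it parses the output of `cacls` for a few of the paths in the table and reports missing entries, wrong access levels and unexpected accounts such as Everyone. The listing format (path, a space, then one "account:perm" per line with continuation lines indented) and the account spellings (BUILTIN\Administrators, NT AUTHORITY\SYSTEM, NT AUTHORITY\Authenticated Users, BUILTIN\Power Users) are assumptions about how cacls prints them; verify against your own output. The sample listing is constructed.

```python
"""Compare cacls-style ACL listings with the file-permission table above.

Added example, not part of the original checklist.  Assumed listing format (the
one `cacls <path>` prints; verify on your system):
  <path> <account>:<perm>
         <account>:<perm>
with perm F (Full Control), C (Change) or R (Read).
Usage: cacls C:\boot.ini > acl.txt ; python acl_audit.py acl.txt
Without an argument the constructed sample listing is audited.
"""
import re
import sys

# Expected ACLs for three entries of the table above, spelled the way cacls is
# assumed to report the accounts.
EXPECTED_ACLS = {
    r"C:\boot.ini": {
        r"BUILTIN\Administrators": "F",
        r"NT AUTHORITY\SYSTEM": "F",
        r"NT AUTHORITY\Authenticated Users": "R",
    },
    r"C:\Autoexec.bat": {
        r"BUILTIN\Administrators": "F",
        r"NT AUTHORITY\SYSTEM": "F",
        r"BUILTIN\Power Users": "C",
        r"NT AUTHORITY\Authenticated Users": "R",
    },
    r"C:\WINNT\Repair": {r"BUILTIN\Administrators": "F"},
}

# One ACE as printed: "<account>:<F|C|R|N>" or "<account>:(special access:)"
_ACE = re.compile(r"^(.+):(F|C|R|N|\(special access:\))$")


def parse_cacls(text):
    """Return {path: {account: perm}} for every expected path found in the listing.
    A non-indented line starts a new path; indented lines continue the previous one."""
    acls, path = {}, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line.strip():
            continue
        if not line[0].isspace():
            # Paths may contain spaces (e.g. \WINNT\Temporary Internet Files), so
            # match the start of the line against the paths being audited instead
            # of splitting on the first space.
            path = next((p for p in EXPECTED_ACLS
                         if line.lower().startswith(p.lower() + " ")), None)
            if path is None:
                continue
            acls.setdefault(path, {})
            line = line[len(path) + 1:]
        elif path is None:
            continue
        m = _ACE.match(line.strip())
        if m:
            acls[path][m.group(1)] = m.group(2)
    return acls


def audit_acls(acls):
    """Return {path: [finding, ...]}; an empty list means the path matches the table."""
    report = {}
    for path, want in EXPECTED_ACLS.items():
        findings = []
        have = acls.get(path)
        if have is None:
            findings.append("not in listing")
        else:
            for account, perm in want.items():
                if account not in have:
                    findings.append(f"missing {account}:{perm}")
                elif have[account] != perm:
                    findings.append(f"{account} is {have[account]}, want {perm}")
            for account in have.keys() - want.keys():
                findings.append(f"unexpected {account}:{have[account]}")
        report[path] = findings
    return report


# Constructed sample listing: boot.ini still grants Everyone read and lacks the
# Authenticated Users entry; Repair is correct; Autoexec.bat was not listed at all.
SAMPLE_LISTING = r"""C:\boot.ini BUILTIN\Administrators:F
            NT AUTHORITY\SYSTEM:F
            Everyone:R
C:\WINNT\Repair BUILTIN\Administrators:F
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LISTING
    for path, findings in audit_acls(parse_cacls(text)).items():
        print(path, "OK" if not findings else "; ".join(findings))
```

Extend EXPECTED_ACLS with the remaining rows of the table once you have confirmed the account names and special-access notation your cacls version prints; entries using "Special Directory Access" will show up as "(special access:)" and need their own comparison rather than a single letter.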
Services:
Disable or remove the following Services:
- Alerter
- Clipbook Server
- Computer Browser
- DHCP Client
- Directory Replicator
- Messenger
- Remote Procedure Call Locator
- SNMP Trap Service
- Spooler (make sure "Print directly to the printer" is checked in the Printer
Properties box)
- TCP/IP NetBIOS helper
- Telephony Service
Protocols:
- Make sure only TCP/IP is loaded.
- Under the TCP/IP Properties Advanced settings, make sure security is enabled
and disable all unnecessary ports.
- In the bindings, disable the NetBIOS Interface, Server and Workstation
services from the WINS client.
Policies:
Under User Manager | Policies | Accounts
- Rename the Administrator account and lock it out.
- Create a new account with full administrative privileges.
- Utilize the following account restrictions:
- Password expires in 30 days
- Minimum password length 10 characters
- Account lockout after 5 attempts.
- Reset count after 30 minutes.
- Account lockout forever
- User must log on to change password
- Allow changes in 1 day
- Remember last 5 passwords
Under User Manager | Policies | User Rights:
- Remove all users from "Access this computer from the network"
- Only Authenticated Users can "Bypass traverse checking"
- Remove all users from "Force shutdown from a remote system"
- "Log on locally" is restricted to Authenticated Users and Administrators
(remove all other access)
- "Shut down the system" is restricted to Authenticated Users and
Administrators
Under User Manager | Policies | Audit
Audit the following events:
- Logon and Logoff Success and Failure
- File and Object access Failure
- User and group Management Success and Failure
- Security policy Changes Success and Failure
- Restart, Shutdown and System Failure
The Registry:
Display legal notices at logon by editing the following keys:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Key Name: LegalNoticeCaption
- Data Type: REG_SZ
- Value: Legal Notice!
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Key Name: LegalNoticeText
- Data Type: REG_SZ
- Value: This system is for authorized users only! Unauthorized use is subject
to prosecution. All activity on this machine is being logged.
Hide the name of the last user to log on:
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon
- Key Name: DontDisplayLastUserName
- Data Type: REG_SZ
- Value: 1
Restrict Anonymous Access to the Registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Key Name: RestrictAnonymous
- Data Type: REG_DWORD
- Value: 1
Also create the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\SecurePipeServers\winreg
Enable SMB signing
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Rdr\Parameters
Add the following two keys:
- Key Name: EnableSecuritySignature
- Data Type: REG_DWORD
- Value: 1
- Key Name: RequireSecuritySignature
- Data Type: REG_DWORD
- Value: 1
Hide the machine in Network Neighborhood
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Key Name: Hidden
- Data Type: REG_DWORD
- Value: 1
Disable Default Admin Shares
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Key Name: EnableSharedNetDrives
- Data Type: REG_DWORD
- Value: 0
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
- Key Name: AutoAdminWKS
- Data Type: REG_DWORD
- Value: 0
Disable LanMan Password Hash support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Key Name: LMCompatibilityLevel
- Data Type: REG_DWORD
- Value: 2
Erase Pagefile on Clean Shutdown
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
- Key Name: ClearPageFileAtShutdown
- Data Type: REG_DWORD
- Value: 1
Allocate Floppies and CD-ROMs
Create the following keys:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Key Name: AllocateFloppies
- Data Type: REG_SZ
- Value: 1
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
- Key Name: AllocateCDRoms
- Data Type: REG_SZ
- Value: 1
Disable AutoRun on CDs
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom
- Key Name: Autorun
- Data Type: REG_DWORD
- Value: 0
Enable Full Privilege Auditing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Key Name: FullPrivilegeAuditing
- Data Type: REG_BINARY
- Value: 1
Restrict Event Log Access
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application
- Key Name: RestrictGuestAccess
- Data Type: REG_DWORD
- Value: 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security
- Key Name: RestrictGuestAccess
- Data Type: REG_DWORD
- Value: 1
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System
- Key Name: RestrictGuestAccess
- Data Type: REG_DWORD
- Value: 1
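Once these values are set they should be verified rather than trusted, since a later service pack or application install can silently reset them. The script below is an added example (not part of the original checklist): it parses a `.reg` export produced by `regedit /e`, accepting either the REGEDIT4 or the "Windows Registry Editor Version 5.00" header, and reports each value from this section as ok, mismatch (present but not the hardened value) or missing. The EXPECTED table covers the values above whose names and types I can confirm; the admin-share entries are left for you to add. The key paths use "Windows NT" with a space, which is how Windows spells the Winlogon key. The sample export is constructed.

```python
"""Audit a registry export (.reg) against the hardening values listed above.

Added example, not part of the original checklist.  Export the keys with
`regedit /e dump.reg HKEY_LOCAL_MACHINE` (or one key at a time) and run
`python reg_audit.py dump.reg`; without an argument the constructed sample runs.
"""
import re
import sys

# Expected hardened values, copied from the registry section above.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
RDR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
MEMMGMT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
CDROM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom"
EVENTLOG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog"

EXPECTED = [
    (WINLOGON, "DontDisplayLastUserName", "REG_SZ", "1"),
    (WINLOGON, "AllocateFloppies", "REG_SZ", "1"),
    (WINLOGON, "AllocateCDRoms", "REG_SZ", "1"),
    (LSA, "RestrictAnonymous", "REG_DWORD", 1),
    (LSA, "LMCompatibilityLevel", "REG_DWORD", 2),
    (LSA, "FullPrivilegeAuditing", "REG_BINARY", b"\x01"),
    (RDR, "EnableSecuritySignature", "REG_DWORD", 1),
    (RDR, "RequireSecuritySignature", "REG_DWORD", 1),
    (LANMAN, "Hidden", "REG_DWORD", 1),
    (MEMMGMT, "ClearPageFileAtShutdown", "REG_DWORD", 1),
    (CDROM, "Autorun", "REG_DWORD", 0),
] + [(EVENTLOG + "\\" + log, "RestrictGuestAccess", "REG_DWORD", 1)
     for log in ("Application", "Security", "System")]

# "name"=data, or @=data for the key's default value
_VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    """Undo the .reg backslash escaping (\\" and \\\\)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text):
    """Parse a .reg export into {(key_path_lower, value_name_lower): (type, value)}.
    REG_SZ, REG_DWORD and REG_BINARY (the types the checklist uses) are decoded;
    other types are kept raw.  Key and value names are lowercased because the
    registry compares them case-insensitively."""
    values, key, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        if line.endswith("\\"):           # hex data continued on the next line
            pending = line[:-1]
            continue
        m = _VALUE_LINE.match(line)
        if key is None or not m:
            continue
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        data = m.group(2)
        if data.startswith('"') and data.endswith('"'):
            parsed = ("REG_SZ", _unescape(data[1:-1]))
        elif data.startswith("dword:"):
            parsed = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith("hex:"):
            parsed = ("REG_BINARY", bytes(int(b, 16) for b in data[4:].split(",") if b))
        else:
            parsed = ("OTHER", data)
        values[(key, name.lower())] = parsed
    return values


def audit(values):
    """Compare against EXPECTED; returns [(status, key, name, found)] with status
    'ok', 'missing' or 'mismatch'."""
    report = []
    for key, name, vtype, want in EXPECTED:
        found = values.get((key.lower(), name.lower()))
        if found is None:
            status = "missing"
        elif found == (vtype, want):
            status = "ok"
        else:
            status = "mismatch"
        report.append((status, key, name, found))
    return report


def summarize(report):
    counts = {"ok": 0, "mismatch": 0, "missing": 0}
    for status, *_ in report:
        counts[status] += 1
    return counts


# Constructed sample export: RestrictAnonymous is set, LMCompatibilityLevel is
# still 0 (LM hashes accepted), and most other values have not been created yet.
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"LMCompatibilityLevel"=dword:00000000
"FullPrivilegeAuditing"=hex:01

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"LegalNoticeCaption"="Legal Notice!"
"""

if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    report = audit(parse_reg_export(text))
    for status, key, name, found in report:
        print(f"{status:8} {key}\\{name}" + ("" if found is None else f" = {found}"))
    print(summarize(report))
```

A "missing" result is as important as a mismatch: values such as RestrictAnonymous and the RequireSecuritySignature pair do not exist until you create them, so a fresh install shows the insecure default even though no wrong value is present.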
Double Checking:
- Run the C2 Level Configuration tool from the Resource Kit and implement all
recommendations except removing Network Services, File System security and Halt
on Audit Failure. Make sure the OS/2 and POSIX subsystems are removed.