Last Updated: 3-Nov-1999
IMPORTANT: This article contains information about editing the registry.
Before you edit the registry, make sure you understand how to restore it if a problem
occurs. For information about how to do this, view the "Restoring the
Registry" Help topic in Regedit.exe or the "Restoring a Registry
Key" Help topic in Regedt32.exe.
Having a security policy is paramount. You need ready answers to questions like:
- How do we react to a break-in?
- Where are the backups stored?
- Who is allowed to access the server?
Good sources of policy information are the SANS Institute, Baseline Software, Inc. and the book Practical Unix & Internet Security.
The IIS4 Resource Kit security chapter covers many aspects of Windows NT and IIS security.
At the time of writing, Windows NT 4.0 SP5 is the latest Service Pack and is recommended for secure IIS4 sites. Review all Microsoft Security Bulletins and then check for post-Service Pack hot-fixes for Windows NT, IIS and Certificate Server. Also review the latest Microsoft Security News. Note that reapplying a Service Pack overwrites hot-fixed files, so hot-fixes must be reinstalled after any Service Pack install.
You should also consider placing a 'favorites shortcut' to the Microsoft Security Advisor Program. To do so, follow these steps:
- Open Internet Explorer on your desktop
- Navigate to http://www.microsoft.com/security
- Select Favorites on the menu, then choose Add to Favorites
- Check 'Make Available Offline'
- Select Customize | Next | Yes (links to other pages) | '2' links deep
- Next | Select 'I would like to create a new schedule' | use the defaults | finish
- OK
- Select Favorites on the menu, then choose Organize Favorites
- Select Properties | Download | uncheck 'Follow links outside of this page's Web site'
- OK
- Close
If you now click on the Favorites icon in the toolbar, you can drag the 'Microsoft Security Advisor Program' link to your desktop. A small red mark will appear on the icon when there is new security news.
Because NTFS supports Access Control Lists you can set security policy in Windows NT itself rather than scatter it across applications. If you are using FAT you can convert to NTFS with CONVERT.EXE (convert C: /FS:NTFS; the system volume is converted at the next reboot). A converted volume starts out with Everyone: Full Control on its files, so apply proper ACLs immediately afterwards.
There are many references for what the appropriate ACLs should be, such as the IIS4 Resource Kit and Windows NT Security Guidelines, a study for NSA Research by Trusted Systems Services Inc.
NTFS can auto-generate 8.3 names for backward compatibility with 16-bit applications. As 16-bit applications should not be used on a secure web server, 8.3 name generation can be safely turned off; there is also a performance benefit. Note that the setting only affects files created after the change: existing files keep any short name they already have, so apply it before populating the web root. To turn off 8.3 name generation set the following registry entry:
Hive:  HKEY_LOCAL_MACHINE\SYSTEM
Key:   \CurrentControlSet\Control\FileSystem
Name:  NtfsDisable8dot3NameCreation
Type:  REG_DWORD
Value: 1
Generally you should install the IIS server as a standalone server (not a domain controller or domain member), as this minimizes any possible exposure of domain user accounts.
OS/2 and POSIX subsystems removed
Remove these subsystems by performing the following registry actions:
Hive:   HKEY_LOCAL_MACHINE\SOFTWARE
Key:    \Microsoft\OS/2 Subsystem for NT
Action: Delete all subkeys

Hive:   HKEY_LOCAL_MACHINE\SYSTEM
Key:    \CurrentControlSet\Control\Session Manager\Environment
Name:   Os2LibPath
Action: Delete the value

Hive:   HKEY_LOCAL_MACHINE\SYSTEM
Key:    \CurrentControlSet\Control\Session Manager\SubSystems
Name:   Optional
Action: Delete the value

Hive:   HKEY_LOCAL_MACHINE\SYSTEM
Key:    \CurrentControlSet\Control\Session Manager\SubSystems
Name:   Posix and Os2
Action: Delete both values

Then delete the \winnt\system32\os2 directory and all subdirectories. The changes take effect on the next reboot. A Service Pack install puts the subsystem files back, so repeat this step after applying one.
Run NET SHARE from the command line to list every share, and delete all of them with NET SHARE sharename /DELETE. Deleting the administrative shares this way only lasts until the next reboot, so also prevent them (C$, D$, ADMIN$) from being recreated by setting the following in the Registry (IPC$ is not affected by this setting; null-session use of it is addressed by RestrictAnonymous below):
Hive:  HKEY_LOCAL_MACHINE\SYSTEM
Key:   \CurrentControlSet\Services\LanmanServer\Parameters
Name:  AutoShareServer
Type:  REG_DWORD
Value: 0
Go to Control Panel | System | Startup/Shutdown and set "Show list for" to zero seconds, so the boot loader does not pause at the console offering alternative boot options.
Set the following in the Registry to hide the name of the last user that logged on:
Hive:  HKEY_LOCAL_MACHINE\SOFTWARE
Key:   \Microsoft\Windows NT\CurrentVersion\Winlogon
Name:  DontDisplayLastUserName
Type:  REG_SZ
Value: 1
Set the following in the Registry to display a legal notice about the use of this computer before the logon dialog:
Hive:  HKEY_LOCAL_MACHINE\SOFTWARE
Key:   \Microsoft\Windows NT\CurrentVersion\Winlogon
Name:  LegalNoticeCaption
Type:  REG_SZ
Value: Whatever you want for the title of the message box

Hive:  HKEY_LOCAL_MACHINE\SOFTWARE
Key:   \Microsoft\Windows NT\CurrentVersion\Winlogon
Name:  LegalNoticeText
Type:  REG_SZ
Value: Whatever you want for the text of the message box
Set passwords to at least nine characters. Windows NT also stores a LAN Manager (LM) hash of every password: the password is upper-cased, padded to 14 characters and split into two 7-character halves that are hashed independently, so each half can be cracked on its own and a short second half falls almost immediately. Use punctuation and other non-alphabetic characters in the first 7 characters, since that is where most of the strength of a password of up to 14 characters actually lies.
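Why the first seven characters carry the weight, shown as an added example that is not part of the original article: the PowerShell below computes the LM hash the way Windows NT does (upper-case, NUL-pad to 14 bytes, split into two 7-byte halves, DES-encrypt the constant "KGS!@#$%" with each half as the key) and reports how many characters each independently cracked half really contains. The function names are my own; the ASCII conversion (real NT uses the OEM code page) and the hard-coded constant for an all-NUL half are simplifications noted in the comments.

```powershell
# Added example, not from the original article: compute an NT4 LM hash to show
# that everything after the seventh character is hashed separately.
function ConvertTo-DesKey {
    # Spread 7 bytes (56 key bits) over 8 bytes, one DES parity slot per byte (parity bit left 0).
    param([byte[]]$Half7)
    $k = New-Object byte[] 8
    $k[0] = $Half7[0] -shr 1
    $k[1] = (($Half7[0] -band 0x01) -shl 6) -bor ($Half7[1] -shr 2)
    $k[2] = (($Half7[1] -band 0x03) -shl 5) -bor ($Half7[2] -shr 3)
    $k[3] = (($Half7[2] -band 0x07) -shl 4) -bor ($Half7[3] -shr 4)
    $k[4] = (($Half7[3] -band 0x0F) -shl 3) -bor ($Half7[4] -shr 5)
    $k[5] = (($Half7[4] -band 0x1F) -shl 2) -bor ($Half7[5] -shr 6)
    $k[6] = (($Half7[5] -band 0x3F) -shl 1) -bor ($Half7[6] -shr 7)
    $k[7] = $Half7[6] -band 0x7F
    for ($i = 0; $i -lt 8; $i++) { $k[$i] = [byte](($k[$i] -shl 1) -band 0xFE) }
    return ,$k
}

function Get-LmHalfHash {
    # DES-ECB encrypt the fixed string "KGS!@#$%" under the key derived from one 7-byte half.
    param([byte[]]$Half7)
    if (($Half7 | Measure-Object -Sum).Sum -eq 0) {
        # An all-NUL half (password shorter than 8 characters) always hashes to AAD3B435B51404EE.
        # .NET refuses the all-zero DES key as a known weak key, so return the constant directly.
        return ,[byte[]](0xAA, 0xD3, 0xB4, 0x35, 0xB5, 0x14, 0x04, 0xEE)
    }
    $des = [System.Security.Cryptography.DES]::Create()
    $des.Mode    = [System.Security.Cryptography.CipherMode]::ECB
    $des.Padding = [System.Security.Cryptography.PaddingMode]::None
    $des.Key     = (ConvertTo-DesKey $Half7)
    $enc = $des.CreateEncryptor()
    try {
        $magic = [System.Text.Encoding]::ASCII.GetBytes('KGS!@#$%')
        $out = $enc.TransformFinalBlock($magic, 0, $magic.Length)
        return ,$out
    }
    finally { $enc.Dispose(); $des.Dispose() }
}

function Get-LmHash {
    param([Parameter(Mandatory)][string]$Password)
    # LM upper-cases the password, truncates to 14 and NUL-pads. Real NT uses the OEM code page;
    # ASCII is used here for simplicity (identical for the usual printable characters).
    $upper = $Password.ToUpperInvariant()
    if ($upper.Length -gt 14) { $upper = $upper.Substring(0, 14) }
    $buf = New-Object byte[] 14
    $null = [System.Text.Encoding]::ASCII.GetBytes($upper, 0, $upper.Length, $buf, 0)
    $first  = [byte[]]$buf[0..6]
    $second = [byte[]]$buf[7..13]
    $hash   = [byte[]]((Get-LmHalfHash $first) + (Get-LmHalfHash $second))
    [pscustomobject]@{
        Password          = $Password
        LmHash            = ([BitConverter]::ToString($hash) -replace '-')
        # Each half is cracked on its own, so these are the two sizes an attacker actually faces.
        CharsInFirstHalf  = [Math]::Min($upper.Length, 7)
        CharsInSecondHalf = [Math]::Max($upper.Length - 7, 0)
    }
}

Get-LmHash 'password'; Get-LmHash 'Passw0rd!'; Get-LmHash 'Str0ng!Passw0rd'
```

The widely published LM hash of "password" is E52CAC67419A9A224A3B108F3FA6CB6D, which you can use to check the implementation: the second eight bytes, 4A3B108F3FA6CB6D, cover only the letter D. A nine-character password leaves an attacker a two-character second half, and any half that is all NULs shows the tell-tale AAD3B435B51404EE, which is why the non-alphabetic characters belong in the first seven positions.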
Set the following value in the Registry to remove the shutdown option from the logon dialog:
Hive:  HKEY_LOCAL_MACHINE\SOFTWARE
Key:   \Microsoft\Windows NT\CurrentVersion\Winlogon
Name:  ShutdownWithoutLogon
Type:  REG_SZ
Value: 0
Minimize the number of users and groups on the server and keep group membership small. Only the most trusted accounts should be in the Administrators group (and in Domain Admins, if the server is a domain member). Also be wary of privileges given to users and groups beyond the default. You can review privileges by opening User Manager | Policies | User Rights and checking "Show Advanced User Rights" to see the full list. A complete list of recommended user rights is detailed in the IIS4 Resource Kit.
Note, three particularly powerful rights are:
- Debug programs
- Act as part of the operating system
- Back up files and directories (and its companion, Restore files and directories, which can overwrite any file regardless of its ACL)
Scrutinize accounts with these rights.
SYSKEY, a tool introduced in Windows NT4 SP3, provides an extra safeguard for the SAM database. Refer to Q143475 for further details.
Rename the built-in Administrator account. While this is an example of "security through obscurity", it is an extra step an attacker must take to determine the admin account. Consider adding a 'fake' account named Administrator to help detect account attacks: give it no rights and a long random password, and carefully audit its use.
Note: nbtstat -a <server> lists the server's NetBIOS name table, which includes the name of the currently logged-on user, so the renamed account is revealed to anyone on the network while an administrator is logged on at the console.
Normally the Administrator account cannot be locked out when an attacker attempts to guess its password. PASSPROP, a tool in the Windows NT Resource Kit, changes this. After running the following command the Administrator account is locked out if an attacker attempts a brute-force or dictionary attack over the network, while the administrator can still log on locally at the server console:
passprop /adminlockout
Make sure the admin account has a very difficult to guess password and change it frequently.
The Registry Editor supports remote access to the Windows NT registry. To restrict network access to the registry, use the Registry Editor to create the following registry key:
Hive:  HKEY_LOCAL_MACHINE\SYSTEM
Key:   \CurrentControlSet\Control\SecurePipeServers\winreg
The security permissions (ACLs) set on the winreg key define which users or groups can connect to the system for remote registry access; if the key does not exist, remote access is limited only by the ACLs on the individual keys. Paths listed under winreg\AllowedPaths remain reachable remotely regardless of the winreg ACL, so review that list as well.
Windows NT allows non-authenticated users (null sessions) to enumerate the users and shares on a Windows NT domain or server. If you do not want this functionality, set the following in the Registry:
Hive:  HKEY_LOCAL_MACHINE\SYSTEM
Key:   \CurrentControlSet\Control\Lsa
Name:  RestrictAnonymous
Type:  REG_DWORD
Value: 1
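To verify the registry settings recommended so far on a running host, here is an added read-only audit script in PowerShell; it is not code from the original article. It checks the 8.3, AutoShareServer, Winlogon and RestrictAnonymous values and the OS/2 and POSIX subsystem entries that should be gone, and compares the value type as well as the data because NT4 Winlogon reads its settings as REG_SZ. It uses the .NET registry classes rather than the HKLM: drive because the key name "OS/2 Subsystem for NT" contains a slash that the PowerShell provider would treat as a path separator. The function name and the status strings are my own. Run it from an Administrator prompt.

```powershell
# Added example, not from the original article: read-only audit of the registry
# entries this checklist asks for. Nothing is written to the registry.
$Checks = @(
    # Hive, Key, Name, Kind, Expected ($null = any non-empty data; 'ABSENT' = must not exist).
    # Name = $null means the check is about the key itself (it must have no subkeys).
    @{ Hive='SYSTEM';   Key='CurrentControlSet\Control\FileSystem';               Name='NtfsDisable8dot3NameCreation'; Kind='DWord';  Expected=1 }
    @{ Hive='SYSTEM';   Key='CurrentControlSet\Services\LanmanServer\Parameters'; Name='AutoShareServer';              Kind='DWord';  Expected=0 }
    @{ Hive='SOFTWARE'; Key='Microsoft\Windows NT\CurrentVersion\Winlogon';       Name='DontDisplayLastUserName';      Kind='String'; Expected='1' }
    @{ Hive='SOFTWARE'; Key='Microsoft\Windows NT\CurrentVersion\Winlogon';       Name='ShutdownWithoutLogon';         Kind='String'; Expected='0' }
    @{ Hive='SOFTWARE'; Key='Microsoft\Windows NT\CurrentVersion\Winlogon';       Name='LegalNoticeCaption';           Kind='String'; Expected=$null }
    @{ Hive='SOFTWARE'; Key='Microsoft\Windows NT\CurrentVersion\Winlogon';       Name='LegalNoticeText';              Kind='String'; Expected=$null }
    @{ Hive='SYSTEM';   Key='CurrentControlSet\Control\Lsa';                      Name='RestrictAnonymous';            Kind='DWord';  Expected=1 }
    @{ Hive='SYSTEM';   Key='CurrentControlSet\Control\Session Manager\Environment'; Name='Os2LibPath'; Kind=$null; Expected='ABSENT' }
    @{ Hive='SYSTEM';   Key='CurrentControlSet\Control\Session Manager\SubSystems'; Name='Optional';   Kind=$null; Expected='ABSENT' }
    @{ Hive='SYSTEM';   Key='CurrentControlSet\Control\Session Manager\SubSystems'; Name='Posix';      Kind=$null; Expected='ABSENT' }
    @{ Hive='SYSTEM';   Key='CurrentControlSet\Control\Session Manager\SubSystems'; Name='Os2';        Kind=$null; Expected='ABSENT' }
    @{ Hive='SOFTWARE'; Key='Microsoft\OS/2 Subsystem for NT';                       Name=$null;        Kind=$null; Expected='ABSENT' }
)

function Test-HardeningEntry {
    param([hashtable]$Check)
    $path = "$($Check.Hive)\$($Check.Key)"
    $key  = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($path)   # $null when the key is missing
    $r = [ordered]@{ Key = "HKLM\$path"; Name = $Check.Name; Expected = $Check.Expected; Actual = $null; Status = '' }
    $mustBeAbsent = ("$($Check.Expected)" -eq 'ABSENT')
    try {
        if ($null -eq $Check.Name) {
            # Key-level check: the article says to delete all subkeys under the OS/2 key.
            $n = if ($key) { $key.SubKeyCount } else { 0 }
            $r.Actual = "$n subkeys"
            $r.Status = if ($n -eq 0) { 'OK' } else { 'NON-COMPLIANT' }
        }
        elseif ($null -eq $key) {
            $r.Status = if ($mustBeAbsent) { 'OK' } else { 'KEY MISSING' }
        }
        elseif ($key.GetValueNames() -notcontains $Check.Name) {
            $r.Status = if ($mustBeAbsent) { 'OK' } else { 'VALUE MISSING' }
        }
        elseif ($mustBeAbsent) {
            $r.Actual = $key.GetValue($Check.Name)
            $r.Status = 'NON-COMPLIANT (still present)'
        }
        else {
            $r.Actual = $key.GetValue($Check.Name)
            $kind = $key.GetValueKind($Check.Name).ToString()
            # A REG_DWORD where NT4 expects REG_SZ (or vice versa) is silently ignored by the reader,
            # so a value of the wrong type is reported even when the data looks right.
            if ($kind -ne $Check.Kind)                  { $r.Status = "WRONG TYPE ($kind, want $($Check.Kind))" }
            elseif ($null -eq $Check.Expected)          { $r.Status = if ("$($r.Actual)".Length) { 'OK' } else { 'EMPTY' } }
            elseif ("$($r.Actual)" -eq "$($Check.Expected)") { $r.Status = 'OK' }
            else                                        { $r.Status = 'NON-COMPLIANT' }
        }
    }
    finally { if ($key) { $key.Close() } }
    [pscustomobject]$r
}

$Checks | ForEach-Object { Test-HardeningEntry $_ } |
    Format-Table Key, Name, Expected, Actual, Status -AutoSize -Wrap
```

The script is written against the NT4 layout the article describes. On a current Windows version several of the Winlogon values are stored as REG_DWORD and the subsystem keys no longer exist, so expect WRONG TYPE rows there and OK for the absence checks; treat anything reported as NON-COMPLIANT or MISSING as an item to fix by hand with the registry editor.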
The following registry keys should be tightly ACL'd and monitored, as write access to any of them can be used to launch trojan programs (the Run keys start programs at logon, AeDebug names the debugger launched when a program crashes, and Winlogon names the shell and logon components):
Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key:  \Microsoft\Windows\CurrentVersion\Run

Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key:  \Microsoft\Windows\CurrentVersion\RunOnce

Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key:  \Microsoft\Windows\CurrentVersion\RunOnceEx

Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key:  \Microsoft\Windows NT\CurrentVersion\AeDebug

Hive: HKEY_LOCAL_MACHINE\SOFTWARE
Key:  \Microsoft\Windows NT\CurrentVersion\Winlogon

The default ACLs should be:
- Administrators (Full Control)
- SYSTEM (Full Control)
- CREATOR OWNER (Full Control)
- Everyone (Read)
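An added PowerShell example, not from the original article, that reports access control entries on the keys listed above which go beyond the defaults just given: any Allow entry for an identity other than Administrators, SYSTEM and CREATOR OWNER that carries write, delete or permission-change rights, and, for the winreg key from the remote-registry section, any Allow entry at all, since read access there is what permits a remote connection. The function name and the finding labels are my own; Get-Acl on these keys needs an Administrator prompt.

```powershell
# Added example, not from the original article: list ACEs on the trojan-launch keys
# and on SecurePipeServers\winreg that exceed the expected defaults. Read-only.
$Keys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce'
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnceEx'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug'
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
)
# Identities that are expected to hold Full Control; everyone else should be read-only (or absent on winreg).
$FullControlOnly = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM', 'CREATOR OWNER')
# Rights that let a principal change what the key launches, or change who may do so.
$WriteMask = [System.Security.AccessControl.RegistryRights]'SetValue, CreateSubKey, CreateLink, Delete, ChangePermissions, TakeOwnership'

function Get-KeyAclFindings {
    param([string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) {
        # For winreg in particular a missing key means remote registry access is not restricted at all.
        return [pscustomobject]@{ Key = $Path; Identity = '-'; Rights = '-'; Finding = 'KEY MISSING' }
    }
    $acl = Get-Acl -LiteralPath $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }      # Deny entries only tighten things
        $id = $ace.IdentityReference.Value
        if ($FullControlOnly -contains $id) { continue }          # expected Full Control holders
        $grantsWrite = (([int]$ace.RegistryRights -band [int]$WriteMask) -ne 0)
        $finding = $null
        if ($Path -like '*\winreg') { $finding = 'MAY CONNECT TO REMOTE REGISTRY' }
        elseif ($grantsWrite)       { $finding = 'WRITE ACCESS TO LAUNCH KEY' }
        if ($finding) {
            [pscustomobject]@{ Key = $Path; Identity = $id; Rights = $ace.RegistryRights.ToString(); Finding = $finding }
        }
    }
}

$findings = $Keys | ForEach-Object { Get-KeyAclFindings $_ }
if ($findings) { $findings | Format-Table -AutoSize -Wrap } else { 'No unexpected ACEs found.' }
```

Inherited entries are reported the same way as explicit ones, which is deliberate: an over-broad ACL inherited from HKLM\SOFTWARE is exactly the kind of thing that is easy to miss in Regedt32. Use the output as a review list and tighten the entries with Regedt32's Security | Permissions dialog.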
Allow only users with an account in the domain or on the machine to access shares on the server: open User Manager | Policies | User Rights, choose "Access this computer from network", remove Everyone from the list and add Authenticated Users (a group available from SP3 onwards). IIS4's Anonymous and Basic authentication log users on with the "Log on locally" right, so the IUSR_computername account and Basic-authenticated web users are not affected; Windows NT Challenge/Response does use "Access this computer from network" and keeps working through Authenticated Users.
Unbinding NetBIOS from TCP/IP (Control Panel | Network | Bindings) prevents a remote user from retrieving machine information with tools like NBTSTAT and closes the null-session path altogether, but it also disables file and print sharing and NET USE administration over TCP/IP. Do it only where the server is administered at the console or over a second, non-Internet-facing adapter that keeps NetBIOS bound.
If routing is enabled, you run the risk of passing data between the intranet and the Internet. To disable routing, open Control Panel | Network | Protocols | TCP/IP Protocol | Properties | Routing and clear the Enable IP Forwarding check box.
Open User Manager | Policies | Audit, select "Audit These Events" and choose the categories to record. Auditing is off ("Do Not Audit") by default on Windows NT, so nothing is written to the Security log until this is done.
Open Event Viewer | Log | Log Settings, and set a maximum size and "Overwrite Events Older than" for all three logs (System, Security and Application). If you are going to overwrite logs after only a few days and your log maximum size is small, then you need to check (and archive) the logs more frequently, or an intrusion may have been overwritten before you look for it.
Configure TCP/IP filtering by specifying which ports are allowable on each network card. Go to Control Panel | Network | Protocols | TCP/IP | Advanced | Enable Security | Configure. Now set the following options:
- Permit only TCP ports 80 and 443 (if you have SSL)
- Permit no UDP ports
- Permit only IP Protocol 6 (TCP)
These filters apply to inbound packets only, but permitting no UDP also drops the replies to the server's own DNS queries, so resolve the few names the server itself needs through the HOSTS file. Remember to permit any port you administer the server over, otherwise you lock yourself out of everything but the console.
Place all commonly used administrative tools in a special directory outside %systemroot% and ACL them so that only Administrators have access to these files. For example, create a directory called \CommonTools and move the following files into it:
xcopy.exe, wscript.exe, cscript.exe, net.exe, ftp.exe, telnet.exe, arp.exe, edlin.exe, ping.exe, route.exe, at.exe, finger.exe, posix.exe, rsh.exe, atsvc.exe, qbasic.exe, runonce.exe, syskey.exe, cacls.exe, ipconfig.exe, rcp.exe, secfixup.exe, nbtstat.exe, rdisk.exe, debug.exe, regedt32.exe, regedit.exe, edit.com, netstat.exe, tracert.exe, nslookup.exe, rexec.exe, cmd.exe
Two caveats: cmd.exe is referenced by the COMSPEC environment variable and by any batch job (scheduled AT jobs included), so update COMSPEC if you move it; and a Service Pack install puts fresh copies of these tools back into %systemroot%\system32, so repeat this step after every Service Pack.
If you have multiple Web servers, make sure their clocks are synchronized; this lets you correlate audit logs across servers when investigating an intrusion. The simplest way is the NET TIME command: nominate one server as the time source and run NET TIME \\server /SET on the others.
It is generally considered good practice to reduce the number of entry points into a server; for Windows NT this means reducing the number of services. Refer to Q189271 for further details.
These are application specific, but make sure you use 'strong enough' authentication for your application. IIS4 supports the following authentication schemes, in increasing order of trust:
- Anonymous
- Basic (the credentials are sent base64-encoded, effectively in the clear, so use it only over SSL)
- Windows NT Challenge/Response (the password never crosses the wire, but it does not work through proxies and is supported only by Internet Explorer)
- Client Certificates
Refer to Q229694 for further details.