Here's our guide to tightening security in Microsoft's Windows NT.
We've covered quite a few things in the NT column but something we haven't really dwelt on is the operating system's much vaunted security features. Microsoft was justifiably proud back in December 1999 when NT4 received an Orange Book security rating of C2.
This is a basic security rating, one of several defined by the US Department of Defense's Trusted Computer System Evaluation Criteria, or Orange Book, and awarded by the National Computer Security Center, which is part of the National Security Agency.
Sounds impressive, huh? Well, no, actually - the claim was resoundingly debunked by security guru Bruce Schneier of Counterpane. Bear in mind, too, that any Orange Book rating applies only to the precise configuration that was evaluated, not to whatever comes off the CD-Rom.
In his excellent book, Secrets & Lies, he says: "Microsoft made a big deal about Windows NT getting a C2 security rating. They were much less forthcoming with the fact that this rating only applied if the computer was not attached to a network and had no network card, and had its floppy drive epoxied shut, and was running on a Compaq 386."
And switched off - no, I just made that last bit up! To be fair, he was equally scathing about Solaris as well!
Nevertheless, NT was designed as a secure operating system (OS), more or less. It has the building blocks of a very secure OS: separate user accounts with distinct privileges, NTFS file permissions, and access control lists on kernel objects.
However, the configuration that makes NT secure is a long way from the default installed one, and Microsoft admits this. You have to make a surprisingly large number of security checks and modifications to NT to make it safe. Put bluntly, NT could be secure, but Microsoft refuses to ship the OS in that condition.
Battening down the hatches
So, what are the changes that need to be made to NT to make it resistant to attack, to make it more secure? For my subject I'm going to pick a particularly vulnerable NT machine, an NT server running Internet Information Server (IIS), permanently connected to the internet and acting as a web host - it doesn't get any more exposed to risk than that!
The trick here is to turn your vulnerable web server into what's called a 'bastion host' - calling on ancient castle terminology, this means a hardened node on your network, a critical strong point in your network's security that is deliberately exposed to attack.
Examples of bastion hosts include web, DNS and FTP servers. Because of their extreme exposure, and hence vulnerability to attack, they have to be made especially resilient. Here's how to rustle up a bastion host.
Installation
It's best to start with a clean slate, so we'll install NT4 Server on a freshly formatted hard disk. This must be disconnected from any public network, and preferably from all networks. This is simply to prevent any hacking while it's in a vulnerable state.
Avoid a dual-boot configuration and be sure to select NTFS as your file system - under no circumstances select FAT. FAT has no file permissions at all, so any account that can log on can read or alter any file; NTFS gives every file and directory its own access control list, can audit access to it, and as a 'journalled' file system keeps its own structures consistent after a crash. When the install is complete, remove all extraneous Windows programs except, say, Notepad and WordPad - the rest won't be needed.
On the networking front, be sure to install only the TCP/IP protocol and no other network services. Also, configure it as a standalone server: it can't be a member of a domain, because domain membership depends on the NetBIOS and Workstation services we're about to remove, and a bastion host that gets broken into must not be holding domain credentials.
Obtain and install Service Pack 6a at this point. You're given the option of backing up the files it overwrites to permit an uninstall at a later date - skip this if possible, since those backups are unpatched copies of system files, but if you do want to keep a hold of the uninstall files, move them off the server.
Install additional features such as the Option Pack in order to get IIS. Don't forget, if you add any services or features later, you'll need to re-apply the Service Pack.
Check to see if any hotfixes are available; if there are, download and install them.
You need to keep this server utterly up to date with regard to security patches and updates, so you ought to keep a weather eye on the various NT security sites, such as Windows IT Security (www.windowsitsecurity.com), NT Security (www.ntsecurity.com), NT BugTraq (www.ntbugtraq.com), the SANS Institute (www.sans.org) and Microsoft (www.microsoft.com/security).
Strip down the configuration
There's an awful lot of excess baggage in NT's default configuration, baggage that could be potentially useful to an intruder. And if it isn't needed, it has to be dispensed with. So open up the Network applet in Control Panel, head for the Services tab and start wielding the knife. You should remove the following services:
This should leave you with just RPC Configuration.
Next we have to dispense with the User Manager for Domains, usrmgr.exe. Instead, we need to copy over the NT4 workstation copy of User Manager, musrmgr.exe, and use that. Why? Because the User Manager for Domains won't work if the Workstation service is removed.
You should also disable NetBIOS over TCP/IP. Do this by removing all the bindings to it, so first unbind the WINS client from all network interface cards (NICs). Then disable the WINS client driver itself in Control Panel - open Devices, select WINS Client (TCP/IP), click the Startup button and select Disable. This closes the NetBIOS loophole on UDP ports 137 and 138 and TCP port 139.
Stay in Control Panel and turn your attention to the Services applet. We have to go to town here, disabling all those 30 or so services except the following:
We now need to disable the Load Web Check process and the Network DDE agent process by editing the Registry. The former is controlled at HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Browser\WebCheck. The latter is launched from the UserInit value at HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon, which by default reads userinit,nddeagnt.exe - remove the nddeagnt.exe part but leave userinit in place, because that's what starts the shell when you log on.
Strip components
As we have no need for them and they could provide ammunition for intruders, we also have to disable the DOS, Win16, OS/2 and POSIX subsystems, so remove the Registry entries for OS/2, POSIX and WOW (the Win16-on-Win32 layer that also hosts DOS programs) under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems.
Then clear the Optional value in the same key. It's a multi-string value (REG_MULTI_SZ) that by default lists Os2 and Posix; set it to an empty string, which regedit shows as the two bytes 00 00, so that NT no longer loads either subsystem on demand.
TCP/IP configuration
We also need to tighten up our TCP/IP settings and we do this by enabling the TCP/IP packet-filtering tool, TCP/IP Security. To do this, open Control Panel, double-click on the Network applet, select Protocols, TCP/IP Protocol, Properties, Advanced, tick Enable Security and click on the Configure button. The suggested settings are Permit All TCP Ports, Permit Only UDP Ports: none, and Permit Only IP Protocols: none (the IP Protocols list covers protocols other than TCP and UDP, so 'none' here blocks ICMP and the like without touching web traffic). Two caveats: the filter governs only inbound connections to the NIC it's set on, so it is no substitute for a proper firewall in front of the host; and on a pure web server you can go further than Permit All and allow only TCP port 80 (plus 443 if you serve SSL pages).
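Having made all these Registry changes, it pays to check them rather than trust your memory. As an added example (written for this guide, not code from the original column or from Microsoft), here is a short Python script that reads a Registry export made with regedit's Export Registry File command (the REGEDIT4 text format) and verifies the settings from the last three sections: the OS/2 and POSIX subsystem entries, the Network DDE agent in UserInit, the WINS Client (NetBT) driver set to Disabled (Start value 4), and the TCP/IP Security filters. The key paths are the documented NT4 locations; the adapter name El90x1 and both sample exports are constructed, and the remark about permitting only TCP 80 and 443 is tighter than the article's own suggestion. Python is used because it runs offline on whatever machine you copy the exported file to.

```python
"""Offline audit of an NT4 registry export (REGEDIT4 format) against the
bastion-host settings above.  Added example, not from the original column:
key paths are documented NT4 locations; adapter name and samples are made up."""
import re

_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')   # "name"=data
HKLM = 'HKEY_LOCAL_MACHINE\\'
SUBSYSTEMS = HKLM + 'SYSTEM\\CurrentControlSet\\Control\\Session Manager\\SubSystems'
WINLOGON = HKLM + 'SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon'
NETBT = HKLM + 'SYSTEM\\CurrentControlSet\\Services\\NetBT'
TCPIP = HKLM + 'SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters'
ADAPTER = HKLM + 'SYSTEM\\CurrentControlSet\\Services\\El90x1\\Parameters\\Tcpip'  # constructed NIC name
SERVICE_DISABLED = 4  # Start=4 on a driver key is what the Devices applet calls 'Disabled'

_unescape = lambda s: s.replace('\\\\', '\\').replace('\\"', '"')

def _decode(data):
    """Turn the right-hand side of a .reg value line into a Python value."""
    if data.startswith('"'):
        return _unescape(data[1:-1])                      # REG_SZ
    if data.startswith('dword:'):
        return int(data[6:], 16)                          # REG_DWORD
    kind, _, payload = data.partition(':')
    if not kind.startswith('hex'):
        return data                                       # anything else, verbatim
    blob = bytes(int(b, 16) for b in payload.split(',') if b)
    if kind != 'hex(7)':
        return blob                                       # REG_BINARY and friends
    # REG_MULTI_SZ: NUL-separated ANSI strings with a double-NUL terminator
    return [s for s in blob.decode('latin-1').split('\0') if s]

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: value}}."""
    keys, current, lines = {}, None, iter(text.splitlines())
    for raw in lines:
        line = raw.strip()
        if line.startswith('[') and line.endswith(']'):
            current = line[1:-1]
            keys.setdefault(current, {})
            continue
        while line.endswith('\\'):  # regedit wraps long hex data with trailing backslashes
            line = line[:-1] + next(lines, '').strip()
        m = _VALUE.match(line)      # header, blank and comment lines simply don't match
        if m and current is not None:
            keys[current][_unescape(m.group(1))] = _decode(m.group(2))
    return keys

def audit(reg):
    """Return a list of findings; an empty list means every check passed."""
    get = lambda key, name: reg.get(key, {}).get(name)
    subs = reg.get(SUBSYSTEMS, {})
    findings = [f'{n} subsystem entry still present' for n in ('Os2', 'Posix') if n in subs]
    if subs.get('Optional'):
        findings.append('Optional subsystems still listed: ' + ', '.join(subs['Optional']))
    if 'nddeagnt' in (get(WINLOGON, 'UserInit') or '').lower():
        findings.append('Network DDE agent still launched from UserInit')
    if get(NETBT, 'Start') != SERVICE_DISABLED:
        findings.append('WINS Client (NetBT) not disabled: ports 137-139 still open')
    if get(TCPIP, 'EnableSecurityFilters') != 1:
        findings.append('TCP/IP Security filtering not enabled')
        return findings
    if '0' in (get(ADAPTER, 'TcpAllowedPorts') or []):   # a port list of "0" means permit all
        findings.append('All TCP ports permitted; a web host needs only 80 (and 443)')
    for v in ('UdpAllowedPorts', 'RawIpAllowedProtocols'):
        if get(ADAPTER, v) != []:                         # an empty list is "Permit Only: none"
            findings.append(f'{v} is missing or not empty')
    return findings

# Constructed sample exports: a fresh install, and the hardened result.
DEFAULT_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Optional"=hex(7):4f,73,32,00,50,6f,73,69,78,00,00
"Os2"="%SystemRoot%\\system32\\os2ss.exe"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="userinit,nddeagnt.exe"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Start"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000000
"""
HARDENED_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Optional"=hex(7):00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"UserInit"="userinit,"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableSecurityFilters"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\El90x1\Parameters\Tcpip]
"TcpAllowedPorts"=hex(7):38,30,00,\
  34,34,33,00,00
"UdpAllowedPorts"=hex(7):00,00
"RawIpAllowedProtocols"=hex(7):00,00
"""

if __name__ == '__main__':
    print(audit(parse_reg(DEFAULT_EXPORT)), audit(parse_reg(HARDENED_EXPORT)))
```

Run it against your own export by replacing the sample text with the file's contents; the fresh-install sample produces five findings and the hardened one none. The multi-string decoding is the part worth understanding: an empty REG_MULTI_SZ is exported as hex(7):00,00, which is exactly the '00 00' you set on the Optional value, and a TCP port list of 80 and 443 comes out as the ANSI bytes of each number with a NUL after each and a second NUL at the end.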
Many of the steps I've outlined are examined in more detail in Stefan Norberg's paper, which is at http://people.hp.se/stnor/hpntbast13.pdf. Finally, check out the Windows NT4 Security FAQ at http://www.it.kth.se/~rom/ntsec.html.
Your new bastion host system should be audited with Microsoft's NT Resource Kit's C2 Configuration Manager. If you haven't bought NT's Resource Kit, you may want to, since it contains many useful tools for NT, from security tools to disk utilities, as well as manuals on how to run certain aspects of the OS. Microsoft publishes a Windows NT C2 Configuration Checklist at http://www.microsoft.com/technet/security/C2config.asp.
It's also a very good idea to make use of Microsoft's Security Configuration Editor (SCE), which is an MMC snap-in that allows you to edit a wide range of security settings in one place. Once this is installed it gives you a global snapshot and analysis of all your current security settings.
The utility comes bundled with a range of predefined security templates, offering three levels of security for workstations, servers and domain controllers. In addition it lets you create custom templates for use on other servers. I installed my copy of SCE from the SP4 CD-Rom - it's in the MSSCE folder. Refer to http://www.microsoft.com/TechNet/winnt/Winntas/technote/scmnt4.asp for more details on this very useful utility.
Anyway, that's enough on bastion hosts for this month - we'll look into yet more security next month!
Contact:
Roger Gann welcomes your comments on the Windows NT column. Contact him via the Personal Computer World editorial office or email nt@pcw.co.uk. Please do not send unsolicited file attachments.