from: Microsoft Technet October 1998
AT A GLANCE

Key Point: Steps to secure Windows NT, Windows 95, and UNIX computers connected to the Internet.
Detail: Medium
Task: Administration, Management

Article Section                                 What’s There
Introduction                                    Security is an ongoing issue that needs to be revisited often.
Securing a Windows NT System on the Internet    Steps to secure Windows NT Workstation and NT Server systems.
Securing a Windows 95 System on the Internet    Steps to secure Windows 95 system.
Securing a UNIX System on the Internet          Steps to secure UNIX system.

Introduction

Security on the Internet is a key concern for Web users. For good reason: on the Internet there are no borders, no roving police cars helping to secure the place by their mere presence. In fact, existing laws are just now being changed to take the Internet into account.

Many companies provide some measure of security to computers connected directly to the Internet via firewalls and filtering. Relying solely on these protections, however, is like putting a fence around your house and not locking the doors. At home with your own ISP connections, you probably will not even have that fence.

The tips below provide an overview of steps you can take to protect your computer on the Internet. The tips are divided into three sections:

· Securing a Windows NT system
· Securing a Windows 95 system
· Securing a UNIX system

NOTE Be aware that what is secure today may be made vulnerable by a new discovery tomorrow. Please check the Microsoft Security Advisor site (http://www.microsoft.com/security/) periodically to see current security-related issues.

Securing a Windows NT System on the Internet

Here is an overview of a few things you should do to make sure that your Windows NT Workstation and Server systems are safe on the Internet.

1. If possible, start with a clean install of Windows NT 4.0. Only install the absolute minimum components you need to get the job done.
   This is a good idea no matter what operating system you are using on the computer on the Internet. If you use the APSETUP disk to install Windows NT, use the manual install option rather than the auto install. Auto install installs too many services and leaves too many things open.

2. Use the NTFS file system. If you don't have a compelling reason to use FAT (some systems require the system partition to be FAT, and FAT is sometimes a more efficient file system), use NTFS. To convert a FAT partition to NTFS, use convert.exe.

3. Install the latest Windows NT Service Pack.

4. Secure the computer's user accounts:

   · Rename the Administrator account. Make sure that it has a strong password. This will make gaining administrative rights more difficult for a potential hacker.
   · Create a fake Administrator account that has no rights. This will give a potential hacker a bogus account to try to hack.
   · Limit the membership of the local Administrators group. The more members there are in this group, the more targets a hacker has to use to gain administrative privileges.
   · Disable the Guest account. The Guest account is disabled by default on Windows NT Server, but on Workstation, Guest is enabled by default. As an added safety measure, give the Guest account a strong password.
   · Set your local account policy to ensure strong passwords with a length of 6 characters.
   · Enable account lockout for local accounts.

5. Secure the system security account database (SAM). The SAM file contains encrypted copies of users' passwords. If it is not secured, hackers could get it and use it to crack the passwords. You can only secure the SAM by using NTFS file permissions, so you must be using NTFS instead of FAT/FAT32.

   · Secure the main copy of the SAM by securing the Winnt\System32\config directory.
     Remove the Everyone group from the list of users/groups that have permission to access the directory and files. Add the Users group to the list of users/groups that have permission to access the directory and files.
   · Secure the backup copy in the Winnt\Repair directory. (Only exists if you have created a Repair Disk.) Remove the Everyone group from the list of users/groups that have permission to access the directory and files. Only allow the System account and the local Administrators group to have access to the directory and files.

6. Secure the system registry. There are three things you should do to secure the registry.

   · Restrict Anonymous Access to the registry by creating the RestrictAnonymous value under the LSA key. (See KB article: Q143474) This requires SP3.
   · Restrict Network Access to the registry with the Winreg key. (See KB article: Q155363) This requires SP3.
   · Change the file association for the .reg extension to something like Notepad. This prevents a malicious web site from inserting new keys into your registry while you are browsing the web.

7. Restrict access from the network/Internet. Using User Manager and the User Rights command, restrict "Access this computer from the network" to the absolute minimum necessary.

8. If you don't need them, turn off the Messenger and Alerter services.

9. If you don't need DCom, turn it off with dcomcnfg.exe. Since DCom allows COM objects to be run from remote computers, a hacker might be able to use a DCom object to attack your system.

10. If you are running IIS, make sure you are running the latest version and the latest NT service pack. Also install the latest fix to prevent an 8k URL from crashing the system. You can get this fix from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/iis-fix. Please see the KB article Q143484 for more information about this problem.

11. If you do not need the FTP server, do not run it.
    If you need FTP, do not allow write access unless absolutely necessary. If you do need to allow write access, DO NOT allow read and write access to the same directory. DO NOT allow write access to the FTPRoot directory.

12. Do NOT configure the computer for autologon. By default, this is NOT enabled and it should be left that way. Do NOT use TweakUI, the autologon tool from the Resource Kit or modify the registry to enable autologon.

13. Do NOT install Simple TCP/IP services as one of your network services. If you don't know that you need Simple TCP/IP services, you don't need Simple TCP/IP services.

14. Under the Control Panel's Network applet, Bindings tab, disable the WINS client on the network adapter.

Securing a Windows 95 System on the Internet

There is little you can do to really secure a Windows 95 computer from anybody with physical access to the computer. However, as an Internet client computer, it is pretty safe if you take some basic precautions:

· Install Windows 95 Service Pack 1.
· Disable File and Print Sharing. (If you don't disable File and Print sharing then you are exposing yourself and your data.)
· When you are done using the Internet, disconnect from it. (Hang up the modem or pull the network cable.)

Cable Modem Security Tips

The following information is for users connected directly to the Internet via a cable modem or other direct connection (e.g. T1 line). These recommendations are based on standard "safe computing" practices and can be helpful for anyone running the Microsoft Windows 95 operating system in a shared situation.

The ability to share resources, like files and printers, between users was a highly requested feature of Windows 95. However, to increase security of the information on your computer, there are some standard practices you should use.

File and Print Sharing

Turn off file and printer sharing if you are not using it.
You can check to see if this is activated by clicking on the Start Menu and choosing Settings and Control Panel. Double-click on the Network icon and click on the File and Print Sharing button. Uncheck the boxes in the dialog box and click OK to turn file and printer sharing off.

If you do share files, give read-only access to just the necessary directories, assign a strong password, and turn off sharing when it is no longer necessary. A strong password is easy for you to remember, but hard for others to guess. It uses a combination of letters and numbers and is eight characters in length.

To set access permissions for a resource, open the Windows Explorer. Select the resource by clicking on it. Choose File, Properties from the menu. Click on the Sharing tab. Type in a share name, select Read-Only as the Access Type, and enter a password in the Read-Only Password section.

To understand more about controlling access to information on your computer, read the Access Control topics in the Windows 95 help file index. Click on the Start Menu and choose Help. Click on the Index Tab and type Access Control in the text box. You can read a topic by double-clicking on it.

Install Service Pack 1

If it is not already installed, install Windows 95 Service Pack 1 as directed above. To determine if the service pack is already installed on your computer, click the Start Menu and choose Settings, Control Panel. Double-click the System icon and click the General tab. Locate the version number under the System heading. If the version number is 4.00.950 with no letters, you need to install the service pack. If the version number ends in an a or b, then the service pack is already installed.

Other Tips and Resources

· Log off the Internet when leaving the computer for long periods of time.
· Run a password protected screen saver when leaving for short durations.
· Do not run programs from unknown sources, including Web downloads and e-mail attachments.

To learn more about Windows 95 security, see Chapter 14 Security in the Windows 95 Resource Kit. If security is a critical concern for your use scenario, you may want to look at Microsoft Windows NT Workstation. Windows NT Workstation has additional security features such as the Windows NT File System and user accounts. For more information see http://www.microsoft.com/ntworkstation/.

Securing a UNIX System on the Internet

There are so many different versions of Unix running on so many different hardware platforms, there is little specific information about securing Unix computers on the Internet. However, here are some general guidelines:

1. Run the minimum services/daemons necessary. If you are only running a web server, don't run the ftp daemon or the sendmail daemon.
2. Stay up on the security alerts for your version of Unix provided by organizations such as CERT (http://www.cert.org/) and CIAC (http://www.ciac.org/).
3. Keep up with the latest patches from your Unix vendor.
4. Make sure your Root password is a strong, hard to guess password.

Microsoft TechNet October 1998 Volume 6, Issue 10
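
The registry settings in steps 6 and 12 of the Windows NT checklist can be checked from a saved registry export. The following Python code is an added example, not part of the original article: it parses REGEDIT4 export text and reports where the RestrictAnonymous value, the winreg key, or the autologon setting deviate from the checklist. The full key paths (the standard NT 4.0 locations, which the article does not spell out), the function names, and the two sample exports are assumptions made for this example.

```python
import re

# Standard NT 4.0 key paths (assumed; the article names the values, not the paths).
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa".lower()
WINREG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg".lower()
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon".lower()
VALUE_RE = re.compile(r'^"([^"]+)"=(.*)$')

def parse_reg_export(text):
    """Parse REGEDIT4 text into {key_path: {value_name: data}}, names lower-cased."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        match = VALUE_RE.match(line)
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and match:
            name, data = match.group(1).lower(), match.group(2)
            if data.lower().startswith("dword:"):
                current[name] = int(data[6:], 16)  # REG_DWORD is exported as hex
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                current[name] = data[1:-1]         # REG_SZ; other types are ignored
    return keys

def audit(text):
    """Return findings for steps 6 and 12; an empty list means every check passed."""
    keys, findings = parse_reg_export(text), []
    if keys.get(LSA, {}).get("restrictanonymous") != 1:
        findings.append("step 6: RestrictAnonymous is not 1 under the LSA key")
    if WINREG not in keys:  # presence only: the key's ACL is not part of a .reg export
        findings.append("step 6: winreg key is missing")
    if keys.get(WINLOGON, {}).get("autoadminlogon") == "1":
        findings.append("step 12: autologon is enabled")
    return findings

# Constructed sample exports, not taken from a real machine.
WEAK = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
'''
HARDENED = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
"Description"="Registry Server"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="0"
'''
```

Calling audit(WEAK) returns three findings and audit(HARDENED) returns an empty list. The winreg check only confirms that the key exists; who may connect to the registry remotely is decided by the permissions on that key, which have to be reviewed in the registry editor.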