Export (0) Print
Expand All

Windows NT 4.0 Domain Controller Configuration Checklist

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Last Updated: 29 March 2000

This checklist outlines the steps you should take to secure servers acting as Windows NT Server 4.0 domain controllers (DCs). These steps apply to Windows NT 4.0 Server, Standard Edition and Enterprise Edition, whether it's being used as a primary or backup domain controller.

IMPORTANT: This checklist contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

On This Page

Step 1: General Information
Step 2: Background and Planning
Step 3: Initial Configuration and Installation
Step 4: Windows NT 4.0 Configuration
Step 5: Windows NT Security Configuration
Step 6: Windows NT Account and Policy Configuration
Step 7: Ongoing Maintenance Tasks
Windows NT 4.0 DC Configuration Checklist: Further Details
Background and Planning
Initial Configuration and Installation
Windows NT 4.0 Configuration
Windows NT 4.0 Security Configuration
Windows NT 4.0 Account and Policy Configuration
Ongoing Maintenance Tasks

Step 1: General Information

Server Name

Asset #

 

Setup Date

 

Manufacturer

 

Location

 

Set up by

 

Step 2: Background and Planning

 

iecl01

Read any applicable security policies for your organization

 

iecl01

Subscribe to Microsoft's Security Notification Service

 

iecl01

Review your user education and training plans

 

iecl01

Determine whether you're building a new secure DC from scratch or tightening security on an existing DC

Step 3: Initial Configuration and Installation

 

iecl01

Unpack and set up hardware

 

iecl01

Enable hardware boot protection

 

iecl01

Install Windows NT

Step 4: Windows NT 4.0 Configuration

 

iecl01

Verify that all disk partitions are formatted with NTFS

 

iecl01

Verify that the Administrator account has a strong password

 

iecl01

Unbind unnecessary protocols

 

iecl01

Remove additional OS installations

 

iecl01

Install the latest Service Pack a

 

iecl01

Install the C2 hotfix

 

iecl01

Enable SYSKEY protection

 

iecl01

Remove the OS/2 and POSIX subsystems

Step 5: Windows NT Security Configuration

 

iecl01

Make sure the Guest account is disabled

 

iecl01

Restrict the use of LanManager authentication

 

iecl01

Secure base objects

 

iecl01

Secure additional base named objects

 

iecl01

Ensure that the Shutdown button is not visible in the logon dialog

 

iecl01

Protect files and directories

 

iecl01

Protect the Registry

 

iecl01

Apply appropriate Registry ACLs

 

iecl01

Restrict access to public Local Security Authority (LSA) information

 

iecl01

Restrict null session access over named pipes

 

iecl01

Restrict untrusted users' ability to plant Trojan horse programs

 

iecl01

Allow only Administrators and Server Operators to create new shares

 

iecl01

Disable caching of logon information

 

iecl01

Restrict printer driver installation to Administrators only

 

iecl01

Set the paging file to be cleared at system shutdown

 

iecl01

Restrict floppy drive and CD-ROM drive access to the interactive user only

 

iecl01

Modify user rights membership

 

iecl01

Set auditing (if enabled) for base objects and for backup and restore

 

iecl01

Set security log behavior

 

iecl01

Change the Scheduler service's security context

 

iecl01

Set strong ACL on NotificationPackages key

 

iecl01

Hide the name of the last logged-in user

 

iecl01

Update the system Emergency Repair Disk

Step 6: Windows NT Account and Policy Configuration

 

iecl01

Disable blank passwords

 

iecl01

Set stronger password policies

 

iecl01

Set account lockout policy

 

iecl01

Use the passprop utility

 

iecl01

Use passfilt.dll

 

iecl01

Configure the Administrator account

 

iecl01

Enable auditing of failed logon attempts

Step 7: Ongoing Maintenance Tasks

 

iecl01

Review user accounts

 

iecl01

Review group memberships

 

iecl01

Review security event logs

 

iecl01

Consider using wide-scale audit and analysis tools

 

iecl01

Consider using password-cracking tools

Windows NT 4.0 DC Configuration Checklist: Further Details

Background and Planning

Read any applicable security policies for your organization

Having a security policy is paramount. You need ready answers to questions like:

  • How do we react to a break-in?

  • Where are the backups stored?

  • Who is allowed to access the server?

  • What level of physical security is appropriate?

Good sources of policy information may be found at SANS Institute, Baseline Software, Inc. and in the Windows NT 4.0 Security, Audit, and Control Guide.

Subscribe to the Microsoft Security Notification Service

WARNING: You MUST keep on top of new security issues as they rise.

You can stay abreast of Microsoft-related security issues and fixes here. You will receive notice of security issues by email. You should also consider placing a 'favorites shortcut' to the Microsoft Security Advisor Program. To do so, follow these steps:

  1. Open Internet Explorer on your desktop

  2. Navigate to http://www.microsoft.com/technet/security/default.mspx

  3. Select Favorites on the menu, then choose Add to Favorites

  4. Check 'Make Available Offline'

  5. Select Customize | Next | Yes (links to other pages) | '2' links deep

  6. Next | Select 'I would like to create a new schedule' | use the defaults | finish

  7. OK

  8. Select Favorites on the menu, then choose Organize Favorites

  9. Select Properties | Download | uncheck 'Follow links outside of this page's Web site'

  10. OK

  11. Close

If you now click on the Favorites icon in the toolbar, you can drag the 'Microsoft Security Advisory Program' link to your desktop. A small red mark will appear on the icon when there is new security news.

Review your user education and training plans

Part of your security depends on your users. You'll have to train them to know, understand, and practice your organization's security policies for things like password length, password aging, and what constitutes a good password. Users typically accept security measures better when they understand the reasons behind them instead of feeling like they're being jammed up with arbitrary rules. A moderate security policy that people will actually follow is better than a draconian policy that people ignore.

Determine whether you're building a new secure DC from scratch or tightening security on an existing DCIf you're installing a new computer as a domain controller, or rebuilding a domain controller from scratch, the security steps you follow will be somewhat different from the ones needed to tighten security on an existing server. To build a new server, begin with the instructions in the "Initial Configuration and Installation" section; if you're increasing security on an existing server, begin with the instructions in the "Windows NT 4.0 Initial Configuration" section.

Initial Configuration and Installation

Unpack and set up hardware

Follow the hardware manufacturer's manuals accompanying your computer system to unpack and connect your computer system components. Physically secure the hardware to the extent necessary, including using optical fiber if cabling must pass through unsecured areas, or isolating the network in a secure building if very high security is needed. Be sure to consider fire protection, electrical service, and physical access to the machine as part of your physical security planning.

NOTE: An intruder who can physically open your server's cabinet can adjust hardware switches to disable the power-on password. Access to the internal components of the server could also permit temporary installation of a drive from which a less secure OS, or a version of Windows NT that lacks your security settings, can be used to start the computer. Options for preventing unauthorized access to internal components include locking the case (if the model permits it), using server hardware that transmits an alarm signal when the case is opened, or increasing physical security on the room where the server's located.

Enable hardware boot protection

Choose appropriate boot protection measures on your servers. Depending on your needs and your hardware configuration, you can do any of the following:

  1. Consider removing the system's floppy and CD-ROM drives to prevent booting from them. However, this may have an adverse impact on recovery time.

  2. Set BIOS options to restrict boot sources, then use BIOS passwords to restrict changes to boot settings

  3. Use a physical lock on the floppy drive

Install Windows NT

For additional information on installing Windows NT, see the instructions in Part 2, "Installation," in Windows NT Server Start Here. Keep in mind the following considerations:

  • If you use cloning tools to install systems with cloning tools (not recommended by Microsoft)-, do not use "after-GUI replication," where the copy is made after the graphical user interface (GUI) appears. Microsoft supports disk duplication for Windows NT 4.0 only if the disk is duplicated at the point in the setup process after the second reboot and before the GUI portion of Windows NT 4.0 setup.

WARNING: Duplicating the system in the wrong part of the setup process will copy the entire tree structure of Windows NT, affecting security, hardware, and other areas of the product. Security is impossible because the two installations have the same primary SID, and thus users on one system can access accounts on the other. (Copies made by the Windows NT 4.0 Deployment Tools are not simple copies, and they do configure the OS correctly.)

  • Choose the Custom Setup option.

  • As you proceed through the steps of Setup, use the default settings, except for the following:

    1. All hard-disk partitions must be formatted with NTFS.

    2. When the Administrator Account Setup dialog box appears, choose a strong password. For maximum security, select a 14-character password on Windows NT systems. Using these lengths makes NT passwords much harder to guess than shorter ones. Also, use punctuation and other non-alphabetic characters in the first 7 characters. Never leave the password field blank.

    3. When the Local Account Setup dialog box appears, you can create a user account for routine computer use. If you choose to create a local account, keep in mind that this account is placed by default in the Administrators group, which gives the user the ability to create user accounts.

    4. Create an emergency repair disk. This makes it easier to recover your system if the operating-system configuration databases become corrupt. Secure the ERD, as it contains security-critical information. In addition, consider installing SYSKEY to protect stored information from being brute-forced.

Windows NT 4.0 Configuration

Verify that all disk partitions are formatted with NTFS

NTFS partitions offer access controls and protections that aren't available with the FAT, FAT32, or FAT32x filesystems. Make sure that all partitions on your server are formatted using NTFS. If necessary, use the convert utility to non-destructively convert your FAT partitions to NTFS.

WARNING: If you use the convert utility, it will set the ACLs for the converted drive to Everyone:Full Control. Use the fixacls.exe utility to reset them to more reasonable values.

Verify that the Administrator account has a strong password

Windows NT allows passwords of up to 14 characters. In general, longer passwords are stronger than shorter ones, and passwords with several character types (letters, numbers, punctuation marks, and non-printing ASCII characters, generated by using the Alt key and three-digit key codes on the numeric keypad)) are stronger than alphabetic or alphanumeric-only passwords. For maximum protection, make sure the Administrator account's password is at least nine characters long and that it includes at least one punctuation mark or non-printing ASCII character within the first seven characters.

Unbind unnecessary protocols

If you're not using a particular protocol on a server, like IPX/SPX or NetBIOS, unbind it from the network adapters it's bound to. This prevents denial-of-service attacks against that protocol, improves your overall server performance, and safeguards you against protocol-specific exploits. (To unbind protocols, use the Bindings tab of the Network control panel; if you're not using a particular protocol at all, remove it from the Protocols tab to unbind it from all adapters.)

Remove additional OS installations

Your domain controllers should only have one OS on them: Windows NT Server. Remove any additional Linux, OS/2, or other OS installations. If you have additional Windows NT installations for disaster recovery, make sure it's secured according to the steps in this checklist.

Install the latest Service Pack

Each Service Pack for Windows NT includes all security fixes from previous service packs. Microsoft recommends that you keep up to date on service pack releases and install the correct service pack for your servers as soon as your operational circumstances allow. The current Service Pack, 6a, is available from the Microsoft Download Center:

Service packs are also available through Microsoft Product Support. Information on contacting Microsoft Product Support is available at http://support.microsoft.com/support/contact/default.asp.

In addition, you should also install all post-SP6a security patches. For a complete list of security patches, consult http://www.microsoft.com/technet/security/default.mspx.

Enable SYSKEY protection

The SAM database stores password hashes for domain and local computer accounts. An attacker who gains access to the SAM database files (either from the server itself, the server's emergency repair disk, or a backup tape) can use a password cracking tool to attack these hashes. The SYSKEY tool allows you to encrypt the SAM database to make it more difficult for an unprivileged attacker to use password cracking tools against your stored password hashes. Microsoft Knowledge Base article 143475 details how to install and use SYSKEY.

WARNING: Before you install SYSKEY, make sure to update your server's emergency repair disk. After installing SYSKEY, make a second ERD using a new, separate floppy. Do not attempt to use the pre-SYSKEY ERD to restore your system once SYSKEY is installed.

Remove the OS/2 and POSIX subsystems

These subsystems are not necessary for the vast majority of applications and services, and removing them protects you against attacks launched from programs running in these subsystems.

First, delete the \winnt\system32\os2 directory and all its subdirectories. Then make the following registry changes, which will take effect on the next reboot: (Note: The Subkeys "Microsoft\OS/2 Subsystem for NT" and "Os2LibPath" will be recreated after the system reboots, but as long as the "optional" subkey remains empty, the OS2 subsystem is in fact removed.)

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\OS/2 Subsystem for NT

Action

Delete all sub keys

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager\Environment

Value Name

Os2LibPath

Action

Delete

   

Hive Key

\CurrentControlSet\Control\Session Manager\SubSystems

Value Name

Optional

Action

Delete values

   

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager\SubSystems

Action

Delete entries for Posix and OS/2

Windows NT 4.0 Security Configuration

WARNING: The changes in this section must be performed on all domain controllers in a domain. If you fail to leave one DC unprotected, you gain no protection from attacks since an attacker can simply attack the unprotected DC.

Make sure the Guest account is disabled

By default, the Guest account is disabled on Windows NT Server systems. If the Guest account is enabled, disable it

Restrict the use of LanManager authentication

Windows NT supports several types of challenge-response authentication:

  • LanManager (LM) authentication, is the original authentication protocol used in Microsoft networking products. It's not as strong as the other available authentication types.

  • NT Lan Manager (NTLM) authentication is significantly stronger than plain LM authentication. However, like LM, NTLM is vulnerable to some kinds of network-based attacks. NTLM uses 56-bit encryption.

  • NT Lan Manager version 2 (NTLMv2) authentication adds session-level security for the challenge-response authentication; it also uses 128-bit encryption, rendering it infeasible to brute-force an NTMLv2 password.

You can control which types of authentication your domain controllers will accept by adjusting two registry keys: LSA and the LSA\MSV1_0 subkey. These keys allow you to regulate which types of authentication the DC will accept, For complete details, see KB article 147706; it's important to balance the increased security gained from restricting the use of LM and NTLM authentication with the requirements of downlevel client support.

Secure base objects

This step is necessary to further heighten security of the base objects. Among other things, it prevents users from gaining local administrator privileges by way of a dynamic-link library (DLL). This issue is explained in more detail in Microsoft Security Bulletin 99-006. Use the registry editor to make the following change to implement this security; note that making this change may cause problems on some systems. An improved version of this same fix is included in the C2 hotfix for SP6a.

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager

Value Name

ProtectionMode

Type

REG_DWORD

Value

1

Secure additional base named objects

This step is necessary to heighten security of additional base named objects such as RotHintTable or ScmCreatedEvent, not addressed by the ProtectionMode key entry above. To implement this setting, make the following registry change:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager

Value Name

AdditionalBaseNamedObjectsProtectionMode

Type

REG_DWORD

Value

1

Remove Shutdown button from logon dialog

Ensure that the following value in the Registry is set; it removes the shutdown option at logon, which prevents users with physical access from being able to shut down the machine.

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\Windows NT\Current Version\Winlogon

Value Name

ShutdownWithoutLogon

Type

REG_SZ

Value

0

Protect files and directories

A number of filesystem permissions need to be changed to provide adequate security for domain controllers. These permissions require you to use NTFS for your system volume, but you should be doing that anyway. The definitive reference for these changes is the white paper NSA Windows NT System Security Guidelines, produced by Trusted System Services. Their recommendations call for setting file and directory ACLs as shown below. In the table, "Installers" refers to any accounts with privileges to install application or system software.

Directory or file

Suggested Max Permissions

C:\

Installers: Change

Everyone: Read

Server Operators: Change

files

Installers: Change

Everyone: Read

Server Operators: Change

IO.SYS, MSDOS.SYS

Installers: Change

Everyone: Read

Server Operators: Change

BOOT.INI,
NTDETECT.COM,
NTLDR

(none)

AUTOEXEC.BAT,
CONFIG.SYS

Installers: Change

Everyone: Read

Server Operators: Change

C:\TEMP

Everyone: (RWXD)*(NotSpec)

C:\WINNT\

Installers: Change

Everyone: Read

Server Operators: Change

files

Everyone: Read

Server Operators: Change

win.ini

Installers: Change

Public: Read

Server Operators: Change

Control.ini

Installers: Change

Everyone: Read

Server Operators: Change

Netlogon.chg

(none)

\WINNT\config\

Installers: Change

Everyone: Read

Server Operators: Change

\WINNT\cursors\
\WINNT\fonts

Installers: Change

Everyone: Add and Read

Server Operators: Change

PwrUsers: Change

\WINNT\help\

Installers: Change

Everyone: Add and Read

Server Operators: Change

PwrUsers: Change

*.GID, *.FTG, *.FTS

Everyone: Change

\WINNT\inf\

Installers: Change

Everyone: Read

*.ADM files

Everyone: Read

*.PNF

Installers: Change

Everyone: Read

Server Operators: Change

\WINNT\media\

Installers: Change

Everyone: Read

Server Operators: Change

PwrUsers: Change

*.RMI

Everyone: Change

\WINNT\profiles\

Installers: Add and Read

Everyone: (RWX)*(NotSpec)

..\All users

Installers: Change

Everyone: Read

..\Default

Everyone: Read

\WINNT\repair\

(none)

\WINNT\system\

Installers: Change

Everyone: Read

Server Operators: Change

\WINNT\System32\

Installers: Change

Everyone: Read

Server Operators: Change

Backup Operators: Change

files

Everyone: Read

Server Operators: Change

$winnt$.inf

Installers: Change

Everyone: Read

Server Operators: Change

AUTOEXEC.NT,
CONFIG.NT

Installers: Change

Everyone: Read

Server Operators: Change

cmos.ram,
midimap.cfg

Everyone: Change

localmon.dll,
decpsmon.*,
hpmon.*

Installers: Change

Everyone: Read

Server Operators: Change

Print Operators: Change

\WINNT\System32\config\

Everyone: List

\WINNT\System32\DHCP\

Everyone: Read

Server Operators: Change

\WINNT\System32\drivers\(including \etc)

Everyone: Read

\WINNT\System32\LLS

Installers: Change

Everyone: Read

Server Operators: Change

\WINNT\System32\OS2
(including \DLL subdir)

Everyone: Read

Server Operators: Change

\WINNT\System32\RAS

Everyone: Read

Server Operators: Change

\WINNT\System32\Repl

Everyone: Read

Server Operators: Change

\WINNT\System32\Repl\,

import, export, scripts

subdirs

Everyone: Read

Server Operators: Change

Replicator: Change

\WINNT\System32\spool

Installers: Change

Everyone: Read

Server Operators: Full

Print Operators: Change

\drivers\

\drivers\w32x86\2\

\prtprocs\

\prtprocs\w32x86\

\drivers\w32x86\

Installers: Change

Everyone: Read

Server Operators: Full

Print Operators: Change

\printers\, \tmp\

Installers: Change

Everyone: (RWX)(NotSpec)

Server Operators: Full

\WINNT\System32\viewers

Everyone: Read

Server Operators: Change

\WINNT\System32\wins

Everyone: Read

Server Operators: Change

C:\...\*.EXE, *.BAT, *.COM, *.CMD, *.DLL

Everyone: X

Protect the registry from anonymous access

The default permissions grant Full Control to Administrators and SYSTEM and Read access to Everyone for the following registry subkeys and all their subkeys:

  • HKEY_LOCAL_MACHINE\Hardware

  • HKEY_LOCAL_MACHINE\Software

  • HKEY_LOCAL_MACHINE\System

  • HKEY_USERS\.Default

The default permissions do not restrict who has remote access to the registry. Only administrators should have remote access to the Registry, because the Windows NT Registry editing tools support remote access to the Windows NT registry. To restrict network access to the registry:

  1. Add the following key to the registry:

    Hive

    HKEY_LOCAL_MACHINE\SYSTEM

    Key

    \CurrentControlSet\Control\SecurePipeServers

    Value Name

    \winreg

  2. Select winreg, click the Security menu, and then click Permissions.

  3. Set the Administrators permission to Full Control, make sure no other users or groups are listed, then click OK.

The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access.

WARNING: Don't change Registry permissions indiscriminately. Doing so will cause unpredictable results, including possible loss of system functionality.

In addition, the AllowedPaths subkey contains a list of keys to which members of the Everyone group have access, notwithstanding the ACLs on the winreg key. This allows specific system functions, such as checking printer status, to work correctly regardless of how access is restricted via the winreg registry key. The default security on the AllowedPaths registry key only grants Administrators the ability to manage these paths.

Apply appropriate Registry ACLs

A number of Registry keys need changes to their default ACLs for maximum security. The definitive reference for these changes is the white paper NSA Windows NT System Security Guidelines, produced by Trusted System Services. Their recommendations call for removing the Everyone ACE from the keys listed in the table below (where it exists), then changing the ACL as noted in the table. In the table, "Installers" refers to any accounts with privileges to install application or system software.

WARNING: Unless the table says "Entire tree", change permissions only on the indicated key, not its subkeys.

Key path

Permissions

Notes

\Software

Installers: Change

Everyone: Read

Only accounts that can install software should have change rights to this tree.

\Software\Classes

Installers: Add

Everyone: Read

Tree needs special treatment. See note [13]

\Software\Microsoft\Windows\CurrentVersion\App Paths

Installers: Change

Everyone: Read

Apply to entire tree. At install time this key is empty; set ACLs to prevent its misuse.

\Software\Microsoft\Windows\Current Version\Explorer

Everyone:Read

Apply to entire tree

\Software\Microsoft\Windows\Current Version\Embedding

Installers: Change

Everyone: Read

Apply to entire tree

\Software\Microsoft\Windows\Current Version\Run, RunOnce, Uninstall, and AEDebug

Everyone: Read

See below

\Software\Microsoft\Windows NT\CurrentVersion\Font*, GRE_Initialize

Installers: Change

Everyone: Add

Change only keys that begin with "Font," except FontDrivers, and Gre-Initialize.

\Software\Microsoft\Windows NT\CurrentVersion\Type 1 Installer\Type 1 Fonts

Installers: Change

Everyone: Add

 

\Software\Microsoft\Windows NT\CurrentVersion\Drivers, Drivers.desc

Everyone: Read

Apply to entire tree

\Software\Microsoft\Windows NT\CurrentVersion\MCI, MCI Extensions

Installers:Change

Apply to entire tree.

\Software\Microsoft\Windows NT\CurrentVersion\Ports

INTERACTIVE: Read

Everyone: Read

Apply to entire tree.

\Software\Microsoft\Windows NT\CurrentVersion\WOW

Everyone: Read

Apply to entire tree.. See note[6].

\Software\Windows 3.1 Migration Status

Everyone: Read

Apply to entire tree.

\System\CurrentControlSet\Services\LanmanServer\Shares

Everyone: Read

Apply to entire tree. Prevents users from adding new shares.

\System\CurrentControlSet\Services

Everyone: Read

Apply to entire tree. This setting prevents non-administrators from changing service settings.

Restrict access to public Local Security Authority (LSA) information

You need to be able to identify all users on your system, so you should restrict anonymous users so that the amount of public information they can obtain about the LSA component of the Windows NT Security Subsystem is reduced. The LSA handles aspects of security administration on the local computer, including access and permissions. To implement this restriction, create and set the following registry entry:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\LSA

Value Name

RestrictAnonymous

Type

REG_DWORD

Value

1

Restrict untrusted users' ability to plant Trojan horse programs

Trojan horses can take advantage of the Run utility if it is unguarded. There are some Trojan horses that are written to execute during an Uninstall operation. To restrict the ability of users to plant Trojan horse programs:

  1. Use the Registry Editor to find the following keys:

    Hive

    HKEY_LOCAL_MACHINE\SOFTWARE

    Key

    Microsoft\Windows\CurrentVersion

    Values

    Run, RunOnce, Uninstall (if present), AEDebug and all their subkeys

  2. Select each subkey, click the Security menu, and then click Permissions

  3. For each subkey set the permissions for Everyone and all untrusted users to a maximum of Read, and then click OK.

Restrict printer driver installation to Administrators only

Who can add printer drivers is controlled by the value of a registry entry. The value should be set to 1 to allow only administrators to install printer drivers on servers and domain controllers.

To restrict who can add printer drivers, create the following registry entry:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers

Value Name

AddPrintDrivers

Type

REG_DWORD

Value

1

The subkey will not exist if no printers are installed on the system. In that case, you will need to create the subkey before creating an entry for AddPrintDrivers.

Set the paging file to be cleared at system shutdown

Clearing the paging file ensures that no unsecured data is contained in the paging file when the shutdown process is complete. Shutdown time will increase proportional to the amount of installed RAM, so this change may not be appropriate for installations where server restart time is at a premium. To force Windows NT to clear the page file at shutdown, make the following Registry change:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\Session Manager\Memory Management

Value Name

ClearPageFileAtShutdown

Type

REG_DWORD

Value

1

Restrict floppy drive and CD-ROM drive access to the interactive user only

Only the currently logged-on user should be able to access floppy disk drives and CD-ROM drives. To ensure this, allocate the drives at logon. To restrict floppy and CD-ROM drive access to the logged-on user, use the Registry Editor to create and set the values for the following registry entries:

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

Microsoft\Windows NT\CurrentVersion\Winlogon

Value Name

AllocateFloppies and AllocateCdRoms

Type

REG_SZ

Value

1

If the entry does not exist, or is set to any other value, floppy devices will be available for shared use by all processes on the system.

These values take effect at the next logon. If a user is already logged on when the values are set, they will have no effect for that logon session. The user must log off and log on again to cause the device or devices to be allocated.

Modify user rights membership

Use User Manager for Domains to restrict the use of user rights as shown in Table 3.

User Right

Membership

Access this computer from network

Trusted groups who need access to any resources shared from the DC

Act as part of the operating system

(no one)Do not assign to any user.

Add workstations to domain

Domain Admins

Back up files and directories

trusted users (e.g. the Backup Operators group)

Bypass traverse checking

Authenticated Users

Change the system time

trusted users (e.g. Server Operators)

Create a pagefile

trusted users (e.g. Server Operators)

Create a token object

(no one)
Do not assign to any user.

Create permanent shared objects

(no one)

Debug programs

(no one)This right is not auditable and should not be assigned to any user, including system administrators.

Force shutdown from a remote system

trusted users (e.g. Server Operators)

Generate security audits

(no one)Do not assign to any user.

Increase quotas

trusted users (e.g. Server Operators)

Increase scheduling priority

trusted users (e.g. Server Operators)

Load and unload device drivers

trusted users (e.g. Server Operators)

Lock pages in memory

(no one)

Log on as a batch job

trusted users
(as needed)

Log on as a service

trusted users
(as needed)

Log on locally

Administrators and Domain Admins; Operators groups as desired

Manage auditing and security log

trusted users (e.g. Domain Admins)

Modify firmware environment values

trusted users (e.g. Domain Admins)

Profile single process

trusted users

Profile system performance

trusted users

Replace a process level token

(no one)Do not assign to any user.

Restore files and directories

trusted users (e.g. Backup Operators)

Shut down the system

trusted users (e.g. Server Operators)

Take ownership of files or other objects

trusted users (e.g. Domain Admins)

Set auditing (if enabled) for base objects and for backup and restore

Certain programming objects (i.e., base named objects) are not audited by default when auditing of object and file access is enabled. Likewise, the Backup and Restore user rights are not audited by default when use of user rights auditing is enabled. If you turn this auditing on, it will generate a large volume of event log entries when a backup or restore is done. Adjust the size of your security event log if you enable this auditing.

WARNING: Making this change can result in a very large volume of event log messages, making it difficult for you to find legitimate events of interest. Don't do this unless you think it's necessary to track an exposure.

To enable auditing of base named object and the Backup/Restore user rights, make the following changes:

  • To set auditing for base objects:

    Hive

    HKEY_LOCAL_MACHINE\SYSTEM

    Key

    CurrentControlSet\Control\Lsa

    Value Name

    AuditBaseObjects

    Type

    REG_DWORD

    Value

    1

  • To set auditing for backup and restore privileges:

    Hive

    HKEY_LOCAL_MACHINE\SYSTEM

    Key

    CurrentControlSet\Control\Lsa

    Value Name

    FullPrivilegeAuditing

    Type

    REG_BINARY

    Value

    0x01 (hex)

Set security log behavior

Use Event Viewer to set security log behavior. Choose Do Not Overwrite Events (Clear Log Manually). Optionally, you can also force Windows NT to halt when it cannot generate an audit event record. Also optionally, you can set the registry key to enable auditing of the use of all rights. In addition, you can force the system to shut down when the security log is full by making the following change. Note that applying this change may result in unexpected shutdowns if the security event log fills unexpectedly.

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\LSA

Value Name

CrashOnAuditFail

Type

REG_DWORD

Value

1

Change the Scheduler service's security context

The context in which a system service runs determines what it can do. By default, the Schedule service runs in the LocalSystem context, meaning that users may be able to schedule jobs that run in a context that exceeds their own permission level. To change the security context for the Scheduler service, do the following:

  • Open the Services control panel (Start | Settings | Control Panel | Services).

  • Select the Schedule service, then click the Startup button. The Service information dialog will appear.

  • In the Log On As group, select the "This account" radio button. Enter a set of account credentials for the service to use, then click the OK button.

  • Stop and restart the service.

Hide the name of the last logged-in user

By default, the name of the last user who successfully logged on is displayed in the logon dialog box. To turn this display off, make the following Registry change:

Hive

HKEY_LOCAL_MACHINE\Software

Key

Microsoft\WindowsNT\CurrentVersion\winlogon

Value Name

DontDisplayLastUserName

Type

REG_SZ

Value

1

Update the system Emergency Repair Disk

You should update the system's Emergency Repair Disk (ERD) to reflect these changes. For instructions, see "Update Repair Info" in Repair Disk Utility Help. (Run rdisk.exe, then click Help.) Remember to use the emergency repair disk, rather than the Restore utility, if system files are lost. Backup and Restore do not copy system access control lists (SACLs). The emergency repair disk does restore this information.

Windows NT 4.0 Account and Policy Configuration

Disable blank passwords

Blank passwords are unacceptable on domain controllers. You can prohibit blank passwords using User Manager for Domains; open the Account Policy dialog using the Policies | Account command, then make sure that the minimum password length is set to a reasonable value.

Set stronger password policies

Use the Account Policy dialog in the User Manager for Domains application (choose the Policies | Account command) to strengthen the system policies for password acceptance. Microsoft suggests that you make the following changes:

  • Set the minimum password length to at least 8 characters

  • Set a minimum password age appropriate to your network (typically between 1 and 7 days)

  • Set a maximum password age appropriate to your network (typically no more than 42 days)

  • Set a password history maintenance (using the "Remember passwords" radio button) of at least 6

Set account lockout policy

Windows NT includes an account lockout feature that will disable an account after an administrator-specified number of logon failures. To turn this on, use the Account Policy dialog in User Manager for Domains, then select the "Account lockout" radio button. For maximum security, enable lockout after 3-5 failed attempts, reset the count after not less than 30 minutes, and set the lockout duration to "Forever (until admin unlocks)".

Use the passprop utility

The Windows NT Server Resource Kit includes a tool that allows you to adjust some account properties that aren't accessible through the normal management tools. This tool, passprop.exe, allows you to turn on complex password checking and to lock out the administrator account:

  • The /complex switch turns on a requirement that all passwords must have at least one uppercase letter, one number, or one ASCII symbol. If you use passfilt.dll, this switch is not necessary.

  • The /adminlockout switch allows the administrator account to be locked out

Use passfilt .dll

Windows NT Service Pack 3 and later contain a password filtering tool, passfilt.dll, that allows you to enforce strong password rules for password changes. The tool allows only passwords that meet all of the following criteria:

  • At least 6 characters long

  • May not contain user account name, or any portion of the user's full name

  • Must contain characters from 3 of the 4 character groups (uppercase, lowercase, numeric, and non-alphabetic punctuation characters)

WARNING: This change must be performed on all domain controllers in a domain. If you fail to make the change to BDCs, when a BDC is promoted to the PDC role strong password checking will be disabled.

To install passfilt.dll, make the following Registry change (see MS KB article 151082 for more details on writing your own filters).

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\LSA

Value Name

NotificationPackages

Type

REG_MULTI_SZ

Change

Add the string passfilt.dll to the list

Configure the Administrator account

Because the Administrator account is built in to every copy of Windows NT, it presents a well-known objective for attackers. To make it more difficult to attack the Administrator account, do the following both for the domain Administrator account and the local Administrator account on each domain controller:

  • Rename the account to a non-obvious name (e.g. not "admin", "root", etc.)

  • Establish a decoy account named "Administrator" with no privileges. Scan the event log regularly looking for attempts to use this account.

  • Enable account lockout on the real Administrator accounts by using the passprop utility

  • Disable the local machine's Administrator account.

Enable auditing of failed logon attempts and privilege requests

Use the Policy | Auditing... command in User Manager for Domains to force auditing of logon failures, then review the security event log periodically to check for unusual numbers or frequency of these failures.

WARNING: This change must be performed to all domain controllers in a domain.

Ongoing Maintenance Tasks

Review user accounts

Review the list of user accounts in your domain to make sure that accounts you no longer need have been deactivated or removed. In addition, review the user policy settings in User Manager for Domains to make sure that logon hours, logon workstation restrictions, and other per-user settings remain in accordance with your requirements.

Review group memberships

Review the list of local and global groups in your domain. Remove any outdated user accounts from whatever groups they're in. Periodically check group memberships and ACLs to make sure that you're not accidentally giving access where you don't intend to. Be particularly careful with the membership of privileged groups like Server Operators, Administrators, Domain Admins, and Backup Operators.

Review security event logs

Regular review of the security event logs is a critical, and often overlooked, security requirement. Government systems which process classified information are required to review these logs, and it's a good idea for any sensitive system, including your domain controllers. During your review you should be looking for security-related failures, as well as any other occurrence that strikes you as unusual based on your knowledge of your users and their activity patterns. Third-party event log management tools can help you automate the gathering and analysis process.

Consider using wide-scale audit and analysis tools

A number of vendors offer security analysis and auditing tools that scan your Windows NT network for vulnerabilities. These tools actively scan your network looking for improperly configured workstations and servers, conducting the same kinds of probes and explorations that a human attacker might.

Microsoft offers a tool as part of Windows NT Service Pack 4 and later, the Security Configuration Manager (SCM). The SCM kit allows you to scan your network to see whether your servers and workstations meet the pre-configured security profile you choose (e.g. "High-Security Workstation", "Basic Domain Controller", etc.) It also allows you to reconfigure your computers to match the desired security settings, all from a single console. To get more information about the SCT:

THE INFORMATION PROVIDED IN THIS CHECKLIST IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Was this page helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft