Windows NT C2 Configuration Checklist

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Updated: January 7, 2000

This checklist outlines the steps you should take to duplicate the C2-evaluated configuration of Windows NT Server 4.0. Note that following this checklist does not make your installation C2-compliant; it merely assures you that the software configuration matches the configuration that the NCSC evaluated.

For additional security, you are free to use these steps as a starting point. For example, you may be able to improve security further by applying more restrictive ACLs or shutting down additional services that you're not using. These guidelines must be followed to gain C2 certification, but you can always exceed the specifications as long as you don't violate the guidelines in doing so.

IMPORTANT: Remember that a C2-compliant system consists of hardware, software, application programs, and network services. This checklist will explain how to configure the OS, and it provides references to material that can help you properly configure your hardware, applications, and network services. Making these changes will not necessarily render your systems invulnerable, but doing so does guarantee that you will meet the software configuration requirements for C2 evaluation.

This checklist contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

Please email the Microsoft Security Response Center (secure@microsoft.com) if you find any problems or have any comments.

On This Page

Step 1: General Information
Step 2: Background and Planning
Step 3: Hardware Configuration & Installation
Step 4: Windows NT 4.0 Initial Configuration
Step 5: Windows NT 4.0 Security Configuration
Windows NT 4.0 C2 Compliance Checklist: Further Details
Hardware Configuration & Installation
Windows NT 4.0 Initial Configuration
Windows NT 4.0 Security Configuration

Step 1: General Information

Server Name:   ____________________

Asset #:       ____________________

Setup Date:    ____________________

Manufacturer:  ____________________

Location:      ____________________

Set up by:     ____________________

Step 2: Background and Planning

NOTE: More information on the following steps can be found later in this document.

  1. Read any applicable security policies for your organization.

  2. Decide whether you need C2 evaluation or compliance.

  3. Review the C2 Administrator's and User's Security Guide.

  4. Subscribe to the Microsoft Security Notification Service.

  5. Place a favorites shortcut to the Microsoft TechNet Security Web site.

Step 3: Hardware Configuration & Installation

NOTE: More information on the following steps can be found later in this document.

  1. Unpack and set up hardware.

  2. Set the power-on password.

  3. Enable hardware boot protection.

Step 4: Windows NT 4.0 Initial Configuration

NOTE: More information on the following steps can be found later in this document.

  1. Install Windows NT.

  2. Reboot Windows NT and log on as Administrator.

  3. Install printer and tape drivers.

  4. Verify video drivers.

  5. Install Service Pack 6a.

  6. Install the C2 Update hotfix.

  7. Remove the NetBIOS Interface service.

  8. Disable unnecessary devices.

  9. Disable unnecessary services.

  10. Remove the OS/2 and POSIX subsystems.

  11. Disable DirectDraw.

Step 5: Windows NT 4.0 Security Configuration

NOTE: More information on the following steps can be found later in this document.

  1. Disable the Guest account.

  2. Secure base objects.

  3. Secure additional base named objects.

  4. Enable NetBT to open TCP and UDP ports for exclusive access.

  5. Protect kernel object attributes.

  6. Remove the Shutdown button from the logon dialog.

  7. Protect files and directories.

  8. Protect the registry.

  9. Restrict access to public Local Security Authority (LSA) information.

  10. Restrict null session access over named pipes.

  11. Restrict untrusted users' ability to plant Trojan horse programs.

  12. Allow only Administrators to create new shares.

  13. Disable caching of logon information.

  14. Restrict printer driver installation to Administrators and Power Users only.

  15. Set the paging file to be cleared at system shutdown.

  16. Restrict floppy drive and CD-ROM drive access to the interactive user only.

  17. Modify user rights membership.

  18. Set auditing (if enabled) for base objects and for backup and restore.

  19. Disable blank passwords.

  20. Set security log behavior.

  21. Restart the computer.

  22. Update the system Emergency Repair Disk.

Windows NT 4.0 C2 Compliance Checklist: Further Details

Background and Planning

Read any applicable security policies for your organization

Having a security policy is paramount. You need ready answers to questions like:

  • How do we react to a break-in?

  • Where are the backups stored?

  • Who is allowed to access the server?

  • What level of physical security is appropriate?

Good sources of policy information may be found at SANS Institute (https://www.sans.org/), Baseline Software, Inc. (https://www.baselinesoft.com/), and O'Reilly & Associates' Practical Unix & Internet Security (https://shop.barnesandnoble.com/booksearch/isbnInquiry.asp?srefer=&isbn=1565921488).

Decide whether you need C2 evaluation or compliance

Armed with knowledge of your security policy, you can decide whether you need a fully C2-evaluated installation, based on evaluated hardware, or whether a configuration that follows the C2 requirements but has not been formally evaluated may suffice.

Review the C2 Administrator's and User's Security Guide

The C2 Administrator's and User's Security Guide contains full details on all aspects of the C2 evaluation for Windows NT 4.0. If you need additional information about deploying an evaluated configuration, the Guide is the best place to start. In particular, you should review the guide to choose the appropriate C2 configuration for your needs.

Subscribe to the Microsoft Security Notification Service

Subscribe to the Microsoft Security Notification Service at https://www.microsoft.com to stay abreast of Microsoft-related security issues and fixes. You will receive notice of security issues by email.

WARNING: You MUST keep on top of new security issues as they arise.

You should also consider placing a 'favorites shortcut' to the Microsoft TechNet Security Web site. To do so, follow these steps:

  1. Open Internet Explorer on your desktop

  2. Navigate to https://www.microsoft.com

  3. Select Favorites on the menu, then choose Add to Favorites

  4. Check 'Make Available Offline'

  5. Select Customize | Next | Yes (links to other pages) | '2' links deep

  6. Next | Select 'I would like to create a new schedule' | use the defaults | finish

  7. OK

  8. Select Properties | Download | uncheck 'Follow links outside of this page's Web site'

  9. OK

  10. Close

If you now click on the Favorites icon in the toolbar, you can drag the 'Microsoft TechNet Security' link to your desktop. A small red mark will appear on the icon when there is new security news.

Hardware Configuration & Installation

Unpack and set up hardware

The Compaq ProLiant platform, models 5100, 6500, 7000, and 8000, was used in evaluating Windows NT for C2 compliance. Follow the hardware manufacturer's manuals accompanying your computer system to unpack and connect your computer system components. Physically secure the hardware to the extent necessary, including using optical fiber if cabling must pass through unsecured areas, or isolating the network in a secure building if very high security is needed.

  • To test processor integrity, you can obtain a suite of diagnostic integrity tests for i386 processors by contacting Microsoft Product Support Services, and referring to Microsoft Knowledge Base article 240049: How to Obtain Diagnostic i386 Processor Integrity Tests Required by the C2 TFM for Windows NT 4.0. Contact information for Microsoft Product Support Services is available at https://support.microsoft.com/support/contact/default.asp.

  • To test peripheral integrity, use the peripheral integrity tests that are shipped with your hardware (as documented by the vendor) to test the integrity of the peripheral in the evaluated configuration.

Set power-on password

Set the power-on password for your computer by following the vendor's instructions. Normally, this involves going into the computer's BIOS setup (and perhaps a special utility, like Compaq's SmartStart).

NOTE: An intruder who can physically open your computer's central processing unit (CPU) can adjust hardware switches to disable the power-on password. Access to the internal components of the CPU would also permit temporary installation of a drive from which a less secure OS, or a version of Windows NT that lacks your security settings, can be used to start the computer. Options for preventing unauthorized access to internal components include locking the case (if the model permits it) or locking away the entire CPU in a well-ventilated area, possibly with a controlled or locked opening to allow use of the floppy drive or drives.

Enable hardware boot protection

Configure each Windows NT Workstation to boot only with a BIOS setup password and only from the fixed disk. For Windows NT Server, this configuration is not available; instead you should physically protect each Server machine as described under "Restricting the Boot Process" in Chapter 2 of C2 Administrator's and User's Security Guide.

Windows NT 4.0 Initial Configuration

Install Windows NT

For additional information on installing Windows NT, see the instructions in Part 2, "Installation," in Windows NT Server Start Here or Windows NT Workstation Start Here. Keep in mind the following considerations:

  • If you install systems by disk duplication (e.g., by using the xcopy command), do not use "after-GUI replication," where the copy is made after the graphical user interface (GUI) appears. Microsoft supports disk duplication for Windows NT 4.0 only if the disk is duplicated at the point in the setup process after the second reboot and before the GUI portion of Windows NT 4.0 setup.

WARNING: Duplicating the system in the wrong part of the setup process will copy the entire tree structure of Windows NT, affecting security, hardware, and other areas of the product. Security is impossible because the two installations have the same primary SID, and thus users on one system can access accounts on the other. (Windows NT 3.51 CPS and Windows NT 4.0 Deployment Tools are not simple copies, and they do configure the OS correctly.)

  • Choose the Custom Setup option.

    As you proceed through the steps of Setup, use the default settings except for the following:

    • All hard-disk partitions must be formatted with NTFS.

    • Do not install any other operating systems on the computer.

    • When the Administrator Account Setup dialog box appears, provide a strong password. Select a password that is at least nine characters long. This makes it much harder to guess than a password of eight characters or fewer, owing to the way Windows NT creates the hash of the password. Also, use punctuation and other non-alphabetic characters in the first 7 characters. Never leave the password field blank.

    • When the Local Account Setup dialog box appears, you can create a user account for routine computer use. If you choose to create a local account, keep in mind that this account is placed by default in the Administrators group, which gives the user the ability to create user accounts.

    • Create an emergency repair disk. This makes it easier to recover your system if the operating-system configuration databases become corrupt. Secure the ERD, as it contains security-critical information.

    • During the network portion of the installation process, make the following selections:

      For installations of Windows NT Server, do not install Internet Information Server (IIS).

      When the Network Protocol dialog appears, select only TCP/IP.

      Do not use DHCP. Instead, use a static IP address appropriate for your network.

      Workstations and member servers may or may not be part of a domain; either option is appropriate.

Reboot Windows NT and log on as Administrator

Log on to the Administrator account. This account has sufficient capability for you to perform the remainder of the configuration steps.

Install printer and tape drivers

If any printers or tape devices are to be installed, install those devices and their drivers before installing Service Pack 6a. If a tape or printer device is added at a later time, re-install Service Pack 6a after the drivers have been installed.

Verify video drivers

The only video driver in the evaluated configuration is vga.sys. To verify that the correct video driver is loaded, right-click on the desktop. From the context menu, choose Properties, select the Settings tab, then click the Display Type button. If the current files list includes any driver other than vga.sys, click the Change button and choose the VGA compatible display adapter. This change will require a reboot.

Install Service Pack 6a

Windows NT 4.0 Service Pack 6a incorporates all improvements that were made in Service Packs 1 through 5, and it is a prerequisite for achieving C2 compliance.

Install C2 Update hotfix

Install the post-Service Pack 6a "C2 Update" hotfix to ensure that:

  • NetBT disallows unprivileged user mode applications from sharing TCP and UDP ports that are opened by NetBT. This feature is described in Microsoft Knowledge Base article 241041: Enabling NetBT to Open TCP and UDP Ports Exclusively.

  • Device drivers create their corresponding DeviceObject with FILE_DEVICE_SECURE_OPEN DeviceCharacteristics. This feature is described in Microsoft Knowledge Base article 243405: Device Drivers Create Their Corresponding DeviceObject with FILE_DEVICE_SECURE_OPEN DeviceCharacteristics.

  • Jet500 creates events and semaphores objects with non-NULL ACLs. This feature is described in Microsoft Knowledge Base article 243404: Winobj.exe May Permit You to View Securable Objects Created or Opened by the Jet500.dll File.

  • The C2 Update also includes the binary files required in the spooler-fix described in Microsoft Knowledge Base article 243649: Unchecked Print Spooler Buffer May Expose System Vulnerability.

The C2 update is available from the TechNet article "C2 Security Update for Windows NT 4.0" and at the Microsoft Download Center.

The update also can be ordered on various media through Microsoft Product Support Services. Information on contacting Microsoft Product Support is available at https://support.microsoft.com/support/contact/default.asp.

Remove the NetBIOS Interface service

Use the Remove button on the Services tab of the Network control panel to remove the NetBIOS Interface network service. This service was not included in the evaluation, and it cannot be present on a system being considered for C2 certification.

Disable unnecessary devices

All devices must be disabled except those listed in Table 1 (and the NetBIOS Interface, because the associated service was removed in the previous step). The devices in Table 1 have been evaluated, and it is acceptable to enable all of them (or a subset of them) to remain in the evaluated configuration. Do not install any devices or drivers not explicitly listed in the table.

Service name                          Service driver name
------------------------------------  -------------------
AFD Networking Support Environment    afd.sys
atapi                                 atapi.sys
Beep                                  beep.sys
Cdfs                                  cdfs.sys
Cdrom                                 cdrom.sys
Compaq NetFlex-3 Driver               netflx3.sys
cpqarray                              cpqarray.sys
Disk                                  disk.sys
Fastfat                               fastfat.sys
Floppy                                floppy.sys
HP 4mm DAT tape device                hpt4qic.sys
i8042 Keyboard and PS/2 Mouse Port    i8042prt.sys
keyboard class driver                 kbdclass.sys
KSecDD                                ksecdd.sys
Microsoft NDIS System Driver          ndis.sys
Mouse Class Driver                    mouclass.sys
Msfs                                  msfs.sys
Mup                                   mup.sys
NetDetect                             netdetect.sys
Npfs                                  npfs.sys
Ntfs                                  ntfs.sys
Null                                  null.sys
Parallel                              parallel.sys
Parport                               parport.sys
Rdr                                   rdr.sys
Serial                                serial.sys
Srv                                   srv.sys
symc810                               symc810.sys
TCP/IP Service                        tcpip.sys
Vga                                   vga.sys
VgaSave                               vga.sys
VgaStart                              vga.sys
WINS Client (TCP/IP)                  netbt.sys
Tape                                  tape.sys
4mm tape drive                        4mmdat.sys

Table 1: List of device drivers that may be enabled for a C2 configuration

Note: Disable devices before services. Some devices depend on services and therefore cannot be disabled if the service is not present.

Disable unnecessary services

All services except those listed in Table 2 are to be disabled. Note that Microsoft DNS Server and WINS are only enabled on servers on which they are installed. Note also that when Plug and Play is disabled, the Devices menu is not accessible from Control Panel. To remain in the evaluated configuration, it is acceptable to have all of the listed services (or a subset of them) enabled and running. Do not install any trusted services (or applications) not explicitly listed in the table.

NOTE: Only the services shown in Table 2 are part of the C2 configuration. If you add or remove other services, your system will no longer meet C2 requirements. In addition, because the C2-evaluated configuration doesn't include any auditing capacity for service installation, removal, or configuration, you can't effectively manage services with your server in a C2 configuration. If you need to remove, add, or reconfigure the services listed in Table 2, you can do so, then revert back to a C2-safe configuration.

Service
-------
  • Computer Browser

  • Microsoft DNS Server (only on servers that have it installed)

  • Netlogon

  • NTLM SSP

  • RPC Locator

  • RPC Service

  • TCP/IP NetBIOS Helper

  • Spooler

  • Server

  • WINS

  • Workstation

  • Event Log

Table 2: Services that may be enabled for a C2 configuration
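The following PowerShell script is an added example and is not part of the Microsoft checklist. It walks the Services key of a Windows NT SYSTEM hive and reports every driver or service that is still enabled (start type other than Disabled) but is not on Table 1 or Table 2. It assumes Windows PowerShell 5.1 or later; by default it reads the live HKLM:\SYSTEM\CurrentControlSet\Services, and -ServicesRoot can instead point at an NT 4.0 SYSTEM hive that has been loaded offline with reg load. The driver file names are taken from Table 1; the registry key names used for the Table 2 services are the editor's assumption and may need adjusting to match the hive being audited.

```powershell
# Added example (editor's code, not Microsoft's): audit a Services hive against
# Table 1 (drivers) and Table 2 (services) of the C2 checklist.
# Assumptions: Windows PowerShell 5.1+; -ServicesRoot may be a live control set
# or an offline hive, e.g. HKLM:\NT4\ControlSet001\Services after
# "reg load HKLM\NT4 <path-to-SYSTEM-hive>".

# Driver image file names copied verbatim from Table 1.
$AllowedDrivers = @(
    'afd.sys','atapi.sys','beep.sys','cdfs.sys','cdrom.sys','netflx3.sys',
    'cpqarray.sys','disk.sys','fastfat.sys','floppy.sys','hpt4qic.sys',
    'i8042prt.sys','kbdclass.sys','ksecdd.sys','ndis.sys','mouclass.sys',
    'msfs.sys','mup.sys','netdetect.sys','npfs.sys','ntfs.sys','null.sys',
    'parallel.sys','parport.sys','rdr.sys','serial.sys','srv.sys','symc810.sys',
    'tcpip.sys','vga.sys','netbt.sys','tape.sys','4mmdat.sys'
)

# ASSUMED registry key names for the Table 2 services; verify against your hive.
$AllowedServices = @(
    'Browser','DNS','Netlogon','NtLmSsp','RpcLocator','RpcSs','LmHosts',
    'Spooler','LanmanServer','WINS','LanmanWorkstation','EventLog'
)

function Get-NonC2Entries {
    param([string]$ServicesRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services')

    $findings = @()
    foreach ($key in Get-ChildItem -Path $ServicesRoot -ErrorAction Stop) {
        $p = Get-ItemProperty -Path $key.PSPath
        # Keys without Type/Start are parameter subtrees, not service definitions.
        if ($null -eq $p.Type -or $null -eq $p.Start) { continue }
        if ($p.Start -eq 4) { continue }          # 4 = SERVICE_DISABLED: compliant

        # Type 1 = kernel driver, 2 = file-system driver; 16/32 = Win32 service.
        $isDriver = ($p.Type -band 0x3) -ne 0
        if ($isDriver) {
            $image = if ($p.ImagePath) { Split-Path -Leaf $p.ImagePath } else { "$($key.PSChildName).sys" }
            $ok    = $AllowedDrivers -contains $image     # -contains is case-insensitive
            $table = 'Table 1'
        } else {
            $image = $p.ImagePath
            $ok    = $AllowedServices -contains $key.PSChildName
            $table = 'Table 2'
        }
        if (-not $ok) {
            $findings += [pscustomobject]@{
                Name  = $key.PSChildName
                Kind  = if ($isDriver) { 'driver' } else { 'service' }
                Start = $p.Start
                Image = $image
                Note  = "enabled but not listed in $table"
            }
        }
    }
    return $findings
}

# Usage: list everything that must be disabled to match the evaluated configuration.
Get-NonC2Entries | Format-Table -AutoSize
```

Because the script only reads the hive, it can be run repeatedly after each round of disabling devices and services; the note under Table 1 still applies, so disable the devices it reports before the services they depend on.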

Remove OS/2 and POSIX subsystems

These subsystems were not included in the evaluated configuration, and therefore full C2 compliance cannot be achieved unless they are removed. First, delete the \winnt\system32\os2 directory and all its subdirectories. Then make the following registry changes:

  Hive:        HKEY_LOCAL_MACHINE\SOFTWARE
  Key:         \Microsoft\OS/2 Subsystem for NT
  Action:      Delete all subkeys

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         \CurrentControlSet\Control\Session Manager\Environment
  Value Name:  Os2LibPath
  Action:      Delete

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         \CurrentControlSet\Control\Session Manager\SubSystems
  Value Name:  Optional
  Action:      Delete values

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         \CurrentControlSet\Control\Session Manager\SubSystems
  Action:      Delete entries for Posix and OS/2

The changes will take effect on the next reboot.

Disable DirectDraw

This prevents direct access to video hardware and memory. To disable DirectDraw, use the Registry Editor to set the value of the following registry entry:

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         \CurrentControlSet\Control\GraphicsDrivers\DCI
  Value Name:  Timeout (REG_DWORD)
  Action:      Set to 0

Windows NT 4.0 Security Configuration

Disable Guest account

By default the Guest account is disabled at startup. If the Guest account is enabled, disable it. Disabling accounts is described under "Disabling and Enabling User Accounts" in User Manager for Domains Help and User Manager Help.

Secure base objects

This step is necessary to further heighten security of the base objects. Among other things, it prevents users from gaining local administrator privileges by way of a dynamic-link library (DLL). This issue is explained in more detail in Microsoft Security Bulletin 99-006 at https://www.microsoft.com/technet/security/bulletin/ms99-006.mspx. Use the registry editor to make the following change to implement this security:

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         \CurrentControlSet\Control\Session Manager
  Value Name:  ProtectionMode
  Type:        REG_DWORD
  Value:       1

Secure additional base named objects

This step is necessary to heighten security of additional base named objects such as RotHintTable or ScmCreatedEvent, not addressed by the ProtectionMode key entry above. To implement this setting, make the following registry change:

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         \CurrentControlSet\Control\Session Manager
  Value Name:  AdditionalBaseNamedObjectsProtectionMode
  Type:        REG_DWORD
  Value:       1

Enable NetBT to open TCP & UDP ports for exclusive access

It is a TCSEC C2 requirement that an unprivileged user mode application should not be able to listen to TCP and UDP ports used by Windows NT services, regardless of the cryptographic protection applied to the Windows NT service traffic through the ports.

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         \CurrentControlSet\Services\NetBT\Parameters
  Action:      Add new REG_DWORD value named EnablePortLocking
  Value:       1

Protect kernel object attributes

This step is necessary to ensure that the object manager may change attributes of a kernel object in the object table for the current process if and only if the previous mode of the caller is kernel mode.

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         \CurrentControlSet\Control\Session Manager
  Action:      Add new REG_DWORD value named EnhancedSecurityLevel
  Value:       1

Remove Shutdown button from logon dialog

Set the following value in the Registry to remove the shutdown option at logon:

  Hive:        HKEY_LOCAL_MACHINE\SOFTWARE
  Key:         \Microsoft\Windows NT\CurrentVersion\Winlogon
  Value Name:  ShutdownWithoutLogon
  Type:        REG_SZ
  Value:       0

Protect files and directories

Use the ACL Editor in Windows NT Explorer to change access on the system drive (by default "C:\") to grant Full Control permission to Administrators and SYSTEM, and to grant Read permission to Everyone, with the following exceptions:

Directory                                                      Users          Maximum access
-------------------------------------------------------------  -------------  -------------------------
c:\temp                                                        Creator Owner  Full Control
c:\temp                                                        Everyone       Add
c:\winnt\profiles\<user> directory and subdirectories          user           Full Control
c:\winnt\profiles\administrator directory and subdirectories   Everyone       None: delete from the ACL
c:\winnt\repair directory and its files                        Everyone       None: delete from the ACL

Several critical operating system files exist in the root directory (System32) of the system partition on Intel 80486 and Pentium-based systems. These files must be protected with the following permissions:

File                            C2-Level Permissions
------------------------------  ------------------------------------------------------------------
BOOT.INI, NTDETECT.COM, NTLDR   Administrators: Full Control; SYSTEM: Full Control
AUTOEXEC.BAT, CONFIG.SYS        Everybody: Read; Administrators: Full Control; SYSTEM: Full Control

All TCB used program and library files are stored on the system drive (by default "C:"). Nearly all TCB files are stored in the system directory (by default "\WINNT") and its subdirectories. In addition, the three files (boot.ini, ntdetect.com, ntldr) in the root directory of the system drive (by default "C:\") are also TCB files. Modification of these three files or any files in the system directory should be considered a modification to the TCB.

WARNING: The C2-evaluated configuration requires that the directories and files identified above be continuously controlled at least to the degree specified. Other files or directories can effectively have any access control.

Protect the registry

The default permissions grant Full Control to Administrators and SYSTEM and Read access to Everyone for the following registry subkeys and all their subkeys:

  • HKEY_LOCAL_MACHINE\Hardware

  • HKEY_LOCAL_MACHINE\Software

  • HKEY_LOCAL_MACHINE\System

  • HKEY_USERS\.Default

The default permissions do not restrict who has remote access to the registry. Only administrators should have remote access to the registry. The Registry Editor supports remote access to the Windows NT registry. To restrict network access to the registry:

  1. Add the following key to the registry:

     Hive:        HKEY_LOCAL_MACHINE\SYSTEM
     Key:         \CurrentControlSet\Control\SecurePipeServers
     Value Name:  \winreg

  2. Select winreg, click the Security menu, and then click Permissions.

  3. Set the Administrators permission to Full Control, make sure no other users or groups are listed, then click OK.

The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access.
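The ACL requirements in "Protect files and directories" (boot.ini, ntdetect.com and ntldr restricted to Administrators and SYSTEM with Full Control; Everyone removed from c:\winnt\repair) and in "Protect the registry" (only Administrators on the winreg key) can be checked with the same routine, since Get-Acl reads both file and registry DACLs. The script below is an added example and is not part of the Microsoft checklist. It assumes Windows PowerShell 5.1 or later, an elevated session so the DACLs can be read, and the checklist's default paths (C:\ as the system drive and C:\winnt as the system directory); the identity strings BUILTIN\Administrators and NT AUTHORITY\SYSTEM are the standard names for the two groups.

```powershell
# Added example (editor's code, not Microsoft's): verify that a file, directory
# or registry key grants access only to an allowed set of identities.
# Assumptions: Windows PowerShell 5.1+, elevated; default C2 checklist paths.

function Test-C2Acl {
    param(
        [Parameter(Mandatory)][string]$Path,                # file, directory, or HKLM:\... key
        [Parameter(Mandatory)][string[]]$AllowedIdentities, # every Allow ACE must name one of these
        [switch]$RequireFullControl                         # ...and each of these must hold Full Control
    )
    $acl = Get-Acl -Path $Path -ErrorAction Stop
    $findings = @()
    $fullControl = @{}
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # Deny ACEs never widen access
        $who = $ace.IdentityReference.Value
        # FileSystemAccessRule and RegistryAccessRule expose rights under different names.
        $rights = if ($null -ne $ace.FileSystemRights) { $ace.FileSystemRights } else { $ace.RegistryRights }
        if ($AllowedIdentities -notcontains $who) {
            $findings += "$Path : unexpected Allow ACE for '$who' ($rights)"
        } elseif ("$rights" -eq 'FullControl') {
            $fullControl[$who] = $true
        }
    }
    if ($RequireFullControl) {
        foreach ($id in $AllowedIdentities) {
            if (-not $fullControl[$id]) { $findings += "$Path : '$id' does not hold Full Control" }
        }
    }
    return $findings
}

$adminsAndSystem = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$report = @()

# Boot files in the root of the system drive: Administrators and SYSTEM only, Full Control.
foreach ($f in 'C:\boot.ini', 'C:\ntdetect.com', 'C:\ntldr') {
    if (Test-Path -LiteralPath $f) {
        $report += Test-C2Acl -Path $f -AllowedIdentities $adminsAndSystem -RequireFullControl
    }
}

# Repair directory: Everyone must have been deleted from the ACL.
if (Test-Path -LiteralPath 'C:\winnt\repair') {
    $report += Test-C2Acl -Path 'C:\winnt\repair' -AllowedIdentities $adminsAndSystem
}

# Remote registry access: only Administrators may appear on the winreg key.
$winreg = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg'
if (Test-Path -LiteralPath $winreg) {
    $report += Test-C2Acl -Path $winreg -AllowedIdentities 'BUILTIN\Administrators' -RequireFullControl
} else {
    $report += "$winreg is missing: remote registry access is not restricted"
}

if ($report.Count -eq 0) { 'No ACL findings' } else { $report }
```

Inherited ACEs are deliberately not excluded: an inherited Everyone or Users entry on boot.ini is exactly the condition the checklist says must not exist, so it is reported like any other.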

Restrict access to public Local Security Authority (LSA) information

In the C2 configuration, you need to be able to identify all users. Therefore you should restrict anonymous users from being able to obtain public information about the LSA component of the Windows NT Security Subsystem. The LSA handles aspects of security administration on the local computer, including access and permissions.

To implement this restriction, create and set the following registry entry:

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         CurrentControlSet\Control\LSA
  Value Name:  RestrictAnonymous
  Type:        REG_DWORD
  Value:       1

Restrict null session access over named pipes

Restricting null session access over named pipes helps prevent unauthorized access over the network. To add these restrictions, make the following changes to the registry:

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         CurrentControlSet\Services\LanmanServer\Parameters
  Value Name:  NullSessionPipes and NullSessionShares
  Type:        REG_MULTI_SZ
  Value:       remove all values

Restrict untrusted users' ability to plant Trojan horse programs

Trojan horses can take advantage of the Run utility if it is unguarded. There are some Trojan horses that are written to execute during an Uninstall operation. To restrict the ability of users to plant Trojan horse programs:

  1. Use the Registry Editor to find the following keys:

     Hive:    HKEY_LOCAL_MACHINE\SOFTWARE
     Key:     Microsoft\Windows\CurrentVersion
     Values:  Run, RunOnce, Uninstall (if present), AEDebug and all their subkeys

  2. Select each subkey, click the Security menu, and then click Permissions

  3. For each subkey set the permissions for Everyone and all untrusted users to a maximum of Read, and then click OK.

Allow only Administrators to create new shares

This allows the administrator to control who can access a computer from its network interface and what information is shared over the network interface. To prevent non-administrators from creating shares, do the following:

  1. Use the Registry Editor to find the following registry subkey:

     Key:     HKLM\SYSTEM
     Subkey:  CurrentControlSet\Services\LanmanServer\Shares

  2. Select Shares and all its subkeys, click the Security menu, and then click Permissions.

  3. For Shares and each of its subkeys, set the permissions for Everyone and all untrusted users to a maximum of Read, and then click OK.

Disable caching of logon information

Windows NT 4.0 has the capability to cache logon information in short-term memory. If the domain controller cannot be found during logon and the user has logged on to the system in the past, it can use those credentials to log on. If the Administrator disables a user's domain account, the user could still use the cache to log on by disconnecting the net cable. To prevent this, Administrators should disable the cache. This results in a somewhat longer logon time, but prevents hackers from tapping logon information from short-term memory.

  Hive:        HKEY_LOCAL_MACHINE\SOFTWARE
  Key:         Microsoft\Windows NT\CurrentVersion\Winlogon
  Value Name:  CachedLogonsCount
  Type:        REG_SZ
  Value:       0

Restrict printer driver installation to Administrators and Power Users only

Who can add printer drivers is controlled by the value of a registry entry. The value should be set to 1 to allow only administrators to install printer drivers on servers and domain controllers, and Administrators and Power Users to install them on workstations.

To restrict who can add printer drivers, create the following registry entry:

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers
  Value Name:  AddPrintDrivers
  Type:        REG_DWORD
  Value:       1

The subkey will not exist if no printers are installed on the system. In that case, you will need to create the subkey before creating an entry for AddPrintDrivers.

Set the paging file to be cleared at system shutdown

Clearing the paging file ensures that no unsecured data is contained in the paging file when the shutdown process is complete. To force Windows NT to clear the page file at shutdown, set the following registry entry:

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         CurrentControlSet\Control\Session Manager\Memory Management
  Value Name:  ClearPageFileAtShutdown
  Type:        REG_DWORD
  Value:       1

Restrict floppy drive and CD-ROM drive access to the interactive user only

Only the currently logged-on user should be able to access floppy disk drives and CD-ROM drives. To ensure this, allocate the drives at logon. To restrict floppy and CD-ROM drive access to the logged-on user, use the Registry Editor to create and set the values for the following registry entries:

  Hive:        HKEY_LOCAL_MACHINE\SOFTWARE
  Key:         Microsoft\Windows NT\CurrentVersion\Winlogon
  Value Name:  AllocateFloppies and AllocateCdRoms
  Type:        REG_SZ
  Value:       1

If the entry does not exist, or is set to any other value, floppy devices will be available for shared use by all processes on the system.

These values take effect at the next logon. If a user is already logged on when the values are set, they will have no effect for that logon session. The user must log off and log on again to cause the device or devices to be allocated.

Note: Windows NT allows all users access to the floppy disk drive, and therefore any user can read and write the contents of any floppy disk in the drive. In general this is not a concern, because only one user is logged on at a time. However, in rare instances, a program started by a user can continue running after the user logs off. When another user logs on and puts a floppy disk in the drive, this program can secretly transfer sensitive data from the floppy disk. If this is a concern, restart the computer before using the floppy disk drive.

Modify user rights membership

Use User Manager for Domains to restrict the use of user rights as shown in Table 3.

User Right                                 Domain Controllers         Member Servers             Workstations
-----------------------------------------  -------------------------  -------------------------  -------------------------
Access this computer from network          (anyone)                   (anyone)                   (anyone)
Act as part of the operating system        (no one) [a]               (no one) [a]               (no one) [a]
Add workstations to domain                 (no one)                   (no one)                   (no one)
Back up files and directories              trusted users              trusted users              trusted users
Bypass traverse checking                   (anyone)                   (anyone)                   (anyone)
Change the system time                     trusted users              trusted users              trusted users
Create a pagefile                          trusted users              trusted users              trusted users
Create a token object                      (no one) [a]               (no one) [a]               (no one) [a]
Create permanent shared objects            (no one)                   (no one)                   (no one)
Debug programs                             (no one) [b]               (no one) [b]               (no one) [b]
Force shutdown from a remote system        trusted users              trusted users              trusted users
Generate security audits                   (no one) [a]               (no one) [a]               (no one) [a]
Increase quotas                            trusted users              trusted users              trusted users
Increase scheduling priority               trusted users              trusted users              trusted users
Load and unload device drivers             trusted users              trusted users              trusted users
Lock pages in memory                       (no one)                   (no one)                   (no one)
Log on as a batch job                      trusted users (as needed)  trusted users (as needed)  trusted users (as needed)
Log on as a service                        trusted users (as needed)  trusted users (as needed)  trusted users (as needed)
Log on locally                             trusted users              (anyone)                   (anyone)
Manage auditing and security log           trusted users              trusted users              trusted users
Modify firmware environment values         trusted users              trusted users              trusted users
Profile single process                     trusted users              trusted users              trusted users
Profile system performance                 trusted users              trusted users              trusted users
Replace a process level token              (no one) [a]               (no one) [a]               (no one) [a]
Restore files and directories              trusted users              trusted users              trusted users
Shut down the system                       trusted users              (anyone)                   (anyone)
Take ownership of files or other objects   trusted users              trusted users              trusted users

[a] Do not assign to any user.
[b] This right is not auditable and should not be assigned to any user, including system administrators.

Table 3: Recommended user rights settings
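The "(no one)" rows of Table 3 are the ones that can be verified mechanically, because any assignment at all is a finding. The PowerShell script below is an added example and is not part of the Microsoft checklist: it exports the local security policy with secedit.exe, parses the [Privilege Rights] section, and reports every Table 3 "(no one)" right that is assigned to anyone. It assumes Windows PowerShell 5.1 or later, an elevated session, and secedit.exe (present on Windows 2000 and later; on an NT 4.0 host itself the rights must be reviewed in User Manager as the checklist describes). The mapping from Table 3's right names to the SeXxxPrivilege constants is the editor's, using the standard Windows privilege names.

```powershell
# Added example (editor's code, not Microsoft's): check that the Table 3
# "(no one)" user rights are unassigned, using a secedit policy export.
# Assumptions: Windows PowerShell 5.1+, elevated, secedit.exe available.

# Table 3 rows marked "(no one)", keyed by the standard privilege constant.
$MustBeEmpty = @{
    SeTcbPrivilege                = 'Act as part of the operating system'
    SeMachineAccountPrivilege     = 'Add workstations to domain'
    SeCreateTokenPrivilege        = 'Create a token object'
    SeCreatePermanentPrivilege    = 'Create permanent shared objects'
    SeDebugPrivilege              = 'Debug programs'
    SeAuditPrivilege              = 'Generate security audits'
    SeLockMemoryPrivilege         = 'Lock pages in memory'
    SeAssignPrimaryTokenPrivilege = 'Replace a process level token'
}

function Get-PrivilegeAssignments {
    param([Parameter(Mandatory)][string]$InfPath)
    # secedit writes lines such as "SeDebugPrivilege = *S-1-5-32-544" under [Privilege Rights].
    $inSection = $false
    $result = @{}
    foreach ($line in Get-Content -LiteralPath $InfPath) {
        if ($line -match '^\[(.+)\]') { $inSection = ($Matches[1] -eq 'Privilege Rights'); continue }
        if (-not $inSection -or $line -notmatch '^\s*(Se\w+)\s*=\s*(.*)$') { continue }
        $result[$Matches[1]] = @($Matches[2].Split(',') | ForEach-Object { $_.Trim() } | Where-Object { $_ })
    }
    return $result
}

function Test-NoOnePrivileges {
    param([Parameter(Mandatory)][hashtable]$Assignments)
    $findings = @()
    foreach ($priv in $MustBeEmpty.Keys) {
        if ($Assignments.ContainsKey($priv) -and $Assignments[$priv].Count -gt 0) {
            $findings += '{0} ({1}) is held by: {2}' -f $MustBeEmpty[$priv], $priv, ($Assignments[$priv] -join ', ')
        }
    }
    return $findings
}

# Export only the user-rights area, parse it, then remove the temporary file.
$inf = Join-Path $env:TEMP 'c2-rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
$findings = Test-NoOnePrivileges -Assignments (Get-PrivilegeAssignments -InfPath $inf)
Remove-Item -LiteralPath $inf -ErrorAction SilentlyContinue
if ($findings) { $findings } else { 'All "(no one)" rights in Table 3 are unassigned' }
```

The "trusted users" rows cannot be checked the same way, since which accounts count as trusted is a decision of the site's security policy; Get-PrivilegeAssignments returns the full table so those rows can be reviewed by hand (the SIDs in the export resolve with the .NET SecurityIdentifier class if names are wanted).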

Set auditing (if enabled) for base objects and for backup and restore

Certain programming objects (i.e., base named objects) are not audited by default when auditing of object and file access is enabled. Likewise, the Backup and Restore user rights are not audited by default when auditing of user-rights use is enabled. Administrators need to adjust the size of the event log file accordingly to anticipate the increase in auditable events. To enable auditing of base named objects and of the Backup/Restore user rights, make the following changes:

  • To set auditing for base objects:

     Hive:        HKEY_LOCAL_MACHINE\SYSTEM
     Key:         CurrentControlSet\Control\Lsa
     Value Name:  AuditBaseObjects
     Type:        REG_DWORD
     Value:       1

  • To set auditing for backup and restore privileges:

     Hive:        HKEY_LOCAL_MACHINE\SYSTEM
     Key:         CurrentControlSet\Control\Lsa
     Value Name:  FullPrivilegeAuditing
     Type:        REG_BINARY
     Value:       0x01 (hex)

Disable blank passwords

Blank passwords are unacceptable in a C2 configuration. You can prohibit blank passwords using User Manager or User Manager for Domains. Under the "Policies...Account..." menu, ensure that "Permit Blank Password" is not checked.

Set security log behavior

Use Event Viewer to set security log behavior. Choose Do Not Overwrite Events (Clear Log Manually). Optionally, you can also force Windows NT to halt when it cannot generate an audit event record. Also optionally, you can set the registry key to enable auditing of the use of all rights. In addition, you can force the system to shut down when the security log is full by making the following change:

  Hive:        HKEY_LOCAL_MACHINE\SYSTEM
  Key:         CurrentControlSet\Control\Lsa
  Value Name:  CrashOnAuditFail
  Type:        REG_DWORD
  Value:       1
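Every registry value this checklist sets, from "Disable DirectDraw" through "Set security log behavior", can be verified in one pass. The PowerShell script below is an added example and is not part of the Microsoft checklist. It assumes Windows PowerShell 5.1 or later and the checklist's default locations; the control-set entries are read under HKLM\SYSTEM, which is where CurrentControlSet lives. Values are compared as text so that REG_DWORD, REG_SZ, REG_BINARY and REG_MULTI_SZ entries are handled by one routine, and for NullSessionPipes and NullSessionShares a missing value and an empty value are both accepted, since the checklist says to remove all values.

```powershell
# Added example (editor's code, not Microsoft's): report every registry value
# from the C2 checklist that is missing or differs from the required setting.
# Assumptions: Windows PowerShell 5.1+, run on the configured system.

$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI';                            Name = 'Timeout';                 Expected = '0' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';                                Name = 'ProtectionMode';          Expected = '1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';                                Name = 'AdditionalBaseNamedObjectsProtectionMode'; Expected = '1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager';                                Name = 'EnhancedSecurityLevel';   Expected = '1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';                              Name = 'EnablePortLocking';       Expected = '1' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                           Name = 'ShutdownWithoutLogon';    Expected = '0' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                           Name = 'CachedLogonsCount';       Expected = '0' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                           Name = 'AllocateFloppies';        Expected = '1' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';                           Name = 'AllocateCdRoms';          Expected = '1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                            Name = 'RestrictAnonymous';       Expected = '1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                            Name = 'AuditBaseObjects';        Expected = '1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                            Name = 'FullPrivilegeAuditing';   Expected = '1' }   # REG_BINARY 0x01
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                                            Name = 'CrashOnAuditFail';        Expected = '1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';                       Name = 'NullSessionPipes';        Expected = '' }    # REG_MULTI_SZ, no entries
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters';                       Name = 'NullSessionShares';       Expected = '' }    # REG_MULTI_SZ, no entries
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers';  Name = 'AddPrintDrivers';         Expected = '1' }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management';              Name = 'ClearPageFileAtShutdown'; Expected = '1' }
)

function Get-C2RegistryReport {
    param([object[]]$ChecksToRun = $Checks)
    foreach ($c in $ChecksToRun) {
        $actual = $null
        if (Test-Path -LiteralPath $c.Path) {
            $item = Get-ItemProperty -LiteralPath $c.Path -Name $c.Name -ErrorAction SilentlyContinue
            if ($null -ne $item) { $actual = $item.($c.Name) }
        }
        # REG_MULTI_SZ and REG_BINARY come back as arrays; join them so one string
        # comparison covers DWORD ("1"), SZ ("0"), BINARY 0x01 ("1") and MULTI_SZ.
        $actualText = if ($null -eq $actual) { $null } else { @($actual) -join ',' }
        $ok = if ($c.Expected -eq '') {
            [string]::IsNullOrEmpty($actualText)        # removed or empty both satisfy "remove all values"
        } else {
            $actualText -eq $c.Expected
        }
        [pscustomobject]@{
            Path     = $c.Path
            Name     = $c.Name
            Expected = if ($c.Expected -eq '') { '<none>' } else { $c.Expected }
            Actual   = if ($null -eq $actualText) { '<missing>' } else { $actualText }
            Status   = if ($ok) { 'OK' } else { 'FINDING' }
        }
    }
}

# Usage: show the whole table, or pipe through Where-Object Status -eq 'FINDING'.
Get-C2RegistryReport | Format-Table -AutoSize
```

The AddPrintDrivers row will show as missing on a system with no printers installed, which matches the note in that step: the subkey has to be created before the value can be set.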

Restart the computer

Restarting the computer saves and executes all the changes you made in the preceding steps.

Update the system Emergency Repair Disk

You should update the system's Emergency Repair Disk (ERD) to reflect these changes. For instructions, see "Update Repair Info" in Repair Disk Utility Help. (Run rdisk.exe, then click Help.) Remember to use the emergency repair disk, rather than the Restore utility, if system files are lost. Backup and Restore do not copy system access control lists (SACLs). The emergency repair disk does restore this information.

THE INFORMATION PROVIDED IN THIS CHECKLIST IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.