Export (0) Print
Expand All
2 out of 2 rated this helpful - Rate this topic

Microsoft Windows NT 4.0 C2 Configuration Checklist

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

Last Updated: 05 April 2000

This checklist outlines the steps you should take to duplicate the C2-evaluated configuration of Windows NT Server 4.0. Note that following this checklist does not make your installation C2-compliant; it merely assures you that the software configuration matches the configuration that the NCSC evaluated.

For additional security, you are free to use these steps as a starting point. For example, you may be able to improve security further by applying more restrictive ACLs or shutting down additional services that you're not using. These guidelines must be followed to gain C2 certification, but you can always exceed the specifications as long as you don't violate the guidelines in doing so.

IMPORTANT: Remember that a C2-compliant system consists of hardware, software, application programs, and network services. This checklist will explain how to configure the OS, and it provides references to material that can help you properly configure your hardware, applications, and network services. Making these changes will not necessarily render your systems invulnerable, but doing so does guarantee that you will meet the software configuration requirements for C2 evaluation.

IMPORTANT: This checklist contains information about editing the registry. Before you edit the registry, make sure you understand how to restore it if a problem occurs. For information about how to do this, view the "Restoring the Registry" Help topic in Regedit.exe or the "Restoring a Registry Key" Help topic in Regedt32.exe.

Step 1: General Information

Server Name

Asset #

 

Setup Date

 

Manufacturer

 

Location

 

Set up by

 

Step 2: Background and Planning

Step

 

iecl01

Read any applicable security policies for your organization

 

iecl01

Decide whether you need C2 evaluation or compliance

 

iecl01

Select the appropriate C2-evaluated role

 

iecl01

Review the C2 Administrator's and User's Security Guide

 

iecl01

Subscribe to Microsoft's Security Notification Service

Step 3: Hardware Configuration & Installation

Step

 

iecl01

Unpack & set up hardware

 

iecl01

Set power-on password

 

iecl01

Enable hardware boot protection

Step 4: Windows NT 4.0 Initial Configuration

Step

 

iecl01

Install Windows NT

 

iecl01

Reboot Windows NT and log on as Administrator

 

iecl01

Install printer and tape drivers

 

iecl01

Verify video drivers

 

iecl01

Install Service Pack 6a

 

iecl01

Install C2 Update

 

iecl01

Remove the NetBIOS Interface service

 

iecl01

Disable unnecessary devices

 

iecl01

Disable unnecessary services

 

iecl01

Remove OS/2 and POSIX subsystems

 

iecl01

Disable DirectDraw

Step 5: Windows NT 4.0 Security Configuration

Step

 

iecl01

Disable Guest account

 

iecl01

Secure base objects

 

iecl01

Enable NetBT to open TCP and UDP ports exclusively

 

iecl01

Secure additional base named objects

 

iecl01

Protect kernel object attributes

 

iecl01

Protect files and directories

 

iecl01

Protect the registry

 

iecl01

Restrict access to public Local Security Authority (LSA) information

 

iecl01

Restrict null session access over named pipes

 

iecl01

Restrict untrusted users' ability to plant Trojan horse programs

 

iecl01

Allow only Administrators to create new shares

 

iecl01

Disable caching of logon information

 

iecl01

Restrict printer driver installation to Administrators and Power Users only

 

iecl01

Set the paging file to be cleared at system shutdown

 

iecl01

Restrict floppy drive and CD-ROM drive access to the interactive user only

 

iecl01

Modify user rights membership

 

iecl01

Set auditing (if enabled) for base objects and for backup and restore

 

iecl01

Disable blank passwords

 

iecl01

Restrict system shutdown to logged-on users only

 

iecl01

Set security log behavior

 

iecl01

Restart the computer

 

iecl01

Update the system Emergency Repair Disk

Windows NT 4.0 C2 Compliance Checklist: Further Details

Background and Planning

Read any applicable security policies for your organization

Having a security policy is paramount. You need ready answers to questions like:

  • How do we react to a break-in?

  • Where are the backups stored?

  • Who is allowed to access the server?

  • What level of physical security is appropriate?

Good sources of policy information may be found at SANS Institute, Baseline Software, Inc. and O'Reilly & Associates' Practical Unix & Internet Security

Decide whether you need C2 evaluation or compliance

Armed with a knowledge of your security policy, you can decide whether you need a fully C2-evaluated installation, based on evaluated hardware, or whether a configuration that follows the C2 requirements but has not been formally evaluated may suffice.

Review the C2 Administrator's and User's Security Guide

The C2 Administrator's and User's Security Guide contains full details on all aspects of the C2 evaluation for Windows NT 4.0. If you need additional information about deploying an evaluated configuration, the Guide is the best place to start. In particular, you should review the guide to choose the appropriate C2 configuration for your needs.

Subscribe to the Microsoft Security Notification Service

WARNING: You MUST keep on top of new security issues as they arise.

You can stay abreast of Microsoft-related security issues and fixes here. You will receive notice of security issues by email.

You should also consider placing a 'favorites shortcut' to the Microsoft TechNet Security Web site. To do so, follow these steps:

  1. Open Internet Explorer on your desktop

  2. Navigate to http://www.microsoft.com/technet/security/default.mspx

  3. Select Favorites on the menu, then choose Add to Favorites

  4. Check 'Make Available Offline'

  5. Select Customize | Next | Yes (links to other pages) | '2' links deep

  6. Next | Select 'I would like to create a new schedule' | use the defaults | finish

  7. OK

  8. Select Properties | Download | uncheck 'Follow links outside of this page's Web site'

  9. OK

  10. Close

If you now click on the Favorites icon in the toolbar, you can drag the 'Microsoft TechNet Security' link to your desktop. A small red mark will appear on the icon when there is new security news.

Hardware Configuration & Installation

Unpack and set up hardware

The Compaq ProLiant platform, models 5100, 6500, 7000, and 8000, was used in evaluating Windows NT for C2 compliance. Follow the hardware manufacturer's manuals accompanying your computer system to unpack and connect your computer system components. Physically secure the hardware to the extent necessary, including using optical fiber if cabling must pass through unsecured areas, or isolating the network in a secure building if very high security is needed.

  • To test processor integrity, you can obtain a suite of diagnostic integrity tests for i386 processors by contacting Microsoft Product Support Services, and referring to Microsoft Knowledge Base article 240049, "How to Obtain Diagnostic i386 Processor Integrity Tests Required by the C2 TFM for Windows NT 4.0." Contact information for Microsoft Product Support Services is available at http://support.microsoft.com/support/contact/default.asp.

  • To test peripheral integrity, use the peripheral integrity tests that are shipped with your hardware (as documented by the vendor) to test the integrity of the peripheral in the evaluated configuration.

Set power-on password

Set the power-on password for your computer by following the vendor's instructions. Normally, this involves going into the computer's BIOS setup (and perhaps a special utility, like Compaq's SmartStart) .

NOTE: An intruder who can physically open your computer's central processing unit (CPU) can adjust hardware switches to disable the power-on password. Access to the internal components of the CPU would also permit temporary installation of a drive from which a less secure OS, or a version of Windows NT that lacks your security settings, can be used to start the computer. Options for preventing unauthorized access to internal components include locking the case (if the model permits it) or locking away the entire CPU in a well-ventilated area, possibly with a controlled or locked opening to allow use of the floppy drive or drives.

Enable hardware boot protection

Configure each Windows NT Workstation to boot only with a BIOS setup password and only from the fixed disk. For Windows NT Server, this configuration is not available; instead you should physically protect each Server machine as described under "Restricting the Boot Process" in Chapter 2 of C2 Administrator's and User's Security Guide.

Windows NT 4.0 Initial Configuration

Install Windows NT

For additional information on installing Windows NT, see the instructions in Part 2, "Installation," in Windows NT Server Start Here or Windows NT Workstation Start Here. Keep in mind the following considerations:

  • If you install systems by disk duplication (e.g., by using the xcopy command), do not use "after-GUI replication," where the copy is made after the graphical user interface (GUI) appears. Microsoft supports disk duplication for Windows NT 4.0 only if the disk is duplicated at the point in the setup process after the second reboot and before the GUI portion of Windows NT 4.0 setup.

    WARNING: Duplicating the system in the wrong part of the setup process will copy the entire tree structure of Windows NT, affecting security, hardware, and other areas of the product. Security is impossible because the two installations have the same primary SID, and thus users on one system can access accounts on the other. (Windows NT 3.51 CPS and Windows NT 4.0 Deployment Tools are not simple copies, and they do configure the OS correctly.)

    Choose the Custom Setup option.

  • As you proceed through the steps of Setup, use the default settings except for the following:

    1. All hard-disk partitions must be formatted with NTFS.

    2. Do not install any other operating systems on the computer.

    3. When the Administrator Account Setup dialog box appears, provide a strong password. Select a password that is at least nine characters long. This makes it much harder to guess than eight characters or less owing to the way Windows NT creates the hash of the password. Also, use punctuation and other non-alphabetic characters in the first 7 characters. -- Never leave the password field blank.

    4. When the Local Account Setup dialog box appears, you can create a user account for routine computer use. If you choose to create a local account, keep in mind that this account is placed by default in the Administrators group, which gives the user the ability to create user accounts.

    5. Create an emergency repair disk. This makes it easier to recover your system if the operating-system configuration databases become corrupt. Secure the ERD, as it contains security-critical information.

    6. During the network portion of the installation process, make the following selections:

      1. For installations of Windows NT Server, do not install Internet Information Server (IIS).

      2. When the Network Protocol dialog appears, select only TCP/IP.

      3. Do not use DHCP. Instead, use a static IP address appropriate for your network.

      4. Workstations and member servers may or may not be part of a domain; either option is appropriate.

Reboot Windows NT and log on as Administrator

Log on to the Administrator account. This account has sufficient capability for you to perform the remainder of the configuration steps.

Install printer and tape drivers

If any printers or tape devices are to be installed, install those devices and their drivers before installing Service Pack 6a. If a tape or printer device is added at a later time, re-install Service Pack 6a after the drivers have been installed.

Verify video driversThe only video driver in the evaluated configuration is vga.sys. To verify that the correct video driver is loaded, right click on the desktop. From the context menu, choose Properties, select the Settings tab, then click the Display Type button. If the current files list includes any driver other than vga.sys, click the Change button and choose the VGA compatible display adapter. This change will require a reboot.

Install Service Pack 6a

Windows NT 4.0 Service Pack 6a incorporates all improvements that were made in Service Packs 1 through 5, and it is a prerequisite for achieving C2 compliance.

Install C2 Update hotfix

Install the post-Service Pack 6a "C2 Update" hotfix to ensure that:

The C2 update is available at the Microsoft Download Center:

The update also can be ordered on various media through Microsoft Product Support Services. Information on contacting Microsoft Product Support is available at http://support.microsoft.com/support/contact/default.asp.

Remove the NetBIOS Interface service

Use the Remove button on the Services tab of the Network control panel, to remove the NetBIOS Interface network service. This service was not included in the evaluation, and it cannot be present on a system being considered for C2 certification

Disable unnecessary devices

All devices must be disabled except those listed in Table 1 (and the NetBIOS Interface, because the associated service was disabled in the previous step). The devices in Table 1 have been evaluated, and it is acceptable to enable all of them (or a subset of them) to remain in the evaluated configuration. Do not install any devices or drivers not explicitly listed in the table.

Service name

Service driver name

AFD Networking Support Environment

afd.sys

atapi

atapi.sys

Beep

beep.sys

Cdfs

cdfs.sys

Cdrom

cdrom.sys

Compaq NetFlex-3 Driver

netflx3.sys

cpqarray

cpqarray.sys

Disk

disk.sys

Fastfat

fastfat.sys

Floppy

floppy.sys

HP 4mm DAT tape device

hpt4qic.sys

i8042 Keyboard and PS/2 Mouse Port

i8042prt.sys

keyboard class driver

kbdclass.sys

KSecDD

ksecdd.sys

Microsoft NDIS System Driver

ndis.sys

Mouse Class Driver

mouclass.sys

Msfs

msfs.sys

Mup

mup.sys

NetDetect

netdetect.sys

Npfs

npfs.sys

Ntfs

ntfs.sys

Null

null.sys

Parallel

parallel.sys

Parport

parport.sys

Rdr

rdr.sys

Serial

serial.sys

Srv

srv.sys

symc810

symc810.sys

TCP/IP Service

tcpip.sys

Vga

vga.sys

VgaSave

vga.sys

VgaStart

vga.sys

WINS Client (TCP/IP)

netbt.sys

Tape

tape.sys

4mm tape drive

4mmdat.sys

Table 1: List of device drivers that may be enabled for a C2 configuration

 

Note: Disable devices before services. Some devices depend on services and therefore cannot be disabled if the service is not present.

Disable unnecessary services

All services except those listed in Table 2 are to be disabled. Note that Microsoft DNS Server and WINS are only enabled on servers on which they are installed. Note also that when Plug and Play is disabled, the Devices menu is not accessible from Control Panel. To remain in the evaluated configuration, it is acceptable to have all of the listed services (or a subset of them) enabled and running. Do not install any trusted services (or applications) not explicitly listed in the table.

WARNING: Only the services shown in Table 2 are part of the C2 configuration. If you add or remove other services, your system will no longer meet C2 requirements. In addition, because the C2-evaluated configuration doesn't include any auditing capacity for service installation, removal, or configuration, you can't effectively manage services with your server in a C2 configuration. If you need to remove, add, or reconfigure the services listed in Table 2, you can do so, then revert back to a C2-safe configuration.

Service

Computer Browser

Microsoft DNS Server (only on servers that have it installed)

Netlogon

NTLM SSP

RPC Locator

RPC Service

TCP/IP NetBIOS Helper

Spooler

Server

WINS

Workstation

Event Log

Table 2: services that may be enabled for a C2 configuration.

Remove OS/2 and POSIX subsystems

These subsystems were not included in the evaluated configuration, and therefore full C2 compliance cannot be achieved unless they are removed. First, delete the \winnt\system32\os2 directory and all its subdirectories. Then make the following registry changes:

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\OS/2 Subsystem for NT

Action

Delete all sub keys

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager\Environment

Value Name

Os2LibPath

Action

Delete

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager\SubSystems

Value Name

Optional

Action

Delete Values

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager\SubSystems

Action

Delete entries for Posix and OS/2

The changes will take effect on the next reboot. (Note: The Subkeys "Microsoft\OS/2 Subsystem for NT" and "Os2LibPath" will be recreated after the system reboots, but as long as the "optional" subkey remains empty, the OS2 subsystem is in fact removed.)

Disable DirectDraw

This prevents direct access to video hardware and memory. To disable DirectDraw, use the Registry Editor to set the value of the following registry entry:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\GraphicsDrivers\DCI

Value Name

Timeout (REG_DWORD)

Action

Set to 0

Windows NT 4.0 Security Configuration

Disable Guest account

By default the Guest account is disabled at startup. If the Guest account is enabled, disable it. Disabling accounts is described under "Disabling and Enabling User Accounts" in User Manager for Domains Help and User Manager Help.

Secure base objects

This step is necessary to further heighten security of the base objects. Among other things, it prevents users from gaining local administrator privileges by way of a dynamic-link library (DLL). This issue is explained in more detail in Microsoft Security Bulletin 99-006. Use the registry editor to make the following change to implement this security:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager

Value Name

ProtectionMode

Type

REG_DWORD

Value

1

Secure additional base named objects

This step is necessary to heighten security of additional base named objects such as RotHintTable or ScmCreatedEvent, not addressed by the ProtectionMode key entry above. To implement this setting, make the following registry change:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager

Value Name

AdditionalBaseNamedObjectsProtectionMode

Type

REG_DWORD

Value

1

Enable NetBT to open TCP & UDP ports for exclusive access

It is a TCSEC C2 requirement that an unprivileged user mode application should not be able to listen to TCP and UDP ports used by Windows NT services, regardless of the cryptographic protection applied to the Windows NT service traffic through the ports.

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Services\NetBT\Parameters

Type

Add new REG_DWORD value named EnablePortLocking

Value

1

Protect kernel object attributes

This step is necessary to ensure that the object manager may change attributes of a kernel object in the object table for the current process if and only if the previous mode of the caller is kernel mode.

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

\CurrentControlSet\Control\Session Manager

Action

Add new REG_DWORD value named EnhancedSecurityLevel

Value

1

Remove Shutdown button from logon dialog

Set the following value in the Registry to remove the shutdown option at logon:

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

\Microsoft\Windows NT\Current Version\Winlogon

Value Name

ShutdownWithoutLogon

Type

REG_SZ

Value

0

Protect files and directories

Use the ACL Editor in Windows NT Explorer to change access on the system drive (by default "C:\") to grant Full Control permission to Administrators and SYSTEM, and to grant Read permission to Everyone, with the following exceptions:

Directory

Users

Maximum access

c:\temp

Creator Owner

Full Control

c:\temp

Everyone

Add

c:\winnt\profiles\<user> directory and subdirectories

user

Full Control

c:\winnt\profiles\administrator directory and subdirectories

Everyone

None: delete from the ACL

c:\winnt\repair directory and its files

Everyone

None: delete from the ACL

Several critical operating system files exist in the root directory (System32) of the system partition on Intel 80486 and Pentium-based systems. These files must be protected with the following permissions:

File

C2-Level Permissions

BOOT.INI
NTDETECT.COM
NTLDR

Administrators: Full Control SYSTEM: Full Control

AUTOEXEC.BAT
CONFIG.SYS

Everybody: Read Administrators: Full Control SYSTEM: Full Control

All TCB used program and library files are stored on the system drive (by default "C:"). Nearly all TCB files are stored in the system directory (by default "\WINNT") and its subdirectories. In addition, the three files (boot.ini, ntdetect.com, ntldr) in the root directory of the system drive (by default "C:\") are also TCB files. Modification of these three files or any files in the system directory should be considered a modification to the TCB.

WARNING: The C2-evaluated configuration requires that the directories and files identified above be continuously controlled at least to the degree specified. Other files or directories can effectively have any access control.

Protect the registry

The default permissions grant Full Control to Administrators and SYSTEM and Read access to Everyone for the following registry subkeys and all their subkeys:

  • HKEY_LOCAL_MACHINE\Hardware

  • HKEY_LOCAL_MACHINE\Software

  • HKEY_LOCAL_MACHINE\System

  • HKEY_USERS\.Default

The default permissions do not restrict who has remote access to the registry. Only administrators should have remote access to the registry. The Registry Editor supports remote access to the Windows NT registry. To restrict network access to the registry:

  1. Add the following key to the registry:

    Hive

    HKEY_LOCAL_MACHINE\SYSTEM

    Key

    \CurrentControlSet\Control\SecurePipeServers

    Value Name

    \winreg

  2. Select winreg, click the Security menu, and then click Permissions.

  3. Set the Administrators permission to Full Control, make sure no other users or groups are listed, then click OK.

The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access.

Restrict access to public Local Security Authority (LSA) information

In the C2 configuration, you need to be able to identify all users. Therefore you should restrict anonymous users from being able to obtain public information about the LSA component of the Windows NT Security Subsystem. The LSA handles aspects of security administration on the local computer, including access and permissions.

To implement this restriction, create and set the following registry entry:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\LSA

Value Name

RestrictAnonymous

Type

REG_DWORD

Value

1

Restrict null session access over named pipes

Restricting null session access over named pipes helps prevents unauthorized access over the network. To add these restrictions, make the following changes to the registry:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Services\LanmanServer\Parameters

Value Name

NullSessionPipes and NullSessionShares

Type

REG_MULTI_SZ

Value

remove all values

Restrict untrusted users' ability to plant Trojan horse programs

Trojan horses can take advantage of the Run utility if it is unguarded. There are some Trojan horses that are written to execute during an Uninstall operation. To restrict the ability of users to plant Trojan horse programs:

  1. Use the Registry Editor to find the following keys:

    Hive

    HKEY_LOCAL_MACHINE\SOFTWARE

    Key

    Microsoft\Windows\CurrentVersion

    Values

    Run, RunOnce, Uninstall (if present), AEDebug and all their subkeys

  2. Select each subkey, click the Security menu, and then click Permissions

  3. For each subkey set the permissions for Everyone and all untrusted users to a maximum of Read, and then click OK.

Allow only Administrators to create new shares

This allows the administrator to control who can access a computer from its network interface and what information is shared over the network interface. To prevent non-administrators from creating shares, do the following:

  1. Use the Registry Editor to find the following registry subkey:

    Key

    HKEY_LOCAL_MACHINE\SYSTEM

    Subkey

    CurrentControlSet\Services\LanmanServer\Shares

  2. Select Shares and all its subkeys, click the Security menu, and then click Permissions.

  3. For Shares and each of its subkey, set the permissions for Everyone and all untrusted users to a maximum of Read, and then click OK.

Disable caching of logon information

Windows NT 4.0 has the capability to cache logon information in short-term memory. If the domain controller cannot be found during logon and the user has logged on to the system in the past, it can use those credentials to log on. If the Administrator disables a user's domain account, the user could still use the cache to log on by disconnecting the net cable. To prevent this, Administrators should disable the cache. This results in a somewhat longer logon time, but prevents hackers from tapping logon information from short-term memory.

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

Microsoft\Windows NT\CurrentVersion\Winlogon

Value Name

CachedLogonsCount

Type

REG_SZ

Value

0

Restrict printer driver installation to Administrators and Power Users only

Who can add printer drivers is controlled by the value of a registry entry. The value should be set to 1 to allow only administrators to install printer drivers on servers and domain controllers, and Administrators and Power Users to install them on workstations.

To restrict who can add printer drivers, create the following registry entry:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers

Value Name

AddPrinterDrivers

Type

REG_DWORD

Value

1

The subkey will not exist if no printers are installed on the system. In that case, you will need to create the subkey before creating an entry for AddPrintDrivers.

Set the paging file to be cleared at system shutdown

Clearing the paging file ensures that no unsecured data is contained in the paging file when the shutdown process is complete. To force Windows NT to clear the page file at shutdown

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\Session Manager\Memory Management

Value Name

ClearPageFileAtShutdown

Type

REG_DWORD

Value

1

Restrict floppy drive and CD-ROM drive access to the interactive user only

Only the currently logged-on user should be able to access floppy disk drives and CD-ROM drives. To ensure this, allocate the drives at logon. To restrict floppy and CD-ROM drive access to the logged-on user, use the Registry Editor to create and set the values for the following registry entries:

Hive

HKEY_LOCAL_MACHINE\SOFTWARE

Key

Microsoft\Windows NT\CurrentVersion\Winlogon

Value Name

AllocateFloppies and AllocateCdRoms

Type

REG_SZ

Value

1

If the entry does not exist, or is set to any other value, floppy devices will be available for shared use by all processes on the system.

These values take effect at the next logon. If a user is already logged on when the values are set, they will have no effect for that logon session. The user must log off and log on again to cause the device or devices to be allocated.

Note: Windows NT allows all users access to the floppy disk drive, and therefore any user can read and write the contents of any floppy disk in the drive. In general this is not a concern, because only one user is logged on at a time. However, in rare instances, a program started by a user can continue running after the user logs off. When another user logs on and puts a floppy disk in the drive, this program can secretly transfer sensitive data from the floppy disk. If this is a concern, restart the computer before using the floppy disk drive.

Modify user rights membership

Use User Manager for Domains to restrict the use of user rights as shown in Table 3.

User Right

Domain Controllers

Member Servers

Workstations

Access this computer from network

(anyone)

(anyone)

(anyone)

Act as part of the operating system

(no one)Do not assign to any user.

(no one)Do not assign to any user.

(no one)Do not assign to any user.

Add workstations to domain

(no one)

(no one)

(no one)

Back up files and directories

trusted users

trusted users

trusted users

Bypass traverse checking

(anyone)

(anyone)

(anyone)

Change the system time

trusted users

trusted users

trusted users

Create a pagefile

trusted users

trusted users

trusted users

Create a token object

(no one)Do not assign to any user.

(no one)Do not assign to any user.

(no one)Do not assign to any user.

Create permanent shared objects

(no one)

(no one)

(no one)

Debug programs

(no one)This right is not auditable and should not be assigned to any user, including system administrators.

(no one)This right is not auditable and should not be assigned to any user, including system administrators.

(no one)This right is not auditable and should not be assigned to any user, including system administrators.

Force shutdown from a remote system

trusted users

trusted users

trusted users

Generate security audits

(no one)Do not assign to any user.

(no one)Do not assign to any user.

(no one)Do not assign to any user.

Increase quotas

trusted users

trusted users

trusted users

Increase scheduling priority

trusted users

trusted users

trusted users

Load and unload device drivers

trusted users

trusted users

trusted users

Lock pages in memory

(no one)

(no one)

(no one)

Log on as a batch job

trusted users(as needed)

trusted users(as needed)

trusted users(as needed)

Log on as a service

trusted users(as needed)

trusted users(as needed)

trusted users(as needed)

Log on locally

trusted users

(anyone)

(anyone)

Manage auditing and security log

trusted users

trusted users

trusted users

Modify firmware environment values

trusted users

trusted users

trusted users

Profile single process

trusted users

trusted users

trusted users

Profile system performance

trusted users

trusted users

trusted users

Replace a process level token

(no one)Do not assign to any user.

(no one)Do not assign to any user.

(no one)Do not assign to any user.

Restore files and directories

trusted users

trusted users

trusted users

Shut down the system

trusted users

(anyone)

(anyone)

Take ownership of files or other objects

trusted users

trusted users

trusted users

Table 3: Recommended user rights settings

     

Set auditing (if enabled) for base objects and for backup and restore

Certain programming objects (i.e., base named objects) are not audited by default when auditing of object and file access is enabled. Likewise, the Backup and Restore user rights are not audited by default when use of user rights auditing is enabled. Administrators need to adjust the size of the event log file accordingly to anticipate the increase in auditable events. To enable auditing of base named object and the Backup/Restore user rights, make the following changes:

  • To set auditing for base objects:

    Hive

    HKEY_LOCAL_MACHINE\SYSTEM

    Key

    CurrentControlSet\Control\Lsa

    Value Name

    AuditBaseObjects

    Type

    REG_DWORD

    Value

    1

  • To set auditing for backup and restore privileges:

    Hive

    HKEY_LOCAL_MACHINE\SYSTEM

    Key

    CurrentControlSet\Control\Lsa

    Value Name

    FullPrivilegeAuditing

    Type

    REG_BINARY

    Value

    0x01 (hex)

Disable blank passwords

Blank passwords are unacceptable in a C2 configuration. You can prohibit blank passwords using User Manager or User Manager for Domains. Under the "Policies...Account..." menu, ensure that "Permit Blank Password" is not checked.

Set security log behavior

Use Event Viewer to set security log behavior. Choose Do Not Overwrite Events (Clear Log Manually). Optionally, you can also force Windows NT to halt when it cannot generate an audit event record. Also optionally, you can set the registry key to enable auditing of the use of all rights. In addition, you can force the system to shut down when the security log is full by making the following change:

Hive

HKEY_LOCAL_MACHINE\SYSTEM

Key

CurrentControlSet\Control\Lsa

Value Name

CrashOnAuditFail

Type

REG_DWORD

Value

1

Restart the computer

Restarting the computer saves and executes all the changes you made in the preceding steps.

Update the system Emergency Repair Disk

You should update the system's Emergency Repair Disk (ERD) to reflect these changes. For instructions, see "Update Repair Info" in Repair Disk Utility Help. (Run rdisk.exe, then click Help.) Remember to use the emergency repair disk, rather than the Restore utility, if system files are lost. Backup and Restore do not copy system access control lists (SACLs). The emergency repair disk does restore this information.

THE INFORMATION PROVIDED IN THIS CHECKLIST IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. MICROSOFT DISCLAIMS ALL WARRANTIES, EITHER EXPRESS OR IMPLIED, INCLUDING THE WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. IN NO EVENT SHALL MICROSOFT CORPORATION OR ITS SUPPLIERS BE LIABLE FOR ANY DAMAGES WHATSOEVER INCLUDING DIRECT, INDIRECT, INCIDENTAL, CONSEQUENTIAL, LOSS OF BUSINESS PROFITS OR SPECIAL DAMAGES, EVEN IF MICROSOFT CORPORATION OR ITS SUPPLIERS HAVE BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES. SOME STATES DO NOT ALLOW THE EXCLUSION OR LIMITATION OF LIABILITY FOR CONSEQUENTIAL OR INCIDENTAL DAMAGES SO THE FOREGOING LIMITATION MAY NOT APPLY.

Did you find this helpful?
(1500 characters remaining)
Thank you for your feedback
Show:
© 2014 Microsoft. All rights reserved.