
ITSEC FC2-E3 Installation of Windows NT Workstation 4.0 and Windows NT Server 4.0

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

1 This is needed for architectures that require a non-NTFS boot partition. Setting this value ensures that only Administrators may change data on that partition. Adding the value on other architectures has no side effects. Note that none of the architectures in the current evaluated configuration require the use of this value, and therefore its effectiveness has not been assessed as part of the evaluation.

The changes take effect the next time the computer is started.

  • The ClipBook Viewer is not included in the evaluation of Windows NT and therefore must be removed. To do this, find the file CLIPBRD.EXE in the System32 directory of your system root and delete it.

  • Set the minimum password length as described in the "User Manager" chapter of the Windows NT Workstation or Windows NT Server System Guide. For ITSEC requirements the minimum password length must be at least 8 characters. Set the password policy of the system so that the password history is 6, the maximum password age is 42 days or less, the minimum password age is 7 days or more, and an account is locked out after 5 failed logon attempts within a 30 minute period, with the lockout lasting until an administrator clears it. You must also remove any 16-bit screen savers: use Control Panel/Desktop to identify them (they are listed with [16 bit] after the name, or the Password protected box is greyed out), then find the associated .SCR file and delete it. In addition, search the system disk for any other 16-bit .SCR files and delete them. This is because 16-bit screen savers are not secure.

  • Accounts you create must all have unique usernames within a domain. Each user's password must differ both from the username and from every other user's password, and you must set the 'User must change password at next logon' flag so that users' passwords are known only to them.

    Note: It is recommended that administrators use their administrator accounts only to perform administrative tasks. All other activity should be performed from their normal user accounts.

  • Disable the Guest user account as described in the "User Manager" chapter of the Windows NT Workstation or Windows NT Server System Guide.

  • Select the "Do not move files to the Recycle Bin" option on the Recycle Bin properties sheet so that deleted files are permanently removed from the system.

  • If mandatory profiles are to be used, delete the directory C:\Winnt\Profiles\Default User and all files and subdirectories contained in it. Removing this directory prevents users from logging on if their mandatory profile is not available.

  • Create the directory C:\Winnt\Profiles\Policies.

  • Remove the NetBIOS Interface from Control Panel -> Network -> Services. This removes NetBIOS over TCP/IP and NWLink, as described in Knowledge Base article 102974. It does not mean that NetBIOS over NetBEUI is unavailable.

  • Disable the Messenger service from Control Panel -> Services; this service requires the NetBIOS interface removed in the previous step.

  • Configure the event logs. In Event Viewer select Log -> Settings and, for each log type, set the "Do Not Overwrite Events (Clear Log Manually)" option. It is strongly recommended that the log size be increased from its default of 512 KB.

  • Restrict the use of user rights, and advanced user rights, as described in the "User Manager" chapter of the Windows NT Workstation or Windows NT Server System Guide. Rights must be limited as shown in the user rights table in the "Installing and Configuring an ITSEC Compliant System" section (make only the changes specified; leave other groups as they are).

General notes:

  1. Windows NT in an ITSEC evaluated configuration is only available on Intel architecture machines, as specified in the ITSEC certificate.

  2. This guide refers to the setting of registry keys. Where these keys do not exist, create them. Registry keys that are created or altered must be checked for the appropriate protection, which shall allow Administrators and SYSTEM Full Control and Everyone Read, unless otherwise specified in the text. The protection of all other registry keys must not be changed from the values set during installation.

Characteristics of a Secure System—ITSEC and Beyond

Today, computer networks are becoming increasingly important to most businesses. Networks are used to share key information and resources among many users throughout organisations of various sizes. Frequently, the information stored on network servers, such as those running the Microsoft™ Windows NT Server operating system, is sensitive information intended for use only by specific individuals. Therefore, the ability of these networks to prevent unauthorised access to information is paramount to the security and competitiveness of an organisation.

One measure of a secure operating system is the Information Technology Security Evaluation Criteria (ITSEC), used by many UK and European government institutions. Windows NT has been evaluated against the FC2-E3 level of ITSEC using the configuration described in this document.

Some of the most important requirements of FC2-E3 security are:

  • The owner of a resource (such as a file or data structure) must be able to control access to the resource.

  • The operating system must protect data stored in memory by one process so that it cannot be read by other processes that are later allocated the same memory. For example, Windows NT protects memory so that its contents are never readable by another process after it is freed. In addition, when a file is deleted, users must not be able to access the file's data even when the disk space used by that file is allocated to another file.

  • Each user must uniquely identify themselves. In Windows NT, this is achieved by typing a unique domain-wide logon name and password before being allowed access to the system. The system must be able to use this unique identification to track the activities of the user.

  • System administrators must be able to audit security-related events and the actions of individual users. Access to this audit data must be limited to authorised administrators.

  • The system must protect itself from external interference or tampering, such as modification of the operating system or of system files stored on disk.

In addition to meeting the ITSEC FC2-E3 requirements, there are certain "real world" security problems that a fully secure system must also solve. These real world security issues tend to fall into two categories: managing security and using security. Windows NT Workstation and Windows NT Server are intended to meet the requirements for an ITSEC FC2-E3 system while also providing excellent tools for both managing and using these comprehensive security features.

Real World Security Problems

Windows NT products provide comprehensive tools to help administrators manage and maintain security in their environments. For example, an administrator can specifically control which users have access rights to which network resources. These resources include files, directories, servers, printers, and applications. Rights are defined on a per-resource basis and can be managed centrally from any single location.

User accounts are also managed centrally. The administrator can specify group memberships, logon hours, account expiration dates, and other user account parameters via easy-to-use, graphical tools. The administrator can audit all security-related events, such as logon attempts and user access to files, directories, printers, and other resources. The system can even be set to "lock out" a user after a prescribed number of failed logon attempts. Administrators can also force password expiration, and set password complexity rules so that users are forced to choose passwords that are difficult to discover.

From the user's perspective, Windows NT security is complete, yet easy to use. A simple password-based logon procedure gives users access to the appropriate network resources. What the user does not see are internal workings, such as the system-level encryption of their password so that it is never passed over the wire in clear text. This encryption prevents unauthorised discovery of a user's clear text password through wire "sniffing".

Users are also able to define access rights for any resource they own. For example, if a user needs to share a specific document with other users, he or she can specify exactly who has read and write access to that document. These rights are easily assigned through the familiar Windows NT Explorer. Of course, access to organisational resources is fully managed only by authorised administrators.

Another example of Windows NT security capabilities is its protection of data, even while that data is in a machine's physical memory. Windows NT allows only authorised programs to access data. When such a program accesses data, that data is placed in physical memory. Despite the fact that the data is no longer only on the disk, Windows NT still protects it from unauthorised access. No unauthorised program will be able to access that data while it is in memory. Therefore, it is impossible for a rogue application to take advantage of another application's use of data while that data is in the physical memory of a machine.

Windows NT—Built to be Secure

Building a secure network operating system requires careful planning. Security features must be included throughout the system. The file system, user account directory, user authentication system, memory management, environment subsystems, and other components all require special design consideration if the system is to be secure. Microsoft made security a design goal of the Windows NT Workstation and Windows NT Server operating systems. Before the system was built, security features were designed into every facet of the operating system. This early planning and design was critical to the successful development of a secure system and ensures Microsoft's continuing ability to provide comprehensive, usable security in Windows NT Workstation and Windows NT Server.

Installing and Configuring an ITSEC Compliant System

General guidance on how to install Windows NT in a secure manner is given in the Windows NT Concepts and Planning Guide. Note, however, that that guide, like all the other documentation provided with the retail edition of both Windows NT Workstation and Server, was written to be very general. In some cases, information provided there will conflict with this document; in such cases, this document is the overriding source.

The evaluated configuration for Windows NT 4.0 includes any number of the Windows NT Server and/or the Windows NT Workstation products, acting in any one of the following roles, either stand-alone or connected via a physically protected network:

  • Microsoft Windows NT Server product:

    • Primary Domain Controller (PDC).

    • Backup Domain Controller (BDC).

    • Non-domain controller (member server).

    • Non-domain controller (non-member server).

  • Windows NT Workstation product:

    • Domain member.

    • Non-domain member.

This configuration can include multiple Windows NT domains (and their PDC and BDCs), as well as networked non-member workstations and servers attached to the same local network.

A few available system components are not included in the evaluated configuration. The product elements specifically excluded from the Windows NT 4.0 evaluated configuration are:

  • POSIX and OS/2 subsystems.

  • Streams.

  • Remote Access Service.

  • DHCP.

  • Appletalk, and IPX protocols.

  • Common applications (e.g. IIS, rollback etc).

The following checklist and procedures describe the configuration of the hardware platforms referred to in the preceding sections. The checklist and procedures are written to enable you to duplicate the configuration used in the ITSEC FC2-E3 security evaluation.

Step-By-Step Checklist

  • Unpack and set up hardware.

    Follow the hardware manufacturer's manuals accompanying your computer system to unpack and connect your computer system components.

  • Protect from insecure booting

    Windows NT cannot protect a machine against being booted from a medium other than the system disk, such as a floppy. Therefore all possible external measures must be taken to prevent unauthorised persons from attempting or achieving this. Such measures include physical security, security enforced by firmware (for example power-on passwords, booting only from the fixed disk, and disabling boot from diskette and CD drives in the BIOS), and combinations of these.

  • Install Windows NT according to the instructions provided in one of the following:

    Chapter 1 "Installing Windows NT Workstation" of Windows NT Workstation Installation Guide; or

    Part 2 "Installation" (consisting of Chapters 5 to 8) of Start Here, Basics and Installation, Microsoft Windows NT Server.

    Keep in mind the following considerations:

    • Do not customise the operating system except as specified in the items below. In particular do not install any optional components unless specifically stated.

    • For the ITSEC evaluation a UK (rather than a US) keyboard was chosen.

    • Delete all current partitions in order to get a fresh machine installation.

    • All hard-disk partitions must be formatted with NTFS. For more information about setting up disk partitions see one of the following:

      "Specifying the Disk Partitions" in Chapter 1 "Installing Windows NT Workstation" of the Windows NT Workstation Installation Guide; or

      "Configuring the Disk Partitions" in Chapter 5 "Beginning Installation" of Start Here, Basics and Installation, Microsoft Windows NT Server.

      The NTFS file system was specified since it is required for correct access control (which is not available with the FAT file system).

    • To comply with ITSEC requirements, no other operating systems can be installed on the computer.

    • All workstations and servers within a domain must have unique computer names. Consult your network administrator to receive a unique name before you install either product.

    • When setting up the network, please refer to the section at the end of this document, "Setting up networks with Windows NT", as this is a topic in its own right.

    • When the Administrator Account Setup dialog box appears, do not leave the Administrator password blank. You must provide a password that is at least 8 characters long and cannot be easily guessed (that is, it must contain both alphabetic and numeric characters). The password policy for normal users can be established later, but the attributes of the Administrator password cannot be enforced at this stage, so they must be applied by hand. Note that, to maintain the environmental assumptions in the security target for Microsoft Windows NT 4.0, the Administrator password must be different on each machine.

    • When the Local Account Setup dialog box appears, you can create a user account for routine computer use. If you choose to create a local account, keep in mind that this account is placed by default in the Administrators group, which gives the user the ability to create user accounts. For more information about the capabilities of members of the Administrators group, see the Windows NT Workstation or Windows NT Server System Guide. Note that, to maintain the environmental assumptions in the security target for Microsoft Windows NT 4.0, each username and password must be unique across the domain. Procedures should be established to ensure that the probability of two or more accounts having the same password at any time is low.

    • Create an Emergency Repair Disk. This makes it easier to recover your system if the operating-system configuration databases become corrupt. The Emergency Repair Disk must be treated with the same care and protection as other backup material such as tapes or floppies.
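    This page's account requirements (minimum length 8 with both letters and digits, password different from the username and unlikely to be shared with any other account, change forced at first logon, history 6, minimum age 7 days, maximum age 42 days, lockout after 5 failures within 30 minutes that lasts until an administrator clears it) interact in ways that are easy to get wrong when writing local procedures. The following Python model is an added example, not part of the original document and not code from Windows NT; it applies those rules to constructed accounts so the interplay can be exercised, in particular why the minimum age is needed alongside the history, and that the 30 minute window expires old failures while the lockout itself never does. SHA-256 and the START reference time are assumptions of the example, not how Windows NT stores passwords or keeps time.

```python
"""Model of the account policy this page requires, for exercising its edge cases."""
import hashlib
from datetime import datetime, timedelta

# Policy values taken from this page's account-policy requirements.
MIN_LENGTH = 8
HISTORY = 6                              # remembered passwords, current one included
MIN_AGE = timedelta(days=7)
MAX_AGE = timedelta(days=42)
LOCKOUT_THRESHOLD = 5
LOCKOUT_WINDOW = timedelta(minutes=30)   # failures older than this no longer count

START = datetime(2000, 1, 3, 9, 0)       # constructed reference time for the examples


def at(days=0, hours=0, minutes=0):
    """A point in time relative to START (assumption of the example)."""
    return START + timedelta(days=days, hours=hours, minutes=minutes)


def _h(password):
    # Demonstration only: SHA-256 stands in for NT's own password hashing,
    # since this model needs nothing more than equality of stored hashes.
    return hashlib.sha256(password.encode("utf-16-le")).hexdigest()


class Account:
    def __init__(self, username, initial_password, created):
        self.username = username
        self.history = [_h(initial_password)]   # oldest first, current password last
        self.changed = created
        self.must_change = True                 # 'User must change password at next logon'
        self.failures = []                      # timestamps of recent failed logons
        self.locked = False


def check_new_password(acct, candidate, now):
    """Return the reasons a candidate password is rejected (empty list = accepted)."""
    reasons = []
    if len(candidate) < MIN_LENGTH:
        reasons.append("shorter than %d characters" % MIN_LENGTH)
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        reasons.append("must contain both alphabetic and numeric characters")
    if candidate.lower() == acct.username.lower():
        reasons.append("must differ from the username")
    if _h(candidate) in acct.history[-HISTORY:]:
        reasons.append("matches one of the last %d passwords" % HISTORY)
    # The minimum age is what stops a user cycling through HISTORY throwaway passwords
    # in one sitting to get back to an old favourite; it is waived for the forced first change.
    if not acct.must_change and now - acct.changed < MIN_AGE:
        reasons.append("changed less than %d days ago" % MIN_AGE.days)
    return reasons


def change_password(acct, candidate, now):
    reasons = check_new_password(acct, candidate, now)
    if not reasons:
        acct.history = (acct.history + [_h(candidate)])[-HISTORY:]
        acct.changed = now
        acct.must_change = False
    return reasons


def attempt_logon(acct, password, now):
    """Apply the lockout rule: 5 failures inside 30 minutes lock the account until an
    administrator clears it. Returns one of: ok, must_change, expired, bad_password, locked."""
    if acct.locked:
        return "locked"
    if _h(password) != acct.history[-1]:
        acct.failures = [t for t in acct.failures if now - t < LOCKOUT_WINDOW] + [now]
        if len(acct.failures) >= LOCKOUT_THRESHOLD:
            acct.locked = True
            return "locked"
        return "bad_password"
    acct.failures = []
    if acct.must_change:
        return "must_change"
    if now - acct.changed > MAX_AGE:
        return "expired"
    return "ok"


def admin_unlock(acct):
    acct.locked = False
    acct.failures = []


def accounts_sharing_passwords(accounts):
    """Usernames grouped by identical current password hash; the page asks that this be rare."""
    groups = {}
    for a in accounts:
        groups.setdefault(a.history[-1], []).append(a.username)
    return [names for names in groups.values() if len(names) > 1]


if __name__ == "__main__":
    a = Account("jsmith", "Initial1pw", at())
    print(attempt_logon(a, "Initial1pw", at()))                      # must_change
    print(change_password(a, "Winter2000", at()))                   # []
    print(change_password(a, "Spring2000", at(days=1)))             # rejected by minimum age
    for i in range(5):
        print(attempt_logon(a, "wrong0000", at(days=8, minutes=i))) # 4 x bad_password, then locked
```

    The model treats a lockout as permanent because the page specifies that it "shall apply forever"; a site that instead sets an automatic reset would change only `admin_unlock` and the `locked` check.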

  • Start Windows NT and log on as Administrator.

    Restart your computer and start Windows NT. Log on to the Administrator account. This account has sufficient capability for you to perform the remainder of the configuration steps.

    Install the Microsoft Windows NT 4.0 Workstation and Server Service Pack 3.

    • If installing the Service Pack from floppy disks, insert disk 1 in the appropriate drive. If installing from a compact disc, insert the CD in the CD-ROM drive.

    • From the Start Menu, select Run.

    • To start the installation program, type <drive>:\i386\update (where <drive> is the drive letter of the drive containing the installation disk or CD) in the Command Line text box. Follow the instructions provided by the installation program.

    • Do not create an UNINSTALL directory: the pre-Service Pack system files it would retain carry known vulnerabilities that an attacker could exploit.

    The administrator may monitor the Microsoft Web site for new hot fixes. Hot fixes (and NT service packs) can be found at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/ or be requested through Microsoft representatives. The following hot fixes may be installed in the evaluated configuration:

    The following hot fix must be installed in the evaluated configuration:

    For customers unable or unwilling to download these hotfixes, they can be ordered on various media (for example CD-ROM or floppy disk) through Microsoft support in the UK (see Knowledge Base article 214802).

    The details of any hotfixes installed should be recorded together with the date and time, so that the installed configuration can be determined. Hotfix installation is described in Knowledge Base articles 184305 and 166839; these articles also explain how to generate a list of installed hotfixes.

  • Required settings for Evaluated Configuration.

    The installation of Windows NT needs to be modified in order for it to meet the evaluated configuration. Use the Registry Editor as described in the Windows NT Resource Guide to apply the following changes:

    Each entry gives the setting, then the registry key and the value to add, change or delete (HKLM = HKEY_LOCAL_MACHINE):

    • Remove POSIX and OS/2 subsystems
      Delete the \winnt\system32\os2 directory and all subdirectories.
      Delete OS2.EXE, OS2SS.EXE, OS2SRV.EXE, PSXSS.EXE and PSXDLL.DLL from \winnt\system32.
      Delete HKLM\SOFTWARE\Microsoft\OS/2 Subsystem for NT and all subkeys.
      Delete the Os2LibPath value under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Environment.
      Under HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems, delete the OS2 and Posix values and remove OS2 and Posix from the Optional value.

    • Secure base objects
      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager
      Add/change value ProtectionMode, REG_DWORD, data 1

    • Restrict anonymous users from obtaining public LSA information
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      Add/change value RestrictAnonymous, REG_DWORD, data 1

    • Restrict null-session access over named pipes and shares
      HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
      Remove all entries from the NullSessionPipes and NullSessionShares values.

    • Restrict untrusted users from planting trojan horse programs in the Run and Uninstall locations
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run
      HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall (if present)
      Change the access control entry for Everyone on these keys and all subkeys to Read. Do not modify any other access control entries.

    • Disable caching of logon information
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Add/change value CachedLogonsCount, REG_SZ, data 0

    • Only Administrators can create shares
      HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Shares
      Set the permissions on this key and all subkeys to: Administrators Full Control, SYSTEM Full Control, Everyone Read.

    • Disable DirectDraw
      HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI
      Add/change value Timeout, REG_DWORD, data 0

    • Restrict print driver installation so that only Administrators can install print drivers on servers and domain controllers, and only Administrators and Power Users on workstations
      HKLM\SYSTEM\CurrentControlSet\Control\Print\Providers\LanMan Print Services\Servers
      Add/change value AddPrinterDrivers, REG_DWORD, data 1

    • Clear the paging file when the system shuts down
      HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
      Add/change value ClearPageFileAtShutdown, REG_DWORD, data 1

    • Shut the system down when the security log is full
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      Add/change value CrashOnAuditFail, REG_DWORD, data 1
      Note: Knowledge Base article 140058 describes how to recover a machine that has halted following audit trail exhaustion. Note also that a blue screen will now be generated when attempting to shut down a machine, as explained in Knowledge Base article 178208. Local procedures should be established to ensure that end users do not attempt to reboot their machines when this occurs.

    • Audit the use of the Backup and Restore privileges
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      Add/change value FullPrivilegeAuditing, REG_BINARY, data 1

    • Audit base objects
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      Add/change value AuditBaseObjects, REG_DWORD, data 1

    • Modify logical security packages
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      Delete the value Notification Packages.
      Unless the organisational security policy relies solely on the built-in account policy to enforce password selection criteria, then also:
      Add/change value Notification Packages, REG_MULTI_SZ, data passfilt.dll

    • Set NTLM security to send the NTLM response only
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      Add/change value LMCompatibilityLevel, REG_DWORD, data 2
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa\MSV1_0
      Add/change value NtlmMinClientSec, REG_DWORD, data 0
      Add/change value NtlmMinServerSec, REG_DWORD, data 0

    • Ensure only the interactive user can access floppy drives
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Add/change value AllocateFloppies, REG_SZ, data 1

    • Ensure only the interactive user can access CD-ROM drives
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Add/change value AllocateCdRoms, REG_SZ, data 1

    • Restrict system shutdown to logged-on users only
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Add/change value ShutdownWithoutLogon, REG_SZ, data 0

    • Restrict logon parameters
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Add/change value DontDisplayLastUsername, REG_SZ, data 1
      Delete the value DefaultPassword.

    • Disable automatic logon
      HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
      Add/change value AutoAdminLogon, REG_SZ, data 0

    • Restrict guest access to the event log files
      HKLM\SYSTEM\CurrentControlSet\Services\EventLog\[LogFileName]
      For each [LogFileName]: add/change value RestrictGuestAccess, REG_DWORD, data 1

    • Restrict network access to the registry
      HKLM\SYSTEM\CurrentControlSet\Control
      Add key SecurePipeServers (class REG_SZ).
      HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers
      Add key winreg (class REG_SZ).
      HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
      Add value Description, REG_SZ, data Registry Server
      Add key AllowedPaths (class REG_SZ).
      HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths
      Add value Machine, REG_MULTI_SZ, with the entries:
        System\CurrentControlSet\Control\ProductOptions
        System\CurrentControlSet\Control\Print\Printers
        System\CurrentControlSet\Services\Eventlog
        Software\Microsoft\Windows NT\CurrentVersion
        System\CurrentControlSet\Services\Replicator
      This allows machines access to the listed locations in the registry provided that no explicit access restrictions exist for that location.

    • Configure the Server Message Block authentication protocol (SMB signing)
      On servers: HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
      Add value EnableSecuritySignature, REG_DWORD, data 1
      Add value RequireSecuritySignature, REG_DWORD, data 1
      On workstations: HKLM\SYSTEM\CurrentControlSet\Services\Rdr\Parameters
      Add value EnableSecuritySignature, REG_DWORD, data 1
      Add value RequireSecuritySignature, REG_DWORD, data 1

    • Prevent users from running Task Manager
      HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System
      Add/change value DisableTaskMgr, REG_DWORD, data 1

    • Disable automatic reboot after a crash
      HKLM\SYSTEM\CurrentControlSet\Control\CrashControl
      Add/change value AutoReboot, REG_DWORD, data 0
      Add/change value LogEvent, REG_DWORD, data 1

    • Remove "hidden" administrative shares
      HKLM\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters
      Add/change value AutoShareServer (servers), REG_DWORD, data 0
      Add/change value AutoShareWks (workstations), REG_DWORD, data 0

    • Protect access to the boot partition (see footnote 1)
      HKLM\SYSTEM\CurrentControlSet\Control\Lsa
      Add/change value Protect System Partition, REG_DWORD, data 1
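    Once the changes above have been made, the quickest way to confirm that a machine still matches them (or to compare several machines) is to export the relevant keys with the Registry Editor and check the export file offline. The following Python script is an added example, not part of the original document or of Windows NT: it parses a Registry Editor export (the REGEDIT4 format written by Windows NT 4.0, or the Version 5.00 format of later Windows, which differ in how REG_MULTI_SZ data is encoded) and reports every baseline setting that is missing or has the wrong data. The BASELINE dictionary covers a subset of the table above and can be extended; the sample export is constructed for illustration and deliberately omits ProtectionMode, leaves LMCompatibilityLevel at 0, keeps the default FPNWCLNT notification package and two null-session pipes, and caches 10 logons, all of which the audit reports.

```python
"""Audit a Registry Editor export against the evaluated-configuration settings."""
import re

# Baseline drawn from the settings table on this page (a subset; extend as needed).
# Expected data is normalised: REG_DWORD to int, REG_SZ to str, REG_MULTI_SZ to list.
HKLM = "HKEY_LOCAL_MACHINE\\"
LSA = HKLM + "SYSTEM\\CurrentControlSet\\Control\\Lsa"
WINLOGON = HKLM + "SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon"
SRV = HKLM + "SYSTEM\\CurrentControlSet\\Services\\LanManServer\\Parameters"
BASELINE = {
    (HKLM + "SYSTEM\\CurrentControlSet\\Control\\Session Manager", "ProtectionMode"): 1,
    (LSA, "RestrictAnonymous"): 1,
    (LSA, "CrashOnAuditFail"): 1,
    (LSA, "AuditBaseObjects"): 1,
    (LSA, "LMCompatibilityLevel"): 2,
    (LSA, "Notification Packages"): ["passfilt.dll"],
    (WINLOGON, "CachedLogonsCount"): "0",
    (WINLOGON, "AutoAdminLogon"): "0",
    (WINLOGON, "DontDisplayLastUsername"): "1",
    (SRV, "RequireSecuritySignature"): 1,
    (SRV, "NullSessionPipes"): [],
    (SRV, "NullSessionShares"): [],
}

_VALUE_RE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def _unescape(s):
    return s.replace('\\"', '"').replace("\\\\", "\\")


def _decode(raw, wide):
    """Convert the right-hand side of a .reg value line to a Python value."""
    if raw.startswith("dword:"):
        return int(raw[6:], 16)
    if raw.startswith('"') and raw.endswith('"'):
        return _unescape(raw[1:-1])
    if raw == "-":
        return None                      # deletion directive
    m = re.match(r"hex(?:\((\d+)\))?:(.*)$", raw)
    if not m:
        raise ValueError("unsupported value syntax: " + raw)
    kind = int(m.group(1) or 3)          # bare 'hex:' is REG_BINARY
    data = bytes(int(b, 16) for b in m.group(2).split(",") if b.strip())
    if kind in (1, 2, 7):
        # REGEDIT4 (NT 4.0) stores string data as ANSI bytes; Version 5.00 stores UTF-16LE.
        text = data.decode("utf-16-le" if wide else "latin-1")
        if kind == 7:                    # REG_MULTI_SZ: NUL-separated, double-NUL terminated
            return [s for s in text.split("\0") if s]
        return text.rstrip("\0")         # REG_SZ / REG_EXPAND_SZ written in hex form
    return data


def parse_reg(text):
    """Parse a regedit export into {(key, name): value}; keys and names lower-cased."""
    lines = text.lstrip("\ufeff").splitlines()
    wide = lines[0].strip().lower().startswith("windows registry editor")
    values, key, pending = {}, None, ""
    for line in lines[1:]:
        line = pending + line.strip()
        pending = ""
        if not line or line.startswith(";"):
            continue
        if line.endswith("\\"):          # hex data continued on the next line
            pending = line[:-1]
            continue
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = _VALUE_RE.match(line)
        if key is None or not m:
            raise ValueError("malformed line: " + line)
        name = _unescape(m.group(1)) if m.group(1) is not None else ""
        values[(key.lower(), name.lower())] = _decode(m.group(2), wide)
    return values


def audit(text, baseline=BASELINE):
    """Return (key, name, expected, found) for each baseline setting missing or wrong."""
    found = parse_reg(text)
    findings = []
    for (key, name), want in baseline.items():
        got = found.get((key.lower(), name.lower()), "<missing>")
        if got != want:
            findings.append((key, name, want, got))
    return findings


# Constructed sample export in NT 4.0's REGEDIT4 format (not from a real machine).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
"CrashOnAuditFail"=dword:00000001
"AuditBaseObjects"=dword:00000001
"LMCompatibilityLevel"=dword:00000000
"Notification Packages"=hex(7):46,50,4e,57,43,4c,4e,54,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"CachedLogonsCount"="10"
"AutoAdminLogon"="0"
"DontDisplayLastUsername"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"RequireSecuritySignature"=dword:00000001
"NullSessionPipes"=hex(7):43,4f,4d,4e,41,50,00,43,4f,4d,\
  4e,4f,44,45,00,00
"NullSessionShares"=hex(7):00,00
"""

if __name__ == "__main__":
    for key, name, want, got in audit(SAMPLE_EXPORT):
        print("%s\\%s: expected %r, found %r" % (key, name, want, got))
```

    Key and value names are compared case-insensitively because the registry itself is, and a value that is absent is reported as missing rather than silently passing, so a key that was never created shows up alongside one that was set wrongly.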

User rights: default membership on Workstation and Server, and the change (if any) for the evaluated configuration.

  • Access this computer from network
    Default: BUILTIN\Administrators, BUILTIN\Power Users, Everyone
    Change: none.

  • Act as part of the operating system
    Default: (none)
    Change: none. Do not assign to any user.

  • Add workstations to domain
    Default: (none)
    Change: none.

  • Back up files and directories
    Default: BUILTIN\Administrators, BUILTIN\Backup Operators (domain controllers only: BUILTIN\Server Operators)
    Change: none. Note that this user right (equivalent to SeBackupPrivilege) is extremely powerful and its use should be strictly limited.

  • Bypass traverse checking
    Default: Everyone
    Change: none.

  • Change the system time
    Default: BUILTIN\Administrators (not domain controllers: BUILTIN\Power Users; domain controllers only: BUILTIN\Server Operators)
    Change: none.

  • Create a pagefile
    Default: BUILTIN\Administrators
    Change: none.

  • Create a token object
    Default: (none)
    Change: none. Do not assign to any user.

  • Create permanent shared objects
    Default: (none)
    Change: none.

  • Debug programs
    Default: BUILTIN\Administrators
    Change: remove BUILTIN\Administrators. This right is not auditable and should not be assigned to any user, including system administrators.

  • Force shutdown from a remote system
    Default: BUILTIN\Administrators (not domain controllers: BUILTIN\Power Users; domain controllers only: BUILTIN\Server Operators)
    Change: none.

  • Generate security audits
    Default: (none)
    Change: none. Do not assign to any user.

  • Increase quotas
    Default: BUILTIN\Administrators
    Change: none.

  • Increase scheduling priority
    Default: BUILTIN\Administrators (not domain controllers: BUILTIN\Power Users)
    Change: none.

  • Load and unload device drivers
    Default: BUILTIN\Administrators
    Change: none.

  • Lock pages in memory
    Default: (none)
    Change: none.

  • Log on as a batch job
    Default: (none)
    Change: none.

  • Log on as a service
    Default: (none)
    Change: none.

  • Log on locally
    Default: BUILTIN\Administrators, BUILTIN\Backup Operators (not domain controllers: BUILTIN\Power Users, BUILTIN\Guests, BUILTIN\Users; domain controllers only: BUILTIN\Server Operators, BUILTIN\Account Operators, BUILTIN\Print Operators; workstations only: Everyone)
    Change: none.

  • Manage auditing and security log
    Default: BUILTIN\Administrators
    Change: none.

  • Modify firmware environment values
    Default: BUILTIN\Administrators
    Change: none.

  • Profile single process
    Default: BUILTIN\Administrators (not domain controllers: BUILTIN\Power Users)
    Change: none.

  • Profile system performance
    Default: BUILTIN\Administrators
    Change: none.

  • Replace a process level token
    Default: (none)
    Change: none. Do not assign to any user.

  • Restore files and directories
    Default: BUILTIN\Administrators, BUILTIN\Backup Operators (domain controllers only: BUILTIN\Server Operators)
    Change: none.

  • Shut down the system
    Default: BUILTIN\Administrators, BUILTIN\Backup Operators (not domain controllers: BUILTIN\Power Users, BUILTIN\Guests, BUILTIN\Users; domain controllers only: BUILTIN\Server Operators, BUILTIN\Account Operators, BUILTIN\Print Operators; workstations only: Everyone)
    Change: none.

  • Take ownership of files or other objects
    Default: BUILTIN\Administrators
    Change: none.

  • Protect operating system files and directories.

    Use Windows NT Explorer to set directory permissions as specified in the following table. Leave the 'Replace Permissions on Subdirectories' box unchecked and the 'Replace Permissions on Existing Files' box checked, unless explicitly stated otherwise.

    Directory/File / Default Untrusted User Permission / Changed Untrusted User Permission (other existing ACEs are not to be modified)

    C:\ (directory only)
      Default: Everyone Change
      Changed: Everyone Read

    C:\autoexec.bat, C:\config.sys, C:\io.sys, C:\msdos.sys
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\program files\ (directory, all existing files, and subdirectories)
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\temp\ (directory, all existing files, and subdirectories)
      Default: Everyone Change
      Changed: Everyone Add

    C:\winnt\ (directory and all existing files)
      Default: Everyone had Full Control on the directory and on some of the files and Read on the rest
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\config\ (directory only)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\cursors\ (directory and all existing files)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\fonts\ (directory and all existing files)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\help\ (directory only)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\help\ (all files only)
      Default: Everyone had a combination of Full Control, Change, and Read
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\inf\ (directory only)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\inf\ (all files only)
      Default: Everyone had Full Control on all *.PNF files and Change or Read on the rest
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\Java\ (directory, all existing files, and subdirectories)
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\media\ (directory only)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\media\ (all files only)
      Default: Everyone had Full Control on all *.RMI files and Read on the rest
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\pif\ (directory and all existing files)
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\profiles\ (directory only)
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\profiles\ policies
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\repair\ (directory and all existing files)
      Default: Everyone had Full Control on the setup.log file and Read on everything else
      Changed: Everyone Read; add Administrators Full Control

    C:\winnt\ShellNew\ (directory and all existing files)
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\system\ (directory only)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\system\ (all files only)
      Default: Everyone Full Control (except setup.inf)
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\system32\ (directory only)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\system32\ (all files only)
      Default: Everyone had Full Control on a few files, Change on many files, and Read on the rest
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control
      Exception, C:\winnt\system32\backup.exe:
        Default: (not given in the source table)
        Changed: Administrators Full Control, SYSTEM Full Control

    C:\winnt\system32\CertServ\ (directory, all existing files, and subdirectories)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\system32\config\ (directory and all existing files)
      Default: Everyone had Full Control on the directory and most files
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\system32\DNS\ (directory, all existing files, and subdirectories)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\system32\drivers\ (directory, all existing files, and subdirectories)
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\system32\LLS\ (directory and all existing files)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\system32\ras\ (directory and all existing files)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\system32\Setup\ (directory and all existing files)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\system32\viewers\ (directory and all existing files)
      Default: Everyone Change
      Changed: Everyone Read

    C:\winnt\system32\wins\ (directory and all existing files)
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    C:\winnt\profiles\ (directory and all existing files; create if it does not exist)
      Default: Everyone Full Control
      Changed: Everyone Read; add Administrators Full Control, SYSTEM Full Control

    Several critical operating system files exist in the root directory of the system partition on Intel 80486 and Pentium-based systems. Note that these are hidden files; use Windows NT Explorer to make them visible, then after modifying their permissions return them to the hidden state. These files must be protected with the following permissions:

    File: \BOOT.INI, \NTDETECT.COM, \NTLDR
    Modified Permission: Administrators: Full Control; SYSTEM: Full Control
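    The following PowerShell script is an added illustration; it is not part of the original ITSEC document, and Windows NT 4.0 itself has no PowerShell (there the permissions are set in Windows NT Explorer or with cacls.exe). It expresses the rule the table applies, Everyone cut down to Read, Administrators and SYSTEM granted Full Control, all other ACEs left in place, using the .NET ACL classes on a modern Windows host, and then checks the result. The scratch directory under $env:TEMP, the file names inside it and the function names are constructed for the demonstration and do not appear in the evaluated configuration.

```powershell
# Added illustration; not from the original ITSEC document. Applies the table's
# pattern (Everyone Read; Administrators and SYSTEM Full Control; other ACEs kept)
# to a constructed scratch tree under $env:TEMP so nothing on the real system changes.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$Everyone = [SecurityIdentifier]'S-1-1-0'        # Everyone
$Admins   = [SecurityIdentifier]'S-1-5-32-544'   # BUILTIN\Administrators
$System   = [SecurityIdentifier]'S-1-5-18'       # NT AUTHORITY\SYSTEM

# NT 4 standard permissions in NTFS terms: Read = RX, Add = WX (used for C:\temp).
$NtRead = [FileSystemRights]::ReadAndExecute
$NtAdd  = [FileSystemRights]::CreateFiles -bor [FileSystemRights]::CreateDirectories -bor
          [FileSystemRights]::Traverse

# Any right in this mask lets Everyone alter data, delete, or rewrite the ACL.
$WriteMask = [FileSystemRights]::Write -bor [FileSystemRights]::Delete -bor
             [FileSystemRights]::DeleteSubdirectoriesAndFiles -bor
             [FileSystemRights]::ChangePermissions -bor [FileSystemRights]::TakeOwnership

function Set-EvaluatedConfigAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [FileSystemRights]$EveryoneRights = $NtRead,
        [switch]$ExistingFiles,    # the 'replace permissions on existing files' box
        [switch]$Subdirectories    # the 'replace permissions on subdirectories' box
    )
    $acl = Get-Acl -LiteralPath $Path
    # NT 4 ACLs are flat. Converting inherited ACEs to explicit ones keeps them
    # ("other existing ACEs are not to be modified") and lets Everyone be purged.
    $acl.SetAccessRuleProtection($true, $true)
    [void]$acl.PurgeAccessRules($Everyone)
    foreach ($entry in @(@($Everyone, $EveryoneRights),
                         @($Admins,   [FileSystemRights]::FullControl),
                         @($System,   [FileSystemRights]::FullControl))) {
        $acl.AddAccessRule([FileSystemAccessRule]::new($entry[0], $entry[1], 'None', 'None', 'Allow'))
    }
    Set-Acl -LiteralPath $Path -AclObject $acl

    if (Test-Path -LiteralPath $Path -PathType Container) {
        if ($ExistingFiles) {
            Get-ChildItem -LiteralPath $Path -File | ForEach-Object {
                Set-EvaluatedConfigAcl -Path $_.FullName -EveryoneRights $EveryoneRights
            }
        }
        if ($Subdirectories) {
            Get-ChildItem -LiteralPath $Path -Directory | ForEach-Object {
                Set-EvaluatedConfigAcl -Path $_.FullName -EveryoneRights $EveryoneRights `
                    -ExistingFiles:$ExistingFiles -Subdirectories
            }
        }
    }
}

# Returns the Allow ACEs for Everyone on $Path that grant more than Read; empty = compliant.
function Get-UntrustedWriteAce {
    param([Parameter(Mandatory)][string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Translate([SecurityIdentifier]) -eq $Everyone -and
        (([int]$_.FileSystemRights) -band ([int]$WriteMask)) -ne 0
    } | Select-Object @{n='Path';e={$Path}}, IdentityReference, FileSystemRights, IsInherited
}

# --- Demonstration on a constructed scratch tree (stands in for C:\) -----------
$root = Join-Path $env:TEMP ('itsec-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path (Join-Path $root 'winnt\system32'), (Join-Path $root 'temp') -Force | Out-Null
Set-Content -LiteralPath (Join-Path $root 'winnt\system32\sample.dll') -Value 'constructed sample file'

# Start from the insecure default the table documents: Everyone Full Control, inherited.
$seed = Get-Acl -LiteralPath $root
$seed.AddAccessRule([FileSystemAccessRule]::new($Everyone, 'FullControl', 'ContainerInherit,ObjectInherit', 'None', 'Allow'))
Set-Acl -LiteralPath $root -AclObject $seed
'Before:'; Get-UntrustedWriteAce (Join-Path $root 'winnt\system32\sample.dll') | Format-Table -AutoSize

Set-EvaluatedConfigAcl -Path $root                                                     # C:\ directory only
Set-EvaluatedConfigAcl -Path (Join-Path $root 'winnt') -ExistingFiles -Subdirectories  # C:\winnt\ and below
Set-EvaluatedConfigAcl -Path (Join-Path $root 'temp') -EveryoneRights $NtAdd           # C:\temp\: Everyone Add
# After the fix only the temp directory is listed, because Add is by design a write right.
'After:'; Get-ChildItem -LiteralPath $root -Recurse | ForEach-Object { Get-UntrustedWriteAce $_.FullName } | Format-Table -AutoSize
Remove-Item -LiteralPath $root -Recurse -Force
```

    Run it from an ordinary prompt; it only touches the scratch tree. Get-UntrustedWriteAce is the check to run afterwards over the real paths in the table: on a correctly configured system it returns nothing for any of them except the directories the table deliberately gives Everyone Add.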

  • Employ auditing

    Using User Manager, employ auditing for all ITSEC required resources and activities. These are

    • Logon and Logoff

    • File and Object Access (including creation and deletion) to those resources (files and directories typically) which are subject to the administration of rights

    • Use of User Rights

    • User and Group Management

    • Security Policy Changes

    • Restart, Shutdown, and System

    Using Windows NT Explorer, employ auditing for all file and directory resources for which auditing must be employed. Note that the auditing dialogue box has checkboxes for 'Replace Auditing on Existing Files' and 'Replace Auditing on Subdirectories'. If you check both, all files in the current directory, all files in all subdirectories, and the subdirectories themselves will be amended. Which resources must be audited is installation dependent; contact your security officer for details. The following audit settings must be applied in the evaluated configuration:

    Directory/File                             Audit Permissions ([S]uccess, [F]ailure)
    C:\WINNT\system32\config\AppEvent.Evt      Everyone: Read (S, F), Write (S, F)
    C:\WINNT\system32\config\SecEvent.Evt      Everyone: Read (S, F), Write (S, F)
    C:\WINNT\system32\config\SysEvent.Evt      Everyone: Read (S, F), Write (S, F)

    Both successful and failed events must be audited. Other types of auditing may be required by your system; consult your security officer.
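    The following PowerShell script is an added illustration and is not part of the original ITSEC document. On Windows NT 4.0 the audit policy is set in User Manager and the file SACLs in Windows NT Explorer; the script does the same two things on a modern Windows host with auditpol.exe and the .NET SACL classes, then reads the SACLs back to confirm them. It assumes an elevated prompt (setting a SACL needs SeSecurityPrivilege) and English audit category names. The three log files it audits are constructed stand-ins under $env:TEMP, not the real .Evt files, and the function names are the author's own.

```powershell
# Added illustration; not from the original ITSEC document. Turns on the six
# audit categories the evaluated configuration requires (success and failure)
# and puts the table's Read/Write audit entries for Everyone on three constructed
# stand-ins for the event log files. Run elevated.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$Everyone = [SecurityIdentifier]'S-1-1-0'

# 1. Audit policy. User Manager category -> auditpol category (English names):
#    Logon and Logoff -> Logon/Logoff, File and Object Access -> Object Access,
#    Use of User Rights -> Privilege Use, User and Group Management -> Account Management,
#    Security Policy Changes -> Policy Change, Restart/Shutdown/System -> System.
$Categories = @('Logon/Logoff', 'Object Access', 'Privilege Use',
                'Account Management', 'Policy Change', 'System')
foreach ($c in $Categories) {
    & auditpol.exe /set "/category:$c" /success:enable /failure:enable | Out-Null
}
& auditpol.exe /get "/category:$($Categories -join ',')"   # show what is now in force

# 2. File auditing: Everyone, Read (S, F) and Write (S, F), on each log file.
function Set-EventLogAudit {
    param([Parameter(Mandatory)][string[]]$LogFile)
    foreach ($f in $LogFile) {
        $acl = Get-Acl -LiteralPath $f -Audit        # -Audit reads the SACL as well
        [void]$acl.PurgeAuditRules($Everyone)        # replace, rather than append to, old entries
        foreach ($right in @([FileSystemRights]::Read, [FileSystemRights]::Write)) {
            $acl.AddAuditRule([FileSystemAuditRule]::new($Everyone, $right, 'Success,Failure'))
        }
        Set-Acl -LiteralPath $f -AclObject $acl
    }
}

# Returns the audit entries for Everyone on $LogFile so the setting can be verified.
function Get-EventLogAudit {
    param([Parameter(Mandatory)][string]$LogFile)
    (Get-Acl -LiteralPath $LogFile -Audit).Audit | Where-Object {
        $_.IdentityReference.Translate([SecurityIdentifier]) -eq $Everyone
    } | Select-Object @{n='File';e={Split-Path $LogFile -Leaf}}, FileSystemRights, AuditFlags
}

# Demonstration on constructed stand-ins for the three .Evt files.
$dir = Join-Path $env:TEMP 'itsec-audit-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
$logs = 'AppEvent.Evt', 'SecEvent.Evt', 'SysEvent.Evt' | ForEach-Object {
    $p = Join-Path $dir $_
    Set-Content -LiteralPath $p -Value 'constructed sample log file'
    $p
}
Set-EventLogAudit -LogFile $logs
$logs | ForEach-Object { Get-EventLogAudit -LogFile $_ } | Format-Table -AutoSize
Remove-Item -LiteralPath $dir -Recurse -Force
```

    The audit policy change affects the host it runs on; the SACL part only touches the scratch files. Pointing Set-EventLogAudit at the real log files is the same call with the real paths, and Get-EventLogAudit is the check that each file carries exactly the Read and Write entries for Everyone with both Success and Failure set.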

  • Protect Registry keys.

    Use the Registry Editor, as described in the Windows NT Resource Guide, to change the protections of the following keys:

    Registry Entry (HKLM = HKEY_LOCAL_MACHINE) / Default Untrusted User Permission / Changed Untrusted User Permission (other existing ACEs are not to be modified)

    The letter strings below are the Registry Editor's special-access abbreviations, in the order the strings use them: R Read Control, D Delete, W Write DAC, O Write Owner, q Query Value, s Set Value, c Create Subkey, e Enumerate Subkeys, n Notify, l Create Link; a hyphen means that right is not granted. 'Read' is the Registry Editor's standard Read permission.

    HKLM\SOFTWARE
      Default: Everyone RD---qscen-
      Changed: Everyone Read

    HKLM\SOFTWARE\Classes (+subkeys)
      Default: Everyone RD---qscen-; Interactive RD---qscen-
      Changed: Everyone Read; Interactive Read

    HKLM\SOFTWARE\Compaq (+subkeys), HKLM\SOFTWARE\Description (+subkeys), HKLM\SOFTWARE\Microsoft
      Default: Everyone RD---qscen-
      Changed: Everyone Read

    HKLM\SOFTWARE\Microsoft\ subkeys:
      \Active Setup (+subkeys), \Browser (+subkeys), \Cryptography (+subkeys), \Direct3D (+subkeys), \DirectPlay (+subkeys), \DirectX, \DNS (+subkeys), \Internet Explorer (+subkeys), \Jet, \LanmanServer (+subkeys), \LanmanWorkstation (+subkeys), \Ncpa (+subkeys), \NetBT (+subkeys), \RPCLOCATOR (+subkeys), \Tcpip (+subkeys), \TcpipCU (+subkeys)
      Default: Everyone RD---qscen-
      Changed: Everyone Read

    HKLM\SOFTWARE\Microsoft\Windows
      Default: Everyone R----qscen-
      Changed: Everyone Read

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion
      Default: Everyone R----qscen-
      Changed: Everyone Read

    HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\ subkeys:
      \App Paths (+subkeys), \Controls Folder (+subkeys), \Explorer (+subkeys), \Internet Settings (+subkeys), \MS-DOS Emulation (+subkeys), \Nls (+subkeys), \Reliability, \RenameFiles (+subkeys), \Setup (+subkeys), \ShellScrap (+subkeys), \URL (+subkeys)
      Default: Everyone R----qscen-
      Changed: Everyone Read

    HKLM\SOFTWARE\Microsoft\Windows Messaging Subsystem
      Default: Everyone R----qscen-
      Changed: Everyone Read

    HKLM\SOFTWARE\Microsoft\Wins (and all subkeys)
      Default: Everyone RD---qscen-
      Changed: Everyone Read

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ subkeys:
      \AeDebug, \Compatibility, \Drivers, \drivers.desc, \Embedding, \Fonts, \FontSubstitutes, \GRE_Initialize, \MCI, \MCI Extensions, \Midimap, \Ports, \ProfileList (+subkeys), \Type 1 Installer\type 1 Fonts, \WOW (+subkeys)
      Default: Everyone R----qscen-
      Changed: Everyone Read

    HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Network\World Full Access Shared Parameters
      Default: Everyone RDWO-qscenl
      Changed: Everyone Read; add Administrators Full, SYSTEM Full

    HKLM\SOFTWARE\Windows 3.1 Migration Status (and all subkeys)
      Default: Everyone RD---qscen-
      Changed: Everyone Read

    HKLM\SYSTEM\CurrentControlSet\Services\ subkeys (each with its subkeys):
      \Afd, \Alerter, \Browser, \Compaq, \DHCP, \DNS, \LanmanServer, \LanmanWorkstation, \LicenseService, \LmHosts, \Messenger, \NetBT, \NtLmSsp, \ProtectedStorage, \Rdr, \Replicator, \RPCLOCATOR, \Srv, \Tcpip, \Vga, \Wins
      Default: Everyone R----q-cen-
      Changed: Everyone Read

    HKLM\SYSTEM\CurrentControlSet\Services\EventLog\[LogFileName] (for each log file)
      Default: Everyone R----q--en---r; Administrators Full; SYSTEM Full
      Changed: delete the Everyone entry

    HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
      Default: Administrators Full
      Changed: Administrators Full; Replicator Read

    HKEY_USERS\.DEFAULT\Software\Microsoft\Windows NT\CurrentVersion\Program Manager\Common Groups
      Default: Everyone RD---qscen-
      Changed: Everyone Read

    HKLM\Software\Microsoft\Windows\CurrentVersion\Explorer\BitBucket
      Default: Administrators Full; SYSTEM Full; CREATOR OWNER Full; Everyone S
      Changed: Everyone Read
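    The following PowerShell script is an added illustration and is not part of the original ITSEC document, where the key permissions are changed by hand in the Registry Editor. It applies the same pattern as the table, Everyone reduced to Read, Administrators and SYSTEM given Full Control, other entries kept, with the PowerShell registry provider on a modern Windows host. The fix is demonstrated on a scratch key under HKCU that the script creates and removes; the checking function only reads ACLs and is finally pointed at a few of the real HKLM keys from the table. Key names outside the table, and the function names, are constructed for the demonstration.

```powershell
# Added illustration; not from the original ITSEC document. Cuts Everyone to Read on
# a registry key (and optionally its subkeys), adds Administrators and SYSTEM Full
# Control, keeps every other ACE, and reports keys where Everyone can still write.
using namespace System.Security.AccessControl
using namespace System.Security.Principal

$Everyone = [SecurityIdentifier]'S-1-1-0'
$Admins   = [SecurityIdentifier]'S-1-5-32-544'
$System   = [SecurityIdentifier]'S-1-5-18'

# Registry 'Read' as the Registry Editor defines it: Query Value, Enumerate Subkeys,
# Notify, Read Control.
$RegRead  = [RegistryRights]::ReadKey
# Any of these lets an untrusted user change the key, its values, or its ACL.
$RegWrite = [RegistryRights]::SetValue -bor [RegistryRights]::CreateSubKey -bor
            [RegistryRights]::Delete -bor [RegistryRights]::ChangePermissions -bor
            [RegistryRights]::TakeOwnership -bor [RegistryRights]::CreateLink

function Set-EvaluatedRegistryAcl {
    # $Key is a provider path such as HKCU:\Software\Demo or HKLM:\SOFTWARE\Classes
    param([Parameter(Mandatory)][string]$Key, [switch]$Subkeys)
    $acl = Get-Acl -LiteralPath $Key
    $acl.SetAccessRuleProtection($true, $true)   # flat ACL as on NT 4; existing ACEs kept
    [void]$acl.PurgeAccessRules($Everyone)
    $acl.AddAccessRule([RegistryAccessRule]::new($Everyone, $RegRead, 'None', 'None', 'Allow'))
    $acl.AddAccessRule([RegistryAccessRule]::new($Admins, 'FullControl', 'None', 'None', 'Allow'))
    $acl.AddAccessRule([RegistryAccessRule]::new($System, 'FullControl', 'None', 'None', 'Allow'))
    Set-Acl -LiteralPath $Key -AclObject $acl
    if ($Subkeys) {
        Get-ChildItem -LiteralPath $Key | ForEach-Object {
            Set-EvaluatedRegistryAcl -Key $_.PSPath -Subkeys
        }
    }
}

# Returns, for each key, the Allow ACEs that give Everyone a write right. Keys that do not
# exist (optional components) are skipped; keys whose ACL cannot be read are reported.
function Get-UntrustedRegistryWrite {
    param([Parameter(Mandatory)][string[]]$Key)
    foreach ($k in $Key) {
        if (-not (Test-Path -LiteralPath $k)) { continue }
        try { $acl = Get-Acl -LiteralPath $k -ErrorAction Stop }
        catch { Write-Warning "cannot read the ACL of $k (run elevated): $($_.Exception.Message)"; continue }
        $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([SecurityIdentifier]) -eq $Everyone -and
            (([int]$_.RegistryRights) -band ([int]$RegWrite)) -ne 0
        } | Select-Object @{n='Key';e={$k}}, RegistryRights, IsInherited
    }
}

# Demonstration on a constructed scratch key (safe: HKCU, removed at the end).
$scratch = 'HKCU:\Software\ITSEC-Demo'
New-Item -Path "$scratch\Sub" -Force | Out-Null
New-ItemProperty -Path $scratch -Name 'Sample' -Value 'constructed' -Force | Out-Null

# Seed the insecure default from the table: Everyone with Set Value and Create Subkey.
$seed = Get-Acl -LiteralPath $scratch
$seed.AddAccessRule([RegistryAccessRule]::new($Everyone,
    ($RegRead -bor [RegistryRights]::SetValue -bor [RegistryRights]::CreateSubKey),
    'ContainerInherit', 'None', 'Allow'))
Set-Acl -LiteralPath $scratch -AclObject $seed
'Before:'; Get-UntrustedRegistryWrite -Key $scratch, "$scratch\Sub" | Format-Table -AutoSize

Set-EvaluatedRegistryAcl -Key $scratch -Subkeys
'After:';  Get-UntrustedRegistryWrite -Key $scratch, "$scratch\Sub" | Format-Table -AutoSize
Remove-Item -LiteralPath $scratch -Recurse -Force

# Read-only check of some keys from the table on the live host (no change is made).
Get-UntrustedRegistryWrite -Key 'HKLM:\SOFTWARE', 'HKLM:\SOFTWARE\Classes',
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList',
    'HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg' | Format-Table -AutoSize
```

    Changing the real HKLM keys needs an elevated prompt and is the same Set-EvaluatedRegistryAcl call with the provider path of each key; for the EventLog and winreg rows, which delete or add entries rather than trimming Everyone, edit the ACL object directly in the same way the seed step does.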

  • Check that the enabled devices are within the evaluated configuration, using Control Panel – Devices:

    Only devices that are found on the Windows NT Installation CD may be enabled in the evaluated configuration.

  • Check that the enabled services are within the evaluated configuration, using Control Panel – Services.

    The following services may be enabled and they shall be set to start up automatically within the evaluated configuration:

    Service

    Alerter

    Computer Browser

    EventLog

    Microsoft DNS Server (only on servers with it installed)

    Netlogon

    NTLM SSP

    RPC Locator

    RPC Service

    Protected Store

    Plug & Play

    DHCP Client

    Server

    Spooler

    TCP/IP NetBIOS Helper

    WINS (only on servers with it installed)

    Workstation
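    The following PowerShell script is an added illustration and is not part of the original ITSEC document. It turns the list above into a check: given a service inventory, it reports any service that is enabled but not in the evaluated list, and any listed service that is not set to start automatically. The list is spelt exactly as this document spells it; real display names vary between Windows versions, so adjust the list to your own baseline before relying on it. The sample inventory is constructed, and the last line runs the same check against the live host through Win32_Service, where a modern Windows build will naturally report many deviations.

```powershell
# Added illustration; not from the original ITSEC document. Compares a service
# inventory with the evaluated configuration's allowed-service list and reports
# deviations. Service names in $AllowedServices follow the document's spelling.
$AllowedServices = @(
    'Alerter', 'Computer Browser', 'EventLog', 'Microsoft DNS Server', 'Netlogon',
    'NTLM SSP', 'RPC Locator', 'RPC Service', 'Protected Store', 'Plug & Play',
    'DHCP Client', 'Server', 'Spooler', 'TCP/IP NetBIOS Helper', 'WINS', 'Workstation'
)

function Get-ServiceDeviation {
    param(
        [Parameter(Mandatory)][string[]]$Allowed,
        # Objects with DisplayName, StartMode ('Auto', 'Manual', 'Disabled') and State;
        # defaults to the live host's services.
        [object[]]$Inventory = (Get-CimInstance -ClassName Win32_Service |
                                Select-Object Name, DisplayName, StartMode, State)
    )
    $allowedSet = [System.Collections.Generic.HashSet[string]]::new(
        [string[]]$Allowed, [System.StringComparer]::OrdinalIgnoreCase)
    foreach ($svc in $Inventory) {
        $listed  = $allowedSet.Contains($svc.DisplayName)
        $enabled = $svc.StartMode -ne 'Disabled'
        $problem = if (-not $listed -and $enabled) {
            'not in the evaluated configuration: disable or remove'
        } elseif ($listed -and $svc.StartMode -ne 'Auto') {
            'in the evaluated configuration but not set to start automatically'
        }
        if ($problem) {
            [pscustomobject]@{
                Service   = $svc.DisplayName
                StartMode = $svc.StartMode
                State     = $svc.State
                Problem   = $problem
            }
        }
    }
}

# Constructed inventory: one compliant service, one listed service left on Manual,
# one unlisted service that is enabled, and one unlisted service that is disabled
# (the last is acceptable and is not reported).
$sample = @(
    [pscustomobject]@{ Name='Alerter';  DisplayName='Alerter';  StartMode='Auto';     State='Running' }
    [pscustomobject]@{ Name='Spooler';  DisplayName='Spooler';  StartMode='Manual';   State='Stopped' }
    [pscustomobject]@{ Name='RasMan';   DisplayName='Remote Access Connection Manager'; StartMode='Auto'; State='Running' }
    [pscustomobject]@{ Name='Schedule'; DisplayName='Schedule'; StartMode='Disabled'; State='Stopped' }
)
Get-ServiceDeviation -Allowed $AllowedServices -Inventory $sample | Format-Table -AutoSize

# The same check against the live host.
Get-ServiceDeviation -Allowed $AllowedServices | Format-Table -AutoSize
```

    The constructed run reports Spooler (listed, but Manual) and Remote Access Connection Manager (enabled, but not listed); Microsoft DNS Server and WINS are treated as allowed whenever present, matching the 'only on servers with it installed' qualification above.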

  • Restart the computer.

  • (Optional) Install applications (such as Microsoft Office 97) as required.

    For Microsoft Office 97 please refer to the Microsoft Knowledge Base articles Security Requirements When Using NTFS Partitions (ID: 169387), Windows NT 4.0: Saving the AutoRecovery File is Postponed (ID: 174162) and Troubleshooting Office Programs Under Windows NT 4.0 (ID: 178565). Note that these documents also contain further references to other knowledge base articles, and can be accessed at http://support.microsoft.com/support.

    Warning: The installation of any program or application which is in addition to Microsoft Windows NT 4.0 is not covered by the ITSEC evaluation configuration as stated in the security target for Microsoft Windows NT 4.0. The installation of any applications is entirely optional and at your own risk.

    It is the responsibility of the organisational security policy to ensure the trustworthiness and the origin of any applications and programs which are installed in addition to Microsoft Windows NT 4.0 with Service Pack 3, and that user accounts or groups have the appropriate access to these applications and programs.

    However, this optional step is included in this set of instructions in order to provide administrators with an indication of the order in which the installation of applications should occur.

  • If additional applications and programs have been installed then restart the computer.

  • Update the Emergency Repair Disk.

    Remember to use the Emergency Repair Disk, rather than the Restore utility, if system files are lost. Backup and Restore do not copy System Access Control Lists (SACLs). The Emergency Repair Disk does restore this information.

Procedure Checklist

Feel free to photocopy the following ITSEC Configuration Checklist and use it to keep track of the steps as you complete them. It is an abbreviation of the steps detailed earlier in this document.

ITSEC Configuration Checklist

Ref.    Done  Action
NTIT01  [ ]   Unpack and set up hardware
NTIT01  [ ]   Protect from insecure booting
NTIT01  [ ]   Install Windows NT
NTIT01  [ ]   Start Windows NT and log on as Administrator
NTIT01  [ ]   Install the Microsoft Windows NT 4.0 Workstation and Server Service Pack 3
NTIT01  [ ]   Install Euro currency, Year 2000 and Ginafix hot fixes. Record the date & time of each install.
NTIT01  [ ]   Update to required setting for Evaluated Configuration
NTIT01  [ ]   Delete CLIPBRD.EXE, the Clipbook viewer
NTIT01  [ ]   Set minimum password length and other password characteristics
NTIT01  [ ]   Use unique account names, passwords, machine names, group names, and domain names
NTIT01  [ ]   Disable Guest account
NTIT01  [ ]   Remove the NetBIOS Interface
NTIT01  [ ]   Restrict use of user rights
NTIT01  [ ]   Protect operating system files and directories
NTIT01  [ ]   Employ auditing
NTIT01  [ ]   Protect Registry keys
NTIT01  [ ]   Check enabled devices are within evaluated configuration
NTIT01  [ ]   Check enabled services are within evaluated configuration
NTIT01  [ ]   Restart the computer
NTIT01  [ ]   (Optional) Install applications (such as Microsoft Office 97) as required.
NTIT01  [ ]   Restart the computer if optional applications are installed.
NTIT01  [ ]   Update the Emergency Repair Disk

Setting up the Network with Windows NT

ITSEC considerations

Windows NT can be set up in a wide variety of configurations. Workstations may be set up either within workgroups or as part of domains; servers may be set up as Primary Domain Controllers, Backup Domain Controllers, or Servers (sometimes known as 'Member' servers).

Specifically for ITSEC, workstations must be configured to take part in a domain, unless the workstation is entirely standalone. They may not be configured as part of a workgroup. When installing a Windows NT Workstation for networked use, during the network setup you must check Domain, not Workgroup, and supply an account name and password on the domain you wish to join which has the 'Add workstations to domain' user right. If you do not know of such an account, stop your installation and request information from your network administrator. When setting up for standalone use, you may select 'Workgroup' rather than 'Domain', but you may not then connect it to a network.

Installing the network

As part of the installation process for either Windows NT workstation or for Windows NT Server, you may configure the network. It is not required that you connect to the network, but if you do, read this information on how to configure your systems in an ITSEC secure manner. Please consult the 'Windows NT Workstation Installation Guide' or 'Windows NT Server Installation Guide' for detailed instructions on how to install the products.

General considerations for both products

  • Ensure your network adapter is in the evaluated configuration, is correctly installed, and connected to the physical network to which you wish it to be connected.

  • During the setup process, Windows NT should correctly detect the network adapter. If it does not, or cannot find a network adapter at all, please contact your support provider for assistance.

  • The IIS software should not be installed.

  • You will be asked which protocols you wish to run. The ITSEC configuration is to specify TCP/IP and NetBEUI, but NOT NWLink IPX/SPX Compatible Transport. Consult your network administrator to see which protocols you should enable. Do not add support for Appletalk or Remote Access Services (RAS) as these are not covered under ITSEC.

  • In the TCP/IP Properties dialog box only the IP Address tab was used. The DNS, WINS address, DHCP Relay, and Routing tabs were not used.

  • You will be asked to provide other information which varies depending on the protocol(s) you have chosen; this information will be network specific, and again you must consult your network administrator for the values you must enter.

  • Ensure that all your workstations, servers, users, and groups have unique names within a domain. Consult with your network administrator to ensure that this is so.

  • Any error messages at any time during the installation and setup process must be reported to your network administrator. Note down the text of any messages you see, as this will help the administrator in diagnosing your problem.

  • When creating network shares, the ACL for the share should be changed to remove access from Everyone and replace it with Authenticated Users (the group added by Service Pack 3), using the same access conditions.

Windows NT Workstation specific considerations

  • Windows NT Workstation can join either a Workgroup or a Domain, and you will be asked during the installation procedure which you wish to join. Workgroups are not covered by ITSEC, and you should answer Domain in most cases. The sole exception is where you are installing a standalone workstation; in this instance while you may answer Domain, the workstation will not be able to find the domain you have asked to join, and you will not then be able to proceed with the installation. Therefore answer Workgroup; do not attempt subsequently to connect this machine to a network, for if you do you will not be ITSEC compliant.

Windows NT Server specific considerations

  • Windows NT Server can be installed in three different ways; Primary Domain Controller (PDC), Backup Domain Controller (BDC), and Server (also known as Member Server).

  • When creating shares, ensure that you put appropriate permissions on BOTH the share itself AND the files contained in the share.
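The following PowerShell script is an added illustration and is not part of the original ITSEC document. On Windows NT 4.0 the share ACL is edited in the share's Properties dialog; the script performs the same replacement, every Allow entry for Everyone on a share swapped for an identical entry for Authenticated Users, with the SmbShare cmdlets, which exist on Windows 8 / Windows Server 2012 and later and need an elevated prompt. It then lists the NTFS entries for Everyone on the shared folder, since the share ACL alone does not protect the files. The share name, the folder and the function name are constructed for the demonstration.

```powershell
# Added illustration; not from the original ITSEC document. Replaces Everyone with
# Authenticated Users on a share, keeping the same access right, then shows the
# NTFS ACL of the folder so both gates can be checked. Run elevated.
using namespace System.Security.Principal

function Convert-ShareEveryoneToAuthenticated {
    param([Parameter(Mandatory)][string]$ShareName)
    $everyone  = [SecurityIdentifier]'S-1-1-0'
    $authUsers = 'NT AUTHORITY\Authenticated Users'
    # Compare by SID so the check is independent of the display language.
    $entries = Get-SmbShareAccess -Name $ShareName | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        ([NTAccount]$_.AccountName).Translate([SecurityIdentifier]) -eq $everyone
    }
    foreach ($e in $entries) {
        # Grant first, then revoke, so the share is never left without an Allow entry.
        Grant-SmbShareAccess  -Name $ShareName -AccountName $authUsers -AccessRight $e.AccessRight -Force | Out-Null
        Revoke-SmbShareAccess -Name $ShareName -AccountName $e.AccountName -Force | Out-Null
    }
    Get-SmbShareAccess -Name $ShareName   # the resulting share ACL
}

# Demonstration: a constructed folder shared with the insecure starting point, Everyone Change.
$dir = Join-Path $env:TEMP 'itsec-share-demo'
New-Item -ItemType Directory -Path $dir -Force | Out-Null
New-SmbShare -Name 'ITSEC-Demo$' -Path $dir -ChangeAccess 'Everyone' | Out-Null

Convert-ShareEveryoneToAuthenticated -ShareName 'ITSEC-Demo$' |
    Format-Table AccountName, AccessControlType, AccessRight -AutoSize

# The share ACL is only the outer gate; the NTFS ACL on the folder must be right as well.
'NTFS entries for Everyone on the shared folder:'
(Get-Acl -LiteralPath $dir).Access |
    Where-Object { $_.IdentityReference.Translate([SecurityIdentifier]) -eq [SecurityIdentifier]'S-1-1-0' } |
    Format-Table IdentityReference, FileSystemRights, AccessControlType, IsInherited -AutoSize

Remove-SmbShare -Name 'ITSEC-Demo$' -Force
Remove-Item -LiteralPath $dir -Recurse -Force
```

Deny entries for Everyone are deliberately left alone by the function, since a deny that applied to Everyone would also apply to Authenticated Users and needs a decision by the administrator rather than a mechanical swap.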

Windows NT Server Trusts

  • Where your system includes more than one domain, it may be desirable to set up a trust relationship between them. This will allow global accounts and groups from one domain to be allocated permissions in the other, as well as allowing logon from any workstation, regardless of whence the logon occurs or where the account is stored. It is beyond the scope of this document to describe in detail the types of domain trust model you can employ - please see the Windows NT Concepts and Planning Guide for further information. Follow the Windows NT Server Installation Guide for procedures on how to set up trust relationships between domains. Note that when you set up a trust you will need to exchange a password between yourself and the manager of the domain that you wish to set up a trust with. You must do this in a secure manner, to ensure that the password is not inadvertently disclosed to a third party. After the initial trust is set up, the computers change the password themselves.

References

In preparing this configuration document the authors have taken into account recommendations from the following industry-recognised publications:

  • Windows NT Security Step by Step, A Survival Guide for Windows NT Security: A consensus document by security professionals from Seventy-seven large user organisations. Version 1.4. The SANS Institute. March 1998.

  • Installation & Configuration of ITSEC E3-C2 NT v4 Clampdown. Corporate Headquarters Office Technology System (CHOTS). Issue 3. March 1997.

  • The Hardening of Microsoft Windows NT Operating System Version 4.0. Micheal Espinola Jr. March 1998.

  • Secure Windows NT Installation and Configuration Guide. Windows NT for Navy IT-21. Nov 1997.

  • Windows NT Security Guidelines, A study for NSA Research by Trusted Systems Services. March 1998.

  • Windows NT 4.0 Configuration for C2 Evaluation for the current US C2 Evaluation of Windows NT

  • Windows NT 4.0 Evaluation configuration for the current Russian Evaluation of Windows NT

  • ITSEC FC2-E3 Installation of Windows NT Workstation 3.51 and Windows NT Server 3.51 Version 2.0. Jun 1996

  • Documentation from Microsoft Internal Windows NT Security Team SecureNT Initiative. On going.

Trademarks

OS/2 is a trademark of International Business Machines Corporation

Compaq is a trademark of Compaq Computer Corporation

Posix is a trademark of the Open Software Foundation

Document History

1.0 30th November 1998

First version, based on 'ITSEC FC2-E3 Installation of Windows NT™ Workstation 3.51 and Windows NT Server™ 3.51' Version 2.0, 28th June 1996.

2.0 January 1999

Second version, updated in response to comments from the NT 4.0 evaluators.

2.1 February 1999

Minor updates in response to evaluator comments on second version.

2.2 April 1999

Fix typo in configuration check list: replacing "TBD" hotfix with "Ginafix" hotfix.

2.3 Jun 1999

Updated the method for obtaining the y2k fix.

2.4 Jun 1999

Fix some typos.
