Installation of Windows-NT Workstation at PC40 [Security Enhancements].
Summary
This note describes how to increase the security of the prototype Windows-NT
4.0 Workstation installation on PC40.
CONTENTS
0. Preface
1. Registry
1.1 Legal Notice
1.2 ACLs
1.3 Access to drives and printers
2. File System ACLs
2.1 System Files and Directories
2.2 General Directories
2.3 Common Application Directories
2.4 User Home Directories
3. Rights Policy
3.1 Access this computer from the network
3.2 Bypass traverse checking
3.3 Debug Programs
3.4 Log on Locally
3.5 Shut Down the system
4. Auditing
4.1 Audit Policy
4.2 Log Files
5. BIOS and Physical Security
5.1 Limit Access to BIOS
5.2 Physical Security
0. Preface
The security measures described below are taken from the book "Windows NT
Security Guide" by Stephen A. Sutton, Addison-Wesley Developer Press, 1997,
ISBN 0-201-41969-6.
1. Registry
1.1 Legal Notice
Add a legal notice that is shown at logon. In the Registry Editor
(regedt32.exe) open the key
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
and set the two (REG_SZ) values via Edit | String...:
- LegalNoticeCaption: Leiden University Legal Notice
- LegalNoticeText: Only people authorized by Biophysics staff may use this
  computer.
1.2 ACLs
On each of the following keys, give Everyone "Read" permission (regedt32.exe,
Security | Permissions...):
- HKEY_LOCAL_MACHINE\
  - Software\Microsoft\Rpc ...and subkeys [ already so ]
  - Software\Microsoft\Windows NT\CurrentVersion ...and:
    - AeDebug
    - Compatibility
    - Drivers
    - Embedding
    - Fonts
    - FontSubstitutes
    - GRE_Initialize
    - MCI
    - MCI Extensions
    - Ports
    - ProfileList ...and its subkeys
    - WOW ...and its subkeys
- HKEY_CLASSES_ROOT ...and its subkeys [ already so ]
1.3 Access to drives and printers
Limit access to removable drives and the redirection of printers.
- Limit access to the floppy drive to the interactively logged-on user: add
  a value named AllocateFloppies, data type REG_SZ, value 1, to
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon.
  (AllocateFloppies covers the floppy drive only; the CD-ROM drive has its
  own value, AllocateCDRoms, with the same type and value.)
- The following seems to interfere with Solstice Network Client [NOT
  PERFORMED]: limit redirection of printers and other devices to alternate
  ports to administrators by changing the value named ProtectionMode, data
  type REG_DWORD, from 0 to 0x1 in
  HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager.
2. File System ACLs
Except where noted, apply the following changes not only to the directory
itself but also to all its subdirectories and existing files, by checking
both "Replace Permissions on Subdirectories" and "Replace Permissions on
Existing Files" in the Directory Permissions window. Make the changes in
the order shown.
2.1 System Files and Directories
- C:\  (the C:\ directory and its files only, not subdirectories)
  - Administrators : Full Control
  - CREATOR OWNER  : Read
  - Users          : Read
  - SYSTEM         : Full Control
- C:\WINNT  (the WINNT directory and its files only)
  - Administrators : Full Control
  - CREATOR OWNER  : Full Control
  - Everyone       : Read
  - SYSTEM         : Full Control
- C:\WINNT\SYSTEM and C:\WINNT\SYSTEM32  (files and subdirectories)
  - Administrators : Full Control
  - CREATOR OWNER  : Full Control
  - Everyone       : Read
  - SYSTEM         : Full Control
- C:\WINNT\REPAIR  (files and subdirectories; the Emergency Repair
  information kept here includes copies of the SAM and SECURITY hives)
  - Administrators : Full Control
  - SYSTEM         : Full Control
- C:\WINNT\SYSTEM32\CONFIG  (files and subdirectories)
  - Administrators : Full Control
  - CREATOR OWNER  : Full Control
  - Everyone       : List
  - SYSTEM         : Full Control
- C:\WINNT\SYSTEM32\SPOOL  (files and subdirectories)
  - Administrators : Full Control
  - CREATOR OWNER  : Full Control
  - Users          : Read (List is too strict for WordPerfect 8)
  - Power Users    : Change
  - SYSTEM         : Full Control
- C:\WINNT\SYSTEM\DHCP  (already the same as SYSTEM32)
- C:\WINNT\SYSTEM\RAS, C:\WINNT\SYSTEM\OS2, C:\WINNT\SYSTEM\WINS
  - Administrators : Full Control
  - CREATOR OWNER  : Full Control
  - Everyone       : Read (may need to be relaxed to Change)
  - SYSTEM         : Full Control
- C:\BOOT.INI, C:\NTLDR, C:\NTDETECT.COM
  - Administrators : Full Control
  - SYSTEM         : Full Control
- C:\AUTOEXEC.BAT, C:\CONFIG.SYS
  - Administrators : Full Control
  - Everyone       : Read
  - SYSTEM         : Full Control
- Installer and uninstaller executables: remove Everyone, keep
  Administrators : Full Control
  - C:\Winnt\*uninst*.exe
  - C:\Winnt\Corel\uninst
  - C:\Corel\...\REMOVELAUNCHER.EXE
  - C:\Program Files\Diamond\Display\inst16.exe, install.exe
  - C:\Program Files\Network Associates\VirusScan NT\wcmdr.exe
  - C:\Winnt\System32\Dainst.exe
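The same section 2.1 settings, applied from a batch file with CACLS.EXE (the
ACL tool that ships with Windows NT 4.0), so they can be re-applied
identically after a reinstall or service pack. This is an added example, not
part of the original PC40 note. It assumes %SystemRoot% is C:\WINNT on an
NTFS drive and follows the order of the list above. CACLS knows only the
permissions R (Read), C (Change) and F (Full Control), so "List" (Everyone
on SYSTEM32\CONFIG) must still be set in Explorer afterwards; the elided
Corel REMOVELAUNCHER.EXE path is not filled in here.

```batch
@echo off
rem Added example, not part of the original PC40 note: the section 2.1
rem ACLs applied with CACLS.EXE (Windows NT 4.0).
rem Assumptions: %SystemRoot% is C:\WINNT and drive C: is NTFS.
rem CACLS without /E REPLACES the whole ACL (intended here) and asks
rem "Are you sure (Y/N)?" first, which "echo y|" answers.
rem Run from an Administrators account, in this order: the recursive
rem SYSTEM32 step must precede CONFIG and SPOOL, which refine it.

rem C:\ itself and the files directly in it. A plain FOR wildcard matches
rem ordinary files only (no subdirectories, no hidden boot files); the
rem boot files are set by name further down.
echo y| cacls C:\ /G Administrators:F "CREATOR OWNER":R Users:R SYSTEM:F
for %%f in (C:\*.*) do echo y| cacls "%%f" /G Administrators:F "CREATOR OWNER":R Users:R SYSTEM:F

rem C:\WINNT: the directory and its files only.
echo y| cacls C:\WINNT /G Administrators:F "CREATOR OWNER":F Everyone:R SYSTEM:F
for %%f in (C:\WINNT\*.*) do echo y| cacls "%%f" /G Administrators:F "CREATOR OWNER":F Everyone:R SYSTEM:F

rem SYSTEM and SYSTEM32 with all files and subdirectories (/T);
rem /C continues past files on which the change is denied.
for %%d in (C:\WINNT\SYSTEM C:\WINNT\SYSTEM32) do echo y| cacls %%d /T /C /G Administrators:F "CREATOR OWNER":F Everyone:R SYSTEM:F

rem REPAIR holds the Emergency Repair copies of the SAM and SECURITY
rem hives (SAM._, SECURITY._): nobody but Administrators and SYSTEM.
echo y| cacls C:\WINNT\REPAIR /T /C /G Administrators:F SYSTEM:F

rem SYSTEM32\CONFIG: the live registry hives. Afterwards add
rem Everyone: List in Explorer (Directory Permissions); CACLS cannot.
echo y| cacls C:\WINNT\SYSTEM32\CONFIG /T /C /G Administrators:F "CREATOR OWNER":F SYSTEM:F

rem SYSTEM32\SPOOL: Users need Read (List breaks WordPerfect 8).
echo y| cacls C:\WINNT\SYSTEM32\SPOOL /T /C /G Administrators:F "CREATOR OWNER":F Users:R "Power Users":C SYSTEM:F

rem RAS, OS2 and WINS; relax Everyone to :C if an application needs it.
for %%d in (RAS OS2 WINS) do echo y| cacls C:\WINNT\SYSTEM\%%d /T /C /G Administrators:F "CREATOR OWNER":F Everyone:R SYSTEM:F

rem Boot files are hidden, system and read-only; CACLS changes the ACL
rem regardless of those attributes.
for %%f in (BOOT.INI NTLDR NTDETECT.COM) do echo y| cacls C:\%%f /G Administrators:F SYSTEM:F
for %%f in (AUTOEXEC.BAT CONFIG.SYS) do echo y| cacls C:\%%f /G Administrators:F Everyone:R SYSTEM:F

rem Installer/uninstaller executables: /E edits the existing ACL instead
rem of replacing it, /R revokes Everyone, /G keeps Administrators at Full.
for %%f in (C:\WINNT\*uninst*.exe C:\WINNT\SYSTEM32\Dainst.exe "C:\Program Files\Network Associates\VirusScan NT\wcmdr.exe") do cacls %%f /E /R Everyone /G Administrators:F
for %%f in (inst16.exe install.exe) do cacls "C:\Program Files\Diamond\Display\%%f" /E /R Everyone /G Administrators:F
cacls C:\WINNT\Corel\uninst /T /E /R Everyone /G Administrators:F

rem Show the result for the most sensitive directory.
cacls C:\WINNT\REPAIR
```

Save it as, for instance, pc40acl.cmd and run it from a command prompt of an
Administrators account. `cacls <path>` with no switches prints the resulting
ACL, which is the quickest way to verify each entry against the list above.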
2.2 General Directories
- C:\TEMP  (Users may create and list entries; files they create get their
  ACL from the directory, so only the CREATOR OWNER, Administrators and
  SYSTEM can read or change them)
  - Administrators : Full Control
  - CREATOR OWNER  : Full Control
  - Users          : Special (RWX)(Not Specified)
  - SYSTEM         : Full Control
2.3 Common Application Directories
Use the following ACLs for the application directories:
- application directory
  - Administrators   : Full Control
  - Backup Operators : Special Access (All)(None)
  - Users            : Read
  - SYSTEM           : Full Control
Use the following ACLs for application directories and files that are
created or modified on behalf of users:
- Directories in which applications create and modify files and/or
  directories regardless of the user. If possible, isolate such modified
  files and directories; you can often accomplish this by giving these
  directories the ACL:
  - CREATOR OWNER : Change
  - SYSTEM        : Full Control
- Files modified by the application regardless of the user. You can often
  accomplish this by giving these files the ACL:
  - Users  : Change
  - SYSTEM : Full Control
Now apply the application directory ACLs to the following directories:
- Acrobat3
- Bc3
- Bp7
- Corel
- gstools
- localtexmf
- Maplev4
- MATLABR11
- Origin50
- Program Files
  - Common Files
  - Diamond
  - GnuPlot
  - ISIS Draw 2.2
  - Microsoft Office
  - National Instruments
  - Netscape
  - Network Associates
  - Pfe
  - Plus!
  - Solstice
  - Windows NT
  - WinEdt
  - WinRM8
  - Winsock FTP
  - WinZip
- Psp
- Real
- texmf
- Winspirs
Set permissions on C:\Program Files\Netscape\Netscape Navigator\Users:
- Administrators   : Full Control (All)(All)
- Backup Operators : Special Access (All)(None)
- CREATOR OWNER    : Full Control (All)(All)
- Users            : Special Directory Access: Write, Execute (WX);
                     Special File Access: Write (W)
- SYSTEM           : Full Control (All)(All)
Set permissions on C:\Program Files\Netscape\Netscape Navigator\Program\Plugins:
- Administrators   : Full Control (All)(All)
- Backup Operators : Special Access (All)(None)
- Users            : Add & Read (RWX)(RX)
- SYSTEM           : Full Control (All)(All)
Set permissions on C:\Program Files\Plus!\Microsoft Internet\cache and
history (you may need to run Internet Explorer first to create these
directories):
- Administrators   : Full Control (All)(All)
- Backup Operators : Special Access (All)(None)
- Users            : Change (RWXD)(RWXD)
- SYSTEM           : Full Control (All)(All)
Relax the following entries for Users (files and directories these
applications write to):
- Bc3\Bin\Tcdef.dsk, Tcdefw.dsk
- Bp7\Bin\Bpw.cfg, BPW.dsk
- Program Files\WinEdt\WinEdt.ini
- localtexmf\fonts
- C:\Winnt\isisaihp.ini, isisaim.ini
- C:\Winnt\nsreg.dat
- C:\Winnt\psp.ini, pspbrowse.ini
Change the "Working" field on the Program tab of the Borland C++ IDE
shortcuts to empty. See:
- All Users | Handy | Tools | Borland C++ IDE and
- All Users | Programs | Borland C++ 3.0 | Borland C++ IDE
2.4 User Home Directories
Optional local user home directories are on drive D:. (The Authenticated
Users group used below exists from Service Pack 3 on; unlike Everyone it
excludes anonymous and null-session connections.)
- D:\
  - Administrators      : Full Control
  - CREATOR OWNER       : Read
  - Authenticated Users : Read
  - SYSTEM              : Full Control
- D:\people
  - Administrators      : Special (All)(Not Specified)
  - CREATOR OWNER       : Full Control
  - Authenticated Users : Add & Read
  - SYSTEM              : Full Control
3. Rights Policy
Use User Manager to manage the Rights Policy (Policies | User Rights...).
When adding users, select the PC, not the domain (Biophysics), in the
account list. Check "Show Advanced User Rights".
3.1 Access this computer from the network
Replace Everyone with Users.
3.2 Bypass traverse checking
Grant only to Administrators (and to SYSTEM, which was not found in the
list). Accounts without this right need at least List (X) permission on
every directory along a path they open, so check the section 2 ACLs before
removing it from Users.
3.3 Debug Programs
Remove Administrators.
3.4 Log on Locally
Remove Everyone and Guests.
3.5 Shut down the system
Remove Everyone.
4. Auditing
Select the events to audit and limit the size of the System, Security
and Application logs.
4.1 Audit Policy
In User Manager select Policies | Audit..., choose "Audit These Events"
and set the following:

Event                             Success  Failure
--------------------------------  -------  -------
Logon and Logoff                     V        V
File and Object Access
Use of User Rights
User and Group Management            V        V
Security Policy Changes              V        V
Restart, Shutdown and System         V        V
Process Tracking
4.2 Log Files
From Event Viewer select Log | Log Settings... and set the following
for System, Security and Application logs.
Maximum Log Size: 512 Kilobytes (default)
(•) Overwrite Events as Needed
( ) Overwrite Events Older than 7 days
( ) Do Not Overwrite Events (Clear Log Manually)
5. BIOS and Physical Security
5.1 Limit Access to BIOS
Make sure the PC can only boot from C: and that this setting can only be
changed by an authorized person:
- BIOS Features Setup: Boot Sequence: C only
- Supervisor Password: xxxxxx
5.2 Physical Security
Attach a security cable to the PC's case and lock the PC to a fixed object,
e.g. a table. Without this, the BIOS password and boot order can be reset
by opening the case and clearing the CMOS, which defeats 5.1.