DOWNLOAD THE CODE:
Download the Code 22797.zip

The network-configuration changes that you make through the registry are a bit trickier than the changes you make through the GUI. When you work with the registry, you need to be extremely careful. Incorrectly editing the registry can permanently corrupt your system. Here are the steps to change the necessary registry settings:

  1. Configure the Server service. Because you disabled this network service, you can't use the GUI to set the Minimize Memory Used, Balance, Maximize Throughput for File Sharing, or Maximize Throughput for Network Applications option. Instead, you need to change the configuration in the registry.

    If the bastion host will run an application, you need to set the Maximize Throughput for Network Applications option for the Server service. To do so, open regedit and go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\Size subkey. As the Microsoft article "How to Optimize Windows NT Server Using the Registry" (http://support.microsoft.com/support/directory/article.asp?id=kb;en-us;q232271) explains, the possible values for this entry are 1 (Minimize Memory Used), 2 (Balance), and 3 (Maximize Throughput for File Sharing and Maximize Throughput for Network Applications). Set the Size entry to the value of 3.

    Because the Size entry specifies both the Maximize Throughput for File Sharing and Maximize Throughput for Network Applications options, you also need to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache entry. The possible values for this entry are 0 (Maximize Throughput for Network Applications) and 1 (Maximize Throughput for File Sharing). Set the LargeSystemCache entry to the value of 0.

  2. Configure the TCP/IP stack to protect against SYN attacks. SYN attacks target the TCP protocol, so you need to protect your bastion host's TCP/IP stack. In regedit, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey. Create an entry with the name SynAttackProtect, set the value type to REG_DWORD, and set the entry to the value of 2. The Microsoft article "Internet Server Unavailable Because of Malicious SYN Attacks" (http://support.microsoft.com/support/directory/article.asp?id=kb;en-us;q142641) provides a complete explanation of the SYN attack and how adding this registry entry protects against it. For background information about TCP/IP configuration parameters in the registry, see the Microsoft article "TCP/IP & NBT Configuration Parameters for Windows NT and Windows 2000" (http://support.microsoft.com/directory/article.asp?id=kb;en-us;q120642).
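Because a mistyped registry path silently leaves the host unhardened, it helps to verify the three values above after applying them. The following Python script is an added example, not part of the article or its code download: it parses a `regedit /e` export (REGEDIT4 format) of the host's registry and reports any of the Size, LargeSystemCache, or SynAttackProtect values that are missing or differ from the settings described in steps 1 and 2. The embedded export is constructed sample data.

```python
"""Audit a REGEDIT4 export (regedit /e) for the bastion-host registry settings."""
import re

# Hardened values described in steps 1 and 2: (subkey, value name) -> expected DWORD.
EXPECTED = {
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters", "Size"): 3,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management", "LargeSystemCache"): 0,
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters", "SynAttackProtect"): 2,
}

_SECTION = re.compile(r"^\[(.+)\]$")                        # [HKEY_LOCAL_MACHINE\...]
_DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')   # "Name"=dword:00000002


def parse_reg_export(text):
    """Return {(subkey, value name): int} for every REG_DWORD in a REGEDIT4 export.

    Keys and value names are lower-cased because the registry itself is case-insensitive.
    """
    values, subkey = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        m = _SECTION.match(line)
        if m:
            subkey = m.group(1)
            continue
        m = _DWORD.match(line)
        if m and subkey is not None:
            values[(subkey.lower(), m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(values):
    """Compare parsed values with EXPECTED; an empty list means the host is compliant."""
    findings = []
    for (subkey, name), want in EXPECTED.items():
        got = values.get((subkey.lower(), name.lower()))
        if got is None:
            findings.append(f"{name} missing under {subkey}")
        elif got != want:
            findings.append(f"{name}={got} under {subkey}, expected {want}")
    return findings


# Constructed sample export: Size still at its default, SynAttackProtect never created.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"Size"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"LargeSystemCache"=dword:00000000
"""

if __name__ == "__main__":
    for finding in audit(parse_reg_export(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```

Export the live hive with `regedit /e hklm-system.reg HKEY_LOCAL_MACHINE\SYSTEM` on the bastion host and feed that file to `parse_reg_export` instead of the sample.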

Run Setup.cmd
Now that you've installed NT and the application, removed the unnecessary network services, disabled unnecessary local services, and changed the network configuration, you're ready to use setup.cmd. Setup.cmd, which I wrote for use on NT 4.0 servers, performs the following tasks:

  • Deletes the NT Virtual DOS Machine (VDM).

  • Deletes the POSIX subsystem.

  • Deletes the OS/2 subsystem.

  • Deletes the command.com, debug.exe, edlin.exe, rcp.exe, rexec.exe, rsh.exe, and sysedit.exe files, which are typically security risks.

  • Uses the Microsoft Management Console (MMC) Security Configuration Manager snap-in to apply the bastionhost.inf file to your system. This snap-in reads bastionhost.inf as a configuration file and configures the system accordingly.

Before you run setup.cmd, you need to make several preparations. First, you need to download and install the Security Configuration Manager snap-in. You can download this snap-in from http://www.microsoft.com/ntserver/nts/downloads/recommended/scm/default.asp. If you're unfamiliar with installing and using this tool, see the Microsoft article "Downloading and Using the Security Configuration Manager Tool" (http://support.microsoft.com/support/kb/articles/q245/2/16.asp).

Next, you need to download bastionhost.inf and setup.cmd from the Code Library on the Security Administrator Web site (http://www.secadministrator.com). Make sure that bastionhost.inf and setup.cmd are in the same location as the Security Configuration Manager snap-in's executable (secedit.exe) and DLLs (esent.dll and scedll.dll). All these files will easily fit on a disk if you prefer to execute them from a removable medium.

After you have all the files in place, you need to review and customize the bastionhost.inf and setup.cmd files. Bastionhost.inf contains configuration settings, such as settings for system access parameters, the RestrictAnonymous parameter, Security logs, and privilege rights. Review the settings to make sure they fit your needs, and make any necessary changes. At a minimum, you need to rename the Administrator account and guest account in the system access section, which Listing 1, page 15, shows. Callout A in Listing 1 highlights the lines you need to change.

In addition to reviewing bastionhost.inf, you need to review setup.cmd to make sure that the script isn't deleting any file or component that your application might need. For example, if you're running a 16-bit application, you need to keep the VDM on your bastion host. To keep the script from deleting specific files or components, you can simply add the Rem command at the beginning of each applicable line. For example, Listing 2, page 15, shows how you can stop the script from deleting the VDM. You must reapply setup.cmd every time you add a hotfix or install a service pack.

Test the Application
Now that you've built the bastion host, you need to test your application. If the application fails, you have two options: peel back the security layers by troubleshooting each stage in reverse order, or start over and test your application after each stage. After you have the application working, you need to test your application and update your configuration regularly.

A Smart Countermeasure
Building a bastion host is a crucial step in preparing a server for functioning on the Internet. Because NT is a favorite target of intruders, having an NT server with a highly secure OS is a smart countermeasure.
