Step 5: Activate Screen Savers
If you enforce a policy of using the NT screen-saver feature, enable the Password-Protected option, and set the activation time to a low value (i.e., 1 minute to 10 minutes). When a user walks away from a computer without logging off, the screen saver will automatically activate, thus protecting the system from unwanted access. The effort users expend continually deactivating screen savers is worth the level of safety that you obtain from using them. However, heavily animated screen savers on a server unnecessarily use CPU cycles, so a blank screen saver will serve you better.

Step 6: Protect the Registry
NT stores all initialization and configuration information in the Registry. Some processes modify their own keys, and you can modify other keys by using a Registry editor. Because you can configure the NT Registry from a remote location, you need to restrict access to it. To restrict access, create the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg Registry key. The security permissions set on this key define which users or groups can access the Registry remotely. By default, NT Workstation doesn't define this key or restrict remote access to the Registry. The NT Server default setting permits only administrators to access the Registry remotely. However, you might consider not letting anyone access the Registry remotely, including administrators.

Step 7: Secure the Event Logs
By default, NT lets guests and anonymous users view the System Log and Application Log. By default, NT also protects the Security Log from guest access. However, users who have the Manage Audit Logs user right can view the Security Log. The event log service uses the RestrictGuestAccess entry (type REG_DWORD) in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Log Name Registry key to restrict guest access to these logs. To restrict anonymous and guest access, set the value for each log to 1. The change takes effect the next time the system reboots. You can also change the access permissions on the Registry key so that only users who can access the Administrator and system accounts can access this key. Otherwise, an intruder can reset the Registry key value and permit unwanted access to the logs.

Step 8: Hide the Name of the Last User
By default, NT leaves the name of the last user to log on in the Username field of the logon dialog box, which makes it more convenient for a frequent user to log on. However, this username also provides 50 percent of the puzzle needed to break into a system locally. You can use a Registry editor to create the DontDisplayLastUserName entry (type REG_SZ and data value of 1) in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Registry key so that the username doesn't appear in the logon dialog box.

Step 9: Restrict Anonymous Network Access to the Registry
SP3 for NT 4.0 includes a security enhancement that restricts anonymous (null session) logons that connect to specific named pipes. SP3 provides the NullSessionPipes entry (type REG_MULTI_SZ) in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Registry key, which defines the list of named pipes that are exempt from this restriction. Microsoft's Support Online article "Can No Longer Access the Registry With Null Sessions" (http://support.microsoft.com/support/kb/articles/q143/1/38.asp) provides complete details about modifying this key.

Step 10: Restrict Anonymous Lookup
NT has a feature that lets anonymous users list domain usernames and count share names. Users who want enhanced security have asked Microsoft for help in restricting this feature. SP3 for NT 4.0 (and a hotfix for Windows NT 3.51) lets you restrict this feature. To implement your restrictions, you can use the RestrictAnonymous entry (type REG_DWORD and data value of 1) in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Registry key.

Step 11: Remove Default Administrator Shares
Windows and DOS don't display shares ending in a dollar sign ($). You can use this method to hide any shares that you don't want users to see or make administrative shares invisible to network browsers. You can connect to hidden shares only if you know the exact share name.

Default administrative shares can't be removed by unsharing them. Likewise, deleting a share will remove it only temporarily (the share will reappear the next time you reboot the system). To permanently remove administrative shares, you can edit the appropriate Registry key. For NT Server, the Registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareServer. For NT Workstation, the Registry key is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters\AutoShareWks. Change the value to 0 and reboot the system.
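
An offline check of the values from Steps 7, 8, 10 and 11, added here as an example and not part of the original article: it parses a REGEDIT4 text export and reports every setting that is missing, wrong, or of the wrong type. The function names, the sample export and the choice of the NT Server value AutoShareServer are assumptions for illustration; the sample carries the misspelt Winlogon value name discussed in the reader comments.

```python
import re

HKLM = "HKEY_LOCAL_MACHINE"
SVC = HKLM + r"\SYSTEM\CurrentControlSet\Services"
# Expected (key, value name, data) from Steps 7, 8, 10 and 11 (server variant).
BASELINE = [(SVC + "\\EventLog\\" + log, "RestrictGuestAccess", 1)
            for log in ("Application", "System", "Security")] + [
    (HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "DontDisplayLastUserName", "1"),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 1),
    (SVC + r"\LanManServer\Parameters", "AutoShareServer", 0),
]
VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')

def parse_reg(text):
    """Parse a REGEDIT4 text export into {(key, value name): data}, names lower-cased."""
    values, key = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
        elif key and (m := VALUE_RE.match(line)):
            name, data = m.groups()
            if data.startswith("dword:"):
                data = int(data[6:], 16)                    # REG_DWORD
            elif data.startswith('"') and data.endswith('"'):
                data = re.sub(r"\\(.)", r"\1", data[1:-1])  # REG_SZ, unescaped
            values[(key, name.lower())] = data              # other types stay raw text
    return values

def audit(text):
    """Return (key, name, expected, found) for each baseline entry not met."""
    found = parse_reg(text)
    rows = [(k, n, want, found.get((k.lower(), n.lower()))) for k, n, want in BASELINE]
    return [r for r in rows if r[3] != r[2]]

# Constructed sample export (not from a real host), with three deliberate gaps.
SAMPLE = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"RestrictGuestAccess"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"RestrictGuestAccess"=dword:00000001
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"Don'tDisplayLastUserName"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"AutoShareServer"=dword:00000000
'''
print(*audit(SAMPLE), sep="\n")
```

A found value of None means the entry is absent from the export, which is how a misnamed value shows up.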


Reader Comments

I read Mark Joseph Edwards’ “16 Steps to Building a Secure Web Server” (September 1998). I’m trying to get Step 8: Hide the Name of the Last User to work. I’ve created a REG_SZ value (Don’tDisplayLastUserName, according to the article) in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon Registry key and set the value to 1, but the setting does not seem to work on my Backup Domain Controller (BDC) Web server. Does this value apply to only a Windows NT server configured as a standalone server?
--Norman Jee

The key is DontDisplayLastUserName—no apostrophe in Dont. My apologies for this oversight in the article. Thanks for pointing out the error.
--Mark Joseph Edwards
