Step 12: Perform System Audits
Auditing can detect suspicious activity before it escalates into a major
problem. Actions that are important to audit are failed logon attempts, failed
attempts to access sensitive data, and changes to security settings. You can
also audit successful logons and find out whether a user is accessing
unauthorized accounts after hours or while someone is on vacation. Depending on
your network usage and policies, you can monitor suspicious activity by auditing
the successful use of user rights, user and group management, security policy
changes, and system restart and shutdown events. You can activate system
auditing by using the following steps:
- Log on with an account belonging to the Administrator group.
- Click Start, and choose Programs, Administrative Tools, User Manager.
- Choose the Policies menu, and select Audit.
- Select Audit These Events.
- Enable the options you want to use. The Success check box enables
logging for successful operations, and the Failure check box enables logging for
unsuccessful operations (Table 4 lists the available options).
- Click OK to close the dialog box, then close User Manager when you're
finished.
- Enable file and directory auditing by adjusting their individual
properties using Explorer.
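Once the audit settings above are in place, the Security log is only useful if someone reviews it for the patterns the step describes: bursts of failed logons, and successful logons after hours or to an account whose owner is away. The following PowerShell script is an added example, not code from the article; it runs the review over a constructed batch of logon records (on a real NT system the records would be read from the Security log, where a successful logon is event ID 528 and a failed logon is event ID 529). The business-hours window, the on-leave list and the failure threshold are assumptions chosen for illustration.

```powershell
# Added example, not code from the article: review logon audit records for the
# patterns Step 12 says to watch for. The records below are constructed sample
# data, not output from a real system.

$BusinessHours    = 8..18        # local hours treated as normal (assumption)
$OnLeave          = @('jsmith')  # accounts whose owners are away (assumption)
$FailureThreshold = 3            # failures from one source before it is flagged

$Events = @(
    [pscustomobject]@{ Time = [datetime]'1998-03-02 09:14'; User = 'mjones'; Status = 'Success'; Source = 'WS12' }
    [pscustomobject]@{ Time = [datetime]'1998-03-03 02:05'; User = 'mjones'; Status = 'Success'; Source = 'WS12' }
    [pscustomobject]@{ Time = [datetime]'1998-03-03 10:31'; User = 'jsmith'; Status = 'Success'; Source = 'WS07' }
    [pscustomobject]@{ Time = [datetime]'1998-03-03 11:02'; User = 'admin';  Status = 'Failure'; Source = 'WS31' }
    [pscustomobject]@{ Time = [datetime]'1998-03-03 11:02'; User = 'admin';  Status = 'Failure'; Source = 'WS31' }
    [pscustomobject]@{ Time = [datetime]'1998-03-03 11:03'; User = 'admin';  Status = 'Failure'; Source = 'WS31' }
    [pscustomobject]@{ Time = [datetime]'1998-03-03 11:05'; User = 'admin';  Status = 'Success'; Source = 'WS31' }
)

function Find-SuspiciousLogons {
    param([object[]]$Records)
    $findings = [System.Collections.Generic.List[object]]::new()

    # Rule 1: a burst of failed logons against one account from one source.
    $bursts = $Records | Where-Object Status -eq 'Failure' |
              Group-Object User, Source | Where-Object Count -ge $FailureThreshold
    foreach ($b in $bursts) {
        $findings.Add([pscustomobject]@{ Rule = 'RepeatedFailure'; Detail = "$($b.Count) failures for $($b.Name)" })
    }
    $burstKeys = @($bursts | ForEach-Object Name)   # e.g. "admin, WS31"

    foreach ($r in ($Records | Where-Object Status -eq 'Success')) {
        $who = "$($r.User) at $($r.Time) from $($r.Source)"
        # Rule 2: successful logon outside business hours.
        if ($r.Time.Hour -notin $BusinessHours) {
            $findings.Add([pscustomobject]@{ Rule = 'AfterHours'; Detail = $who })
        }
        # Rule 3: successful logon to an account whose owner is away.
        if ($OnLeave -contains $r.User) {
            $findings.Add([pscustomobject]@{ Rule = 'OwnerAway'; Detail = $who })
        }
        # Rule 4: a success from the same source that just produced a failure
        # burst for the same account, which is what a guessed password looks like.
        if ($burstKeys -contains "$($r.User), $($r.Source)") {
            $findings.Add([pscustomobject]@{ Rule = 'SuccessAfterFailures'; Detail = $who })
        }
    }
    return $findings
}

Find-SuspiciousLogons -Records $Events | Format-Table -AutoSize
```

On the sample data the script reports one finding per rule: the three failures for admin from WS31, the 02:05 logon by mjones, the logon to jsmith while on leave, and the admin success that immediately follows the failure burst. The rules are deliberately simple so that each maps to one sentence of the step above; the point is that the audit settings produce nothing of value unless a review like this runs regularly.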
Step 13: Audit Base Objects
Auditing base objects adds a level of protection because it logs sensitive
object access to the event logs. However, you can't start generating audits just
by setting this value; the administrator must turn on auditing for the Object
Access category in User Manager. This setting tells the Local Security Authority
(LSA) that it must create base objects with a default system audit control list.
To audit base system objects, use the AuditBaseObjects entry (type REG_DWORD and
data value of 1) in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Registry key.
Step 14: Audit Privileges
By default, the system includes certain privileges that you can't audit,
even when you turn on privilege auditing. NT leaves auditing of these privileges
disabled to control audit log growth. However, you can audit these privileges if you want to
detect account tampering. Table 5 lists these privileges and default
assignments. Auditing the first item in Table 5 won't provide you with any
useful information because it's a privilege granted to everyone. Regarding item
2, only programmers can debug programs. Item 3, item 4, and item 5 are highly
sensitive rights, and should not be granted to any user or group unless
absolutely necessary. Item 6 and item 7 are used during normal system
operations. To audit these privileges, you can use the FullPrivilegeAuditing
entry (type REG_BINARY and data value of 1) in the
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa Registry key.
Step 15: Disable Caching Logon Credentials
By default, NT caches the logon credentials for the last user. With this
feature, a user can log on to the system even if the system is disconnected from
the network and the domain controllers are unavailable. Because I installed my
system as a standalone server in a separate workgroup, I didn't worry about
domain controllers and caching. However, to be on the safe side, I made an
adjustment.
The credential cache is protected, but you can disable this cache
completely if your environment requires a high level of security. To disable
credential caching, use the CachedLogonsCount entry (type REG_DWORD and data
value of 0) in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon Registry key.
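Steps 13, 14 and 15 each come down to one Registry entry, and settings of this kind tend to drift when a system is rebuilt or an administrator experiments. The following PowerShell script is an added example, not code from the article: it reads the three entries (AuditBaseObjects, FullPrivilegeAuditing and CachedLogonsCount) at the paths the article gives, compares them with the hardened values from the steps, and reports OK, DRIFT or MISSING for each. It changes nothing unless run with -Apply from an elevated session. The report layout and the helper names are this example's own.

```powershell
# Added example, not code from the article: check the Registry entries from
# Steps 13-15 against their hardened values and report drift.
# Read-only unless -Apply is given (needs an elevated session).

$Checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'AuditBaseObjects';      Expected = 1; Type = 'DWord'  }
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name = 'FullPrivilegeAuditing'; Expected = 1; Type = 'Binary' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
       Name = 'CachedLogonsCount';     Expected = 0; Type = 'DWord'  }
)

function Get-EntryAsInt {
    # Returns the entry's value as an integer, or $null when the entry is absent.
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    $raw = $item.$Name
    if ($raw -is [byte[]]) { return [int]$raw[0] }   # REG_BINARY: the flag is the first byte
    return [int]$raw                                 # REG_DWORD, or a numeric string value
}

function Test-LsaHardening {
    param([switch]$Apply)
    foreach ($c in $Checks) {
        $current = Get-EntryAsInt -Path $c.Path -Name $c.Name
        if ($null -eq $current)           { $state = 'MISSING' }
        elseif ($current -eq $c.Expected) { $state = 'OK' }
        else                              { $state = 'DRIFT' }

        # One report row per entry; this is the function's output.
        [pscustomobject]@{ Entry = $c.Name; Expected = $c.Expected; Current = $current; State = $state }

        if ($Apply -and $state -ne 'OK') {
            $value = if ($c.Type -eq 'Binary') { [byte[]]@($c.Expected) } else { $c.Expected }
            # -Force overwrites an existing entry of a different type or value.
            New-ItemProperty -Path $c.Path -Name $c.Name -PropertyType $c.Type -Value $value -Force | Out-Null
        }
    }
}

Test-LsaHardening | Format-Table -AutoSize
```

The integer cast in Get-EntryAsInt is there so the comparison still works if an entry is stored as a string rather than a DWORD, which is how CachedLogonsCount appears on later Windows versions. Remember the article's caveat for Step 13: a value of 1 in AuditBaseObjects produces no audit records on its own; the Object Access category must also be switched on in the audit policy.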
Step 16: Enable TCP/IP Filtering Security
As a final step to secure my system, I employed the built-in TCP/IP filter.
I shut down all ports except port 80 for the intrusion test, which made the task
quick and easy. If you're planning to use the TCP/IP filter and you have
FrontPage, PPTP, Simple Mail Transfer Protocol (SMTP), Post Office Protocol
(POP) mail, or other Internet services, you'll need to open the associated ports
so that those services can work correctly. To activate TCP/IP filtering, go to
Control Panel and open the Network applet. Select the Protocols tab and view the
TCP/IP protocol properties. Click Advanced on the IP Address tab, and select the
Enable Security check box. Click Configure, and select all three Permit Only
options (i.e., TCP ports, Internet Control Message Protocol (ICMP) ports, and
User Datagram Protocol (UDP) ports). This selection will activate filtering for
all three packet types. Click Add under TCP ports, and add port 80 for the Web
server. Open any other ports you need to open.
When you enable ICMP and UDP ports (by selecting the Permit Only options)
without adding ports, NT will not accept any of these packet types, effectively
blocking almost all system traffic. (The system will still respond to ping
packets.)
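The NT TCP/IP filter dialog no longer exists on current Windows versions, but the permit-only policy of Step 16 maps directly onto the Windows Firewall: block all inbound traffic by default and add one allow rule per service that must stay reachable. The following PowerShell script is an added example, not code from the article; it encodes the services the article names with their standard port assignments (HTTP 80, SMTP 25, POP3 110, PPTP control on TCP 1723 plus GRE, IP protocol 47, for the tunnel), switches on only the Web server as the article did, and prints what it would do unless run with -Apply from an elevated session. Which services are enabled, and the rule names, are assumptions for illustration.

```powershell
# Added example, not code from the article: the permit-only inbound policy of
# Step 16 expressed with the Windows Firewall cmdlets that replace the NT
# TCP/IP filter. Dry run unless -Apply is given (needs an elevated session).

$Services = @(
    @{ Name = 'Web server (HTTP, FrontPage)';      Protocol = 'TCP'; Port = 80;    Enabled = $true  }
    @{ Name = 'SMTP';                              Protocol = 'TCP'; Port = 25;    Enabled = $false }
    @{ Name = 'POP3';                              Protocol = 'TCP'; Port = 110;   Enabled = $false }
    @{ Name = 'PPTP control channel';              Protocol = 'TCP'; Port = 1723;  Enabled = $false }
    @{ Name = 'PPTP tunnel (GRE, IP protocol 47)'; Protocol = '47';  Port = $null; Enabled = $false }
)

function Set-PermitOnlyInbound {
    param([switch]$Apply)
    # Equivalent of "Permit Only" with an empty list: drop every inbound packet
    # that no explicit rule allows, on all three profiles.
    Write-Host 'Default inbound action -> Block (Domain, Private, Public)'
    if ($Apply) { Set-NetFirewallProfile -Profile Domain,Private,Public -DefaultInboundAction Block }

    foreach ($s in ($Services | Where-Object Enabled)) {
        $ruleName = "PermitOnly - $($s.Name)"
        $rule = @{ DisplayName = $ruleName; Direction = 'Inbound'; Action = 'Allow'; Protocol = $s.Protocol }
        $portText = ''
        if ($null -ne $s.Port) {          # GRE has no port number, so no LocalPort for it
            $rule.LocalPort = $s.Port
            $portText = "port $($s.Port)"
        }
        Write-Host ("Allow inbound {0} {1}" -f $s.Protocol, $portText)
        if ($Apply -and -not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule @rule | Out-Null
        }
    }
}

function Get-InboundAllowRules {
    # Review step: list what is currently let in, the firewall analogue of
    # reopening the filter dialog to see which ports are permitted.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $pf.Protocol; LocalPort = $pf.LocalPort }
    }
}

Set-PermitOnlyInbound                   # dry run: prints the intended policy
Get-InboundAllowRules | Format-Table -AutoSize
```

The review function matters as much as the apply step: a default-block profile is only as tight as the allow rules that already exist on the machine, and Windows ships with a number of them enabled, so inspect that list before trusting the policy. As the article notes for the NT filter, each additional service (mail, PPTP, FrontPage publishing) needs its own entry or it simply stops working.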
Some Sound Advice
Most of the modifications I made to my system addressed network access.
However, you can modify your system further to strengthen overall security. For
instance, you can employ system keys that are part of SP3, or use two or more
network cards (one for internal private use and one for Internet public use) and
bind only certain services to the internal private cards to ease administration.
Most important, you must consistently monitor event logs and clear or save them.
Thus, you need to set an acceptable log size and keep sufficient log records so
that no logs roll off before you inspect them.
To adjust your log properties, open Event Viewer and select Log Settings
from the Log menu. A dialog box in which you can make your adjustments will pop up.
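Sizing the log is a check worth scripting, because a Security log that fills and starts overwriting itself silently defeats every audit setting above. The following PowerShell function is an added example, not code from the article: it reports the Security log's current maximum size, entry count and overflow action, and, when run with -Apply from an elevated session, raises the size and sets the log to stop rather than overwrite. It uses the Windows PowerShell 5.1 event log cmdlets (Get-EventLog, Limit-EventLog); the 64 MB floor is an assumption for illustration, not a figure from the article.

```powershell
# Added example, not code from the article: check that the Security log is large
# enough that records are not overwritten before they are reviewed.
# Read-only unless -Apply is given (needs an elevated session); Windows PowerShell 5.1.

$MinimumKilobytes = 65536   # 64 MB floor (assumption)

function Test-SecurityLogCapacity {
    param([int]$MinimumKB = $MinimumKilobytes, [switch]$Apply)
    $log = Get-EventLog -List | Where-Object Log -eq 'Security'
    $report = [pscustomobject]@{
        MaximumKB      = $log.MaximumKilobytes
        Entries        = $log.Entries.Count
        OverflowAction = $log.OverflowAction
        Adequate       = ($log.MaximumKilobytes -ge $MinimumKB)
    }
    if ($Apply -and -not $report.Adequate) {
        # DoNotOverwrite keeps old records and stops logging when the log is full,
        # so it must be paired with a routine that saves and clears the log.
        Limit-EventLog -LogName Security -MaximumSize ($MinimumKB * 1KB) -OverflowAction DoNotOverwrite
    }
    return $report
}

Test-SecurityLogCapacity
```

Reading the Security log requires administrative rights even for the read-only report. The DoNotOverwrite choice matches the article's advice that no record should roll off before inspection, but it shifts the burden onto the save-and-clear routine: once the log is full, nothing further is recorded until it is cleared.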
If you want to examine the list of security issues that have surfaced with NT and other BackOffice products over the last year or so, or learn more about NT security, visit my Web sites at http://www.ntsecurity.net and http://www.ntshop.net.
This article is adapted from Mark's book, Internet Security with Windows NT (Duke Press at http://www.dukepress.com).