NT Web Server - Security Issues

Last modified: Feb 3/96

I've recently set up a Web service based on NT as the LAN and web server. It sounds like there are plenty of others doing the same thing. This is the beginning of a "FAQ" for Internet security measures.

I'm going to list some of the things I've done to increase security. If anyone has something to add that I'm not aware of please do! Email me at randallg@telemark.net if you have any comments, or anything to add. I'll add it to this page forthwith!

Be sure to check out a very good security reference at http://www.somarsoft.com/security.htm. It goes into a lot more detail than my summary...

For an overall guide to setting up an Internet server with NT, check out John Neystadt's How to Create Internet Site with Windows NT only. It can be opinionated, but it has a lot of good pointers.

This page provided by Telemark Systems Inc.
Some significant suggestions by Russ Cooper Russ.Cooper@RC.Toronto.on.ca.

As an aside, I've been a *nix systems programmer for some years, and I must say that I've found NT to be a far easier system to administer, in terms of setting up security (as well as everything else). Like *nix, it takes some thought; unlike *nix, it doesn't require a major research effort.

Whether NT is as secure as, or more secure than, *nix is a point I'm not yet qualified to debate in detail. My current suspicion is that it IS, if simple measures are taken. The big advantage of NT is that administration is so so so much easier than *nix. If you take the precautions listed here, your biggest worry is probably crackable passwords. MAKE YOUR USERS CHOOSE EFFECTIVE PASSWORDS!

Russ says: I read a message from a known hacker once who said that he had a password dictionary of over 500,000 words, and could go through them at 20,000 attempts per minute when accessing a site over the net. So, 25 minutes after finding your site, he could have tried 500,000 of the most common passwords. What I really liked in his message was, he said "after the 25 minutes expired, I had to go to work. I rarely had to work!". Moral: Passwords, without access logging and inspection of said logs, are easily cracked.

Router setup

The router processes only TCP/IP, not NetBEUI, so native Windows networking cannot be accessed from the Internet.

You may want to disable NetBEUI over TCP/IP. If you don't need NetBEUI over the Internet, and you probably don't, this will prevent any attacks via NetBEUI. TCP port 137 is NetBIOS name service, port 138 is NetBIOS datagram, and port 139 is NetBIOS session. Disable these ports for both incoming and outgoing traffic. Check out RFC 1001 and 1002 for more information.

Remove some network bindings

NetBEUI over TCP/IP should be disabled. In Control Panel -> Network -> Bindings disable these:

  • NetBIOS Interface -> WINS Client(TCP/IP) -> ethernet
  • Server -> WINS Client(TCP/IP) -> ethernet
  • Workstation -> WINS Client(TCP/IP) -> ethernet

Disable the same things if they are bound to any RAS interfaces.

Disable the Guest account

I'm not sure what this account is for, and I don't know what it can do by default, but it sure doesn't need to be there.

Rename the Administrator Account

Rename it to something non-obvious. An intruder now has to guess that account name if he wants total control...

Set up accounts with passwords for all local workstations

Local WFWG computers which must access the server (i.e. all of them) each have a user account associated with them. The workstations can be set up to start Windows without having the users enter a password each time. Here's how:

  • In control panel->network set startup options to log onto the domain
  • When wfwg starts the first time, it will ask to create a password list. Save that password list file with no password. This password is not related to the domain user password.

Remove Share Permissions to Everyone

  • Use File Manager to set shares so there is no permission for Everyone.
  • Add permissions for the group Domain Users as necessary.

Remove Network Access for Everyone

In User Manager -> Policies -> User Rights check the right "Access this computer from the network". Remove Everyone and add Domain Users or whatever else you need.

Notes on the Web Service

If you use Perl for CGI programs, DO NOT REPEAT DO NOT put perl.exe into the web server's CGI bin directory. For example, O'Reilly's WebSite server has a directory /cgi-shl where you may think it's a good idea to put perl.exe so you can run a Perl script like this: http://myserver.com/cgi-shl/perl.exe?myscript.pl

Well guess what, anyone in the world can now execute a command line Perl program on your server, for instance: http://myserver.com/cgi-shl/perl.exe?-e?'format?c:'

Get the picture? You can practice "safe Perl" by associating a file suffix, such as ".pl", with perl.exe in the File Manager. Then execute your CGI script like this: http://myserver.com/whatever/myscript.pl
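A defender-side check for the perl.exe problem above, added here as an example that is not from the original page: it scans web server access-log lines (common log format, sample constructed below) for requests that invoke an interpreter executable inside the CGI directory instead of a script run through the ".pl" suffix association. The CGI directory names and the interpreter list are assumptions; adjust them to your server.

```python
import re
from urllib.parse import unquote, urlsplit

# Constructed sample of common-log-format lines (not from the original page):
# line 1 reproduces the page's perl.exe example, line 4 is the same URL-encoded.
SAMPLE_LOG = """\
10.0.0.7 - - [03/Feb/1996:10:15:01 -0800] "GET /cgi-shl/perl.exe?-e?'format?c:' HTTP/1.0" 200 311
10.0.0.9 - - [03/Feb/1996:10:15:22 -0800] "GET /cgi-shl/myscript.pl?name=bob HTTP/1.0" 200 1284
10.0.0.9 - - [03/Feb/1996:10:16:05 -0800] "GET /index.html HTTP/1.0" 200 2048
10.0.0.7 - - [03/Feb/1996:10:17:40 -0800] "GET /cgi-shl/PERL.EXE?%2De%20%27print+1%27 HTTP/1.0" 200 40
"""

# Assumptions: the CGI directory names and the interpreter list are local choices.
CGI_DIRS = ("/cgi-shl/", "/cgi-bin/")
INTERPRETERS = {"perl.exe"}
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')

def classify_request(url):
    """Return a reason string if the request runs an interpreter directly, else None."""
    parts = urlsplit(url)
    # NTFS/FAT names are case-insensitive, so normalise before matching.
    path = unquote(parts.path).lower()
    if not path.startswith(CGI_DIRS):
        return None
    if path.rsplit("/", 1)[-1] not in INTERPRETERS:
        return None
    # The query string becomes the interpreter's argv; the page's example
    # separates arguments with '?', and old CGI servers also split on '+'.
    args = re.split(r"[?+\s]+", unquote(parts.query))
    if "-e" in args:
        return "interpreter invoked with inline code"
    return "interpreter invoked directly"

def scan_log(text):
    """Return (client, timestamp, url, reason) for every flagged request."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, ts, _method, url, _status = m.groups()
        reason = classify_request(url)
        if reason:
            hits.append((client, ts, url, reason))
    return hits

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print("%s [%s] %s -> %s" % hit)
```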

Notes on the FTP service

While experimenting I found that Guest could run ftp from anywhere with no password (this was before Guest was disabled). I guess you can leave FTP running if you need it.

If you need FTP, you can set overall permissions on local resources from Server Manager -> FTP -> Security. You can get to the same security dialog via Control Panel -> FTP Server -> Security. It may be a good idea to have Internet-accessible FTP only available on a separate disk partition that you create for that purpose.

Or, kathey@birdbrain.com suggests: Creating the permissions for a specific account so that they can only read from and write to a specific directory. It dumps you in my c:\ftp directory and you can't change directories because you don't have permission. Pretty handy in my opinion. Given the above setup FTP becomes pretty secure. But it still has the major hole that the password is sent in the clear.

Speaking of passwords being sent in the clear. You might add a section about POP3 stuff. I know the EMWAC free mail software supports POP3 but doesn't support APOP which is a way of verifying the user without sending the password in the clear. In my opinion, the code is so easy there is no reason why a POP3 implementer shouldn't have APOP in his package.

On that note, I've done that on my systems. I have a user group called "Internet Users" who are not in the "Domain Users" group and only have this permission: Access this computer from the network. Their home directories are set with change permission to their IDs only. They can FTP in but can't see anything else on the disk except their own home and any subdirectories they create.

Note: a lot of people seem to think that NT's ftp service cannot put users right into their own directory when they log in. This works fine for me, so it is possible...

RAS parameters you can adjust

These settings tighten security if you are using modem dial-up into your system. They live under the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\

AuthenticateRetries

  • Sets the maximum number of retries after an unsuccessful login attempt. Set this to 2 (the default).

EnableAudit

  • Enables auditing of RAS connections in the event log. Set this to 1 (the default).

NetbiosGateway\EnableNetbiosSessionsAuditing

  • Enables RAS auditing of the establishment of NetBIOS sessions between the remote clients and the Windows NT servers. Set this to 1 (the default of 0 means off).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\Logging

  • Logs all communications from serial ports to the device connected to them during command mode. Information is stored in DEVICE.LOG in the systemroot\SYSTEM32\RAS\ directory. Set this to 1 (the default of 0 means off).

Look closely at using MS-CHAP encrypted passwords, and if your clients are NT boxes also, then use data encryption as well. This information can be found in the RAS help under the PPP Parameters heading. PPP has logging as well.

Set up RAS to automatically dial back to a specific phone number which you will enter for each of your RAS users. Do not set it up to dial back to a user-supplied phone number, as it's quite possible that your hacker is using somebody else's switch to get to your line anyway.

Keep track of logons and security failures

In User Manager -> Policies -> Audit Policy select all failure events, and successful Logon and Logoff, User and Group Management, Security Policy Changes, and Restart...

Check the security log regularly. If your local workstations stay in Windows most of the time, there shouldn't be too many events to plough through.
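To show what "check the security log" can actually catch, here is an added example (not from the original page) that runs Russ's password-guessing scenario over a constructed export of logon events: it flags an account that piles up a burst of failures inside a short window, and a success that follows such a burst, which is what a guessed password looks like. The record format and event names are assumptions, since NT's own event-log format is not on this page.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample (not from the page): one exported security-log record per
# line as "timestamp,event,account,source". The event names are assumptions,
# not NT's own event ids. jsmith is guessed in five tries; mjones mistyped once.
SAMPLE_EVENTS = """\
1996-02-03 09:00:00,LOGON_FAILURE,jsmith,10.0.0.7
1996-02-03 09:00:01,LOGON_FAILURE,jsmith,10.0.0.7
1996-02-03 09:00:02,LOGON_FAILURE,jsmith,10.0.0.7
1996-02-03 09:00:03,LOGON_FAILURE,jsmith,10.0.0.7
1996-02-03 09:00:04,LOGON_FAILURE,jsmith,10.0.0.7
1996-02-03 09:00:05,LOGON_SUCCESS,jsmith,10.0.0.7
1996-02-03 12:30:00,LOGON_FAILURE,mjones,10.0.0.12
1996-02-03 12:30:20,LOGON_SUCCESS,mjones,10.0.0.12
"""

FAIL_THRESHOLD = 5              # failures per account that trigger an alert
WINDOW = timedelta(minutes=10)  # sliding window the failures must fall in

def parse_events(text):
    """Parse the constructed export into (time, event, account, source) tuples."""
    events = []
    for line in text.splitlines():
        ts, kind, account, source = line.split(",")
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), kind, account, source))
    return events

def find_guessing(events):
    """Return (time, account, source, reason) alerts: an account reaching
    FAIL_THRESHOLD failures inside WINDOW, and a success right after such a burst."""
    recent = defaultdict(deque)   # account -> times of failures still in window
    alerts = []
    for ts, kind, account, source in sorted(events):
        q = recent[account]
        while q and ts - q[0] > WINDOW:   # expire failures older than the window
            q.popleft()
        if kind == "LOGON_FAILURE":
            q.append(ts)
            if len(q) == FAIL_THRESHOLD:
                alerts.append((ts, account, source, "%d failures within %s" % (len(q), WINDOW)))
        elif kind == "LOGON_SUCCESS":
            if len(q) >= FAIL_THRESHOLD:
                alerts.append((ts, account, source, "success after failure burst"))
            q.clear()   # a good logon resets the count
    return alerts

if __name__ == "__main__":
    for ts, account, source, reason in find_guessing(parse_events(SAMPLE_EVENTS)):
        print(ts, account, source, reason)
```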

Run the C2 Configuration Manager

This is an amazingly useful program that comes with the NT 3.51 Resource Kit (the icon is called C2 Security Config). It checks a list of security items in your system, and tells you of any that violate the C2 standard. You may not need C2 security, but it is a very good resource - there is no excuse not to use it...

There is a C2 page at the MS site: http://www.microsoft.com/NTServer/c2bltn.htm

Russ says: You might want to point out somewhere just what C2 means. I will try and find an "official" definition that you can use, but for now, FYI, C2 only covers the logging of events. It doesn't imply any greater security beyond the normal encryption, it simply means that every attempt to access a secured resource will be logged. Therefore, if the administrator doesn't take physical action on the logging events, no additional benefit is achieved. So, setting low thresholds on the number of login attempts, long durations between failed attempts, long passwords (which make password cracking programs work less efficiently), and passwords that include lower case, upper case, and digits (all in a single password, every time) are the only way that C2 gives any real value. As I said, I'll find an official definition and send it to you.

Suggestions if you think you have been intruded

  • Change your RAS telephone number.
  • Check that all of your domain accounts are accounted for, and that no new accounts have been created.
  • Change all the passwords in your domain and any trusted domains.
  • Rename your Administrator account.
  • Check your RAS users list and verify that the accounts that should have access to RAS are the only ones there, and make sure their passwords are changed right away.

NT Security Products

THE KANE SECURITY ANALYST (KSA) FOR MICROSOFT WINDOWS NT

The KSA will thoroughly assess the overall security status of a Novell and Windows NT network and report security in six areas: password strength, access control, user account restrictions, system monitoring, data integrity and data confidentiality. The KSA provides the expertise of seasoned security specialists and streamlines the analysis process. New version features include the ability to completely assess security on Microsoft Windows NT networks. This is important since organizations migrating to NT have had difficulty understanding NT's security attributes. The KSA addresses both the complexity of NT and the lack of tools to assess its security.

NT Firewall Products

There's one NT firewall product that's just been announced (Jan96). See the web site at http://www.raptor.com.
