I've recently set up a Web service with NT as the LAN and Web server. Sounds like there are plenty of others doing the same thing. This is the beginning of a "FAQ" for Internet security measures.
I'm going to list some of the things I've done to increase security. If anyone has something to add that I'm not aware of please do! Email me at randallg@telemark.net if you have any comments, or anything to add. I'll add it to this page forthwith!
Be sure to check out a very good security reference at http://www.somarsoft.com/security.htm. It goes into a lot more detail than my summary...
For an overall guide to setting up an Internet Server with NT, check out John Neystadt's "How to Create Internet Site with Windows NT only". It can be opinionated, but it has a lot of good pointers.
This page provided by Telemark Systems Inc.
Some significant suggestions by Russ Cooper Russ.Cooper@RC.Toronto.on.ca.
As an aside, I've been a *nix systems programmer for some years, and I must say that I've found NT to be a far easier system to administer, in terms of setting up security (as well as everything else). Like *nix, it takes some thought; unlike *nix, it doesn't require a major research effort.
Whether NT is as secure, or more secure, than *nix is a point I'm not yet qualified to debate in detail. My current suspicion is that it IS, if simple measures are taken. The big advantage of NT is that administration is so so so much easier than *nix. If you take the precautions listed here, your biggest worry is probably crackable passwords. MAKE YOUR USERS CHOOSE EFFECTIVE PASSWORDS!
Russ says: I read a message from a known hacker once who said that he had a password dictionary of over 500,000 words, and could go through them at 20,000 attempts per minute when accessing a site over the net. So, 25 minutes after finding your site, he could have tried 500,000 of the most common passwords. What I really liked in his message was, he said "after the 25 minutes expired, I had to go to work. I rarely had to work!". Moral: Passwords, without access logging and inspection of said logs, are easily cracked.
The router processes only TCP/IP, not NetBEUI, so native Windows networking cannot be accessed from the Internet.
You may want to disable NetBEUI over TCP/IP. If you don't need NetBEUI over the Internet, and you probably don't, this will prevent any attacks via NetBEUI. TCP port 137 is the NetBIOS name service, port 138 is NetBIOS datagram, and port 139 is NetBIOS sessions. Disable these ports for both incoming and outgoing traffic. Check out RFC 1001 and 1002 for more information.
NetBEUI over TCP/IP should be disabled. In Control Panel -> Network -> Bindings disable these:
Disable the same things if they are bound to any RAS interfaces.
I'm not sure what this account is for, and I don't know what it can do by default, but it sure doesn't need to be there.
To something non-obvious. An intruder now has to guess that account name if he wants total control...
Local WFWG computers which must access the server (i.e. all of them) each have a user account associated with them. The workstations can be set up to start Windows without having the users enter a password each time. Here's how:
In User Manager -> Policies -> User Rights check the right "Access this computer from the network". Remove Everyone and add Domain Users or whatever else you need.
If you use Perl for CGI programs, DO NOT REPEAT DO NOT put perl.exe into the web server's cgi bin directory. For example, O'Reilly's Website server has a directory /cgi-shl where you may think it's a good idea to put perl.exe so you can run a Perl script like this:
http://myserver.com/cgi-shl/perl.exe?myscript.pl
Well guess what, anyone in the world can now execute a command line perl program on your server, for instance:
http://myserver.com/cgi-shl/perl.exe?-e?'format?c:'
Get the picture? You can practice "safe Perl" by associating a file suffix, such as ".pl", with perl.exe in the File Manager. Then execute your CGI script like this:
http://myserver.com/whatever/myscript.pl
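To check whether a server has ever been used this way, the access log can be scanned for requests that name an interpreter in the URL path. The following is an added example, not part of the original page or of any server product; it assumes the log is in Common Log Format, and the interpreter list and sample log lines are constructed for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Programs that must never be directly requestable from a CGI directory.
# This set is an assumption for illustration; extend it for your own server.
INTERPRETERS = {"perl.exe", "perl", "cmd.exe", "command.com", "sh", "bash"}

# Request field of a Common Log Format line: "METHOD target [PROTOCOL]"
REQUEST_RE = re.compile(r'"[A-Z]+ (?P<target>\S+)(?: HTTP/[\d.]+)?"')

# Constructed sample log; the targets are the URLs shown above plus a
# percent-encoded spelling of the same program name.
SAMPLE_LOG = [
    '192.0.2.10 - - [12/Jan/1996:10:00:01 -0500] "GET /whatever/myscript.pl HTTP/1.0" 200 512',
    '192.0.2.10 - - [12/Jan/1996:10:00:09 -0500] "GET /cgi-shl/perl.exe?myscript.pl HTTP/1.0" 200 512',
    '198.51.100.7 - - [12/Jan/1996:10:03:44 -0500] "GET /cgi-shl/perl.exe?-e?\'format?c:\' HTTP/1.0" 200 0',
    '198.51.100.7 - - [12/Jan/1996:10:03:51 -0500] "GET /cgi-shl/PERL%2EEXE?myscript.pl HTTP/1.0" 200 512',
]

def interpreter_requests(log_lines):
    """Return (line_no, client, program, arguments) for each request
    whose URL path names an interpreter rather than a script."""
    hits = []
    for line_no, line in enumerate(log_lines, 1):
        match = REQUEST_RE.search(line)
        if not match:
            continue  # not a request line we understand
        parts = urlsplit(match.group("target"))
        # Decode %xx escapes and fold case before comparing: NT file names
        # are case-insensitive, so PERL%2EEXE still means perl.exe.
        path = unquote(parts.path).replace("\\", "/").lower()
        for segment in path.split("/"):
            if segment in INTERPRETERS:
                client = line.split(" ", 1)[0]
                hits.append((line_no, client, segment, unquote(parts.query)))
                break
    return hits

if __name__ == "__main__":
    for hit in interpreter_requests(SAMPLE_LOG):
        print("line %d: %s requested %s with arguments %r" % hit)
```

Any hit means the interpreter itself is reachable from the web; the request that uses the ".pl" association is not flagged.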
While experimenting I found that Guest could run ftp from anywhere with no password (this was before Guest was disabled). I guess you can leave FTP running if you need it.
If you need FTP, you can set overall permissions on local resources from Server Manager -> FTP -> Security. You can get to the same security dialog via Control Panel -> FTP Server -> Security. It may be a good idea to have Internet-accessible FTP only available on a separate disk partition that you create for that purpose.
Or, kathey@birdbrain.com suggests: Creating the permissions for a specific account so that they can only read from and write to a specific directory. It dumps you in my c:\ftp directory and you can't change directories because you don't have permission. Pretty handy in my opinion. Given the above setup FTP becomes pretty secure. But it still has the major hole that the password is sent in the clear.
Speaking of passwords being sent in the clear. You might add a section about POP3 stuff. I know the EMWAC free mail software supports POP3 but doesn't support APOP which is a way of verifying the user without sending the password in the clear. In my opinion, the code is so easy there is no reason why a POP3 implementer shouldn't have APOP in his package.
On that note, I've done that on my systems. I have a user group called "Internet Users" who are not in the "Domain Users" group and only have this permission: Access this computer from the network. Their home directories are set with change permission to their IDs only. They can FTP in but can't see anything else on the disk except their own home and any subdirectories they create.
Note: a lot of people seem to think that NT's ftp service cannot put users right into their own directory when they log in. This works fine for me, so it is possible...
To tighten security if you are using modem dial-up into your system. Under the key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\
AuthenticateRetries
EnableAudit
NetbiosGateway\EnableNetbiosSessionsAuditing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters\Logging
Look closely at using MS-CHAP encrypted passwords, and if your clients are NT boxes also, then use data encryption as well. This information can be found in the RAS help under the PPP Parameters heading. PPP has logging as well.
Set up RAS to automatically dial-back to a specific phone number which you will enter for each of your RAS users. Do not set it up to dial back to a user supplied phone number as it's quite possible that your hacker is using somebody else's switch to get to your line anyway.
In User Manager -> Policies -> Audit Policy select all failure events, and successful Logon and Logoff, User and Group Management, Security Policy Changes, and Restart...
Check the security log regularly. If your local workstations stay in Windows most of the time, there shouldn't be too many events to plough through.
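One way to make that regular check less of a chore is to count failed logons per account inside a short time window, which is where password guessing shows up. This is an added example, not part of the original page; the three-column export format, the threshold and the sample records are assumptions constructed for illustration, and 529 is the NT security log event for a logon failure (unknown user name or bad password).

```python
import csv
from collections import defaultdict, deque
from datetime import datetime, timedelta
from io import StringIO

FAILED_LOGON = 529               # NT security log: logon failure
WINDOW = timedelta(minutes=1)    # assumed window size
THRESHOLD = 5                    # assumed: failures per window worth a look

# Constructed sample export: timestamp, event id, account (oldest first).
SAMPLE_EXPORT = """\
1996-01-12 02:13:00,529,Administrator
1996-01-12 02:13:01,529,Administrator
1996-01-12 02:13:02,529,Administrator
1996-01-12 02:13:03,529,Administrator
1996-01-12 02:13:04,529,Administrator
1996-01-12 02:13:05,529,Administrator
1996-01-12 09:00:00,528,alice
1996-01-12 09:14:02,529,bob
1996-01-12 16:40:10,529,bob
"""

def guessing_bursts(export_text, threshold=THRESHOLD, window=WINDOW):
    """Return {account: peak failures inside one window} for every account
    that reached the threshold. Records must be in chronological order."""
    recent = defaultdict(deque)   # account -> failure times still in window
    peaks = {}
    for row in csv.reader(StringIO(export_text)):
        if len(row) != 3 or int(row[1]) != FAILED_LOGON:
            continue              # malformed row or not a failed logon
        when = datetime.strptime(row[0], "%Y-%m-%d %H:%M:%S")
        account = row[2].lower()  # NT account names are case-insensitive
        times = recent[account]
        times.append(when)
        while when - times[0] > window:
            times.popleft()       # drop failures older than the window
        if len(times) >= threshold:
            peaks[account] = max(peaks.get(account, 0), len(times))
    return peaks

if __name__ == "__main__":
    for account, peak in guessing_bursts(SAMPLE_EXPORT).items():
        print("%s: %d failed logons within one minute" % (account, peak))
```

Two mistyped passwords hours apart stay below the threshold; six failures in six seconds against one account do not.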
This is an amazingly useful program that comes with the NT 3.51 Resource Kit (icon is called C2 Security Config). It checks a list of security items in your system, and tells you of any that violate the C2 standard. You may not need C2 security, but it is a very good resource - there is no excuse to not use it...
There is a C2 page at the MS site: http://www.microsoft.com/NTServer/c2bltn.htm
Russ says: You might want to point out somewhere just what C2 means. I will try and find an "official" definition that you can use, but for now, FYI, C2 only covers the logging of events. It doesn't imply any greater security beyond the normal encryption, it simply means that every attempt to access a secured resource will be logged. Therefore, if the administrator doesn't take physical action on the logging events, no additional benefit is achieved. So, setting low thresholds on the number of login attempts, long durations between failed attempts, long passwords (which make password cracking programs work less efficiently), and passwords that include lower case, upper case, and digits (all in a single password, every time) are the only way that C2 gives any real value. As I said, I'll find an official definition and send it to you.
THE KANE SECURITY ANALYST (KSA) FOR MICROSOFT WINDOWS NT
The KSA will thoroughly assess the overall security status of a Novell and Windows NT network and report security in six areas: password strength, access control, user account restrictions, system monitoring, data integrity and data confidentiality. The KSA provides the expertise of seasoned security specialists and streamlines the analysis process. New version features include the ability to completely assess security on Microsoft Windows NT networks. This is important since organizations migrating to NT have had difficulty understanding NT's security attributes. The KSA addresses both the complexity of NT and the lack of tools to assess its security.
There's one NT firewall product that's just been announced (Jan96). See the web site at http://www.raptor.com.