NT Security Tips

Password age is an important setting that many managers tend to ignore, especially in smaller networks. That’s a mistake, because invoking this option forces users to change their passwords regularly.


But keep your accounts under close surveillance for unusual usage statistics. For that matter, a regular inventory of all your user accounts is a good idea, especially in larger networks where more than one administrator has the right to add or remove users. Delete dead accounts and passwords.

2. Organize and document user permissions in functional groups.

Many network managers often neglect the importance of each user name. This is an extremely important facet not only of network security but of network organization in general. Be careful during the process of assigning user names and be sure to document the process.

User names are as central to the NT security model as passwords are. Proper user names and passwords work in conjunction during the logon process to ensure legitimate access and grant validation. We’ve heard of network managers allowing users to pick their own user names, but that practice certainly isn’t recommended. It’s best to take care of assigning user names yourself.

First, the user name needs to be unique within its own NT domain and should be unique to the network in general. And just like with passwords, don’t be afraid of longer names–you’ve got 20 characters to work with in NT. Once you’ve assigned user names and passwords for full network access, you can begin to implement NT security by placing users into groups, each of which will have its own set of permissions. This makes organization easier and has the side benefit of allowing you to set user permissions en masse. You can then increase group resources fairly easily by defining appropriate “trust” relationships.

3. Change the name of the Admin user account.

Anyone who has installed NT Server knows that the system default installs a powerful “superuser” account called the Administrator account. You can’t delete this account, and its password by default is blank. This is a favorite hacker trick, and one that is fairly easy to exploit. You’d think this trick could be blocked automatically by a trained administrator, but that’s just the problem with NT. Because it’s so easy to use, lots of first-time network builders leave even obvious doors like this one open.

You can get sneaky and change not only the password, but the account name as well. Make it difficult for a hacker trying to figure out which account is the Admin account.

Another useful trick takes this one step further. After you change the name of the original Admin account, create a new account and call it Admin. Give it a good password and absolutely no permissions for network resources.

4. Set lockout limits and activity logging.

Users typically hate lockout limits, but they’re invaluable for keeping your network secure. Lockout limits deactivate network accounts after a certain number of failed attempts to log in, due either to a faulty user name or a faulty password. The usual number of tries before lockout is three, but this option must be activated by you to take effect. It also means that someone with rights to activate user accounts must be present during business hours in case a legitimate user manages to lock himself or herself out. You’ll need someone with those rights to reactivate the account; otherwise, it’s useless for at least 24 hours. Even this option is risky. Unless you’re watching for hack attempts, an outside predator could attempt access three times a day without anyone being the wiser. It’s best to allow only an administrator to reactivate locked-out accounts.

To keep track of account lockouts and other possible signs of hacker activity, you need to activate account logging. Just head for the Policy menu in User Manager for Domains (in the standard Admin Tools). You then need to check the Event Log regularly to find these entries; the system won’t alert you.
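The article’s warning that an outsider could probe an account a couple of times a day without ever tripping a three-try lockout is exactly the case a log review should catch. The following is an added example, not code from the original article: it scans a constructed, simplified security-log export and flags accounts that fail logon on several days while always staying under the lockout threshold. The column layout, the sample data, and the use of event IDs 529 (bad user name or password) and 539 (account locked out) are assumptions about the export format.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample of a simplified NT security-log export (not real data).
# Columns: date, time, event ID, user. Event IDs assumed from the NT-family
# security log: 529 = bad user name or password, 539 = account locked out.
SAMPLE_LOG = """\
1998-06-01 23:10:05 529 admin
1998-06-01 23:10:41 529 admin
1998-06-02 02:14:09 529 admin
1998-06-02 02:14:50 529 admin
1998-06-02 09:00:03 529 jsmith
1998-06-02 09:00:30 529 jsmith
1998-06-02 09:01:02 529 jsmith
1998-06-02 09:01:02 539 jsmith
1998-06-03 01:30:22 529 admin
1998-06-03 01:31:00 529 admin
"""

LOCKOUT_THRESHOLD = 3  # the usual "three tries" setting from the article

def parse_log(text):
    """Return (timestamp, event_id, user) tuples from the export."""
    events = []
    for line in text.strip().splitlines():
        date, time, event_id, user = line.split()
        stamp = datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S")
        events.append((stamp, int(event_id), user))
    return events

def failures_per_day(events):
    """Map user -> {date: count of failed logons (event 529)}."""
    counts = defaultdict(lambda: defaultdict(int))
    for stamp, event_id, user in events:
        if event_id == 529:
            counts[user][stamp.date()] += 1
    return counts

def lockouts(events):
    """Accounts the system actually locked out (event 539)."""
    return sorted({user for _, event_id, user in events if event_id == 539})

def low_and_slow(events, threshold=LOCKOUT_THRESHOLD, min_days=2):
    """Accounts probed on several days, each day staying under the lockout threshold."""
    suspects = []
    for user, per_day in failures_per_day(events).items():
        if len(per_day) >= min_days and max(per_day.values()) < threshold:
            suspects.append((user, sum(per_day.values()), len(per_day)))
    return sorted(suspects)
```

In the sample, jsmith trips the lockout on the second day and shows up in lockouts(), while the renamed-target account admin is probed twice a day for three days and only low_and_slow() reports it.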

5. Make good use of NTFS.

For server machines in an NT environment, you’d be nuts to use anything other than NTFS. You’ve got the option to use FAT, but you can’t protect files on FAT volumes. NTFS has built-in security options to protect your files. NTFS supports file and directory security, and this security policy can efficiently address very large disk volumes. If that’s not enough, NTFS is Unicode-compliant and has built-in features that will protect your data in case of system corruption or failure.

On a new disk, an NTFS volume grants the group Everyone Full Control over file permissions. Any subsequent directories or files inherit these permissions, so you’d be well advised to change these defaults after formatting any new NTFS drive. You can do this by clicking on the Other option in the Security tab.

6. Lock it up.

Physical security is another overlooked method of keeping your network secure. Leaving servers, hubs, switches, and remote-access modems out in the open is common practice at many small and medium-size network sites, due mostly to space constraints. It may cost a bit to keep these components under lock and key, but if you’re paying attention to network security, the benefit will be huge.

Let’s face it. Most hackers don’t gain access by dialing in and zapping test passwords at your system. These guys do research, and that often means snooping around your office. And what about disgruntled employees, malevolent building-maintenance workers, or even security people? The list of folks who have access to computers you leave out in the open is long and often undistinguished. Cutting down on physical access is mandatory for a truly secure network.

7. Install Service Pack 3.

Windows NT is presently on Service Pack 3, with number 4 in beta (we recommend avoiding that one until it ships). Service Pack 3 should be installed on all your servers and consistently reinstalled every time you add new software or hardware. The security benefits provided by SP3 are huge, including Server Message Block (SMB) Signing, password filtering, and the ability to restrict anonymous users. It also lets you use a system key to encrypt your password data.

SMB (also known as the Common Internet File System) is the file-sharing protocol, and SMB Signing adds mutual authentication, which means both the client and the server must prove their identity to each other before a connection is established. Similarly, password filtering lets you enforce restrictions on users’ password choices. Even more critical is anonymous-account management. Windows NT uses anonymous accounts for things like RAS communications, which certainly implies a high security risk. With SP3, you get the ability to restrict access to these accounts. The SP3 system-key feature is great. Once this is in place, you won’t be able to boot the NT server at all without the key. Even better, these keys use strong encryption to protect all the password data stored in the Security Accounts Manager (SAM) database.

8. Stay on top of specific Microsoft security-hole fixes.

Although service packs are critical to server health and security, they aren’t all that timely. New versions are released periodically, but hackers work on a much speedier and less predictable timetable. Fortunately, the folks in Redmond keep a sharp eye out for new hacker attack methods as they are discovered and reported. Solutions and hot fixes to these problems are posted on Microsoft’s Web site and are also published monthly in the TechNet CD-based support series (a service we highly recommend you check out if you work with Microsoft operating systems on a regular basis).

9. Secure the NT Registry.

Windows NT’s Registry is by default more secure than that of Windows 95/98. You can assign key security to the Registry as you would to a disk volume. This blocks general outside access, and you can even assign administrative rights to users or groups that do have Registry access.

But even with appropriately set Registry access settings, there are other problems. For example, users recently discovered a major security hole within the NT Registry. This problem revolves around security keys that assign specific programs or services to run automatically after the server boots. Under a default Windows NT Server installation, all users have access to these keys, making it relatively simple for hackers to set one to run one of their own programs every time a server boots. You can find a fix for this problem by contacting Microsoft, checking your TechNet CD (posted May 1998), or looking it up in the Microsoft Knowledge Base at www.support.microsoft.com.

10. One for later: Perform a security audit.

Remember that security is not a fixed asset; staying current and avoiding future problems requires a regular security audit.

Normally, this is a time-consuming, specialized, and difficult task–even in Windows NT. Fortunately, there are excellent third-party applications available to help make this process easier and even automate it to some degree. Two great examples of such software are Security Dynamics Technologies’ Kane Security Analyst (KSA) for Windows NT and RealSecure 2.0 from Internet Security Systems (ISS). Although RealSecure does offer this kind of auditing functionality, its main role is protecting you from hacker attacks by means of its database of more than 100 NT defense mechanisms.

KSA will check your NTFS volumes for proper permission controls, data integrity, and overall security. If you want to make use of automated auditing, it’s simply a matter of defining what areas you want KSA to check on a periodic basis. Once that’s done, the system will provide you with a series of regular reports on the security status of your network that cover six general categories: password strength, access control, user-account restrictions, system monitoring, data integrity, and data confidentiality. Remember that KSA is limited as to what kinds of suspicious activity it will alert you to. That means you’ll have to take the time to read these reports and make decisions based on their information.
