Computer Security Article

NT Security, By the Book
Author: Stephen Cobb
Status: An earlier version of this article first appeared in Internet Advisor in 1997. This revised version features updated links.

Several reader requests have presented a serious dilemma. You have asked for more information about securing Windows NT. The dilemma is: how do I cover all the important points of this broad and complex subject, within the confines of a magazine column, without neglecting the one thing that might save your network from penetration or abuse? My answer, for now at least, is to pass along my assessment of the available sources for more detailed information, while highlighting some of the more obvious steps you should be taking to tighten up NT (see the two lists in the sidebar and the three NT security books reviewed later in the column).

Out of the Box

A very basic point, but one which is all too often overlooked, is that NT is "not locked down out of the box, especially on Windows NT Workstation." These are Microsoft's words, not mine. They are important to note because one of the biggest NT security problems that I encounter does not arise from complex questions of hardware and software configuration. It is a matter of understanding, or lack thereof.

NT security actually means many things to many people, depending on how they are using NT. For some offices NT means peer-to-peer networking with NT Workstation, among trusted colleagues whose main security concerns might be virus infections from downloaded files and attacks over the network's Internet connection. For some companies, NT Server is the main platform for multiple mission critical networks that must be protected from all manner of attacks, including insider abuse. In some cases, NT Server is the platform for the company's Web server, requiring a particular blend of security settings that allow restricted public access.

Some offices decided to grow into NT from Windows for Workgroups, others opted to migrate to NT from Novell NetWare 3.x, yet others chose NT for a new network built from scratch. I have heard people cite the security of NT as a major factor in all three scenarios, frequently referring to its "Department of Defense C2 security" (C2 is a red herring to which I will return later). So it is worth repeating that NT is "not locked down out of the box, especially on Windows NT Workstation." The books, tips, and sources cited here will help you lock it down.

NT Security Books

Charles B. Rutstein, the author of the NCSA Guide to Windows NT Security (McGraw-Hill, $34.95) is a leading systems security expert who has had, as a principal consultant with Price Waterhouse, a lot of practical experience with Windows NT. Charles was one of the first people that I know to finger NT as a serious enterprise platform. Consequently, he invested a lot of time in understanding its security architecture, which this book very clearly explains. His description of the basic NT security model will help you design and administer secure NT networks, minimizing data loss from system failures, and maximizing the security features of the Registry.

One example is the Display Last Logged-on User setting. By default, Windows NT displays, in the logon dialog box, the username of the last user logged into the system. Charles notes that, while this is helpful for users, "This could, however, be a security risk in that the username of a valid user might be leaked to an intruder. Though such an intruder would still have to determine the corresponding password, it would be more secure to hide the name of the last user." In order to do so, he recommends setting the following registry key:

HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName

Setting this value to 1 prevents the system from displaying the last user name. He also notes that this value can be set using the Microsoft C2 configuration utility within the Windows NT Resource Kit.

Charles shows you how to protect files, printers, and user accounts, and solve problems with servers, workstations and popular NT add-ons. NT's auditing features are well-covered, as are the tricky issues of remote access with RAS. He describes how to use NT as an Internet host and assess the security of an existing NT system. Charles is both articulate and readable and he is no stranger to writing about security issues, having written and presented many papers on computer viruses. While this book is based on NT 3.51, almost all of the content applies directly to NT 4.0, making this a good choice for administrators working with both versions.

Approaching the problem from a slightly different perspective, Tom Sheldon's Windows NT Security Handbook (Osborne McGraw-Hill, $34.99) is firmly rooted in the author's network design and management experience, which parallels that of many people who now find themselves charged with securing NT networks. Tom looks at security as a certified network engineer, who also happens to be a very good writer and teacher, with numerous networking books and seminars to his credit.

While some security professionals, approaching the subject from a broad security perspective and viewing NT security as a narrow subset of a larger problem, might quibble with some of Tom's observations about security in general, there is no faulting his grasp of the subject. He takes you through the issues with the confidence that comes from practical experience and he speaks NT security in terms that NT administrators will readily understand. The book is very thorough and includes chapters on firewalls and NT web server security. The building blocks of security, such as public key encryption, are clearly explained and Appendix E makes a great security checklist for administrators.

There is another good checklist in Windows NT Security Guide by Stephen A. Sutton (Addison-Wesley, $29.95). In fact, there is so much to learn about NT security that buying two, or even all three, of the books reviewed here, would not be overkill. With Sutton's book you get much more of the traditional system security perspective, including one of the best explications of the trusted computing base and government security evaluation that I have come across. If you ever wondered what C2 really means and why it is important, but not that important, this is the book to read.

Sutton is president of Trusted Systems Services, an Illinois-based security consultancy which maintains a very helpful web site at www.trustedsystems.com. He approaches NT as "A time-worn veteran of high-end secure systems for the Defense community." For readers who share all or part of that background, this would be the NT security book to start with. But it also works as a text for the regular NT user who needs to be brought up to speed on security, and administrators looking to assess and review the security of their NT systems.

Where to begin?

To get started on securing your NT systems we suggest, in addition to the tips above, the following 10 items, some of which come from the white paper, "Windows NT Security Overview & Guidelines," the full text of which used to be available at www.microsoft.com.

1. Legal Logon Warnings
Windows NT has the ability to display your choice of message box before a user logs on. Use this to notify potential users of their legal liability if they attempt unauthorized use of the computer.

To set this up assign the following Registry key values on the system to be protected (before editing the Registry be sure to back it up -- if you are not clear on how to do this, run and read regedit.hlp). You can also accomplish this particular task with the System Policy Editor in Windows NT 4.0 or the C2CONFIG.EXE program.

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: LegalNoticeCaption (REG_SZ): Your message box title

Key: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
Value: LegalNoticeText (REG_SZ): Your message box text
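The two Winlogon settings above (the legal notice) and the DontDisplayLastUserName setting from the book review are the kind of thing that drifts back to defaults, so it is worth checking them on a schedule. The following script is an added example, not part of the original article or of Microsoft's tools: it parses a regedit export (regedit /e) of the Winlogon key and reports which of the three settings are not in place. The .reg text it reads is constructed sample data; the value names are the ones Windows NT stores (DontDisplayLastUserName, LegalNoticeCaption, LegalNoticeText).

```python
import re

# Registry key holding the logon-screen settings discussed in the article.
WINLOGON_KEY = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"

# Constructed sample export of that key from a workstation that has a legal
# caption but an empty notice text and still displays the last user name.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="jsmith"
"DontDisplayLastUserName"="0"
"LegalNoticeCaption"="Authorized Use Only"
"LegalNoticeText"=""
'''

_SECTION = re.compile(r"^\[(.+)\]$")
# Matches "Name"="string"  or  "Name"=dword:00000001 (the two types used here).
_VALUE = re.compile(r'^"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$')


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}}.
    Key paths and value names are lower-cased because the registry is
    case-insensitive; REG_SZ values come back as str, dword values as int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        sec = _SECTION.match(line)
        if sec:
            current = sec.group(1).lower()
            keys.setdefault(current, {})
            continue
        val = _VALUE.match(line)
        if val and current is not None:
            name, s, d = val.groups()
            keys[current][name.lower()] = s if d is None else int(d, 16)
    return keys


def audit_winlogon(text):
    """Return a list of findings; an empty list means all three settings are set."""
    values = parse_reg(text).get(WINLOGON_KEY.lower(), {})
    findings = []
    # DontDisplayLastUserName must be 1 (as a string on NT, as a dword later).
    if str(values.get("dontdisplaylastusername", "0")) != "1":
        findings.append("last logged-on user name is displayed at logon")
    # The legal warning needs both a caption and a non-empty body text.
    for name in ("LegalNoticeCaption", "LegalNoticeText"):
        if not values.get(name.lower()):
            findings.append(f"{name} is missing or empty")
    return findings
```

Run it against an export of your own Winlogon key instead of SAMPLE_REG to check a real machine; note that the script reads the export only and never writes to the registry.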

2. Don't Use Admin Accounts for General Work
People who do administrative work on the system may also use it for general activity (like word processing or email). To avoid accidental changes to protected resources don't perform general work while logged on with administrative privileges. Create and use a separate account for non-admin work.

3. Rename the Administrator Account
The name of the built-in Administrator account should be immediately changed to something less obvious. This account is a favorite target for interlopers attempting entry by repeatedly guessing passwords, because it is the one account that can never be locked out by repeated failed logon attempts. By renaming the account, you force attackers to guess the account name as well as the password.

4. Track a Dummy Administrator Account
If you create and maintain a dummy account, with low privilege, called "Administrator" you can monitor it for patterns of attempted access. This can show up inappropriate activity by insiders as well as outside attackers.

5. Account Lockout on Administrator Account
The NT Administrator account cannot be locked out by failed logon attempts, a precaution against such attacks disabling all privileged accounts on a system, thus denying legitimate access. With the PASSPROP utility from the Resource Kit, you can enable account lockout on the Administrator account. The command is:

PASSPROP /ADMINLOCKOUT

Even if the Administrator account is locked out, it can still be used to log on interactively to any domain controller, which prevents total lockout of the system.

6. Log off Domain Controllers
You can use NBTSTAT.EXE to determine the name of a user logged on interactively on a Windows system, which includes an administrator working on a domain controller. So consider logging off domain controllers as soon as you have completed any administrative tasks (also consider performing administrative tasks remotely from another Windows NT system when feasible).

7. The Guest Account
Get rid of the Guest account altogether, or at least prohibit Guest from Writing or Deleting any files, directories, or Registry keys (with the possible exception of a separate Guest directory where information can be left). A better idea is to remove the built-in Guest (you can use C2CONFIG.EXE for this) and create a very limited access account for visitors, with a non-obvious name (for example, use Joe Higgins rather than Visitor).

8. The Secure Attention Sequence
Make sure all users know to always press CTRL+ALT+DEL before logging on. This helps defeat password sniffing programs that present themselves as a waiting logon screen. By pressing CTRL+ALT+DEL you get the secure logon screen provided by Windows NT (also be sure to turn off Display Last Logged-on User, as described in the article).

9. Logging Off and Locking Down
Make sure all users know to either log off or lock their workstation whenever they are away from the computer for any length of time. Logging off is more secure because the password to a valid account is required to log back on. For automatic locking, enable a password protected 32-bit screen saver with a low timeout value, such as 5 minutes. For Windows 95 machines on your network consider a third party secure screen saver with an instant-on hot zone, such as Mike Cobb's HideThat (www.cobweb.oc.uk -- yes, he's my brother, but it is still a good program).

10. Do Not Rest Yet
Here are 5 further steps to take and re-take:

a. Regularly check that all of NT's password control features have been implemented, including password strength, length, and freshness.

b. Periodically check for and disable inactive user accounts.

c. Be sure you are auditing failed and successful security events, such as login and logoff attempts, file and object access, use of user rights, account management, security policy changes, restart and shutdown, and process tracking.

d. Keep the number of users with administrator privileges to a minimum.

e. Regularly check trust relationships to make sure users in all domains are abiding by your security policy.

Top 10 NT Security Resources

1. Check www.microsoft.com/security/ on a regular basis and click on the Windows NT link in the "Information by Product" section.

2. Read Microsoft's take on NT security by downloading and viewing all 95 slides in the PowerPoint presentation at:
www.microsoft.com/ntserver/info/securityguide.htm
(you will need PowerPoint 97 to read it -- but don't bother with the online animation program, I couldn't get it to work).

3. Read the parallel whitepaper, "Securing Windows NT Installation" which can be seen at, or downloaded from, www.microsoft.com/workshop/prog/security/guidesecnt.htm

4. Join the relevant security mailing lists. Internet Security Systems has done the world a big favor by pulling together a bunch of list info at www.iss.net/vd/maillist.html. ISS hosts several lists including one called NT Security that is a "must read" for NT security administrators. However, you might want to start with the Digest version to prevent excessive mail volume. As with most lists it is a good idea to get a feel for the participants before posting your own messages to the list.

5. Visit www.somarsoft.com and read their NT security white paper, then download and use their DumpAcl product.

6. Check out the tools at www.securityserver.com/category/@winnt5.htm.

7. Check out the detailed analysis of password cracking issues, relative to reports of NT password hacking, at: www.osp.nl/infobase/ntpass.html

8. Read at least one of the books reviewed in the article and use its security checklist, plus the C2CONFIG.EXE program, that comes with the NT Resource Kit, to adjust security settings.

9. Read Microsoft's response to some NT security scares: www.microsoft.com/ntserver/info/securityupdate.htm

10. Check the updated list of NT vulnerabilities at www.infilsec.com

And Even More Help Is Available:

http://www.trustedsystems.com/NSAGuide.htm

Updated Spring, 2002 by webloke © Stephen Cobb
Some article content reprinted by permission.
Article content copyright named author(s).