For the past few years, anyone who administers Windows NT/2000 servers and/or IIS Web servers has been painfully aware of how much time, effort, and planning goes into properly securing these systems. During this time, Microsoft has released dozens of patches designed to keep these systems secure from would-be attackers. Today, with information security being more important than ever, it is critical to keep up with these patches on existing Windows systems and to design new systems that are secure.
In this article and the next two articles, I will discuss the new Microsoft Security Toolkit. In this first installment, I will discuss the toolkit as it relates to Windows NT. The second article will cover Windows 2000, and the third one will examine Internet Information Server. In each article, I will provide a summary of the most important aspects of that particular section of the toolkit and discuss some of the post-service pack hot fixes that are available.
Installing a new Windows NT 4.0 Server or Workstation
Many organizations are busy installing Windows 2000 servers, but plenty are still installing new Windows NT 4.0 servers to support their day-to-day operating environments. Although I recommend installing Windows 2000 over Windows NT servers in most circumstances, Windows NT servers still have their place in the enterprise. And it is critical that these servers are properly protected against attacks from the outside.
The Microsoft Security Toolkit includes three documents that are essential to this undertaking:
- "Installing and Securing a New Windows NT 4.0 System"
- "Securing an Existing Windows NT 4.0 System"
- "Windows NT 4.0 Server Baseline Security Checklist"
For a new Windows NT 4.0 installation, you should start with the first document on this list. One of its recommendations is to perform the Windows NT installation from a network that is known to be free of corruption. I speak from experience when I stress how important this is. Recently, I had reason to install a new Windows NT 4.0 Server, and the network that it was running on was not compromised, but a firewall rule allowed access to the new server. Within minutes of the server’s baseline installation (without service packs), it was compromised by Code Red. I chose to wipe out the installation and start from scratch rather than try to fix it.
The next important piece of advice is to install only those services you plan to use on the server. For example, if the server will not be a Web server, do not install Internet Information Services.
This document also goes through a step-by-step process for installing Windows NT, securing it, and setting up any additional services that are required, such as DHCP, WINS, and IIS. It is important that you follow the instructions in this document to lessen the chances that your server is infected before the installation is completed. There are service packs, option packs, hot fixes, and security rollups included in these instructions. It is a very involved process.
Once your baseline installation is complete, you should read "Windows NT 4.0 Server Baseline Security Checklist" to see what else you need to do. Below, I will go over some of the important recommendations in the Windows NT Server checklist (some of which also pertain to NT Workstation).
The next step in your installation is to make sure that there are no obvious security issues with your server. Microsoft has provided a tool called the Network Security Hotfix Checker (Hfnetchk.exe), which checks your Windows NT installation, including Internet Information Server, SQL Server, and Internet Explorer 5.01 or later, to see what patches have been applied. This list is checked against a master list at Microsoft and returns a list of needed patches. While this is a complete list of patches that are not installed on your server, you need to double-check to see whether you need to install every recommended patch.
Securing an existing Windows NT 4.0 Server or Workstation
To secure an existing Windows NT system, you need to do four key things:
- Read the “Securing an Existing Windows NT 4.0 System” document in the Microsoft Security Toolkit.
- Disable services that are not required, such as Internet Information Server.
- Apply Service Pack 6a.
- Run Hfnetchk.exe as described above to see what you need to secure.
After all of this is done, you should apply the proper hot fixes and security rollups as you would for a base installation. Now it's time to give Microsoft's security checklist some serious consideration.
The security checklist
Regardless of whether you are installing a new server or securing an existing one, "Windows NT 4.0 Server Baseline Security Checklist" is an indispensable document to use as a guide. The checklist outlines the steps Microsoft recommends to secure a Windows NT Server installation. As we noted earlier, some of these recommendations can also be applied to Windows NT Workstation.
Here are some of the suggestions in the checklist that you should actually consider as requirements for every baseline server installation in your organization:
- Use NTFS for all disk partitions. There are very few instances where not using NTFS on a Windows NT Server or Workstation is a good idea. The only valid reason for a Workstation not to use NTFS is to support dual booting. NTFS offers advanced permissions capability and access control that is not found with the other file system formats.
- Make sure all user passwords are strong and secure and the database encrypted. This is more important than almost any other suggestion. If someone gets access to your server or workstation with Administrator rights, there is the possibility of substantial damage or theft of information. In addition, you should require strong passwords for all users and limit administrative privileges to only those users who absolutely require them. You should implement the Syskey utility, as described in the Windows NT Server security checklist.
- Disable unnecessary services, as described earlier.
- Install the latest service pack and post service pack updates, as described earlier.
- Protect files, directories, and specific registry keys with the Microsoft recommended maximum security permissions.
While these are the most important recommendations, everything on the checklist should be considered based on your specific needs.
In addition to the documents in the Security Toolkit and the Hotfix Checker tool, Microsoft offers another utility that will facilitate your security efforts. Qchain.exe is a command-line utility that allows you to install more than once hot fix at a time without rebooting in between. The only reboot is at the end of the entire hot fix process.
This article introduced the Microsoft Security Toolkit and provided an overview of its contents as it pertains to Windows NT 4.0. Most of the suggestions offered apply to both the Server and Workstation varieties of WinNT4.
Security has become an increasingly important aspect of system administration and it can consume an enormous amount of time. Microsoft has attempted to make this process somewhat easier with the release of the Security Toolkit and related tools such as Hfnetchk and Qchain.