Windows NT Server provides a number of security measures to protect your organization, from simple things, such as ensuring the correct use of passwords, to sophisticated measures, such as screening calls upon dial-in. Are you using all of the necessary features to keep your network secure?
What to do with old user accounts
Do you have a user who has recently left your organization? Your position as the system administrator requires that you terminate access to that account on the network. You have two ways to go about doing this: the hard way or the easy way.
- Deleting user accounts: This is a permanent action to take when a user has left your organization. Once the account is deleted, the information stored within that account, such as permissions and security identifier (SID), is erased. Once the SID is erased, an administrator can’t reinstate the account simply by creating a new account with the same name. It will require a different SID, and NT will consider it a different account.
- Disable user accounts: This is the safe way to go when an employee leaves the organization. You can disable the account rather than deleting it, which can save you the effort of starting from scratch when you hire a new employee. By doing this, you will not have to create a new user account, reassign appropriate access permissions, user rights, and group memberships. The only work required is to rename the account. Note, however, that some permissions may have to be changed, unless the network is set to grant permissions via groups instead of individuals.
Controlling users via User Properties
In a moderate- to high-security environment, it is advisable to control certain aspects of user access via the User Properties dialog box. Table 1 suggests settings for various security needs.
|User property||Minimal security||Moderate security||High Security|
|Hours of access||No restrictions||Restrict temporary employees to office hours||Restrict all users to office hours only|
|Logon To||No restrictions||Restrict temporary employees to computers they normally work on||Restrict all users to one computer|
|Account Expiration||Temporary employees only||Temporary employees only||Set expiration date for temporary employees|
|Dial-in (RAS)||No restrictions||Limit to the Callback number set by the caller||Limit to the preset Callback number|
Rename the administrator account
Another important step in securing your network is to rename the administrator account with a less obvious name. The administrator account offers an easy way for unauthorized users to break in to the network by guessing passwords. Unauthorized users like to hack the administrator account for three reasons:
- The account name, Administrator, is a given, so it is easy to try to access that account by guessing the password.
- It is impossible to disable the Administrator account.
- You can’t lock out the Administrator account even after repeated logon attempt failures.
While renaming the administrator account on Windows NT 4.0 doesn’t present a problem to the administrator, doing so on NT 3.5x could keep certain utilities from operating correctly because they depend on the name being unchanged. In addition, international versions of NT could also be adversely affected by a name change.
Passwords are a great thing if used correctly
One of the hardest things to do in an organization is to get users to comply with policies requiring hard-to-guess passwords and frequent password changes. To set up a hard-to-guess password, it is suggested that users use the following guidelines:
- Passwords should be at least six characters long.
- Passwords must not contain the user’s name or any part of the user’s full name.
- Passwords should contain at least three of the following four classes: English uppercase letters A-Z, English lowercase letters a-z, westernized Arabic numbers 0-1, and special characters such as *, ?, and #.
There are some additional steps that may help keep the passwords safe:
- Educate users not to write down their passwords.
- Have users avoid obvious passwords, such as the names of the user’s children or spouse.
- Do not distribute user accounts and passwords in the same communication. For example, if you were to send users their password in e-mail, send it separately from the account name that they must use.
Use NT to your advantage
Using hard-to-guess passwords is a step in the right direction, but you can also bolster Windows NT Server security by using the account lockout feature. This will make it extremely difficult for a person to break in to an account.
When this feature is enabled, the account will lock if someone makes a certain number of incorrect logon attempts. Once this occurs, only the administrator can take off the block, or a certain time period must pass before access to the account is permitted once again.
Keep Windows NT holes patched
Microsoft offers security enhancements by offering service packs and security patches from its Web site. It's a good idea to monitor the site for the newest upgrades and to implement them when they're suitable for your organization.
Have you ever had a security breach on your network? Maybe you have a security success story. Tell us about it by posting a comment below or sending us a note .
Ed Engelking is a TechRepublic Web editor with a concentration on enterprise administration and support issues. He's also the co-owner of UCANweb.com.