Published on O'Reilly (http://oreilly.com/)
Top Ten Windows NT/2000 Internet Security Tips
by Stefan Norberg
11/02/2000
Much of Microsoft's success in the network operating system market is
because its products are easy to use. The Windows NT server version has
the familiar user interface that almost all office workers use every day.
It's easy to get started, and you don't need in-depth knowledge of
the operating system to install a Windows NT server. Most components are
configured and started automatically--as they are in the consumer
Windows 9x operating systems. These characteristics of Windows are attractive
ones for an organization's internal file and print server, which is not
exposed to direct attack from external networks. However, for an external
Web server that serves the organization's customers and partners over the
Internet, you want something quite different. A system that's exposed in
this way should provide a minimum of services (such as DNS, Mail, etc.),
and should be properly configured to ensure a higher level of security.
A system configured in this manner is referred to as a bastion host.
When you are configuring a Windows NT/2000 bastion host, keep the following
tips in mind:
- Only install what you need.
Bastion hosts should be stripped to
a bare minimum. For example, there's no reason to install MS Office on a
bastion host. Also, remove all unused software that comes with the
operating system.
- Disable unneeded services.
Windows NT/2000 systems run a large
number of services (background processes) by default. Many of these can be
attacked over the network. Make sure that you disable all unneeded
services on your bastion hosts. This will limit the points of attack and
you can concentrate your hardening efforts on the few running, hence
attackable, services.
- Set strict permissions.
Make sure to review the default file
system and registry permissions for the operating system and any
applications you install. If an attacker manages to break into the system,
you need to have strict file system and registry permissions to protect
other resources.
- Use additional layers of protection.
Even if you configure your
bastion hosts by the book, you still will need a firewall system as an
additional layer of security. A firewall will make it a lot more difficult
for an attacker to gain shell access or to replace file contents by
exploiting a vulnerability.
- Trust only what you verify.
Don't trust the manual, the
checkboxes in the graphical user interface, or the vendor's statements
about the way something works. You need to test and verify everything
yourself.
Note: This tip was first presented in 12 Tips on Building Firewalls by the
authors of Building Internet Firewalls, 2nd Edition.
- Don't run software as LOCAL SYSTEM.
If possible, avoid running
software requiring LOCAL SYSTEM privilege in NT/2000. If an attacker
manages to break such an application, he'll be able to do just about
anything on your system.
- Don't run NetBIOS/SMB.
Avoid running NetBIOS or SMB in the
perimeter network. NetBIOS wasn't designed with security in mind and a
firewall likely will not be able to protect your other hosts if one system
is broken into. There are other ways of managing your hosts than using
NetBIOS; products such as Windows 2000 Terminal Services, pcAnywhere, or
OpenSSH/VNC are a few examples.
- Synchronize the clocks.
Use some kind of clock-synchronization
software so that all systems have the same time. This is important if you
need to compare logs from different systems.
- Configure auditing.
NT and Win2K have very good auditing
capabilities. Make sure to configure and enable auditing on your systems.
Auditing will help you track changes made to the system.
- Use remote logging.
Often, attackers cover their tracks by
removing the log files from the system when they're done. Use a remote
logging mechanism to get the log entries off the system immediately.
Remember, on a bastion host you always want to limit the number of running
services and components. And you need to understand what you're doing, too.
It's almost impossible to have both ease of use and a "secure by default"
system configuration.
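The "Disable unneeded services" and "Don't run software as LOCAL SYSTEM" tips can be checked together against a service inventory. The script below is an added example, not part of the original article; it assumes PowerShell 3.0 or later (which postdates NT/2000), and the allowlist, the function name, and the sample inventory are constructed for illustration.

```powershell
# Added example (not from the article). Requires PowerShell 3.0 or later.
# $Allowlist is a hypothetical set of services this bastion host's role needs.
$Allowlist = @('W3SVC', 'EventLog', 'W32Time')

function Get-BastionServiceFinding {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Service,
        [Parameter(Mandatory = $true)] [string[]] $Allowed
    )
    foreach ($svc in $Service) {
        # A service that is merely stopped can still be started later;
        # only StartMode 'Disabled' counts as switched off.
        if ($svc.StartMode -eq 'Disabled') { continue }

        $reasons = @()
        if ($Allowed -notcontains $svc.Name) {
            $reasons += 'enabled but not on the allowlist'
        }
        if ($svc.StartName -eq 'LocalSystem') {
            $reasons += 'runs as LOCAL SYSTEM'
        }
        if ($reasons.Count -gt 0) {
            [pscustomobject]@{
                Name      = $svc.Name
                State     = $svc.State
                StartMode = $svc.StartMode
                Account   = $svc.StartName
                Finding   = $reasons -join '; '
            }
        }
    }
}

# Constructed sample inventory so the logic can be checked offline.
# Property names match those of the Win32_Service WMI class.
$sample = @(
    [pscustomobject]@{ Name = 'W3SVC';     State = 'Running'; StartMode = 'Auto';     StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'Spooler';   State = 'Running'; StartMode = 'Auto';     StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'Messenger'; State = 'Stopped'; StartMode = 'Manual';   StartName = 'LocalSystem' }
    [pscustomobject]@{ Name = 'Alerter';   State = 'Stopped'; StartMode = 'Disabled'; StartName = 'LocalSystem' }
)
Get-BastionServiceFinding -Service $sample -Allowed $Allowlist | Format-Table -AutoSize

# On a live host, feed it the real inventory instead:
# Get-BastionServiceFinding -Service (Get-CimInstance Win32_Service) -Allowed $Allowlist
```

With the sample data, W3SVC is reported only for its account, Spooler and Messenger for both reasons, and the disabled Alerter service is skipped. A LOCAL SYSTEM finding is a prompt for review, not proof of a fault.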
Stefan Norberg is an independent network security consultant based
in Stockholm, Sweden. He has built everything from large firewalls to
highly available Unix clusters. He has designed and implemented Internet
firewalls using building blocks like Cisco IOS, HP-UX, Linux, and Windows
NT/2000. When he finds spare time, Stefan enjoys spending it with his
wife Marianne and daughter Matilda.
Copyright © 2009 O'Reilly Media, Inc.