Microsoft Windows NT(r) Security Checklist version 1.0
 
 

Note: This checklist is meant as an aid to Windows NT Administrators in securing a Standalone or Networked Windows NT Server. Please note that a C-2 compliant Windows NT Server must be a Standalone Server. This checklist is far from complete, and additional versions will be forthcoming as I get the time to add new procedures. These procedures are in NO WAY meant to replace a secure Firewall; they are added security measures that may be implemented to enhance the security of external network traffic coming through a Firewall, as well as added protection against inside network traffic.

If you have any tips, suggestions or procedures to add to this list, feel free to email them to me at comptech@monte.k12.co.us
 
 

Account Related Procedures:

1. Rename the Administrator account

2. Make Administrative passwords very difficult (Do NOT use real words. Use a coded phrase, such as EgbDF for Every Good Boy Does Fine. Also, mix upper- and lower-case letters and use a minimum of 10 characters)

3. Create a new account named 'Administrator'

4. Set the 'fake' Administrator account's logon hours so that all hours are disallowed

5. Set 'fake' Administrator's account 'Logon To' option to a low-priority workstation

6. Account Policies are critical; set them!

Password Restrictions:

* Maximum Password Age (35)

* Minimum Password Age (3)

* Minimum Password Length (7-8)

* Password Uniqueness (3)

Enable Account Lockout:

* Lockout after x bad logon attempts (3-4)

* Reset Count after x minutes (25)

* Lockout duration field (Forever or 30)

Other:

* Forcibly disconnect remote users from the server when logon hours expire (set this to disconnect sessions that were not logged off)

* User must log on in order to change password (Set to prevent users whose passwords have expired from logging on)
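Items 1 through 6 above can largely be applied from the command line rather than clicking through User Manager. The following is an added example, not part of the original checklist, using the NT 4 "net accounts" and "net user" commands. It assumes the real administrator account has already been renamed in User Manager (net user cannot rename an account), that the decoy is confined to a hypothetical workstation named WKSTN01, and that the decoy's password shown is a constructed placeholder to be replaced with a long random value. The lockout and forced-disconnect settings from item 6 are left to User Manager (Policies > Account), since net accounts on NT 4 does not reliably expose them.

```batch
@echo off
rem Added example (not from the checklist author): items 1-6 with NT 4 net commands.
rem Assumption: the real Administrator was already renamed through User Manager,
rem so the name 'Administrator' is free for the decoy account.

rem Item 6, Password Restrictions: 35-day maximum age, 3-day minimum age,
rem 8-character minimum length, remember the last 3 passwords.
net accounts /maxpwage:35 /minpwage:3 /minpwlen:8 /uniquepw:3

rem Item 3: create the decoy 'Administrator' account.
rem The password is a constructed placeholder; use a long random one.
net user Administrator "Xq7mBv2rT9kLpW4z" /add /comment:"Decoy - see audit log"

rem Item 4: an empty /times: value disallows every logon hour.
net user Administrator /times:

rem Item 5: the decoy may only log on at one low-priority workstation (hypothetical name).
net user Administrator /workstations:WKSTN01

rem Review what was actually applied.
net accounts
net user Administrator
```

Because the decoy account can never log on anywhere, any logon attempt against it that appears in the Security log (once Logon and Logoff auditing from item 8 is enabled) is worth investigating, since no legitimate user has a reason to try it.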

7. Setting User Rights Policies (User Rights Policies can be fairly broad, therefore only the more pertinent ones are provided here)

* Access this computer from the Network-Remove the 'Guest' account and any other accounts that do not need to reach the server over the network at your site

* Act as part of the Operating System-Remove any standard users

* Force Shutdown from a Remote System-Administrators/Server Operators only

* Load and Unload Device Drivers-Administrators only

* Log on Locally-Use only for people that need direct access to the server (Administrators, Server Operators, Domain Admins, IUSR)

* Shut Down the System-Administrators and Server Operators only

8. Setting Auditing Policies (Success/Failure)

* Logon and Logoff-important for tracking user logons

* File and Object Access

* Use of User Rights

* User and Group Management

* Security Policy Changes

* Restart, Shutdown and System

* Process Tracking

9. Remove any old/unused/unnecessary user accounts

10. Check user accounts for any accounts marked 'Password Never Expires' and confirm the reason for each

11. Check user accounts for any disabled accounts-determine why they are disabled and whether they can be deleted

12. Check logon hours-set if necessary

13. Check Profile Directory (also delete, if user is deleted)

14. Check the Logon To-Does user need access to all computers or only a few

15. Set account expirations for graduating students, temp employees or any temporary account

16. Set Administrative and Network 'test' accounts to expire

17. Periodically evaluate Operator and Administrator Group members

18. All Administrators should have 2 accounts, one for administrative and one for normal usage. Only use Administrative when necessary

19. When taking over a system, change administrative username and password immediately

20. Create a back-door administrative account with a 3-part password and give it to 3 people

21. When NT Workstation is added, Domain Admins are added to the NT Workstation's Administrator group-determine if this is appropriate for your NT Workstation
 
 

Operating System Procedures:

22. Check Services-Run as few as possible or run under a less privileged account than the 'system' account

23. Log off all NT Servers when not in use (do not rely on the 'Lock Workstation' option)

24. Remove the 'Administrator' and 'Everyone' from the 'Access this computer from the network' option
 
 

Physical Security Procedures:

25. Password-protect the system CMOS/BIOS

26. Disable all Floppy Disk Drives

27. Review backup policies and procedures

28. Ensure a UPS is on all critical NT Servers
 
 

File System Procedures:

29. Set User Rights

30. Set Audits

31. Enable individual Directory auditing if necessary

32. Separate publicly from privately accessible files

33. Remember that 'Everyone' is added to all shared folders by default-remove if inappropriate

34. Public file sharing directories should be isolated and read only. Create a drop box with only write permissions for uploadable files, and always scan uploaded files for viruses

35. On Application servers, Programs and Data should be in different locations

36. Program directories should grant read and execute permission only, not write, so that a virus cannot be written into a program directory and then run from there

37. Never share the root directory of a drive, except for CD-ROMs

38. Install new software on isolated test systems before implementing, especially downloadable software.

39. Periodically check all file share permissions for correctness

40. Use encryption if necessary
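Items 33 through 39 above come down to NTFS permissions and share definitions, which on NT 4 can be set with "cacls" and "net share". The following is an added example, not part of the original checklist. It assumes a hypothetical layout with programs in D:\Apps, application data in D:\AppData, the read-only public directory in D:\Public and the drop box in D:\Dropbox. NT 4's cacls only knows the R (read), C (change) and F (full control) permissions, so the write-only drop box permission from item 34 still has to be set in Explorer (Permissions > Special Directory Access); cacls handles the rest.

```batch
@echo off
rem Added example (not from the checklist author): items 33-39 with NT 4 cacls and net share.
rem Assumption: D:\Apps, D:\AppData, D:\Public and D:\Dropbox are hypothetical directories.
rem cacls without /E REPLACES the ACL, which also drops the default 'Everyone' entry (item 33);
rem /T recurses and asks for confirmation, so the answer is piped in.

rem Item 36: programs are read/execute (R) for Users; only Administrators and SYSTEM may write.
echo y| cacls D:\Apps /T /G Administrators:F SYSTEM:F Users:R

rem Item 35: data lives in a separate tree where Users may change files (C) but programs are not kept.
echo y| cacls D:\AppData /T /G Administrators:F SYSTEM:F Users:C

rem Item 34: the public directory is read only for Users.
echo y| cacls D:\Public /T /G Administrators:F SYSTEM:F Users:R

rem Item 34, drop box: grant Administrators full control here; the write-only (Add) entry for Users
rem is not expressible in NT 4 cacls and is added afterwards in Explorer.
echo y| cacls D:\Dropbox /T /G Administrators:F SYSTEM:F

rem Item 37: share the subdirectories, never the root of D:.
net share Public=D:\Public /REMARK:"Read-only public files"
net share Dropbox=D:\Dropbox /REMARK:"Upload only - scan for viruses before use"

rem Item 39: review the resulting permissions and shares.
cacls D:\Apps
cacls D:\Public
net share
```

Share permissions (Everyone: Full Control by default on NT 4) still apply on top of these NTFS permissions; the effective access is the more restrictive of the two, so item 33 should be checked on the share itself as well, in Explorer or Server Manager.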
 
 

C-2 Compliance:

1. The system should not be a dual boot system

2. OS/2 and POSIX subsystems should not be installed

3. All drives must be formatted for NTFS, not FAT

4. Security log should not overwrite old events

5. Do NOT allow blank passwords

6. Disable the 'Guest' account
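Three of the C-2 items above (3, 4 and 6) can be applied from the command line; item 5 is already covered by a non-zero minimum password length under Account Policies. The following is an added example, not part of the original checklist. It assumes a FAT volume on a hypothetical D: drive, and it writes the Security log's Retention value (0xFFFFFFFF, which is what Event Viewer's "Do Not Overwrite Events" setting stores) through a REGEDIT4-format file imported with regedit /s; that registry value and its meaning are stated here as an assumption to verify against your own system's Event Viewer settings.

```batch
@echo off
rem Added example (not from the checklist author): C-2 items 3, 4 and 6 from the command line.
rem Assumptions: D: is a FAT volume; the Retention value below matches Event Viewer's
rem "Do Not Overwrite Events" setting.

rem Item 3: convert a FAT volume to NTFS (a system volume converts on the next reboot).
convert D: /FS:NTFS

rem Item 4: the Security log never overwrites old events.
rem A REGEDIT4 file needs the header, a blank line, the key and the value.
> %TEMP%\seclog.reg echo REGEDIT4
>> %TEMP%\seclog.reg echo.
>> %TEMP%\seclog.reg echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
>> %TEMP%\seclog.reg echo "Retention"=dword:ffffffff
regedit /s %TEMP%\seclog.reg
del %TEMP%\seclog.reg

rem Item 6: disable the Guest account.
net user Guest /active:no

rem Verify the Guest account state.
net user Guest | find "Account active"
```

With the log set never to overwrite, NT stops recording security events once the log is full, so the log must be sized generously in Event Viewer and archived and cleared on a schedule; otherwise the setting trades overwritten old events for missing new ones.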
 
 

Copyright(c) 1998, Matrix Computer Consultants

Microsoft Windows NT(r) is a registered trademark of Microsoft Corporation
