Installing and Securing Windows NT 4.0
CAUTION: The information contained below is aimed towards securing the NT Operating System. This information represents a "high security" posture and may break or disrupt performance on your own machine. The suggestions listed on this page may not be suitable for your environment. Test all changes on a non-production host before applying them to your production machine. Security-Focus is not responsible for any damage that may result from applying these suggestions.
Enable Auditing
| 21 |
The NT Operating System ships with a very powerful auditing mechanism. Unfortunately, few people enable logging. Even fewer review their logs on a regular basis. Try some of the following settings. Don't worry, there is no perfect combination of settings. Any two vendors you ask will have a different recommendation for audit policies. Keep trying different combinations until you are comfortable with the results.
| Logon and Logoff | Logging failed logon access attempts is highly recommended. For sensitive servers, enable successful logon events |
| File and Object Access | Enabling this check will not capture any events until you apply auditing to specific files and directories (via Explorer). Consider logging access to your sensitive files |
| Use of User Rights | This setting will capture events when a user completes or attempts to complete actions that require a specific user right. Enable as needed |
| User and Group Management | This event will capture creation and modification of users, and the management of groups. Use this to track your administrator activities (authorized or otherwise) |
| Security Policy Changes | This event will capture changes to the audit policy settings. Use this to determine when someone has disabled auditing. |
| Restart, Shutdown and System | As it suggests. Helpful in diagnosing system problems |
| Process tracking | Be very, very careful when enabling this check. It will generate a large number of log entries and may negatively impact system performance. Use only as needed |
Set Account Policies
| 22 |
The default posture for NT account policies is not suitable for a secure system. Set the following options according to your corporate policy.
| Maximum Password Age | Set to your corporate policy. 60 or 90 days may be appropriate |
| Minimum Password Age | Though this may not seem important, users may take advantage of the 'Allow Changes Immediately' setting to bypass your Password Uniqueness setting. (If you require five unique passwords, users may change their password five times within one minute until they are back to their original password.) Set this value to at least one day - forcing users to change their password once a day for 5 days until they are back at their original password. |
| Minimum Password Length | Seven. (Not Six, Not Eight. Seven) Period. |
| Password Uniqueness | Set to your corporate policy. 6 or 7 may be appropriate |
| Account Lockout | It's there for a reason. Use it. The majority of unauthorized accesses via password guessing can be thwarted by enabling account lockout. A must for Internet connected systems. Account Lockout may not be feasible in all environments; refer to your corporate policy. Don't forget to enable this on your local NT Workstation |
| Lockout After 'X' Bad Logon Attempts | Set to your corporate policy. 5 may be appropriate |
| Reset Count After 'X' Minutes | 5 minutes minimum. 1 hour recommended |
| Lockout Duration | Set to Forever for critical hosts. Set to one day for remaining hosts. (There are 1440 minutes in 24 hrs) |
| User must log on in order to change password | Set to corporate policy. If in doubt, leave unchecked |