LCZ-NT4-DC 1.1 16 May 2009 This document specifies technical security policy for implementations of Microsoft Windows NT4.0, and applies to domain controller implementations of NT4.0. 1.1 16 May 2009 FOD Revised for re-release 1.0 04 February 2003 LCZ Initial Version for public release 2001200220032009 Frank O'Dwyer To specify a baseline configuration for implementations of <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 domain controller. To provide guidance to administators, developers and security personnel in securely implementing <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 domain controller. Controls specified in this document apply to domain controller implementations of NT4.0. All of the organisation's NT4.0 domain controller systems will be subject to the policies specified within this security standard. The policies will be applied to new and existing installations. Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from your Information Security team consultancy function. This is a specific standard for NT4.0 domain controllers. Controls specific to workstation, server, and generic controls common to all are not specified in this document and are the subject of separate standards. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt. An Information Asset equates to any computerised information system or component thereof and thus includes an application, off the shelf software, hardware, media, data item, data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous. User passwords must be set to be changed following reset or after the creation of a new account Are user passwords set to be changed following reset or after the creation of a new account? Select change password at next logon for the account in question Account passwords may be compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. A Home Directory should be specified for each user. Is a home directory specified for each user? Ensure that the home directory is specified for each account unless it is to be defined in a login script Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Each user account must have the full name and description fields completed with the details of the account owner name, location and phone number Does each user account have the full name and description fields completed with the details of the account owner name, location and phone number? Complete the full name and description for each user account This information aids rapid investigation of anomalies This information aids resolution of access validation/audits A failure to be able to successfully audit access may result in unauthorised accounts going unnoticed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. All users should have a logon script Do all users have a logon script defined? For each user define a logon scipt that pertains to the group they are in or the type of user they are. Environment variables and restrictions may be bypassed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that the Guest account is disabled Is the Guest account is disabled? Ensure that the Guest account is disabled The Guest account can be used to gain access to information assets Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to lock pages in memory must be held by no one. Is the advanced user right to lock pages in memory held by no one? Ensure that no one holds this right Business information and services may be subject to a loss of availability The advanced user right to log on as a batch job must be held by no one. Is the advanced user right to log on as a batch job held by any user? Ensure that no one holds this right Business information and services may be subject to a loss of availability The user right to take ownership of files and directories must be held by administrators only Is the user right to take ownership of files and directories held by administrators only? Ensure that the administrators group holds this right Ensure that only administrator staff are members of the administrators group Business information may be subject to unauthorised disclosure Business information may be subject to a loss of availability Business information may be subject to alteration The user right to manage auditing and security log must only be available to administrators and the security group Is the user right to manage auditing and security log only available to administrators and the security group? Ensure that the administrators group holds this right Ensure that the security users group holds this right Ensure that only administrators are members of the administrators group Ensure that only security users are members of the security group Sensitive audit trail data may be lost Sensitive audit trail data may be disclosed Business information may be subject to unauthorised disclosure Business information may be subject to a loss of availability Business information may be subject to alteration The user right to backup files and directories must only be held by Backup Operators Is the user right to backup files and directories only held by Backup Operators? Ensure that only operators are in the backup operators group Ensure that the backup operators group hold the backup files and directories user right Business information may be subject to unauthorised disclosure Business information may be subject to a loss of availability The advanced user right to increase quotas must be held by administrators only Is the advanced user right to increase quotas must be held by administrators only Ensure that the administrators group holds this right Ensure that only administrator staff are members of the administrators group Business information and services may be subject to a loss of availability The user right to restore files and directories must be held by administrators and backup operators only. Is the user right to restore files and directories held by administrators and backup operators only? Ensure that the administrators and backup operators group holds this right Ensure that only administrator staff are members of the administrators group Ensure that only backup operators are members of the backup operators group Business information may be subject to unauthorised disclosure Business information may be subject to a loss of availability Business information may be subject to alteration The user right, access this computer from network should be available to everyone Is the user right, access this computer from network, available to everyone? Ensure that the everyone group holds the user access right, access this computer from the network. Business information and applications may be unavailable. User accounts must not be set such that the user cannot change their password Are user accounts set such that the user can change their password? Select change password at next logon for the account in question Account passwords may be compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. User accounts must not be set such that the password never expires Is it ensured that user accounts are not set such that their password never expires? For each account ensure that the password never expires flag is not set. Passwords that do not change are at greater risk of compromise Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Remote Acess Server must be enabled only if required If Remote Acess Server is enabled is it required? Disable remote access server if it is not required Remote access server allows users potentially to gain unauthorised remote access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. File and directory permissions must be restricted on the basis of least privilege Are file and directory permissions restricted on the basis of least privilege? Ensure that the access permitted for each file and directory permits the minimum access permissions Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The Notification Packages registry key must contain only authorised password filter or password synchronisation packages. Has the Notification Packages registry key been checked for Unauthorised/unexpected values in the Notification Packages registry key? Check the contents of the registry key \System\CurrentControlSet\Control\Lsa\Notification Packages. This key should name only authorised password filters and password synchronisation packages. It should not reference the FPNWCLNT package (see Knowledge Base Q99885). PASSFILT is an acceptable entry under this key. Passwords may be intercepted during password change. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Replication must be implemented only at the administrator level Is replicationimplemented only at the administrator level? Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. User accounts should be locked out after 3 consecutive login failures Are user accounts locked out after 3 consecutive login failures? Define in the domain policy that accounts be locked out after 3 login failures Given enough attempts any account password may be guessed Unauthorised access may result from allowing a liberal number of logon attempts Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The reset count for logon failures should be set to 7200 minutes Is the reset count for logon failures set to 7200 minutes? Define in the domain policy for reset count for logon failures be 7200 minutes Slowing down the number of guesses that can be attempted will hinder a breakin attempt. A short reset time effectively increases the number of attempts before lockout This may result in an account being compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The lockout duration should be set to forever Is the lockout duration set to forever? Define in the domain policy lockout duration to be forever Setting lockout duration to anything other than forever allows password guessing attempts to be resumed against the account after the lockout period expires Given enough time and enough attempts account passwords will be guessed Accounts may be compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.