Copyright © 2001, 2002, 2003, 2009 Frank O'Dwyer
![[Important]](../../../images/important.gif) | Important |
|---|---|
All of these Security Standards and Security Policies are copyrighted. THEY ARE NOT IN THE PUBLIC DOMAIN. They are however distributed under a liberal open-source license, see Publishing these Security Standards and Policies. | |
16 May 2009
| Revision History | ||
|---|---|---|
| Revision 1.1 | 16 May 2009 | FOD |
| Revised for re-release | ||
| Revision 1.0 | 04 February 2003 | LCZ |
| Initial Version for public release | ||
Abstract
This document specifies technical security policy for implementations of Microsoft™ Windows™ NT4.0, and applies to domain controller implementations of NT4.0.
This standard contains 22 baseline controls, and 0 above baseline controls, for a total of 22 controls.
Table of Contents
- 1. Introduction
- 2. User Configuration
- 2.1. User Administration
- 2.1.1. User passwords must be set to be changed following reset or after the creation of a new account
- 2.1.2. A Home Directory should be specified for each user.
- 2.1.3. Each user account must have the full name and description fields completed with the details of the account owner name and phone number
- 2.1.4. All users should have a logon script
- 2.2. Default Accounts
- 2.3. Privileges
- 2.3.1. The advanced user right to lock pages in memory must be held by no one.
- 2.3.2. The advanced user right to log on as a batch job must be held by no one.
- 2.3.3. The user right to take ownership of files and directories must be held by administrators only
- 2.3.4. The user right to manage auditing and security log must only be available to administrators and the security group
- 2.3.5. The user right to backup files and directories must only be held by Backup Operators
- 2.3.6. The advanced user right to increase quotas must be held by administrators only
- 2.3.7. The user right to restore files and directories must be held by administrators and backup operators only.
- 2.3.8. The user right, access this computer from the network, should be available to everyone
- 2.4. Authentication/Password Configuration
- 3. Network Security Configuration
- 4. Configuration
- 5. Auditing and Monitoring
- 6. Checklist
Table of Contents
The objectives of this document are:
To specify a baseline configuration for implementations of <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 domain controller.
To provide guidance to administators, developers and security personnel in securely implementing <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 domain controller.
Controls specified in this document apply to domain controller implementations of NT4.0.
All of the organisation's NT4.0 domain controller systems will be subject to the policies specified within this security standard. The policies will be applied to new and existing installations.
Compliance with this standard will not provide “in depth” security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from your Information Security team consultancy function.
This is a specific standard for NT4.0 domain controllers. Controls specific to workstation, server, and generic controls common to all are not specified in this document and are the subject of separate standards.
Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt.
Your feedback to improve this document is welcome. Please let me know of your experiences in applying the controls and guidance in this standard. Are the controls effective, easy to implement, too onerous, clear, unclear, something missing? Does an exceptional case need to be covered? Let me know. Please send your comments to frankodwyer AT netscape.net. Your comments will be used to produce better free security standards for the IT community.
I also request that you give feedback where you think the controls and guidance is correct. This will let us gauge whether or not specific controls are controversial or broadly acceptable to the community, and will help us to resolve cases where we have conflicting feedback on particular content.
This document may be reproduced and distributed in whole or in part, free of charge, subject to the following conditions:
All copyright and trademark notices, and this permission notice must be preserved complete on all complete or partial copies.
Any translation or derivative work of this document must be approved by Frank O'Dwyer in writing before distribution.
If you distribute this guide in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.
Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given.
Neither Frank O'Dwyer's name nor the names of any contributors may be used to endorse or promote products derived from this document without specific prior written permission.
THIS DOCUMENT IS PROVIDED BY FRANK O'DWYER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FRANK O'DWYER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
I would like to be informed of any plans to publish or distribute these documents, just so I know how they're being used and where they are becoming available. If you are publishing or distributing or planning to publish or distribute any of these documents, please send mail to frankodwyer AT netscape.net
This document should be read and applied in conjunction with the technology specific security standards that are available from the frankodwyer.com web site. Please note that some of the documents below are currently under development and as such may not as yet be available. Check back frequently for updates to this document and those documents listed below.
Generic Security Standards
http://www.frankodwyer.com/standards/index.html#generic
Data Protection European Union Security Standard
http://www.frankodwyer.com/standards/index.html#generic
Application Service Provider Security Standards
Generic Unix Security Standards
http://www.frankodwyer.com/standards/index.html#os
Windows NT4.0 Generic Security Standards
http://www.frankodwyer.com/standards/index.html#os
Windows NT4.0 Workstation Security Standards
http://www.frankodwyer.com/standards/index.html#os
Windows NT4.0 Server Security Standards
http://www.frankodwyer.com/standards/index.html#os
Windows NT4.0 Domain Security Standards
Oracle Security Standards
Table of Contents
- 2.1. User Administration
- 2.1.1. User passwords must be set to be changed following reset or after the creation of a new account
- 2.1.2. A Home Directory should be specified for each user.
- 2.1.3. Each user account must have the full name and description fields completed with the details of the account owner name and phone number
- 2.1.4. All users should have a logon script
- 2.2. Default Accounts
- 2.3. Privileges
- 2.3.1. The advanced user right to lock pages in memory must be held by no one.
- 2.3.2. The advanced user right to log on as a batch job must be held by no one.
- 2.3.3. The user right to take ownership of files and directories must be held by administrators only
- 2.3.4. The user right to manage auditing and security log must only be available to administrators and the security group
- 2.3.5. The user right to backup files and directories must only be held by Backup Operators
- 2.3.6. The advanced user right to increase quotas must be held by administrators only
- 2.3.7. The user right to restore files and directories must be held by administrators and backup operators only.
- 2.3.8. The user right, access this computer from the network, should be available to everyone
- 2.4. Authentication/Password Configuration
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-UC-2 | 1.0 | baseline | mandatory |
User passwords must be set to be changed following reset or after the creation of a new account
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-UC-7 | 1.0 | baseline | recommended |
Ensure that the home directory is specified for each account unless it is to be defined in a login script
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-UC-6 | 1.0 | baseline | mandatory |
Each user account must have the full name and description fields completed with the details of the account owner name, location and phone number
Where this control is not applied, the following residual risks exist:
This information aids rapid investigation of anomalies
This information aids resolution of access validation/audits
A failure to be able to successfully audit access may result in unauthorised accounts going unnoticed
Business information may be accidentally or maliciously altered.
Business information may be disclosed.
Business information and applications may be unavailable.
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-UC-1 | 1.0 | baseline | recommended |
For each user define a logon scipt that pertains to the group they are in or the type of user they are.
Where this control is not applied, the following residual risks exist:
Environment variables and restrictions may be bypassed
Business information may be accidentally or maliciously altered.
Business information may be disclosed.
Business information and applications may be unavailable.
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-UC-5 | 1.0 | baseline | recommended |
Where this control is not applied, the following residual risks exist:
The Guest account can be used to gain access to information assets
Business information may be accidentally or maliciously altered.
Business information may be disclosed.
Business information and applications may be unavailable.
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-PRIV-7 | 1.0 | baseline | mandatory |
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-PRIV-8 | 1.0 | baseline | mandatory |
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-PRIV-4 | 1.0 | baseline | mandatory |
The user right to take ownership of files and directories must be held by administrators only
Ensure that the administrators group holds this right
Ensure that only administrator staff are members of the administrators group
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-PRIV-3 | 1.0 | baseline | mandatory |
The user right to manage auditing and security log must only be available to administrators and the security group
Ensure that the administrators group holds this right
Ensure that the security users group holds this right
Ensure that only administrators are members of the administrators group
Ensure that only security users are members of the security group
Where this control is not applied, the following residual risks exist:
Sensitive audit trail data may be lost
Sensitive audit trail data may be disclosed
Business information may be subject to unauthorised disclosure
Business information may be subject to a loss of availability
Business information may be subject to alteration
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-PRIV-2 | 1.0 | baseline | mandatory |
The user right to backup files and directories must only be held by Backup Operators
Ensure that only operators are in the backup operators group
Ensure that the backup operators group hold the backup files and directories user right
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-PRIV-6 | 1.0 | baseline | mandatory |
Ensure that the administrators group holds this right
Ensure that only administrator staff are members of the administrators group
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-PRIV-5 | 1.0 | baseline | mandatory |
The user right to restore files and directories must be held by administrators and backup operators only.
Ensure that the administrators and backup operators group holds this right
Ensure that only administrator staff are members of the administrators group
Ensure that only backup operators are members of the backup operators group
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-PRIV-1 | 1.0 | baseline | recommended |
Ensure that the everyone group holds the user access right, access this computer from the network.
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-UC-3 | 1.0 | baseline | recommended |
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-UC-4 | 1.0 | baseline | mandatory |
Where this control is not applied, the following residual risks exist:
Passwords that do not change are at greater risk of compromise
Business information may be accidentally or maliciously altered.
Business information may be disclosed.
Business information and applications may be unavailable.
Table of Contents
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-NETW-1 | 1.0 | baseline | mandatory |
Where this control is not applied, the following residual risks exist:
Remote access server allows users potentially to gain unauthorised remote access
Business information may be accidentally or maliciously altered.
Business information may be disclosed.
Business information and applications may be unavailable.
Table of Contents
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-ACCESS-1 | 1.0 | baseline | mandatory |
Ensure that the access permitted for each file and directory permits the minimum access permissions
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-ADM-2 | 1.0 | baseline | mandatory |
The Notification Packages registry key must contain only authorised password filter or password synchronisation packages.
Check the contents of the registry key \System\CurrentControlSet\Control\Lsa\Notification Packages.
This key should name only authorised password filters and password synchronisation packages. It should not reference the FPNWCLNT package (see Knowledge Base Q99885). PASSFILT is an acceptable entry under this key.
Where this control is not applied, the following residual risks exist:
Passwords may be intercepted during password change.
Business information may be accidentally or maliciously altered.
Business information may be disclosed.
Business information and applications may be unavailable.
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-ADMIN-1 | 1.0 | baseline | mandatory |
Table of Contents
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-AUDIT-1 | 1.0 | baseline | recommended |
Define in the domain policy that accounts be locked out after 3 login failures
Where this control is not applied, the following residual risks exist:
Given enough attempts any account password may be guessed
Unauthorised access may result from allowing a liberal number of logon attempts
Business information may be accidentally or maliciously altered.
Business information may be disclosed.
Business information and applications may be unavailable.
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-AUDIT-2 | 1.0 | baseline | recommended |
Define in the domain policy for reset count for logon failures be 7200 minutes
Where this control is not applied, the following residual risks exist:
Slowing down the number of guesses that can be attempted will hinder a breakin attempt.
A short reset time effectively increases the number of attempts before lockout
This may result in an account being compromised
Business information may be accidentally or maliciously altered.
Business information may be disclosed.
Business information and applications may be unavailable.
ID | Version | Level | Enforcement |
|---|---|---|---|
NT4D-AUDIT-3 | 1.0 | baseline | recommended |
Where this control is not applied, the following residual risks exist:
Setting lockout duration to anything other than forever allows password guessing attempts to be resumed against the account after the lockout period expires
Given enough time and enough attempts account passwords will be guessed
Accounts may be compromised
Business information may be accidentally or maliciously altered.
Business information may be disclosed.
Business information and applications may be unavailable.
User Configuration | ||
User Administration | ||
Control ID | Checklist Question | Your Answer |
| NT4D-UC-2 | Are user passwords set to be changed following reset or after the creation of a new account? | |
| NT4D-UC-7 | Is a home directory specified for each user? | |
| NT4D-UC-6 | Does each user account have the full name and description fields completed with the details of the account owner name, location and phone number? | |
| NT4D-UC-1 | Do all users have a logon script defined? | |
Default Accounts | ||
Control ID | Checklist Question | Your Answer |
| NT4D-UC-5 | Is the Guest account is disabled? | |
Privileges | ||
Control ID | Checklist Question | Your Answer |
| NT4D-PRIV-7 | Is the advanced user right to lock pages in memory held by no one? | |
| NT4D-PRIV-8 | Is the advanced user right to log on as a batch job held by any user? | |
| NT4D-PRIV-4 | Is the user right to take ownership of files and directories held by administrators only? | |
| NT4D-PRIV-3 | Is the user right to manage auditing and security log only available to administrators and the security group? | |
| NT4D-PRIV-2 | Is the user right to backup files and directories only held by Backup Operators? | |
| NT4D-PRIV-6 | Is the advanced user right to increase quotas must be held by administrators only | |
| NT4D-PRIV-5 | Is the user right to restore files and directories held by administrators and backup operators only? | |
| NT4D-PRIV-1 | Is the user right, access this computer from network, available to everyone? | |
Authentication/Password Configuration | ||
Control ID | Checklist Question | Your Answer |
| NT4D-UC-3 | Are user accounts set such that the user can change their password? | |
| NT4D-UC-4 | Is it ensured that user accounts are not set such that their password never expires? | |
Network Security Configuration | ||
Network Interface Considerations | ||
Control ID | Checklist Question | Your Answer |
| NT4D-NETW-1 | If Remote Acess Server is enabled is it required? | |
Configuration | ||
Files and File Permissions | ||
Control ID | Checklist Question | Your Answer |
| NT4D-ACCESS-1 | Are file and directory permissions restricted on the basis of least privilege? | |
Administration | ||
Control ID | Checklist Question | Your Answer |
| NT4D-ADM-2 | Has the Notification Packages registry key been checked for Unauthorised/unexpected values in the Notification Packages registry key? | |
| NT4D-ADMIN-1 | Is replicationimplemented only at the administrator level? | |
Auditing and Monitoring | ||
Events to be alerted in real-time | ||
Control ID | Checklist Question | Your Answer |
| NT4D-AUDIT-1 | Are user accounts locked out after 3 consecutive login failures? | |
| NT4D-AUDIT-2 | Is the reset count for logon failures set to 7200 minutes? | |
| NT4D-AUDIT-3 | Is the lockout duration set to forever? | |