LCZ-NT4-GSS 1.1 16 May 2009 This document specifies generic technical security policy for implementations of Microsoft Windows NT4.0, and applies to workstation, server and domain controller implementations of NT4.0, whether standalone or part of a domain. 1.1 16 May 2009 FOD Revised for re-release 1.0 04 February 2003 LCZ Initial Draft for public release 2001200220032009 Frank O'Dwyer To specify a baseline configuration for implementations of <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0. To provide guidance to administators, developers and security personnel in securely implementing <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0. Controls specified in this document apply to workstation, server, and domain controller implementations of NT4.0, whether used standalone or part of a domain. All of the organisation's NT4.0 information systems will be subject to the policies specified within this generic security standard. The policies will be applied to new and existing installations. Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from the Information Security team consultancy function. This is a generic standard. Controls specific to workstation, server, or domain controller implementations are not defined here but will be the subject of additional standards. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt. An Information Asset equates to any computerised information system or component thereof and thus includes an application, an item of off the shelf software, hardware, media, a data item, a data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous, except where a control relates to any Information Asset. The use of must or will indicates what the author considers to be a mandatory control. However, whether the controls listed here are mandatory for your organisation is entirely at your organisation's discretion and thus they should be interpreted as representing the strongest recommendation of the author. The use of should or recommended or ought indicates that the author believes that the controls in question are worthwhile and should be implemented unless such an implementation is impossible, onerous or impractical. Again, the implementation of controls so recommended in this document is entirely at your organisation's discretion. Login scripts and profiles must be accessible only by their user and administrators. Is access to login scripts and profiles restricted only to their user and administrators? Ensure the ACLs for login scripts and profiles grant access only to their user and administrators. Users will be able to run programs using the privileges of other users. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Rename the administrator to an attributable account name and assign a new password. Has the administrator account been renamed to an attributable account name and the password changed? Rename the administrator account to an individuals name Assign a new password As the admin account is certain to exist on every system it is a priority for attack Changing the password from the default helps prevent unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The guest account must be disabled. Has the guest account been disabled? Select account disabled on the main account window. Give the guest account a long random password that is not retained by anyone. Set its login hours to none. Set its expiration date to a date past. Unauthorised network access to the NT system may be possible. Unauthorised access to NT objects may result Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to load and unload device drivers must not be assigned to any users Is the advanced user right to load and unload device drivers assigned to any users? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious Replacing a device driver may be used to gain unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to create a page file must not be assigned to any users Is the advanced user right to create a page file assigned to any users? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to bypass traverse checking must not be assigned to any users Is the advanced user right to bypass traverse checking assigned to any users? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious This right permits access control on an object path to be disregarded and may result in unintended access being obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to profile single process must be assigned only to administrators Is the advanced user right to profile single process assigned only to administrators? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious The ability to profile single processes may result in unauthorised disclosure of security sensitive information Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to repace a system level process token must be assigned to no user Is the advanced user right to repace a system level process token assigned to any user? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious Such access may be used to subvert the security controls on the system Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to create permanent shared objects must not be assigned to any users Is the advanced user right to create permanent shared objects assigned to any users? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to generate security audits must not be assigned to any users other than administrators or security teams Is the advanced user right to generate security audits assigned to any users other than the administrators or security users? Identify all users who hold this right and revoke it where appropriate Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious The security audit will contain disclosure sensitive information Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to debug programs must be assigned only to adminisrators and developers Is the advanced user right to debug programs assigned only to adminisrators and developers? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious Security sensitive information may be obtained such as passwords Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The user right to shutdown the system should be assigned to local groups and not to individual users Is the user right to shutdown the system assigned to local groups and not to individual users Assign the right to a local group Assign users to the group Adnministration should be performed using roles supported through membership of groups Complex individual admin often leads to unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to profile system performance must be assigned only to administrators. Is the advanced user right to profile system performance assigned only to administrators? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious The ability to profile system performance may result in a denial of service Business information and applications may be unavailable. The advanced user right to receive unsolicited device inpurt must be assigned to no users. Is the advanced user right to receive unsolicited device input assigned to no users? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious This right can be used to obtain unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The user right to force shutdown from a remote system should be assigned to local groups and not to individual users Is the user right to force shutdown from a remote system assigned to local groups and not to individual users? Assign the right to a local group Assign users to the group Security administration is simplified by the use of roles This privilege may allow a denial of service to be executed Business information and applications may be unavailable. The advanced user right to increase scheduling priority must be assigned only to administrators Is the advanced user right to increase scheduling priority assigned only to administrators? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious The ability to increase scheduling priority can be used to hog system resource This privilege may allow an enterprise wide denial of service Business information and applications may be unavailable. The advanced user right to modify firmware environment variables must be assigned only to administrators. Is the advanced user right to modify firmware environment variables assigned only to administrators? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious Modification of such variables may result in abnormal or unauthorised function Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to act as part of the operating system must be assigned to no one. Is the advanced user right to act as part of the operating system assigned to any one? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious Acting as part of the operating permits privileged action to be undertaken Privileged action may be used to subvert operating system controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to create a token object must not be assigned to any users Is the advanced user right to create a token object assigned to any users? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious The ability to create a token object may undermine the authentication system Unauthorised access may be obtained Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The user right to logon locally should be assigned to local groups and not to individual users. Is the user right to logon locally assigned to local groups and not to individual users? Assign the right to a local group Assign users to the group Managing access rights by role simplfiies administration Complex administration often results in unauthorised access. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The user right to change the system time should be assigned to local groups and not to individual users. Is the user right to change the system time assigned to local groups and not to individual users? Assign the right to a local group Assign users to the group Reconstructing a set of events requires coinfidence in time sequencing Certain elements of security infrastructure are sensitive to time Changing the system time nay mask unauthorised activity Changing the system time may result in unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The advanced user right to logon as a service must be assigned only to administrators Is the advanced user right to logon as a service assigned only to administrators? Identify all users who hold this right and revoke it. Identify all applications who hold this right and determine why they need it and revoke it for all those where this requirement is clearly spurious The ability to create processes as a services can be used to subvert the security controls and gain unauthorised access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ant-virus software must be installed and maintained on all mahines. Is ant-virus software installed and maintained on all machines? Install anti-virus software on all machines. Ensure that the virus engine and signature data files are maintained up to date Virus infections can often subvert system security controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Ensure that a legal notice appropriate to your jurisdiction is displayed in the legal notice placeholded for display prior to logon Ensure that a legal notice appropriate to your jurisdiction is displayed in the legal notice placeholded for display prior to logon Determine the most appropriate legal noice to implement for your jurisdiction Populate the legal notice placeholder with this message for display prior to logon Legal action following a subjected breach may prove problematic Monitoring of authorised use may prove problematic Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. FTP should not be installed or if part of the default image it should be disabled Is FTP installed or if part of the default image is it disabled? Build a server, w/s or domain controller image that does not include ftp by default Alternatively, disable ftp on w/s, servers and controllers where not needed Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Sensitive data files must be encrypted. Are sensitive data files encrypted? Use an encryption tool or an encrypted file system to store sensitive data files. Sensitive data files will be accessible using non-standard tools when the NT operating system does not have control. Sensitive data files which have been deleted may be accessible using non-standard tools when the NT operating system does not have control. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Enable clearing of the system page file at shutdown. Has clearing of the system page file at shutdown been enabled? Set the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SessionManager\Memory Management\ClearPageFileAtShutdown to 1. Sensitive information, including local and remote passwords and business information, may remain in the pagefile after shutdown. This may be recoverable by an attacker who has physical access to the machine. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. NT must be the only operating system installed. The system must not be set up to dual-boot other operating systems. Is NT the only operating system installed? Remove other operating systems by formatting partitions to NTFS prior to installation. Ensure that boot.ini automatically boots NT, and that it lists no other operating systems. Filesystems will not be protected by NT ACLs. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Only authorised users must be able to boot the system from alternative media (CD, floppy disk). Has access to alternative boot mechanisms been physically and/OR BIOS password restricted? Ensure that the BIOS boot order boots from the hard disk before CD, floppy, or other bootable devices. Assign a BIOS password to prevent changes to the boot order, and restrict access to the BIOS password to authorised personnel. NT ACLs may be bypassed by booting an alternative operating system. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. For unattended setups the $WinNT$.inf file should be deleted. For unattended setups, has the $WinNT$.inf file been deleted after installation? Ensure any $WinNT$.inf files are removed after an unattended installation. The username and password of the user used to add the machine to the domain may be exposed. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Do not install by duplicating a previous disk image, unless the disk image copy tool used is NT-aware and capable of assigning a unique machine SID after duplication. For installations using disk image duplication, has the machine been assigned a unique SID? Do not install using a disk image duplication. Or, if using disk image duplication, ensure that the disk image duplication tool is NT-aware and able to assign unique machine SIDs after duplication. Machines and user accounts will have duplicate SIDs, undermining the security enforcement of NT. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. All filesystem partitions must be formatted prior to installation as NTFS. Are all partitions formatted as NTFS? Choose Format as NTFS from setup menus. Do not use FAT partitions during installation, format as NTFS during installation. Filesystems will not be protected by NT ACLs. Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Do not use HPFS or FAT file structures. Always use NTFS. Are there any FAT or HPFS partitions on the system? Opt for using NTFS alone during system commissioning Other file structures do not consistently support windows NT access control The use of other file structures may be used to subvert security controls Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Security event logging must be enabled and not set to overwrite events Is security event logging enabled and set so as not to overwrite events? Switch security event logging on Configure event logging so as not to overwrite events Reconstruction of a sequence of a sequence of events requires events to be recorded Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. File auditing for group everyone should be set up to record failed attempts for read, write, execute and success and failure for delete, change permissions and take ownership. Has file auditing been set up for group everyone? Set up file auditing for group everyone as follows; Read - Audit failed attempts Write - Audit failed attempts Execute - Audit failed attempts Delete - Audit failure and success Change Permissions - Audit failure and success Take Ownership - Audit failure and success Reconstructing a sequence of events requires certain events to be recorded Failing to record certain events may allow a breach or a failure to go undetected Failing to record certain events may prevent successful recovery from a breach or a failure Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Set up directory auditing for group everyone such that failed attempts are recorded for read, write, execute and failed and successful attempts are recorded for delete, change permissions and take ownership. Has directory auditing for group everyone been set up in accordance with policy? Set up directory auditing for group everyone as follows; Read - Audit failed attempts Write - Audit failed attempts Execute - Audit failed attempts Delete - Audit failure and success Change Permissions - Audit failure and success Take Ownership - Audit failure and success Without an audit trail of activity reconstructing misuse cannot be achieved A loss of accountability may occur Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Network alerts must be enabled for excessive login failures Are network alerts enabled for excessive login failures? Configure network alerts for excessive login failures Non-interactive/network login failures may be indicative of an attack Non-interactive/network login failures may be indicative of a failed service Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. The audit policy must be set up to record failure and success for Logon and Logoff, User and Group Management, Security Policy Changes, Restart, Shutdown and System and failure for File and Object Access Has the audit policy been set up to record the events defined in the audit policy? Set up audit policy as follows; Logon and Logoff Audit failure and success File and Object Access Audit failure User and Group Management Audit failure and success Security Policy Changes Audit failure and success Restart, Shutdown and System Audit failure and success Capturing events allows an audit trail of activity to be created A failure to capture events prevents abnormal activity from being identified This allows an attackers behviour to go unnoticed. Failing to record security events may result in a loss of accountability A loss of accountability makes it difficult to determine the nature of a breach This may result in regulatory compliance breaches This may make legal action problematic to pursue This may make reconstructing the system securely difficult to achieve Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable. Registry key auditing should be set up to not audit query value, create subkey, read control, to audit successful attempts to set value, enumerate subkeys, notify, create link, delete and to audit successful and unsucessful attempts to write DAC Has registry key auditing been set up in accordance with policy? Set up registry key auditing as follows; Query Value - Not audited Set Value - Audit successful attempts Create Subkey - Not audited Enumerate Subkeys - Audit successful attempts Notify - Audit successful attempts Create Link - Audit successful attempts Delete - Audit successful attempts Write DAC - Audit successful and unsuccessful attempts Read Control - Not audited Reconstructing a sequence of evnts requires events to be recorded Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.