LCZ-NT4-S 1.1 16 May 2009 This document specifies technical security policy for implementations of Microsoft Windows NT4.0, and applies to domain controller implementations of NT4.0. This standard contains 12 baseline controls, and 0 above baseline controls, for a total of 12 controls. 1.1 16 May 2009 FOD Revised for re-release 1.0 05 February 2003 LCZ Initial Version for public release 2001200220032009 Frank O'Dwyer All of these Security Standards and Security Policies are copyrighted. THEY ARE NOT IN THE PUBLIC DOMAIN. They are however distributed under a liberal open-source license, see Publishing these Security Standards and Policies.Frank O'Dwyer

The objectives of this document are: To specify a baseline configuration for implementations of <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 server. To provide guidance to administators, developers and security personnel in securely implementing <trademark>Microsoft</trademark> <trademark>Windows</trademark> NT4.0 server.

Controls specified in this document apply to server implementations of NT4.0. All of the organisation's NT4.0 server systems will be subject to the policies specified within this security standard. The policies will be applied to new and existing installations.

Compliance with this standard will not provide in depth security architecture or intelligent security design guidance to projects. As a consequence, for high impact or safety-critical business applications, additional guidance will still need to be sought from your Information Security team consultancy function. This is a specific standard for NT4.0 servers. Controls specific to workstation, domain controller, and generic controls common to all are not specified in this document and are the subject of separate standards. Compliance with this standard does not negate the need for an overall security review of a proposed application. Contact the Information Security team if you are in doubt.

Your feedback to improve this document is welcome. Please let me know of your experiences in applying the controls and guidance in this standard. Are the controls effective, easy to implement, too onerous, clear, unclear, something missing? Does an exceptional case need to be covered? Let me know. Please send your comments to frankodwyer AT netscape.net. Your comments will be used to produce better free security standards for the IT community.I also request that you give feedback where you think the controls and guidance is correct. This will let us gauge whether or not specific controls are controversial or broadly acceptable to the community, and will help us to resolve cases where we have conflicting feedback on particular content.

This document may be reproduced and distributed in whole or in part, free of charge, subject to the following conditions:All copyright and trademark notices, and this permission notice must be preserved complete on all complete or partial copies.Any translation or derivative work of this document must be approved by Frank O'Dwyer in writing before distribution.If you distribute this guide in part, instructions for obtaining the complete version of this manual must be included, and a means for obtaining a complete version provided.Small portions may be reproduced as illustrations for reviews or quotes in other works without this permission notice if proper citation is given.Neither Frank O'Dwyer's name nor the names of any contributors may be used to endorse or promote products derived from this document without specific prior written permission.THIS DOCUMENT IS PROVIDED BY FRANK O'DWYER AND CONTRIBUTORS "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL FRANK O'DWYER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.I would like to be informed of any plans to publish or distribute these documents, just so I know how they're being used and where they are becoming available. If you are publishing or distributing or planning to publish or distribute any of these documents, please send mail to frankodwyer AT netscape.net

This document should be read and applied in conjunction with the technology specific security standards that are available from the frankodwyer.com web site. Please note that some of the documents below are currently under development and as such may not as yet be available. Check back frequently for updates to this document and those documents listed below.

Generic Security Standardshttp://www.frankodwyer.com/standards/index.html#genericData Protection European Union Security Standardhttp://www.frankodwyer.com/standards/index.html#genericApplication Service Provider Security Standardshttp://www.frankodwyer.com/standards/index.html#generic

Generic Unix Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Generic Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Workstation Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Server Security Standardshttp://www.frankodwyer.com/standards/index.html#osWindows NT4.0 Domain Security Standardshttp://www.frankodwyer.com/standards/index.html#os

Oracle Security Standardshttp://www.frankodwyer.com/standards/index.html#db

An Information Asset equates to any computerised information system or component thereof and thus includes an application, an item of off the shelf software, hardware, media, a data item, a data item repository and associated communications networks. The specification of the Information Asset in question will usually be given so that this document is unambiguous, except where a control relates to any Information Asset. The use of must or will indicates what the author considers to be a mandatory control. However, whether the controls listed here are mandatory for your organisation is entirely at your organisation's discretion and thus they should be interpreted as representing the strongest recommendation of the author. The use of should or recommended or ought indicates that the author believe that the controls in question are worthwhile and should be implemented unless such an implementation is impossible, onerous or impractical. Again, the implementation of controls so recommended in this document is entirely at your organisation's discretion.

IDVersionLevelEnforcementNT4S-PRIV-61.0baselinemandatory

The advanced user right to increase quotas must be held by administrators only

Ensure that the administrators group holds this right Ensure that only administrator staff are members of the administrators group

Where this control is not applied, the following residual risks exist: Business information and services may be subject to a loss of availability

IDVersionLevelEnforcementNT4S-PRIV-71.0baselinemandatory

The advanced user right to lock pages in memory must be held by no one.

Ensure that no one holds this right

Where this control is not applied, the following residual risks exist: Business information and services may be subject to a loss of availability

IDVersionLevelEnforcementNT4S-PRIV-21.0baselinemandatory

The user right to backup files and directories must only be held by Backup Operators

Ensure that only operators are in the backup operators group Ensure that the backup operators group hold the backup files and directories user right

Where this control is not applied, the following residual risks exist: Business information may be subject to unauthorised disclosure Business information may be subject to a loss of availability

IDVersionLevelEnforcementNT4S-PRIV-81.0baselinemandatory

The advanced user right to log on as a batch job must be held by no one.

Ensure that no one holds this right

Where this control is not applied, the following residual risks exist: Business information and services may be subject to a loss of availability

IDVersionLevelEnforcementNT4S-NETW-11.0baselinemandatory

Remote Acess Server must be enabled only if required

Disable remote access server if it is not required

Where this control is not applied, the following residual risks exist: Remote access server allows users potentially to gain unauthorised remote access Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

IDVersionLevelEnforcementNT4S-ACCESS-11.0baselinemandatory

File and directory permissions must be restricted on the basis of least privilege

Ensure that the access permitted for each file and directory permits the minimum access permissions

Where this control is not applied, the following residual risks exist: Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

IDVersionLevelEnforcementNT4S-ADMIN-11.0baselinemandatory

Replication must be implemented only at the administrator level

Where this control is not applied, the following residual risks exist: Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

IDVersionLevelEnforcementNT4S-AUDIT-41.0baselinerecommended

Auditing should be enabled for RAS for failed authentication and authentication timeout

Set up auditing to audit for failed authentication and authentication timeout

Where this control is not applied, the following residual risks exist: Business information and applications may be unavailable. Business information may be disclosed Business information may be maliciously altered

IDVersionLevelEnforcementNT4S-AUDIT-11.0baselinerecommended

Failed attempts to delete documents in a print queue should be audited

Set up auditing to audit for failed attempts to delete documents in a print queue

Where this control is not applied, the following residual risks exist: Business information and applications may be unavailable.

IDVersionLevelEnforcementNT4S-AUDIT-31.0baselinerecommended

Failed attempts to take ownership of documents should be audited

Set up auditing to audit for failed attempts to take ownership of documents in a print queue

Where this control is not applied, the following residual risks exist: Business information and applications may be unavailable. Business information may be disclosed Business information may be maliciously altered

IDVersionLevelEnforcementcopy of NT4S-AUDIT-21.0baselinerecommended

Failed attempts to change permissions on a print queue should be audited

Set up auditing to audit for failed attempts to delete documents in a print queue

Where this control is not applied, the following residual risks exist: Business information and applications may be unavailable.

IDVersionLevelEnforcementNT4S-NETW-21.0baselinerecommended

RAS should be set up to encrypt logon information by any remote client before sending across the network

RAS should be configured to encrypt logon information by any remote client before sending across the network

Where this control is not applied, the following residual risks exist: Account logon details may be compromised Business information may be accidentally or maliciously altered. Business information may be disclosed. Business information and applications may be unavailable.

User ConfigurationPrivilegesControl IDChecklist QuestionYour AnswerNT4S-PRIV-6Is the advanced user right to increase quotas must be held by administrators onlyNT4S-PRIV-7Is the advanced user right to lock pages in memory held by no one?NT4S-PRIV-2Is the user right to backup files and directories only held by Backup Operators?NT4S-PRIV-8Is the advanced user right to log on as a batch job held by any user?Network Security ConfigurationNetwork Interface ConsiderationsControl IDChecklist QuestionYour AnswerNT4S-NETW-1If Remote Acess Server is enabled is it required?ConfigurationFiles and File PermissionsControl IDChecklist QuestionYour AnswerNT4S-ACCESS-1Are file and directory permissions restricted on the basis of least privilege?AdministrationControl IDChecklist QuestionYour AnswerNT4S-ADMIN-1Is replicationimplemented only at the administrator level?Auditing and MonitoringEvents to be auditedControl IDChecklist QuestionYour AnswerNT4S-AUDIT-4Is auditing enabled for RAS for failed authentication and authentication timeout?NT4S-AUDIT-1Are failed attempts to delete documents in a print queue audited?NT4S-AUDIT-3Are failed attempts to take ownership of documents audited?copy of NT4S-AUDIT-2Are failed attempts to change permissions on a print queue audited?OtherControl IDChecklist QuestionYour AnswerNT4S-NETW-2Is RAS set up to encrypt logon information by any remote client before sending across the network?