Take steps to increase security on your NT Web server
When IBM brought an AS/400 to the Windows NT Magazine Lab, it claimed
that the AS/400 was "the safest Web server on the planet" because professional security firms failed to break into it. Naturally, the Lab and I felt compelled to build a secure NT Web server. I spent approximately 3 hours completing the job. When the Lab turned the same professional security firms loose on my system, they were unable to break in.
An NT server is a great platform right out of the box; however, NT isn't
bulletproof. An NT Web server definitely needs strengthening against unwanted
intrusion.
In most cases, large companies can survive losses resulting from security
breaches; smaller businesses might not. I've seen more than one business vanish
overnight as a result of the financial damage an intrusion causes.
In this article, I'll describe how I built my NT Web server and give tips
on how you can build your own. I'll also describe steps to increase security on your server.
How I Did It
I made numerous changes to NT's original configuration to secure the system I built for the Lab, which the Lab used for Internet services only. I created a standalone server in its own private workgroup and installed only the necessary default services (plus Internet Information Server--IIS). I didn't add any optional services or use any third-party security add-ons.
If you're familiar with NT's administration tools and the basic concepts of granting and removing user rights and permissions, you know that these modifications involve editing the Registry. If you're considering building your own server, have an up-to-date Emergency Repair Disk (ERD) handy. Also, use caution when changing the Registry: Mistakes in editing the Registry can lead to an unbootable NT server.
Step 1: Install the Latest Service Pack and Applicable Hotfixes
After you install your operating system (OS), you can load the current
service pack. I used Service Pack 3 (SP3).
Some network engineers claim that installing service packs isn't always
necessary. However, sometimes service packs contain features that fix security
problems. Because Microsoft doesn't always itemize service pack features, you
won't know which features are included unless you use the service pack. The same
is true for post-service pack hotfixes. On at least one occasion, I used an
unrelated hotfix that contained the solution to an obscure security problem I
had. However, the associated Microsoft Support Online article and README file
didn't mention this hotfix.
You can always test a hotfix or service pack on a nonproduction (or backup)
server before you implement it on your live server. If you don't have a second
server or don't feel comfortable loading fixes, you can seek a network
professional's assistance. This money will be well spent. To minimize the risk
of a faulty service pack or hotfix breaking my NT server, I wait about a week
after Microsoft releases a new one to see whether any major complaints arise
from the user community.
If you don't know which service packs you need, you can load them all or
seek a network professional's advice. The order in which you install hotfixes is
important because later hotfixes sometimes supersede earlier ones. You need to
pay attention to the date and time stamps on the files listed on Microsoft's FTP
site and install the hotfixes in chronological order. The hotfixes are located
at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes. If you
add services or install new versions of NT components later, you'll need to
reinstall the latest service pack and hotfix (so keep them available).
When I built my system, I loaded five mandatory post-SP3 hotfixes:
getadmin-fix, teardrop2-fix, srv-fix, simptcp-fix, and pent-fix. If you want to
learn about what these hotfixes can do, read Microsoft Support Online articles
located in the named subdirectories.
Step 2: Change NTFS File and Directory Permissions
NTFS provides more advanced security features than FAT file systems, so use
NTFS whenever possible (e.g., if you install an additional hard drive or create
new partitions on existing drives). FAT offers no security at the file and
directory levels. If you must use a FAT file system, consider securing the FAT
partition by using the Secure System Partition command on the Partition menu of
the Disk Administrator utility. You can use FAT for the boot partition of an
ARC-compliant RISC system (e.g., an Alpha), but don't put any files on that
partition other than the Windows NT installation default boot files.
The files and directories that comprise the OS software on any partition
require protection. The standard set of permissions on these files and
directories provides a reasonable degree of security without interfering with the
computer's usability. However, you can modify the NTFS file and directory
permissions, if necessary. For high-level security installations, set directory
permissions for all subdirectories and existing files immediately after you
install NT. Remember that you need to apply permissions to parent directories
before you apply permissions to subdirectories. Table 1 provides a list of the
permissions you need to apply. You will also need to apply exceptions to the
general security permission settings within the /winnt directory. Table 2
provides these exceptions. Because several critical OS files exist in the root
directory of the system partition on Intel-based systems, you might also
consider assigning the permissions listed in Table 3.
To view these files in Explorer, you can choose the By File Type command
from the View menu, then select the Show Hidden/System Files check box in the By
File Type dialog box. Be sure to review your changes on each partition to ensure
they have been properly secured. You can use Explorer or a specialized tool such
as CACLS from the Microsoft Windows NT Server 4.0 Resource Kit, or
Somarsoft's DumpACL (available at www.somarsoft.com) to perform this audit.
Also, review your file and directory permissions periodically to determine
whether sensitive files are exposed to unauthorized users or groups.
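One way to automate the periodic review described above is to parse saved CACLS output and flag broad grants. The following Python script is an added example, not code from the original article or from Microsoft. Assumptions: the sample output is constructed, the output layout is as described in the comments, and the flagged principals and rights are a stand-in policy, not the settings from Tables 1 through 3.

```python
import re

# Constructed sample of saved `cacls` output (not from a real server).
# Assumed layout: path and first ACE share a line, later ACEs are
# indented to the same column, and a blank line ends each entry.
SAMPLE = r"""C:\WINNT Everyone:(OI)(CI)C
         BUILTIN\Administrators:(OI)(CI)F
         NT AUTHORITY\SYSTEM:(OI)(CI)F

C:\WINNT\repair Everyone:(OI)(CI)R
                BUILTIN\Administrators:(OI)(CI)F

C:\boot.ini Everyone:F
            BUILTIN\Administrators:F
"""

# Assumed audit policy: replace with your own permission tables.
BROAD_PRINCIPALS = {"everyone", "builtin\\users", "builtin\\guests"}
RISKY_RIGHTS = {"C", "F"}  # C = Change, F = Full Control

# principal:(inheritance flags)right, e.g. Everyone:(OI)(CI)C
ACE = re.compile(r"^([^:]+):((?:\([A-Z]{2}\))*)([NRWCF])$")

def parse_cacls(text):
    """Return (path, principal, flags, right) for every ACE line."""
    entries = []
    for block in re.split(r"\n[ \t]*\n", text.strip("\n")):
        lines = block.splitlines()
        if not lines:
            continue
        if len(lines) > 1:   # the indent of line 2 marks the ACE column
            col = len(lines[1]) - len(lines[1].lstrip())
        else:                # single ACE: assumes no space in the path
            col = lines[0].index(" ") + 1
        path = lines[0][:col].rstrip()
        for raw in [lines[0][col:]] + lines[1:]:
            m = ACE.match(raw.strip())
            # Unparsed lines (e.g. special access) get right "?" for review.
            entries.append((path, *m.groups()) if m
                           else (path, raw.strip(), "", "?"))
    return entries

def findings(text):
    """ACEs that give a broad principal a risky right, or need review."""
    return [(p, who, right) for p, who, _, right in parse_cacls(text)
            if right == "?"
            or (who.lower() in BROAD_PRINCIPALS and right in RISKY_RIGHTS)]

if __name__ == "__main__":
    for path, who, right in findings(SAMPLE):
        print(f"REVIEW {path}: {who} has {right}")
```

Saving each audit's output and comparing the findings between runs shows when a permission has drifted since the last review.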