Robichaux on Security — December, 1999

Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.

On This Page

Mmmmm, good
Unbind the unnecessary

Mmmmm, good

Computer security is like many other fields of human endeavor, from brain surgery to gourmet cooking to jazz trombone: serious practitioners create or discover new works, but the rest of us can apply what they've done on our own. I may not ever have my own cooking show on the Food Network, but I can still whip up a mean Cajun meal with the aid of my extensive cookbook collection.

You may not be ready to go to work as a computer security expert, but that shouldn't stop you from using a cookbook approach to improving your network's security. There are some simple steps you can follow to tighten up your security immediately, without a lot of knowledge or special planning on your part.

Unbind the unnecessary

By default, when you install Windows NT on a computer with a network interface card (NIC), NT will bind all the installed protocols to your installed NICs. This may not be what you want to do, since there's usually no good reason to expose anything other than TCP/IP on any NICs that are visible to the Internet. Consider a typical web server with two NICs: one connected to an internal LAN and one connected to the Internet. It might make sense to have NetBIOS enabled on the internal LAN if you want to publish files to shares on the server; however, there's no reason to leave NetBIOS visible to the outside world.

Recommendation: unbind NetBIOS from any adapter where you don't need it.

Tighten down passwords

Reusable passwords are a necessary evil:

• necessary because one-time password systems like S/Key and SecurID still aren't widely deployed, even though Windows NT and Windows 2000 can be extended to support them.

• evil because they're subject to compromise. Since they're designed to be reused over and over. Users do silly things like using the same password for many systems, writing down passwords on sticky notes, and so on.

It may not be practical for you to implement one-time passwords on your network, but you can improve the strength of reusable passwords by enforcing strong password rules. If you're using NT4 SP3 or later, you can add a password filter to force users to use strong passwords. You can also use the Policies | AccountsU command in User Manager to set minimum and maximum password ages, minimum password lengths, and password history. Applying these protections will help protect you against dictionary-based password attacks.

Recommendation: apply a password filter and password policies.

Pack your stuff

Windows NT service packs always contain fixes for defects. Many of these fixes repair security problems, ranging from small, esoteric problems to more serious vulnerabilities. If you don't keep current on service packs and hotfixes, you're cheating yourself—Microsoft and the security community expend a ton of effort to find and fix these problems, so why not take advantage of the fixes they've found?

Recommendation: diligently roll out service packs. Pay attention to Microsoft's security bulletins so that you'll know when something's happening.

Use the tools you get

Windows NT includes two tools that are critically underused: the local/domain group mechanism and NTFS file permissions. The group mechanism lets you assign access controls and rights to groups, not to individual users. This protects you in two ways: it makes it hard to forget to remove a permission someone should no longer have, and it makes it easy to change permissions for a whole group at once. As long as you remember to put users in the correct groups (easy), you get automatic assurance that all the settings that pertain to the group will be assigned to the individuals in it.

NTFS permissions give you great flexibility in assigning permissions for individual users and groups, and you can combine them with share permissions to give exactly the access control you want to any user on your network. However, that means you actually have to apply them, not just think about it. If the prospect of applying these controls by hand seems too daunting, consider using a tool like the excellent shareware products Security Explorer or SuperCACLS or the xcacls tool from the Windows NT Resource Kit. (In a future column, I'll go into more detail on xcacls.)

Keep the lid on

As with every other kind of operating system, computer security measures won't help you if an attacker can waltz over to where your computer sits and steal it, damage it, or copy data from it. Make sure you have physical security commensurate with the value of the data on your machines. You don't necessarily have to put all your servers in a big glass box (though it's not necessarily a bad idea), but at least impose some minimum controls over who can get near the machines. If an attacker can boot your server from a floppy, or take the cover off and fiddle around on the inside, you're toast.

Where to get more information

• The TechNet Knowledge Base has several articles about strong password support. Check out 151082 and 161990 in particular.

• The steps in this article are just a start. For a much more detailed list (about 90 pages worth!), see the excellent paper produced by Trusted Systems Services.

Paul Robichaux is the principal of Robichaux & Associates, Inc, which provides programming, technical communications, and security services to customers ranging in size from local auto dealerships to Microsoft. He's glad to have his latest book (Managing Microsoft Exchange Server from O'Reilly & Associates) on the shelves so he can spend more time with his family. He welcomes reader questions at security@robichaux.net.

We at Microsoft Corporation hope that the information in this work is valuable to you. Your use of the information contained in this work, however, is at your sole risk. All information in this work is provided "as -is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Microsoft Corporation. Microsoft Corporation shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.