C3 Security Consulting LLC

Securing Windows NT 4.0


If you need a "quick fix" it is possible to simply apply a security template. However, it is not a good idea. Without testing and fully understanding the changes it is possible that something will break. That being said, if you have a non-critical machine that you want/need to secure in a hurry, these are the steps. There are five templates you might need:

  • SecureWS.inf: basic workstation security
  • HiSecWS.inf: high security for a workstation
  • Setup Security.inf: the security level set during the workstation installation
  • CompatWS.inf: settings that should be compatible with most applications
  • RootSec.inf: directory-level security; worth applying if you have just converted to NTFS from FAT

SecureWS.inf will probably suffice, but you know your environment.

Note: There are other templates (DC replaces WS), but these are for domain controllers and must be given more thought.

Installing the SCM   

  1. As an Administrator, open Windows Explorer.
  2. Create the directory C:\Temp if it does not already exist.
  3. Download the SCM installer to C:\Temp.
  4. Open C:\Temp and double-click the Scesp4i.exe application.
  5. When prompted by the installation utility, specify a temporary file path of C:\Temp\scminstall in which to expand the support files, and then click OK.
  6. Use Explorer to open C:\Temp\scminstall.
  7. Double-click the Mssce utility to install the SCE and the Microsoft Management Console (MMC) tool required for the GUI version of the SCM. The installer will automatically place the SCM components in the correct location on the computer.

Loading the SCM Snap-in  

  1. Launch the MMC. (Start»Run»mmc.exe)
  2. Select Console, and then select Add/Remove Snap-In.
  3. Click Add.
  4. Select Security Configuration Manager.
  5. Click OK, and then click OK again.

Setting Security

  1. Back up your system. No matter how long it takes, you MUST do it.
  2. Complete “Installing the SCM” and “Loading the SCM Snap-in” above.
  3. Select the Security Configuration Manager node.
  4. Select the Configurations node.
  5. Select the default configuration file directory (%systemroot%\security\templates) to show the configuration templates.
  6. Select the appropriate configuration file (securews.inf).
  7. Familiarize yourself with the various objects and settings in the policy template.
  8. Select the Security Configuration Manager node.
  9. Right-click the Database node, and then select Import Configuration.
  10. Choose the corresponding policy template, and then click OK.
  11. Right-click the Database node, and then select Configure System Now.
  12. Click OK to accept the default log file path.
  13. Wait for the policy to apply, and then review the log file results.
  14. Close the log file.
  15. Close the MMC.

To Reset to Baseline Security:

It is the same as setting either high or medium security, but the template you apply is “Setup Security.inf”.
If this fails to get you where you need to go, it’s time to restore from your backup.

For detailed guides the following are recommended:

Microsoft’s “The Microsoft Windows NT 4.0 and Windows 98 Threat Mitigation Guide”,
“Microsoft Security Configuration Manager for Windows NT 4.0”,
Windows NT 4.0 Server Baseline Security Checklist and
the NSA’s “Guide to Securing Microsoft Windows NT Networks”.

Convert FAT to NTFS

Unless there are specific compatibility issues, all file systems should be NTFS based. Existing FAT16 or FAT32 systems can be upgraded during, or after, installing later versions of Windows by using %SystemRoot%\system32\convert.exe (e.g. convert c: /FS:NTFS).

Two considerations:

  1. Once converted to NTFS, it is not possible to convert back to FAT without formatting the drive.
  2. After conversion there are no security permissions associated with the files or directories. To finish securing the file system, either manually assign appropriate discretionary permissions or use the fixacls.exe utility that ships with the resource kit. For a guide to appropriate system directory security see Microsoft’s KBQ157963.

Installing Service Pack 6a and Hotfixes

Download service pack 6a (SP6a).

  1. Perform a full backup of files and the registry.
  2. Update the emergency repair disk (ERD). Use the rdisk /s parameter to get the Security and SAM registry hives updated on the disk. For more instructions, see the following Knowledge Base articles:
    • Q156328—Description of Windows NT Emergency Repair Disk
    • Q122857—RDISK /S and RDISK /S- Options in Windows NT
  3. Perform a full system restart and check the Event Viewer for errors. Resolve any issues before installing SP6a.
  4. Copy your previous Uninstall directory to a safe location. By default, this directory is located in %SystemRoot%\$NTServicePackUninstall$.
  5. Run Srvinfo.exe from the Windows NT 4.0 Resource Kit and document existing hotfix information.
  6. Disable any non-essential third-party drivers and services not required for starting the system. Contact the manufacturers about updated versions.
  7. Verify available disk space. The installation of SP6a requires 60 MB to 120 MB of drive space for the installation, depending on whether the Uninstall option is chosen.
  8. Close all active debugging sessions or remote control sessions before starting the installation.
    • Identify any third party software and verify the software is compatible with Service Pack 6a.
    • Perform a full backup of your system, including system registry files. A full backup is the only way to restore your system to a previous working installation.
  9. Install the 128-bit version of Service Pack 6a. The restrictions regarding the export of 128-bit encryption technology have been revoked.
  10. Check the “Backup files necessary to uninstall this Service Pack at a later time” checkbox.

Once the service pack has been installed, reboot the machine. To install the latest hot fixes use the Windows Update utility from the Program menu, or visit the Windows Update home page.

Security Configuration Manager (SCM)

The SCM allows system administrators to consolidate all security related system settings into a single configuration file (an inf file). The advantage is these settings may be re-applied to a greater number of machines of the same (or similar) configuration. It is fundamental to the process of setting security. We recommend you be familiar with it.

The SCM is sub-divided into:

  • Account Policies—includes Password Policy and Account Lockout Policy
  • Local Policies—includes Audit Policy, User Rights Assignment, and Security Options
  • Event Log—includes settings for the event logs
  • Restricted Groups—includes membership settings for sensitive groups
  • System Services—includes configurations for services such as network transport
  • Registry—includes registry key permission settings
  • File System—includes file and folder permission settings

For more detailed information on the SCM, refer to http://www.microsoft.com/ntserver/techresources/security/securconfig.asp.
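
Step 7 of “Setting Security” asks you to familiarize yourself with a template before importing it; one way to do that is to list exactly which settings it would change, grouped by the SCM areas listed above. The following is an added example, not part of the original page or of Microsoft's tooling. The section-to-area mapping (AREAS) and both sample templates are assumptions constructed here, so check the section names against your own .inf files.

```python
# Added example: list what a stricter security template would change.
# AREAS and both sample templates are assumptions constructed for illustration.
import configparser

AREAS = {  # INF section -> SCM area as named on this page
    "System Access": "Account Policies",
    "Event Audit": "Local Policies", "Privilege Rights": "Local Policies",
    "Registry Values": "Local Policies",
    "System Log": "Event Log", "Security Log": "Event Log",
    "Application Log": "Event Log", "Group Membership": "Restricted Groups",
    "Service General Setting": "System Services",
    "Registry Keys": "Registry", "File Security": "File System",
}

def parse_template(text):
    """Parse template text into {section: {setting: value}}."""
    cp = configparser.ConfigParser(
        interpolation=None,    # '%SystemRoot%' is literal text, not interpolation
        delimiters=("=",),     # ':' appears inside paths, so only '=' splits
        comment_prefixes=(";",), allow_no_value=True, strict=False)
    cp.optionxform = str       # keep setting names exactly as written
    cp.read_string(text)
    return {s: dict(cp[s]) for s in cp.sections()}

def diff_templates(base, new):
    """Return sorted (area, section, setting, old, new) for each change."""
    changes = []
    for section, settings in new.items():
        if section in ("Version", "Unicode"):
            continue           # file metadata, not policy
        area = AREAS.get(section, "Unmapped")
        for key, value in settings.items():
            old = base.get(section, {}).get(key)
            if old != value:
                changes.append((area, section, key, old, value))
    return sorted(changes, key=lambda c: c[:3])

# Constructed samples standing in for the current baseline and a stricter template.
BASELINE = ("[Version]\nsignature=\"$CHICAGO$\"\n"
            "[System Access]\nMinimumPasswordLength = 0\nLockoutBadCount = 0\n"
            "[Event Audit]\nAuditLogonEvents = 0\n")
STRICTER = ("[Version]\nsignature=\"$CHICAGO$\"\n"
            "[System Access]\nMinimumPasswordLength = 8\nLockoutBadCount = 5\n"
            "[Event Audit]\nAuditLogonEvents = 3\n"
            "[Security Log]\nMaximumLogSize = 5120\n")

if __name__ == "__main__":
    result = diff_templates(parse_template(BASELINE), parse_template(STRICTER))
    for area, section, key, old, new in result:
        print(f"{area:17} [{section}] {key}: {old} -> {new}")
```

A setting whose old value prints as None is absent from the baseline, so the template introduces it rather than tightening an existing value.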

Did you know?
The easiest way to get someone's password - ask.
Make sure you have adequately trained your employees to expect and recognize "social engineering" attacks.
Only an estimated 25% of companies report computer intrusions to law enforcement.
They cite bad publicity and loss of credibility as major concerns.
Email is a hacker's gateway to your network.
Make sure you have adequately trained your employees in good email hygiene to reduce virus attacks.
Windows XP and beyond include firewall technology.
If you have a gateway to the internet or are just using Windows XP Internet Connection Sharing, Windows has a great firewall, but you need to tune it to get the best from it.
Patch management is the cheapest security fix available.
Having an automated patch management system is straightforward to set up with almost no administrative overhead. Set it up once for your environment and it will do the work.