Security Steps for an NT Operating System

1. Install Latest Service Pack and applicable hot-fixes

Install the latest recommended Microsoft Service Pack for the NT operating system.  The applicable hot-fixes should also be installed.  Generally not all hot-fixes are required.  Also the order in which hot-fixes are installed is very important, as later hot-fixes sometimes supersede earlier hot-fixes.

2. Display a Legal Notice Before Log On

 Windows NT can display a message box with the caption and text of your choice before a user logs on. Many organizations use this message box to display a warning message that notifies potential users that they can be held legally liable if they attempt to use the computer without having been properly authorized to do so. The absence of such a notice could be construed as an invitation, without restriction, to enter and browse the system.

The log on notice can also be used in settings (such as an information kiosk) where users might require instruction on how to supply a user name and password for the appropriate account.

To display a legal notice, use the Registry Editor to create or assign the following registry key values on the workstation to be protected:

Hive:     HKEY_LOCAL_MACHINE\SOFTWARE  

Key:     \Microsoft\Windows NT\Current Version\Winlogon          

Name:   LegalNoticeCaption      

Type:    REG_SZ          

Value:   Whatever you want for the title of the message box       

Hive:     HKEY_LOCAL_MACHINE\SOFTWARE  

Key:     Microsoft\Windows NT\Current Version\Winlogon           

Name:   LegalNoticeText           

Type:    REG_SZ          

Value:   Whatever you want for the text of the message box       

The changes take effect the next time the computer is started. You might want to update the Emergency Repair Disk to reflect these changes.

Example:

Welcome to the XYZ Information Kiosk

Log on using account name Guest and password XYZCorp.

Authorized Users Only

This system is for the use of authorized users only. Individuals using this computing system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel.  In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may be monitored.  Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.

3. Rename Administrative Accounts

It is a good idea to rename the built-in Administrator account to something less obvious. This powerful account is the one account that can never be locked out due to repeated failed log on attempts, and consequently is attractive to hackers who try to break in by repeatedly guessing passwords. By renaming the account, you force hackers to guess the account name as well as the password.

Make the following changes:

* Remove right "LOG ON FROM THE NETWORK" from Administrator's group

* Add right "LOG ON FROM THE NETWORK" for individuals who are administrators

* Enable auditing of failed login attempts

* Lock out users for more than 5 login failures

* Require password of at least 8 characters

4. Disable Guest Account

Disable Guest account and remove all rights (note:  if using with Internet Information Server then ensure that web user account has permission to access appropriate directories and the right to "LOG ON LOCALLY"

Limited access can be permitted for casual users through the built-in Guest account. If the computer is for public use, the Guest account can be used for public log-ons. Prohibit Guest from writing or deleting any files, directories, or registry keys (with the possible exception of a directory where information can be left).

In a standard security configuration, a computer that allows Guest access can also be used by other users for files that they don't want accessible to the general public. These users can log on with their own user names and access files in directories on which they have set the appropriate permissions. They will want to be especially careful to log off or lock the workstation before they leave it.

5. Logging Off or Locking the Workstation

Users should either log off or lock the workstation if they will be away from the computer for any length of time. Logging off allows other users to log on (if they know the password to an account); locking the workstation does not. The workstation can be set to lock automatically if it is not used for a set period of time by using any 32-bit screen saver with the Password Protected option. For information about setting up screen savers, see Help.

* Install password protected screen saver that automatically starts if workstation is not used for 5-15 minutes

6. Allowing Only Logged-On Users to Shut Down the Computer

Normally, you can shut down a computer running Windows NT Workstation without logging on by choosing Shutdown in the Logon dialog box. This is appropriate where users can access the computer's operational switches; otherwise, they might tend to turn off the computer's power or reset it without properly shutting down Windows NT Workstation. However, you can remove this feature if the CPU is locked away. (This step is not required for Windows NT Server, because it is configured this way by default.)

To require users to log on before shutting down the computer, use the Registry Editor to create or assign the following Registry key value:

Hive:    HKEY_LOCAL_MACHINE\SOFTWARE 

Key:     \Microsoft\Windows NT\Current Version\Winlogon      

Name:  ShutdownWithoutLogon         

Type:    REG_SZ          

Value:  0         

The changes will take effect the next time the computer is started. You might want to update the Emergency Repair Disk to reflect these changes.

7. Hiding the Last User Name

By default, Windows NT places the user name of the last user to log on the computer in the User name text box of the Logon dialog box. This makes it more convenient for the most frequent user to log on. To help keep user names secret, you can prevent Windows NT from displaying the user name from the last log on. This is especially important if a computer that is generally accessible is being used for the (renamed) built-in Administrator account.

To prevent display of a user name in the Logon dialog box, use the Registry Editor to create or assign the following registry key value:

Hive:    HKEY_LOCAL_MACHINE\SOFTWARE 

Key:     \Microsoft\Windows NT\Current Version\Winlogon      

Name:  DontDisplayLastUserName      

Type:    REG_SZ          

Value:  1         

8. Restricting Anonymous network access to Registry

Windows NT version 4.0 Service Pack 3 includes a security enhancement that restricts anonymous (null session) logons when they connect to specific named pipes including the one for Registry.

There is a registry key value that defines the list of named pipes that are "exempt" from this restriction.  The key value is:

Hive:    HKEY_LOCAL_MACHINE\SYSTEM      

Key:     System\CurrentControlSet\Services\LanManServer\Parameters           

Name:  NullSessionPipes        

Type:    REG_MULTI_SZ          

Value:   Add or Remove names from the list as required by the configuration.     

Please refer to Knowledge Base article Q143138 for more details.

9. Restricting Anonymous network access to lookup account names and network shares

Windows NT has a feature where anonymous logon users can list domain user names and enumerate share names. Customers who want enhanced security have requested the ability to optionally restrict this functionality. Windows NT 4.0 Service Pack 3 and a hotfix for Windows NT 3.51 provide a mechanism for administrators to restrict the ability for anonymous logon users (also known as NULL session connections) to list account names and enumerate share names. Listing account names from Domain Controllers is required by the Windows NT ACL editor, for example, to obtain the list of users and groups to select who a user wants to grant access rights. Listing account names is also used by Windows NT Explorer to select from list of users and groups to grant access to a share.

The registry key value to set for enabling this feature is:

Hive:    HKEY_LOCAL_MACHINE\SYSTEM      

Key:     System\CurrentControlSet\Control\LSA           

Name:  RestrictAnonymous     

Type:    REG_DWORD  

Value:  1.        

This enhancement is part of Windows NT version 4.0 Service Pack 3.  A hot fix for it is also provided for Windows NT version 3.51.  Please refer to Knowledge Base article Q143474 for more details on this.

10. Enforcing strong user passwords

Windows NT 4.0 Service Pack 2 and later includes a password filter DLL file (Passfilt.dll) that lets you enforce stronger password requirements for users. Passfilt.dll provides enhanced security against "password guessing" or "dictionary attacks" by outside intruders.

Passfilt.dll implements the following password policy:

* Passwords must be at least six (6) characters long. (The minimum password length can be increased further by setting a higher value in the Password Policy for the domain).

* Passwords must contain characters from at least three (3) of the following four (4) classes:

Description                               Examples

English upper case letters                      A, B, C, ... Z

English lower case letters                      a, b, c, ... z

Westernized Arabic numerals     0, 1, 2, ... 9

Non-alphanumeric ("special characters") such as punctuation symbols

* Passwords may not contain your user name or any part of your full name.

These requirements are hard-coded in the Passfilt.dll file and cannot be changed through the user interface or registry. If you wish to raise or lower these requirements, you may write your own .dll and implement it in the same fashion as the Microsoft version that is available with Windows NT 4.0 Service Pack 2.

To use Passfilt.Dll, the administrator must configure the password filter DLL in the system registry on all domain controllers.  This can be done as follows with the following registry key value:

Hive:    HKEY_LOCAL_MACHINE\SYSTEM      

Key:     System\CurrentControlSet\Control\LSA           

Name:  Notification Packages  

Type:    REG_MULTI_SZ          

Value:  Add string "PASSFILT"  (do not remove existing ones).          

11. Disabling LanManager Password Hash Support

Windows NT supports the following two types of challenge/response authentication:

* LanManager (LM) challenge/response

* Windows NT challenge/response

To allow access to servers that only support LM authentication, Windows NT clients currently send both authentication types. Microsoft developed a patch that allows clients to be configured to send only Windows NT authentication.  This removes the use of LM challenge/response messages from the network.

Applying this hot fix, configures the following registry key:

Hive:    HKEY_LOCAL_MACHINE\SYSTEM      

Key:     System\CurrentControlSet\Control\LSA           

Name:  LMCompatibilityLevel 

Type:    REG_DWORD  

Value:  0,1,2  (Default 0)          

Setting the value to:

* 0 - Send both Windows NT and LM password forms.

* 1 - Send Windows NT and LM password forms only if the server requests it.

* 2 - Never send LM password form.

If a Windows NT client selects level 2, it cannot connect to servers that support only LM authentication, such as Windows 95 and Windows for Workgroups.

For more complete information on this hot fix, please refer to Knowledge Base article number Q147706.

12. Wiping the System Page File during clean system shutdown

Virtual Memory support of Windows NT uses a system page file to swap pages from memory of different processes onto disk when they are not being actively used.  On a running system, this page file is opened exclusively by the operating system and hence is well-protected.  However, systems that are configured to allow booting to other operating systems, may want to ensure that system page file is wiped clean when Windows NT shuts down.  This ensures that sensitive information from process memory that may have made into the page file is not available to a snooping user.  This can be achieved by setting up the following key:

Hive:    HKEY_LOCAL_MACHINE\SYSTEM      

Key:     System\CurrentControlSet\Control\SessionManager\Memory Management     

Name:  ClearPageFileAtShutdown       

Type:    REG_DWORD  

Value:  1         

Note that, this protection works only during a clean shutdown, therefore it is important that untrusted users do not have ability to power off or reset the system manually.

13. Protecting the Registry

All the initialization and configuration information used by Windows NT is stored in the registry. Normally, the keys in the registry are changed indirectly, through the administrative tools such as the Control Panel. This method is recommended. The registry can also be altered directly, with the Registry Editor; some keys can be altered in no other way.

The Registry Editor supports remote access to the Windows NT registry. To restrict network access to the registry, use the Registry Editor to create the following registry key:

Hive:    HKEY_LOCAL_MACHINE         

Key:     \CurrentcontrolSet\Control\SecurePipeServers

Name:  \winreg

The security permissions set on this key define which users or groups can connect to the system for remote registry access. The default Windows NT Workstation installation does not define this key and does not restrict remote access to the registry. Windows NT Server permits only administrators remote access to the registry.

14. Secure EventLog Viewing

Default configuration allows guests and null log ons ability to view event logs (system, and application logs).  Security log is protected from guest access by default, it is viewable by users who have "Manage Audit Logs" user right.  The Event log services use the following key to restrict guest access to these logs:

Hive:    HKEY_LOCAL_MACHINE         

Key:     \System\CurrentControlSet\Services\EventLog\[LogName]      

Name:  RestrictGuestAccess   

Type     REG_DWORD  

Value:  1         

Set the value for each of the logs to 1.  The change takes effect on next reboot.  Needless to say that you will have to change the security on this key to disallow everyone other than Administrators and System any access because otherwise malicious users can reset these values.

16. Secure Print Driver Installation

 Registry key AddPrinterDrivers under HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Control\Print\Providers\LanMan Print Services\Servers, Key value AddPrinterDrivers (REG_DWORD) is used to control who can add printer drivers using the print folder.  This key value should be set to 1 to enable the system spooler to restrict this operation to administrators and print operators (on server) or power users (on workstation).

Hive:    HKEY_LOCAL_MACHINE         

Key:     System\CurrentcontrolSet\Control\Print\Providers\LanMan Print Services\Servers     

Name:  AddPrintDrivers          

Type     REG_DWORD  

Value:  1         

17. The Schedule Service (AT Command)

The Schedule service (also known as the AT command) is used to schedule tasks to run automatically at a preset time. Because the scheduled task is run in the context run by the Schedule service (typically the operating system's context), this service should not be used in a highly secure environment.

By default, only administrators can submit AT commands. To allow system operators to also submit AT commands, use the Registry Editor to create or assign the following registry key value:

Hive:    HKEY_LOCAL_MACHINE\SYSTEM      

Key:     \CurrentControlSet\Control\Lsa           

Name:  Submit Control           

Type:    REG_DWORD  

Value:  1         

There is no way to allow anyone else to submit AT commands.  Protecting the registry as explained earlier restricts direct modification of the registry key using the registry editor.  Access to the registry key HKEY_LOCAL_MACHINE\System\CurrentControlSet\ Services\Schedule should also be restricted to only those users/groups (preferrably Administrators only) that are allowed to submit jobs to the schedule service.

The changes will take effect the next time the computer is started. You might want to update the Emergency Repair Disk to reflect these changes.

18. Secure File Sharing

The native Windows NT file sharing service is provided using the SMB-based server and redirector services.  Even though only administrators can create shares, the default security placed on the share allows Everyone full control access.  These permissions are controlling access to files on down level file systems like FAT which do not have security mechanisms built in.  Shares on NTFS enforce the security on the underlying directory it maps to and it is recommended that proper security be put via NTFS and not via the file sharing service.

Also note that the share information resides in the registry which also needs to be protected as explained in a section earlier.

 * Service Pack 3 for Windows NT version 4.0 includes several enhancements to SMB based file sharing protocol.  These are:It supports mutual authentication to counter man-in-the-middle attacks.

* It supports message authentication to prevent active message attacks.

 These are provided by incorporating message signing into SMB packets which are verified by both server and client ends.  There are registry key settings to enable SMB signatures on each side.  To ensure that SMB server responds to clients with message signing only, configure the following key value:

Hive:    HKEY_LOCAL_MACHINE\SYSTEM      

Key:     System\CurrentControlSet\Services\LanManServer\Parameters           

Name:  RequireSecuritySignature       

Type:    REG_DWORD  

Value:  1         

Setting this value ensures that the Server communicates with only those clients that are aware of message signing.  Note that this means that installations that have multiple versions of client software, older versions will fail to connect to servers that have this key value configured.

Similarly, security conscious clients can also decide to communicate with servers that support message signing and no one else.

Hive:    HKEY_LOCAL_MACHINE\SYSTEM      

Key:     System\CurrentControlSet\Services\Rdr\Parameters   

Name:  RequireSecuritySignature       

Type:    REG_DWORD  

Value:  1         

Note that setting this key value implies that the client will not be able to connect to servers which do not have message signing support.

 Please refer to Knowledge Base article Q161372 for further details on SMB message signing enhancements.

Windows NT version 4.0 Service Pack 3 also includes another enhancement to SMB file sharing protocol such that by default you are unable to connect to SMB servers (such as Samba or Hewlett-Packard (HP) LM/X or LAN Manager for UNIX) with an unencrypted (plain text) password.  This protects from sending clear text forms of passwords over the wire.  Please refer to Knowledge base article Q166730 if you have any reasons to allow clients to send unencrypted passwords over the wire.

Additionally, customers may want to delete the administrative shares ($ shares) if they are not needed on an installation.  This can be accomplished using "net share" command.  For example:

C:\> net share admin$ /d

19. Auditing

Auditing can inform you of actions that could pose a security risk and also identify the user accounts from which audited actions were taken. Note that auditing only tells you what user accounts were used for the audited events. If passwords are adequately protected, this in turn indicates which user attempted the audited events. However, if a password has been stolen or if actions were taken while a user was logged on but away from the computer, the action could have been initiated by someone other than the person to whom the user account is assigned

When you establish an audit policy you'll need to weigh the cost (in disk space and CPU cycles) of the various auditing options against the advantages of these options. You'll want to at least audit failed log on attempts, attempts to access sensitive data, and changes to security settings. Here are some common security threats and the type of auditing that can help track them:

20. Threat Action     

Hacker-type break-in using random passwords    Enable failure auditing for log on and log off events.     

Break-in using stolen password  Enable success auditing for log on and log off events. The log entries will not distinguish between the real users and the phony ones. What you are looking for here is unusual activity on user accounts, such as log ons at odd hours or on days when you would not expect any activity.    

Misuse of administrative privileges by authorized users   Enable success auditing for use of user rights; for user and group management, for security policy changes; and for restart, shutdown, and system events. (Note: Because of the high volume of events that would be recorded, Windows NT does not normally audit the use of the Backup Files And Directories and the Restore Files And Directories rights. Appendix B, "Security In a Software Development Environment," explains how to enable auditing of the use of these rights.)       

Virus outbreak   Enable success and failure write access auditing for program files such as files with .exe and .dll extensions. Enable success and failure process tracking auditing. Run suspect programs and examine the security log for unexpected attempts to modify program files or creation of unexpected processes. Note that these auditing settings generate a large number of event records during routine system use. You should use them only when you are actively monitoring the system log.     

Improper access to sensitive files          Enable success and failure auditing for file- and object-access events, and then use File Manager to enable success and failure auditing of read and write access by suspect users or groups for sensitive files.           

Improper access to printers       Enable success and failure auditing for file- and object-access events, and then use Print Manager to enable success and failure auditing of print access by suspect users or groups for the printers.        

21. Enabling System Auditing

Enabling system auditing can inform you of actions that pose security risks and possibly detect security breaches.

To activate security event logging, follow these steps:

1. Log on as the administrator of the local workstation.

2. Click the Start button, point to Programs, point to Administrative Tools, and then click User Manager.

3. On the Policies menu, click Audit.

4.Click the Audit These Events option.

5. Enable the options you want to use. The following options are available:

•           Log on/Log off: Logs both local and remote resource logins.

•           File and Object Access: File, directory, and printer access.

•           Note: Files and folders must reside on an NTFS partition for security logging to be enabled. Once the auditing of file and object access has been enabled, use Windows NT Explorer to select auditing for individual files and folders.

•           User and Group Management: Any user accounts or groups created, changed, or deleted. Any user accounts that are renamed, disabled, or enabled. Any passwords set or changed.

•           Security Policy Changes: Any changes to user rights or audit policies.

•           Restart, Shutdown, And System: Logs shutdowns and restarts for the local workstation.

•           Process Tracking: Tracks program activation, handle duplication, indirect object access, and process exit.

6.         Click the Success check box to enable logging for successful operations, and the Failure check box to enable logging for unsuccessful operations.

7.Click OK.

  

Note that Auditing is a "detection" capability rather than "prevention" capability.  It will help you discover security breaches after they occur and therefore should always be consider in addition to various preventive measures.

NT Security

The Logon Process


WinLogon


Users must log on to a Windows NT machine in order to use that NT based machine or network. The logon process itself cannot be bypassed, it is mandatory. Once the user has logged on, an access token is created (this token will be discussed in more detail later). This token contains user specific security information, such as: security identifier, group identifiers, user rights and permissions. The user, as well as all processes spawned by the user are identified to the system with this token.


The first step in the WinLogon process is something we are all familiar with, CTRL+ALT+DEL. This is NT's default Security Attention Sequence (SAS - The SAS key combo can be changed. We will also discuss that later.). This SAS is a signal to the operating system that someone is trying to logon. After the SAS is triggered, all user mode applications pause until the security operation completes or is cancelled. (Note: The SAS is not just a logon operation, this same key combination can be used for logging on, logging off, changing a password or locking the workstation.) The pausing, or closing, of all user mode applications during SAS is a security feature that most people take for granted and dont understand. Due to this pausing of applications, logon related trojan viruses are stopped, keyloggers (programs that run in memory, keeping track of keystrokes, therefor recording someones password) are stopped as well.

The user name is not case sensitive but the password is.

After typing in your information and clicking OK (or pressing enter), the WinLogon process supplies the information to the security subsystem, which in turn compares the information to the Security Accounts Manager (SAM). If the information is compliant with the information in the SAM, an access token is created for the user. The WinLogon takes the access token and passes it onto the Win32 subsytem, which in turn starts the operating systems shell. The shell, as well as all other spawned processes will receive a token. This token is not only used for security, but also allows NTs auditing and logging features to track user usage and access of network resources.


Note: All of the logon components are located in a file known as the Graphical Indetification and Authentication (GINA) module, specifically MSGINA.DLL. Under certain conditions, this file can be replaced, which is how you would change the SAS key combination.


For fine tuning of the WinLogon process, you can refer to the registry. All of the options for the WinLogon process are contained in the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\WindowsNT\CurrentVersion\Winlogon area. You can also fine tune the process by using the Policy Editor.


Logging on to a Domain


If an NT machine is a participant on a Domain, you would not only need to login to the local machine, but the Domain as well. If a computer is a member of a Domain, the WinLogon process is replaced by the NetLogon process.






Security Architecture Components


Local Security Authority (LSA): Also known as the security subsystem, it is the central portion of NT security. It handles local security policies and user authentication. The LSA also handles generating and logging audit messages.


Security Accounts Manager (SAM): The SAM handles user and group accounts, and provides user authentication for the LSA.


Security Reference Monitor (SRM): The SRM is in charge of enforcing and assuring access validation and auditing for the LSA. It references user account information as the user attempts to access resources.




Introduction to Securing an NT Box


Abstract


Microsoft Windows NT operating system provides several security features. However, the default out-of-the-box configuration is highly relaxed, especially on the Workstation product. This is because the operating system is sold as a shrink-wrapped product with an assumption that an average customer may not want to worry about a highly restrained but secure system on their desktop.


A particular installation's requirements can differ significantly from another. Therefore, it is necessary for individual customers to evaluate their particular environment and requirements before implementing a security configuration. This is also because implementing security settings can impact system configuration. Certain applications installed on Windows NT may require more relaxed settings to function properly than others because of the nature of the product. Customers are therefore advised to careful evaluate recommendations in the context of their system configurations and usage.


If you install a Windows NT machine as a web server or a firewall, you should tighten up the security on that box. Ordinary machines on your internal network are less accessible than a machine the Internet. A machine accessible from the Internet is more vulnerable and likely to be attacked. Securing the machine gives you a bastion host. Some of the things you should do include:


* Remove all protocol stacks except TCP/IP, since IP is the only protocol that runs on the Internet


* Remove unnecessary network bindings


* Disable all unnecessary accounts, like guest


* Remove share permissions and default shares


* Remove network access for everyone (User Manger -> Policies ->User rights, "Access this computer from the network")


* Disable unnecessary services


* Enable audit logging


* Track the audit information






Physical Security Considerations


Take the precautions you would with any piece of valuable equipment to protect against casual theft. This step can include locking the room the computer is in when no one is there to keep an eye on it, or using a locked cable to attach the unit to a wall. You might also want to establish procedures for moving or repairing the computer so that the computer or its components cannot be taken under false pretenses.


Use a surge protector or power conditioner to protect the computer and its peripherals from power spikes. Also, perform regular disk scans and defragmentation to isolate bad sectors and to maintain the highest possible disk performance.


As with minimal security, the computer should be protected as any valuable equipment would be. Generally, this involves keeping the computer in a building that is locked to unauthorized users, as most homes and offices are. In some instances you might want to use a cable and lock to secure the computer to its location. If the computer has a physical lock, you can lock it and keep the key in a safe place for additional security. However, if the key is lost or inaccessible, an authorized user might be unable to work on the computer.


You might choose to keep unauthorized users away from the power or reset switches on the computer, particularly if your computer's rights policy denies them the right to shut down the computer. The most secure computers (other than those in locked and guarded rooms) expose only the computer's keyboard, monitor, mouse, and (when appropriate) printer to users. The CPU and removable media drives can be locked away where only specifically authorized personnel can access them.






Backups


Regular backups protect your data from hardware failures and honest mistakes, as well as from viruses and other malicious mischief. The Windows NT Backup utility is described in Chapter 6, "Backing Up and Restoring Network Files" in Microsoft Windows NT Server Concepts and Planning. For procedural information, see Help.


Obviously, files must be read to be backed up, and they must be written to be restored. Backup privileges should be limited to administrators and backup operators-people to whom you are comfortable giving read and write access on all files.






Networks and Security


If the network is entirely contained in a secure building, the risk of unauthorized taps is minimized or eliminated. If the cabling must pass through unsecured areas, use optical fiber links rather than twisted pair to foil attempts to tap the wire and collect transmitted data.






Restricting the Boot Process


Most personal computers today can start a number of different operating systems. For example, even if you normally start Windows NT from the C: drive, someone could select another version of Windows on another drive, including a floppy drive or CD-ROM drive. If this happens, security precautions you have taken within your normal version of Windows NT might be circumvented.


In general, you should install only those operating systems that you want to be used on the computer you are setting up. For a highly secure system, this will probably mean installing one version of Windows NT. However, you must still protect the CPU physically to ensure that no other operating system is loaded. Depending on your circumstances, you might choose to remove the floppy drive or drives. In some computers you can disable booting from the floppy drive by setting switches or jumpers inside the CPU. If you use hardware settings to disable booting from the floppy drive, you might want to lock the computer case (if possible) or lock the machine in a cabinet with a hole in the front to provide access to the floppy drive. If the CPU is in a locked area away from the keyboard and monitor, drives cannot be added or hardware settings changed for the purpose of starting from another operating system. Another simple setting is to edit the boot.ini file such that the boot timeout is 0 seconds; this will make hard for the user to boot to another system if one exists.


On many hardware platforms, the system can be protected using a power-on password. A power-on password prevents unauthorized personnel from starting an operating system other than Windows NT, which would compromise system security. Power-on passwords are a function of the computer hardware, not the operating system software. Therefore the procedure for setting up the power-on password depends on the type of computer and is available in the vendor's documentation supplied with the system.

Point-To-Point Tunneling Protocol (PPTP)

Point-To-Point Tunneling Protocol (PPTP) is a protocol that allows the secure exchange of data from a client to a server by forming a Virtual Private Network (VPN) via a TCP/IP based network. The strong point of PPTP is its ability to provide on demand, multi-protocol support over existing network infrastructure, such as the Internet. This ability would allow a company to use the Internet to establish a virtual private network without the expense of a leased line.

The technology that makes PPTP possible is an extension of the remote access Point-To-Point Protocol (PPP- which is defined and documented by the Internet Engineering Task Force in RFC 1171).  PPTP technology encapsulates PPP packets into IP datagrams for transmission over TCP/IP based networks. PPTP is currently a protocol draft awaiting standardization. The companies involved in the PPTP forum are Microsoft, Ascend Communications, 3Com/Primary Access, ECI Telematics, and US Robotics.

PPTP and Virtual Private Networking

 The Point-To-Point Tunneling Protocol is packaged with WindowsNT 4.0 Server and Workstation. PC's that are running this protocol  can use it to securely connect to a private network as a remote access client using a public data network such as the Internet.

A major feature in the use of PPTP is its support for virtual private networking. The best part of this feature is that it supports VPN's over public-switched telephone networks (PSTNs). By using PPTP a company can greatly reduce the cost of deploying a wide area, remote access solution for mobile users because it provides secure and encrypted communications over existing network structures like PSTNs or the Internet.

Standard PPTP Deployment

 In general practice, there are normally three computers involved in a deployment:

* a PPTP client

* a Network Access Server

* a PPTP Server

note: the network access server is optional, and if NOT needed for PPTP deployment. In normal deployment however, they are present.

In a typical deployment of PPTP, it begins with a remote or mobile PC that will be the PPTP client. This PPTP client needs access to a private network by using a local Internet Service Provider (ISP). Clients who are running the WindowsNT Server or Workstation operating systems will use Dial-up networking and the Point-To-Point protocol to connect to their ISP. The client will then connect to a network access server which will be located at the ISP (Network Access Servers are also known as Front-End Processors (FEPs) or Point-Of-Presence servers (POPs)). Once connected, the client has the ability to exchange data over the Internet. The Network Access Server uses the TCP/IP protocol  for the handling of all traffic.

After the client has made the initial PPP connection to the ISP, a second Dial-Up networking call is made over the existing PPP connection. Data sent using the second connection is in the form of IP datagrams that contain PPP packets, referred to as encapsulated PPP. It is this second call that creates the virtual private network connection to a PPTP server on the private company network. This is called a tunnel.

Tunneling is the process of exchanging data to a computer on a private network by routing them over some other network. The other network routers cannot access the computer that is on the private network. However, tunneling enables the routing network to transmit the packet to an intermediary computer, such as a PPTP server. This PPTP server is connected to both the company private network and the routing network, which is in this case, the Internet. Both the PPTP client and the PPTP server use tunneling to securely transmit packets to a computer on the private network.

When the PPTP server receives a packet from the routing network (Internet), it sends it across the private network to the destination computer. The PPTP server does this by processing the PPTP packet to obtain the private network computer name or address information which is encapsulated in the PPP packet.

quick note: The encapsulated PPP packet can contain multi-protocol data such as TCP/IP, IPX/SPX, or NetBEUI. Because the PPTP server is configured to communicate across the private network by using private network protocols, it is able to understand Multi-Protocols.

PPTP encapsulates the encrypted and compressed PPP packets into IP datagrams for transmission over the Internet. These IP datagrams are routed over the Internet where they reach the PPTP server. The PPTP server disassembles the IP datagram into a PPP packet and then decrypts the packet using the network protocol of the private network. As mentioned earlier, the network protocols that are supported by PPTP are TCP/IP, IPX/SPX and NetBEUI.

PPTP Clients

 A computer that is able to use the PPTP protocol can connect to a PPTP server two different ways:

* By using an ISP's network access server that supports inbound PPP connections.

* By using a physical TCP/IP-enabled LAN connection to connect to a PPTP server.

PPTP clients attempting to use an ISP's network access server must be properly configured with a modem and a VPN device to make the seperate connections to the ISP and the PPTP server. The first connection is dial-up connection utilizing the PPP protocol over the modem to an Internet Service Provider. The second connection is a VPN connection using PPTP, over the modem and through the ISP. The second connection requires the first connection because the tunnel between the VPN devices is established by using the modem and PPP connections to the internet.

The exception to this two connection process is using PPTP to create a virtual private network between computers physically connected to a LAN. In this scenario the client is already connected to a network and only uses Dial-Up networking with a VPN device to create the connection to a PPTP server on the LAN.

PPTP packets from a remote PPTP client and a local LAN PPTP client are processed differently. A PPTP packet from a remote client is placed on the telecommunication device physical media, while the PPTP packet from a LAN PPTP client is placed on the network adapter physical media.

PPTP Architecture

 This next area discusses the architecture of PPTP under Windows NT Server 4.0 and NT Workstation 4.0. The following section covers:

* PPP Protocol

* PPTP Control Connection

* PPTP Data Tunneling

Architecture Overview:

The secure communication that is established using PPTP typically involves three processes, each of which requires successful completion of the previous process. This will now explain these processes and how they work:

PPP Connection and Communication: A PPTP client utilizes PPP to connect to an ISP by using a standard telephone line or ISDN line. This connection uses the PPP protocol to establish the connection and encrypt data packets.

PPTP Control Connection: Using the connection to the Internet established by the PPP protocol, the PPTP protocol creates a control connection from the PPTP client to a PPTP server on the Internet. This connection uses TCP to establish communication and is called a PPTP Tunnel.

PPTP Data Tunneling: The PPTP protocol creates IP datagrams containing encrypted PPP packets which are then sent through the PPTP tunnel to the PPTP server. The PPTP server disassembles the IP datagrams and decrypts the PPP packets, and the routes the decrypted packet to the private network.

PPP Protocol:

 The are will not cover in depth information about PPP, it will cover the role PPP plays in a PPTP environment. PPP is a remote access protocol used by PPTP to send data across TCP/IP based networks. PPP encapsulates IP, IPX, and NetBEUI packets between PPP frames and sends the encapsulated packets by creating a point-to-point link between the sending and receiving computers.

Most PPTP sessions are started by a client dialing up an ISP network access server. The PPP protocol is used to create the dial-up connection between the client and network access server and performs the folloing functions:

* Establishes and ends the physical connection. The PPP protocol uses a sequence defined in RFC 1661 to establish and maintain connections between remote computers.

* Authenticates Users. PPTP clients are authenticated by using PPP. Clear text, encrypted or MS CHAP can be used by the PPP protocol.

* Creates PPP datagrams that contain encrypted IPX, NetBEUI, or TCP/IP packets.

PPTP Control Connection:

The PPTP protocol specifies a series of messages that are used for session control. These messages are sent between a PPTP client and a PPTP server. The control messages establish, maintain and end the PPTP tunnel. The following list present the primary control messages used to establish and maintain the PPTP session.

           

Message Type	Purpose
PPTP_START_SESSION_REQUEST	Starts Session
PPTP_START_SESSION_REPLY	Replies to Start Session Request
PPTP_ECHO_REQUEST	Maintains Session
PPTP_ECHO_REPLY	Replies to Maintain Session Request
PPTP_WAN_ERROR_NOTIFY	Reports an error in the PPP connection
PPTP_SET_LINK_INFO	Configures PPTP Client/Server Connection
PPTP_STOP_SESSION_REQUEST	Ends Session
PPTP_STOP_SESSION_REPLY	Replies to End Session Request

The control messages are sent inside of control packets in a TCP datagram. One TCP connection is enabled between the PPTP client and Server. This path is used to send and receive control messages. The datagram contains a PPP header, a TCP Header, a PPTP Control message and appropriate trailers. The construction is as follows

PPP Delivery Header

IP Header

PPTP Control Message

Trailers

PPTP Data Transmission

After the PPTP Tunnel has been created, user data is transmitted between the client and PPTP server. Data is sent in IP Datagrams containing PPP packets. The IP datagram is created using a modified version of the Generic Routing Encapsulation (GRE) protocol (GRE is defined in RFC 1701 and 1702). The structure of the IP Datagram is as follows:

PPP Delivery Header

IP Header

GRE Header

PPP Header

IP Header

TCP Header

Data

By paying attention to the construction of the packet, you can see how it would be able to be transmitted over the Internet as headers are stripped off. The PPP Delivery header provides information necessary for the datagram to traverse the Internet. The GRE header is used to encapsulate the PPP packet within the IP Datagram. The PPP packet is created by RAS. The PPP Packet is encrypted and if intercepted, would be unintelligible.

Understanding PPTP Security

PPTP uses the strict authentication and encryption security available to computers running RAS under WindowsNT Server version 4.0. PPTP can also protect the PPTP server and private network by ignoring all but PPTP traffic. Despite this security, it is easy to configure a firewall to allow PPTP to access the network.

Authentication: Initial dial-in authentication may be required by an ISP network access server. If this Authentication is required, it is strictly to log on to the ISP, it is not related to Windows NT based Authentication. A PPTP server is a gateway to your network, and as such it requires standard WindowsNT based logon. All PPTP clients must provide a user name and password. Therefore, remote access logon using a PC running under NT server or Workstation is as secure as logging on from a PC connected to a LAN (theoretically). Authentication of remote PPTP clients is done by using the same PPP authentication methods used for any RAS client dialing directly into an NT Server. Because of this, it fully supports MS-CHAP (Microsoft Challenge Handshake Authentication Protocol which uses the MD4 hash as well as earlier LAN Manager methods.)

Access Control: After Authentication, all access to the private LAN continues to use existing NT based security structures. Access to resources on NTFS drives or to other network resources require the proper permissions, just as if you were connected directly to the LAN.

Data Encryption: For data encryption, PPTP uses the RAS "shared-secret" encryption process. It is referred to as a shared-secret because both ends of the connection share the encryption key. Under Microsoft's implementation of RAS, the shared secret is the user password (Other methods include public key encryption). PPTP uses the PPP encryption and PPP compression schemes. The CCP (Compression Control Protocol) is used to negotiate the encryption used. The username and password is available to the server and supplied by the client. An encryption key is generated using a hash of the password stored on both the client and server. The RSA RC4 standard is used to create this 40-bit (128-bit inside the US and Canada is available) session key based on the client password. This key is then used to encrypt and decrypt all data exchanged between the PPTP client and server. The data in PPP packets is encrypted. The PPP packet containing the block of encrypted data is then stuffed into a larger IP datagram for routing.

PPTP Packet Filtering: Network security from intruders can be enhanced by enabling PPTP filtering on the PPTP server. When PPTP filtering is enabled, the PPTP server on the private network accepts and routes only PPTP packets. This prevents ALL other packet types from entering the network. PPTP traffic uses port 1723.

PPTP and the Registry

This following is a list of Windows NT Registry Keys where user defined PPTP information can be found:

KEY:    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RASPPTPE\

             Parameters\Configuration

Values: AuthenticateIncomingCalls

             DataType = REG_WORD

             Range = 0 - 1

             Default = 0

Set this value to 1 to force PPTP to accept calls only from IP addresses listed in the PeerClientIPAddresses registry value. If AuthenticateIncomingCalls is set to 1 and there are no addresses in PeerClientIPAddresses, the no clients will be able to connect.

             PeerClientIPAddresses

             DataType = REG_MULTI_SZ

             Range = The format is a valid IP address

This parameter is a list of IP addresses the server will accept connections from.

KEY:    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\<adapter name>\

             Parameters\Tcpip

 

Values: DontAddDefaultGateway

             DataType = REG_WORD

             Range = 0 - 1

             Default = 1

When PPTP is installed, a default route is made for each LAN adapter. This parameter will disable the default route on the corporate LAN adapter.

             PPTPFiltering

             Key: <adaptername.\Paramters\tcpip

             ValueType: REG_WORD

             Valid Range: 0 - 1

             Default = 0

This parameter controls whether PPTP filtering is enabled or not.

             PPTPTcpMaxDataRetransmissions

             Key: Tcpip\Parameters

             ValueType: REG_WORD - Number of times to retransmit a PPTP packet.

             Valid Range: 0 - 0xFFFFFFFF

             Default: 9

This setting control how many times PPTP will retransmit a packet.

Special Security Update

SPECIAL REVISION: As a last minute revision to the lecture. A flaw has been discovered in the PPTP architecture. It turns out that if you send a that if you send a pptp start session request with an invalid packet length in the pptp packet header that it will crash an NT box and cause the NT server to do a CoreDump. Fragments of code for a DoS attack package are flying, and the rhino9 team should have a completed DoS Attack program released soon. This program is released, of course, for network administrators wanting to know how the bug works.