Everhart, Glenn

From: Mark Curphey [is-007@insight.co.uk]
Sent: Wednesday, July 15, 1998 2:43 PM
To: 'Max Westin (QDT)'; ntsecurity@iss.net
Subject: RE: [NTSEC] Top 10 things to secure

TO UNSUBSCRIBE: email "unsubscribe ntsecurity" to majordomo@iss.net
Contact ntsecurity-owner@iss.net for help with any problems!
---------------------------------------------------------------------------

In an ideal world I agree with all of this but...... null sessions are used in some trust relationship management and can cause problems with Exchange servers amongst other things. There is a KB article.

More basically, I always try to ensure there are no local accounts and people must log onto a PDC. User control is vastly improved.

Make sure each WS has a different local Admin password. If one gets cracked and they are all the same, a local admin on a WS becomes a global admin. It is difficult to manage but essential. I have seen batch files mapping drives using a known local admin password !!!!

In that vein, protect \\repair to prevent samdump.exe from being useful.

and .......... etc...etc...etc.....

-----Original Message-----
From: owner-ntsecurity@iss.net [mailto:owner-ntsecurity@iss.net] On Behalf Of Max Westin (QDT)
Sent: Wednesday, July 15, 1998 7:33 AM
To: 'ntsecurity@iss.net'
Subject: FW: [NTSEC] Top 10 things to secure

Hmm... Great list, but... There are three things I would like to add to the list below:

1) Add the value RestrictAnonymous [REG_DWORD] = 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA in the Registry. There's a fairly common program called RedButton that I would try using if I made an attack on a server. Installing SP3 cripples this application, but you can still use it to get the names of the accounts with SID 500 and SID 501 (Administrator and Guest). Setting this value in the registry disables RedButton.

2) Change the User Right "Access this computer from the network" from "Everyone" to "Authenticated Users" (a new global group added with SP3). This means that everyone trying to access the computer has to have an ID from your domain or a trusted domain, thus disabling the [NET USE %Sharename% "" /user:""] way to access a share without giving the server an ID.

3) Use PASSPROP.EXE to disable Administrator account lockout. The weakest spot on a server is that the Administrator account never locks. PASSPROP.EXE (part of SP3) enables lockout of the admin account over the network. This means that you get locked out after, say, 3 failed tries to log on as admin over the net, but you're still able to log on if you're sitting locally on the machine. Another alternative is to forbid administrators to access the computer over the network at all.

If the network is "NT4 only", that is, no Win95 clients, I would add the hotfix LM-fix and set the LMCompatibilityLevel in HKLM\system\CurrentControlSet\Control\LSA in the registry to 2. This disables the LanManager password authentication, which makes it impossible to sniff passwords.

Finally I'd use syskey.exe (also part of SP3) to disable L0phtcrack and other similar programs you can use if you get hold of the SAM file.

Well... that's all folks :)

/Max

> -----Original Message-----
> From: Stout, Bill [SMTP:StoutB@pios.com]
> Sent: Tuesday, July 14, 1998 6:44 PM
> To: ntsecurity@iss.net
> Subject: [NTSEC] Top 10 things to secure
>
> Yesterday, a company asked me what they should tighten on a default NT
> installation. Being momentarily distracted by the (ahem) videos used
> for load testing their NT video servers, I thought, 'Geeze, where should
> I start?'. Therefore the question: if you need to rattle off maybe ten
> things to secure for non-security people - a mantra, what would that
> list be? (And could that fit on a handout card?)
>
> Here's my initial suggestion:
>
> 1. Use NTFS
> 2. Turn on auditing in User Manager for all Failures
> 3. Apply service packs and hotfixes according to Russ's mustfix page:
>    http://ntbugtraq.ntadvice.com/mustfix.asp
> 4. Disable Guest account
> 5. Remove 'Everyone' write permissions from the winnt\system32
>    directory tree.
> 6. Use regedt32, and turn on auditing for (at least the)
>    HKEY_LOCAL_MACHINE\Security subtree (detects remote registry browsing)
> 7. Rename administrator and guest accounts, add fake administrator and
>    guest accounts (detects account attacks)
> 8. Use partition other than system partition for user or application
>    data
> 9. Use a blank password-protected screensaver
> 10. Disable autoshares, change '1' to '0' of key AutoShareServer at:
>    HKEY_LOCAL_MACHINE\SYSTEM\ControlSet001\Services\LanmanServer\Parameters
>
> Comments?
>
> Bill Stout
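The registry-backed items from the three posts above (RestrictAnonymous and LMCompatibilityLevel under Control\Lsa, AutoShareServer under LanmanServer\Parameters, plus the matching AutoShareWks value for workstations) can be audited and set from one script. The following is an added example, not code from any of the posters; the registry paths and value names are the documented ones, while the -Apply switch, the $Checks table and the function name are this example's own choices. The user-right change and PASSPROP admin lockout are LSA policy rather than plain registry values and are deliberately not touched here.

```powershell
# Added example: audit (and with -Apply, enforce) the NT registry hardening
# values discussed in the thread. Run from an elevated PowerShell session.
[CmdletBinding()]
param(
    [switch]$Apply   # without -Apply the script only reports drift
)

# Each entry: human-readable name, registry path, value name, wanted DWORD.
$Checks = @(
    @{ Name = 'RestrictAnonymous (block null-session enumeration)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'RestrictAnonymous';    Want = 1 },
    @{ Name = 'LmCompatibilityLevel (2 = send NTLM only, no LM hash)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Key  = 'LmCompatibilityLevel'; Want = 2 },
    @{ Name = 'AutoShareServer (no C$/D$ admin shares on servers)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'AutoShareServer';      Want = 0 },
    @{ Name = 'AutoShareWks (same, for workstations)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Key  = 'AutoShareWks';         Want = 0 }
)

function Get-HardeningValue {
    param([hashtable]$Check)
    # Returns the current DWORD, or $null when the value does not exist.
    # A missing value is never treated as compliant: the system falls back to
    # its built-in default (anonymous access allowed, LM accepted, shares created).
    $item = Get-ItemProperty -Path $Check.Path -Name $Check.Key -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return [int]$item.$($Check.Key)
}

foreach ($c in $Checks) {
    $current = Get-HardeningValue -Check $c
    $state = if ($current -eq $c.Want) { 'OK' } else { 'DRIFT' }
    '{0,-6} {1,-58} current={2} wanted={3}' -f $state, $c.Name, ($current -as [string]), $c.Want

    if ($Apply -and $state -eq 'DRIFT') {
        # -Type DWord creates the value as REG_DWORD when it is absent and never
        # leaves a REG_SZ "1" behind, which the services would ignore.
        Set-ItemProperty -Path $c.Path -Name $c.Key -Value $c.Want -Type DWord
        "       -> set $($c.Key)=$($c.Want)"
    }
}

'Note: AutoShare* changes take effect after the Server service restarts;'
'LmCompatibilityLevel=2 will break clients that can only speak LM (e.g. Win95 without the update).'
```

Run it once without -Apply to see the drift report, then with -Apply after confirming, as Mark points out above, that nothing in the environment (trust management, Exchange) still depends on null sessions, since RestrictAnonymous=1 removes them for every caller, not just for RedButton.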