Microsoft Security Whitepaper - Windows NT

By Kurt Seifried, [email protected]



Windows NT was Microsoft's first attempt at an industrial strength business oriented operating system, and by the time NT 4.0 rolled around they had done quite a good job. NT supports advanced file permissions in the form of Access Control Lists, users and groups, and other needed security features. The problem is however that in an effort to make NT usable the default permissions on files are registry entries are extremely permissive (everybody has full control).

Best Defenses

Your best defenses in Windows NT are:

Remove unneeded network services

Unfortunately there are not many services you can disable if you are using it for file and print sharing and authentication. Fortunately most of these machines are on LANs and access from the Internet is restricted, so chances are if someone attacks it it will be from an internal source. This is why keeping the software up to date is so critical. However for publicly accessible machines such as web servers you should not rely on Windows file sharing, unless you have some sort of VPN and firewall to protect it. Also for gateway servers, proxy servers and other machine with connections to public and internal networks you can easily disable file and print sharing on the external adapter only, leaving it enable don the internal one. Although Windows NT does have built in packet filtering, it does not work properly and I would not recommend using it.

First open up network settings, "Start", "Settings", "Network", and choose the "Bindings" tab:

Choose "Show Bindings for" and select "all adapters", then expand the tree view:

Assuming the Interl 10/100 card is your internal interface, and the Acer PCI card is your external interface you would want to disable the WINS Client on it, to be on the safe side you should disable all the services, simply highlight them and click "Disable":

You can now click on "OK" and then you will have to reboot the computer.

The Server service is the actuall file and printer sharing. The Workstation service allows you to connect to other servers, this is dangerous because it potentially allows a remote attacker to connect to a remote site and retrieve data (such as a trojan horse they want to load on your machine), and in some cases passwords can be found be having the target computer connect out and try to access resources on an attackers machine.

Update software regularly

There are two sets of fixes for NT and related products, the first are hotfixes, these are solutions to (usually) individual problems, released several days or weeks after the problem is found. These hotfixes are tested, however they are not completely regression tested, so on occasion they may break some feature or misbehave. Every once in a while all the current fixes are rolled up into one big package, called a service pack. These service packs are extensively tested and include hundreds of fixes (calc.exe is replaced for example), they rarely break things (but it has been known to happen). The following URL's have links to download the various fixes needed for NT:

This is probably the first thing you should do after installing an NT server, you will need to apply the latest service pack, and numerous hotfixes, which can take a while since you MUST reboot in between them (do not try to install multiple hotfixes without rebooting, you will likely damage your software installation).

Tighten file permissions

Although NT supports file ACL's (Access Control Lists) the default permissions are that the group everybody has "full control", meaning anyone that can log in locally, or access files via a fileshare can create, delete, modify or otherwise manipulate files and directories. This is especially critical on machines that are part of a domain since backups of the SAM (Security Account Manager) are stored in:


Or wherever your NT installation directory is. Once an attacker has this file they can run it through a password cracking program such as L0phtcrack, since NT uses less then optimal password storage techniques, combined with the speed of password cracking programs it is pretty much guaranteed that an attacker will glean some passwords. The repair directory should be protected, open up "Windows NT Explorer" and go into your NT installation directory, then right click on the "repair" directory, choose "Security" and remove the group "everyone" from the listing. This is just one example of literally hundreds of bad file permissions.

Unfortunately if you try to protect the C:\Winnt\System and C:\Winnt\System32 chances are you will break many common applications since they want to be able to access files in these directories and in some cases write to them. A partial solution is to use system policies and restrict the applications people can run, i.e. restrict a user to:

C:\Program Files\Officesuite\office.exe

There is also a product from SecureWave called SecureExe who's primary purpose is to prevent trojan software from being executed, but can also prevent users from say copying regedt32.exe over notepad.exe and running is (since it not only check the file name, but a cryptographically secure hash of it [SHA1]). These two topics are discussed in more depth later on.

Tighten registry permissions

The same problem that affects file security exists for registry permissions, they default is extremely promiscuous. NT ships with two registry editing programs, one has the ability to manipulate security permissions and is extremely functional (regedt32.exe), the other has a search function, but you cannot modify permissions and so on (regedit.exe), which makes securing the registry a very tedious process.

Using regedt32.exe simply open up the registry on the appropriate computer (the default is the local computer), find the key or keys you wish to secure and choose "Security" and then "Permissions" and you can easily modify who is able to manipulate the key.

A freeware/commercial solution is RegDACL from Heysoft, the freeware version is slightly stripped down but still very functional. You can easily script modifications and it makes modifying registry security permissions much faster (since chances are you want to do the same thing on many computers). You can download it from:

Install an Anti-Virus scanner

Even with all these precautions it is still possible for a virus to slip in and do something malicious. Best case scenario it infects some data which you need only disinfect or restore from backup, worst case it replicates itself via email and takes out your entire network. As well many trojan programs for NT are detected by the majority of anti-virus scanners, they are an integral part of any security policy. - TrendMicro (PC-cillin) - Norton (Anti-Virus) - McAfee (Virus Clinic)

Install a firewall

If your machine is attached directly to the Internet you should definetely install a firewall product, if it is on an internal network it is also a good idea (since many attacks come from internal sources). - Network ICE (BlackICE Defender, about $40USD for single license)

Additional Defences

Auditing events

The Windows NT event logger is extremely useful for detecting suspicious activity and nefarious user actions. Like most Windows NT security features it is not turned on by default. The first step is to increase the log size, as the default is to only keep 512 kilobytes of logs and overwrite events older then 7 days old. I would reccomend setting the log size to several hundred megabytes, or gigabytes if you want to do extensive logging (disk space is cheap). Setting the log file to "Overwrite Events as Needed" will result in the log "wrapping", as space is needed the oldest event will be blown away, this is somewhat better then "Do Not Overwrite Events (Clear Log Manually)" which once full will stop recording logging events. However the danger in overwriting log events is that an attacker may try to cover their tracks by flooding the log files and overwriting the events that could help reconstruct what happened. In any event a tool is now available: "WinZapper" which can be used to delete log entries. - WinZapper

The good news however is that WinZapper cannot be used remotely, so the user must install a trojan such as BackOrifice 2000 to use it (unless of course someone modifies WinZapper for remote usage, which is far from impossible). You can also not run Event Viewer after using WinZapper, you must reboot, so two indications that WinZapper has been used would be if the server is unexpectedly rebooted or if you cannot run Event Viewer. As well a file called "dummy.dat" is left, this is a copy of the original log file, so without modifications the tool is easily detected (again, this modification will happen, so don't depend on being able to find a dummy.dat file). It is primarily a proof of concept that once administrative access is gained you can no longer trust the event logs (this is true of most operating systems unless you use some type of secure off system logging).

To enable logging you must first go to "Start", "Programs", "Administrative Tools (Common)", and select "User Manage for Domains". Then click on "Policies" and choose "Audit". You can selectively audit events like user logins/logoffs, file and object access (warning, this will generate a lot of log entries), user and group management and so on. You can also audit successes and/or failures, unless you are extremely concerned about security auditing failed events only is probably sufficient. However for some sensitive environments you may wish to know exactly when users are accessing certain files. Once you have enabled auditing on "File and bject Access" you will need to enable auditing in the filesystem, this is good news because you can extremely selective on which files and directories you audit (otherwise there would be a huge amount of "noise" for normal system activity). Open up the "Windows NT Explorer" and select the directory or files you wish to enable auditing on, then right click, choose "Security" and "Auditing". You can audit access by certain users and groups (for example accounts belonging to temp workers might be included in the audit, but not fulltime workers), and you can audit the events selectively (Read, Write, Execute, Delete, Change Permission and Take Ownership) and whether they succeed or fail. Use the "Everone" group if you wish to record anyone accessing files.

One problem with all of this is that you can enable/disable logging on the fly without requiring a reboot, while convinient it does allow an attacker to disable auditing before they attempt to access something, and they can then turn the auditing back on, or leave it disabled (chances are most administrators will not notice). You should periodically check to make sure auditing is enabled properly, or have a test account to access objects so you can verify that the access is logged.

Implementing system policies

System policies will be covered later as they are a reasonably complex topic.

Preventing trojan binaries

Even with System policies installed and enforced it is possible for an attacker to circumvent them. Let's say for example you have restricted the programs a user can run, even with the full patchname specified it is possible for someone to run arbitrary programs if they can overwrite one of the programs they have access to. For example if you let UserA run C:\Winnt\notepad.exe, and you have not tightened up permissions they can simply copy regedt32.exe overtop of it and run it.

One solution is to use SecureExe from SecureWave:

This program uses the SHA1 signature algorithm, in addition to the program's name/path, if the stored signature for calc.exe doesn't match the one in the database you cannot run calc.exe. An attacker can copy over a file, but the signature will not match, and it will not be run. No pricing or availability yet, however they do have an online demo using Microsoft's Terminal Server.

Restricting access to removable devices

For a variety of reasons it is desirable to restrict user access to removable devices such as floppy disks, cdrom drives, printer ports and communication ports. Unfortunately NT does not have any facilities to control access to these ports selectively. Disabling them in the BIOS is possible but then you must reboot and enter a password at the BIOS prompt to reenable them, not a workable solution by any means. The good news is that there is a nice commercial product from SecureWave, called SecureNT (it also supports Win9x). This loads a VXD at startup which controls access to any removable media, and the com and printer ports. This allows you to easily prevent the user from plugging a modem in and setting up dial-in access, or plugging a parallel port cd-burner in and stealing corporate data.

Host based intrusion detection

Manually checking to make sure no-one has breached your security and reveiwing log files is an extremely time intensive and tedious process. Luckily there exist many software packages that will do it for you, filter the results and alert you to suspicious activity. - Activity log scanners - Intrusion detection / audit trail

Basic security auditing


Extended Defences

Advanced administration tools

Most of the built in Windows NT tools (like User Manager for Domains) leave a lot to be desired and are usually unusable in extremely large and complex environments.

Advanced security auditing




Last updated 10/4/2002

Copyright Kurt Seifried 2001