Install Latest Service Pack and applicable hot-fixes
Install the latest recommended Microsoft Service Pack for the NT operating system, followed by the applicable hot-fixes. Not all hot-fixes are required on every system, and the order in which they are installed is very important, because later hot-fixes sometimes supersede earlier ones.
ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40
Display a Legal Notice Before Log On
STATUS: [ ] Completed  [ ] Not implemented  [ ] Not applicable
Windows NT can display a message box with the caption and text of your choice before a user logs on. Many organizations use this message box to display a warning message that notifies potential users that they can be held legally liable if they attempt to use the computer without having been properly authorized to do so. The absence of such a notice could be construed as an invitation, without restriction, to enter and browse the system.
The log on notice can also be used in settings (such as an information kiosk) where users might require instruction on how to supply a user name and password for the appropriate account.
To display a legal notice, use the Registry Editor to create or assign the following two registry values on the workstation to be protected:

Hive:  HKEY_LOCAL_MACHINE\SOFTWARE
Key:   \Microsoft\Windows NT\CurrentVersion\Winlogon
Name:  LegalNoticeCaption
Type:  REG_SZ
Value: Whatever you want for the title of the message box

Hive:  HKEY_LOCAL_MACHINE\SOFTWARE
Key:   \Microsoft\Windows NT\CurrentVersion\Winlogon
Name:  LegalNoticeText
Type:  REG_SZ
Value: Whatever you want for the text of the message box
The changes take effect the next time the computer is started. You might want to update the Emergency Repair Disk to reflect these changes.
Examples:

Caption: Welcome to the XYZ Information Kiosk
Text: Log on using account name Guest and password XYZCorp.

Caption: Authorized Users Only
Text: This system is for the use of authorized users only. Individuals using this computing system without authority, or in excess of their authority, are subject to having all of their activities on this system monitored and recorded by system personnel. In the course of monitoring individuals improperly using this system, or in the course of system maintenance, the activities of authorized users may be monitored. Anyone using this system expressly consents to such monitoring and is advised that if such monitoring reveals possible evidence of criminal activity, system personnel may provide the evidence of such monitoring to law enforcement officials.
Rename Administrative Accounts
STATUS: [ ] Completed  [ ] Not implemented  [ ] Not applicable
It is a good idea to rename the built-in Administrator account to something less obvious. This powerful account is the one account that can never be locked out due to repeated failed log on attempts, and consequently is attractive to hackers who try to break in by repeatedly guessing passwords. By renaming the account, you force hackers to guess the account name as well as the password.
Make the following changes:
Remove right “LOG ON FROM THE NETWORK” from Administrator’s group
Add right “LOG ON FROM THE NETWORK” for individuals who are administrators
Enable auditing of failed login attempts
Lock out users for more than 5 login failures
Require password of at least 8 characters
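The two checklist items above (the legal notice values and the renamed Administrator account) can be verified rather than ticked by hand. The following audit script is an added example, not part of the original checklist; it assumes a Windows host with PowerShell 3 or later and CIM (NT 4 itself has no PowerShell, but the Winlogon values and the RID 500 rule have not changed), and reports each item using the checklist's own status words.

```powershell
# Added audit script (not from the original checklist). Assumes PowerShell 3+
# with CIM; the Winlogon values are the same ones the checklist describes.
$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'

function Get-LegalNoticeStatus {
    $p = Get-ItemProperty -Path $winlogon -ErrorAction SilentlyContinue
    # Both values must exist and be non-empty; an empty string means no notice is shown.
    if ([string]::IsNullOrWhiteSpace($p.LegalNoticeCaption) -or
        [string]::IsNullOrWhiteSpace($p.LegalNoticeText)) {
        return 'Not implemented'
    }
    return 'Completed'
}

function Get-AdminRenameStatus {
    # The built-in Administrator keeps RID 500 whatever it is called, so look up
    # the local account whose SID ends in -500 instead of searching by name.
    $admin = Get-CimInstance Win32_UserAccount -Filter 'LocalAccount=True' |
             Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    if ($null -eq $admin) { return 'Not applicable' }      # no local RID 500 account found
    if ($admin.Name -eq 'Administrator') { return 'Not implemented' }
    return 'Completed'
}

"Display a Legal Notice Before Log On : $(Get-LegalNoticeStatus)"
"Rename Administrative Accounts       : $(Get-AdminRenameStatus)"
```

Run it from an elevated prompt so the Winlogon key and local account list can be read.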