STATUS: Completed | Not implemented | Not applicable

The NTFS file system provides more security features than FAT (which has no access control lists at all) and should be used whenever security is a concern. The only reason to use FAT is the system partition of an ARC-compliant RISC system, which must be FAT; that partition can be secured in its entirety with the Secure System Partition command on the Partition menu of the Disk Administrator utility.
Among the files and directories to be protected are those that make up the operating system itself. The standard permissions on system files and directories provide a reasonable degree of security without interfering with the computer's usability. For high-security installations, however, you might additionally set the directory permissions listed below on all subdirectories and existing files immediately after Windows NT is installed. Apply permissions to parent directories before subdirectories: replacing a parent's permissions on its subtree overwrites anything set on the subdirectories earlier.
First apply the following using the ACL editor:

Directory | Permissions | Complete
\WINNT and all subdirectories under it | Administrators: Full Control; CREATOR OWNER: Full Control; Everyone: Read; SYSTEM: Full Control | [ ]

Now, within the \WINNT tree, apply the following exceptions to the general security:

Directory | Permissions | Complete
\WINNT\REPAIR | Administrators: Full Control | [ ]
\WINNT\SYSTEM32\CONFIG | Administrators: Full Control; CREATOR OWNER: Full Control; Everyone: List; SYSTEM: Full Control | [ ]
\WINNT\SYSTEM32\SPOOL | Administrators: Full Control; CREATOR OWNER: Full Control; Everyone: Read; Power Users: Change; SYSTEM: Full Control | [ ]
\WINNT\COOKIES, \WINNT\FORMS, \WINNT\HISTORY, \WINNT\OCCACHE, \WINNT\PROFILES, \WINNT\SENDTO, \WINNT\Temporary Internet Files | Administrators: Full Control; CREATOR OWNER: Full Control; Everyone: Special Directory Access – Read, Write and Execute, Special File Access – None; SYSTEM: Full Control | [ ]

Several critical operating system files live in the root directory of the system partition on x86 (Intel 80486 and Pentium) systems. In high-security installations you might want to assign the following permissions to them:

File | C2-Level Permissions | Complete
\Boot.ini, \Ntdetect.com, \Ntldr | Administrators: Full Control; SYSTEM: Full Control | [ ]
\Autoexec.bat, \Config.sys | Everyone: Read; Administrators: Full Control; SYSTEM: Full Control | [ ]
\TEMP directory | Administrators: Full Control; SYSTEM: Full Control; CREATOR OWNER: Full Control; Everyone: Special Directory Access – Read, Write and Execute, Special File Access – None | [ ]

To view these files in File Manager, choose the By File Type command from the View menu, then select the Show Hidden/System Files check box in the By File Type dialog box.
Note that the protections listed here are over and above those in the earlier standard security level section, which included having only NTFS partitions (except the system partition on RISC machines). The FAT system partition of a RISC system can be secured using the Secure System Partition command on the Partition menu of the Disk Administrator utility.
It is also highly advisable that administrators manually scan the permissions on every partition of the system and ensure that each is appropriately secured for the kinds of user access that occur in their environment.
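The permission tables above, rendered as a script that can be audited against a running system or applied to it. This is an added example, not part of the NT 4 guide, whose tool was the ACL editor in File Manager. It assumes a Windows version with PowerShell 5 or later and the .NET file-ACL classes; $SystemRoot stands in for \WINNT and $BootRoot for the system partition (both are assumed parameter names), and paths from the tables that do not exist on the target are skipped. The mapping of NT 4 permission names (Read, List, Change, the Special Directory/File Access pairs) onto modern rights and inheritance flags is the author's, stated in the comments.

```powershell
# Added example: the high-security permission tables expressed as a PowerShell baseline
# that can be audited (default) or applied. Not from the NT 4 guide. Assumptions:
# PowerShell 5+, $SystemRoot stands in for \WINNT, $BootRoot for the system partition,
# and paths listed in the tables that are absent on the target are skipped.
[CmdletBinding()]
param(
    [string]$SystemRoot = $env:SystemRoot,
    [string]$BootRoot   = $env:SystemDrive,
    [ValidateSet('Audit', 'Apply')][string]$Mode = 'Audit'
)

$CI = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$OI = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit
$NoInherit   = [System.Security.AccessControl.InheritanceFlags]::None
$NoProp      = [System.Security.AccessControl.PropagationFlags]::None
$InheritOnly = [System.Security.AccessControl.PropagationFlags]::InheritOnly

# NT 4 ACL-editor names mapped to a rights mask plus what the ACE propagates to.
# "List" is RX on the directory and its subdirectories with no ACE on files;
# "RWX dir/None file" is Special Directory Access R,W,X with Special File Access None.
$Kind = @{
    'Full Control'      = @{ Rights = 'FullControl';            Inherit = ($CI -bor $OI) }
    'Change'            = @{ Rights = 'Modify';                 Inherit = ($CI -bor $OI) }
    'Read'              = @{ Rights = 'ReadAndExecute';         Inherit = ($CI -bor $OI) }
    'List'              = @{ Rights = 'ReadAndExecute';         Inherit = $CI }
    'RWX dir/None file' = @{ Rights = 'Read,Write,ExecuteFile'; Inherit = $CI }
}
$Admins = 'BUILTIN\Administrators'; $System = 'NT AUTHORITY\SYSTEM'
$Owner  = 'CREATOR OWNER';          $PU     = 'BUILTIN\Power Users'
$Std    = @{ $Admins = 'Full Control'; $Owner = 'Full Control'; $System = 'Full Control' }

# The tables from the page, parents before children as the guide requires.
$Baseline = @(
    @{ Path = $SystemRoot;                   Acl = $Std + @{ 'Everyone' = 'Read' } }
    @{ Path = "$SystemRoot\repair";          Acl = @{ $Admins = 'Full Control' } }
    @{ Path = "$SystemRoot\system32\config"; Acl = $Std + @{ 'Everyone' = 'List' } }
    @{ Path = "$SystemRoot\system32\spool";  Acl = $Std + @{ 'Everyone' = 'Read'; $PU = 'Change' } }
)
foreach ($d in 'Cookies', 'Forms', 'History', 'Occache', 'Profiles', 'SendTo', 'Temporary Internet Files') {
    $Baseline += @{ Path = "$SystemRoot\$d"; Acl = $Std + @{ 'Everyone' = 'RWX dir/None file' } }
}
$Baseline += @{ Path = "$BootRoot\Temp"; Acl = $Std + @{ 'Everyone' = 'RWX dir/None file' } }
foreach ($f in 'boot.ini', 'ntdetect.com', 'ntldr') {
    $Baseline += @{ Path = "$BootRoot\$f"; Acl = @{ $Admins = 'Full Control'; $System = 'Full Control' } }
}
foreach ($f in 'autoexec.bat', 'config.sys') {
    $Baseline += @{ Path = "$BootRoot\$f"; Acl = @{ 'Everyone' = 'Read'; $Admins = 'Full Control'; $System = 'Full Control' } }
}

function Get-ExpectedRules([string]$Path, [hashtable]$Entries) {
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    foreach ($id in $Entries.Keys) {
        $k = $Kind[$Entries[$id]]
        # Files carry no inheritance flags; CREATOR OWNER is an inherit-only placeholder ACE.
        $inh  = if ($isDir) { $k.Inherit } else { $NoInherit }
        $prop = if ($isDir -and $id -eq $Owner) { $InheritOnly } else { $NoProp }
        New-Object System.Security.AccessControl.FileSystemAccessRule($id, $k.Rights, $inh, $prop, 'Allow')
    }
}

function Get-RuleKey($r) {
    # Windows stores inherit-only Full Control as GENERIC_ALL (0x10000000); fold it into
    # FullControl so an equivalent ACE is not flagged. Other generic masks are reported as-is.
    $mask = [int]$r.FileSystemRights
    if ($mask -eq 0x10000000) { $mask = [int][System.Security.AccessControl.FileSystemRights]::FullControl }
    '{0}|{1}|{2}|{3}' -f $r.IdentityReference, $mask, [int]$r.InheritanceFlags, [int]$r.PropagationFlags
}

function Test-BaselineEntry($Entry) {
    if (-not (Test-Path -LiteralPath $Entry.Path)) { return "SKIP     $($Entry.Path) (not present)" }
    $expected = @(Get-ExpectedRules $Entry.Path $Entry.Acl | ForEach-Object { Get-RuleKey $_ })
    $actual   = @((Get-Acl -LiteralPath $Entry.Path).Access |
                  Where-Object { $_.AccessControlType -eq 'Allow' } | ForEach-Object { Get-RuleKey $_ })
    $missing = @($expected | Where-Object { $actual -notcontains $_ })
    $extra   = @($actual   | Where-Object { $expected -notcontains $_ })
    if (-not $missing -and -not $extra) { return "OK       $($Entry.Path)" }
    "DEVIATES $($Entry.Path)"
    $missing | ForEach-Object { "    missing: $_" }
    $extra   | ForEach-Object { "    extra:   $_" }
}

function Set-BaselineEntry($Entry) {
    if (-not (Test-Path -LiteralPath $Entry.Path)) { Write-Warning "skip $($Entry.Path) (not present)"; return }
    $acl = Get-Acl -LiteralPath $Entry.Path
    $acl.SetAccessRuleProtection($true, $false)                    # cut inheritance, drop inherited ACEs
    foreach ($r in @($acl.Access)) { $acl.RemoveAccessRuleAll($r) }   # drop the explicit ACEs too
    foreach ($r in Get-ExpectedRules $Entry.Path $Entry.Acl) { $acl.AddAccessRule($r) }
    Set-Acl -LiteralPath $Entry.Path -AclObject $acl
}

foreach ($e in $Baseline) {
    if ($Mode -eq 'Apply') { Set-BaselineEntry $e } else { Test-BaselineEntry $e }
}
```

Audit is the default and prints, per path, the ACEs the table expects but the object lacks and the ACEs present that the table does not list; inherited ACEs count as extra, because the tables replace the whole ACL. Apply mode needs WRITE_DAC on each object (on NT 4 Administrators had Full Control on \WINNT; later Windows versions hand ownership of the system directory to TrustedInstaller, where these NT 4 tables should not be applied unmodified). Applying to the root sets inheritable ACEs that propagate only to children still inheriting; a child with a protected ACL keeps it, which is exactly what the exception rows rely on.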
Services and NetBIOS Access From the Internet
For a stand-alone Web or firewall server, consider the following guidelines.
The following services should NOT be started:
Service | Installed | Not Installed
Alerter | [ ] | [ ]
ClipBook Server | [ ] | [ ]
Computer Browser | [ ] | [ ]
DHCP Client | [ ] | [ ]
Directory Replicator | [ ] | [ ]
Messenger | [ ] | [ ]
Net Logon | [ ] | [ ]
Network DDE | [ ] | [ ]
Network DDE DSDM | [ ] | [ ]
Plug and Play | [ ] | [ ]
Remote Procedure Call (RPC) Locator | [ ] | [ ]
Server | [ ] | [ ]
SNMP Trap Service | [ ] | [ ]
Spooler (unless print spooling is needed) | [ ] | [ ]
TCP/IP NetBIOS Helper | [ ] | [ ]
Telephony Service | [ ] | [ ]
Workstation | [ ] | [ ]

The following services MUST be started:

Service | Installed | Not Installed
EventLog | [ ] | [ ]
FTP Publishing Service (for an FTP server) | [ ] | [ ]
Gopher Publishing Service (for a Gopher server) | [ ] | [ ]
NT LM Security Support Provider | [ ] | [ ]
Remote Procedure Call (RPC) Service | [ ] | [ ]
SNMP | [ ] | [ ]
World Wide Web Publishing Service (for a WWW server) | [ ] | [ ]

The following services MAY be started if needed:

Service | Installed | Not Installed
Schedule | [ ] | [ ]
UPS | [ ] | [ ]

In the Network control panel, on the Bindings page, disable the bindings of the "NetBIOS Interface", the "Server" service and the "Workstation" service to "WINS Client (TCP/IP)", so that SMB and NetBIOS services cannot be reached over TCP/IP from the Internet.
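The three service lists and the binding step above as one script that reports deviations and, with -Enforce, corrects them. This is an added example, not from the NT 4 guide, where the same work is done in the Services and Network control panels. It assumes service display names spelled as the guide spells them (names absent on the target are reported and skipped), and for the binding step it uses Disable-NetAdapterBinding and the WMI method SetTcpipNetbios, the later-Windows equivalents of the NT 4 Bindings page, on an adapter name you pass in; the parameter names ($Enforce, $InternetAdapter, $PrintSpooling, $Ftp, $Gopher, $Www) are the author's.

```powershell
# Added example, not part of the NT 4 guide: audits the service lists for a stand-alone
# Web/firewall server and, with -Enforce, sets them. Display names are the NT 4 ones;
# on a later Windows, review the "must not run" list (Plug and Play, DHCP Client) before
# using -Enforce. Names absent on the target are reported as NOT PRESENT and skipped.
[CmdletBinding()]
param(
    [switch]$Enforce,
    [string]$InternetAdapter,   # e.g. 'Ethernet'; the binding step runs only when given
    [switch]$PrintSpooling,     # keep Spooler only if print spooling is really needed
    [switch]$Ftp, [switch]$Gopher, [switch]$Www   # which publishing services this host runs
)

$MustNotRun = @('Alerter', 'ClipBook Server', 'Computer Browser', 'DHCP Client', 'Directory Replicator',
    'Messenger', 'Net Logon', 'Network DDE', 'Network DDE DSDM', 'Plug and Play',
    'Remote Procedure Call (RPC) Locator', 'Server', 'SNMP Trap Service', 'TCP/IP NetBIOS Helper',
    'Telephony Service', 'Workstation')
if (-not $PrintSpooling) { $MustNotRun += 'Spooler' }
$MustRun = @('EventLog', 'NT LM Security Support Provider', 'Remote Procedure Call (RPC) Service', 'SNMP')
if ($Ftp)    { $MustRun += 'FTP Publishing Service' }
if ($Gopher) { $MustRun += 'Gopher Publishing Service' }
if ($Www)    { $MustRun += 'World Wide Web Publishing Service' }
# Schedule and UPS are "may be started if needed" on the page: neither enforced nor flagged.

function Get-ServiceByDisplayName([string]$Name) {
    Get-Service | Where-Object { $_.DisplayName -eq $Name }
}

function Test-ServiceLists {
    # Emits one line per deviation; NOT PRESENT lines are informational.
    foreach ($n in $MustNotRun) {
        $s = Get-ServiceByDisplayName $n
        if (-not $s) { "NOT PRESENT       $n"; continue }
        if ($s.Status -ne 'Stopped' -or $s.StartType -ne 'Disabled') {
            "SHOULD BE OFF     $n ($($s.Name): $($s.Status), start=$($s.StartType))"
        }
    }
    foreach ($n in $MustRun) {
        $s = Get-ServiceByDisplayName $n
        if (-not $s) { "MISSING           $n"; continue }
        if ($s.Status -ne 'Running') { "SHOULD BE RUNNING $n ($($s.Name): $($s.Status))" }
    }
}

function Set-ServiceLists {
    foreach ($n in $MustNotRun) {
        $s = Get-ServiceByDisplayName $n
        if (-not $s) { continue }
        # Disable first so nothing restarts it, then stop it together with its dependents.
        Set-Service -Name $s.Name -StartupType Disabled
        if ($s.Status -ne 'Stopped') { Stop-Service -Name $s.Name -Force }
    }
    foreach ($n in $MustRun) {
        $s = Get-ServiceByDisplayName $n
        if (-not $s) { Write-Warning "required service is not installed: $n"; continue }
        Set-Service -Name $s.Name -StartupType Automatic
        if ($s.Status -ne 'Running') { Start-Service -Name $s.Name }
    }
}

function Disable-InternetAdapterBindings([string]$Adapter) {
    # NT 4 "disconnect Server, Workstation and the NetBIOS Interface from WINS Client (TCP/IP)":
    # unbind File and Printer Sharing (ms_server) and Client for Microsoft Networks (ms_msclient)
    # from the Internet-facing adapter, then turn NetBIOS over TCP/IP off (option 2 = disable).
    Disable-NetAdapterBinding -Name $Adapter -ComponentID ms_server, ms_msclient
    $desc = (Get-NetAdapter -Name $Adapter).InterfaceDescription
    Get-CimInstance Win32_NetworkAdapterConfiguration |
        Where-Object { $_.IPEnabled -and $_.Description -eq $desc } |
        ForEach-Object {
            $null = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = [uint32]2 }
        }
}

if ($Enforce) {
    Set-ServiceLists
    if ($InternetAdapter) { Disable-InternetAdapterBindings $InternetAdapter }
}
Test-ServiceLists   # no SHOULD BE lines means both lists are satisfied
```

Run it without switches first: the audit output is the list of services to deal with, and a required service reported MISSING needs installing rather than starting. Stopping "Server" and "Workstation" cuts the host off from SMB file sharing in both directions, which is the intent on a stand-alone Web server but must be done from the console, not over a network share.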