Securing Windows nt installation

Securing Windows NT Installation

Introduction

Abstract

• 
  Remove all protocol stacks except TCP/IP, since IP is the only protocol that runs on the Internet
  
• 
  Remove unnecessary network bindings
  
• 
  Disable all unnecessary accounts, like guest
  
• 
  Remove share permissions and default shares
  
• 
  Remove network access for everyone (User Manger -> Policies ->User rights, "Access this computer from the network")
  
• 
  Disable unnecessary services
  
• 
  Enable audit logging
  
• 
  Track the audit information
  

  Physical Security Considerations

  
  Take the precautions you would with any piece of valuable equipment to protect against casual theft. This step can include locking the room the computer is in when no one is there to keep an eye on it, or using a locked cable to attach the unit to a wall. You might also want to establish procedures for moving or repairing the computer so that the computer or its components cannot be taken under false pretenses.

  Use a surge protector or power conditioner to protect the computer and its peripherals from power spikes. Also, perform regular disk scans and defragmentation to isolate bad sectors and to maintain the highest possible disk performance.

  As with minimal security, the computer should be protected as any valuable equipment would be. Generally, this involves keeping the computer in a building that is locked to unauthorized users, as most homes and offices are. In some instances you might want to use a cable and lock to secure the computer to its location. If the computer has a physical lock, you can lock it and keep the key in a safe place for additional security. However, if the key is lost or inaccessible, an authorized user might be unable to work on the computer.

  You might choose to keep unauthorized users away from the power or reset switches on the computer, particularly if your computer’s rights policy denies them the right to shut down the computer. The most secure computers (other than those in locked and guarded rooms) expose only the computer’s keyboard, monitor, mouse, and (when appropriate) printer to users. The CPU and removable media drives can be locked away where only specifically authorized personnel can access them.

  
  

  Backups

  
  Regular backups protect your data from hardware failures and honest mistakes, as well as from viruses and other malicious mischief. The Windows NT Backup utility is described in Chapter 6, “Backing Up and Restoring Network Files” in Microsoft Windows NT Server Concepts and Planning. For procedural information, see Help.

  Obviously, files must be read to be backed up, and they must be written to be restored. Backup privileges should be limited to administrators and backup operators—people to whom you are comfortable giving read and write access on all files.

  
  

  Networks and Security

  
  If the network is entirely contained in a secure building, the risk of unauthorized taps is minimized or eliminated. If the cabling must pass through unsecured areas, use optical fiber links rather than twisted pair to foil attempts to tap the wire and collect transmitted data.
  

  Restricting the Boot Process

  
  Most personal computers today can start a number of different operating systems. For example, even if you normally start Windows NT from the C: drive, someone could select another version of Windows on another drive, including a floppy drive or CD-ROM drive. If this happens, security precautions you have taken within your normal version of Windows NT might be circumvented.

  In general, you should install only those operating systems that you want to be used on the computer you are setting up. For a highly secure system, this will probably mean installing one version of Windows NT. However, you must still protect the CPU physically to ensure that no other operating system is loaded. Depending on your circumstances, you might choose to remove the floppy drive or drives. In some computers you can disable booting from the floppy drive by setting switches or jumpers inside the CPU. If you use hardware settings to disable booting from the floppy drive, you might want to lock the computer case (if possible) or lock the machine in a cabinet with a hole in the front to provide access to the floppy drive. If the CPU is in a locked area away from the keyboard and monitor, drives cannot be added or hardware settings changed for the purpose of starting from another operating system. Another simple setting is to edit the boot.ini file such that the boot timeout is 0 seconds; this will make hard for the user to boot to another system if one exists.

  On many hardware platforms, the system can be protected using a power-on password. A power-on password prevents unauthorized personnel from starting an operating system other than Windows NT, which would compromise system security. Power-on passwords are a function of the computer hardware, not the operating system software. Therefore the procedure for setting up the power-on password depends on the type of computer and is available in the vendor’s documentation supplied with the system.
  

  
  
  Katalog: pub
  pub -> Mit rss feeds
  pub -> Internet Explorer Recommended settings for
  pub -> Настройки браузера Internet Explorer для работы с электронной подписью
  
  
  
  Download 91 Kb.