To use NT as a File and Print server, there are no directories/files
which need to be set to RWXD for Everyone. In fact, the group Everyone
does not need to have any access to anything.

Given that access for some unknown/unqualified user (i.e. Everyone) is
not necessary for an NT File and Print server, the idea of C2's
accountability/auditing is of value, albeit limited value, but that's
all that C2 provides. Part of the C2 requirements are that the system
cannot be modified or accessed without record, and to comply in this
area, Microsoft used Compaq and Digital equipment which could have the
floppy boot disabled (in the case of Compaq they also disabled the CD
boot). The boxes also required physical security (i.e. cabinet locks).
This would be true of any system which does not employ a firmware-based
tripwire system for the HD controller.

The C2 Orange book requirements were meant to cover a stand-alone
machine, but the C2 Red Book requirements were/are intended for network
environments. Microsoft has never completed C2 Red Book testing (or if
they have, they've never published the results). The main reason, IMO,
is that in order to comply they would have to make significant
modifications to their BackOffice products which might run on an NT
Server. Microsoft is far more interested in selling less secure/more
easily usable products than in making that investment at this time. Although
customer requirements are changing (look at some of the security
features in MSExchange Server, like data encryption, encrypted sessions
between site servers, integrated NT Domain authentication...), they
still don't have a focus on security first.

As for basic security precautions for NT, remove permissions for the
group Everyone at the root of the HKEY_LOCAL_MACHINE hierarchy in the
registry. You will be given the option to have this removal propagated
down through the entire tree; DO NOT USE THIS OPTION. With that one
change, accessing your registry from the network will be restricted only
to logged on users of the Administrators group, and even members of this
group can be restricted if they are not granted the right to "Log on
from the Network". Of course, members of the Administrators group can
change that right to give themselves access, but as C2 requires, this
change would be recorded in the event logs. And if they were to delete
the logs, the deletion would be recorded also...and so on...

NT 4.0, by default, now restricts registry access for the group Everyone
to read access of the following hives:

    System\CurrentControlSet\Control\ProductOptions
    System\CurrentControlSet\Control\Print\Printers
    System\CurrentControlSet\Services\Eventlog
    Software\Microsoft\Windows NT\CurrentVersion

NOTE: If you have your NT box set to auto-logon, the username and
password get stored in a subkey of Software\Microsoft\Windows
NT\CurrentVersion, and can therefore be seen by members of the group
Everyone by default. Since enabling auto-logon is done by a registry
hack (although a utility is included in the NT Resource Kit to enable
it), and since it requires a user ID and password to be stored in clear
text, it's obviously a pretty bad idea to enable it. Reducing permissions
on subkeys of this hive is a good idea since it contains some parameters
that you might not want made known; usually removing the query
permission is sufficient.

Cheers,
Russ
"any sufficiently advanced technology is indistinguishable from
magic"...Arthur C. Clarke
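
An added example, not part of the original post: a check for the clear-text auto-logon credentials described in the NOTE above, run over a text export of the registry. The post does not name the subkey or its values; Winlogon, AutoAdminLogon, DefaultUserName and DefaultPassword are the standard Windows names, and the export shown is a constructed sample.

```python
import re

# Constructed sample in the REGEDIT4 text format written by regedit's export.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion]
"CurrentVersion"="4.0"

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DefaultUserName"="svc_kiosk"
"DefaultPassword"="constructed-sample-value"
'''

WINLOGON = r'hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon'
KEY_RE = re.compile(r'^\[(.+)\]\s*$')
# Only string (REG_SZ) values are parsed; dword and hex values are skipped.
VAL_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"\s*$')

def parse_reg(text):
    """Return {lowercased key path: {lowercased value name: string data}}."""
    keys, current = {}, None
    for line in text.splitlines():
        m = KEY_RE.match(line)
        if m:
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = VAL_RE.match(line)
        if m and current is not None:
            # .reg files escape backslashes and quotes inside string data.
            current[m.group(1).lower()] = re.sub(r'\\(.)', r'\1', m.group(2))
    return keys

def audit_autologon(text):
    """Report auto-logon findings without echoing the stored password."""
    values = parse_reg(text).get(WINLOGON, {})
    findings = []
    if values.get('autoadminlogon') == '1':
        findings.append('AutoAdminLogon is enabled')
    # A DefaultPassword left behind after auto-logon is switched off is
    # still readable, so it is reported independently of AutoAdminLogon.
    if values.get('defaultpassword'):
        user = values.get('defaultusername', '<unknown>')
        findings.append(f'DefaultPassword stored in clear text for {user!r}')
    return findings

if __name__ == '__main__':
    for finding in audit_autologon(SAMPLE_EXPORT):
        print(finding)
```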