Sorry, but there are so many inaccuracies in this message it makes my head
spin.
NT 3.51 comes with the Guest account disabled. The Guest account has
limited access to the system, although all NT systems are installed with
very lax security out of the box. It should be blatantly obvious to anyone
that if you are trying to use NT in a secure environment, then some effort
is going to be required to secure it.
Read/Write access to the registry is, first of all, restricted to members
of the domain which the NT box is installed in. If you enabled the Guest
account, then yes, it would have access to a sub-section of the registry on
the NT box, but it certainly does not permit you read/write access to the
Security Access Manager (the user/password encrypted database). In fact,
no-one, not even the Administrator, has read/write access to the SAM. The
Administrator can gain access to the SAM, but it must do so by first taking
ownership, then granting permission. Both of these actions are recorded in
the Event Log.
"However, even if guest has a password, any other user on that NT box
could edit the registry."
Editing the registry is a very broad and sweeping term that can either have
no security implications or tremendous security implications. By default,
any user can add information into the registry about their application.
Since application information is stored in a common sub-section of the
registry, it's possible that one application could write to the keys of
another application, thereby installing a Trojan. This Trojan, however, is
limited to installable applications, and does not include things such as
the logon process.
"There are a few things one can do to sorta secure NT, but there are so
many, one starts to think the only way to make NT secure is to disconnect
it from the network... or put it behind its own firewall (which still
makes it vulnerable to people who have access to it...)"
So, there are a few things, but those few things are so many it's difficult
to understand?? Come on, there are a number of things you do to secure NT,
it's not rocket science, it's like any other environment, you have to learn
that environment.
"Global Internet (Gi.net) have a firewall, and a TNT package for NT, which
can secure NT from tcp/ip networks, but merely by making it a wrapper,
which basically acts like a tcpwrapper under unix, which only allows access
to it to hosts which are specified."
Just to clarify, the firewall is not merely a wrapper, it's a fully
NT-specifically coded version of Gauntlet.
"I unfortunately have not had the time to evaluate these packages
extensively, or any of the competing packages, for that matter..."
And you could have added that you haven't had much time to understand NT
security either. Certainly you don't think that spending three weeks on the
NTSecurity list qualifies you as an NT Security (or NT InSecurity) expert??
I've been securing Windows NT for almost 5 years now, and while there are
some environments which I admit are almost impossible to properly secure
(access to NT through WinDD, Citrix, or some other terminal-emulation-like
server-based environment...thanks to Pete Da Silva) today, the vast
majority of NT installations can be *reasonably* secured with the tools
that come with NT itself. There are a number of tools which can improve
NT's security environment, as they do in Unix environments. SecureID,
eNTrust, TNT, and other authentication mechanisms are just one example.
"Because NT has even more security holes than Irix *duck*, I won't list
them here,"
It's interesting that you should say this. Bill Stout put a very good list
together, but a number of those issues can be addressed if you can accept
the inconvenience it adds to the environment (as is often the case with any
environment you are trying to *completely* secure). I would suggest that
you are merely echoing someone else's claims, and not stating anything that
you have personal knowledge of.
There are some *holes* in NT. The biggest one that I am personally aware of
is the fact that you can attempt to change the Administrator's password as
many times as you want without the account ever locking you out. Since it's
not currently possible to limit the number of unsuccessful login attempts
to the Administrator account, there is no way to prevent this hack. Of
course this is a brute force attack, but since it's possible to do this from
across a network, it represents the most significant flaw in NT's security
model that I am aware of.
NT 4.0 addresses some problems, and will probably address more by the time
it's released. Currently, however, NT 4.0 has not yet addressed the issue of
locking out the Administrator account. There is, however, a basic packet
filter which allows you to shut down specific ports on your machine. It
does not, however, allow you to specify IP addresses or NT Machine names to
selectively allow connections through closed ports. Since Catapult can be
run together with other NT Server applications, it's possible that it might
make a very logical addition to any NT Server that is meant to be secure
(it will depend on its cost, and its ability).
The Kane Security Analyst, well-known in the Novell environment, have
completed their NT product which can provide a pretty comprehensive
analysis of your NT environment. It's not intended to show every potential
security risk, as no program could, but it does a very good job of showing
and documenting issues which need to be considered.
It's important to point out that some of the NT Firewall products do not
rely on NT's Security Reference Monitor (or NT's security mechanisms) to
provide their security. Depending on how the Firewall has been implemented,
it may, for example, use drivers to intercept packets prior to those
packets entering NT's networking components. By doing so, they are better
able to control how those packets interact with NT, in some cases,
eliminating access to NT core components in order to verify what the packet
can do. Most also disable various NT services which pose security risks to
the Firewall. These two actions could be considered similar to stripping
down an OS in order to harden it. Some people have previously said that
hardening NT was not possible, but most of these Firewall products have
shown that it is.
Cheers,
Russ