I've also searched for UNIX-like tools and haven't found much.
What I do is to install NT into a 500 MB NTFS partition (size
depending on what you want to do). I leave enough space (plus 5
MB) to completely copy my first partition and then create an NTFS
extended partition with the remaining disk space. I create logical
partitions for the directories ftproot and wwwroot etc. in this
extended partition. I completely remove all permissions to everything
from the root, only giving Administrator and System full access and
Creator/Owner add & read. For the logical partitions to support IIS, I
only give IUSR_machine read on the directories and read/execute on
files. This keeps your web server's public-access information
completely separate from your operating system. I also make some
adjustments to the registry to prevent programs from being installed,
and I run the C2 compliance tool from the resource kit to make some other
security adjustments. Apply the service packs and patches and set it
behind a quality firewall that only allows ports 20, 21, 80 and 53 and
requires established connections. After I'm all done, I use Partition
Magic to duplicate my system partition and then I hide this copy. I
now have a completely installed NT system ready to be updated from
tape backups and put online. Change your passwords frequently and
make sure that you know what the password is for the copy you've
I'd appreciate any critique of what I do and/or suggestions for other
things I can try.
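The permission model the post describes (strip everything from the root, grant only Administrators and SYSTEM full control plus CREATOR OWNER add/read, then give the IIS anonymous account read on directories and read/execute on files in the content trees) can be applied and audited from PowerShell. The script below is an added example written for this page, not code from the post or from any product named on it. It assumes a dedicated content volume W:, content roots W:\wwwroot and W:\ftproot, and the NT 4 anonymous-account naming IUSR_<machine>; all three are parameters so they can be changed. Run it elevated on a test system; with -Audit it only reports.

```powershell
# Added example (not from the mailing-list post): apply and audit the NTFS
# permission model described above. Assumptions, all labelled: content lives
# on a dedicated volume W:, the public roots are W:\wwwroot and W:\ftproot,
# and the IIS anonymous account is IUSR_<machine>. -Audit changes nothing.
param(
    [string]   $Volume   = 'W:\',                            # assumption: dedicated content volume
    [string[]] $WebRoots = @('W:\wwwroot', 'W:\ftproot'),    # assumption: public content trees
    [string]   $AnonUser = "IUSR_$env:COMPUTERNAME",         # assumption: IIS anonymous account name
    [switch]   $Audit                                        # report only, never call Set-Acl
)

$Both  = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$Dirs  = [System.Security.AccessControl.InheritanceFlags]::ContainerInherit
$Files = [System.Security.AccessControl.InheritanceFlags]::ObjectInherit

function New-AllowRule {
    param([string]$Identity, [string]$Rights,
          [System.Security.AccessControl.InheritanceFlags]$Inherit,
          [System.Security.AccessControl.PropagationFlags]$Propagate = 'None')
    $ctorArgs = @($Identity, [System.Security.AccessControl.FileSystemRights]$Rights, $Inherit, $Propagate,
                  [System.Security.AccessControl.AccessControlType]::Allow)
    New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule -ArgumentList $ctorArgs
}

# Break inheritance, drop every explicit ACE, then grant only what the post lists:
# Administrators and SYSTEM full control, CREATOR OWNER "add & read" (inherit-only).
function Get-LockedDownAcl {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)             # protect DACL, discard inherited ACEs
    foreach ($ace in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($ace)
    }
    $acl.AddAccessRule((New-AllowRule 'BUILTIN\Administrators' 'FullControl' $Both))
    $acl.AddAccessRule((New-AllowRule 'NT AUTHORITY\SYSTEM'     'FullControl' $Both))
    # "add & read": read plus the right to create files/folders; CREATOR OWNER is always inherit-only
    $acl.AddAccessRule((New-AllowRule 'CREATOR OWNER' 'ReadAndExecute, CreateFiles, CreateDirectories' $Both 'InheritOnly'))
    return $acl
}

# Public trees: the anonymous account gets read on directories, read/execute on files only.
function Get-WebRootAcl {
    param([string]$Path, [string]$Anon)
    $acl = Get-LockedDownAcl -Path $Path
    $acl.AddAccessRule((New-AllowRule $Anon 'Read'           $Dirs))                 # this folder and subfolders
    $acl.AddAccessRule((New-AllowRule $Anon 'ReadAndExecute' $Files 'InheritOnly'))  # files beneath it
    return $acl
}

# Audit: unbroken inheritance, broad built-in groups, and any write/modify right for the anonymous account.
function Test-WebAcl {
    param([string]$Path, [string]$Anon)
    $acl = Get-Acl -Path $Path
    $findings = @()
    if (-not $acl.AreAccessRulesProtected) { $findings += "$Path still inherits ACEs from its parent" }
    $writeBits = [System.Security.AccessControl.FileSystemRights]'Write, Delete, ChangePermissions, TakeOwnership'
    foreach ($ace in $acl.Access) {
        $id = $ace.IdentityReference.Value
        if ($id -in 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users') {
            $findings += "$Path grants $($ace.FileSystemRights) to $id"
        }
        if ($id -eq $Anon -and ([int]($ace.FileSystemRights -band $writeBits) -ne 0)) {
            $findings += "$Path grants write/modify rights to $Anon"
        }
    }
    return $findings
}

if (-not $Audit) {
    foreach ($root in $WebRoots) {
        if (-not (Test-Path $root)) { New-Item -ItemType Directory -Path $root | Out-Null }
    }
    Set-Acl -Path $Volume -AclObject (Get-LockedDownAcl -Path $Volume)
    foreach ($root in $WebRoots) { Set-Acl -Path $root -AclObject (Get-WebRootAcl -Path $root -Anon $AnonUser) }
}
foreach ($target in (@($Volume) + $WebRoots)) {
    $f = Test-WebAcl -Path $target -Anon $AnonUser
    if ($f.Count -eq 0) { "OK       $target" } else { $f | ForEach-Object { "FINDING  $_" } }
}
```

The audit deliberately treats any write-class right for the anonymous account as a finding, because the point of the post's layout is that the account IIS runs requests under can read the content volume but never change it; the operating-system volume is not touched by this script at all, which is the separation the post relies on.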
______________________________ Reply Separator _________________________________
Subject: Re: Securing NT Web servers
Author: mcnabb @ com (Paul McNabb) at Internet
Date: 6/25/97 10:50 AM
> Date: Tue, 24 Jun 1997 14:44:39 -0700
> From: "Alberto U. Begliomini" <aub @
> I am looking for documentation, articles, and papers on how to make
> an NT Web server, sitting on the perimeter network of a firewall, secure.
> Also I am looking for tools on NT whose Unix equivalents are Tripwire,
> Cops, Swatch, etc.
> Basically, I would like to know how people make an NT server as secure as
> a Unix server can be made, and which kind of tools are used to notify
> the system administrators in case an attacker breaks in.
> Any help is greatly appreciated.
> Thanks --Alberto
We've been using our Decaf product, which allows you to make any file,
directory, device, or "directory tree" either read-only or inaccessible to
any process you want. This condition is inherited by all the children of
any such process, and is true no matter what the UID is (i.e., it applies
to root the same as to other users).
The bad news is that our Solaris 2.4, 2.5.1, and 2.6 (yes, we have the
2.6 source here) are done, but our NT version is still in production
for release this summer. I'll let you know when it's available.
We've used it on the http daemon, inetd, and other network daemons. We've
also been using it on login shells to make some users run restricted even
if they should somehow know root's password or manage to break out of a
setuid root program into a program of their choosing.
Currently you can't use Decaf to limit access to a port number or to a
network address or to an interface, so it can't do everything you are
looking for, but our customers seem pretty happy about it. Decaf is
currently being used to protect webservers, firewalls, and network servers.
I think some people on this list have downloaded it from our webpage,
but I don't recall seeing any comments about it, either pro or con.
Any flames anyone?
Also, check with the COAST guys at Purdue. I was over there a few months
ago to do a colloquium for Gene Spafford's security group. Gene took me
around to show me what they are doing and he mentioned some of the NT
technology they are working on. They seem to be emphasizing the intruder
detection aspects of security, and by now they may have what you are
Paul McNabb, Vice President and CTO
Argus Systems Group, Inc.
com
1809 Woodfield Drive, Savoy, IL 61874 USA
FAX 217-355-1433
"Securing the Future"