Security
- How do I enable auditing?
- How do I view/clear the security log?
- Where can I get more information on the Event Viewer?
- Where can I get information on NT security problems?
- How can I restore the default permissions to the NT structure?
- How can I copy files and keep their security and permissions?
- How do I enable auditing on certain files/directories?
- How do I use the System Key functionality of Service Pack 3?
- How do I remove the System Key functionality of Service Pack 3?
- How can I configure the system to stop when the security log is full?
- How can I clear the pagefile at shutdown?
- How do I enable strong password filtering?
- How do I set what happens during a crash?
- How can I configure the system to automatically reboot in the event of a crash?
- How do I enable auditing on the SAM?
- How can I enable strong protection on shared system objects?
- How can I restrict access to objects from Anonymous accounts?
- How do I enable SMB signing?
- How do I disable LanManager challenge/response in NT?
- How can I check the security of my passwords?
- A description of Permissions in NT.
- How can I restrict guest access to Event logs?
- How can I enable auditing of base objects?
- How can I configure my system to be C2 compliant?
- How can I enforce an Internet access control policy?
- What does System Key actually protect my passwords from?
- What is a SID (Security ID)?
- What security mailing lists exist for keeping up to date?
Q. How do I enable auditing?
A. Logon as the Administrator (or a member of the Administrators group) and perform the following
- From the Start Menu, Programs, Administrative Tools and start User Manager
- From the Policies menu, select Audit
- Enable the events you want to Audit and click OK
- Exit User Manager
It is also possible to configure auditing on a file/directory. Right click on the file/directory, select properties, and select the security tab and then select auditing.
Q. How do I view/clear the security log?
A. Logon as the Administrator (or a member of the Administrators group) and perform the following
- From the Start Menu, Programs, Administrative Tools and start Event Viewer
- From the Log menu, select Security
- Double click any entry for more information
- Close the individual event information window
- To clear, select Log and clear all events. It will ask if you want to save the info, click No.
- It will prompt again if you are sure, click Yes
- Close Event Viewer
In Windows 2000 start the Event Viewer MMC snap-in (Start - Programs - Administrative Tools - Event Viewer, or via Computer Manager). Right click on the Security Log and you can clear from the context menu.
Q. Where can I get more information on the Event Viewer?
A. See http://www.heysoft.de/ for more information
Q. Where can I get information on NT security problems?
A. There are various sites:
Q. How can I restore the default permissions to the NT structure?
A. Follow the procedure below:
- Logon as administrator.
- The built-in SYSTEM account needs access to the Windows NT default directories and subdirectories. To get this access, do the following:
- In File Manager use Security/Permissions to grant the SYSTEM account FULL CONTROL to the root directory of the NTFS volume that contains Windows NT.
- Next, select the option to Replace Permissions on Subdirectories, which gives SYSTEM access to the entire volume.
- Start Registry Editor (Regedit.exe)
- Go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SessionManager
- Double-click the value BootExecute.
- Under BootExecute, you may find a few entries, such as:
autocheck autochk *
After any entries, add on a separate line:
setacl /a \DosDevices\<systemdrive>:\<winnt_root>\System32\winperms.txt \DosDevices\<systemdrive>:
Here <systemdrive> is the drive that Windows NT is installed on and <winnt_root> is the Windows NT root directory on that drive.
- Save changes by clicking OK.
- Exit the registry editor and restart the computer.
- On restart, the system will set security on the system files to the norm
The procedure above only works on an NT 3.51 system. On an NT 4.0 system you require the Windows NT Resource Kit Supplement 2 (on Windows 2000, the standard resource kit) and should perform the following
- Logon as an Account that has "Backup files and folders" privilege
- Run the FIXACLS.EXE utility (Start - run - fixacls)
- Click the Continue button
- Click OK when completed.
FIXACLS in NT 4.0 sets the permissions to the values defined in %SYSTEMROOT%\INF\PERMS.INF. Therefore, access to this file is also required to run FIXACLS.
Q. How can I copy files and keep their security and permissions?
A. By default when you copy files from one NTFS partition to another, the files inherit their protections from the parent directory. It is possible to copy the files and keep their settings using the SCOPY program that comes with the NT resource kit. SCOPY can copy owner and security audit information:
SCOPY c:\savilltech\secure.dat d:\temp\ /o /a
would copy the owner and auditing information. You can also use /s to copy information in subdirectories.
The restriction for this command is that both the origin and target drives must be NTFS or the command will fail.
Q. How do I enable auditing on certain files/directories?
A. Auditing is only available on NTFS volumes. Follow the instructions below:
- Start Explorer
- Right click on the file/directory you want to audit, and from the context menu select properties
- Select the Security tab and click Auditing
- If you have selected a directory, check the "replace auditing on subdirectories"
- Click the Add button and add the user(s) who you wish to audit by selecting and clicking Add. When finished adding users, click OK
- Select the events you wish to audit and then click OK
You must ensure that File access auditing is enabled (Start - Programs - Administrative Tools - User Manager - Policies - Audit).
These events can then be viewed using the Event Viewer (Start - Programs - Administrative Tools - Event Viewer - Log - Security)
Q. How do I use the System Key functionality of Service Pack 3?
A. Service Pack 3 introduced a new feature in NT that increases the security of the SAM database. This is done by introducing a new key, used in one of 3 modes
- A secure key generated by the system which is used to encrypt the SAM which is stored on the local hard disk
- A secure key generated by the system which is stored on a floppy disk which has to be placed in the computer at bootup
- A password given by the user is used to encrypt the SAM and has to be entered on bootup
To generate the system key you use syskey.exe, however be warned: once you activate the encryption you cannot turn it off without performing a system recovery using an ERD produced before syskey was enabled. To enable encryption perform the following
- Make sure Service Pack 3 is installed
- Log on to the system as a member of the Administrators group (only administrators can run syskey.exe)
- Create a new ERD (rdisk /s) and store somewhere safe and label the disk "Pre System Key ERD"
- Run the System Key generation utility (Start - Run - syskey.exe)
- A dialog box will be displayed with encryption disabled. Select Encryption enabled and click OK
- Click OK to the warning dialog box
- Select which of the 3 encryption modes you require, if password enter a password and then enter again for verification. If you choose stored on floppy disk you will be prompted to insert a disk and then click OK.
- Click OK and a success message will be displayed, click OK
- You now need to reboot the machine
- Once rebooted you should create a new ERD (rdisk /s)
Once rebooted, if you chose the password mode a dialog box is displayed when the GUI phase of NT starts; enter the password you gave and click OK, after which you can log on as normal. If you chose the floppy disk mode you will be prompted to insert the disk and then click OK.
Although you cannot remove the system key, you can change the mode by running syskey.exe and clicking Update. You will be asked to either enter the existing password or insert the system key floppy if changing from one of these modes.
For more information see Q143475 at http://support.microsoft.com/support/kb/articles/q143/4/75.asp
Q. How do I remove the System Key functionality of Service Pack 3?
A. As stated in the previous FAQ there is no simple remove function; however, if you restore the SAM from an ERD taken before the system key was enabled, the feature is removed from the system.
- Boot off of the NT installation disks
- After disk 2 press R for repair
- Deselect everything except "Inspect registry files" and select continue
- Continue as per normal, inserting disk 3 and then the ERD (the one created before syskey was run)
- Once completed reboot and you should no longer have the system key in use
Q. How can I configure the system to stop when the security log is full?
A. To avoid security log entries being lost you can configure the system to halt if the security log becomes full, so that only Administrators can log on; they can then archive and purge the log.
- Start the registry editor (regedit.exe)
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- If CrashOnAuditFail exists then skip to step 4, if not from the Edit menu select New - DWORD value and enter a name of CrashOnAuditFail. Click OK
- Double click on CrashOnAuditFail and set to either:
1 - Stop if the audit log is full
2 - This is set by the operating system just before the system crashes due to a full audit log. When set to 2 only the administrator can logon.
- Close the registry editor
When this happens the OS will display a BSOD.
Q. How can I clear the pagefile at shutdown?
A. As you will be aware the pagefile contains areas of memory that were swapped out to disk. In a secure environment you may want this pagefile cleared when the machine is shut down, as parts of memory containing passwords or other sensitive information may have been paged out to it.
- Start the registry editor (regedit.exe)
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management
- If the value ClearPageFileAtShutdown does not exist, from the Edit menu select New - DWORD value and enter a name of ClearPageFileAtShutdown
- Double click on ClearPageFileAtShutdown and set to 1
- Reboot the machine and next time you shutdown the pagefile will be cleared
Q. How do I enable strong password filtering?
A. Windows NT 4.0 Service Pack 2 introduced a new password filter, passfilt.dll, which implements the following new restrictions
- Passwords must be at least 6 characters long
- Passwords must meet at least 3 of the following criteria
- Uppercase letters A-Z
- Lowercase letters a-z
- Number(s) 0-9
- Non-alphanumeric character (e.g. !, etc.)
- Password may not contain your user name or any part of your full name
To enable this functionality perform the following on all PDCs (and stand-alone machines if used). You do not need to install this on BDCs, however you should in case a BDC is promoted to PDC.
- Start the registry editor (regedt32.exe, do not use regedit.exe)
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- Double click on "Notification Packages"
- Add PASSFILT on a new line (there may be a FPNWCLNT so you should add this after this value). Click OK
- Close the registry editor
- Reboot the machine
It should be noted you will still be able to set passwords in User Manager that do not meet the criteria, this is by design as direct SAM updates are not filtered.
Q. How do I set what happens during a crash?
A. By default a crash dump file will be produced but there are two other items that can be configured.
The first option is to enter a log entry in the system log. This can be set using the Startup/Shutdown tab of the system control panel applet in NT 4.0 and the "Startup and Recovery" button under the Advanced tab of the system control panel applet in NT 5.0 by checking the "Write an event to the system log".
This can also be achieved by setting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\LogEvent to 1.
The other option is to send an Administrative alert (you need the Alerter service to be running to enable this option). Again using the same dialog as before, check "Send an administrative alert".
This can also be achieved by setting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\SendAlert to 1.
Q. How can I configure the system to automatically reboot in the event of a crash?
A. This can be set using the Startup/Shutdown tab of the system control panel applet in NT 4.0 and the "Startup and Recovery" button under the Advanced tab of the system control panel applet in NT 5.0 by checking the "Automatically reboot".
This can also be achieved by setting the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl\AutoReboot to 1.
Q. How do I enable auditing on the SAM?
A. It is possible to audit any failed or successful access to the SAM by the few accounts that have the ability to access it, e.g. Administrators. This can be done as follows:
- First ensure auditing is enabled on the system using User Manager - Policies menu - Audit. Select the "Audit These Events". Choose the objects to audit and click OK.
- Next make sure the Scheduler service is running on the machine, either via the Services Control Panel applet (Start - Settings - Control Panel - Services) or by typing "net start" and looking for "Scheduler". If it is not running you can start it by typing
C:\> net start schedule
- At the command prompt (cmd.exe) type
C:\> at <time> /interactive "regedt32.exe"
where <time> is a minute in the future.
- At the time entered Regedt32.exe will be started, running under the internal System account. This allows access to areas normally inaccessible.
- Select the HKEY_LOCAL_MACHINE window
- Select the SAM key and from the Security menu select Auditing
- Click the Add button and on the displayed dialog (which will show groups) click the 'Show Users' button.
- Add the following:
- SYSTEM
- Domain Admins
- Administrator
- Backup Operators
and any other accounts with the following:
- Take ownership of files or other objects
- Back up files and directories
- Manage auditing and security log
- Restore files and directories
- Add workstations to domain
- Replace a process level token
Click OK
- Check the "Audit Permissions on Existing Subkeys" box
- Set Success and Failure for
- Query Value
- Set Value
- Write DAC
- Read Control
- Click OK. Click Yes to the dialog that asks if you want to audit all existing subkeys in the SAM.
- You should now repeat steps 6 to 11, this time on the Security key.
- Close the registry editor
- Stop the Schedule service if you only started it for this task
C:\> net stop schedule
Auditing the Security key is optional but without it only password keys will be audited. Setting auditing on the Security key will allow you to track other security relevant changes to the system.
You will now see entries in the Security log via Event Viewer.
Q. How can I enable strong protection on shared system objects?
A. It is possible to tighten security on shared system resource attributes, such as the attributes of COM1: or of printers. By tightening base security, these shared resources will be administered only by system administrators.
To enable this perform the following:
- Start the registry editor (regedit.exe)
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager
- From the Edit menu select New - DWORD value and enter a name of ProtectionMode if it does not already exist
- Double click the value and set to 1. Click OK
- Reboot the computer
After performing this change you should update your Emergency Repair Disk using RDISK.EXE.
Q. How can I restrict access to objects from Anonymous accounts?
A. It is possible to restrict the ability to list domain user names and enumerate share names available to anonymous logon users (also known as NULL session connections). If you feel this is a security risk Service Pack 3 for Windows NT 4.0 introduces a new option to stop anonymous users listing users and shares.
To enable this perform the following:
- Start the registry editor (regedit.exe)
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- From the Edit menu select New - DWORD value and enter a name of RestrictAnonymous if it does not already exist
- Double click the value and set to 1. Click OK
- Reboot the computer
After performing this change you should update your Emergency Repair Disk using RDISK.EXE.
Q. How do I enable SMB signing?
A. Windows NT 4.0 Service Pack 3 provides an updated version of the Server Message Block (SMB) authentication protocol, also known as the Common Internet File System (CIFS) file sharing protocol.
When SMB signing is enabled on both the client and the server, SMB sessions are authenticated between the machines on a packet by packet basis. This carries a performance hit of 10 to 15% as every packet's signature has to be verified.
To enable SMB signing on the NT Server perform the following:
- Start the Registry Editor (Regedit.exe)
- Move to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters
- From the Edit menu select New - DWORD value
- Add the following two values EnableSecuritySignature and RequireSecuritySignature if they do not exist.
- You should set to 0 for disable (the default) or 1 to enable. Enabling EnableSecuritySignature means if the client also has SMB signing enabled then that is the preferred communication method, but setting RequireSecuritySignature to enabled means SMB signing MUST be used and so if the client is not SMB signature enabled then communication will fail
- Close the registry editor
- Shut down and restart Windows NT.
By default a Workstation with SP3 or above is SMB signing enabled but to manually enable:
- Start the Registry Editor (regedit.exe)
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters
- From the Edit menu select New - DWORD value
- Add the following two values EnableSecuritySignature and RequireSecuritySignature if they do not exist.
- Enabling EnableSecuritySignature means if the server also has SMB signing enabled then that is the preferred communication method, but setting RequireSecuritySignature to enabled means SMB signing MUST be used and so if the server is not SMB signature enabled then communication will fail
- Close the registry editor
- Shut down and restart Windows NT.
If you have set RequireSecuritySignature then any clients that do not support SMB signing will fail to communicate, including logons, and you may receive the error:
"Invalid user name or password..."
If you get this then check the workstation is SMB signing enabled.
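To see how the four values interact before you set RequireSecuritySignature, here is an added model (not code from the FAQ or from Microsoft) that predicts the outcome of a connection for each combination of the client and server settings. It assumes that a side set to require signing also behaves as if signing were enabled, and that a failed negotiation is what surfaces as the logon error quoted above.

```python
def smb_signing_outcome(server, client):
    """Predict what happens when an SMB client connects to a server, given the
    two DWORDs the FAQ describes on each side (0 or 1). Returns "signed",
    "unsigned" or "fail". Assumption: a side with RequireSecuritySignature=1
    behaves as if EnableSecuritySignature were also 1."""
    def flags(side):
        enable = bool(side.get("EnableSecuritySignature", 0))
        require = bool(side.get("RequireSecuritySignature", 0))
        return enable or require, require

    s_enable, s_require = flags(server)
    c_enable, c_require = flags(client)
    if s_require and not c_enable:
        return "fail"        # server insists, client cannot sign: logon fails
    if c_require and not s_enable:
        return "fail"        # client insists, server cannot sign
    if s_enable and c_enable:
        return "signed"      # both willing: signing is the preferred method
    return "unsigned"        # nobody insists and at least one side cannot sign


def negotiation_table():
    """Enumerate all 16 combinations of the two values on each side as
    (srv_enable, srv_require, cli_enable, cli_require, outcome) tuples."""
    settings = [{"EnableSecuritySignature": e, "RequireSecuritySignature": r}
                for e in (0, 1) for r in (0, 1)]
    rows = []
    for server in settings:
        for client in settings:
            rows.append((server["EnableSecuritySignature"],
                         server["RequireSecuritySignature"],
                         client["EnableSecuritySignature"],
                         client["RequireSecuritySignature"],
                         smb_signing_outcome(server, client)))
    return rows


if __name__ == "__main__":
    print("srvEn srvReq cliEn cliReq -> outcome")
    for row in negotiation_table():
        print("  %d     %d      %d     %d    -> %s" % row)
```

The table makes the rollout order visible: every "fail" row has RequireSecuritySignature set on one side while the other side has neither value set, so enabling (not requiring) signing everywhere first, and requiring it only once every client is confirmed enabled, avoids the logon failures.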
Q. How do I disable LanManager challenge/response in NT?
A. Windows NT Servers with Service Pack 4 and above support three authentication types:
- LanManager (LM) challenge/response
- Windows NT challenge/response (also known as NTLM challenge/response)
- Windows NT challenge/response Version 2.0 (also known as NTLM2)
By default when a client connects to a server both the LM and NTLM responses are sent in case the server does not support NTLM; however LM is far weaker than NTLM, so you may wish to disable LM for security reasons.
Editing the registry key described below allows the client to select which authentication it will use, but if NTLM2 is selected ensure SP4 is applied to all servers. The setting below is required on the clients and servers, so you may wish to automate it via a logon script or policy
- Start the registry editor
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- From the edit menu select New - DWORD value
- Enter a name of LMCompatibilityLevel and press Enter
- Double click the new value and set to one of the following
0 - Send LM response and NTLM response; never use NTLMv2 session security
1 - Use NTLMv2 session security if negotiated
2 - Send NTLM response only
3 - Send NTLMv2 response only
4 - DC refuses LM responses
5 - DC refuses LM and NTLM responses (accepts only NTLMv2)
- Close the registry editor
- Reboot the machine
For more information on deploying see http://support.microsoft.com/support/kb/articles/q147/7/06.asp
Q. How can I check the security of my passwords?
A. Microsoft has a strong password filter that can force users to use passwords that are not easily guessable; more details can be found under 'Q. How do I enable strong password filtering?'.
If you want to test all your users' passwords an excellent utility is L0phtcrack, which will try to ascertain your passwords.
L0phtcrack allows NT Administrators & Information Security Engineers to quickly evaluate the security of users passwords. L0phtcrack supports traditional dictionary attacks, hybrid dictionary attacks, and fullblown exhaustive keyspace attacks (user definable).
L0phtcrack can gather NT password hashes through a number of ways, including the registry, SAM files, or even by monitoring SMB network activity.
L0phtcrack has recently won the InfoWorld Golden Guardian award and has been recommended by Microsoft.
L0phtcrack can be downloaded from http://www.l0pht.com/l0phtcrack/, can be used free for 15 days, and is very simple to use once installed.
Once you start the utility you can either load a SAM file (from the %systemroot%\system32\config directory, though not from your current installation as the files are locked) or dump passwords from the registry by selecting "Dump Passwords from Registry" from the Tools menu and selecting the computer, e.g. a domain controller or the local machine. To dump from the registry you must be an Administrator on the machine whose registry you are dumping.
After importing the information from a source you will have a list of usernames and the hash values of the passwords, selecting 'Run Crack' from the Tools menu will then start the attack on the passwords.

Notice the easy passwords were found quickly and it is starting to guess the more complex ones, only a matter of time.
The idea of running this is to find people who are using weak passwords and force them to change it, a good start is to use the strong password filtering which will FORCE users to use complex passwords and always make sure to have a minimum password length of 8 characters (set in User Manager - Policies - Account). This helps, but can give a person a false sense of security. For example, if the password requirement is just alphanumeric, a password like "N0ts3cur3" would be guessed rather quickly with a hybrid dictionary attack so you should still audit passwords regularly.
One reader of the FAQ has pointed out 8 characters is not the best number, as an 8 character password consists of basically one 7 character password and a one letter password (the last character) which will be guessed almost instantly and may give a clue to the first seven characters. Many times, we've guessed the first half of the password based off of the 8th, 9th, and 10th characters. (i.e. ???????werty is either 123456qwerty or qwertyqwerty)
"When users are forced to use special characters, 9 out of 10 times, the user will put the special character at the end of the password. In an 8 character minimum password, the eighth character becomes the symbol, and the first seven are letters and numbers. The seven characters are cracked with L0pht crack in 24 hours or less. Thus, an 8 character password (even with a special character at the end) may either be cracked in 24 hours, or give up enough info to guess the first half (yes - a lot of assumptions here - but this theory has held up over 30,000 times). I'd like us to reset the industry line of thought on NT passwords and suggest that the strongest password policies are those that require seven characters (instead of 6 or 8). Also, the strongest passwords are those that are either 7 or 14 characters exactly, with at least one special character in each half (with very few exceptions - note Paul Ashton's 7 character or less pwd attack). Given that users will write down pwds that are 14 characters in length, 7 becomes the next best choice. I believe Dave Leblanc, InfoWorld, and some folks at Microsoft will agree that exactly 7 characters is a recommended length."
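An added example (not the FAQ's, passfilt.dll's or L0phtcrack's code) that implements the passfilt.dll rules from 'Q. How do I enable strong password filtering?' and then shows the point made above: a password such as N0ts3cur3 satisfies every rule yet reduces to a dictionary word once common symbol-for-letter substitutions are undone, which is exactly what a hybrid dictionary attack exploits. The wordlist and the substitution table are constructed for the demo, and treating "any part of your full name" as the whitespace-separated tokens of three or more characters is an assumption about the filter's behaviour.

```python
import re

# Constructed sample wordlist standing in for the dictionary a hybrid attack
# would use; a real audit would load a full wordlist file.
SAMPLE_WORDLIST = {"password", "notsecure", "qwerty", "welcome", "letmein"}

# Symbol-for-letter substitutions undone before the dictionary lookup.
# Assumption: an illustrative set, not the exact rules of any cracking tool.
LEET_MAP = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a",
                          "5": "s", "@": "a", "$": "s"})


def passfilt_ok(password, username, fullname):
    """Apply the passfilt.dll rules listed in the FAQ: at least 6 characters,
    at least 3 of the 4 character classes, and no occurrence of the user name
    or any part of the full name. Returns (ok, reasons)."""
    reasons = []
    if len(password) < 6:
        reasons.append("shorter than 6 characters")
    classes = (
        bool(re.search(r"[A-Z]", password)),
        bool(re.search(r"[a-z]", password)),
        bool(re.search(r"[0-9]", password)),
        bool(re.search(r"[^A-Za-z0-9]", password)),
    )
    if sum(classes) < 3:
        reasons.append("only %d of 4 character classes" % sum(classes))
    lowered = password.lower()
    if username and username.lower() in lowered:
        reasons.append("contains the user name")
    # Assumption: "any part of your full name" means each whitespace-separated
    # token of the full name; one- and two-letter tokens are ignored.
    for part in fullname.split():
        if len(part) >= 3 and part.lower() in lowered:
            reasons.append("contains part of the full name (%s)" % part)
    return (not reasons, reasons)


def hybrid_dictionary_hit(password, wordlist=SAMPLE_WORDLIST):
    """Return the dictionary word the password reduces to once substitutions
    are undone and a trailing run of digits/symbols is stripped, else None.
    Both orders (strip then undo, undo then strip) are tried so that a
    trailing digit that is itself a substitution (the final 3 of N0ts3cur3)
    is not thrown away."""
    low = password.lower()
    strip_suffix = lambda s: re.sub(r"[^a-z]+$", "", s)
    candidates = (strip_suffix(low).translate(LEET_MAP),
                  strip_suffix(low.translate(LEET_MAP)))
    for word in candidates:
        if word in wordlist:
            return word
    return None


def audit_password(password, username, fullname):
    """Combine both checks: a password can pass the filter and still be weak."""
    ok, reasons = passfilt_ok(password, username, fullname)
    hit = hybrid_dictionary_hit(password)
    if hit:
        reasons.append("hybrid dictionary: reduces to %r" % hit)
    return {"passes_filter": ok, "weak": (not ok) or hit is not None, "reasons": reasons}


if __name__ == "__main__":
    for candidate in ("N0ts3cur3", "Smith99!", "Tr0ub4dor&3"):
        print(candidate, audit_password(candidate, "jsmith", "John Smith"))
```

Running it shows N0ts3cur3 passing the filter with no complaints but flagged as weak by the dictionary step, while Smith99! is rejected by the filter itself because it contains part of the full name; this is why the text recommends auditing passwords regularly even with the filter installed.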
A description of Permissions in NT.
The default permissions in NT are loose to provide for easy use (see Microsoft Knowledge Base Article Q148437). To make the system more secure, read "Securing Windows NT Installation" (http://www.microsoft.com/NTServer/Basics/TechPapers/). With a few exceptions, it suggests granting Administrators, Creator/Owner and System Full Control, Everyone Read for all system and program files, and leaving registry permissions alone. But be forewarned: unless you have the luxury of restricting programs to those that have earned the NT logo, be prepared for some hassles if you do it. And, Microsoft missed a few, in particular the need to remove Everyone Read from the system logs, \%systemroot%\system32\config and its contents.
Help topics 'Special Access Directory Permissions' and 'Special Access File Permissions' describe the 6 types of permission in the NT file system. Each can be applied to directories and files on a top-down then individual basis. Windows Explorer may be used (Properties) to apply ownership and permissions to directories and files for small systems.
Under Windows NT, deny access takes precedence over grant access (article Q102608). When NT checks permissions, it does so in one pass, not discriminating between users and groups. As soon as any "deny access" permission is reached, the search is terminated and access to the resource is denied. So, if Everyone No Access is in the list for something, that's exactly what it means. (NT Everyone is not Unix World! The only way to recover from that misconception is for an administrator to forcibly take ownership of the item then amend the permissions.) To give Owner full access and everyone ELSE read-only, grant Creator/Owner Full Control, Users Read; to refuse access to everyone else, simply omit any entry for Users. It is essential to retain System Full Control of all NT system files, unless you enjoy plugging hard drives into other machines to get them working again.
A useful structure for an independent user environment is to create a directory \<username> with permission <username> Full Control, then designate that as the user's root directory. The same permission should be applied to \%systemroot%\System32\Profiles\<username> and all its contents. If users are to maintain their own phone books, Users Read/Write is needed for the \%systemroot%\System32\RAS directory, then <username> Full Control for the <username>.pbk file in it when the user creates it.
Some programs with 16-bit code in them (e.g. WordPerfect 8) require Change permission to the \Temp directory so they can store swap files (to bypass the 16-bit memory limit). Unfortunately, in NT this directory is used for sensitive system files, so real security is not possible if such programs are used.
Legacy programs often assume full access to their system registry entries. Regedt32 (Security) is used to apply permissions to individual registry entries. If you get abnormal behavior of a program, try granting Everyone Full Control to all the keys under the company's name in the Local Machine registry section. (Back up the registry first, of course, for restore if it doesn't work.) For example: WordPerfect 8 announces that ASCII files are an 'unsupported format' unless Users have Full Control of the Corel key and all its subkeys; Storm's EasyPhoto terminates with 'lego not found' unless Users have Full Control of the Storm registry. Most TWAIN systems require Users Change access to \WinNT and all Twain*/Twunk* files in it.
You can get what look like permission or sharing problems if you use the Internet Explorer Connection Wizard to set up Internet connections - Fax enabled can prevent modem access etc. You should delete all IE-generated connections and establish new ones with the NT Dial-up Networking system, not the IE system. Individual account connections should be set up in user phone lists, not the (default) system list, especially if users store their passwords. (This can be forced by granting only Administrator and System access to rasphone.pbk)
Reports on groups, users, ownership and permissions are not available from Microsoft (article Q137848), but are available from others. See http://www.microsoft.com/security/default.asp for links to these and other advanced NT security resources.
Contributed by John Sankey
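The one-pass, deny-wins evaluation described in the contribution above, written out as an added model (not John Sankey's or Microsoft's code) so the three cases it discusses can be checked: Creator/Owner Full Control plus Users Read, the same ACL with the Users entry omitted, and an Everyone No Access entry ahead of the grants. The permission bits, the user and group names and the ACLs are constructed for the demo; resolving the Creator/Owner placeholder to the object's owner is an assumption of the model.

```python
from collections import namedtuple

# Permission bits for the model (constructed; not NT's real ACCESS_MASK values).
READ, WRITE, EXECUTE, DELETE, CHANGE_PERMS, TAKE_OWNERSHIP = (1 << i for i in range(6))
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE | CHANGE_PERMS | TAKE_OWNERSHIP
CHANGE = READ | WRITE | EXECUTE | DELETE

# One access control entry: kind is "allow" or "deny", trustee a user or group
# name, mask the bits it covers. "No Access" in the NT editor is a deny of everything.
Ace = namedtuple("Ace", "kind trustee mask")


def access_check(acl, token, requested, owner=None):
    """Single ordered pass over the ACL, as the text describes. token is the
    set of names the caller carries (user plus groups, including Everyone).
    The first applicable deny ACE that touches a still-outstanding bit ends
    the check with a denial; allow ACEs accumulate until every requested bit
    is covered. Assumption: the Creator/Owner placeholder resolves to `owner`."""
    remaining = requested
    for ace in acl:
        trustee = owner if ace.trustee == "Creator/Owner" else ace.trustee
        if trustee not in token:
            continue
        if ace.kind == "deny":
            if ace.mask & remaining:
                return False, "denied by No Access entry for %s" % ace.trustee
        elif ace.kind == "allow":
            remaining &= ~ace.mask
            if remaining == 0:
                return True, "granted"
    return False, "no entry grants the remaining rights"


def example_checks():
    """Constructed ACLs mirroring the text's advice; returns {case: allowed?}."""
    alice = {"alice", "Users", "Everyone"}
    bob = {"bob", "Users", "Everyone"}
    guest = {"guest", "Everyone"}
    # Owner full access, everyone else read-only
    owner_rw_users_r = [Ace("allow", "Creator/Owner", FULL_CONTROL),
                        Ace("allow", "Users", READ)]
    # Same, but with no entry for Users: everyone else simply gets nothing
    owner_only = [Ace("allow", "Creator/Owner", FULL_CONTROL)]
    # Everyone No Access listed first beats every later grant, owner included
    locked = [Ace("deny", "Everyone", FULL_CONTROL)] + owner_rw_users_r
    return {
        "owner_write": access_check(owner_rw_users_r, alice, WRITE, owner="alice")[0],
        "user_read": access_check(owner_rw_users_r, bob, READ, owner="alice")[0],
        "user_write": access_check(owner_rw_users_r, bob, WRITE, owner="alice")[0],
        "guest_read": access_check(owner_rw_users_r, guest, READ, owner="alice")[0],
        "omitted_users_read": access_check(owner_only, bob, READ, owner="alice")[0],
        "owner_after_no_access": access_check(locked, alice, READ, owner="alice")[0],
    }


if __name__ == "__main__":
    for case, allowed in example_checks().items():
        print("%-22s %s" % (case, "allowed" if allowed else "denied"))
```

The last case is the one the text warns about: once Everyone No Access is in the list, even the owner is denied, and the only way back is to take ownership and rewrite the permissions.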
Q. How can I restrict guest access to Event logs?
A. By default guests and anonymous users can view the event log. This may give away important information, so anonymous/guest access can be disabled as follows:
- Start the registry editor (regedit.exe)
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog
- Move to the subkey Application
- From the Edit menu select New - DWORD value. Enter a name of RestrictGuestAccess. Click OK
- Double click the new value and set to 1
- Repeat steps 4 and 5 for the Security and System sub-keys also.
In fact this is also governed by the registry rights on the corresponding EventLog parameter keys (HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog - Application and System). You can even remove Administrators' rights to read the logs by using the registry rights. Use REGEDT32.EXE to change these rights.
Q. How can I enable auditing of base objects?
A. To enable auditing of base objects perform the following:
- Start the registry editor (regedit.exe)
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- From the Edit menu select New - DWORD value. Enter a name of AuditBaseObjects. Click OK
- Double click the new value and set to 1
You can also turn on full privilege auditing (but this will fill your event log):
- Start the registry editor (regedit.exe)
- Move to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
- From the Edit menu select New - DWORD value. Enter a name of FullPrivilegeAuditing. Click OK
- Double click the new value and set to 1
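Checking that the registry settings from the sections above (CrashOnAuditFail, ClearPageFileAtShutdown, the PASSFILT notification package, ProtectionMode, RestrictAnonymous, server-side SMB signing, LMCompatibilityLevel, RestrictGuestAccess on all three logs and AuditBaseObjects) are actually in place, as an added example rather than anything from the FAQ or from Microsoft: the script parses a REGEDIT4 export (the format NT 4.0's regedit.exe writes from Registry - Export Registry File) and reports each value that is missing or not as recommended. The export embedded below is constructed for the demo, with three settings deliberately wrong; the parser assumes REG_MULTI_SZ values are exported as single-byte hex(7) data, as NT 4.0's regedit does.

```python
import re

# Constructed REGEDIT4 export, not taken from a real machine. PASSFILT is
# deliberately absent from Notification Packages, LMCompatibilityLevel is left
# at 0 and the System log lacks RestrictGuestAccess, so the checker has
# something to report.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"CrashOnAuditFail"=dword:00000001
"RestrictAnonymous"=dword:00000001
"LMCompatibilityLevel"=dword:00000000
"AuditBaseObjects"=dword:00000001
"Notification Packages"=hex(7):46,50,4e,57,43,4c,4e,54,00,00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager]
"ProtectionMode"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
"ClearPageFileAtShutdown"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"EnableSecuritySignature"=dword:00000001
"RequireSecuritySignature"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
"RestrictGuestAccess"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security]
"RestrictGuestAccess"=dword:00000001
'''

LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
SESSION_MANAGER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager"
LANMAN_SERVER = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters"
EVENTLOG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog"


def parse_regedit4(text):
    """Parse a REGEDIT4 export into {key path: {value name: value}} with keys and
    names lower-cased. dword -> int, "..." -> str, hex(7) (REG_MULTI_SZ) -> list
    of str. Assumption: hex(7) bytes are single-byte ANSI. Long hex values that
    regedit continues with a trailing backslash are joined first."""
    text = re.sub(r",\\\r?\n\s*", ",", text)
    tree, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            tree.setdefault(current, {})
            continue
        m = re.match(r'"(.*?)"=(.*)$', line)
        if not m or current is None:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            value = int(data[6:], 16)
        elif data.startswith("hex(7):"):
            raw_bytes = bytes(int(h, 16) for h in data[7:].split(",") if h)
            value = [s.decode("latin-1") for s in raw_bytes.split(b"\x00") if s]
        elif len(data) >= 2 and data[0] == '"' and data[-1] == '"':
            value = data[1:-1]
        else:
            value = data
        tree[current][name] = value
    return tree


def check_hardening(tree):
    """Compare the parsed export against the settings the FAQ recommends and
    return one finding per setting that is missing or not as recommended."""
    findings = []

    def expect(description, key, name, is_ok):
        value = tree.get(key.lower(), {}).get(name.lower())
        if not is_ok(value):
            findings.append("%s: %s\\%s is %r" % (description, key, name, value))

    is_one = lambda v: v == 1
    expect("halt when the security log is full", LSA, "CrashOnAuditFail", is_one)
    expect("block anonymous user/share enumeration", LSA, "RestrictAnonymous", is_one)
    expect("audit base objects", LSA, "AuditBaseObjects", is_one)
    expect("stop sending LM responses (level 2 or higher)", LSA, "LMCompatibilityLevel",
           lambda v: isinstance(v, int) and v >= 2)
    expect("strong password filter loaded", LSA, "Notification Packages",
           lambda v: isinstance(v, list) and "PASSFILT" in [s.upper() for s in v])
    expect("protect shared system objects", SESSION_MANAGER, "ProtectionMode", is_one)
    expect("clear the pagefile at shutdown", SESSION_MANAGER + r"\Memory Management",
           "ClearPageFileAtShutdown", is_one)
    expect("SMB signing enabled on the server", LANMAN_SERVER, "EnableSecuritySignature", is_one)
    for log in ("Application", "Security", "System"):
        expect("guest access to the %s log restricted" % log, EVENTLOG + "\\" + log,
               "RestrictGuestAccess", is_one)
    return findings


if __name__ == "__main__":
    for finding in check_hardening(parse_regedit4(SAMPLE_EXPORT)):
        print("NOT AS RECOMMENDED:", finding)
```

To run it against a real machine, export the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet branch with regedit.exe and pass the file's contents to parse_regedit4 in place of SAMPLE_EXPORT; the checker only reads the export, so it can be run on any workstation rather than on the server itself.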
Q. How can I configure my system to be C2 compliant?
A. The National Computer Security Center (NCSC) is the United States government agency responsible for performing software product security evaluations. These evaluations are carried out against a set of requirements outlined in the NCSC publication Department of Defense Trusted Computer System Evaluation Criteria, which is commonly referred to as the Orange Book. Windows NT has been successfully evaluated by the NCSC at the C2 level as defined in the Orange Book; however, to confirm your system meets the criteria to be C2 compliant you should use the C2CONFIG.EXE utility supplied with the Windows NT/Windows 2000 resource kit.

In the C2CONFIG display, double clicking on an open lock will result in the program offering to resolve the issue, for example disabling the OS/2 subsystem.
Q. How can I enforce an Internet access control policy?
A. If you wish to ensure that web browsing during company time is strictly for business use, you would have to install a product that can enforce this policy. There are two ways of doing this:
- Installing a proxy server with content control feature
- Installing a network monitor/scanner with content control feature.
If you use option 1, you will need to reconfigure all your users' browsers. Additionally, you could suffer a performance penalty. If you already use a proxy server such as Microsoft Proxy Server, you do not need to reconfigure, and you can purchase add-on modules that do content checking.
Option 2 requires no network reconfiguration and can block all types of internet traffic. Examples of such products are:
- Languard (www.languard.com)
- Surfcontrol (www.surfcontrol.com)
- Littlebrother (www.littlebrother.com)
Q. What does System Key actually protect my passwords from?
A. System Key enables stronger encryption of account passwords stored in the registry in the SAM (Security Account Manager) database. With System Key installed the passwords have enhanced encryption in the SAM. Note that this applies only to the passwords and not, for example, to the user name.
When System Key encryption has been enabled, backups of the SAM database will also be encrypted: for example on backup tapes, in RDISK output and in %systemroot%\repair, all of which are often used to crack passwords.
System Key is used to make the decrypting or cracking of your passwords from the SAM more difficult and time consuming. Crackers such as L0pht Crack, John the Ripper and Crack 5 with NT Extensions are often used to break NT password hashes. These use dictionary and brute force techniques. L0pht Crack now uses a form of intelligent brute forcing, which is the next generation of crackers.
- System Key prevents SAM dumping with the tool built into L0pht Crack 2.5.
- System Key prevents SAM dumping with the tool pwdump.
- System Key does not stop SAM dumping with the tool pwdump2 which uses DLL injection techniques different to pwdump.
- System Key does not prevent password cracking or decryption.
- System Key reuses the keystream used to perform some of the encryption. This significantly reduces the strength of the protection it provides by enabling a well-known cryptanalytic attack to be used against it. Todd Sabin from Bindview (www.bindview.com), the author of pwdump2, discovered this exploit in December 1999.
- System Key still increases the time and complexity to crack password hashes.
Note: pwdump and pwdump2 require administrator access to be used.
System Key affects the following system components:
- %systemroot%\system32\config\sam (HKEY_LOCAL_MACHINE\SAM)
- %systemroot%\system32\config\security (HKEY_LOCAL_MACHINE\Security)
- three system security component files: Winlogon.exe, Samsrv.dll and Samlib.dll
Also see Q. How do I use the System Key functionality of Service Pack 3? for installing System Key.
For more information on System Key see Q143475 at http://support.microsoft.com/support/kb/articles/q143/4/75.asp
For information on the "System Key Keystream Reuse" Vulnerability and patch see http://www.microsoft.com/security/bulletins/ms99-056.asp
Contributed by Nathan House
Q. What is a SID (Security ID)?
A. SID stands for Security Identifier and is used within NT/2000 as a value that uniquely identifies an object such as a user or a group. The SID assigned to a user becomes part of the access token, which is then attached to any action attempted or process executed by that user or group. If a duplicate SID did exist, all users with this SID would be seen by the authentication mechanism as the same user. It is possible for cloned machines to have the same SID, which the authentication mechanism would treat as the same machine. Under normal operation the SID will be unique and will identify an individual object such as a user, group or machine.
A SID contains:
- User and group security descriptors
- 48-bit ID authority
- Revision level
- Variable sub-authority values
For example: S-1-5-21-917267712-1342860078-1792151419-500
Below is a list of the values for SIDs on a default NT 4 installation.
Notice the unique value 500 for Administrator and 501 for Guest.
- Built-In Users
DOMAINNAME\ADMINISTRATOR
S-1-5-21-917267712-1342860078-1792151419-500 (=0x1F4)
DOMAINNAME\GUEST
S-1-5-21-917267712-1342860078-1792151419-501 (=0x1F5)
- Built-In Global Groups
DOMAINNAME\DOMAIN ADMINS
S-1-5-21-917267712-1342860078-1792151419-512 (=0x200)
DOMAINNAME\DOMAIN USERS
S-1-5-21-917267712-1342860078-1792151419-513 (=0x201)
DOMAINNAME\DOMAIN GUESTS
S-1-5-21-917267712-1342860078-1792151419-514 (=0x202)
- Built-In Local Groups
BUILTIN\ADMINISTRATORS S-1-5-32-544 (=0x220)
BUILTIN\USERS S-1-5-32-545 (=0x221)
BUILTIN\GUESTS S-1-5-32-546 (=0x222)
BUILTIN\ACCOUNT OPERATORS S-1-5-32-548 (=0x224)
BUILTIN\SERVER OPERATORS S-1-5-32-549 (=0x225)
BUILTIN\PRINT OPERATORS S-1-5-32-550 (=0x226)
BUILTIN\BACKUP OPERATORS S-1-5-32-551 (=0x227)
BUILTIN\REPLICATOR S-1-5-32-552 (=0x228)
- Special Groups
\CREATOR OWNER S-1-3-0
\EVERYONE S-1-1-0
NT AUTHORITY\NETWORK S-1-5-2
NT AUTHORITY\INTERACTIVE S-1-5-4
NT AUTHORITY\SYSTEM S-1-5-18
NT AUTHORITY\authenticated users S-1-5-11 *
* For Windows NT 4.0 Service Pack 3 and later only
These values can be displayed by using the utility Getsid.exe from the Windows NT Resource Kit.
C:\>getsid \\MACHINE ACCOUNT \\MACHINE ACCOUNT
The SID for account MACHINE\ ACCOUNT matches account MACHINE\ ACCOUNT
The SID for account MACHINE\ ACCOUNT is
S-1-5-21-1271857391-537538043-240200450-4294967295
The SID for account MACHINE\ ACCOUNT is
S-1-5-21-1271857391-537538043-240200450-4294967295
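The SID layout described above, as an added example that is not part of the FAQ and not a Microsoft tool: a small Python parser that splits a textual SID into its revision, 48-bit identifier authority and 32-bit sub-authorities, labels the well-known values from the list above (including the hexadecimal RID shown in brackets), and compares the domain/machine part of two account SIDs, which is the check behind the duplicate-SID problem on cloned machines. The account and group names come from the list above; the function and class names are my own.

```python
"""Parse and label Windows security identifiers (SIDs).

Added example (not from the FAQ or from Microsoft tooling). A SID of the
form S-R-IA-SA1-...-SAn is split into its revision (R), 48-bit identifier
authority (IA) and 32-bit sub-authorities; the last sub-authority (the RID)
is looked up against the well-known values listed in the FAQ.
"""
import re
from dataclasses import dataclass

# Textual SID: "S-" revision "-" identifier authority, then zero or more "-subauthority".
_SID_RE = re.compile(r"^S-(\d+)-(\d+)((?:-\d+)*)$")

# RIDs of the default domain accounts and global groups (from the list above).
DOMAIN_RIDS = {
    500: "Administrator",
    501: "Guest",
    512: "Domain Admins",
    513: "Domain Users",
    514: "Domain Guests",
}

# RIDs under the BUILTIN domain S-1-5-32 (local groups).
BUILTIN_RIDS = {
    544: "Administrators",
    545: "Users",
    546: "Guests",
    548: "Account Operators",
    549: "Server Operators",
    550: "Print Operators",
    551: "Backup Operators",
    552: "Replicator",
}

# Special groups whose SIDs are the same on every machine.
WELL_KNOWN_SIDS = {
    "S-1-3-0": "CREATOR OWNER",
    "S-1-1-0": "Everyone",
    "S-1-5-2": "NT AUTHORITY\\NETWORK",
    "S-1-5-4": "NT AUTHORITY\\INTERACTIVE",
    "S-1-5-11": "NT AUTHORITY\\Authenticated Users",
    "S-1-5-18": "NT AUTHORITY\\SYSTEM",
}


@dataclass(frozen=True)
class Sid:
    revision: int
    identifier_authority: int
    sub_authorities: tuple

    def __str__(self):
        parts = [str(self.revision), str(self.identifier_authority)]
        parts += [str(s) for s in self.sub_authorities]
        return "S-" + "-".join(parts)

    @property
    def rid(self):
        """Relative identifier: the last sub-authority, or None if there is none."""
        return self.sub_authorities[-1] if self.sub_authorities else None

    @property
    def domain_sid(self):
        """Machine/domain part of an account SID (S-1-5-21-x-y-z), or None."""
        if (self.identifier_authority == 5
                and len(self.sub_authorities) == 5
                and self.sub_authorities[0] == 21):
            return Sid(self.revision, 5, self.sub_authorities[:4])
        return None


def parse_sid(text):
    """Parse a textual SID, enforcing the field widths: revision 1,
    identifier authority at most 48 bits, each sub-authority at most 32 bits."""
    m = _SID_RE.match(text.strip())
    if not m:
        raise ValueError("not a SID: %r" % text)
    revision = int(m.group(1))
    authority = int(m.group(2))
    subs = tuple(int(s) for s in m.group(3).split("-") if s)
    if revision != 1:
        raise ValueError("unsupported SID revision %d" % revision)
    if authority >= 1 << 48:
        raise ValueError("identifier authority exceeds 48 bits")
    if len(subs) > 15 or any(s >= 1 << 32 for s in subs):
        raise ValueError("sub-authority count or width out of range")
    return Sid(revision, authority, subs)


def describe(text):
    """Label a SID using the well-known values from the FAQ's list."""
    sid = parse_sid(text)
    key = str(sid)
    if key in WELL_KNOWN_SIDS:
        return "Well-known: " + WELL_KNOWN_SIDS[key]
    rid = sid.rid
    if sid.identifier_authority == 5 and sid.sub_authorities[:1] == (32,) and rid in BUILTIN_RIDS:
        return "Built-in local group: %s (RID %d = 0x%X)" % (BUILTIN_RIDS[rid], rid, rid)
    if sid.domain_sid is not None:
        name = DOMAIN_RIDS.get(rid, "unknown account")
        return "Domain account %s: %s (RID %d = 0x%X)" % (sid.domain_sid, name, rid, rid)
    return "Unrecognised SID " + key


def same_machine(text_a, text_b):
    """True if two account SIDs share the same machine/domain SID, which is
    what makes accounts on cloned machines look identical to authentication."""
    a, b = parse_sid(text_a).domain_sid, parse_sid(text_b).domain_sid
    return a is not None and a == b


if __name__ == "__main__":
    for s in ("S-1-5-21-917267712-1342860078-1792151419-500", "S-1-5-32-544",
              "S-1-5-18", "S-1-5-21-1271857391-537538043-240200450-4294967295"):
        print(s, "->", describe(s))
```

The width checks in parse_sid are what distinguish a syntactically plausible string from a SID the system could actually have issued: the getsid output above ends in RID 4294967295, which is exactly the largest 32-bit value, so it parses, while one more would be rejected.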
For more information, see Q. How can I tell which User has which SID? and Q. What are the problems with workstations having the same SID?
For other information, see
http://support.microsoft.com/support/kb/articles/Q163/8/46.asp
For information on extracting the SID from an ACE see
http://support.microsoft.com/support/kb/articles/q102/1/01.asp
For information on how to associate a Username with a Security Identifier (SID) see
http://support.microsoft.com/support/kb/articles/Q154/5/99.asp
Contributed by Nathan House
Q. What security mailing lists exist for keeping up to date?
A. Mailing lists will help keep you up to date with all the latest bugs, exploits and information on security. Hackers like to keep up to date with this information, so maybe you should too. If you have an interest in and a need for security I personally do recommend joining mailing lists, but do be prepared for the amount of mail you will receive. Digest versions of mailing lists are also available, which send only the general highlights from a given period of time. Below are two of the most popular mailing lists for NT security.
- NTBugtraq
NTBugtraq is a mailing list for the discussion of security exploits and
security bugs in Windows NT and its related applications.
To join, send e-mail to listserv@listserv.ntbugtraq.com and, in the text of your message (not the subject line), write:
subscribe ntbugtraq
To remove, send e-mail to listserv@listserv.ntbugtraq.com and, in the text of your message (not the subject line), write:
unsubscribe ntbugtraq
- NT Security
To join, send e-mail to majordomo@iss.net and, in the text of your message (not the subject line), write:
subscribe ntsecurity
To remove, send e-mail to majordomo@iss.net and, in the text of your message (not the subject line), write:
unsubscribe ntsecurity
NT Security Mailing List is a moderated mailing list discussing Windows NT
security as well as the Windows 95 and Windows For Work Group security
issues. The issues discussed will be everything at the host and application
level security as well as at the network level.
Below is a list of some of the other well-known and popular security related
mailing lists:
GENERAL SECURITY MAILING LISTS
Alert
Best of Security
Bugtraq
COAST Security Archive
Computer Privacy Digest (CPD)
Computer Underground Digest (CuD)
Cypherpunks
Cypherpunks-Announce
European Firewalls
Firewalls
Intruder Detection Systems Infsec-L
NTBugtraq
NT Security
Phrack
PRIVACY Forum
Risks
SAS (French Speaking Firewalls)
S-HTTP
Sneakers
Secure Socket Layer - Talk
UNINFSEC - University Info Security Forum
Virus
Virus Alert
WWW Security
SECURITY PRODUCTS
SOS Freestone Firewall package
Tiger
TIS Firewall Toolkit
VENDORS AND ORGANISATIONS
CERT
CIAC
HP
Sun
See http://xforce.iss.net/maillists/ for more information on security mailing lists and how to join them.
Also see www.sans.org which has information and a mailing list.
