NT Security - Frequently Asked Questions version 0.41

0.0 Information related to this FAQ

The official home for this FAQ is currently The Royal Institute of Technology, http://www.it.kth.se/~rom/ntsec.html

It will probably move to Incolumitas future WWW-server, whenever we feel that there is a web server that is secure enough and we got the time to set it up.

0.1 Legaleeze

First off, unfortunately, I must include this goobedygook.

This text is not an endorsement for any product.

Nor is it a cookbook to be used by crackers to gain access to Windows NT systems. The text tries to shed some light at security related issues and problems with Windows NT. Microsoft, and more especially, their technical writers and sales forces, often leave out several key words and key information when describing Windows NT.

The document is mainly a collection of pointers to other information already available, if you know where to look.

I am in no way affiliated with Microsoft

All trademarks, etc. are honored. Microsoft probably is the biggest holder of trademarks in this document. To keep them happy and their lawyers unhappy, I'll include extra blurb for them here. Microsoft is the keeper of the following trademarks, amongst others, e.g. product names:

Microsoft, Windows, Windows NT, MSN, the Microsoft Network

All included material are copyrighted by their respective owners/copyright holders.

This compilation is copyrighted material. Copyright © 1996, 1997 Robert Malmgren. You are hereby granted a permission to use the material for non-commercial purposes as long as you keep this copyright message, not pretend that you wrote the material and give me and/or the other contributors proper credits.

0.2 Conventions used in this document

Links to all kind of protected pages where you have to be a member of some exclusive club of any sort, such as the Microsoft MSDN Online, is denoted with three dollar signs. Example: $$$: Exclusive Members Only

0.3 Current version and updating information

The current version number of the FAQ is 0.41 The FAQ was last updated 29th of October 1997.

Please submit contributions and requests for updates to the current maintainers (ntsec@incolumitas.se) of the FAQ.

0.4 Changes

Version 0.41, Oct 29, 1997 Changes to

1.1 fixed broken link
2.1.10 correction of inital password
2.2.1 fixed broken link
2.2.5 clarification
2.8.4 added link
2.13.1 clarification of SAM encryption
2.14 added general info
2.14.1 added reference to lsadump

Version 0.40, Oct 9, 1997

Major changes to the whole document.

Version 0.39, Feb 19, 1997

Added 3.1.7 The NetBIOS Auditing Tool
Updated 2.6 and 2.6.3 to include references to _*H's paper on attacks and problems with CIFS/SMB

Version 0.38, Feb 16, 1997

Added 3.2.5 TIS Gauntlet firewall
Added 3.5.3 Shade file/disk encryption
Added 3.6.2 Steel-belt RADIUS server for Windows NT
Added 4.1.2 on the NTBugTraq mailing list
Added 4.2.8 NT Shop's NT Security pages

Version 0.37, Jan 24, 1997

Added 2.5.9 on the Denial-of-Service attack on RPC
Renumbered 1.3.1 to 1.4.1 and added a 1.4

Version 0.36, Jan 11, 1997

Added 2.3.1 on HKEY_LOCAL_MACHINE
Fixed some spelling errors

Version 0.35, Jan 4, 1997

Added 1.3.1 on ntsecurity@iss.net

Version 0.34, 1997-Jan-01

Started to add URLs as text, not only as links. Makes the FAQ more useful when used in a printed form.
Added more links to paragraph 1.2, 1.3
Changed 0.1, 0.5, 2.0.1, 2.0.2, 2.0.3, 2.4.2, 2.6.1
Changed 2.7.1 to include the "GET ../.." bug
Changed 0.4 to hyper link all listed changes to the changed paragraphs.
Added 2.0.4, 2.0.5, 2.0.6, 2.1.4, 3.3.4

Version 0.33, 1996-Dec-24

Changes to 5.0

Version 0.32, 1996-Nov-09

Changes to 2.5.8

Version 0.31, 1996-Nov-08

Updated all sections that contain links to Microsofts Knowledge Base. Since Microsoft have changed their file structure and naturally the links that points to the articles, we have to follow it. Please report broken links to the maintainer.

Version 0.30, 1996-Nov-07

Added 0.4, 3.6

Version 0.29, 1996-Nov-07

Changed 1.1
Added 2.1.2, 2.0.3, 2.2.3, 2.6.7

0.5 Credits

Posters to the NT-security mailing list <ntsecurity-request@iss.net>.All texts posted to the list is included by kind permissions of their respective author.
People who have gotten texts included in this FAQ are
Dan Shearer <itudps@lux.levels.unisa.edu.au>
David LeBlanc <dleblanc@iss.net>
Larry Buickel <larry@austin.ibm.com>
Mikko Hermanni Hyppönen <Mikko.Hypponen@DataFellows.com>
Patrik Carlsson <patrik@netman.se>
Paul Ashton <paul@argo.demon.co.uk>
Carl Byington <carl@five-ten-sg.com>
Ondrej Holas <oholas@digi-trade.cz>

1.0 Definitions and general security issues

1.1 Orange book, red book and C2 security

The so called orange book is part of the DoD "rainbow" series of books. The official name is Department of Defense Trusted Computer System Evaluation Criteria. There is another book, a red one, which is a "interpretation" of the Orange Book. The NCSC has published a number of different interpretations of the TCSEC. These interpretations clarify Orange Book requirements with respect to specific system components. The formal name of the red book is the NCSC's Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria. It is an interpretation of Orange Book security requirements as they would be applied to the networking component of a secure system. The Red Book does not change the original requirements, it simply describes how a network system should operate in order to meet Orange Book requirements for a C2 secure system.

Microsoft had a certain version of Windows NT, with a specific configuration, on a specific hardware platform evaluated by NSA. The outcome was that that specific setup is considered C2 compliant and the NSA guys from the National Computer Security Center, NCSC, also wrote a report entitled the NSA?s Final Evaluation Report on Microsoft. Inc.: Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3. National Computer Security Center, 23 June 1995.

The people at National Computer Security Center have an online description of the Microsoft NT evaluation, (http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html) including information on what type of hardware was used during the test. They have an general page on evaluation ,http://www.radium.ncsc.mil/tpep, and a frequently asked question, FAQ, area (http://www.radium.ncsc.mil/tpep/process/faq.html).

The evaluation was just according to the orange book, not the red book. Microsoft has since them continued the evaluation process to also match the red book (i.e. networking parts) criterias, but this is not yet finalized.

To have a C2 compliant setup, you must amongst other things have

Identification and Authentication mechanisms
Discretionary Access Control mechanisms
Auditing
Object Reuse

In practice, it also means that you have to

Turn off networking completely (since NT is just evaluated to the orange book, not the red)
Disable floppy disk
Change the standard file system permissions to be more restrictive
Change a lot of permissions in the registry

That leaves you a not so usable client-server system. There is a tool that come with the resource kit called c2config that you might use to harden your system to a C2 level. You might also want to see Microsoft's web page entitled What is C2 Evaluation? Microsoft Sets the Record Straight (http://www.microsoft.com/syspro/technet/boes/winnt/nt351/c2bltn.htm).

There is an on-line html version (http://www.pinsight.com:80/~royg/security/dod/rainbow.html) available of the rainbow series books that you might want to check out. Microsoft has a blurb that describes the characteristics of a secure system - C2 and beyond (http://www.microsoft.com/ntserver/c2char.htm).

There is a paper on a new information technology security standard called common criteria (http://csrc.ncsl.nist.gov/nistpubs/cc) that is available on-line. It is a proposed ISO-standard.

1.2 Crypto

Cryptography is one of the foundations for much of the new computer security mechanisms. It provides protection from interception of clear text data including: passwords, network packets, and storage (DASD and RAM). Crypto techniques are also used for checksums, integrity control, etc.

The following links might be useful to read up on crypto issues:

RSA has a neat FAQ on crypto issues (http://www.rsa.com/rsalabs/newfaq) you might want to look at.
Consensus has a FAQ on the Secure Socket Layer, SSL (http://www.consensus.com/security/ssl-talk-faq.html)
U.S Navy has a nice page called Introduction to cryptographic standards
Helsinki University have a number of nice web pages such as
- International Cryptographics Software Pages for Encryption, Decryption, Cryptanalysis, Steganography and related methods (http://www.cs.hut.fi/ssh/crypto)
- A neat introduction to cryptography (http://www.cs.hut.fi/ssh/crypto/intro.html)
- A collection of pointers to crypto software (http://www.cs.hut.fi/crypto/software.html)
A list of Public Key Infrastructure References with pointers to resources on the net
The U.S. Army crypto manual is available on-line (ftp://hubert.wustl.edu/pub/armycryp.zip)
You might want to check out my collection of famous or interesting people in the history of cryptography

1.3 Where do I get generic security information?

You might want to check out some places on the net and subscribe to some mailing lists.

Check out the following web pages:

The Computer Emergency Response Team, CERT (http://www.cert.org)
U.S. DOE Computer Incident Advisory Capability, CIAC (http://ciac.llnl.gov)
Forum of Incident Response Teams, FIRST, (http://www.first.org/first)
Telstra's security pages (http://www.telstra.com.au/info/security.html)
COAST home page (http://www.cs.purdue.edu/coast/coast.html)

Recommended mailing lists

CERT advisories <cert-advisory-request@cert.org>
Best-of-Security (BoS) <best-of-security-request@suburbia.au>
BugTraq <listserv@netspace.org> send a subscribe bugtraq in the message body.

Check out the Security Mailing lists FAQ for more information on what lists that is available.

2.0 Questions and answers on NT security

2.0.1 How do I contact Microsoft on security issues?

Microsoft have a mail alias which everyone can use to send questions, alerts, bug reports, etc. According to Microsoft, members from development teams participate on an internal mail exploder. The mail address is secure@microsoft.com Get their PGP-keys here (http://www.microsoft.com/security/pgpkeys.txt). For information on PGP, see the PGP-section in this FAQ.

2.1 Security model

2.1.1 Where do I get patches, or, what is a Service Pack or a Hot Fix?

Microsoft have an on-line database, called the software library, with program fixes for both the NT operating system as well as applications. In Microsoft lingo a patch or program fix is called service pack (SP). There are a number of service packs out, both for different versions of Windows NT as well as applications such as SNA server.

Service packs are cumulative. This means that SP2 contains all of SP1 as well as the fixes introduced in SP2. Service packs often update a great amount of code by replacing major DLLs. Since most large applications (such as back office and development components) bring their own versions of "system" DLLs, service packs has to be applied after each and every "system update", where the term "system update" is not clearly defined. Any action that replaces any component updated by a service pack or hotfix has to be followed by applying latest SP and all hotfixes. Remember that adding hardware often install new software, which may have to be updated by SP and/or hotfix.

Hot fixes are intermediate fixes released between service packs and are not considered fully regression tested, and as such not recommended by Microsoft to be applied unless one really need the feature they provide. Lately, a bunch of security problems have been solved by means of releasing hot fixes.

Another thing on the subject is language or locale. If you are running a non US version of NT, you will not be able to apply all of the hotfixes. Some of them are not language dependent, while others refuse to install on anything else but a US version. If you have the option to do so, run US version of NT at least on your servers. By doing so, you will have the option of installing a hot fix dealing with a security problem immediately when it's released and not have to wait for the next SP to appear. Not to mention that you'd have to wait for the next SP to be ported to your language, which of course may take a while, the time depending on what language you are using.

If you cannot, or do not want to, download software like this from the net, you can contact your local Microsoft representant and ask them about the service pack you need.

Visit Microsofts library of service packs or go directly to their FTP server.

2.1.2 What is impersonation?

Impersonation is the ability of a thread to execute in a security context other than from that of the process that owns the thread. This enables a server to act on behalf of a client to access its own objects.

For more information, see

Microsofts article on impersonation
The different levels of impersonation

2.1.3 What is a SID (Security ID)?

SID stands for Security Identifier and is an internal value used to uniquely identify a user or a group.

A SID contain

User and group security descriptors
48-bit ID authority
Revision level
Variable subauthority values

For more information, see

$$$: Well-Known SIDs (http://premium.microsoft.com/msdn/library/sdkdoc/accctrl_416b.htm)
$$$: SID Components (http://premium.microsoft.com/msdn/library/sdkdoc/accctrl_26wj.htm)

2.1.4 What are privileges (user rights)?

A privilege is used to control access to a service or object more strictly than is normal with discretionary access control.

For more information, see

Microsofts article on Privileges (http://www.microsoft.com/msdn/sdk/platforms/doc/sdk/win32/sys/src/security_15.htm)

2.1.5 What is an ACE (Access Control Entry)?

Access-Control Entries that is used to build Access-Control Lists (ACLs).

Each ACE contains the following information:

A SID, that identifies the trustee. A trustee can be a user account, group account, or a logon account for a program such as a Windows NT service.
An access mask specifying access rights controlled by the ACE.
Flags that indicates the type of ACE and flags that determine whether other objects or containers can inherit the ACE from the primary object to which the ACL is attached.

For more information, see

Microsofts article on Access-Control Entries, ACEs (http://www.microsoft.com/msdn/sdk/platforms/doc/sdk/win32/sys/src/security_10.htm)

2.1.6 What is an ACL (Access Control List)?

An ACL is a list of ACEs.

For more information, see

Microsofts article on Access-Control Lists, ACLs (http://www.microsoft.com/msdn/sdk/platforms/doc/sdk/win32/sys/src/security_9.htm)

2.1.7 What is SRM (Security Reference Monitor)?

The Security Reference Monitor is the kernel mode component that does the actual access validation, as well as audit generation.

2.1.8 What is LSA (Local Security Authority)?

LSA stands for Local Security Authority. This is an internal subsystem (as opposed to an environmental ditto, such as Win32) within Windows NT that "generates access tokens [...], manages the local security policy, and provides interactive user authentication services" (from "Windows NT resource guide", ISBN 1-55615-653-7).

2.1.9 What is SAM (Security Account Manager)?

SAM stands for Security Account Manager and is the one who maintains the security database, stored in the registry under HKLM\SAM. It serves the Local Security Authority (LSA) with SIDs. The SAM maintains the user account database.

2.1.10 What is a secure channel?

There is some confusion on this point when you consult the Microsoft sources on the subject. Ever since MS discovered the Internet, a secure channel is any point-to-point network connection established between a client and a server that "provides privacy, integrity, and authentication" (see $$$: Microsoft Internet Security Framework: Answers to Frequently Asked Questions ).

"Before Internet", a secure channel was (and still is) the magic connection between WNT computers in a domain. This kind of channel is used for transportation of sensitive data, such as user credentials during a domain logon and replication of the account database between DCs.

The secure channel is established as soon as the domain member machine is booted and is based on a shared secret that is used as the key for encrypting the data that travels through the channel. Each domain member has a machine account defined in the domain SAM database that is created when the machine joins the domain. The password of this account is used as the shared secret for encryption of the channel. The member machine stores it in the registry, where it can be retrieved using the lsadump program by Paul Ashton <paul@argo.demon.co.uk>.

A problem with this is that the initial password (on a WS account) is poorly chosen (unicode(machine-name)). This means that anybody that can listen in to the network at the time of a domain join will be able to calculate the session key used to encrypt the channel, and by this can get hold of the user credentials of anybody doing a network logon from that particular machine. The password is changed as soon as the machine is rebooted after joining the domain and then periodically changed every 7:th day, but the new password is communicated through -- guess what -- the now not so secure channel, so as long as the listener keeps his ear on the wire, he will have the session key. No known solution, but the algorithm for encrypting the new password is not published (yet).

2.1.11 How does the logon process work?

See

Q122422: Example of a Remote Logon with Windows NT Server (http://www.microsoft.com/kb/articles/q122/4/22.htm)
Q102716: User Authentication with Windows NT (http://www.microsoft.com/kb/articles/Q102/7/16.htm)

2.1.12 What is an access token?

Each process has an associated access token which is used by the system to verify whether the process should be granted access to a particular object or not. The access token consists of a user SID, a list of group SIDs representing the groups the user belongs to, and a list of user rights (privileges) the user is blessed with.

2.1.13 What about passwords?

See 2.14

2.2 Host security

In general, any computer that is not physically secured is not fully secured. If anyone is able to get access to the machine, it is possible to boot it from a diskette, CD-ROM or just steal the hard disk and use it in another computer.

2.2.1 Are there any NT based viruses, or can NT be susceptible for other viruses?

Symantec has a nice web page called Understanding Virus Behavior in the Windows NT Environment. (http://www.symantec.com/avcenter/reference/vbnt.html)

Some types of viruses, such as those written in a high-level language such as Java, MS Word scripting language, Excel macros, etc, will be able to perform some tricks on a NT machine as well.

According to DR Solomon, the MS Word based concept virus spread widely in part because several companies, including Microsoft, have shipped CD-ROMs containing the virus.

Windows NT machines can be affected by other types of viruses if you use, for example, dual boot to run some other type of operating system on the same hardware, e.g. OS/2, UNIX or other version of Windows. When using a coexisting, bootable operating system, if you have a virus in effect that destroy the boot sector or something like that, your NT partition will probably be destroyed as well.

Mikko Hermanni Hyppönen <Mikko.Hypponen@DataFellows.com> pointed out that

"many old DOS viruses work fine in a DOS box under NT. Most old boot viruses will prevent NT from booting and might give a 'inaccessible boot device' error. " Since Windows NT machines are used as file servers for other systems, such as MS-DOS, Windows 3.X and other clients, there are a number of NT-based anti-virus programs. Some of them are

Sophos SWEEP for Windows NT (http://sophos.com/Marketing/ntgui.html)
WinGuard from DR Solomon (http://www.drsolomon.com)
Symantec's Norton Antivirus for NT (http://www.symantec.com/nav/fs_nav20nt.html)
Datafellows F-PROT (http://www.datafellows.com)

Windows NT is susceptible of application based macro viruses. A well-known example of this is word based macro viruses.

For more information,

visit Microsoft information page on macro viruses called Macro Virus Protection Tool Information Page (www.microsoft.com/word/freestuff/mvtool/virusinfo.htm)
NCSA Virus Lab alerts and hoaxes

2.2.2 How do I get my computer C2-level secure, or, what is c2config?

On the CD-ROM that is included in the NT Resource Kit, there is a program called c2config that can be used for tighten the security of a NT based computer.

Be aware, that c2config will not work well on systems with localized environment, e.g. a german NT that uses ACLs in german, not in english.

See also Microsoft's web page entitled What is C2 Evaluation? Microsoft Sets the Record Straight (http://www.microsoft.com/syspro/technet/boes/winnt/nt351/c2bltn.htm).

2.2.3 Are there any known problems with the screen saver / screen lock program?

Yes. In version 3.5 and 3.51, if the administrator decide to kick a user off, then the admin has a small time window to see the content of the users current screen and desktop.

See article Q130932 in the Knowledge Base.

Another problem is that a tool from the Resource kit might be (miss-)used to deactivate the screen saver on a remote computer. See article Q142018 on shutdown.exe in the Knowledge Base.

2.2.4 How can I secure my client computers against my users?

One way to make it harder for the local user to do any harm to the system is to have a local PC without any hard disk or floppy disk. To boot, the system will need to talk to a boot server over the network.

Check out Dan Shearer's document on remote boot (ftp://lux.levels.unisa.edu.au/pub/doc/RemoteBoot.txt)

In the case that you do have a hard disk, mandatory profiles is a way of restricting the users access to the computer. A couple of things pointed out by David LeBlanc in a posting to the NT Security mailing list:

Remove the execute right from the inheritance ACL of each directory where the user can create files. This way, any file that the user in one way or another after all managed to create on the disk would be impossible to execute.
If the machine has a mail reader installed on it, make sure that the mailer is configured to not allow running of any executables attached to a mail.

2.2.5 Can my page file hold sensitive data?

It can. Memory pages are swapped or paged to disk when an application needs physical memory. Even though the page file (see Control Panel->System->Performance->Virtual Memory) is not accessible while the system is running, it can be accessed by, for example, booting another OS.

There is a registry key that can be created so that the memory manager clears the page file when the system goes down:

HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\MemoryManagement\ClearPageFileAtShutdown: 1

Note that the clearing of the page file only is done when the system is brought down in a controlled fashion. If the machine is just switched off or brought down in any other brute way, of course no clearing will be performed.

2.3 File system

As shipped from Microsoft, most versions of NT I've ever encountered have had very weird access control list settings on the system files and directories. A lot of files and directories have had "Everyone" with "full control" capabilities. This is true for both NT 3.51 and 4.0.

One way to examine which files that have strange permissions are to use SomarSoft's DumpACL program.

David LeBlanc <dleblanc@iss.net> has written a text on file permission:

Now you apply the "smoke test" - log in as a user, and see what is broken. Some programs insist on being able to write to an .ini file in the system tree - if users can't write to (or create) these files, these programs will fail. Change the permissions as need be. If you go overboard, you can even get a situation where non-admins either can't successfully log in, or get a desktop that is completely blank (I did this, much to my astonishment).

If you want to allow users to store file locally, make sure that they have full rights to their own directories. Note that under NT 4.0, a user's desktop profile, and numerous other things are stored under the system tree - look in %systemroot%\profiles, and make sure each user has full rights to their subdirectory - it should be admin, system, and user have full access.

You'll also want to loosen up the temp directory - a good thing is to give users list access, but creator\owner full access. There may be other directories that need work, depending on what apps you have, and whether they have any notion of multiple users - one example would be the cache directory for your browser.

Since people have a lot of different needs, there is no single answer - it depends on your environment.

Examples of things that might break when one tighten file permission security includes

Various applications
The UNIX line printer client lpr (http://www.microsoft.com/kb/articles/q133/4/88.htm)
The virtual memory (VM) system (http://www.microsoft.com/kb/articles/q130/0/16.htm)
Boot (http://www.microsoft.com/kb/articles/q109/0/76.htm)

Microsoft has an article with IDQ153094 (http://www.microsoft.com/kb/articles/q153/0/94/htm) that describes what to do if you secure some files and change some ACLs that you should not. Fixing Microsofts broken file system permission setup might hang your system real bad and make it un-bootable. Read the article before actually changing your system.

Microsoft has a salesblurb on NTFS that describes it from a security perspective. (http://www.microsoft.com/ntserver/ntfs_mb.htm)

2.3.1 I Just installed a service pack. Why is my file permissions changed?

There are some known instances where service packs have reset permission to the state the permissions where on the first installation.

For examples, see Knowledge Base articles Q108103

2.3.2 Why can users without permissions delete files?

There is a known problem in 3.5, 3.51 and 4.0 versions of NT that users might be able to delete files without permission. Check out Knowledge Base article Q142017 on the subject

2.3.3 Is it possible to read or write data on a NTFS disk from another OS?

Yes. There are at least two different OSes that is capable of this, MS-DOS and Linux.

It is possible to use the NTFSDOS.exe program from MS-DOS to read information of a NTFS formatted disk.

2.4 Registry

As shipped from Microsoft, most versions of NT have very weird access control list settings on the system registry keys. Some registry keys have had permissions that let everyone access and change them over the network.

Dan Shearer <itudps@lux.levels.unisa.edu.au> wrote in message <"ydd1N.0.UA4.0BSJo"@suburbia> dated Sat, 28 Sept 1996 14:05:28 +0930

By default they can _write_ to it too, at least under 3.51 the default permissions gave Everyone write access to quite a few things. The canonical example was (is) the key that determines the association between an application and its extension in file manager. That can be changed by an unpriveliged, even unknown user with access to regedt32 on a connected network. Should the .txt entry be changed to point to:

\\SomeNTorUnixWorkstation\UnprotectedShare\bogus.cmd

where bogus.cmd contains:

net user administrator xxxxx /y
notepad %1 %2 %2 %3 %4 %5

all someone with admin privilege at the console has to do is double-click on a text file and the admin password is changed. Of course this is a pretty basic example because the admin would (hopefully) be suspicious on seeing a dos box pop up. But it is trivial to write a win32 app that both launches notepad and does some malicious trapdoor stuff with the admin privilege it has been given.

This is true for NT 3.51.

David LeBlanc <dleblanc@iss.net> has written some text on the registry

In the registry, I'd go in and remove write permission to Everyone from HKEY_CLASSES_ROOT, and give full access to creator\owner, which is what Microsoft did with NT 4.0 - much more secure. Microsoft has an article in the Knowledge Base, article Q153183 titled How to Restrict Access to NT Registry from a Remote Computer that gives some information on how to fix this very severe security problem.

Playing around with permissions on objects in the registry might damage the system. Check out the article Q139342 Incorrect Permission in Registry Cause Unpredictable Results from the Knowledge Base.

Some applications still uses old .INI-type files for initialization, especially ports of old Windows 3 and MS-DOS programs. Those programs might have vulnerabilities in such way that the file protection are wrong and by that let someone read sensitive data, such as password, or change data.

2.4.1 Why does the HKEY_LOCAL_MACHINE key drop its settings?

The HKEY_LOCAL_MACHINE key is recreated by the system each time the system is booted. This have the effect that changes in the ACLs for this key does not persist over a reboot.

2.4.2 Is the registry accessible over the network?

It depends on the version and role of the computer.

In NT 3.51, the registry is remotely accessible by default.

In NT 4.0, the ACL on the registry key HKLM\CurrentcontrolSet\Control\SecurePipeServers\winreg (DWORD:1) defines who can access the registry remotely. On a NT server, this key exists with permissions set to Administrators:Full Control, but on a workstation there is no such key. The workstation do look for it though, so just create it and set its permissions if this is an issue.

2.4.3 Are there any especially interesting keys to watch?

The following keys are well suited for planting a back door in one way or another. Always ensure the ACLs on these are ok. To keep track of changes or tries to change them, one can set up auditing on the keys as well. See 2.10.5 Auditing .

HKLM\SYSTEM\CCS\Services\LanmanServer\Parameters\NullSession{Shares|Pipes}
This keys lists shares and named pipes that are accessible without logging in to the system, a so called NULL session connection (see 2.7.4 ). One scary aspect of this is that if you by coincident happen to create a share or named pipe which name matches any of the names in these lists, they are accessible from a NULL session connection. Note that the RestrictAnonymous key under Control/LSA mentioned in $$$: Q143474 does not prevent access to resources listed here.
On a fresh NT 4.0, the defaults are:
- Pipes: COMNAP, COMNODE, SQL\QUERY, SPOOLSS, LLSRPC, EPMAPPER, LOCATOR
- Shares: COMCFG, DFS$.
HKLM\SYSTEM\CurrentControlSet\Control\Lsa\Notification Packages
Lists the DLLs that is to be invoked when a user change its password. The perfect point for a password snitcher. See 2.14.2.

Please note that this is not an extensive list. There are more of these, and there is no way of knowing when new ones appear. Any suggestions of things that would fit here is gladly accepted. Contact the current maintainer of this FAQ.

2.5 User security

Users are susceptible to a number of attacks, such as dictionary password guessing. In Windows NT, one way to protect against those types of attacks is to set the number of failed logins before disabling the account temporary or until the system manager manually enables it again.

For more info regarding passwords in Windows NT, see 2.14 Passwords.

David LeBlanc <dleblanc@iss.net> wrote in a mail

As to user rights, I like to go through and make sure Guest is not only disabled, but that it has no rights to anything. Give careful attention to who is allowed to log on from the network and locally. One thing to consider is that the administrator account is on every machine, and can't be locked out from too many bad passwords. A good way around this is to remove the administrator's group from the permissions to log on from the network, and add back in the individual users who are the admins. Now go set it up to audit failed login attempts, lock out users for a few minutes if there are too many login failures, and require a password of decent length - 6 characters is acceptable. This makes brute force attacks very difficult. If you want to prevent other users from accessing the machine remotely, you can also remove the users from the right to log on from the network - that confines the users to having to use the shares on the server. This also prevents anyone not given that right from accessing the event log, the registry, and the shares on the machine. You might also want to pay attention to who can and cannot shut the machine down, and perhaps make it to where you need to log in to shut it down.

2.5.1 Administrator account

Microsoft recommends that you changes the name of the administrator account so that outsiders cannot guess the name.

This is of course just one of the things you can do. But unlike what some Microsoft employees believe, security does not stop there. Just changing name of administrator is to trying to protect yourself by the lowest level of security there is, security by obscurity .

It is possible to obtain the new name of the administrator by using the command

nbtstat -A <ip-address> when the administrator is logged in on the console.

2.5.2 Guest account

As shipped, some older versions of Windows NT had a guest account that was easily used by outsiders. Newer versions of NT have their guest account closed as shipped from Microsoft. Anyway, you should check out your guest account and disable it as much as possible.

Some people remove the guest account from their system, but unfortunately, Microsoft ship some product that relies upon the usage of that account. For example, if you use Microsoft Internet Studio in combination with Microsoft SQL or Microsoft Access running on another computer than the one running Internet Studio.

2.6 Network security

For some background information on Internet and Internet security, see

Windows NT Magazines article Is the Internet a Safe Place to Live?
John Neystadt's article How to Create Internet Site with Windows NT only
Windows NT Internet FAQ

2.6.1 Is NT susceptible to SYN flood attacks?

Yes. To my knowledge, all IP based systems are possible victims for the attack.

According to the article in phrack magazine, volume 48, (http://www.fc.net/phrach/files/p48/p48-13.html) NT have a queue size of 6 outstanding SYN packets. The article will serve as good reading if you want to understand the details of the problem.

Check out

CERTs advisory CA-96.21 for more information about the problem.
3Com's excellent article on the problem. It contain allot of pointers to more information

2.6.2 Is it possible to use packet filters on an NT machine?

NT 4 comes with built-in support for packet filtering. It is a simple but still usable filtering function that the administrator can configure to just let some IP packets reach the actual applications running on the system.

You find configuration panel for the filtering function on "Control Panel->Network->TCP/IP->Services->Advanced->Security"

Be aware that this simple filtering mechanism is not a substitute for a real firewall since it cannot do advanced stuff like protection against ip-spoofing, etc.

2.6.3 What ports must I enable to let NBT (NetBios over TCP/IP) through my firewall

First of all, you should really, really reconsider if this is such a good idea to let NBT traffic through your firewall. Especially if the firewall is between your internal network and Internet.

The problem with NBT is that at once you open it up through the firewall, people will have potential access to all NetBios services, not just a selection of them, such as printing.

The following is a list of the ports used by NBT.

netbios-ns 137/tcp NETBIOS Name Service
netbios-ns 137/udp NETBIOS Name Service
netbios-dgm 138/tcp NETBIOS Datagram Service
netbios-dgm 138/udp NETBIOS Datagram Service
netbios-ssn 139/tcp NETBIOS Session Service
netbios-ssn 139/udp NETBIOS Session Service

For more information, see RFC 1001, RFC 1002 and the list of IANA assigned port numbers

2.6.4 What is Authenticode?

Authenticode is a way to ensure users that code they download from the net has not been tampered with and gives the code an etched in ID of the software publisher. Microsoft is pushing this as a new way of getting better security into software distribution over the net.

For more information, see Microsoft's FAQ on Authenticode

2.6.5 What should I think about when using SNMP?

In other SNMP-enabled machines you can configure both an write and a read community name. On a Windows NT system you can only set one. Not having a community name does not disable the service, as one might expect. According to David LeBlanc, <dleblanc@iss.net>:

If you don't specify a community name, it will answer to anyone.

2.6.6 Is there any known problems with SNA?

Check out item 2.8.8 on Microsoft's SNA

2.6.7 What servers have TCP ports opened on my NT system? Or: Is netstat broken?

Normally, the netstat program should report information on the status of the networking connections, routing information, etc. With the option -A or -a, it should list all TCP and UDP available connections and servers that are accepting connection. On Windows NT, even though the documentation states otherwise, this is not the case.

There are no simple way to check what services that are running with TCP ports opened to accept connections. Currently the only way to get some information about this is to use a port scanner program and test through each TCP port on the NT machine. This is not a fool proof way of dealing with the problem.

This is a serious problem if you plan to have NT based computers in the firewall environment. You cannot easily hardened them to become bastion hosts, since you are not confident what types of network services that might be reachable from the outside.

It is a confirmed bug in Windows NT 3.5, 3.51 and 4.0. I do not expect Microsoft to fix it soon enough.

Update:
netstat.exe is fixed as of NT4 SP3, but it still shows some strange behavior. For example, on a moderately loaded machine, you can find numerous duplicates of open connections. Why is that?

For more information see

Knowledge base articles Q134404 and Q131482
To get more information on TCPs three way handshake and the different states of a TCP connection, see Microsoft's paper TCP Connection States and Netstat Output

2.6.8 What are giant packets? Or, is Windows NT susceptible to the PING attack?

There are mixed reports whether or not NT is vulnerable to this attack. By using ping to send a large packet to certain systems, they might hang or crash.

Windows NT 3.51 seem to be vulnerable to this attack. A knowledge base article, Q132470, describes symptoms in Windows NT 3.51, and also include a pointer to a patch for this problem

Check out Mike Bremford's Ping o' Death web page (http://www.sophist.demon.co.uk/ping) for more information on what systems are vulnerable and how.

Update: The PoD site has moved to http://prospect.epresence.com/ping, which doesn't seem to exist in the DNS for the moment.

There is a PoD II, which utilizes a bug in the way Microsofts IP-stack assembles fragmented IP packets.

See $$$: Q154174 - Invalid ICMP Datagram Fragments Hang Windows NT, Windows95

There is a fix for this, both NT4 and NT3.51, released in July 1997:

NT4 icmp-fix (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/icmp-fix).
NT3.51 icmp-fix (ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT351/hotfixes-postSP5/icmp-fix).

2.6.9 What about the denial-of-service problem with RPC

There exists a problem with the RPC on port 135. This can be misused to launch a denial-of-service attack against a NT system. The example below, which uses the SAMBA package, illustrates how this can be done

$ smbclient -U verylongname -M hostname

Microsoft have issued a fix for this problem ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/RPC-fix.

This fix is included in SP3.

2.6.11 Chargen flooding?

The "Simple TCP/IP Services" service is susceptible to a denial of service attack. See $$$: Q154460.

Microsoft has released a fix for this: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/simptcp-fix.

2.6.12 WINS denial of service?

The WINS server is susceptible to a denial of service attack. See $$$: Q155701.

Microsoft has released a fix for this: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/NT40/hotfixes-postSP3/winsupd-fix.

2.6.13 Dynamic Host Configuration Protocol, DHCP

Security problems with DHCP include, but is not limited to

Fake DHCP-servers
Non-existing logs of who used what IP-address at a certain occasion in past time.

One of the big limitations with DHCP has been the inability to log and keep a historical track of which machine has leased which IP-address in the past. In SP3 Microsoft is said to have added this possibility. (Note: Not verified by FAQ maintainer.)

2.6.14 How do I enumerate all listening named pipes?

Beats me. Any clue? Mail ntsec@incolumitas.se

Same goes for RPC servers.

2.6.15 What is the OOB (Out of Band) attack?

The "OOB attack" is a denial of service attack that utilizes a bug in Microsofts implementation of its IP-stack. Source code for a program called Winnuke that does this was posted to BugTraq in May 1997 by _eci <myst@LIGHT-HOUSE.NET>.

See

There is a fix for this called icmp-fix, see 2.6.8 What are giant packets? Or, is Windows NT susceptible to the PING attack?

2.6.16 How does NT deal with fragmented IP packets?

Prior to NT4 SP3, not too good.

Due to a bug in Microsofts IP implementation, one can fool the stack to reassemble fragmented packets in such ways that it is possible to send arbitrary data to an arbitrary port even when the target machine is protected by a firewall. There are firewalls that prevent this by handling all reassembling before forwarding the complete packet to the target host. It is probably wise to check up your firewall and/or apply SP3 if not done already.

Visit Thomas Lopatic's <thomas@dataprotect.com> page A New Fragmentation Attack (http://www.dataprotect.com/ntfrag/).

2.7 File sharing security

For more information see

2.7.1 What is CIFS?

CIFS stand for Common Internet File System and is a specification for a file sharing protocol. It is based on the Server Message Block protocol, SMB.

There is a mailing list where the designers from Microsoft and the designers of SAMBA and other network file systems discuss CIFS. Check it out on 'listserv@msn.com'. Send the command subscribe CIFS yourname to subscribe. The mailing list is archived at http://microsoft.ease.lsoft.com/archives/cifs.html

For more information see

The protocol specification for Common Internet File System Protocol (CIFS/1.0) (ftp://ietf.cnri.reston.va.us/internet-drafts/draft-heizer-cifs-v1-spec-00.txt) has been submitted to the IETF

2.7.2 Is it possible to turn off the default sharing?

NT by default makes a share for each hard disk or partition. One have to manually disable this behavior.

Patrik Carlsson <patrik@netman.se> gives a solution for the problem in a mail to NT-security mailing list:

If the non-sharing of the default shares is an issue you could probably write som sort of batch or cmd file that runs every time you start the machine and disables the sharing. something like net share c$ /DELETE.

Another way is to create the registry key AutoShareServer or AutoShareWks, depending on the machine role, as a REG_DWORD under HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters and set it to 0. Restart the Server service.

Note that this does not prevent IPC$ to be shared! A safer bet is to stop and disable the Server service altogether if that is an option.

(Note: I have verified this a while ago, but cannot reproduce it on my current installation. Please report any better luck to ntsec@incolumitas.se. BTW, try to search MS for the string "C$", on the web or the MSDN Library CD.)

There is a KB article touching the subject: $$$: Q156365 - Hidden Shares Are No Longer Available After Using System Policy

2.7.3 Are there any known bugs for File sharing?

Yes. Some good security enhancements, include

Enable scope-id
Enable packet signing (available from NT4.0 SP3)

See *Hobbit*'s excellent paper (http://www.avian.org/avian/papers/cifs.txt) on the Common Internet File System, CIFS, and its security problems.

2.7.4 What is a NULL session?

A NULL session connection, also known as Anonymous Logon, is a way of letting a not logged on user to retrieve information such as user names and shares over the network. It is used by applications such as explorer.exe to enumerate shares on remote servers. The sad part is that it lets non-authorized users to do more than that. Particularly interesting is remote registry access, where the NULL session user has the same permissions as built-in group Everyone.

With SP3 for NT4.0 or a fix for NT3.51, a system administrator can restrict the NULL session access, see $$$: Q143474. With this fix, a new well-known SID is defined, named "Authenticated Users", which is Everyone except NULL session connected users. Replacing Everyone in all ACLs on the machine with this Authenticated User would be a good thing. To do this in a controlled fashion, one can use cacls.exe for the file system, but have to rely on some third party product for the registry ACLs. Using explorer.exe/winfile.exe or regedt32.exe will most certainly break the system. The cause for this is that these tools replace the ACL instead of editing it.

2.8 Application and subsystem security

2.8.1 Web server security

There are a number of problems with web servers. Bugs in the server, stupid CGI scripts, erroneous configurations, strange other services (e.g. data base connections) are just a few things that might be used to damage your security.

You might want to look at the WWW Security FAQ to get some general security information on WWW.

If you install an Windows NT machine as a web server or a firewall, you should tighten up the security on that box more that you should do to ordinary machines on your internal network since a machine accessible from the Internet are more vulnerable and more likely to be attacked. Securing the machine gives you a bastion host. Some of the things you should do include

Remove all protocol stacks except TCP/IP, since IP is the only protocol that runs on the Internet
Remove some network bindings
Disable all unnecessary accounts, like guest
Remove share permissions and default shares
Remove network access for everyone (User Manger -> Policies -> User rights, "Access this computer from the network")
Disable unnecessary services (FTP, etc)
Enable audit logging
Track the audit information

Internet Information Server

Check out Andy Baron's bug reports on earlier versions of the Internet Information Server. Microsoft also has some information on this bug as well as suggestions to workaround in Knowledge Base article Q148188.

Microsoft has some information on known vulnerabilities in IIS available in Knowledge Base

Article Q142631 describes a problem where a users might access unwanted directories
Article Q147691 describes a problem where Anonymous Users Have Same Access as Domain Users in IIS

Another bug has been found in IIS servers that will hang or kill the web server. Sending the HTTP command "GET ../.." will hang a IIS version 2.0 server on NT 4. There are conflicting rumors whether this will work on NT 3.51 or not.

Microsoft recommend that you upgrade your IIS server to version 3.0 or the latest available version.

IIS version 2.0 and 3.0 is vulnerable of a denial of service attack using a "CGI request from a browser that contains between 4 and 8 kilobytes of data in the URL" (cited from Q143484 - IIS Services Stop with Large Client Requests).

A fix can be found at ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3/iis-fix/.

Netscape

People have found bugs in Netscape's Communications server on NT as well. Check out this e-mail to the www-security mailing list.

One should definitely be aware of CERTs advisory CA-96.11 that describes the problem with having a perl interpreter accessible over the net.

There is some work going on to get a better situation for people who want to use perl on NT-machines running webs. Check out Softshore's web page on PERL for NT.

Microsoft have some on-line articles on security and web servers. There is articles on

2.8.2 Frontpage

There are an article on the Bug Net Alert that describes some security problems in Frontpage.

There are some texts on Microsoft's web server on Frontpage security

2.8.3 FTP server security

There is known problems with the FTP server that ships with Windows NT. There is another FTP server that comes with the Internet Information Server, IIS, that is supposedly more secure.

As stated elsewhere in this document, logging is not turned on by default. To turn on logging of the FTP server, there are a number of registry key parameters that can be changed. They are located under the following key

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FtpSvc\Parameters

Some of the parameters are LogAnonymous, LogFileAccess, LogNonAnonymous.

See Microsoft's articles on how to turn on

2.8.4 Internet Explorer

Some of the security issues on MSIE:

IE sending away your password hash.
Warning! Following the links below using Internet Explorer may reveal your user name and password. Use a temporary fake account with a dummy password or any other WEB browser.
- Over NetBIOS (http://www.ee.washington.edu/computing/iebug/)
- Over HTTP (http://www.efsl.com/security/ntie/)
  Source code for this one at http://www.argo.demon.co.uk/info/ntie.tar.gz.
Bad Java Virtual Machine in some versions of MSIE: Internet Explorer File Corruption Bug (http://web.mit.edu/twm/www/expbug2/)
Executing applications on browser machine through Powerpoint: Two Options Now Available for Fixing PowerPoint Browsing Security Issue (http://www.microsoft.com/ie/security/?/ie/security/powerpoint.htm)

For more information on Internet Explorer see Microsofts web page "Microsoft Internet Explorer Security Information" (http://www.microsoft.com/security/ieprod.htm).

2.8.5 Rollback.exe

On the NT 4.0 CD-ROM there are a utility called rollback.exe that will corrupt your system if run. It is not intended for end-users, but someone slipped and the tool is now out on many users systems.

Without any sign of warning, rollback.exe will remove all system registry entries, which in turn will leave the system in a state where there are not easy way to recover. One have to grab the emergency repair disk and do a restore from the latest backup.

For more information see

2.8.6 Shutdown.exe

There are a bug in the utility shutdown.exe that are part of the NT Resource Kit. That bug disables the screen saver on a remote machine.

It is confirmed to be a problem on 3.51 systems.

For more information see

BUG: Shutdown.exe Disables Windows NT ScreenSaver

2.8.7 Exchange

There is some information both on Microsoft's web and FTP server as well on some other sites

Hints on how to secure your Exchange server.
Help with Microsoft Exchange Disaster Recovery
There are at least two service packs for Exchange that fixes a number of bugs.
There is an Exchange FAQ with lots of Q &A's. Especially, check out chapter 17 on security.

2.8.8 Microsoft SNA

When installing the complete SNA package, you will get at least three more services, AFTP, NVAlert and NVRunCmd.

AFTP is like its TCP/IP counterpart FTP a tool to transfer files over the net. It might be used for anonymous logins as well.
NVRunCmd is a service that lets someone running the NetView network monitoring tool send ordinary commands over the net that will be executed locally on the Windows NT machine.

Make sure that you have disabled these services if you want to run a more secure setup.

2.8.9 cc:Mail

According to a posting to Bugtraq by Carl Byington <carl@five-ten-sg.com >, default installation of cc:Mail version 8 with an smtp link has some problems:

After installing a cc:Mail release 8 postoffice (and link to smtp) on an NT3.51 machine, I noticed that the nightly reclaim process is scheduled via the standard NT "at" command which runs %systemroot%\~callmnt.bat. This batch file simply runs yet another batch file %systemroot%\~ccmaint.bat. Why do this? Because the second batch file is "hidden", but a simple "attrib" command removes that "protection", and then your master postoffice password is nicely visible. But you might ask, what are the NT security permissions on these batch files? Simply "everyone full control". Oh well, at least I don't need to worry about forgetting that password.

2.8.10 NT Spooler Service

According to a posting to NTBugTraq by Ondøej Holas <OHolas@EXCH.DIGI-TRADE.CZ>, the Spooler Service shipping with Windows NT is susceptible to a denial of service attack:

After connecting to \\server\PIPE\SPOOLSS you can send probably any amount of data to that pipe. Final effect is a memory leak in SPOOLSS.EXE. The worst thing is, by default this connection can be initiated over null-session (setting RestrictAnonymous to 1 has no effect). To disable attack over null-session, you must remove line "SPOOLSS" from HKLM\System\CCS\Services\LanmanServer\Parameters\NullSessionPipes (REG_MULTI_SZ), but after that authenticated users can still fill up server's memory.

2.8.11 ODBC Security

There are several security issues related to ODBC usage

Add hooks
Tracing ODBC connections

Any call with indirections, such as calls to ODBC data sources, are possible to intercept by attaching to pre-made hooks. By tracing ODBC connections, which is a completely legitime thing to do during software development, you can get access to sensitive data, such as user name for the connected database. For more information, see

Microsofts white paper on ODBC security (http://www.microsoft.com/data/odbc/wpapers/odbcsecurity.htm)
Microsofts whitepaper on changing NT registry settings to prevent ODBC tracing

2.9 RAS security

There are a number of things to do to get better security on remote connections

Putting the RAS servers on one or more own interfaces in the firewall
Be sure to turn on auditing for the RAS function
Enable authentication
Enable session encryption
Enable dialback
Specify which hours remote users are allowed

To turn on auditing for RAS, use the regedit utility to set the key

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters\Logging

to 1, then restart RAS.

Microsoft have a generic RAS FAQ entitled Windows NT Remote Access Services - Common Questions and Answers.

2.10 Logging and auditing

By default, all auditing in Windows NT is turned off. You have to manually turn on auditing on whatever object you want audited. First off, you should have a policy for

what to log (user behaviors, changes on files or processes)
for how long to keep the logs
whether or not you should turn on auditing on all your machines, or if you only turn on logging on the servers

Then you should configure the auditing. You should also remember that it is hard to have a good use of auditing (or any use at all), if you don't have good tools and a good suite of policies on how to handle the logs.

You have to remember that cranking up auditing might give you performance degradation. The trick is to find the balance between how much to log without getting problem.

Remember that Windows NT saves the logs locally on disk. If someone can take control over the machine, it is quite likely that the logs might be manipulated as well. A better solution might be to send away the logs to one or more protected, centralized log-servers.

For more information see, Microsofts paper called Auditing, or the Other Side of Security

2.10.1 Is there a syslog function in NT?

No, not out of the box. If you want to have centralized logging for both UNIX and NT machines you can check out Larry Kahn's syslogutils. To get access to it, you have to send an email to an autoresponder, access@kahn.drcoffsite.com, which mail you back information on how to access his FTP server.

Another syslog server is a program called SL4NT by Franz Krainer.

Also, see the section 3.4 Logging products.

2.10.2 Can I move the logs to another partition?

Yes. There is a note on this in the Knowledge Base.

2.10.3 Can I grant access to someone to view or change the logfiles?

Yes you can, but there is an error on the manual on how to do it. Check out Knowledge Base article Q142615 to see why the "Manage auditing and security log" privilege does not work as documented.

2.10.5 Why doesn't all user right enabling actions show up in the log?

Even though auditing of enabled user rights is turned on in the Policy->Auditing dialog in User Manager (for Domains), there is a bunch of user rights that are not logged. One example, which can cause a lot of confusion, is the Backup and Restore user rights. The cause for these to be excluded is that it would generate too much log entries if enabled. A new log entry would be written for each backed up or restored file. Why is that? Couldn't the backup program just take the backup right once and for all and then backup all of the files, then discard the right?

See Securing Windows NT Installation (http://www.microsoft.com/ntserver/info/secure_NT_con.htm#a23) for a full list of privileges excluded from auditing and ways of turning auditing on for these.

2.11 Crypto

2.11.1 What is CryptoAPI

CryptoAPI is a set of encryption APIs that allow developers to develop applications that work securely over non-secure networks, such as the Internet.

CryptoAPI is shipped with NT version 4 and the Internet Explorer 3.0. Version 2.0 of CryptoAPI comes with SP3 for NT4.

To get more information on the CryptoAPI, see

2.11.2 Is strong cryptography available outside the U.S.?

Yes, of course. There is Eric Young's various crypto implementations at ftp://ftp.psy.uq.oz.au/pub/Crypto/ . An RC4 implementation called arcfour can be found in the SSH distribution.

As pointed out by Paul Ashton in a posting to the NT Security list, you can even use the same functions that Microsoft them self uses:

#include <windows.h>
#define rc4crypt SystemFunction032
WINBASEAPI WINAPI rc4crypt();

/* rc4crypt(ustring *data, ustring *key) */
/* Usage: rc4crypt key data */

main(int ac, char *av[])
{
	struct ustring
	{
		DWORD len;
		DWORD maxlen;
		unsigned char *str;
	} data, key;
	int i;
	
	key.len = key.maxlen = strlen(av[1]);
	key.str = av[1];
	data.len = data.maxlen = strlen(av[2]);
	data.str = malloc(data.len + 1);
	strcpy(data.str, av[2]);
	rc4crypt(&data, &key);
	for (i = 0; i < data.len; i++)
		printf("%02x ", data.str[i]);
	printf("\n");
}

Link with advapi32.

Looking at the functions exported by advapi32.dll, you will notice that SystemFunction032() is accompanied with 32 more functions named like that, SystemFunction001 through SystemFunction033. Known today is that they include code for the following:

ECB mode DES for calculating LanMan hashes (see 2.14 Passwords)
RC4 (as mentioned above)
MD4

2.12 E-mail security

2.13 Security related patches

It's always great fun to read the README.TXT's for the service packs. They reveal problems that you weren't aware of directly, but can serve as a clue to other problems you have encountered.

2.13.1 Security enhancements in SP3 for NT 4

See Windows NT 4.0 Service Pack 3 Security Enhancements (http://www.microsoft.com/ntserver/info/secenhance.htm) and

$$$: Q152841 - Windows NT 4.0 Service Pack 3 Readme.txt File (40-bit)

$$$: Q147798 - Windows NT 4.0 Service Pack 3 Readme.txt File (128-bit)

depending on your current browser/proxy location on the globe <sigh>.

Includes things like:

Another obfuscation layer around the SAM database (aka "Strong encryption of password database"). The syskey.exe utility gives the opportunity to encrypt the passwords stored in the registry another round, using a 128-bit key that optionally can be stored on a floppy disk to avoid that it is used by the bad guy to decrypt the data. It has to be stored somewhere though, if the system itself is to validate any logons at all. Most probably, it's not stored on any permanent media but rather in memory, presumably only readable by kernel mode programs. But, of course, even there it could be read if you wrote some code for it (as a device driver for example, or see Run any Ring 0 code from a Win32 application on Windows NT (http://www.sonic.net/~undoc/ntcallgate.html)) and had the power to install it. There is a KB article: Q143475 -Windows NT System Key Permits Strong Encryption of the SAM .
Password filtering. The library passfilt.dll enables some checking of the quality of chosen passwords. It is possible to supply your own version of passfilt.dll. See the following KB articles for more information: $$$: Q161990 - Enable Strong Password Functionality in Windows NT (http://www.microsoft.com/kb/articles/q161/9/90.htm).
Update of CryptoAPI from 1.0 to 2.0
Changes to the default file permissions (ACLs) on the repair and backup directories
Fixes to some denial of service (DoS) attacks
Options to restrict anonymous logon and enumerations
Optional SMB packet signing to prevent forging of packets ( $$$: Q161372 - How to Enable SMB Signing in Windows NT)
Optional restriction on the usage of older authentication protocols which sends authentication data in the non-encrypted form

2.14 Passwords

For starters, do read Alan Ramsbottom's <acr@als.co.uk> excellent NT Cryptographic Password Attacks & Defences FAQ (http://www.ntbugtraq.com/samfaq.htm).

Note that passwords are stored in the registry in two formats, the NT way (MD4) and the old LANman way (three DES encryptions of magic constant using different parts of the password). These are password equivalents in the sense that they are the only thing that is needed for a successfull authentication. This means that you don't have to crack them (using dictionary or brute force) to use them for authentication.

Also, note that the SAM database is backed up to an ordinary file %SystemRoot%\repair\sam._ whenever a repair disk is created with the rdisk.exe program.

2.14.1 Where is the password that I configure a service to start with stored?

From a posting by Paul Ashton <paul@argo.demon.co.uk> on NTBugtraq:

HKLM\SECURITY\Policy\Secrets\_SC_servicename\CurrVal contains the encrypted password of the service. The password is not machine or account dependent. i.e. a user foo with password bar in domain X in NT3.51 has the same encrypted value as user baz in domain Y with NT4.0 (with password bar).

The lsadump program by Paul Ashton can be used to retrieve the plaintext service password.

2.14.2 How do I enforce strong passwords?

See $$$: Q151082 - HOWTO: Password Change Filtering & Notification in Windows NT .

3.0 NT based security tools and products

3.1 Tools for checking and tightening NT security

To secure a system, one good idea is to use automatic tools that checks the system for misconfigurations, vulnerabilities, break-ins, etc.

3.1.1 KSA

Intrusion Detection Inc. have a product called Kane Security Analyst that checks your Windows NT system for vulnerabilities.

3.1.2 OmniGuard

Axent has a series of tools called OmniGuard that includes single sign on, intruder detection, access control, etc.

3.1.3 SomarSoft's DumpACL, DumpEvt and DumpReq

Somarsoft have a suit of tools for dumping information from NTs databases and logs.

3.1.4 Andy Baron's Password Cracker

ScanNT is a dictionary based password cracker that check your NT machine for weak passwords.

A demo version is available from the URL above.

3.1.5 ISS

Internet Security Systems, ISS, have a suite of tools for network security testings that are available on the NT platform.

3.1.6 TCP/IP Portscan

There is a shareware program called NTPortscan that scans the net for open TCP ports.

3.1.7 The NetBIOS Auditing Tool

Secure Networks Inc. has released a tool called NetBIOS Auditing Tool that will check file shares, password integrity, extract information, etc, from a remote host.

The tool is free of charge and released with source code and distributed under the GNU public license.

Check out Secure Networks' NAT web page (http://www.secnet.com/ntinfo/ntaudit.html) or download the

Distribution including source code (ftp://ftp.secnet.com/pub/tools/nat10/nat10.tar.gz)
WinNT/Win95 binaries (ftp://ftp.secnet.com/pub/tools/nat10/nat10bin.zip).

3.2 NT based firewalls

For details and descriptions on how, what and why on firewalls, check out Marcus's firewalls FAQ.

The National Computer Security Association has certified a number of firewalls for all types of platforms. Check out their web page that lists those firewalls and give detailed information on each product.

For a more complete listing of firewall products, visit Cathy Fulmer's firewalls product list.

3.2.1 Raptor Eagle

Raptor has a version of it's Eagle firewall available for the Windows NT platform.

Click here to get their product information.

3.2.2 Firewall-1

Checkpoint Software has a version of it's Firewall-1 firewall available for the Windows NT platform.

3.2.3 The Catapult Microsoft proxy server

The Catapult is a proxy program, which is somewhat different from a pure firewall.

For more information on Catapult, check out

Microsofts proxy server page (http://www.microsoft.com/proxy)
Microsofts own proxy FAQ page (http://www.microsoft.com/proxy/beta/faq.htm)

3.2.4 Digital Altavista Firewall for Windows NT

Digital Equipment Corp. has a version of it's Altavista firewall for Windows NT.

They also have

on-line evaluation copy of the software.
a FAQ on Altavista Firewall

3.2.5 TIS Gauntlet Firewall for Windows NT

In December 1996 Trusted Information Systems, TIS, released their well known Gauntlet firewall for Windows NT. It runs on WNT 4.0 Advanced Server.

For more information

See TIS' Gauntlet NT overview
Check out TIS' press release

3.3 Secure network sessions

3.3.1 Secure Shell, SSH

SSH is a software package originally developed by a finish student named Tatu Ylönen to secure network communication between different hosts.

There are currently a beta version out for an windows client.

You can find more information on SSH on Datafellows web server.There is a SSH homepage and a SSH FAQ.

3.3.2 Kerberos 4 client

Kerberos gives you secure authentication and an encrypted network session.

To run Kerberos, you have to have at least one Kerberos server available to hold the kerberos tickets. For more information on Kerberos, consult the Kerberos FAQ.

There is a Kerberos v. 4 client, currently in beta, available for Windows NT. You can check it out on this ftp server. Unfortunately, there are only UNIX Kerberos server sides available here

3.3.3 SecurID

SecurID is a token based one-time password system that gives you a secure authentication. There is Windows NT and Windows NT RAS clients available from the vendor, Security Dynamics

Security Dynamics have a some security resources on-line, such as FAQs,white papers, etc

Be aware that there have been alot of controversy lately since a posting of a white paper describing some weaknesses of the product.

3.3.4 S/KEY

Bellcore's S/Key User Authentication System with One-Time Passwords are available both as a client program and should be available as a server program for Windows NT by the time you read this. S/key are available for a number of UNIX platforms, Windows 3.11, 95, NT 3.51 and 4.0.

Check out

Bellcore's WWW page for S/KEY (http://www.bellcore.com/SECURITY/skey.html)
Bellcore's S/KEYwhite paper (http://www.bellcore.com/SECURITY/skeywp.html)

3.4 Logging and auditing tools and products

3.4.1 seNTry

The product SeNTry is used for centralized event log viewing and management. This product is not to be confused with Soft Winters disk encryption tool named SENTRY 2020 .

Check it out on http://www.pss.ch/SENTRY.htm

See 2.10.1 for information on different tools to get the syslog

3.4.2 EventSLog

EventSLog from Adiscon, Inc extracts entries from the NT event log and sends them to a syslog server using the syslog protocol.

See http://www.adiscon.com/tools/evntslog/default.htm .

3.5 File encryption and electronic mail

3.5.1 Pretty Good Privacy, PGP

There are a number of good PGP resources out on the net. The list below is just a short selection

PGP Inc's home page (www.pgp.com)
International PGP home page (www.pgp.com)
There is a web page that describes how to use PGP and windows.
Another page to visit is the tutorial called PGP and Anonymous mail made simple using Windows.
Check out Greg Wolfe's PGP Beginner's Guide for DOS - Windows - Email.

A program called PgpEudra to integrate the Eudora mail handling program with PGP.

3.5.2 MIMEsweeper

There is a product called MIMEsweeper from Integralis that checks e-mail for viruses. Integralis have both a product description page and a FAQ on MIMEsweeper available on the net.

3.5.3 SENTRY 2020 (former Shade) disk/file encryption

Soft Winter Corporation, located in Israel, does have a product for disk encryption on Windows NT.

Check out the product on http://www.softwinter.com/

3.6 Other types of security products

3.6.1 CA-UniCenter

3.6.2 Steel-belt RADIUS server for Windows NT

Funk Software have developed a Radius server for Windows NT and NetWare.

For more information see the Steel-Belted Radius for Windows NT Data Sheet

4.0 Where can I find on-line information on NT security

4.1 Mailing lists

4.1.1 NT Security Mailing list

There is a NT security mailing list maintained by the good folks at ISS. You subscribe to it by sending a mail to majordomo@iss.net with the body containing the string "subscribe ntsecurity your email".

The mailing list have some traffic and on-going discussion, and some people might prefer to subscribe to the digest version instead to reduce their incoming mail. The digest is available by sending mail to the same address but with the text "subscribe ntsecurity-digest your email".

The mailing list is archived with a web interface at http://www.iss.net/lists. It is also available for anonymous FTP from ftp://ftp.iss.net/pub/lists/ntsecurity-digest.archive.

4.1.2 NTBugTraq

The NTBugTraq is the Windows NT counterpart of the BugTraq mailing list that is mainly for UNIX related bugs with impact on security. It was started by Russ Cooper <Russ.Cooper@rc.on.ca> in the end of January, 1997. It is a moderated list.

Subscribe by sending a mail to listserv@listserv.ntbugtraq.com. For help with this, have a look at http://www.ntbugtraq.com/ntbugfaq.htm

The NTBugtraq archives are at http://listserv.ntbugtraq.com/archives/ntbugtraq.html

4.2 Web pages and white papers

4.2.1 Microsoft

Microsoft has some information on-line. It might be contained in the Knowledge Base archive, it might be in product white papers. Lately, Microsoft has been moving a lot of information inside some sort of protected area, called MSDN Online . To register as a member, which for now is free, you unfortunately have to enable JavaScript and/or Java in your WEB browser. Once registered you can disable Java, but a lot of things are depending on JavaScript, such as the find button at $$$: http://support.microsoft.com/support/. You should be able to follow the links in this FAQ without enabling either of the two, but for the links denoted with $$$ , such as the one above, you have to be registered as a MSDN Online member. A selection of interesting information from www.microsoft.com

Security Advisor Program
$$$: Search Technical Support . Here, you can punch in a Knowledge Base article number and retrieve the article.
The guts of security
Windows NT Security in Theory and Practice
Security Bits and Pieces
Auditing, or the Other Side of Security

4.2.2 NT Research

There is a good white paper available from NT Research

4.2.4 SomarSoft

Frank Ramos at SomarSoft have both some information and some tools available on-line. There are demo versions of the tools for downloading.

4.2.5 OMNA

Andy Baron has some nice information on-line at his site. Some of the information is related to Microsoft's web server IIS

4.2.6 ISS Vulnerability database

Internet Security Systems, ISS (http://www.iss.net), have a NT specific area (http://www.iss.net/vd/vuln/nt) in their vulnerability database.

4.2.8 NT Shop's NT Security pages

At NT Shop they have a collection of NT related security information such as exploits and white papers on security issues and concerns.

Visit the NT Security web pages (http://www.ntshop.com/security)

4.3 What books on NT security are available?

Microsoft Press have a book entitled "Microsoft NT 3.5 Guidelines for Security, Audit, and Control." ISBN 1-55615-814-9.

Trusted Systems have a book entitled "Windows NT Security" (http://www.trustedsystems.com/NTBook.html)

Tom Sheldon (tsheldon@msn.com) has written a book entitled "The Windows NT Security Handbook". It is scheduled for publication in October, 1996.

Charlie Rutstein (Charlie_Rutstein@notes.pw.com) has an upcoming book on NT Security. Click here (http://ourworld.compuserve.com/homepages/cbr/toc.html) to see a table of content of the book.

Mark Joseph Edwards, Peter Cardin and Andy Baron has written a book entitled "Windows NT Internet Security". "Windows NT Security Handbook - Everything you need to know to protect your network". Unfortunately, in our opinion, it does not live up to its claim to provide all knowledge you need. It have shortcomings in several areas, such as details in file system security.

Another problem is the rapid development in the software area. Microsoft have released a number of new products and technologies and renamed some major and several minor subsystems.

"Windows NT Security Handbook - Everything you need to know to protect your network" has ISBN 0-07-882240-8.
The book "Inside Windows NT", a classic, give an in-depth description on the Windows NT operating system.

5.0 Widely known exploits, security holes and their counter measures

Bill Stout's Known NT Exploits (http://www.ntbugtraq.com/ntexploits.htm)
ISS Security Library (http://www.iss.net/vd/nt_vulnerabilities.html)