The official home for this FAQ is currently The Royal Institute of Technology, http://www.it.kth.se/~rom/ntsec.html
It will probably move to Incolumitas' future WWW server whenever we feel that there is a web server that is secure enough and we have the time to set it up.
First off, unfortunately, I must include this gobbledygook.
This compilation is copyrighted material. Copyright © 1996, 1997 Robert Malmgren. You are hereby granted permission to use the material for non-commercial purposes as long as you keep this copyright message, do not pretend that you wrote the material, and give me and/or the other contributors proper credit.
The current version number of the FAQ is 0.39. The FAQ was last updated on the 19th of Feb 1997.
Please submit contributions and requests for updates to the current maintainer of the FAQ, Robert Malmgren (rom@incolumitas.se).
Version 0.39, Feb 19, 1997
Version 0.38, Feb 16, 1997
Version 0.37, Jan 24, 1997
Version 0.36, Jan 11, 1997
Version 0.35, Jan 4, 1997
Version 0.34, 1997-Jan-01
Version 0.33, 1996-Dec-24
Version 0.32, 1996-Nov-09
Version 0.31, 1996-Nov-08
Version 0.30, 1996-Nov-07
Version 0.29, 1996-Nov-07
Dan Shearer <itudps@lux.levels.unisa.edu.au>
David LeBlanc <dleblanc@iss.net>
Larry Buickel <larry@austin.ibm.com>
Mikko Hermanni Hyppönen <Mikko.Hypponen@DataFellows.com>
Patrik Carlsson <patrik@netman.se>
The so-called Orange Book is part of the DoD "rainbow" series of books. The official name is Department of Defense Trusted Computer System Evaluation Criteria. There is another book, a red one, which is an "interpretation" of the Orange Book. The NCSC has published a number of different interpretations of the TCSEC. These interpretations clarify Orange Book requirements with respect to specific system components. The formal name of the Red Book is the NCSC's Trusted Network Interpretation of the Trusted Computer System Evaluation Criteria. It is an interpretation of Orange Book security requirements as they would be applied to the networking component of a secure system. The Red Book does not change the original requirements; it simply describes how a network system should operate in order to meet Orange Book requirements for a C2 secure system.
Microsoft had a certain version of Windows NT, with a specific configuration, on a specific hardware platform, evaluated by the NSA. The outcome was that this specific setup is considered C2 compliant, and the NSA people at the National Computer Security Center, NCSC, also wrote a report entitled the NSA's Final Evaluation Report on Microsoft, Inc.: Windows NT Workstation and Server Version 3.5 with U.S. Service Pack 3, National Computer Security Center, 23 June 1995.
The people at the National Computer Security Center have an online description of the Microsoft NT evaluation (http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html), including information on what type of hardware was used during the test. They have a general page on evaluation (http://www.radium.ncsc.mil/tpep) and a frequently asked questions (FAQ) area (http://www.radium.ncsc.mil/tpep/process/faq.html).
The evaluation was only against the Orange Book, not the Red Book. Microsoft has since continued the evaluation process to also meet the Red Book (i.e. networking) criteria, but this is not yet finalized.
To have a C2 compliant setup, you must amongst other things have
In practice, it also means that you have to
That leaves you with a not very usable client-server system. There is a tool that comes with the Resource Kit, called c2config, that you can use to harden your system to the C2 level. You might also want to see Microsoft's web page entitled What is C2 Evaluation? Microsoft Sets the Record Straight (http://www.microsoft.com/NTServer/c2bltn.htm).
There is an on-line HTML version of the rainbow series books (http://www.pinsight.com:80/~royg/security/dod/rainbow.html) that you might want to check out. Microsoft has a blurb that describes the characteristics of a secure system — C2 and beyond (http://www.microsoft.com/ntserver/c2char.htm).
There is a paper on a new information technology security standard called the Common Criteria (http://csrc.ncsl.nist.gov/nistpubs/cc) available on-line. It is a proposed ISO standard.
Cryptography is one of the foundations for many of the new computer security mechanisms. It provides protection from interception of clear-text data, including passwords, network packets and storage (DASD and RAM). Cryptographic techniques are also used for checksums, integrity control, etc.
The following links might be useful to read up on crypto issues:
You might want to check out some places on the net and subscribe to some mailinglists.
Check out the following webpages:
Recommended mailinglists
Check out the Security Mailinglists FAQ for more information on which lists are available.
Microsoft has an on-line database, called the software library, with program fixes for both the NT operating system and applications. In Microsoft lingo a patch or program fix is called a service pack. There are a number of service packs out, both for different versions of Windows NT and for applications such as SNA Server.
A specialized fix, one that you may pay to have Microsoft customize for you (i.e. you have to have a special type of maintenance contract), is called a hot fix.
If you cannot, or do not want to, download software like this from the net, you can contact your local Microsoft representative and ask them about the service pack you need.
Visit Microsoft's library of service packs.
Impersonation is the ability of a thread to execute in a security context other than from that of the process that owns the thread. This enables a server to act on behalf of a client to access its own objects.
For more information, see
SID stands for Security Identifier and is an internal value used to uniquely identify a user or a group.
A SID contains
For more information, see
A privilege is used to control access to a service or object more strictly than is normal with discretionary access control.
For more information, see
For more information, see
Access-Control Entries (ACEs) are used to build Access-Control Lists (ACLs).
Each ACE contains the following information:
For more information, see
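The SID and ACE descriptions above are given without their component lists, so here is an added example (mine, not part of the FAQ or of any Microsoft code) that parses a textual SID, converts it to and from the binary layout NT stores, and runs a simplified version of the DACL check NT performs against the SIDs in a token. The well-known SIDs (Everyone, Administrators, Users, Local System) and RIDs 500/501 are real NT values; the access-mask bits, the two sample DACLs and the tokens are constructed for illustration.

```python
"""SID parsing and a simplified NT access check (added example, not from the FAQ)."""
import struct

# Well-known SIDs, as used by NT itself; the names are real, the use here is illustrative.
EVERYONE = "S-1-1-0"
LOCAL_SYSTEM = "S-1-5-18"
ADMINISTRATORS = "S-1-5-32-544"   # BUILTIN\Administrators
USERS = "S-1-5-32-545"            # BUILTIN\Users

# Well-known relative identifiers (the last sub-authority of an account SID).
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest"}


def parse_sid(text):
    """Split 'S-1-5-21-...-500' into (revision, identifier authority, sub-authorities)."""
    parts = text.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID: %r" % text)
    revision, authority = int(parts[1]), int(parts[2])
    subauthorities = [int(p) for p in parts[3:]]
    if revision != 1 or len(subauthorities) > 15 or authority >= 1 << 48:
        raise ValueError("malformed SID: %r" % text)
    return revision, authority, subauthorities


def sid_to_bytes(text):
    """Binary SID layout: revision (1 byte), sub-authority count (1 byte),
    identifier authority (6 bytes, big-endian), then each sub-authority as a
    little-endian 32-bit integer."""
    revision, authority, subs = parse_sid(text)
    head = bytes([revision, len(subs)]) + authority.to_bytes(6, "big")
    return head + b"".join(struct.pack("<I", s) for s in subs)


def sid_from_bytes(blob):
    """Inverse of sid_to_bytes; rejects truncated or padded blobs."""
    if len(blob) < 8:
        raise ValueError("SID blob too short")
    revision, count = blob[0], blob[1]
    if len(blob) != 8 + 4 * count:
        raise ValueError("SID blob length does not match sub-authority count")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d" % (revision, authority) + "".join("-%d" % s for s in subs)


def rid_name(text):
    """Name of a well-known RID, or None for an ordinary account or group."""
    subs = parse_sid(text)[2]
    return WELL_KNOWN_RIDS.get(subs[-1]) if subs else None


# Access mask bits for a toy object; NT uses richer, object-specific masks.
READ, WRITE, EXECUTE, DELETE = 1, 2, 4, 8
FULL_CONTROL = READ | WRITE | EXECUTE | DELETE


class ACE:
    """One access-control entry: allow or deny a set of rights to one SID."""
    def __init__(self, kind, sid, mask):
        assert kind in ("allow", "deny")
        self.kind, self.sid, self.mask = kind, sid, mask


def access_check(dacl, token_sids, requested):
    """Simplified NT DACL evaluation. No DACL at all (None) grants everything;
    an empty list grants nothing. ACEs are walked in order: a deny ACE for a
    SID in the token that covers a still-outstanding right fails the check,
    an allow ACE grants its rights, and the check succeeds once every
    requested right has been granted."""
    if dacl is None:
        return True
    outstanding = requested
    for ace in dacl:
        if ace.sid not in token_sids:
            continue
        if ace.kind == "deny" and ace.mask & outstanding:
            return False
        if ace.kind == "allow":
            outstanding &= ~ace.mask
        if outstanding == 0:
            return True
    return outstanding == 0


# A DACL like the as-shipped one the FAQ complains about, and a tightened one.
AS_SHIPPED = [ACE("allow", EVERYONE, FULL_CONTROL)]
TIGHTENED = [ACE("allow", ADMINISTRATORS, FULL_CONTROL),
             ACE("allow", LOCAL_SYSTEM, FULL_CONTROL),
             ACE("allow", USERS, READ | EXECUTE)]

# Constructed tokens: an ordinary user and a local administrator (RID 500).
USER_TOKEN = {"S-1-5-21-1000-2000-3000-1105", USERS, EVERYONE}
ADMIN_TOKEN = {"S-1-5-21-1000-2000-3000-500", ADMINISTRATORS, USERS, EVERYONE}

if __name__ == "__main__":
    print(sid_to_bytes(ADMINISTRATORS).hex())
    print("user can write, as shipped:", access_check(AS_SHIPPED, USER_TOKEN, WRITE))
    print("user can write, tightened: ", access_check(TIGHTENED, USER_TOKEN, WRITE))
    print("RID 500 is:", rid_name("S-1-5-21-1000-2000-3000-500"))
```

The walk stops as soon as every requested right is granted, which is why NT's canonical ACE order (deny entries first) matters: a deny that comes after the allow that already granted the right has no effect.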
In general, any computer that is not physically secured is not fully secured. If anyone is able to get physical access to the machine, it is possible to boot it from a diskette or CD-ROM, or simply to steal the hard disk and use it in another computer.
Symantec has a nice webpage called Understanding Virus Behavior in the Windows NT Environment. (http://www.symantec.com/avcenter/reference/vbnt.html)
Some types of viruses, such as those written in a high-level language (Java, the MS Word scripting language, Excel macros, etc.), will be able to perform some tricks on an NT machine as well.
According to Dr Solomon, the MS Word-based Concept virus spread widely in part because several companies, including Microsoft, shipped CD-ROMs containing the virus.
Windows NT machines can be affected by other types of viruses if you use, for example, dual boot to run some other operating system on the same hardware, e.g. OS/2, UNIX or another version of Windows. When using a coexisting, bootable operating system, if a virus destroys the boot sector or something like that, your NT partition will probably be destroyed as well.
Mikko Hermanni Hyppönen <Mikko.Hypponen@DataFellows.com> pointed out that
"many old DOS viruses work fine in a DOS box under NT. Most old boot viruses will prevent NT from booting and might give an 'inaccessible boot device' error."
Since Windows NT machines are used as file servers for other systems, such as MS-DOS, Windows 3.X and other clients, there are a number of NT-based anti-virus programs. Some of them are
On the CD-ROM included in the NT Resource Kit there is a program called c2config that can be used to tighten the security of an NT-based computer.
Be aware that c2config will not work well on systems with a localized environment, e.g. a German NT that uses ACLs in German, not in English.
See also Microsoft's webpage entitled What is C2 Evaluation? Microsoft Sets the Record Straight
Yes. In versions 3.5 and 3.51, if the administrator decides to kick a user off, the admin has a small time window in which to see the content of the user's current screen and desktop.
See article Q130932 in the Knowledge Base.
Another problem is that a tool from the Resource Kit might be (mis)used to deactivate the screensaver on a remote computer. See article Q142018 on shutdown.exe in the Knowledge Base.
One way to make it harder for the local user to do any harm to the system is to have a local PC without any hard disk or floppy disk. To boot, the system will need to talk to a boot server over the network.
Check out Dan Shearer's document on remote boot (ftp://lux.levels.unisa.edu.au/pub/doc/RemoteBoot.txt)
As shipped from Microsoft, most versions of NT I've ever encountered have had very weird access control list settings on the system files and directories. A lot of files and directories have had "Everyone" with "full control" capabilities. This is true for both NT 3.51 and 4.0.
One way to examine which files have strange permissions is to use SomarSoft's DumpACL program.
David LeBlanc <dleblanc@iss.net> has written a text on file permissions:
If you want to really lock something down hard, then you set the root directory to full access for administrators and system, list access to users (not Everyone). Let that work all the way down the tree. You then go in and loosen things up as need be, but what you've just done is ensure that any new directory that gets created will have those permissions. You then need to make sure the print spool directory has full access to creator\owner (see the NT Resource Kit, 3.51 Update 1 (also known as vol 5)). I'd also go through (using cacls, or you can use the search facility of either file manager or explorer) and set the permissions on all of the executables and DLLs to full access to admins (or if people normally work on that machine under admin status, remove write permission for admins), and list only (read-execute) permissions to users. Note that you've just made it difficult for users to install any software. This could be good or bad, depending on what you want to do. You could make a list of common DLLs that are updated often and give users delete permission.
Now you apply the "smoke test" - log in as a user, and see what is broken. Some programs insist on being able to write to an .ini file in the system tree - if users can't write to (or create) these files, these programs will fail. Change the permissions as need be. If you go overboard, you can even get a situation where non-admins either can't successfully log in, or get a desktop that is completely blank (I did this, much to my astonishment).
If you want to allow users to store files locally, make sure that they have full rights to their own directories. Note that under NT 4.0, a user's desktop profile, and numerous other things, are stored under the system tree - look in %systemroot%\profiles, and make sure each user has full rights to their subdirectory - it should be admin, system, and user have full access.
You'll also want to loosen up the temp directory - a good thing is to give users list access, but creator\owner full access. There may be other directories that need work, depending on what apps you have, and whether they have any notion of multiple users - one example would be the cache directory for your browser.
Since people have a lot of different needs, there is no single answer - it depends on your environment.
Examples of things that might break when one tightens file permission security include
Microsoft has a Knowledge Base article, Q153094 (http://www.microsoft.com/kb/articles/q153/0/94/htm), that describes what to do if you secure some files and change some ACLs that you should not have. Fixing Microsoft's broken file system permission setup might hang your system really badly and make it unbootable. Read the article before actually changing your system.
Microsoft has a sales blurb on NTFS that describes it from a security perspective (http://www.microsoft.com/ntserver/ntfs_mb.htm).
There are some known instances where service packs have reset permissions to the state they were in at first installation.
For an example, see Knowledge Base article Q108103.
There is a known problem in the 3.5, 3.51 and 4.0 versions of NT where users might be able to delete files without permission. Check out Knowledge Base article Q142017 on the subject.
Yes. There are at least two different OSes that are capable of this, MS-DOS and Linux.
It is possible to use the NTFSDOS.exe program from MS-DOS to read information from an NTFS-formatted disk.
As shipped from Microsoft, most versions of NT have very weird access control list settings on the system registry keys. Some registry keys have had permissions that let everyone access and change them over the network.
Dan Shearer <itudps@lux.levels.unisa.edu.au> wrote in message <"ydd1N.0.UA4.0BSJo"@suburbia> dated Sat, 28 Sep 1996 14:05:28 +0930
> here's some more:
> ppl can read portions of the registry remotely (via regedt32.exe).
By default they can _write_ to it too, at least under 3.51 the default permissions gave Everyone write access to quite a few things. The canonical example was (is) the key that determines the association between an application and its extension in file manager. That can be changed by an unprivileged, even unknown user with access to regedt32 on a connected network. Should the .txt entry be changed to point to:
\\SomeNTorUnixWorkstation\UnprotectedShare\bogus.cmd
where bogus.cmd contains:
net user administrator xxxxx /y
notepad %1 %2 %2 %3 %4 %5
all someone with admin privilege at the console has to do is double-click on a text file and the admin password is changed. Of course this is a pretty basic example because the admin would (hopefully) be suspicious on seeing a dos box pop up. But it is trivial to write a win32 app that both launches notepad and does some malicious trapdoor stuff with the admin privilege it has been given.
This is true for NT 3.51.
David LeBlanc <dleblanc@iss.net> has written some text on the registry
In the registry, I'd go in and remove write permission to Everyone from HKEY_CLASSES_ROOT, and give full access to creator\owner, which is what Microsoft did with NT 4.0 - much more secure.
Microsoft has an article in the Knowledge Base, article Q153183 titled How to Restrict Access to NT Registry from a Remote Computer that gives some information on how to fix this very severe security problem.
Playing around with permissions on objects in the registry might damage the system. Check out the article Q139342 Incorrect Permission in Registry Cause Unpredictable Results from the Knowledge Base.
See also
The HKEY_LOCAL_MACHINE key is recreated by the system each time the system is booted. This has the effect that changes to the ACLs for this key do not persist across a reboot.
Users are susceptible to a number of attacks, such as dictionary password guessing. In Windows NT, one way to protect against those types of attacks is to set the number of failed logins allowed before the account is disabled, either temporarily or until the system manager manually enables it again.
David LeBlanc <dleblanc@iss.net> wrote in a mail
As to user rights, I like to go through and make sure Guest is not only disabled, but that it has no rights to anything. Give careful attention to who is allowed to log on from the network and locally. One thing to consider is that the administrator account is on every machine, and can't be locked out from too many bad passwords. A good way around this is to remove the administrator's group from the permissions to log on from the network, and add back in the individual users who are the admins. Now go set it up to audit failed login attempts, lock out users for a few minutes if there are too many login failures, and require a password of decent length - 6 characters is acceptable. This makes brute force attacks very difficult. If you want to prevent other users from accessing the machine remotely, you can also remove the users from the right to log on from the network - that confines the users to having to use the shares on the server. This also prevents anyone not given that right from accessing the event log, the registry, and the shares on the machine. You might also want to pay attention to who can and cannot shut the machine down, and perhaps make it to where you need to log in to shut it down.
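As an added illustration of the lockout policy described above, together with David LeBlanc's point that the built-in administrator account cannot be locked out, here is a small model (my example, not code from the FAQ or from NT itself) of a logon service enforcing a lockout threshold, a lockout duration and a counter-reset window, with an audit trail of what it decided. Account names, passwords and the policy numbers are constructed; NT's own implementation is not shown.

```python
"""Account lockout against password guessing (added example, not from the FAQ)."""
import hmac
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class LockoutPolicy:
    threshold: int = 5             # bad passwords tolerated before the account locks
    lockout_seconds: float = 300   # 0 means locked until an administrator unlocks it
    reset_seconds: float = 300     # bad-password counter is forgotten after this long


@dataclass
class Account:
    name: str
    password: str                      # plain text only because this is a model
    exempt_from_lockout: bool = False  # NT's built-in Administrator behaves like this
    failures: int = 0
    first_failure_at: Optional[float] = None
    locked_at: Optional[float] = None


class Authenticator:
    """In-memory logon service that enforces a LockoutPolicy and keeps an audit trail."""

    def __init__(self, policy: LockoutPolicy):
        self.policy = policy
        self.accounts: Dict[str, Account] = {}
        self.audit: List[Tuple[float, str, str]] = []   # (time, account, event)

    def add(self, account: Account) -> None:
        self.accounts[account.name.lower()] = account

    def unlock(self, name: str, now: float) -> None:
        """What the system manager does when the policy says 'locked until re-enabled'."""
        acct = self.accounts[name.lower()]
        acct.locked_at, acct.failures, acct.first_failure_at = None, 0, None
        self.audit.append((now, acct.name, "unlocked by administrator"))

    def logon(self, name: str, password: str, now: float) -> str:
        """Return 'ok', 'bad-password' or 'locked'. An unknown name gets the same
        answer as a wrong password, so the reply does not reveal which names exist."""
        acct = self.accounts.get(name.lower())
        if acct is None:
            self.audit.append((now, name, "failed logon: unknown user"))
            return "bad-password"
        if acct.locked_at is not None:
            expired = (self.policy.lockout_seconds > 0
                       and now - acct.locked_at >= self.policy.lockout_seconds)
            if not expired:
                self.audit.append((now, acct.name, "logon refused: account locked"))
                return "locked"
            acct.locked_at, acct.failures, acct.first_failure_at = None, 0, None
        if (acct.first_failure_at is not None
                and now - acct.first_failure_at >= self.policy.reset_seconds):
            acct.failures, acct.first_failure_at = 0, None
        if hmac.compare_digest(password.encode(), acct.password.encode()):
            acct.failures, acct.first_failure_at = 0, None
            self.audit.append((now, acct.name, "successful logon"))
            return "ok"
        acct.failures += 1
        if acct.first_failure_at is None:
            acct.first_failure_at = now
        self.audit.append((now, acct.name, "failed logon: bad password"))
        if acct.failures >= self.policy.threshold and not acct.exempt_from_lockout:
            acct.locked_at = now
            self.audit.append((now, acct.name, "account locked out"))
        return "bad-password"


def guessing_run(auth: Authenticator, name: str, guesses: List[str], start: float = 0.0) -> List[str]:
    """Replay a list of password guesses one second apart and collect the replies."""
    return [auth.logon(name, guess, start + i) for i, guess in enumerate(guesses)]


if __name__ == "__main__":
    auth = Authenticator(LockoutPolicy(threshold=5))
    auth.add(Account("alice", "correct horse battery"))
    auth.add(Account("Administrator", "s3cret", exempt_from_lockout=True))
    words = ["password", "letmein", "alice", "qwerty", "123456", "correct horse battery"]
    print("alice:", guessing_run(auth, "alice", words))
    print("Administrator:", guessing_run(auth, "Administrator", words[:5] + ["s3cret"]))
    for when, who, event in auth.audit:
        print("%6.0f %-14s %s" % (when, who, event))
```

Run it and note the two outcomes: for the ordinary account the sixth guess is refused even though it is the correct password, because the account is already locked; for the exempt administrator account the guessing simply continues until it succeeds, which is exactly why LeBlanc suggests taking the administrators group out of the "log on from the network" right.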
Microsoft recommends that you change the name of the administrator account so that outsiders cannot guess the name.
This is of course just one of the things you can do. But unlike what some Microsoft employees believe, security does not stop there. Just changing the name of the administrator account is trying to protect yourself with the lowest level of security there is: security by obscurity.
It is possible to obtain the new name of the administrator by using the command
nbtstat -A <ip-address>
As shipped, some older versions of Windows NT had a guest account that was easily used by outsiders. Newer versions of NT have their guest account closed as shipped from Microsoft. Anyway, you should check out your guest account and disable it as much as possible.
Some people remove the guest account from their system, but unfortunately Microsoft ships some products that rely on that account. For example, if you use Microsoft Internet Studio in combination with Microsoft SQL or Microsoft Access running on a different computer from the one running Internet Studio.
For some background information on Internet and Internet security, see
Yes. To my knowledge, all IP-based systems are possible victims of the attack.
According to the article in Phrack magazine, volume 48 (http://www.fc.net/phrach/files/p48/p48-13.html), NT has a queue size of 6 outstanding SYN packets. The article will serve as good reading if you want to understand the details of the problem.
Check out
NT 4 comes with built-in support for packet filtering. It is a simple but still usable filtering function that the administrator can configure to let only some IP packets reach the actual applications running on the system.
You find the configuration panel for the filtering function under "Control Panel->Network->TCP/IP->Services->Advanced->Security".
Be aware that this simple filtering mechanism is not a substitute for a real firewall, since it cannot do advanced things like protecting against IP spoofing, etc.
First of all, you should really, really reconsider whether it is such a good idea to let NBT traffic through your firewall, especially if the firewall is between your internal network and the Internet.
The problem with NBT is that once you open it up through the firewall, people will have potential access to all NetBIOS services, not just a selection of them such as printing.
The following is a list of the ports used by NBT.
For more information, see RFC 1001, RFC 1002 and the list of IANA assigned port numbers
Authenticode is a way to ensure users that code they download from the net has not been tampered with and gives the code an etched in ID of the software publisher. Microsoft is pushing this as a new way of getting better security into software distribution over the net.
For more information, see Microsoft's FAQ on Authenticode
On other SNMP-enabled machines you can configure both a write and a read community name. On a Windows NT system you can only set one. Not having a community name does not disable the service, as one might expect. According to David LeBlanc, <dleblanc@iss.net>:
If you don't specify a community name, it will answer to anyone.
Check out item 2.7.8 on Microsoft's SNA
Normally, the netstat program should report information on the status of the network connections, routing information, etc. With the option -A or -a, it should list all available TCP and UDP connections and servers that are accepting connections. On Windows NT, even though the documentation states otherwise, this is not the case.
There is no simple way to check which services are running with TCP ports open to accept connections. Currently the only way to get some information about this is to use a port scanner program and test each TCP port on the NT machine. This is not a foolproof way of dealing with the problem.
This is a serious problem if you plan to have NT-based computers in a firewall environment. You cannot easily harden them into bastion hosts, since you cannot be confident which network services might be reachable from the outside.
It is a confirmed bug in Windows NT 3.5, 3.51 and 4.0. I do not expect Microsoft to fix it soon enough.
For more information see
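Since netstat cannot be trusted here, the only check left is to try connecting to each port on your own machine. Here is an added example (mine, not from the FAQ or from any of the tools it lists) that does that from Python for a list of ports and reports anything not on an allow-list of services the bastion host is supposed to offer; it opens its own listener on the loopback interface so the check can be exercised on any machine. The allow-list of ports and service names is constructed.

```python
"""Check which TCP ports on a host actually accept connections (added example, not from the FAQ)."""
import socket
from contextlib import closing

# Constructed allow-list of services a web/FTP bastion host is expected to offer;
# anything else that answers is a service that should have been disabled.
EXPECTED_SERVICES = {21: "ftp", 80: "http"}


def port_is_listening(host, port, timeout=0.5):
    """True if a TCP connect to host:port completes, i.e. something accepts connections there."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.settimeout(timeout)
        return sock.connect_ex((host, port)) == 0


def listening_ports(host, ports, timeout=0.5):
    """Those of `ports` that accept a connection, in ascending order."""
    return sorted(p for p in ports if port_is_listening(host, p, timeout))


def unexpected_listeners(found, expected=EXPECTED_SERVICES):
    """Listening ports that are not on the approved list for this bastion host."""
    return sorted(p for p in found if p not in expected)


def start_listener(host="127.0.0.1", port=0):
    """Open a listening socket (port 0 = let the OS pick) so the check can be exercised locally."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    sock.bind((host, port))
    sock.listen(5)
    return sock, sock.getsockname()[1]


def free_port(host="127.0.0.1"):
    """A port that is currently closed: bind, read the number, release it without listening."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_STREAM)) as sock:
        sock.bind((host, 0))
        return sock.getsockname()[1]


def self_check(host="127.0.0.1"):
    """Open one listener on this machine, then check it together with a closed port."""
    listener, open_port = start_listener(host)
    try:
        closed_port = free_port(host)
        found = listening_ports(host, [open_port, closed_port])
        return open_port, closed_port, found, unexpected_listeners(found)
    finally:
        listener.close()


if __name__ == "__main__":
    open_port, closed_port, found, unexpected = self_check()
    print("listener on %d, closed port %d, found listening %s, not on allow-list %s"
          % (open_port, closed_port, found, unexpected))
```

For a real audit you would call listening_ports against the bastion host's own addresses with range(1, 65536) and a short timeout, from the same network segment the outside world sees. As the FAQ says, this is not foolproof: it only sees TCP services, and only those that answer at the moment you look.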
There are mixed reports on whether or not NT is vulnerable to this attack. By using ping to send a large packet to certain systems, they might hang or crash.
Windows NT 3.51 seems to be vulnerable to this attack. A Knowledge Base article, Q132470, describes the symptoms in Windows NT 3.51 and also includes a pointer to a patch for this problem.
Check out Mike Bremford's Ping o' Death webpage (http://www.sophist.demon.co.uk/ping) for more information on what systems are vulnerable and how.
There is a problem with the RPC service on port 135. This can be misused to launch a denial-of-service attack against an NT system.
Microsoft has issued a fix for this problem: ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP2/RPC-fix
For more information see
CIFS stands for Common Internet File System and is a specification for a file sharing protocol. It is based on the Server Message Block protocol, SMB.
There is a mailing list where the designers from Microsoft, the designers of SAMBA and people working on other network file systems discuss CIFS. Check it out at 'listserv@msn.com'. Send the command subscribe CIFS yourname to subscribe. The mailing list is archived at http://microsoft.ease.lsoft.com/archives/cifs.html
For more information see
NT by default creates a share for each hard disk or partition. One has to disable this behaviour manually.
Patrik Carlsson <patrik@netman.se> gives a solution for the problem in a mail to the NT-security mailing list:
If the non-sharing of the default shares is an issue you could probably write some sort of batch or cmd file that runs every time you start the machine and disables the sharing. Something like net share c$ /DELETE.
Yes.
See *Hobbit*'s excellent paper (http://www.avian.org/avian/papers/cifs.txt) on the Common Internet File System, CIFS, and its security problems.
There are a number of problems with web servers. Bugs in the server, stupid CGI scripts, erroneous configurations and odd additional services (e.g. database connections) are just a few things that might be used to damage your security.
You might want to look at the WWW Security FAQ to get some general security information on WWW.
If you install a Windows NT machine as a web server or a firewall, you should tighten up the security on that box more than you would on ordinary machines on your internal network, since a machine accessible from the Internet is more vulnerable and more likely to be attacked. Securing the machine gives you a bastion host. Some of the things you should do include
Internet Information Server
Check out Andy Baron's bug reports on earlier versions of the Internet Information Server. Microsoft also has some information on this bug as well as suggestions to workaround in Knowledge Base article Q148188.
Microsoft has some information on known vulnerabilities in IIS available in Knowledge Base
Another bug has been found in IIS servers that will hang or kill the web server. Sending the HTTP command "GET ../.." will hang an IIS version 2.0 server on NT 4. There are conflicting rumours about whether this will work on NT 3.51 or not.
Microsoft recommends that you upgrade your IIS server to version 3.0 or the latest available version.
Netscape
People have found bugs in Netscape's Communications server on NT as well. Check out this e-mail to the www-security mailinglist.
One should definitely be aware of CERT's advisory CA-96.11, which describes the problem with having a Perl interpreter accessible over the net.
There is some work going on to improve the situation for people who want to use Perl on NT machines running web servers. Check out Softshore's web page on PERL for NT.
Microsoft has some on-line articles on security and web servers. There are articles on
There is an article on the Bug Net Alert that describes some security problems in FrontPage.
There are some texts on Microsoft's web server on FrontPage security
There are known problems with the FTP server that ships with Windows NT. There is another FTP server that comes with the Internet Information Server, IIS, that is supposedly more secure.
As stated elsewhere in this document, logging is not turned on by default. To turn on logging for the FTP server, there are a number of registry parameters that can be changed. They are located under the following key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\FtpSvc\Parameters
Some of the parameters are LogAnonymous, LogFileAccess and LogNonAnonymous.
See Microsoft's articles on how to turn on
For more information on Internet Explorer, see Microsoft's web page on IE Security.
On the NT 4.0 CD-ROM there is a utility called rollback.exe that will corrupt your system if run. It is not intended for end users, but someone slipped up and the tool is now out on many users' systems.
Without any warning, rollback.exe will remove all system registry entries, which in turn leaves the system in a state from which there is no easy way to recover. One has to grab the emergency repair disk and do a restore from the latest backup.
For more information see
There is a bug in the utility shutdown.exe that is part of the NT Resource Kit. The bug disables the screensaver on a remote machine.
It is confirmed to be a problem on 3.51 systems.
For more information see
There is some information both on Microsoft's web and FTP server as well on some other sites
When installing the complete SNA package, you will get at least three more services, AFTP, NVAlert and NVRunCmd.
Make sure that you have disabled these services if you want to run a more secure setup.
There are a number of things to do to get better security on remote connections
To turn on auditing for RAS, use the regedit utility to set the key
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\RasMan\Parameters\Logging
to 1, then restart RAS.
Microsoft has a generic RAS FAQ entitled Windows NT Remote Access Services - Common Questions and Answers.
By default, all auditing in Windows NT is turned off. You have to manually turn on auditing on whatever object you want audited. First off, you should have a policy for
Then you should configure the auditing. You should also remember that it is hard to make good use of auditing (or any use at all) if you don't have good tools and a good suite of policies on how to handle the logs.
You have to remember that cranking up auditing might give you performance degradation. The trick is to find the balance: log as much as you need without causing problems.
Remember that Windows NT saves the logs locally on disk. If someone can take control of the machine, it is quite likely that the logs can be manipulated as well. A better solution might be to send the logs to one or more protected, centralized log servers.
For more information, see Microsoft's paper called Auditing, or the Other Side of Security.
No, not out of the box. If you want centralized logging for both UNIX and NT machines, you can check out Larry Kahn's syslogutils. To get access to it, you have to send an email to an autoresponder, access@kahn.drcoffsite.com, which mails you back information on how to access his FTP server.
Another syslog server is a program called SL4NT by Franz Krainer.
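To show what sending logs to a protected, centralized log server involves, here is an added example (mine, not the code of syslogutils or SL4NT, nor anything from the FAQ) that turns an event-log style record into a BSD syslog line, sends it over UDP, and parses it again on the collector side. The mapping from NT event types to syslog facility/severity, the sample event and the use of an OS-chosen port instead of 514 are choices made for this illustration.

```python
"""Forward NT event-log records to a central syslog collector (added example, not from the FAQ)."""
import re
import socket
from contextlib import closing
from datetime import datetime

# BSD syslog facility and severity codes (the numbers are the protocol's own).
FACILITIES = {"kern": 0, "user": 1, "auth": 4, "syslog": 5, "local0": 16}
SEVERITIES = {"emerg": 0, "alert": 1, "crit": 2, "err": 3,
              "warning": 4, "notice": 5, "info": 6, "debug": 7}

# How this example maps NT event types onto syslog: audit records go to the auth facility.
EVENT_TYPE_MAP = {"Failure Audit": ("auth", "warning"), "Success Audit": ("auth", "notice"),
                  "Error": ("user", "err"), "Warning": ("user", "warning"),
                  "Information": ("user", "info")}

LINE_RE = re.compile(r"^<(\d{1,3})>(\w{3} [ \d]\d \d\d:\d\d:\d\d) (\S+) ([^:]+): (.*)$")


def priority(facility, severity):
    """PRI = facility * 8 + severity, as in the BSD syslog protocol."""
    return FACILITIES[facility] * 8 + SEVERITIES[severity]


def format_syslog(facility, severity, host, tag, message, when):
    """'<PRI>Mmm dd hh:mm:ss HOST TAG: MSG', day space-padded as BSD syslog writes it.
    Embedded newlines are flattened so one event stays one line at the collector."""
    stamp = "%s %2d %s" % (when.strftime("%b"), when.day, when.strftime("%H:%M:%S"))
    return "<%d>%s %s %s: %s" % (priority(facility, severity), stamp, host, tag,
                                  " ".join(message.split()))


def parse_syslog(line):
    """Split a line back into its fields; None for anything that is not a syslog line."""
    match = LINE_RE.match(line)
    if not match or int(match.group(1)) > 191:
        return None
    pri = int(match.group(1))
    return {"facility": pri // 8, "severity": pri % 8, "timestamp": match.group(2),
            "host": match.group(3), "tag": match.group(4), "message": match.group(5)}


def event_to_syslog(event, when):
    """Turn an event record (a dict in the shape of an NT event-log entry) into a syslog line."""
    facility, severity = EVENT_TYPE_MAP[event["type"]]
    tag = "%s[%d]" % (event["source"], event["id"])
    return format_syslog(facility, severity, event["computer"], tag, event["message"], when)


def send(line, collector):
    """The NT side: one UDP datagram per event to the collector's (host, port)."""
    with closing(socket.socket(socket.AF_INET, socket.SOCK_DGRAM)) as sock:
        sock.sendto(line.encode("utf-8"), collector)


def open_collector(host="127.0.0.1", port=0):
    """The log-server side; port 0 lets the OS pick one (a real syslogd listens on UDP 514)."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.bind((host, port))
    sock.settimeout(2.0)
    return sock


def receive(sock):
    data, _ = sock.recvfrom(2048)
    return parse_syslog(data.decode("utf-8", "replace"))


# Constructed sample in the shape of a failed-logon audit record from the Security log.
SAMPLE_EVENT = {"type": "Failure Audit", "source": "Security", "id": 529, "computer": "NTSRV1",
                "message": "Logon Failure:\n  User Name: alice\n  Reason: bad password"}


def demo(event=SAMPLE_EVENT, when=datetime(1997, 2, 19, 8, 5, 0)):
    """Run both sides on the loopback interface; returns the line sent and the fields received."""
    collector = open_collector()
    try:
        line = event_to_syslog(event, when)
        send(line, collector.getsockname())
        return line, receive(collector)
    finally:
        collector.close()


if __name__ == "__main__":
    sent, got = demo()
    print(sent)
    print(got)
```

The collector keeps its own copy of every line, which is the point the FAQ makes: once the record has left the NT machine, someone who later takes over that machine can edit its local event log but not what the log server already received. Plain syslog over UDP is neither authenticated nor reliable, so the collector itself must sit on a protected network.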
Yes. There is a note on this in the Knowledge Base.
Yes you can, but there is an error on the manual on how to do it. Check out Knowledge Base article Q142615 to see why the "Manage auditing and security log" privilege does not work as documented.
CryptoAPI is a set of encryption APIs that allow developers to develop applications that work securely over non-secure networks, such as the Internet.
CryptoAPI is shipped with NT version 4 and the Internet Explorer 3.0.
To get more information on the CryptoAPI, see
See also
To secure a system, one good idea is to use automatic tools that check the system for misconfigurations, vulnerabilities, break-ins, etc.
Intrusion Detection Inc. has a product called Kane Security Analyst that checks your Windows NT system for vulnerabilities.
Axent has a series of tools called OmniGuard that includes single sign on, intruder detection, access control, etc.
Somarsoft has a suite of tools for dumping information from NT's databases and logs.
ScanNT is a dictionary-based password cracker that checks your NT machine for weak passwords.
A demo version is available from the URL above.
Internet Security Systems, ISS, has a suite of tools for network security testing that are available on the NT platform.
There is a shareware program called NTPortscan that scans the net for open TCP ports.
Secure Networks Inc. has released a tool called NetBIOS Auditing Tool that will check file shares, password integrity, extract information, etc, from a remote host.
The tool is free of charge, released with source code and distributed under the GNU Public License.
Check out Secure Networks' NAT webpage (http://www.secnet.com/ntinfo/ntaudit.html) or download the
For details and descriptions on how, what and why on firewalls, check out Marcus's firewalls FAQ.
The National Computer Security Association has certified a number of firewalls for all types of platforms. Check out their web page that lists those firewalls and gives detailed information on each product.
For a more complete listing of firewall products, visit Cathy Fulmer's firewalls product list.
Raptor has a version of its Eagle firewall available for the Windows NT platform.
Click here to get their product information.
Checkpoint Software has a version of its Firewall-1 firewall available for the Windows NT platform.
The Catapult is a proxy program, which is somewhat different from a pure firewall.
For more information on Catapult, check out Microsofts webpage on Catapult.
Digital Equipment Corp. has a version of its AltaVista firewall for Windows NT.
They also have
In December 1996 Trusted Information Systems, TIS, released their well known Gauntlet firewall for Windows NT. It runs on WNT 4.0 Advanced Server.
For more information
SSH is a software package, originally developed by a Finnish student named Tatu Ylönen, to secure network communication between different hosts.
There is currently a beta version of a Windows client available.
You can find more information on SSH on Data Fellows' web server. There is an SSH homepage and an SSH FAQ.
Kerberos gives you secure authentication and an encrypted network session.
To run Kerberos, you have to have at least one Kerberos server available to hold the Kerberos tickets. For more information on Kerberos, consult the Kerberos FAQ.
There is a Kerberos v. 4 client, currently in beta, available for Windows NT. You can check it out on this FTP server. Unfortunately, there are only UNIX Kerberos server sides available there.
SecurID is a token-based one-time password system that gives you secure authentication. There are Windows NT and Windows NT RAS clients available from the vendor, Security Dynamics.
Security Dynamics has some security resources on-line, such as FAQs, white papers, etc.
Be aware that there has been a lot of controversy lately since the posting of a white paper describing some weaknesses of the product.
Bellcore's S/Key User Authentication System with One-Time Passwords is available as a client program and should be available as a server program for Windows NT by the time you read this. S/Key is available for a number of UNIX platforms, Windows 3.11, 95, NT 3.51 and 4.0.
Check out
The product SeNTry is used for centralized event log viewing and management
Check it out on this site
See 2.9.1 for information on different tools to get the syslog
There are a number of good PGP resources out on the net. The list below is just a short selection
There is a program called PgpEudra that integrates the Eudora mail program with PGP.
There is a product called MIMEsweeper from Integralis that checks e-mail for viruses. Integralis has both a product description page and a FAQ on MIMEsweeper available on the net.
Soft Winter Corporation, located in Israel, has a product for disk encryption on Windows NT.
Check out the product on their Shade web page
Funk Software has developed a RADIUS server for Windows NT and NetWare.
For more information see the Steel-Belted Radius for Windows NT Data Sheet
There is a NT security mailing list maintained by the good folks at ISS. You subscribe to it by sending a mail to majordomo@iss.net with the body containing the string "subscribe ntsecurity your email".
The mailing list has some traffic and on-going discussion, and some people might prefer to subscribe to the digest version instead to reduce their incoming mail. The digest is available by sending mail to the same address but with the text "subscribe ntsecurity-digest your email".
The mailing list is archived with a web interface at http://www.iss.net/lists. It is also available for anonymous FTP from ftp://ftp.iss.net/pub/lists/ntsecurity-digest.archive.
NTBugTraq is the Windows NT counterpart of the BugTraq mailing list, which is mainly for UNIX-related bugs with an impact on security. It was started by Russ Cooper at the end of January, 1997.
Subscribe by sending a mail to LISTSERV@RC.ON.CA with the mail body
SUB NTBUGTRAQ Your Name
SUB NTBUGTRAQ Russ Cooper (for example)
Microsoft has some information on-line. It might be contained in the Knowledge Base archive, it might be in product white papers. A selection of interesting information from www.microsoft.com
There is a good white paper available from NT Research
Bill Stout of Hidata has a nice paper out in which he compares UNIX and NT security mechanisms.
Frank Ramos at SomarSoft has both some information and some tools available on-line. There are demo versions of the tools for downloading.
Andy Baron has some nice information on-line at his site. Some of the information is related to Microsoft's web server, IIS.
Internet Security Systems, ISS (http://www.iss.net), have a NT specific area (http://www.iss.net/vd/vuln/nt) in their vulnerability database.
There is a web page at Community Connection that is a compilation of known vulnerabilities in different Microsoft systems and applications. The name of the web page is Hack Microsoft! (http://www.c2.org/hackmsoft)
At NT Shop they have a collection of NT related security information such as exploits and white papers on security issues and concerns.
Visit the NT Security web pages (http://www.ntshop.com/security)
Microsoft Press has a book entitled "Microsoft NT 3.5 Guidelines for Security, Audit, and Control." ISBN 1-55615-814-9.
Trusted Systems have a book entitled "Windows NT Security" (http://www.trustedsystems.com/NTBook.html)
Tom Sheldon (tsheldon@msn.com) has written a book entitled "The Windows NT Security Handbook". It is scheduled for publication in October, 1996.
Charlie Rutstein (Charlie_Rutstein@notes.pw.com) has an upcoming book on NT security. Click here (http://ourworld.compuserve.com/homepages/cbr/toc.html) to see the table of contents of the book.
Mark Joseph Edwards, Peter Cardin and Andy Pozo have an upcoming book entitled "Windows NT Internet Security". It will be published by Duke Press and is expected to be available in March.
Copyright © 1996, 1997 Robert Malmgren. All rights reserved.