From: Subject: Beginner's guide to armoring NT 4.0 Date: Sun, 17 Jun 2001 12:34:43 +0900 MIME-Version: 1.0 Content-Type: text/html; charset="iso-8859-1" Content-Transfer-Encoding: quoted-printable Content-Location: http://www.enteract.com/~lspitz/nt.html X-MimeOLE: Produced By Microsoft MimeOLE V5.00.3018.1300 Beginner's guide to armoring NT 4.0
Preparing NT=20 for a firewall
Armoring = NT=20

Lance=20 Spitzner
http://www.enteract.com/~lspitz<= /A>=20
Last Modified: 16 April, 2000


Firewalls are one of = the=20 fastest growing tools in the field of information security. However, a = firewall=20 is only as secure as the operating system it resides upon. This article = will=20 take a step by step look at how you can best armor your NT box in = preparation=20 for a firewall. These steps can apply to any situation, however I will = be using=20 Checkpoint Firewall 1 on NT 4.0 as an example.=20

Installation
The best place to = start in=20 armoring your NT system is at the beginning, OS installation. Since this = is your=20 firewall, you cannot trust any previous installations. You want to start = clean,=20 where you can guarantee the system integrity.  Also, NT is unique = in that a=20 great deal of the system armoring happens during the installation = process. =20 Even if you have just received the system from the manufacture, I = recommend=20 rebuilding the system so you know exactly what is running .=20

Place your system in an isolated network. At no time do you want to = connect=20 this box to an active network nor the Internet, exposing the system to a = possible compromise. To get service packs and hotfixes later, you will = need a=20 second box that acts as a go between. This second box will download = files from=20 the Internet, then either burn them to a cdrom, or connect to your = isolated,=20 configuration "network" to transfer critical files.  I have = personally=20 witnessed systems hacked within 15 minutes of connecting to the = Internet. =20 Morale of the story is keep your system isolated until it is fully = armored.=20

Once you have placed your future firewall in an isolated network, you = are=20 ready to begin.  For NT, a great deal of armoring happens during = the=20 installation process, so we will be covering it in detail. To begin = with, we=20 have two different options of which software to install, Workstation or=20 Server.  I recommend Server for several reasons.  First, NT = Server=20 comes with the ability to mirror drives, whereas NT Workstation doesn't = come=20 standard with that ability.  Second, NT server can handle far more=20 connections then NT workstation (default is 5).  This is critical = if you=20 intend on running any proxy applications on your firewall, such as the = http or=20 telnet security servers.   Also, the registry permissions on = NT Server=20 are more restrictive.=20

NT installation begins with the command line interface.  Here = you select=20 which partitions you install on and what file system you want, FAT or=20 NTFS.  I highly recommend NTFS, as it allows far great control and = security=20 of your file system.  After this, you will begin the GUI part of = the=20 installation. From here you will select what kind of server to install, = which=20 services will run, and general system configuration.  Remember, the = whole=20 idea during this process is to install and configure as few services as=20 possible.  The fewer services that are running, the fewer exploits = or=20 security issues you will have.=20

Following some initial licensing questions,  you will  be = asked=20 which OS package to load,  There are three options, Primary Domain=20 Controller, Backup Domain Controller, and Stand-Alone.  I recommend = Stand-Alone as this is our firewall and it should be doing only one = thing,=20 firewalling.   After several more system options, you will be = asked to=20 select software components.  By default, the system will install=20 Accessories, Communications, Multimedia, and Accessibility.  I = highly=20 recommend you eliminate at least Communications, Multimedia and=20 Accessibility.  Once again, the less software you install, the=20 better.  The system will then ask you if you want to install IIS = web server=20 (by default, it does).  Do NOT install this, a web server is the = last thing=20 you want running on your firewall.  After this, you will install = and=20 configure your NICs (Network Interface Cards).  By default, the = system=20 installs both IPX and TCP/IP for the cards.  Be sure you select = only=20 TCP/IP.  Firewall 1 does not filter IPX.  If your system is = routing=20 IPX, all IPX traffic will go right through the firewall (normally = considered a=20 bad thing).=20

Next, you will select what services you want to install.  By = default,=20 the system will install RPC, Net BIOS, Workstation, and Server.  We = cannot=20 de-select these services now, however we will be removing  them=20 later.  The only service you may want to add here is snmp.  = The=20 firewall Management Module uses snmp to monitor firewall modules (System = Status=20 Viewer).  If you will not be using this feature, or do not have any = distributed firewalls, you do not need snmp.=20

After that, you configure your TCP/IP stack.  Here you select = the IP=20 address, default router, and DNS server.  Do NOT configure a WINS = server or=20 DHCP relay.  We want to minimize what the firewall communicates = with. =20 Remember to enable IP Forwarding.  If you do not enable this, your = firewall=20 will not route traffic (this however definitely makes for a more secure = network=20 :).  The last thing the install process configures is what Domain = or=20 Workgroup you want to belong to.  Well, you don't, you want to = isolate the=20 system as much as possible.  I recommend creating a nonexistent = Workgroup.=20

Following  your installation (and reboot) we will want to = install the=20 latest Service Pack (current Service=20 Pack 6a ) and the latest h= otfixes. =20 Staying current with the latest exploits is critical for a secure = system.=20
 =20

Eliminating Services & Tweaking =
Once you=20 have installed the latest Service Pack and hotfixes, there is allot of = cleaning=20 up to do.  The first priority is turning off the services we had to = install=20 earlier.   Go into Network Neighborhood properties and select=20 Services.  From here, remove RPC Configuration, Net BIOS Interface, = Workstation,  Server, and Computer Browser.  None of these = services=20 are required to run a firewall, they only add possible security=20 vulnerabilities.  The only thing we should have left is SNMP Service (if = you opted=20 to install it). Several people have mentioned that they do not like to = remove=20 Workstation or Server because they lose some specific =20 functionality.   I leave the decision up to you, the reader :) =

" I like to keep workstation because it allows useful things = like=20 AT to run. I like to keep server because if  you tweak the = service for=20 network applications, the firewall does run faster than not having the = server=20 service installed. Besides, if you unbind WINS and setup rules to = block NBT to=20 the firewall, you are killing access to these services at two levels = already.=20 If you really want to be secure, open user manager and remove = everyone's right=20 to logon from the network. (Chris Brenton)"
There are two = other=20 places we can eliminate  services.  The first is to disable = WINS from=20 our NICs (Network Interface Cards).  This is done by going into = Network=20 Properties -> Bindings -> All Protocols -> WINS = Client(TCP/IP). =20 It should look something like=20 this.   The second place is the services menu itself, = found in=20 Settings -> Control Panel -> Services.  Here you can disable = several=20 services that are manually or automatically started at bootup.  I = recommend=20 disabling  TCP/IP=20 NetBIOS Helper.  Anything else is done at your own risk :)=20

No additional services should be installed on the firewall, such as = telnet,=20 ftp, or PCanywhere.  Limit access to console only.  Most = firewalls,=20 including, Check Point Firewall-1, provide a client GUI that allows = remote=20 management of the firewall.  All other system administration should = be done=20 physically on the system.  The only software you may want to = install is=20 some form of anti-virus protection.  Once again, the less that is = running=20 on our firewall, the better.
 
Next, we want to prevent the = logon=20 name of the last user from being displayed on the screen.  To do = this, set=20 the Registry value of DontDisplayLastUsername to 1.  You can find = this at:=20
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current=20 Version\Winlogon=20

We also want to create a logon banner for all users.  This = banner will=20 be a legal warning, forbidding any unauthorized access.  To do = this, set=20 the Registry value LegalNoticeCaption with a short caption, and = LegalNoticeText with the=20 banner itself.  You can find this at
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\Current=20 Version\Winlogon=20

To restrict anonymous connections to list account names, set RestrictAnonymous to 1=20
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa<= /FONT>=20

To restrict network access to the registry, create the following = registry=20 key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentcontrolSet\Control\SecurePipeS= ervers\winreg=20

Accounts and Policies
There are a = variety of=20 modifications we can make to system accounts and permissions. The first = is to=20 change the name Administrator.  By default, this is the logon = account that=20 has full privileges, so we want to protect this account.  By = changing the=20 name, which everyone in the world already knows, we add one more layer = of=20 security.  Also, have all admin users logon with their own = respective=20 accounts , without giving them the password for the "Admin" = account.  This=20 allows you to track who is doing what. Another idea is to create a new = dummy=20 Administrator account that has no privileges, and track to see if anyone = attempts to logon with the account.=20

Next, we want to control who has access to what on the system.  = I=20 recommend having no more then two groups with access to the firewall,=20 Administrators (for full access) and Power Users or Users (depending on = what=20 access they need).  If you can limit access to only Administrators, = that is=20 even better.  Regardless, the actual number of people who are = authorized=20 access should be no more then 2-4 people. The fewer hands that touch the = keyboard, the better.=20

The next step is focusing on the system policies, specifically = "Account",=20 "User Rights" and "Audit", which you will find under User manager.=20

Whenever a user is done using the system for a = particular=20 session, they should ALWAYS logout with CTL-ALT-DEL.  In case they = forgot=20 to do this, ensure you have a password protected screen saver that kicks = in=20 after no more then 5 minutes of inactivity.=20

Staying Current
The problem with = security is,=20 by the time your system is secured, a  new exploit has been = released! =20 So, to help you stay current, I recommend the following:=20

Conclusion
We have covered = some of the=20 more basic steps involved in armoring a NT 4.0 box. The key to a secure = system=20 is having the minimal software installed, with security in layers. There = are=20 many additional steps that can be taken, such as file permissions, = additional=20 registry hacks, 3rd party software, etc. Remember, no system is truly = 100%=20 secure. However, with the steps outlined above, you greatly reduce the = security=20 risks.
 =20

Author's = bio=20
Lance Spitzner is an active member of the Honeynet Project. He enjoys = learning by=20 blowing up systems in his lab at home. Before this, he was an tanker in the = Rapid=20 Deployment Force, where he blew up things of a different nature. You = can=20 reach him at lance@honeynet.org .=20
 
 =20

Whitepapers=
 =20