Windows NT, by default, runs many services that are potential security risks. The following subsections contain some tips for setting up your Windows NT box to make it more secure. Note that the system should be physically disconnected from your network until you have made all of these changes. This minimizes the possibility that your firewall system will be compromised before you even get started.
You might wonder why I am bothering to include this despite the fact that Microsoft will no longer support Windows NT after the end of 2003. The fact is that Windows NT is well understood by many organizations and will likely still be in use long after Microsoft stops supporting it. Almost all security issues that may be present in Windows NT can be mitigated by proper configuration of the platform.
When setting up Windows NT for FireWall-1, only TCP/IP is needed. Use a static IP address.
Choose a machine name (firewall seems like a good choice, though do not choose fw, fw-1, firewall-1, or similar), and choose a domain/workgroup that is unreachable. Disable Microsoft Networking services as well.
By default, Windows NT installs the following services:
- Computer Browser
- NetBIOS Interface
- RPC Configuration
- Server
- Workstation
None of these services are needed by FireWall-1. Remove NetBIOS, RPC, and Server. The others will be disabled subsequently. You also need to install the SNMP service at this time (FireWall-1 uses this service). Install SNMP before installing FireWall-1 or any service packs.
You may wonder why Workstation remains. The AT utility requires the Workstation service, which is useful. Computer Browser remains because Workstation has a dependency on it. It will be disabled.
In the Network Control Panel applet, click Protocols, and then double-click TCP/IP. Make sure that IP Routing is enabled in the TCP/IP Properties under the Routing tab. Also ensure that only your external interface has a default route defined (the other interfaces should not).
In the Network Control Panel applet, click Bindings. From the pull-down menu next to Show Bindings For, select All Protocols. Select WINS TCP/IP, and click Disable.
If you are installing Windows NT from scratch, you will not be able to disable WINS Client on install. After a reboot, you will experience a hang of up to two minutes. This is perfectly normal and should not occur after disabling the WINS Client.
Go to Devices in Control Panel; scroll down, and find WINS Client (TCP/IP). Click Startup, and change it to Manual.
Go to Services in Control Panel. For each of the following services, select the service, click Startup, and change it to Manual. When you reboot, these services will be disabled:
- Computer Browser
- TCP/IP NetBIOS Helper
- Net Logon
- Workstation
- Server (if present)
- Network DDE
- Network DDE NSDM
- Messenger
Although not necessarily a security recommendation, it is highly advisable that you make sure that your hostname is resolvable to an IP address. In fact, FireWall-1 4.1 and above automatically add an appropriate entry. Go to the local host file (%SystemRoot%\System32\drivers\etc\hosts), and make sure your firewall's hostname has an entry in the hosts file (it probably won't). Make it resolve to your external IP address.
Some registry hacks help protect against people physically coming up to the machine and logging on to it.
To disable the display of the last userid in the logon window, set DontDisplayLastUsername (REG_SZ) to 1 under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
To display a warning message when logging on to the server, set LegalNoticeCaption (REG_SZ) to Notice and LegalNoticeText (REG_SZ) to Authorized Users Only under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
To disable caching of logon credentials, set CachedLogonsCount (REG_SZ) to 0 under:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon
To restrict anonymous connections from listing account names, set RestrictAnonymous (REG_DWORD) to 1 under:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
To restrict network access to the Registry, create the following Registry key:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg
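As an added example (not part of the original text), the following Python script audits a Registry export in REGEDIT4 format, as produced by regedit /e, against the values recommended above, flagging a missing value, a wrong value, a wrong type (such as REG_SZ where REG_DWORD is expected), or a missing winreg key. The sample export embedded in the script is constructed for illustration.

```python
import re

# Key paths from the hardening steps above; compared lowercased (Registry names are case-insensitive).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WINREG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"
EXPECTED = {  # (key, value name) -> (type, data)
    (WINLOGON.lower(), "dontdisplaylastusername"): ("REG_SZ", "1"),
    (WINLOGON.lower(), "cachedlogonscount"): ("REG_SZ", "0"),
    (LSA.lower(), "restrictanonymous"): ("REG_DWORD", 1),
}

def parse_reg(text):
    """Parse a REGEDIT4 export into {key: {value_name: (type, data)}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'"([^"]+)"=(?:"(.*)"|dword:([0-9a-fA-F]{8}))$', line)
        if m and current is not None:
            name, sz, dw = m.groups()
            keys[current][name.lower()] = (
                ("REG_DWORD", int(dw, 16)) if dw is not None else ("REG_SZ", sz))
    return keys

def audit(text):
    """Return findings for an export; an empty list means it matches the recommendations."""
    keys, findings = parse_reg(text), []
    for (key, name), want in EXPECTED.items():
        got = keys.get(key, {}).get(name)
        if got is None:
            findings.append(f"{name} missing under {key}")
        elif got != want:  # wrong data, or wrong type such as REG_SZ for a DWORD
            findings.append(f"{name} is {got[0]} {got[1]!r}, want {want[0]} {want[1]!r}")
    if WINREG.lower() not in keys:
        findings.append("winreg key missing: remote Registry access not restricted")
    return findings

# Constructed sample export: last user name hidden, but cached logons and anonymous access at defaults, no winreg key.
SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUsername"="1"
"CachedLogonsCount"="10"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"""
```

Running audit(SAMPLE) reports three findings (cached logons, RestrictAnonymous, and the absent winreg key); an export with all values applied returns an empty list.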
It is important that you change the name of the Administrator account. Everyone knows that on a Windows NT platform, it is called Administrator. Changing this name to something else adds another level of security. Have all Admin users log on with their own respective accounts, and do not give them the password for the Admin account. This allows you to track who is doing what. Another idea is to create a new fictitious Administrator account that has no privileges and track to see if anyone attempts to log on with that account.
Next, you want to control who has access to what on the system. No more than two groups should have access to the firewall: Administrators (for full access) and Power Users or Users (depending on what access they need). If access can be limited to only members of the Administrators group, that is even better. Regardless, the actual number of people who have authorized access should be no more than two to four people.
The next step is to focus on and modify the system policies. Account Policy, User Rights, and Audit Policy are all found under User Manager.
Account Policy controls how user passwords and logon accounts are used. Two changes are recommended to this policy:
- Set Minimum Password Length to eight characters.
- Set Account Lockout to lock out users after three bad logon attempts and reset the counter after 30 minutes.
User Rights controls who can access what, such as Log On Locally and Manage Auditing and Security Log. Limiting access to the two Windows NT groups discussed earlier (Administrators and Power Users or Users) is recommended. Be sure to eliminate the group Everyone from all access.
Audit Policy determines which events are logged. Because this is your firewall, you want to log a variety of events you may not normally care to log. You should log the following events:
- Logon and logoff (both success and failure)
- Security policy changes (both success and failure)
- Restart, shutdown, and system (both success and failure)
Whenever users are done using the system for a particular session, they should always log out using Ctrl-Alt-Del. In case users forget to do this, ensure that you have a password-protected screen saver that kicks in within five minutes of inactivity.
Make sure the latest service pack and critical updates are installed on your platform. You can download them from http://www.microsoft.com/ntserver/nts/downloads/default.asp.