NT4 SP4 Security Jack Schmidt - Fermilab [email protected]

Post on 12-Jan-2016


TRANSCRIPT

Page 1: NT4 SP4 Security

NT4 SP4 Security

Jack Schmidt - Fermilab

[email protected]

Page 2: NT4 SP4 Security

New Features

– 3 new Event Log messages

– Security Log access locked down from Domain Admins

– NTLMv2 - new version of NTLM

– Security Configuration Editor

Page 3: NT4 SP4 Security

3 New Event Log Messages

Event 6006 - Clean Shutdown Event: “The Event log service was stopped.”

Event 6008 - Dirty Shutdown Event: “The previous system shutdown at 7:01 AM on 11/12/98 was unexpected.”

Event 6009 - System Version Event: “Microsoft (R) Windows NT (R) 4.0 1381 Service Pack 4 Uniprocessor Free.”

Page 4: NT4 SP4 Security

Security Log Viewing

Fixed so that Security rights need to be enabled in order to view and manage the Security event log

– Default allowed members of the Administrators group to view the log, but the Security Advisor is not always a System Admin

– Message: “Required Privilege not held by the client”

Page 5: NT4 SP4 Security

NTLMv2 Security

Enhancements to the NTLM security protocols, called NTLMv2, improve both authentication and session security.

Before SP4, NT supported two kinds of challenge/response authentication:

– LanManager (LM) challenge/response (WFW)

– Windows NT challenge/response (also known as NTLM challenge/response)

To allow access to servers that only support LM authentication, Windows NT clients prior to SP4 always used both authentication methods, even to Windows NT servers that supported NTLM authentication.

Page 6: NT4 SP4 Security

NTLMv2 Security (cont)

SP4 systems can be configured to make use of the new authentication options:

– Level 0 - Send LM response and NTLM response; never use NTLMv2 session security

– Level 1 - Use NTLMv2 session security if negotiated

– Level 2 - Send NTLM response only

– Level 3 - Send NTLMv2 response only

– Level 4 - DC refuses LM responses

– Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)

See http://support.microsoft.com/support/kb/articles/q147/7/06.asp
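As an added illustration (not from the slides), this Python model encodes the six levels above plus a pre-SP4 peer, so you can check which client/server pairings still authenticate before raising the level on a domain controller; the function names are this example's own, and the registry value name LMCompatibilityLevel comes from the KB article cited, not from the slide.

```python
# Added model of the SP4 authentication levels (LMCompatibilityLevel) from
# the slide above; function names are this example's own, not Microsoft's.
PRE_SP4 = None   # marker for a peer without SP4, which has no NTLMv2 support

def client_sends(level):
    """Response types a client at this level sends when authenticating."""
    if level is PRE_SP4 or level in (0, 1):
        return {"LM", "NTLM"}          # both responses, as before SP4
    if level == 2:
        return {"NTLM"}                # NTLM response only
    return {"NTLMv2"}                  # levels 3, 4, 5: NTLMv2 response only

def server_accepts(level):
    """Response types a server or DC at this level will accept."""
    if level is PRE_SP4:
        return {"LM", "NTLM"}          # pre-SP4 server cannot verify NTLMv2
    if level <= 3:
        return {"LM", "NTLM", "NTLMv2"}
    if level == 4:
        return {"NTLM", "NTLMv2"}      # DC refuses LM responses
    return {"NTLMv2"}                  # level 5: accepts only NTLMv2

def session_security(client_level, server_level):
    """NTLMv2 session security is used only if both sides are SP4 at level 1+
    (level 0 never uses it, and a pre-SP4 peer cannot negotiate it)."""
    if client_level is PRE_SP4 or server_level is PRE_SP4:
        return False
    return client_level >= 1 and server_level >= 1

def can_authenticate(client_level, server_level):
    """True if some response the client sends is one the server accepts."""
    return bool(client_sends(client_level) & server_accepts(server_level))

def compatibility_matrix():
    """Every client/server pairing, e.g. to see what a level-5 DC would break."""
    levels = [PRE_SP4, 0, 1, 2, 3, 4, 5]
    return {(c, s): can_authenticate(c, s) for c in levels for s in levels}

def broken_by(server_level):
    """Client levels that can no longer authenticate to a server at this level."""
    return [c for c in [PRE_SP4, 0, 1, 2, 3, 4, 5]
            if not can_authenticate(c, server_level)]
```

Note the two directions of breakage: a level-5 DC locks out every client below level 3, and a level-3 client can no longer reach any server that has not yet received SP4.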

Page 7: NT4 SP4 Security

Security Configuration Editor

Consolidates all security related settings into a single configuration file

– User Manager, Server Manager, Resource Kit, Registry Settings, File Explorer Settings

Can be applied to any number of NT machines (server and workstation)

Sample configuration templates provided

Command line and GUI interface supported

Page 8: NT4 SP4 Security

A Peek at the SCE

Page 9: NT4 SP4 Security

Policies and Settings

– Account Policies

– Local Policies

– Event Log

– Restricted Groups

– System Services

– Registry

– File System

Page 10: NT4 SP4 Security

Account Policies

Password settings such as length, uniqueness, minimum and max age, complexity, must logon to change.

Account lockout settings including lockout count, length of lockout time, reset account lockout after so many minutes

Page 11: NT4 SP4 Security

Local Policies

Audit Policy - audit settings (success/failure) of account management, logon events, object access, policy changes, privilege use, process tracking and system events

User Rights - such as add workstations to domain, change system time, take ownership of files

Security Options - such as rename Admin account, logon messages, disconnect idle users, number of passwords to cache, restrict floppy and CDROM access

Page 12: NT4 SP4 Security

Settings

Event Log settings - maximum size for logs, restrict guest access, retention method for log files, shutdown when security log is full

Restricted Groups - ability to add and remove members from Domain Admin defined 'sensitive' groups. Designed for Windows 2000

Page 13: NT4 SP4 Security

Settings

System Services - In the future 3rd party vendors can build in SCE attachments. Microsoft is planning attachments for services: spooler, TCP/IP, file sharing, etc.

Registry and File System - Provide ability to configure and analyze settings for object ownership, ACLs, and auditing information. Not fully implemented.

Page 14: NT4 SP4 Security

Predefined Configuration Templates

Templates can be used to configure systems and to perform security analysis of systems.

Templates are text-based .inf files.

Configuration information is broken down into sections which can be applied as a full policy or in part.

Ability to exclude items from an audit (shows as Not Configured).

Designed to allow new sections to be added.

GUI interface allows modification of templates to provide customization.

Page 15: NT4 SP4 Security

Predefined Configuration Templates

Compatible Configuration

– COMPDC4, COMPWS4

– Improvement over default security settings. Errs on the side of applications when making a tradeoff between functionality and security

Secure Configuration

– SECURDC4, SECURWS4

– Improvement over compatible settings. Errs on the side of security when making a tradeoff between functionality and security

Page 16: NT4 SP4 Security

Predefined Configuration Templates

High Secure Configuration

– HISECDC4, HISECWS4

– Enforces ideal security settings without consideration for application functionality. Most applications won’t work under this setting. Designed to promote the development of future “security conscious” applications.

Basic Configuration

– BASICDC4, BASICSV4, BASICWK4

– Provided as a means to “undo” the application of a more secure configuration. Does NOT “rollback” settings!

Page 17: NT4 SP4 Security

SCE Adventures

'Out of the Box' analysis is based on the Basic Configuration files.

– Must apply a more secure configuration before attempting an audit

Analysis results are easy to interpret

Remote analysis not yet possible

Log files are useful for summarization but are not detailed.

Page 18: NT4 SP4 Security

SCE Adventures (cont)

Command line tool can be used for applying only certain sections of the policy or the full policy

SCE must be applied to all systems.

New users not always able to log on locally after SCE installed.

New file permission box

Password complexity box has correct message...

Page 19: NT4 SP4 Security

Security Analysis results

Page 20: NT4 SP4 Security

Configuration

Page 21: NT4 SP4 Security

New File Permissions View

Page 22: NT4 SP4 Security

Advanced File Permissions

Page 23: NT4 SP4 Security

Password Change Message

Page 24: NT4 SP4 Security

Suggestions

Edit either the COMP or SECUR .inf files and make changes based on your security plan (you do have a security plan, don’t you?)

Save the file with a new name such as COMP4DC-FNAL.inf

Apply the configuration file to your system. Password configurations applied to the PDC will affect the entire domain.

Do a security analysis and make sure items were changed.

Check servers monthly. Run an audit to see if the system has changed and why.
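As an added example (not from the slides, and not SCE's own code), this Python models the template workflow of slides 14, 18 and 24: parse a constructed .inf-style fragment, tighten it per a security plan, write it back out under a new name, and analyze a machine's current settings against it in full or per section, with items the template omits reported as Not Configured. The [System Access] and [Event Audit] key names follow SCE's naming as I recall it and are assumptions; the template and system values are constructed.

```python
import configparser

# Constructed .inf-style fragment, not a real COMPDC4/SECURDC4 file; the
# [System Access] and [Event Audit] key names are assumptions about SCE naming.
COMP_TEMPLATE = """\
[System Access]
MinimumPasswordLength = 6
LockoutBadCount = 0
PasswordComplexity = 0
[Event Audit]
AuditLogonEvents = 1
"""

# Constructed snapshot of what one machine currently has (what SCE reads back).
CURRENT_SYSTEM = {
    ("System Access", "MinimumPasswordLength"): "6",
    ("System Access", "LockoutBadCount"): "0",
    ("System Access", "PasswordComplexity"): "0",
    ("System Access", "MaximumPasswordAge"): "42",
    ("Event Audit", "AuditLogonEvents"): "0",
}

def load_template(text):
    """Parse .inf text into {(section, key): value}."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str               # keep key names exactly as written
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() for k, v in cp.items(s)}

def to_inf(settings):
    """Serialize settings back to .inf text, e.g. to save as COMP4DC-FNAL.inf."""
    lines = []
    for section in sorted({s for s, _ in settings}):
        lines.append(f"[{section}]")
        lines += [f"{k} = {v}" for (s, k), v in settings.items() if s == section]
    return "\n".join(lines) + "\n"

def analyze(template, system, sections=None):
    """Compare the machine's settings with the template, for all sections or
    only the named ones. Returns {key: "OK" | "MISMATCH" | "Not Configured"};
    Not Configured means the template does not cover that item."""
    report = {}
    for key, actual in system.items():
        if sections and key[0] not in sections:
            continue
        wanted = template.get(key)
        if wanted is None:
            report[key] = "Not Configured"
        else:
            report[key] = "OK" if wanted == actual else "MISMATCH"
    return report
```

Running the analysis again a month later against the same saved template is the "check servers monthly" step: any key that has drifted from OK to MISMATCH tells you the system changed and where to look.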

Page 25: NT4 SP4 Security

Command Line Tool

The command line tool (secedit.exe) is useful for applying predefined configuration files to many systems using distributed management tools (such as SMS).

Page 26: NT4 SP4 Security

WARNING!

Applying a secure configuration to an NT system may result in a loss of performance and functionality!

– Many applications expect that all users have Change (Read, Write, Execute, Delete) permissions on root, systemroot, and systemroot\system32 directories

Page 27: NT4 SP4 Security

Further Information

http://www.microsoft.com/security/ntprod.htm (doesn’t work yet!)

http://www-dcd.fnal.gov/hepnt-security

Page 28: NT4 SP4 Security

Any Questions?