Help to Secure Your System From Intrusion
Manage User Rights
- In User Manager, go to the Policies/User Rights... menu item. The User Rights dialog will appear, and you might be surprised at what you see: the very first Right, "access this computer from network", is granted to Administrator, Everyone, and Power User by default!
You really need to remove at least the Everyone group for this right! And if you don't plan to access the computer from a network, remove all groups, including Administrator.

Furthermore, you should remove all users' right to "force shutdown from a remote system".
Use a Non-Administrator Account for Internet Browsing
- Perhaps most importantly, don't surf the net using your Administrator account. If this sounds like a real PITA, consider purchasing the Resource Kit, and using the utility VDESK: it allows multiple desktops on which you can be logged in with different user rights. It provides a new Task Manager that lets you switch among those desktops easily, all within the same session. Therefore, you should be able to have an "Administrator" desktop with your management utilities available and running; and a desktop for Internet use using very restricted user rights.
Also, you can secure your Registry from remote access by all users except Administrators by adding the following key in the Registry:
HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg=1
This key is set automatically in NT Server 4, but not Workstation. While it won't stop someone with Administrator rights, it will stop everyone else from changing your Registry from a remote computer. Hence, another reason to use a more restricted User account for web surfing.
- Be Aware of your Browsers' Security Holes
And not just applets and Active X objects. There have been a fistful of security holes found in many browsers. (But be sure to read Russ Cooper's "ActiveX and NT Security" editorial on NTBugTraq!).
For Internet Explorer 4.01, visit Microsoft's Security page for news and the latest updates (these patches are not available through the Internet Explorer Active Setup page).
Remove or Disable Unnecessary Network Services
- Entirely disable the Server service. If you need it for whatever reason (remember, this is a workstation site, although I concede you might be networked to your son's computer in the next room), ensure that the network card bindings are set to exclude RAS services (i.e., the Remote Access WAN Wrapper).
Secure Your Files
- Use NTFS as your file system.
- Make as many directories and files as possible Not Shared.
General Security Issues
- Regardless of how many user accounts you have, you should change the Administrator account to another name, and use the Registry to ensure that the Last User isn't shown on the Login dialog. The Registry setting for this option is:
HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=1
Be aware, though, that anyone can find out the name of your Administrator account by running the following command:
However, any deterrent must be looked upon positively. If you don't keep a RAS connection constantly, a would-be hacker would have one more step to take before getting access to your system. I guess you could decide to change your Administrator account name on a regular basis, also.
- Make a good password and change it often.
If someone can gain access to your computer (direct or remote) with Administrator privileges, they can run a program which hacks into your Registry and dumps your password. Even though Microsoft made it harder to hack the password hash in Service Pack 3 (and that is if you read how to enable the new security features, and then implemented them), if you have a simpleton password, a brute-force dictionary password attack can crack it!
- Finally, if you don't need dial-in capability, then ensure that RAS is configured to Dial Out Only by using the Network applet in the Control Panel: select the Services tab, double-click on "Remote Access Service", and select "Configure". In that dialog, ensure that the option "Dial Out Only" is checked.
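
The two Registry settings recommended above (the SecurePipeServers\winreg key and DontDisplayLastUserName) can be checked offline against a regedit export. The Python script below is an added example, not part of the original page; the sample exports are constructed, and accepting either a string "1" or a DWORD 1 for DontDisplayLastUserName is an assumption.

```python
import re

# Registry locations named on the page, lower-cased for case-insensitive matching.
WINREG_KEY = r"hkey_local_machine\system\currentcontrolset\control\securepipeservers\winreg"
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"

# Constructed sample exports (not taken from a real machine).
DEFAULT_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
"Shell"="Explorer.exe"
'''

HARDENED_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
"Description"="Registry Server"
'''

def parse_reg_export(text):
    """Return {key_path: {value_name: raw_data}} from REGEDIT4 export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            current = keys.setdefault(header.group(1).lower(), {})
            continue
        value = re.fullmatch(r'"([^"]+)"=(.+)', line)
        if value and current is not None:
            current[value.group(1).lower()] = value.group(2)
    return keys

def audit(text):
    """List the page's two registry recommendations that the export does not meet."""
    keys = parse_reg_export(text)
    findings = []
    # An export carries no ACLs, so only the key's presence can be checked here.
    if WINREG_KEY not in keys:
        findings.append("SecurePipeServers\\winreg key is absent")
    raw = keys.get(WINLOGON_KEY, {}).get("dontdisplaylastusername")
    if raw not in ('"1"', "dword:00000001"):
        findings.append("DontDisplayLastUserName is not set to 1")
    return findings

if __name__ == "__main__":
    for name, export in (("default", DEFAULT_EXPORT), ("hardened", HARDENED_EXPORT)):
        print(name, audit(export) or "OK")
```

Because the export contains no permissions, the ACL on the winreg key still has to be reviewed on the machine itself.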

Maximum Security: A Hacker's Guide to Protecting Your Internet Site and Network, Anonymous, July 1997
Note: you can read Maximum Security online FREE at MacMillan Personal Bookshelf [registration required, but then you have access to hundreds of computer-related titles, most with hotlinks to web sites]

Internet Security With Windows NT, Mark Joseph Edwards, November 1997.
Web Sites
NTBugTraq is the home of the security mailing lists, and includes an NT Fixes Status Page for hotfixes.
What used to be NT Security, highly recommended last year on this page, is now a more corporate website for Aelita, makers of enterprise mgmt tools like Virtuosity and ERDisk. The former site had a non-intrusive (and simple) test for your security settings: it's not there anymore. Please Don't Flame Me! And poke around the Aelita site to find other gems, like their concise security checklist.
Also, try the NT security setup checklist provided by ISS; or the much more involved NT Security FAQ.