Windows NT, by default, runs many services that are potential security risks. The following subsections contain some tips for setting up your Windows NT box to make it more secure. Note that the system should be physically disconnected from your network until you have made all of these changes. This minimizes the possibility that your firewall system will be compromised before you even get started. You might wonder why I am bothering to include this despite the fact that Microsoft will no longer support Windows NT after the end of 2003. The fact is that Windows NT is well understood by many organizations and will likely still be in use long after Microsoft stops supporting it. Almost all security issues that may be present in Windows NT can be mitigated by proper configuration of the platform.

Network Protocols

When setting up Windows NT for FireWall-1, only TCP/IP is needed. Use a static IP address.

Machine Name and Domain

Choose a machine name (firewall seems like a good choice, though do not choose fw, fw-1, firewall-1, or similar), and choose a domain/workgroup that is unreachable. Disable Microsoft Networking services as well.

Services

By default, Windows NT installs the following services:
None of these services are needed by FireWall-1. Remove NetBIOS, RPC, and Server. The others will be disabled subsequently. You also need to install the SNMP service at this time (FireWall-1 uses this service). Install SNMP before installing FireWall-1 or any service packs. You may wonder why Workstation remains. The AT utility requires the Workstation service, which is useful. Computer Browser remains because Workstation has a dependency on it. It will be disabled.

IP Routing

In the Network Control Panel applet, click Protocols, and then double-click TCP/IP. Make sure that IP Routing is enabled in the TCP/IP Properties under the Routing tab. Also ensure that only your external interface has a default route defined (the other interfaces should not).

WINS TCP/IP

In the Network Control Panel applet, click Bindings. From the pull-down menu next to Show Bindings For, select All Protocols. Select WINS TCP/IP, and click Disable.

WINS Client

If you are installing Windows NT from scratch, you will not be able to disable WINS Client on install. After a reboot, you will experience a hang of up to two minutes. This is perfectly normal and should not occur after disabling the WINS Client. Go to Devices in Control Panel; scroll down, and find WINS Client (TCP/IP). Click Startup, and change it to Manual.

Services to Disable after Installation

Go to Services in Control Panel. For each of the following services, select the service, click Startup, and change it to Manual. When you reboot, these services will be disabled:
Local Hosts File

Although not necessarily a security recommendation, it is highly advisable that you make sure that your hostname is resolvable to an IP address. In fact, FireWall-1 4.1 and above automatically add an appropriate entry. Go to the local hosts file (%SystemRoot%\System32\drivers\etc\hosts), and make sure your firewall's hostname has an entry in the hosts file (it probably won't). Make it resolve to your external IP address.

Registry Hacks

Some registry hacks help protect against people physically coming up to the machine and logging on to it.
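The hosts-file check described above under Local Hosts File, as an added example that is not from the book: a small Python parser for the Windows hosts file format that confirms the firewall's hostname maps to its external address and flags the usual mistakes (no entry at all, an entry pointing at loopback or an internal interface, or duplicate entries). The hostname "firewall", the external address 192.0.2.10 and the sample file contents are constructed for the example.

```python
import ipaddress
from typing import Dict, List, Optional

# Constructed sample of %SystemRoot%\System32\drivers\etc\hosts on an NT
# firewall named "firewall" whose external interface is 192.0.2.10
# (a documentation address used here as a placeholder).
SAMPLE_HOSTS = """\
# hosts file: one IP per line followed by one or more names
#      10.1.1.5     old-box          # commented-out entry is ignored

127.0.0.1       localhost
192.0.2.10      firewall   firewall.example.com   # external interface
"""


def parse_hosts(text: str) -> Dict[str, List[str]]:
    """Map each hostname (lower-cased) to the IPs it is listed with.

    Handles blank lines, full-line and trailing '#' comments, tab or
    space separation and several names on one line, as the Windows
    hosts file allows. Lines whose first field is not an IP are skipped.
    """
    table: Dict[str, List[str]] = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = line.split()
        try:
            addr = str(ipaddress.ip_address(fields[0]))
        except ValueError:
            continue
        for name in fields[1:]:
            table.setdefault(name.lower(), []).append(addr)
    return table


def check_firewall_entry(text: str, hostname: str, external_ip: str) -> Optional[str]:
    """Return None when hostname maps only to external_ip, else a problem description."""
    addrs = parse_hosts(text).get(hostname.lower(), [])
    if not addrs:
        return f"no hosts entry for {hostname}"
    if external_ip not in addrs:
        return f"{hostname} resolves to {', '.join(addrs)}, not the external address {external_ip}"
    if len(addrs) > 1:
        # Windows uses the first matching line, so a stray duplicate can win.
        return f"{hostname} has multiple entries ({', '.join(addrs)}); keep only the external one"
    return None
```

Run `check_firewall_entry` against the real file contents and the address of the external interface; any non-None result is the line to fix before installing FireWall-1.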
Account Names Policies

It is important that you change the name of the Administrator account. Everyone knows that on a Windows NT platform, it is called Administrator. Changing this name to something else adds another level of security. Have all Admin users log on with their own respective accounts, and do not give them the password for the Admin account. This allows you to track who is doing what. Another idea is to create a new fictitious Administrator account that has no privileges and track to see if anyone attempts to log on with that account. Next, you want to control who has access to what on the system. No more than two groups should have access to the firewall: Administrators (for full access) and Power Users or Users (depending on what access they need). If access can be limited to only members of the Administrators group, that is even better. Regardless, the actual number of people who have authorized access should be no more than two to four people. The next step is to focus on and modify the system policies, specifically the Account Policies:
Whenever users are done using the system for a particular session, they should always log out using Ctrl-Alt-Del. In case users forget to do this, ensure that you have a password-protected screen saver that kicks in within five minutes of inactivity.

Service Packs and Critical Updates

Make sure the latest service pack and critical updates are installed on your platform. You can download them from http://www.microsoft.com/ntserver/nts/downloads/default.asp.