Procedures for Hardening Windows NT Workstation:

By Luqman Mahmud, FedEx Data Security

  1. Install Windows NT on a clean hard disk (use Fdisk to remove all existing partitions first; this destroys everything on the disk). Use the 128-bit (US/Canada) version of NT, and format every partition as NTFS; FAT partitions have no file-level security at all.
  2. Install the latest Service Pack (currently Service Pack 3), again the 128-bit version.
  3. Download the post-Service Pack 3 hotfixes from
     ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/usa/nt40/hotfixes-postSP3
  4. Apply the following hotfixes, in the order listed, so that an older fix does not overwrite a newer one. Reapply them after any reinstallation of the service pack, which rolls them back.

    dns-fix

    iis-fix

    zip-fix

    roll-up

    winsupd-fix

    ndis-fix

    scsi-fix

    2gcrash

    simptcp-fix

    ide-fix

    wan-fix

    pent-fix (x86 only)

    joystick-fix (x86 only)

    SAG-fix

    iis4-fix

    teardrop2-fix

    tapi21-fix

    pcm-fix

    srv-fix

    y2k-fix

    euro-fix

    atapi-fix

    netbt-fix

    prnt-fix

    sfm-fix

    pptp2-fix

    lsa2-fix

    ssl-fix

    privfix

  5. Implement the System Key (SYSKEY) to strongly encrypt the password database by running C:\WINNT\System32\SYSKEY.EXE (installed by Service Pack 3). If deemed necessary, choose the floppy-disk System Key so the machine cannot boot without the key diskette; keep a copy of that diskette offline, because SYSKEY cannot be removed once enabled and a lost key makes the machine unbootable. Update the Emergency Repair Disk afterwards (rdisk /s) so the repair copy of the SAM matches the live one.
  6. Install and run Passprop.exe from the NT Resource Kit (passprop /complex /adminlockout) to enforce complex passwords and to allow the Administrator account to be locked out for network logons.
  7. Remove the serial port devices under Control Panel | Ports.
  8. Remove the LPT port under Control Panel | Devices, and stop or disable the Parallel and Parport device drivers there.
  9. Implement a hardware (BIOS) power-on password and set the BIOS to boot from the hard disk only; otherwise the NTFS permissions below can be bypassed by booting another operating system from a floppy.


    Implement the following file-level security on the NTFS volumes. NT 4.0 has no permission inheritance, so when setting these in Explorer check "Replace Permissions on Subdirectories" and "Replace Permissions on Existing Files" (or use cacls with /T), and re-check them after installing software into \WINNT.

    FILE PERMISSIONS:

    \ (the root directory, C:\)
        Administrators: Full Control
        System: Full Control
        Authenticated Users: Read

    \Boot.ini, \Ntdetect.com, \Ntldr
        Administrators: Full Control
        System: Full Control
        Authenticated Users: Read

    \Autoexec.bat, \Config.sys
        Administrators: Full Control
        System: Full Control
        Power Users: Change
        Authenticated Users: Read

    \TEMP
        Administrators: Full Control
        Creator Owner: Full Control
        System: Full Control
        Power Users: Change
        Authenticated Users: Special Directory Access (Read, Write, Execute), Special File Access: None

    \WINNT and all subdirectories
        Administrators: Full Control
        Creator Owner: Full Control
        System: Full Control
        Authenticated Users: Read, Execute

    \WINNT\Repair
        Administrators: Full Control (no other access; this directory holds the repair copy of the SAM)

    \WINNT\System32\config
        Administrators: Full Control
        Creator Owner: Full Control
        System: Full Control
        Power Users: Change
        Authenticated Users: List

    \WINNT\System32\spool
        Administrators: Full Control
        Creator Owner: Full Control
        System: Full Control
        Power Users: Change
        Authenticated Users: Read

    \WINNT\Cookies, \WINNT\Forms, \WINNT\History, \WINNT\OCCache, \WINNT\Profiles, \WINNT\Sendto, \WINNT\Temporary Internet Files, \WINNT\Downloaded Program Files
        Administrators: Full Control
        Creator Owner: Full Control
        System: Full Control
        Authenticated Users: Special Directory Access (Read, Write, Execute), Special File Access: None


    Services:

    Disable or remove the following services (Control Panel | Services, set Startup to Disabled). Each of them either listens on the network or relays data that a standalone workstation does not need:

    Alerter

    Clipbook Server

    Computer Browser

    DHCP Client (only if the workstation has a static IP address)

    Directory Replicator

    Messenger

    Remote Procedure Call Locator

    SNMP Trap Service

    Spooler (make sure "Print directly to the printer" is checked in the Printer Properties box)

    TCP/IP NetBIOS Helper

    Telephony Service

    Protocols:

    Make sure only TCP/IP is loaded (Control Panel | Network | Protocols; remove NetBEUI, NWLink IPX/SPX and anything else).

    Under TCP/IP Properties | IP Address | Advanced, check Enable Security and use Configure to permit only the TCP ports, UDP ports and IP protocols the workstation actually needs; everything not listed is dropped. This filter applies to inbound traffic only.

    Under Control Panel | Network | Bindings, disable the NetBIOS Interface, Server and Workstation bindings to WINS Client (TCP/IP). This stops SMB file sharing and NetBIOS name traffic over the network entirely, so do it only on a workstation that needs neither domain logons nor network shares.

    Policies:

    Under User Manager | Policies | Account:

    1. Rename the built-in Administrator account, give it a long random password kept offline, and do not use it for day-to-day work (the built-in account cannot be disabled or deleted; passprop /adminlockout, step 6 above, lets it be locked out for network logons).
    2. Create a new account with full administrative privileges (a member of Administrators) for administration.
    3. Use the following account restrictions:

    Maximum Password Age: expires in 30 days

    Minimum Password Age: allow changes after 1 day

    Minimum Password Length: at least 10 characters

    Password Uniqueness: remember 5 passwords

    Account lockout: lock out after 5 bad logon attempts

    Reset count after 30 minutes

    Lockout Duration: Forever (until an administrator unlocks the account)

    Users must log on in order to change password

    Under User Manager | Policies | User Rights:

    1. Access this computer from network: remove all users and groups (this blocks all inbound SMB and RPC access, including administrative access, which is the intent for a standalone workstation).
    2. Bypass traverse checking: Authenticated Users only.
    3. Force shutdown from a remote system: remove all users and groups.
    4. Log on locally: Authenticated Users and Administrators only (remove all other entries, in particular Everyone and Guests).
    5. Shut down the system: Authenticated Users and Administrators only.

    Under User Manager | Policies | Audit, select Audit These Events and audit the following:

    Logon and Logoff: Success and Failure

    File and Object Access: Failure

    User and Group Management: Success and Failure

    Security Policy Changes: Success and Failure

    Restart, Shutdown, and System: Success and Failure

    File and Object Access auditing records nothing by itself: it only applies to files, directories and registry keys that have auditing entries set on them (Properties | Security | Auditing), so set those on \WINNT\Repair, \WINNT\System32\config and the SAM and Lsa registry keys as a minimum. Also raise the Security log size in Event Viewer | Log | Log Settings so that events are not overwritten before anyone reads them.


    The Registry:

    Make the following changes with Regedt32, which unlike Regedit can set permissions on keys. In each entry below the path is the key, and "Key Name" is the name of the value to create under it.

    Display legal notices at logon by editing the following values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Key Name: LegalNoticeCaption

    Data Type: REG_SZ

    Value: Legal Notice!

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Key Name: LegalNoticeText

    Data Type: REG_SZ

    Value: This system is for authorized users only! Unauthorized use is subject to prosecution. All activity on this machine is being logged.

    Hide the name of the last user to log on:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Key Name: DontDisplayLastUserName

    Data Type: REG_SZ

    Value: 1

    Restrict anonymous (null session) access

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    Key Name: RestrictAnonymous

    Data Type: REG_DWORD

    Value: 1

    With RestrictAnonymous set to 1 (available from Service Pack 3), anonymous connections can no longer enumerate account names and share names.

    Restrict remote access to the registry by creating the following key. Once it exists, remote registry connections are allowed only to accounts granted access in the key's own permissions (Regedt32 | Security | Permissions), so grant Administrators Full Control and nothing else:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg


    Enable SMB signing

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters

    Add the following two values (Rdr is the workstation redirector; the matching server-side values live under Services\LanmanServer\Parameters):

    Key Name: EnableSecuritySignature

    Data Type: REG_DWORD

    Value: 1

    Key Name: RequireSecuritySignature

    Data Type: REG_DWORD

    Value: 1

    RequireSecuritySignature = 1 makes the redirector refuse to talk to any server that does not sign. Signing needs NT 4.0 Service Pack 3 or later on the server, with EnableSecuritySignature set there as well, so require it only once every file server the workstation uses has been checked. Signing also costs CPU time on both ends.

    Hide the machine in Network Neighborhood

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

    Key Name: Hidden

    Data Type: REG_DWORD

    Value: 1

    Disable the default administrative shares (C$, D$, ADMIN$)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

    Key Name: AutoShareWks

    Data Type: REG_DWORD

    Value: 0

    AutoShareWks stops the Server service from recreating the administrative drive shares at startup; IPC$ is still created. Hidden only keeps the machine out of browse lists; it does not stop anyone who knows the machine name from connecting to it.


    Disable LanMan authentication responses

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    Key Name: LMCompatibilityLevel

    Data Type: REG_DWORD

    Value: 2

    Level 2 (available from Service Pack 3) makes the workstation send only the NTLM response, never the much weaker LanMan response, when it authenticates to a server. It does not stop the LanMan hash from being stored in the local SAM; SYSKEY (step 5) is what protects the stored hashes. Servers that understand only the LanMan response will refuse the logon.

    Erase Pagefile on Clean Shutdown

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management

    Key Name: ClearPageFileAtShutdown

    Data Type: REG_DWORD

    Value: 1

    Allocate floppies and CD-ROMs to the interactively logged-on user only

    Create the following values:

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Key Name: AllocateFloppies

    Data Type: REG_SZ

    Value: 1

    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

    Key Name: AllocateCDRoms

    Data Type: REG_SZ

    Value: 1

    With these set, the drives are accessible only to the user logged on at the console, so a program running under another account (or a network user) cannot read a diskette or CD left in the drive.

    Disable AutoRun on CDs

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom

    Key Name: Autorun

    Data Type: REG_DWORD

    Value: 0

    Enable Full Privilege Auditing

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    Key Name: FullPrivilegeAuditing

    Data Type: REG_BINARY

    Value: 01

    This adds the Backup and Restore privileges to "Use of User Rights" auditing, so it only has an effect if that category is audited in the Audit policy; expect the Security log to fill much faster while backups run.

    Restrict Event Log Access

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application

    Key Name: RestrictGuestAccess

    Data Type: REG_DWORD

    Value: 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Security

    Key Name: RestrictGuestAccess

    Data Type: REG_DWORD

    Value: 1

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System

    Key Name: RestrictGuestAccess

    Data Type: REG_DWORD

    Value: 1
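    The registry settings in this section are a baseline that service packs, hotfixes and application installs can silently reset, so they should be re-verified rather than set once. The following Python script is an added example, not part of the original checklist: it parses a REGEDIT4 text export of the kind produced by regedit /e hklm.reg HKEY_LOCAL_MACHINE on the workstation, compares it with the baseline listed above, and can also render that baseline as a .reg file for regedit /s. The function names and the embedded sample export are assumptions made for the demonstration; the key paths and values are the ones listed in this section, with AutoShareWks used for the administrative-share value and the FullPrivilegeAuditing binary written as hex 01.

```python
"""Audit a REGEDIT4 export against the registry hardening baseline above and render
that baseline as a .reg file.  Added example, not part of the original checklist."""
import re

# Key paths from the checklist ("Windows NT" carries a space in the real key).
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WINREG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg"
RDR = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Rdr\Parameters"
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
MEMMGMT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
CDROM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Cdrom"
EVENTLOG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog"

BASELINE = [  # (key, value name, type, data); a value name of None means the key itself must exist
    (WINLOGON, "LegalNoticeCaption", "REG_SZ", "Legal Notice!"), (WINLOGON, "DontDisplayLastUserName", "REG_SZ", "1"),
    (WINLOGON, "LegalNoticeText", "REG_SZ", "This system is for authorized users only! "
     "Unauthorized use is subject to prosecution. All activity on this machine is being logged."),
    (WINLOGON, "AllocateFloppies", "REG_SZ", "1"), (WINLOGON, "AllocateCDRoms", "REG_SZ", "1"),
    (LSA, "RestrictAnonymous", "REG_DWORD", 1), (LSA, "LMCompatibilityLevel", "REG_DWORD", 2),
    (LSA, "FullPrivilegeAuditing", "REG_BINARY", b"\x01"), (WINREG, None, None, None),
    (RDR, "EnableSecuritySignature", "REG_DWORD", 1), (RDR, "RequireSecuritySignature", "REG_DWORD", 1),
    (LANMAN, "Hidden", "REG_DWORD", 1), (LANMAN, "AutoShareWks", "REG_DWORD", 0),
    (MEMMGMT, "ClearPageFileAtShutdown", "REG_DWORD", 1), (CDROM, "Autorun", "REG_DWORD", 0),
] + [(EVENTLOG + "\\" + log, "RestrictGuestAccess", "REG_DWORD", 1)
     for log in ("Application", "Security", "System")]


def _unescape(s):
    """Undo REGEDIT4's backslash escaping of backslash and double quote inside strings."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_regedit4(text):
    """Return {key (lower-cased): {value name (lower-cased): (type, data)}}."""
    text = re.sub(r"\\\n\s*", "", text.replace("\r\n", "\n"))  # join hex: continuation lines
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})       # a header with no values is still a key
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)   # "name"=data
        if m is None or current is None:       # blank line, REGEDIT4 header, ; comment
            continue
        name, data = _unescape(m.group(1)), m.group(2).strip()
        if data.startswith("dword:"):
            typed = ("REG_DWORD", int(data[6:], 16))
        elif data.startswith("hex:"):
            typed = ("REG_BINARY", bytes.fromhex(data[4:].replace(",", "")))
        elif len(data) >= 2 and data[0] == data[-1] == '"':
            typed = ("REG_SZ", _unescape(data[1:-1]))
        else:
            typed = ("UNKNOWN", data)          # e.g. hex(7): typed data; none occur in the baseline
        keys[current][name.lower()] = typed
    return keys


def check_baseline(export_text, baseline=BASELINE):
    """List (key, name, expected, actual) for each baseline entry that is missing or wrong."""
    found, findings = parse_regedit4(export_text), []
    for key, name, rtype, data in baseline:
        values = found.get(key.lower())
        if name is None:                       # bare key: only its presence matters
            if values is None:
                findings.append((key, None, "key present", "key missing"))
            continue
        actual = (values or {}).get(name.lower())
        if actual != (rtype, data):
            findings.append((key, name, (rtype, data), actual))
    return findings


def regedit4_text(baseline=BASELINE):
    """Render the baseline as a REGEDIT4 file (apply with: regedit /s harden.reg)."""
    by_key = {}
    for key, name, rtype, data in baseline:
        by_key.setdefault(key, []).append((name, rtype, data))
    out = ["REGEDIT4", ""]
    for key, entries in by_key.items():
        out.append("[" + key + "]")
        for name, rtype, data in entries:
            if name is None:                   # the header alone creates the bare key
                continue
            if rtype == "REG_DWORD":
                out.append('"%s"=dword:%08x' % (name, data))
            elif rtype == "REG_BINARY":
                out.append('"%s"=hex:%s' % (name, ",".join("%02x" % b for b in data)))
            else:
                out.append('"%s"="%s"' % (name, data.replace("\\", "\\\\").replace('"', '\\"')))
        out.append("")
    return "\n".join(out)


# Constructed sample export: compliant apart from the drift a real box tends to show
# (last user name still shown, LM level never raised, admin shares on, no winreg key).
SAMPLE_EXPORT = (regedit4_text()
                 .replace('"DontDisplayLastUserName"="1"', '"DontDisplayLastUserName"="0"')
                 .replace('"LMCompatibilityLevel"=dword:00000002', '"LMCompatibilityLevel"=dword:00000000')
                 .replace('"AutoShareWks"=dword:00000000\n', "").replace("[" + WINREG + "]\n\n", ""))

if __name__ == "__main__":
    print("\n".join("%s / %s: expected %r, found %r" % f for f in check_baseline(SAMPLE_EXPORT)))
```

    Keys and value names are compared case-insensitively, as the registry itself treats them, but data is compared exactly: a REG_SZ "1" is not the same as a REG_DWORD 1, which matters for the Winlogon values above that must be strings. An empty finding list is the only passing result; keep the exported .reg file and the findings with the machine's build records.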

     

    Double Checking:

    1. Run the C2 Level Configuration tool (C2config.exe) from the Resource Kit and implement all of its recommendations except removing network services, the file system security settings (it would replace the permissions set above with its own) and Halt on Audit Failure (which halts the machine with a STOP error when the Security log fills). Make sure the OS/2 and POSIX subsystems are removed.