An Example of how COTS can be used effectively for trustworthy security architectures
Securing Windows NT
By
Dr. Wayne Summers
Mathematics and Computer Science Dept.
New Mexico Highlands University
Las Vegas, NM 87701
e-mail: summers_wayne@ColumbusState.edu
http://csc.ColumbusState.edu/summers
ABSTRACT
If configured properly, Microsoft's operating system Windows NT can satisfy
the criteria for the Class C2 security level. Systems qualifying for this
level must provide for need-to-know access as well as accountability and
basic auditing. Microsoft's Windows NT has become an important operating
system used by most universities, but often in an unsecured environment.
This paper outlines many of the features of Windows NT that need to be
activated in order to ensure a Class C2 security level.
WHAT IS REQUIRED FOR A C2 LEVEL SECURITY
In a C2 system (http://www.radium.ncsc.mil/tpep/library/rainbow/5200.28-STD.html#HDR2.2):
- Each user must be allowed a method for specifying how other users, or groups
of users, are allowed to access their data.
- Users are required to identify and authenticate themselves prior to performing
any actions, and the user's identity is then used to account for their
actions on the system.
- The data used to verify the identity of the user must be protected from
unauthorized access.
- C2 systems may allow or disallow object access at all levels down to a
single user.
- C2 systems prohibit the reuse of objects, such as memory, by not allowing
more than one process to access the object and by ensuring that the object's
data cannot be read after it is released back to the system.
- C2 systems must provide for extensive audits and be able to create, maintain,
and protect the results of these audits.
WINDOWS NT AND C2 LEVEL SECURITY
In 1996, the National Computer Security Center (NCSC) released a detailed
report (http://www.radium.ncsc.mil/tpep/epl/entries/CSC-EPL-95-003.html)
that certified Windows NT version 3.5 with Service Pack 3 as complying
with the requirements of C2 Level Security. All versions since have complied
with these requirements. Windows NT does not, however, satisfy the requirements
for C2 Level Security by default. The easiest way to test an installation of NT
for C2 compliance, and then to bring it into compliance, is to run the C2 Security
or Configuration Manager found in the Windows NT Resource Kit.
HOW TO MEET C2 LEVEL SECURITY REQUIREMENTS WITH WINDOWS NT
1) Windows NT must be the only operating system installed.
2) Only the NTFS file system supports Discretionary Access Control,
so all non-NTFS partitions must be converted.
3) C2 requires that the system create, maintain, and protect from
modification, unauthorized access, or destruction the audit trails for the
objects that the system protects. The "Do Not Overwrite Events" option must
be selected for the audit logs.
4) When the audit logs are full, the system must halt. The setting
"Halt system when security log is full" must be activated.
5) A log-on message that warns each potential user that access to the
system is restricted needs to be displayed. This is not part of C2, but it
should be activated.
6) When NT starts up, it by default displays the last user to log on
to the system. Although this is also not required for C2, it should be
disabled.
7) By default, any user can shut down the system by entering their
username and password. This is also not a part of C2, but it should be
disallowed for all but administrators.
8) Blank passwords cannot be allowed for C2 Level Security. In fact,
passwords need to be at least 8 characters (with at least upper and lower
case letters and digits). The passwords should be allowed to expire and should
be unique for the user. Account lockout should also be activated after
a small number of bad logon attempts. The PASSFILT.DLL that comes
with Service Packs 2 and 3 for Windows NT 4.0 should be used to force strong
password choices on the users.
9) The Guest account needs to be disabled for C2 security. In addition,
the Administrator account should either be disabled or its administrator
rights and privileges removed. The number of administrator accounts needs
to be kept very small and their membership checked frequently. Periodically
check your system for unwanted user accounts.
10) Windows NT's C2 certification was conducted on a stand-alone computer.
Hence, the computer needs to be disconnected from the network by uninstalling
all network hardware and software on the system. [If you must network your
computer, consider the following:
a) Be careful about establishing NT domain trusts.
b) If possible, disable NetBIOS over TCP/IP network bindings.
c) Block all non-essential TCP/IP ports (both inbound and outbound).
d) Revoke the "Access From Network" right for users that don't need
to connect to the system.
e) Monitor your networks closely.
f) Disable the Simple TCP/IP Services.]
11) Although not required by C2, only administrators should be allowed
to assign printer and drive letters.
12) While not required by C2 security, access to removable drives (floppy
disks and CD-ROMs) needs to be limited.
13) The security of the registry keys needs to be set for C2 compliance.
14) The security of the file system needs to be set for C2 compliance.
15) C2 Level Security requires that the system use a power-on password.
This must be set in the BIOS of the system.
16) For RISC based Windows NT systems, the system partition needs to
be secured.
17) The User Manager for Domains needs to be replaced by the standard
User Manager.
18) Don't run services that you don't actually need.
19) Help raise awareness of security issues by educating students and
colleagues about computer security.
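As an added example that is not part of the paper, the following Python checker audits a REGEDIT4 export (the format Windows NT's regedit writes) of the Winlogon and Lsa registry keys against the settings behind steps 4 through 7 and 12, and reports which steps still fail. The registry value names are the documented Windows NT ones; the sample export and its values are constructed for the example.

```python
# Added example (not the paper's): audit a REGEDIT4 export of the Winlogon and
# Lsa keys against the settings behind steps 4-7 and 12. Sample data is constructed.
WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# (key, value name) -> (paper step, predicate the hardened value must satisfy)
CHECKS = {
    (LSA, "CrashOnAuditFail"): (4, lambda v: v == 1),          # halt when security log fills
    (WINLOGON, "LegalNoticeText"): (5, lambda v: v != ""),     # logon warning banner present
    (WINLOGON, "DontDisplayLastUserName"): (6, lambda v: v == "1"),
    (WINLOGON, "ShutdownWithoutLogon"): (7, lambda v: v == "0"),
    (WINLOGON, "AllocateFloppies"): (12, lambda v: v == "1"),  # floppy bound to console user
    (WINLOGON, "AllocateCDRoms"): (12, lambda v: v == "1"),    # CD-ROM bound to console user
}

def parse_reg(text):
    """Parse REGEDIT4 text into {(key, name): value}; handles "..." and dword: data."""
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]                       # new [HKEY_...] section
        elif line.startswith('"') and key is not None:
            name, _, data = line.partition("=")    # "Name"=data
            if data.startswith("dword:"):
                values[(key, name.strip('"'))] = int(data[6:], 16)
            elif data.startswith('"'):
                values[(key, name.strip('"'))] = data[1:-1]
    return values

def audit(text):
    """Return failing checks as (step, value name, observed); a missing value fails too."""
    values = parse_reg(text)
    failures = [(step, name, values.get((key, name)))
                for (key, name), (step, ok) in CHECKS.items()
                if values.get((key, name)) is None or not ok(values[(key, name)])]
    return sorted(failures, key=lambda f: (f[0], f[1]))

# Constructed export from a partly hardened machine: only steps 6 and the CD-ROM half of 12 done.
SAMPLE_EXPORT = r'''REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"ShutdownWithoutLogon"="1"
"LegalNoticeText"=""
"AllocateCDRoms"="1"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"CrashOnAuditFail"=dword:00000000
'''
```

Running audit(SAMPLE_EXPORT) lists steps 4, 5, 7 and the floppy half of 12 as still open; an empty list means every checked setting matches the paper's recommendation.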
CONCLUSION
Although it is possible to create a Windows NT system that complies with
C2 Level Security, it is not as functional as many would like. By following
the above suggestions as closely as possible, Windows NT systems can be
created that are reasonably trustworthy.