• Get as much knowledge on the Windows system, and how it works, as possible. This is especially important in the NT case since the system at a first glance seems to be so simple to administrate. It is especially important to learn a lot about the Registry.
• Have a policy for managing the logs
• Review the Security Logs. (NTLast)
• Protect the NT log files
  • set proper permissions on log files
  • store log files on separate server
  • make regular backups of log files
  • use write once media
  • encrypt log files
• Make sure that the configuration is the one that you want. There are utilities that will help in this situation. There are also a lot of recommendations in books and on the Internet. Take an extra look at the links below.
• Disable the functionality that is not needed by the users. There are few users who need to install program or export shares.
• Limit the number of user accounts on local machine. On a local machine the SAM database is usually much more exposed than on a Domain Controller. Never use the same password on the local administrator account as on the domain administrator account. Delete the copy of the SAM in the repair folder.
• Have a strong password policy (Setting Account Policy)
  • Enforce the use of strong passwords
  • Disable LAN Manager authentication (How to Disable LM Authentication on Windows NT (Q147706)
  • Implement SYSKEY security enhancements (provided with Service Pack 3) Windows NT System Key Permits Strong Encryption of the SAM (Q143475)
  • Audit access to key files (Tripwire)
  • Use one-time passwords
  • Use Biometric authentication
• Limit Who Has Domain Administrator Access How to Identify the User Who Changed the Administrator Password (Q173939)
• Do not connect any NT system to an outside network without putting a well working firewall between the outside network and the NT system. There are weaknesses in the protocols used to connect different machines in the system and one should not let outsiders take advantage of that. Especially block ports 135-139. No inbound or outbound traffic should be allowed on those ports.
• Install an intrusion detection system. The earlier an attacker can be detected the faster one can block the hole in the defense, or at least detach the system from the outside network until a fix for the exploit is found.
  • Examine the files on a disk drive for unauthorized activity. (Forensic Toolkit)
  • Listen for attempts to scan ports (Attacker)
  • Scan for Cracking Tools
    • BOPing - checks for BackOrifice
    • Retina - Network Security Scanner
    • DDOSPing - checks for DDOS zombies
  • Keep an Inventory of Active Accounts
• Consider using encryption on network connection and file systems and stronger authentication mechanisms if you are very concerned about security. Programs like SSH are available for NT.
• Check baseline security settings (Level-1 Benchmark for Windows 2000
• Educate the users. Most of them will probably come from a Windows 95, 98, or Windows ME environment and will be used to almost no restrictions regarding installation of programs or access to resources. It is essential to explain to them why these restrictions are important, otherwise they might try to circumvent them.

• Trusted Systems guide to the National Security Agency (NSA)
• The US Navy's Guide to Securing NT
• Analysis of the Security of Windows NT

Please mail any comments about this page to summers_wayne@ColumbusState.edu