Proxy installation
*** Warning ***
We put this information public only to help others in setting up this type of system and
to receive comments or suggestions about it, and CERTAINLY NOT to invite you to break (or
crack, if you prefer) our systems. All break-in attempts are monitored and we reserve the
right to take countermeasures against you if we think it is necessary.
If you AGREE with this warning you can proceed with reading the document.
If not, we wish you a nice day.
Any comments or suggestions are welcome. Please send your mail to: admmail@comnet.be
Last Update: 16 September 1998
Author: Victor Fernandes
Note: This procedure needs/uses the following utilities:
- From the NT resource Kit:
- regcmd.exe
- regdmp.exe
- regini.exe
- secadd.exe
- xcacls.exe
- sysdiff.exe
- filever.exe
- From the NT OS:
- My files:
- Others
- grep.exe (any good one will do)
- Prepare the hardware and System BIOS configuration:
- Install two Ethernet cards
- I prefer to install two different cards, to avoid sharing the same device driver
- Set System Setup and Boot passwords
- Disable booting from the diskette and CD-ROM drives (you may have to wait until the OS is
installed to set these settings :-) )
- Install NT server 4.0 as Stand Alone Server included on the Internal NT Domain:
- All local file systems MUST be NTFS
- No other Operating System allowed
- DNS
- IIS2.0 (only WWW service)
- Install ONLY the necessary protocols
- TCP/IP Parameters:
- Static IPs
- NO IP forwarding
- On the external interface:
- Set the Default Gateway to the ISP router
- No Primary WINS server IP
- On the internal interface:
- Use private (non-routable) IP addresses:
- 10.X.X.X, 192.168.X.X or 172.16.X.X-172.31.X.X
- No Default Gateway defined
- Set Primary WINS server IP to the internal WINS server
- From the Network properties on the Binding section:
- For the external Ethernet interface:
- Disable WINS Client (TCP/IP), this will unbind the:
- NetBIOS interface
- Server
- Workstation
- Change the Administrator login name on the local SAM
- Set the BOOT.INI timeout to 0 (zero). If you can log in, you can change it if needed.
- Clear "Automatically reboot" in System Properties -> Startup/Shutdown
- Install Anti-Virus Software
- I suggest installing a disk de-fragmentation program with scheduling facilities and
scheduling de-fragmentation each night.
- De-fragment the local hard disks.
- Set a fixed size pagefile on all local hard disks (set the size of each pagefile to twice
the memory size)
- DNS:
- Create the domain zone file + the external IP in-addr.arpa zone file
- On the SOA record change the responsible-person mail address. The default is Administrator;
change it to some (alias) internal mail user and server. Check all zone files. If you create
new zones later you must change it again, because the current administrator's name will be
used!
- Set the forwarder to the ISP DNS server
- Set the MX record for Domain Mail
- Note: Pay attention to the IPs you will use. The Proxy service will elect the highest IP
number as the default address for the system. If you add a new IP that is higher than the
one in use, the last one added will be the default after reboot!!!
- Install MSIE 3.02 (SP3 CD) in case we need to do some tests.
- IIS2:
- Set the root IIS directory on a different disk partition than the one used by the
operating system
- Change the local User Name and password of the user used by IIS
- Remove this user from the local Guests group
- Set proper file permissions on the necessary files and directories for this new user (these
are set in the batch file PermsProxy.bat; the proper variables must be set there):
- Note: Set Add To and Read Only on the files in the %WINDIR% directory. If set to
Read Only alone, ASP stops with an error in the Event Log, the proxy service is blocked and
the system must be rebooted
- Password Authentication set only to Allow Anonymous
- No directory browsing allowed
- Set logging to weekly and NCSA format + log directory on a different disk partition than
the one used by the operating system
- Apply SP3 (installs IIS3.0)
- Install NT Proxy Server services 2.0:
- Enable packet filtering
- Set filtering exceptions:
Meaning of the filters:
- Accept TCP traffic in both directions to the local DNS port on any external proxy IP
address (IP 0.0.0.0 on the filter configuration) from any remote port and IP address. Used
for DNS traffic, like zone transfers.
- Accept TCP traffic in both directions to non-privileged local ports (Dynamic port on the
filter configuration) on any external proxy IP address (IP 0.0.0.0 on the filter
configuration) from any remote port and IP address. Used by the WinSock service so that
internal Windows Sockets applications can connect externally, e.g. telnet clients.
- Accept inbound TCP traffic to the HTTP Server local port on any external proxy IP
address from any remote port and IP address. This is the predefined filter HTTP Server
(port 80) on the filter configuration. Used for HTTP traffic to internal web servers.
- Accept inbound TCP traffic to the SMTP Service local port on any external proxy IP
address from any remote port and IP address. Used to receive SMTP mail for internal
domains.
- Accept UDP traffic in both directions to any local port on any external proxy IP address
(IP 0.0.0.0 on the filter configuration) from the DNS remote port and any remote IP address.
This is the predefined filter DNS Lookup on the filter configuration. Used for internal
clients' DNS lookups.
- Accept UDP traffic in both directions to the local DNS port on any external proxy IP
address (IP 0.0.0.0 on the filter configuration) from any remote port and IP address. Used
for DNS traffic, like external DNS lookups.
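To see what the six exceptions above actually let through, here is an added example (not part of the original procedure, nor Microsoft's code) that encodes them as data and answers "which exception, if any, admits this connection?". Direction is that of the connection (who opens it) as seen from the external interface; the proxy's own stateful handling is not modelled. The rule names, the 1023 boundary assumed for "Dynamic port", and the port numbers 53/80/25 are assumptions of this model, not settings read from the Proxy Server console.

```python
"""Model of the six Proxy Server 2.0 packet-filter exceptions listed above.

Added example: it encodes the rules as data and reports which exception
admits a given connection, so the effect of the filter set can be reviewed
before it is typed into the console.  Assumptions: "Dynamic port" means a
local port above 1023; DNS/HTTP/SMTP are ports 53/80/25.
"""
from dataclasses import dataclass
from typing import Optional, Union

ANY = "any"          # the 0.0.0.0 / "any port" setting in the filter dialog
DYNAMIC = "dynamic"  # "Dynamic port" in the filter dialog: assumed to be > 1023

PortSpec = Union[int, str]


@dataclass(frozen=True)
class Rule:
    name: str
    proto: str            # "TCP" or "UDP"
    direction: str        # "both" or "inbound"
    local_port: PortSpec  # port on the proxy's external interface
    remote_port: PortSpec


# One entry per bullet under "Meaning of the filters", in the order given there.
RULES = [
    Rule("DNS zone transfer",     "TCP", "both",    53,      ANY),
    Rule("WinSock dynamic ports", "TCP", "both",    DYNAMIC, ANY),
    Rule("HTTP Server (port 80)", "TCP", "inbound", 80,      ANY),
    Rule("SMTP Service",          "TCP", "inbound", 25,      ANY),
    Rule("DNS Lookup",            "UDP", "both",    ANY,     53),
    Rule("External DNS queries",  "UDP", "both",    53,      ANY),
]


@dataclass(frozen=True)
class Flow:
    proto: str
    direction: str  # "inbound" (opened by the remote side) or "outbound"
    local_port: int
    remote_port: int


def _port_ok(spec: PortSpec, port: int) -> bool:
    if spec == ANY:
        return True
    if spec == DYNAMIC:
        return port > 1023
    return spec == port


def admitting_rule(flow: Flow) -> Optional[str]:
    """Name of the first exception that admits the flow, or None (default: dropped)."""
    for r in RULES:
        if r.proto != flow.proto:
            continue
        if r.direction == "inbound" and flow.direction != "inbound":
            continue
        if _port_ok(r.local_port, flow.local_port) and _port_ok(r.remote_port, flow.remote_port):
            return r.name
    return None


def inbound_tcp_exposure(ports):
    """For each candidate local port, which rule (if any) lets an outside host connect to it."""
    return {p: admitting_rule(Flow("TCP", "inbound", p, 40000)) for p in ports}


if __name__ == "__main__":
    checks = [
        Flow("TCP", "inbound", 80, 40000),   # outside browser -> published web server
        Flow("TCP", "outbound", 3001, 23),   # internal telnet client via the WinSock proxy
        Flow("UDP", "outbound", 1500, 53),   # forwarder lookup to the ISP DNS
        Flow("TCP", "inbound", 139, 3000),   # NetBIOS session from outside: no rule, dropped
        Flow("TCP", "inbound", 1433, 3000),  # any high port from outside: admitted by the WinSock rule
    ]
    for f in checks:
        print(f, "->", admitting_rule(f))
    print(inbound_tcp_exposure([25, 53, 80, 135, 139, 1024, 8080]))
```

The last check is the caveat worth keeping in mind with this filter set: the WinSock exception admits unsolicited inbound TCP connections to every local port above 1023 on the external interface, so anything that happens to listen on a high port there (RPC dynamic endpoints, for instance) is reachable from outside. The rest of the procedure (unbinding NetBIOS from the external interface, installing only the necessary services) is what keeps that exposure small; re-run the exposure check whenever a new service is added to the box.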
- Enable Web Publishing on the local server
- Enable Access Controls if needed
- Configure Caching (if wanted) to be on a different disk partition than the one used by the
operating system
- Configure alerting, add SMTP mail alerting (set parameters)
- Add a mail address for internal administrative and alert mail (e.g.:
NotifyAdmin@server.domain)
- Configure logging for Security, Proxy, WinSock and Socks, and set the directory for logging
on a different disk partition than the one used by the operating system. Are there some
utilities to analyse these logs? Or will I have to build my own!
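On the question of log analysis utilities, here is an added example (not part of the original procedure and not an IIS or Proxy Server tool) of a small analyser for the NCSA common-log-format files IIS writes when logging is set to NCSA format, as chosen in the IIS2 section. The sample lines are constructed for the example; the error threshold and the two "suspicious" heuristics (a path containing "..", a method other than GET/HEAD) are choices of this example, not settings of any product.

```python
"""Analyser for NCSA common-log-format web logs (added example).

Parses one line per request in the form
    host ident authuser [date] "request" status bytes
and summarises requests per client, error counts per client, clients with
an unusual number of errors, and requests worth a second look.  The sample
log below is constructed; thresholds and heuristics are this example's own.
"""
import re
from collections import Counter

LOG_RE = re.compile(
    r'^(?P<host>\S+) (?P<ident>\S+) (?P<user>\S+) \[(?P<when>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)$'
)

# Constructed sample: two normal hits, one client probing for things that
# are not there, and one line that is not in NCSA format at all.
SAMPLE_LOG = """\
192.0.2.10 - - [16/Sep/1998:10:01:02 +0200] "GET /index.htm HTTP/1.0" 200 1043
192.0.2.10 - - [16/Sep/1998:10:01:03 +0200] "GET /images/logo.gif HTTP/1.0" 200 2211
198.51.100.7 - - [16/Sep/1998:10:05:11 +0200] "GET /admin/ HTTP/1.0" 404 -
198.51.100.7 - - [16/Sep/1998:10:05:12 +0200] "GET /cgi-bin/ HTTP/1.0" 404 -
198.51.100.7 - - [16/Sep/1998:10:05:13 +0200] "GET /../../winnt/win.ini HTTP/1.0" 403 -
198.51.100.7 - - [16/Sep/1998:10:05:14 +0200] "POST /scripts/upload.asp HTTP/1.0" 404 -
this line is not in NCSA format
"""


def parse_line(line):
    """Return a dict for one NCSA line, or None if the line does not parse."""
    m = LOG_RE.match(line.rstrip("\r\n"))
    if not m:
        return None
    rec = m.groupdict()
    parts = rec["request"].split()
    rec["method"] = parts[0] if parts else ""
    rec["path"] = parts[1] if len(parts) > 1 else ""
    rec["status"] = int(rec["status"])
    rec["size"] = 0 if rec["size"] == "-" else int(rec["size"])  # "-" means no body sent
    return rec


def analyse(lines, error_threshold=3):
    """Summarise an iterable of log lines; error_threshold is this example's choice."""
    per_host = Counter()
    errors_per_host = Counter()
    suspicious = []
    unparsed = 0
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            unparsed += 1          # count, never silently drop, lines we cannot read
            continue
        per_host[rec["host"]] += 1
        if rec["status"] >= 400:
            errors_per_host[rec["host"]] += 1
        if ".." in rec["path"]:
            suspicious.append((rec["host"], rec["path"], "path traversal"))
        if rec["method"] not in ("GET", "HEAD"):
            suspicious.append((rec["host"], rec["path"], "non-GET method " + rec["method"]))
    bursts = sorted(h for h, n in errors_per_host.items() if n >= error_threshold)
    return {
        "per_host": dict(per_host),
        "errors_per_host": dict(errors_per_host),
        "error_bursts": bursts,
        "suspicious": suspicious,
        "unparsed": unparsed,
    }


if __name__ == "__main__":
    report = analyse(SAMPLE_LOG.splitlines())
    for key, value in report.items():
        print(key, "=", value)
```

Run it weekly against the rotated log from the Schedule service (the same job that does the backups) and mail the report to the administrative address defined above; the "unparsed" count is the thing to watch first, since a non-zero value means the log format changed or the file was truncated, and either deserves a look before the counts are trusted.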
- If access control on internal clients is needed, enable it
- Copy the contents of the mspclnt share, created by Proxy setup, to an internal server.
Define the equivalent share on that server and set pertinent permissions on it. Remove the
share from the external server (proxy)
- Backup the Proxy Server Configuration
- Define new external IPs and WWW virtual servers as needed (see the note above under DNS)
- Install an internal DNS server, for internal use
- Internal DNS server forwards to external DNS server
- To access the system, internal Clients must:
- Configure client applications to use the proxy server internal IP
- Use WinSock configuration program from the mspclnt share defined on the internal server
if needed
- Use proxy server internal IP as default gateway
- Use the internal DNS server
- Create the users needed for web site content administration - only the ones really
needed (NO regular users allowed on the system). These users can be created in the
internal NT domain SAM and included in the server's Web Administrators local group, see
the point below
- On the local SAM (from User Manager point to the local machine) remove ALL memberships in
the existing groups. Include only the local administrator in the local Administrators
group.
- NB: I suggest removing the Domain Administrators group from the local Administrators
group.
- Check that the Guest account is disabled
- Create a Web Administrators local group in the server's local SAM, include in it the allowed
user(s), remove these users from the local Users group (local SAM) if they were created in the
local SAM, and set proper file permissions on the necessary files and directories for this new
group (these are set in the batch file PermsProxy.bat; the proper variables must be set
there):
- We will activate the Schedule service. We need it for:
- Automated backups
- Log analysis
- Mail alerts
- Etc.
- If RAS services are to be used, some suggestions from Ref.[2]:
- 2.9 RAS security
- There are a number of things to do to get better security on remote connections:
- Put the RAS servers on one or more dedicated interfaces of the firewall
- Be sure to turn on auditing for the RAS function
- Enable authentication
- Enable session encryption
- Enable dialback
- Specify the hours during which remote users are allowed
- To turn on auditing for RAS, use the regedit utility to set the key
- Run rdisk to update the configuration information on disk and on diskette (the first time
just in case).
- Set proper settings for the event logs. From Event Viewer set System, Security and
Application as:
Note: We can accept overwriting the logs because we will analyse and save them before
the defined period. This setting is just in case we are not able to clear old stuff in
time!
- Modify User Rights in the server's local account policy
- We will use User Manager for this. We could do it with the ntrights utility from the RK,
but I prefer to check all settings manually :-) !
User Right                               | Only For
-----------------------------------------+----------------------------------------------
Log on locally                           | Local Administrators Group,
                                         | Local Web Administrators Group,
                                         | Local defined IIS User
Shut down the system                     | Local Administrators Group
Access this computer from the network    | No one
Change system Time                       | Local Administrators Group
Manage Auditing and Security Logs        | Local Administrators Group
Take ownership of files or other objects | Local Administrators Group
Force shutdown from a remote system      | No one
- Set Auditing on all these file types on all disks as shown below:
- .EXE - executable files
- .COM - executable files
- .CMD - command files
- .BAT - batch files
- .DLL - dynamic linked libraries files
- .SYS - system files (note: exclude ALL pagefile.sys files)
- .DRV - system drivers
- .INI - configuration files
- .SCR - screen savers
- .CPL - control panel applets
- .MOD - module files
- .OCX - OLE controls
From Explorer perform a Find on the specified file types, then go to Properties and Auditing:
- Set Auditing on all or some registry keys.
- I must test this before. I didn't have the time yet :-) (see ref. 14, page 158)
- Activate the Alert Service on the system to send alerts to some available persons or
systems. A good choice is to send the alerts to the internal systems that are always up
(like domain controllers).
- Set proper ACLs: File System and Registry Permissions/Options
- Run the batch file PermsProxy.bat. The batch calls RegIni to
set registry options and permissions. NB: Read the batch file and the regini script
(RegProxy.txt) before executing them. Some variables MUST be updated for the system
configuration.
- Reboot and test/verify the system; if everything is OK, run rdisk to update the configuration
information on disk and on diskette
- Execute SysDiff (NT RK) on the system to collect a complete snapshot of the current
state (check the sysdiff help file for details and edit the sysdiff.inf file for your
installation).
- If you suspect something, re-execute SysDiff to get the differences and correct them if
necessary. Don't forget to update the snapshot if new software is installed, e.g.:
- Sysdiff /snap oriconf.snp
- Sysdiff /diff oriconf.snp curconf.snp
- Sysdiff /dump curconf.snp modif.txt
- De-fragment the local hard disks again.
Note: If any new software is installed, reapply the security settings (re-execute the
batch file PermsProxy.bat, etc.)
References for Security Settings and Information:
- Securing Windows NT 4.0 Installation - Microsoft paper
- NT Security - Frequently Asked Questions, version 0.41 - http://www.it.kth.se/~rom/ntsec.html
- Building a Secure Marble OFX Gateway (Windows NT 4.0) - Microsoft paper
- Microsoft Knowledge Base (TechNet)
- Minimizing Network Intrusion - Some Basics - http://www.ntsecurity.net/security/tips.htm
- Steps for Evaluating the Security of a Windows NT® Installation - http://www.ntresearch.com/ntchecks.htm
- Windows NT Security FAQ - http://www.iss.net/vd/ntfaq.html
- Internet Scanner™ for Windows NT Reported Vulnerabilities - http://www.iss.net/vd/nt_vulnerabilities.html
- Security FAQ's - http://www.iss.net/vd/faqoffaqs.html
- Understanding ProxyServer 2.0 and FireWall Strategies, by NeonSurge - http://207.98.195.250/textware/
- Microsoft Proxy Server Documentation
- Firewalls and Internet Security - William R. Cheswick and Steven M. Bellovin - ISBN 0-201-63357-4
- Windows NT Security - Charles B. Rutstein - ISBN 0-07-057833-8
- And lots of Security Mailing Lists and Web Sites
My thanks for the comments given. To:
Copyright 1998 ComNet