Proxy Installation



*** Warning ***

We make this information public only to help others set up this type of system and to receive comments or suggestions about it, and CERTAINLY NOT to invite you to break (or crack, if you prefer) our systems. All break-in attempts are monitored and we reserve the right to take countermeasures against you if we think it is necessary.

If you AGREE with this warning you can proceed reading the document.
If not, we wish you a nice day.

Any comments or suggestions are welcome. Please send your mail to: admmail@comnet.be


Last Update: 16 September 1998
Author: Victor Fernandes

Note: This procedure needs/uses the following utilities:

  • From the NT resource Kit:
    • regcmd.exe
    • regdmp.exe
    • regini.exe
    • secadd.exe
    • xcacls.exe
    • sysdiff.exe
    • filever.exe
  • From the NT OS:
    • rdisk.exe
  • My files:
  • Others
    • grep.exe (any good one will do)

  • Prepare the hardware and System BIOS configuration:
    • Install two Ethernet cards
      • I prefer to install two different cards, to avoid sharing the same device driver
    • Set System Setup and Boot passwords
    • Disable booting from the diskette and CD-ROM drives (you may have to wait until the OS is installed to set these settings :-) )
  • Install NT server 4.0 as Stand Alone Server included on the Internal NT Domain:
    • All local file systems MUST be NTFS
    • No other Operating System allowed
    • DNS
    • IIS2.0 (only WWW service)
    • Install ONLY the necessary protocols
      • TCP/IP Protocol
    • TCP/IP Parameters:
      • Static IP's
      • NO IP forwarding
      • On the external interface
        • Set the Default Gateway to the ISP router
        • No Primary WINS server IP
      • On the internal interface
        • Use non-routable Internet IP's:
          • 10.X.X.X, 192.168.X.X or 172.16.X.X-172.31.X.X
        • No Default Gateway defined
        • Set Primary WINS server IP to internal WINS server
    • From the Network properties on the Binding section:
      • For the external Ethernet interface:
        • Disable WINS Client (TCP/IP), this will unbind the:
          • NetBIOS interface
          • Server
          • Workstation
    • Change Administrator login name on the local SAM
    • Set BOOT.INI timeout to 0 (zero). If you can log in, you can change it if needed.
    • Clear Automatically Reboot on the Systems Properties->StartUp/ShutDown
  • Install Anti Virus Software
  • I suggest installing a disk de-fragmentation program with scheduling facilities and scheduling de-fragmentation each night.
    • De-fragment the local hard disks.
  • Set a fixed-size pagefile on all local hard disks (set the size of each pagefile to twice the memory size)
  • DNS:
    • Create domain zone file + external IP in-arpa zone file
    • On the SOA record, change the user name used as mail destination. The default is Administrator; change it to some (alias) internal mail user and server. Check all zone files. If you create new zones later you must change it again, because the current administrator's name will be used!
    • Set forwarder to the ISP DNS server
    • Set MX record for Domain Mail
      • Note: Pay attention to the IP you will use. The Proxy service will elect the highest IP number as the default address for the system. If you add a new IP that is higher than the one in use, the last one added will be the default after reboot!!!
  • Install MSIE 3.02 (SP3 CD) in case we need to do some tests.
  • IIS2:
    • Set the root IIS directory on a different disk partition than the one used by the operating system
    • Change local User Name and password of the user used by IIS
      • Remove this user from the local Guests group
      • Set proper file permissions on necessary files and directories for this new user (these are set in the batch file PermsProxy.bat; the proper variables must be set there):
        • Note: Set Add To and Read Only on files on the %WINDIR% directory. If set to read-only the ASP stops with error on Event Log, the proxy service is blocked and the system must be rebooted
    • Password Authentication set only to Allow Anonymous
    • No directory browsing allowed
    • Set logging to weekly and NCSA format, with the log directory on a different disk partition than the one used by the operating system
  • Install ASP (SP3 CD)
  • Apply SP3 (Installs IIS3.0)
  • Apply Hot Fixes (see/execute batch file - PutFixs.bat)
  • Install NT Proxy Server services 2.0:
    • Enable packet filtering
      • Set filtering exceptions:

      Filters meaning:

      1. Accept TCP traffic in both directions to the local DNS port on any external proxy IP address (IP 0.0.0.0 on the filter configuration) from any remote port and IP address. Used for DNS traffic, like zone transfers.
      2. Accept TCP traffic in both directions to non-privileged local ports (Dynamic port on the filter configuration) on any external proxy IP address (IP 0.0.0.0 on the filter configuration) from any remote port and IP address. Used for the WinSock service to let internal Windows sockets applications connect externally, e.g.: telnet clients.
      3. Accept inbound TCP traffic to the HTTP Server local port on any external proxy IP address from any remote port and IP address. This is the predefined filter HTTP Server (port 80) on the filter configuration. Used for HTTP traffic to internal web servers.
      4. Accept inbound TCP traffic to the SMTP Service local port on any external proxy IP address from any remote port and IP address. Used to receive SMTP mail to internal domains.
      5. Accept UDP traffic in both directions to any local port on any external proxy IP address (IP 0.0.0.0 on the filter configuration) from a DNS remote port and any remote IP address. This is the predefined filter DNS Lookup on the filter configuration. Used for internal clients' DNS lookups.
      6. Accept UDP traffic in both directions to the local DNS port on any external proxy IP address (IP 0.0.0.0 on the filter configuration) from any remote port and IP address. Used for DNS traffic, like external DNS lookups.
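
The six exceptions above, written as a default-deny rule table and checked against a few packets. This is an added example, not part of the original procedure or of Proxy Server itself; the names (`Rule`, `Packet`, `match`, `audit`), the 1025-5000 range used for "Dynamic port" and the sample packets are assumptions made for illustration.

```python
from collections import namedtuple

DNS, SMTP, HTTP = 53, 25, 80
ANY = None
# Assumption: "Dynamic port" is modelled as 1025-5000; the page only says "non-privileged".
DYNAMIC = range(1025, 5001)
Rule = namedtuple("Rule", "num proto direction local_port remote_port")
Packet = namedtuple("Packet", "proto direction local_port remote_port")

RULES = [
    Rule(1, "tcp", "both", DNS, ANY),      # DNS over TCP, e.g. zone transfers
    Rule(2, "tcp", "both", DYNAMIC, ANY),  # WinSock clients connecting out
    Rule(3, "tcp", "in", HTTP, ANY),       # published web servers
    Rule(4, "tcp", "in", SMTP, ANY),       # inbound mail
    Rule(5, "udp", "both", ANY, DNS),      # DNS lookups for internal clients
    Rule(6, "udp", "both", DNS, ANY),      # external lookups against the local DNS
]

def port_matches(spec, port):  # spec: ANY, a range of ports, or one fixed port
    return spec is ANY or (port in spec if isinstance(spec, range) else port == spec)

def match(packet, rules=RULES):
    """Return the number of the first exception admitting the packet, else None (dropped)."""
    for r in rules:
        if (r.proto == packet.proto
                and r.direction in ("both", packet.direction)
                and port_matches(r.local_port, packet.local_port)
                and port_matches(r.remote_port, packet.remote_port)):
            return r.num
    return None

# Constructed sample packets as seen on the external interface.
SAMPLES = {
    "zone transfer to local DNS":  Packet("tcp", "in", 53, 40000),
    "WinSock telnet client":       Packet("tcp", "out", 1500, 23),
    "inbound web request":         Packet("tcp", "in", 80, 40001),
    "inbound mail":                Packet("tcp", "in", 25, 40002),
    "proxy DNS lookup":            Packet("udp", "out", 1030, 53),
    "external query to local DNS": Packet("udp", "in", 53, 40003),
    "inbound NetBIOS session":     Packet("tcp", "in", 139, 40004),   # no exception
    "inbound TCP to high port":    Packet("tcp", "in", 3000, 40005),  # rule 2 as worded
}

def audit(samples=SAMPLES):  # sample name -> exception number, None = dropped
    return {name: match(pkt) for name, pkt in samples.items()}

if __name__ == "__main__":
    for name, rule in audit().items():
        print(f"{name:30} -> {'rule %d' % rule if rule else 'DROPPED'}")
```

In this model the last sample is admitted by exception 2 because that exception is written for both directions, so it is worth checking which services listen on the external address in that port range.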
  • Enable Web Publishing on local server
  • Enable Access Controls if needed
  • Configure Caching (if wanted) to be on a different disk partition than the one used by the operating system
  • Configure alerting, add SMTP mail alerting (set parameters)
    • Add a mail address for internal administrative and alert mail (e.g: NotifyAdmin@server.domain)
  • Configure logging for Security, Proxy, WinSock and Socks; set the directory for logging on a different disk partition than the one used by the operating system. Are there any utilities to analyse these logs, or will I have to build my own?
  • If control access on internal clients is needed, enable control
  • Copy the contents of the mspclnt share, created by Proxy setup, to an internal server. Define the equivalent share on the server and set pertinent permissions on it. Remove the share from the external server (proxy)
  • Backup Proxy Server Configuration
  • Define new external IP's and WWW virtual servers as needed (see above note on DNS point)
  • Install an internal DNS server, for internal use
    • Internal DNS server forwards to external DNS server
  • To access the system, internal Clients must:
    • Configure client applications to use the proxy server internal IP
    • Use WinSock configuration program from the mspclnt share defined on the internal server if needed
    • Use proxy server internal IP as default gateway
    • Use the internal DNS server
  • Create needed users for the web site contents administration - only the ones really needed (NO regular users allowed on the system). These users can be created on the internal NT domain SAM and included on the server Web Administrators Local group, see point below
  • On the local SAM (from User Manager point to the local machine) remove ALL membership on the existing groups. Include only the local administrator on the Local Administrators Group.
    • NB: I suggest removing the Domain Administrators group from the Local Administrators Group.
  • Check that the Guest account is disabled
  • Create a Web Administrators Local group on the server local SAM, include on it allowed user(s), remove these users from the Local Users group (local SAM) if created on the local SAM and set proper file permissions on necessary files and directories for this new group (these are set in the batch file PermsProxy.bat; the proper variables must be set there):
  • We will activate the Schedule service. We need it for:
    • Automated backups
    • Log analyses
    • Mail alerts
    • Etc…
  • If RAS services are to be used, some suggestions from Ref.[2]
    • 2.9 RAS security
      • There are a number of things to do to get better security on remote connections
      • Putting the RAS servers on one or more own interfaces in the firewall
      • Be sure to turn on auditing for the RAS function
      • Enable authentication
      • Enable session encryption
      • Enable dialback
      • Specify which hours remote users are allowed
      • To turn on auditing for RAS, use the regedit utility to set the key
  • Run rdisk to update configuration information on disk and on diskette (first time just in case).
  • Set proper settings for the event logs. From Event Viewer set System, Security and Applications as:

Note: We can accept overwriting the logs because we will analyse and save them before the defined period. This setting is just in case we are not able to clear old stuff in time!

  • From User Manager:
    • Set Auditing options

  • Set Account Policy

  • Modify User Rights on the server local account policy
    • We will use User Manager for this. We could do it with the ntrights utility from the RK, but I prefer to check all settings manually :-) !

| User Right | Only For |
| --- | --- |
| Log on locally | Local Administrators Group; Local Web Administrators Group; Local defined IIS User |
| Shut down the system | Local Administrators Group |
| Access this computer from the network | No one |
| Change system Time | Local Administrators Group |
| Manage Auditing and Security Logs | Local Administrators Group |
| Take ownership of files or other objects | Local Administrators Group |
| Force shutdown from a remote system | No one |

  • Set Auditing on all these file types on all disks as shown below:
    • .EXE - executable files
    • .COM - executable files
    • .CMD - command files
    • .BAT - batch files
    • .DLL - dynamic linked libraries files
    • .SYS - system files (note: exclude ALL pagefile.sys files)
    • .DRV - system drivers
    • .INI - configuration files
    • .SCR - screen savers
    • .CPL - control panel applets
    • .MOD - module files
    • .OCX - OLE controls

From Explorer, perform a find on the specified file types, then go to Properties and Auditing:

  • Set Auditing on all or some registry keys.
    • I must test this first. I haven't had the time yet :-) (see ref. 14, page 158)
  • Activate the Alert Service on the system to send alerts to some available persons or systems. A good choice is to send the alerts to the internal systems that are always up (like domain controllers).
  • Set proper ACL's File System and Registry Permissions/Options
    • Run batch file: PermsProxy.bat. The batch calls RegIni to set registry options and permissions. NB: Read the batch file and regini script (RegProxy.txt) before executing them. Some variables MUST be updated for the system configuration.
  • Reboot and test/verify the system. If everything is OK, run rdisk to update configuration information on disk and on diskette
  • Execute SysDiff (NT RK) on the system to collect the complete snapshot of the current state (check sysdiff help file for details and edit the sysdiff.inf file for your installation).
    • If you suspect something re-execute SysDiff to get the differences and correct them if necessary. Don't forget to update the snapshot if new software is installed, e.g.:
      • Sysdiff /snap oriconf.snp
      • Sysdiff /diff oriconf.snp curconf.snp
      • Sysdiff /dump curconf.snp modif.txt
  • De-fragment the local hard disks again.
  • Full Backup the system

Note: If any new software is installed reapply the security settings (re-execute the batch file: PermsProxy.bat, etc, etc…)


References for Security Settings and Information: 

  1. Securing Windows NT 4.0 Installation - Microsoft paper
  2. NT Security - Frequently Asked Questions version 0.41 http://www.it.kth.se/~rom/ntsec.html
  3. Building a Secure Marble OFX Gateway (Windows NT 4.0) - Microsoft paper
  4. Microsoft Knowledge Base (TechNet)
  5. Minimizing Network Intrusion - Some Basics http://www.ntsecurity.net/security/tips.htm
  6. Steps for Evaluating the Security of a Windows NT® Installation http://www.ntresearch.com/ntchecks.htm
  7. Windows NT Security FAQ http://www.iss.net/vd/ntfaq.html
  8. Internet Scanner™ for Windows NT Reported Vulnerabilities http://www.iss.net/vd/nt_vulnerabilities.html
  9. Security FAQ's http://www.iss.net/vd/faqoffaqs.html
  10. Understanding ProxyServer 2.0 and FireWall Strategies by NeonSurge http://207.98.195.250/textware/
  11. Microsoft Proxy Server Documentation
  12. Firewalls and Internet Security - William R. Cheswick and Steven M. Bellovin ISBN: 0-201-63357-4
  13. And Lots of Security Mailing Lists and Web Sites
  14. Windows NT Security - Charles B. Rutstein - ISBN: 0-07-057833-8

My thanks for the comments given. To:  


Copyright 1998 ComNet