IT Baseline Protection Manual - Chapter 6.4 Windows NT network

-->

6.4 Windows NT network

Description

This chapter concerns a Windows NT network functioning as a client-server system under the Windows NT operating system (version 3.51 or 4.0). The security aspects of a Windows NT server are dealt with.

The client-specific safeguards are covered in chapter 5. There are only marginal references to aspects of Windows NT applications specific to security, for example in relation to Mail, Schedule+, Direct-Data-Exchange (DDE) or Remote Access Service (RAS). In addition to the dangers and protection safeguards detailed here, the safeguards specified in Section 6.1 for a general server-supported network still apply. If the Peer-to-Peer functionality of Windows NT is used in the Windows NT network, the contents of Section 6.3 should also be taken into account.

Threat Scenario

The following typical threats are assumed for IT baseline protection of a server-supported network under the Windows NT operating system:

Organisational Shortcomings:

T 2.23 Security flaws involved in integrating DOS PCs into a server-based network
T 2.25 Reduction of transmission or execution speed caused by Peer-to-Peer functions
T 2.30 Inadequate domain planning
T 2.31 Inadequate protection of the Windows NT system

Technical Failure:

T 4.10 Complexity of access possibilities to networked IT systems
T 4.23 Automatic CD-ROM-recognition

Deliberate Acts:

T 5.23 Computer viruses
T 5.40 Monitoring rooms using computers equipped with microphones
T 5.43 Macro viruses
T 5.52 Misuse of administrator rights in Windows NT systems
T 5.79 Unauthorised acquisition of administrator rights under Windows NT

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules") as described in chapters 2.3 and 2.4, is recommended.

When processing the specific Windows NT safeguards, a safety strategy should first be drawn up using safeguard S 2.91 Determining a security strategy for the Windows NT client-server network. In addition, given that Peer-to-Peer functionality is used, safeguard S 2.67 Determining a security strategy for the Peer-to-Peer network, as this is the basis for the further safeguards.

The actual planning of the Windows NT network should then be carried out as described in safeguard S 2.93 Planning of the Windows NT network. In accordance with the specifications drawn up during this process, a server should first be installed and tested out with a small number of clients in order to be able to optimise and adapt the fixed structures, before they are deployed in detail.

For the systems networked under Windows NT the safeguards specified here must be implemented in addition to the safeguards outlined in Chapter 6.1. It seems sensible to install the file server in a separate server room. The appropriate measures are described in Chapter 4.3.2. As an alternative, server cabinets can be used (c.f. Chapter 4.4).

For any clients connected, the safeguards outlined in chapter 5 must be implemented. Given that the Peer-to-Peer functionality of Windows NT is also being used, the safeguards specified in Section 6.3 must also be implemented.

Safeguards marked with the suffix "optional" exceed, at least partially, the requirements of IT baseline protection, or they refer to special usage environments. They should be implemented if the usage conditions concerned exist and/or specific threats warded off by these safeguards can be expected.

The safeguard measures regarding a "Windows NT network" are presented in the following:

Organisation:

S 2.91 (1) Determining a security strategy for the Windows NT client-server network
S 2.92 (2) Performing security checks in the Windows NT client-server network
S 2.93 (1) Planning of a Windows NT network
S 2.94 (3) Sharing of directories under Windows NT

Hardware/Software:

S 4.40 (3) Preventing unauthorised use of computer microphones
S 4.48 (1) Password protection under Windows NT
S 4.49 (1) Safeguarding the boot-up procedure for a Windows NT system
S 4.50 (2) Structured system administration under Windows NT (optional)
S 4.51 (3) User profiles to restrict the usage possibilities of Windows NT (optional)
S 4.52 (2) Protection of devices under Windows NT
S 4.53 (2) Restrictive allocation of access rights to files and directories underWindows NT
S 4.54 (2) Logging under Windows NT
S 4.55 (2) Secure installation of Windows NT
S 4.56 (3) Secure deletion under Windows NT and Windows 95
S 4.57 (2) Deactivating automatic CD-ROM recognition
S 4.75 (1) Protection of the registry under Windows NT
S 4.76 (2) Secure system version of Windows NT
S 4.77 (1) Protection of administrator accounts under Windows NT
S 4.93 (1) Regular integrity checking

Communications:

S 5.36 (3) Encryption under Unix and Windows NT (optional)
S 5.37 (3) Restricting Peer-to-Peer functions when using WfW, Windows 95 or Windows NT in a server-supported network
S 5.40 (1) Secure integration of DOS-PCs to a Windows NT network
S 5.41 (2) Secure configuration of remote access under Windows NT
S 5.42 (2) Secure configuration of TCP/IP network administration under Windows NT
S 5.43 (2) Secure configuration of TCP/IP network services under Windows NT

Contingency Planning:

S 6.32 (1) Regular data backup
S 6.42 (2) Creating start-up disks for Windows NT
S 6.43 (3) Use of redundant Windows NT servers (optional)
S 6.44 (1) Data back-up under Windows NT

last update:
July 1999

home