IT Baseline Protection Manual S 2.92 Performing security checks in the Windows NT client-server network
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
The following points should be checked regularly at the level of the servers in a Windows NT client-server network in terms of whether they are being followed and their effectiveness (see also S 4.54 Logging under Windows NT):
System security settings
The correct setting of the security-relevant registry entries, i.e. essentially the entries under the HKEY_LOCAL_MACHINE hive, must be checked regularly. This is done by reviewing the entries in the security log that refer to the registry, which presupposes that auditing of registry access has been switched on (see S 4.54).
Use of privileged user accounts
The use of privileged user accounts, i.e. of accounts with extended rights and authorisations such as administrator accounts, must be checked regularly by reviewing the entries in the security log. Likewise, the log must be checked for log-on attempts using the guest account.
Failed access attempts (authorisation violations)
If access to files and/or the registry is audited, the security log must be checked weekly, or more often where required, for failed access attempts. If authorisation violations are found, the cause must be established.
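The three log-based checks above (use of privileged accounts, log-on attempts with the guest account, repeated failed access attempts on files and registry keys) can be applied to an exported security log with a short script. The following is an added example, not code from the manual: the line format is a constructed simplification of a tab-separated Event Viewer export (the real export layout differs), the list of privileged accounts is assumed, and the event IDs follow Windows NT's security-log numbering (528 successful logon, 529 failed logon, 560 object open).

```python
"""Review an exported Windows NT security log for the S 2.92 log checks.

Added example, not code from the manual.  The line format is a constructed
simplification of a tab-separated Event Viewer export (date, time, audit
type, event ID, account, detail); NT's own export layout differs.  Event
IDs follow NT's numbering: 528 successful logon, 529 failed logon,
560 object open (file or registry key).
"""
from collections import defaultdict

# Constructed sample lines, not a real log.
SAMPLE_LOG = (
    "1998-03-02\t08:01:12\tSuccess\t528\tAdministrator\tLogon type 2 from WS07\n"
    "1998-03-02\t08:05:44\tSuccess\t560\tmeier\tObject: C:\\Data\\report.doc\n"
    "1998-03-02\t08:09:03\tFailure\t529\tGuest\tLogon attempt from WS12\n"
    "1998-03-02\t08:09:10\tFailure\t529\tGuest\tLogon attempt from WS12\n"
    "1998-03-02\t09:15:27\tFailure\t560\tschulz\tObject: HKLM\\SYSTEM\\CurrentControlSet\\Services\n"
    "1998-03-02\t09:15:31\tFailure\t560\tschulz\tObject: HKLM\\SYSTEM\\CurrentControlSet\\Services\n"
    "1998-03-02\t09:15:40\tFailure\t560\tschulz\tObject: C:\\WINNT\\system32\\config\\SAM\n"
    "1998-03-02\t11:40:02\tSuccess\t528\tbackupop\tLogon type 5 (service)\n"
)

# Assumed list of privileged accounts on this server.
PRIVILEGED_ACCOUNTS = {"Administrator", "backupop"}
REGISTRY_PREFIXES = ("HKLM\\", "HKEY_LOCAL_MACHINE\\")


def parse_log(text):
    """Turn the export into a list of event dicts; malformed lines are skipped."""
    events = []
    for line in text.splitlines():
        fields = line.split("\t", 5)
        if len(fields) != 6 or not fields[3].isdigit():
            continue
        date, time, kind, event_id, account, detail = fields
        events.append({"when": f"{date} {time}", "kind": kind, "id": int(event_id),
                       "account": account, "detail": detail})
    return events


def review_log(events, privileged=PRIVILEGED_ACCOUNTS, repeat_threshold=2):
    """Apply the three log-based checks of S 2.92 and return the findings."""
    # Check 1: every successful logon with a privileged account is listed for review.
    privileged_logons = [(e["when"], e["account"]) for e in events
                         if e["id"] == 528 and e["account"] in privileged]
    # Check 2: any logon attempt, successful or not, with the guest account.
    guest_attempts = sum(1 for e in events
                         if e["id"] in (528, 529) and e["account"].lower() == "guest")
    # Check 3: failed object access, grouped by account; registry keys counted separately.
    failures_by_account = defaultdict(list)
    registry_failures = 0
    for e in events:
        if e["id"] != 560 or e["kind"] != "Failure":
            continue
        obj = e["detail"].removeprefix("Object: ")
        failures_by_account[e["account"]].append(obj)
        if obj.startswith(REGISTRY_PREFIXES):
            registry_failures += 1
    repeat_failures = {acct: len(objs) for acct, objs in failures_by_account.items()
                       if len(objs) >= repeat_threshold}
    return {"privileged_logons": privileged_logons, "guest_attempts": guest_attempts,
            "repeat_failures": repeat_failures, "registry_failures": registry_failures}


if __name__ == "__main__":
    for key, value in review_log(parse_log(SAMPLE_LOG)).items():
        print(f"{key}: {value}")
```

Accounts that appear under repeat_failures are the ones whose cause must be established; a non-zero registry_failures count is the registry-specific signal referred to under "System security settings".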
System integrity
System integrity must be checked regularly; in particular, the last-modification dates of important system files and the access rights to them must be checked and compared with the values recorded directly after installation of the system and at each previous check. Since this check is laborious with the means Windows NT itself provides, suitable ancillary tools should be used, e.g. the shareware program DumpACL, or the WinDiff utility supplied with the Windows NT Resource Kit, with which the contents of directories and files can be compared.
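The comparison against the values recorded after installation and at the previous check amounts to keeping a baseline and diffing a fresh snapshot against it. The script below is an added example, not the manual's procedure and not the output of DumpACL or WinDiff: it records size, modification time, a SHA-256 hash and an access-control descriptor per file, saves that as the baseline, and reports every deviation. The descriptor is produced by a caller-supplied function; on Windows NT that would wrap "cacls" output (an assumption), while the default below uses POSIX mode bits so the example runs anywhere.

```python
"""Baseline and re-check important system files (S 2.92, system integrity).

Added example, not code from the manual or from DumpACL/WinDiff.  For each
file it records size, last-modification time, a SHA-256 hash and an
access-control descriptor, stores that as the baseline, and reports every
deviation found in a later snapshot.  The descriptor comes from a
caller-supplied function: on Windows NT that would wrap "cacls" output
(assumption); the default uses the POSIX mode bits so the example runs
anywhere.
"""
import hashlib
import json
import os
import stat


def posix_acl(path):
    """Stand-in access-control descriptor; replace with a cacls wrapper on NT."""
    return stat.filemode(os.stat(path).st_mode)


def snapshot(paths, acl_of=posix_acl):
    """Record size, mtime, SHA-256 and ACL descriptor for each file."""
    snap = {}
    for path in paths:
        st = os.stat(path)
        digest = hashlib.sha256()
        with open(path, "rb") as fh:
            for chunk in iter(lambda: fh.read(65536), b""):
                digest.update(chunk)
        snap[path] = {"size": st.st_size, "mtime": int(st.st_mtime),
                      "sha256": digest.hexdigest(), "acl": acl_of(path)}
    return snap


def save_baseline(snap, baseline_file):
    """Store the snapshot as the reference for the next check."""
    with open(baseline_file, "w", encoding="utf-8") as fh:
        json.dump(snap, fh, indent=2, sort_keys=True)


def load_baseline(baseline_file):
    with open(baseline_file, encoding="utf-8") as fh:
        return json.load(fh)


def compare(baseline, current):
    """Return (path, attribute, old, new) for every deviation from the baseline."""
    findings = []
    for path, old in baseline.items():
        new = current.get(path)
        if new is None:
            findings.append((path, "missing", None, None))
            continue
        for key in ("sha256", "size", "mtime", "acl"):
            if old[key] != new[key]:
                findings.append((path, key, old[key], new[key]))
    for path in current:
        if path not in baseline:
            findings.append((path, "unexpected", None, None))
    return findings


if __name__ == "__main__":
    # Assumed list of files to watch; adjust to the server's installation.
    watched = [r"C:\WINNT\system32\ntoskrnl.exe", r"C:\WINNT\system32\config\SAM"]
    existing = [p for p in watched if os.path.exists(p)]
    for finding in compare(load_baseline("baseline.json"), snapshot(existing)):
        print(finding)
```

Keep the baseline file on write-protected media or on a separate system, since an intruder who can alter the watched files can usually also alter a baseline stored beside them. After each review, the current snapshot becomes the new baseline, which gives the "each previous check" reference the manual asks for.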
Unused user accounts
It must be ensured that the accounts of former employees are deactivated immediately and deleted from the system after a suitable transitional period (approx. half a year). As the time of the last log-on to the system is not shown, all user accounts should, where possible, be given an expiry date that is renewed at fixed intervals (e.g. annually) at the request of the user. Inactive, i.e. expired, user accounts must be deleted; their owners must be informed first. The list of defined users must be checked regularly to ensure that only current employees have accounts on the system.
Group membership
A structured system administration requires an allocation of system and object rights to user groups instead of individual users wherever possible. It must be ensured that individual memberships in user groups are matched with organisational specifications following any change in the employment profile. Consequently, regular checks are required as to whether the memberships of individual employees in the various user groups have been updated to comply with the current environment. Checks are also required as to whether any changes in a user's group membership result in an accumulation of user rights. In particular, regular checks are needed as to whether the allocation of special rights to groups and individual users corresponds with currently applicable organisational specifications.
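The account checks in the two preceding points (expiry dates, expired and former-employee accounts, group memberships that no longer match the role, accumulation of special rights) can be run in one pass over the user list. The following is an added example, not the manual's procedure: the account records, the role-to-group specification and the half-year deletion delay are constructed assumptions; on a Windows NT domain the same fields would be filled from "net user" and "net group" output and the personnel list.

```python
"""Review the user list for unused accounts and group membership (S 2.92).

Added example, not from the manual.  The account records are constructed;
on a Windows NT domain the same fields would be filled from "net user" /
"net group" output and the personnel list (assumption).
"""
from datetime import date, timedelta

# Assumed organisational specification: the groups each role may hold.
ROLE_GROUPS = {
    "clerk": {"Domain Users", "Finance"},
    "admin": {"Domain Users", "Domain Admins", "Administrators"},
    "backup": {"Domain Users", "Backup Operators"},
}
# NT built-in groups that carry special rights.
PRIVILEGED_GROUPS = {"Administrators", "Domain Admins", "Backup Operators",
                     "Server Operators", "Account Operators", "Print Operators"}

# Constructed sample: name, role, expiry date, current groups, disabled flag,
# date the person left the organisation (None while still employed).
ACCOUNTS = [
    {"name": "meier", "role": "clerk", "expires": date(1999, 3, 31),
     "groups": {"Domain Users", "Finance"}, "disabled": False, "left": None},
    {"name": "schulz", "role": "clerk", "expires": date(1998, 1, 31),
     "groups": {"Domain Users", "Finance"}, "disabled": False, "left": None},
    {"name": "weber", "role": "backup", "expires": date(1999, 3, 31),
     "groups": {"Domain Users", "Backup Operators", "Administrators"},
     "disabled": False, "left": None},
    {"name": "klein", "role": "clerk", "expires": None,
     "groups": {"Domain Users"}, "disabled": False, "left": date(1998, 2, 15)},
    {"name": "braun", "role": "clerk", "expires": date(1998, 6, 30),
     "groups": {"Domain Users"}, "disabled": True, "left": date(1997, 8, 1)},
]


def review_accounts(accounts, today, role_groups=ROLE_GROUPS,
                    deletion_delay=timedelta(days=182)):
    """Return {account name: sorted list of finding codes} for the S 2.92 checks."""
    findings = {}
    for acct in accounts:
        codes = []
        # Unused accounts: missing expiry date, expired account, former employee.
        if acct["expires"] is None:
            codes.append("no-expiry")
        elif acct["expires"] < today:
            codes.append("expired")
        if acct["left"] is not None:
            if not acct["disabled"]:
                codes.append("left-not-disabled")
            if today - acct["left"] > deletion_delay:
                codes.append("delete-overdue")
        # Group membership: groups beyond the role, accumulation of special rights.
        allowed = role_groups.get(acct["role"], set())
        extra = acct["groups"] - allowed
        if extra:
            codes.append("extra-groups:" + ",".join(sorted(extra)))
        if len(acct["groups"] & PRIVILEGED_GROUPS) >= 2:
            codes.append("privilege-accumulation")
        findings[acct["name"]] = sorted(codes)
    return findings


if __name__ == "__main__":
    for name, codes in review_accounts(ACCOUNTS, date.today()).items():
        print(f"{name}: {', '.join(codes) or 'ok'}")
```

The role-to-group table is the "organisational specification" the manual refers to; keeping it in a file under change control makes the check repeatable and makes a deviation between the table and the directory an auditable event rather than an opinion.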
Authorisation control
It must be ensured that the owners of files and directories understand their obligation to grant other users access only where this is required. File Manager or Explorer must be used regularly to make sure that excessively wide-ranging authorisations have not been granted for sensitive data. Authorisations granted to the groups "Everyone", "Guests" and "Domain Guests" are particularly critical. Where temporary authorisations are used, it must be guaranteed that they are granted only when required, that they are carefully monitored and that they are withdrawn when no longer needed.
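Reviewing the authorisations on a large number of files by hand in File Manager or Explorer is error-prone; the output of the command-line tool cacls can be screened instead. The script below is an added example, not the manual's procedure: the input is a constructed approximation of cacls output (path followed by one access-control entry per line, continuation lines indented, (OI)(CI) inheritance flags), the exact spacing of the real tool is assumed, paths are assumed to contain no spaces so that the first space separates path from entry, and the list of sensitive locations is assumed.

```python
r"""Find over-broad authorisations on sensitive data (S 2.92, authorisation control).

Added example, not from the manual.  The input is a constructed
approximation of "cacls" output (path followed by one ACE per line,
continuation lines indented); the real tool's exact spacing and the
(OI)(CI) inheritance flags are assumed, as is the absence of spaces in
paths, so the first space separates the path from the ACE.
"""
import re

# Groups whose grants are particularly critical according to S 2.92.
BROAD_GROUPS = {"Everyone", "Guests", "Domain Guests"}
# Assumed list of sensitive locations on this server.
SENSITIVE_PREFIXES = (r"C:\Data\Payroll", r"C:\Data\HR")

# Constructed sample, not real cacls output.
SAMPLE_CACLS = r"""
C:\Data\Payroll.xls BUILTIN\Administrators:F
                    Everyone:R
                    NT AUTHORITY\SYSTEM:F
C:\Data\Public\readme.txt Everyone:R
C:\Data\HR HQ\Domain Guests:(OI)(CI)C
           BUILTIN\Administrators:(OI)(CI)F
C:\Data\Projects BUILTIN\Guests:N
                 HQ\Domain Users:(OI)(CI)R
"""

FLAGS = re.compile(r"\([A-Z]+\)")  # inheritance flags such as (OI)(CI)


def parse_cacls(text):
    """Yield (path, trustee, rights) triples from cacls-style output."""
    path = None
    for line in text.splitlines():
        if not line.strip():
            continue
        if line[0].isspace():
            ace = line.strip()            # continuation line: same path as before
        else:
            path, ace = line.split(" ", 1)  # new path followed by its first ACE
        trustee, perms = ace.rsplit(":", 1)
        yield path, trustee, FLAGS.sub("", perms)


def find_broad_grants(text, sensitive_prefixes=SENSITIVE_PREFIXES):
    """List every non-empty grant to Everyone/Guests/Domain Guests, flagging sensitive paths."""
    findings = []
    for path, trustee, rights in parse_cacls(text):
        group = trustee.rsplit("\\", 1)[-1]   # strip the DOMAIN\ or BUILTIN\ prefix
        if group not in BROAD_GROUPS or rights == "N":
            continue                          # N = no access, which is the safe setting
        findings.append({"path": path, "trustee": trustee, "rights": rights,
                         "writable": rights in ("F", "C", "W"),
                         "sensitive": path.startswith(sensitive_prefixes)})
    return findings


if __name__ == "__main__":
    for f in find_broad_grants(SAMPLE_CACLS):
        flag = "SENSITIVE " if f["sensitive"] else ""
        print(f"{flag}{f['path']}: {f['trustee']} has {f['rights']}")
```

A grant of Change or Full Control to one of these groups on a sensitive path is the case that must be corrected without delay; a Read grant on a public directory may be intended, but should still be confirmed with the owner.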
Procedures and methods should be developed for the eventuality that deviations from the fixed settings occur. These procedures must include the following points:
who is informed and when,
reasons for the possible choice of differing settings and a statement as to whether these might result in a security weakness,
steps to remove the security weakness,
steps to identify the cause of the security weakness.
The checks described here should only be performed at the level of clients if it is ensured that they are not used for improper monitoring of the performance of the users of these clients, and if it can be guaranteed that the logged data are handled in accordance with data protection law.
Additional controls:
Is the network administrator informed of irregularities?
Are deviations of the security settings from the permissible value corrected without delay?
Are the possible consequences of such deviations analysed?