IT Baseline Protection Manual S 4.55 Secure installation of Windows NT

S 4.55 Secure installation of Windows NT

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

Before installation of Windows NT, a number of observations should be made which are briefly outlined below.

Secure system version

Even during the process of acquisition, a decision must be made as to whether the English or German version of Windows NT is to be run. Furthermore, to be on the safe side, Windows NT must be operated from at least version 3.51 onwards, together with the current version of Service Pack 4 (also refer to S 4.77 Reliable system versions of Windows NT). If an older Windows NT installation exists, it should, if possible, be updated to version 4 or at least to version 3.51.

Partitions and file systems

Alongside its own file system NTFS, Windows NT also supports the DOS file system FAT and the OS/2 file system HPFS. A large part of the security-relevant settings are, however, only effective under NTFS. When installing Windows NT, you should ensure that no HPFS or DOS partitions are created, as no access protection applies to them, with the result that such partitions can be misused to undermine the protection of Windows NT. Instead, all partitions must be formatted using the NTFS file system or, if existing data is to be kept, they must be converted to this file system.

However, support of the FAT file system for floppy disks is necessary as, due to its size, the NTFS file system cannot be accommodated on diskettes. For this reason, access to disk drives should be limited (see S 4.52 Equipment protection under Windows NT).

Configuration of the log-on procedure

At log-on, Windows NT usually displays the name of the last user who logged in on the computer concerned. This display should be prevented by creating or changing the value "DontDisplayLastUserName" in the key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" under the root key HKEY_LOCAL_MACHINE of the registry, setting it to the REG_SZ value "1".

In order to warn unauthorised users against illegal access to the system, a window containing an appropriate text should be displayed before the actual log-on procedure. This is achieved by entering suitable wording into the two values "LegalNoticeCaption" and "LegalNoticeText" in the key "SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" under the root key HKEY_LOCAL_MACHINE of the registry.

The relevant changes can be made with the help of the Registry Editor (the program REGEDT32.EXE in the Windows system directory %SystemRoot%\SYSTEM32). When doing this, particular caution should be exercised, as incorrect settings in the registry can leave the system unable to start. From version 4.0 of Windows NT onwards, these values can be specified centrally for the individual workstations with the aid of the System Policy Editor.

Loading of sub-systems

The optional sub-systems POSIX and OS/2 should, in fact, only remain installed if they are also needed for executing applications. If this is not the case, their installation should not take place or, if it has already occurred, the systems should be deleted again. To do this the sub-directories POSIX and OS2 of the Windows system directory %SystemRoot%\SYSTEM32 should be deleted along with any of their sub-directories. Furthermore, the following programs and loadable libraries in the Windows directory %SystemRoot%\SYSTEM32 should be deleted:

Furthermore, the following values in the key \SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems under HKEY_LOCAL_MACHINE of the registry have to be deleted:

- OS/2: "Os2" with the value %SystemRoot%\system32\os2ss.exe
- POSIX: "Posix" with the value %SystemRoot%\system32\psxss.exe
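The log-on and sub-system settings above can be verified against a REGEDIT4-style export of the registry (as written by the Registry Editor). The following audit script is an added example, not part of the manual; the export text it parses is constructed for illustration, and it only handles REG_SZ string values.

```python
import re

# Constructed sample export of a not-yet-hardened system (not a real capture).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
"LegalNoticeCaption"=""
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems]
"Os2"="%SystemRoot%\\system32\\os2ss.exe"
"Posix"="%SystemRoot%\\system32\\psxss.exe"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SUBSYSTEMS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems"


def parse_reg_export(text):
    """Parse the REG_SZ values of a REGEDIT4 export into {key path: {name: value}}."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'^"([^"]+)"="(.*)"$', line)
            if m:
                # REGEDIT4 doubles backslashes inside string values; undo that.
                keys[current][m.group(1)] = m.group(2).replace("\\\\", "\\")
    return keys


def audit(text):
    """Return findings for the S 4.55 checks; an empty list means all checks pass."""
    keys = parse_reg_export(text)
    findings = []
    winlogon = keys.get(WINLOGON, {})
    if winlogon.get("DontDisplayLastUserName") != "1":
        findings.append('DontDisplayLastUserName is not set to "1"')
    for name in ("LegalNoticeCaption", "LegalNoticeText"):
        if not winlogon.get(name):
            findings.append(f"{name} is empty or missing")
    subsystems = keys.get(SUBSYSTEMS, {})
    for name in ("Os2", "Posix"):
        if name in subsystems:  # optional sub-system still registered for loading
            findings.append(f"SubSystems still loads {name}: {subsystems[name]}")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FINDING:", finding)
```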

Starting of services

If services which are not standard services of Windows NT are to be configured, then when determining the start type of these services (using the Control Panel option "Services") provision should be made, if possible, for a separate user account to start each of these services, so that the authorisations of the service concerned can be restricted in a suitable manner. The user account used in such cases must have the right "Start as service", and it should not be used for anything except this service; in particular, it should not permit interactive user log-on. Services which have not been allocated to a special user account in this way run in the context of the special user group SYSTEM (see S 4.50 Structured system administration under Windows NT), i.e. generally with the most extensive access permissions.

Device protection

If the computer has disk drives, CD ROM drives and/or tape drives, these should, if possible, be specifically protected, as outlined in Safeguard S 4.52 Equipment protection under Windows NT.

Emergency repair disk

At the time of installation, Windows NT offers to produce an emergency repair disk containing the most important configuration information. Use should be made of this capability, and whenever changes are made to the system each disk should be updated (see S 6.42 Creation of emergency repair disks for Windows NT). It is advisable to update each emergency repair disk only after the next system start-up, once it is certain that the changed system can still be started.

Pre-defined user accounts

The pre-defined administrator account is a member of the pre-defined "Administrators" group. It receives the rights and permissions which were granted to this group. The administrator account is used by the person who administers the overall configuration of the workstation or the server. The administrator has more supervisory capabilities over the Windows NT computer than any other user. This is why this account in particular has to be protected (see S 4.77 Protection of administrator accounts under Windows NT).

The pre-defined guest user account is a member of the "Guests" group. It receives the rights and permissions which were granted to this group. For example, a user can log on to the guest account, create files and delete them again, and read files for which an administrator grants read permission to guests. The guest account is set up as a service for users who use the computer occasionally or only once, so that they can log on and work with a restricted range of functions. When Windows NT 4.0 is installed, the guest account is initially locked out, and it is installed with a blank password. The guest account should, in any event, be given a secure password, and the lockout should not be cancelled unless there are serious grounds for its use. The pre-defined guest account can be renamed but not deleted. It should be renamed immediately after installation.

The first user account is set up for the first user of a workstation. As it is a member of the "Administrators" group, the workstation can be administrated in its entirety with the first user account. The first user account is created when Windows NT is installed, if the workstation is added to a workgroup or if it was not configured for network operation. The system invites the input of a user name and a password. If the computer is added to a domain when Windows NT is installed, the first user account is not created, because it is expected that the user will log on using an account from the domain.

Note: If Windows NT sets up a first user account on installation, this should be used as the account for system management.

Installation in the network

Furthermore, it should be noted that when the network software of the clients is configured, all clients should be configured as members of one of the previously defined domains (and not as members of workgroups). If user accounts are needed on them, they must always be defined as domain-wide accounts and not as local accounts, in order to avoid the formation of unclear rights structures.

To simplify the installation of a relatively large number of clients, scripts should be defined beforehand enabling the automatic installation and configuration of these clients to take place. Software of all types should be made available centrally on a server and installed from there on to the appropriate computer.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999