IT Baseline Protection Manual S 5.40 Secure integration of DOS-PCs to a Windows NT network

S 5.40 Secure integration of DOS-PCs to a Windows NT network

Initiation responsibility: Head of IT section, IT security management, Administrator

Implementation responsibility: Administrator, IT users

DOS PCs can be integrated into Windows NT networks in different ways, for example via TCP/IP or the peer-to-peer functions of Windows for Workgroups. In contrast to Windows NT systems, DOS PCs contain far fewer security mechanisms: DOS knows no user accounts and no separation between user and administrator. Anyone with access to such a PC can administer it and can, for example, change its settings or install software.

By installing the appropriate software, a networked PC can be used to eavesdrop on the network. Therefore only authorised users may have access to a PC (see also S 1.23 Locked doors and S 2.6 Granting of site access authorisations). Furthermore, it must be ensured that software is not installed without supervision; this should be checked regularly (see also S 2.9 Ban on using non-approved software and S 2.10 Survey of the software held).

In addition, the configuration of a PC can easily be changed so that it presents any computer name or address of its choosing, and can thus carry out a masquerade, i.e. impersonate another machine on the network.

Computer viruses occur mainly on DOS PCs. When PCs are networked with Windows NT systems, viruses can spread via infected programs passed from PC to PC. Therefore the same safeguards must be implemented here as for the exchange of programs via data media or remote data transfer (see also S 4.3 Periodic runs of a virus-detection programme). File viruses only pose a threat to Windows NT if they are able to change executable files under Windows NT in such a way that the files can still be executed. However, under certain conditions boot-sector viruses, which attack the boot sector of Intel-based systems such as PCs, can also pose a threat to Windows NT systems on an Intel platform by leaving them in a non-bootable state. This can be avoided by changing the boot sequence so that the system is not booted from a (possibly infected) floppy disk (see S 4.3 Periodic runs of a virus-detection programme).

The greatest threat that computer viruses pose to Windows NT systems comes from PCs that have access to shared directories on the Windows NT system. A virus that changes or deletes files or directories on the PC can do the same to every shared directory of the Windows NT system to which the PC's user has write access. Therefore, access rights for directories shared on the network should be granted restrictively; in particular, shared directories should be made read-only wherever possible.

Generally, users under Windows NT should restrict the permissions on their files as much as possible so that, for example, other users cannot gain access to them, and so that no write access is possible to files that are not regularly changed. The appropriate settings should be made beforehand via the access control functions of Windows NT, which require an NTFS file system (see also S 4.53 Restrictive allocation of access rights to files and directories under Windows NT). With this safeguard all files stored on the server have sufficient protection: the permissions are checked by the server, not by the client, so a DOS PC cannot bypass them and only ever obtains the rights of the account with which its user logged on to the Windows NT system.
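As an added illustration, which is not part of the BSI manual, the following cmd.exe commands show a share set up in the default, weak way next to the restrictive configuration recommended above, using only the tools available on Windows NT 4.0 (net share and cacls). The drive, the directories D:\DATA and D:\DATA\INCOMING, the share names DATA and INCOMING and the group names "Domain Users" and "Domain Admins" are assumptions for the example; on a stand-alone server the local groups Users and Administrators would be used instead.

```batch
@echo off
rem Added example, not from the BSI manual. Names (D:\DATA, D:\DATA\INCOMING,
rem shares DATA and INCOMING, groups "Domain Users"/"Domain Admins") are assumed.

rem --- Weak (default) configuration --------------------------------------
rem On a freshly formatted NTFS volume D:\DATA inherits Everyone:Full Control,
rem and "net share" creates the share with the default share permission
rem Everyone:Full Control. Every DOS client, and every virus running on it,
rem may then overwrite or delete anything below D:\DATA.
net share DATA=D:\DATA /REMARK:"Project data (weak: everyone may write)"
net share DATA /DELETE

rem --- Restrictive configuration -----------------------------------------
rem 1. NTFS permissions. Replace (no /E) the ACL of D:\DATA and everything
rem    below it (/T) so that the inherited Everyone:Full Control entry
rem    disappears: ordinary users get Read (R), administrators Full Control
rem    (F). cacls asks "Are you sure (Y/N)?" before replacing an ACL, hence
rem    the piped Y.
echo Y| cacls D:\DATA /T /G "Domain Users":R "Domain Admins":F

rem 2. One drop directory in which users may write. Editing (/E) keeps the
rem    administrators' entry and changes the users' entry to Change (C).
rem    A virus on a DOS PC can then damage at most what lies in INCOMING.
cacls D:\DATA\INCOMING /E /G "Domain Users":C

rem 3. Two shares, so that the read-only data and the writable drop area are
rem    reached under different share names. "net share" on NT 4.0 cannot set
rem    the share-level permission; set it afterwards in the Sharing tab of
rem    Explorer (or in Server Manager): DATA -> Everyone:Read,
rem    INCOMING -> Everyone:Change. The effective right through a share is
rem    the more restrictive of the share permission and the NTFS permission,
rem    so the DATA share stays read-only whatever the NTFS ACL says.
net share DATA=D:\DATA /REMARK:"Project data, read-only"
net share INCOMING=D:\DATA\INCOMING /REMARK:"Drop directory, writable"

rem 4. Verify: list the NTFS ACLs of the whole tree and the shares offered
rem    by this server.
cacls D:\DATA /T
net share
```

The point of splitting the read-only data and the drop area into two shares is that the share permission can then be read-only for the bulk of the data, exactly as the safeguard asks, while the small writable area limits what a virus or a careless user on a DOS PC can destroy.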

If Windows for Workgroups or Windows 95 is installed on the PC, the threats posed by the use of peer-to-peer functions must also be considered (see chapter 6.3 Peer-to-Peer Network). The particular problem of stored passwords must be emphasised. Passwords are stored in files with the name [log-on name].PWL (the password list). They are stored encrypted, but can still be recovered with various freely available programs, so anyone who can copy the file from the PC can obtain the Windows NT log-on password cached in it. It is absolutely necessary that a user logging on to a Windows NT system from WfW or Windows 95 observes the notes in safeguard S 4.46 Use of the log-on password under WfW and Windows 95. In any case, administrators must ensure that no password list is created on the PC.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999