S 5.42 Secure configuration of TCP/IP network administration under Windows NT

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

When integrating Windows NT systems into a computer network, correct configuration of the installed network services is particularly important. Notes are given in the following paragraphs regarding the most widely-used services; these notes, however, do not replace a detailed examination of security requirements and the necessity for exact knowledge of the system documentation.

DHCP (Dynamic Host Configuration Protocol)

To reduce the effort involved in administration of IP address information, IP addresses, and the data belonging to them, can be dynamically configured under DHCP.

A Windows NT computer becomes a DHCP client if it has been configured for automatic DHCP-configuration when installing TCP/IP. After starting a DHCP client a connection to a DHCP server will be established in order to obtain the necessary TCP/IP configuration data. This configuration data contains at least one IP address, a subnetwork mask and the current validity length of the address.

Installation of a DHCP server is part of the installation of Microsoft TCP/IP and can only be carried out by a member of the "Administrators" group.

Note: To avoid a possible conflict, it must be ensured that other DHCP servers do not already exist in the network before installing a new DHCP server.

Automatic configuration of a new DHCP server cannot be carried out under DHCP as a computer cannot simultaneously act as a DHCP client and a DHCP server.

Note: All entries in the registry concerning the DHCP server can be found under the path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

DHCPserver\Parameters.

With the service programme DHCP-Manager the following fundamental tasks can be performed:

• Creating one or more DHCP areas, so that DHCP services are available.

• Defining the properties of an area including length of usage time and IP address pools which should be allocated by servers to possible DHCP clients.

• Determining standard values for options like Standard-Gateway, DNS server or WINS server, which should be allocated together with an IP address and the addition of personal options.

A DHCP area is a group of computers, which execute the DHCP client service in a subnet. The area is used to define parameters for every subnetwork. Every area has the following properties:

• A unique sub-network mask is used to establish a subnet which is in turn assigned to a particular IP address.

• An area name assigned by the administrator when the area was created.

• Values for the length of usage time of dynamic addresses which are allocated to DHCP clients.

Each subnetwork can only have one single area with a continuous IP address pool; these addresses must be valid for the subnet. If many address pools areto be created in one subnetwork, a continuous area should be created which encompasses all these address pools and the addresses between the desired pools can be excluded. If more addresses are needed, the area can be extended at a later stage.

Configuration parameters which a DHCP server assigns to a client will be defined as DHCP options under the DHCP-Manager. Most options are pre-defined on the basis of standard parameters which have been determined in the Internet standards RFC 1541 or RFC 1542. Such types of options can be assigned to a configured DHCP area which regulates all configuration parameters.

Additional to IP address information, further DHCP options which are to be passed on to DHCP clients must be configured for every area. These options can be globally defined for all areas, specifically defined for single areas or defined for single DHCP clients with reserved addresses. Active global options are valid as long as they are not deactivated by area options or DHCP client settings. Active types of options for one area are valid for all computers in this area as long as they are not deactivated for a single DHCP client.

Note: Any change to the preset values should only be made if the effects of this change are completely known. The values to be used have to be determined within the guidelines of a specific security analysis.

A particular IP address can be reserved for a client. As a rule, this is necessary in the following cases:

• for domain controllers, if the network also works with LMHOSTS -files which define IP addresses for domain controllers,

• for clients working with IP addresses which were assigned for TCP/IP configuration via a different procedure,

• for allocation by RAS servers to clients that do not use DHCP,

• for DNS servers.

If multiple DHCP servers distribute addresses in the same area, the client reservations must be identical on every DHCP server otherwise - depending upon the answering server - the reserved client will receive different IP addresses.

Note: The IP address and the static name entered in WINS take priority over the IP address allocated by the DHCP server. In this case a client reservation is generated for the client which will be established in the WINS database.

The following files are stored in the directory%SystemRoot%\SYSTEM32\DHCP, which is established when setting up a DHCP server:

• DHCP.MDB is the DHCP database file.

• DHCP.TMP is a temporary file, which DHCP installs for temporary database files.

• The files JET.LOG and JET*.LOG contain protocols with the complete transactions that have been executed with the database. With the help of these files, DHCP can reproduce possible lost data if required.

• SYSTEM.MDB is used by DHCP to save data regarding the structure of its database.

Note: The files DHCP.TMP, DHCP.MDB, JET.LOG and SYSTEM.MDB should neither be deleted nor changed in any way since this can lead to faulty DHCP functions. Access to these files may only be granted to administrators as, otherwise, unsupervised changes to DHCP configuration are possible.

WINS (Windows Internet Name Service)

Via WINS, NetBIOS-computer-names can be allocated to IP addresses. Installation of a WINS server takes place as part of the installation of TCP/IP on Windows NT servers. To achieve a better availability of servers and a balanced workload, several WINS servers should be set up. Each WINS server must be configured in such a way that it functions as a reproduction partner for at least one other WINS server.

Information regarding the reproduction of database entries for the partner is part of a WINS server configuration. A Pull-Partner is a WINS server that obtains copies of database entries from its partner by first sending a request and then receiving the desired copies. A Push-Partner is a WINS server that sends its partner a renewal message, if something has changed in the WINS database. If its partner then replies with a request for reproduction, the Push-Partner sends a copy of the up-to-date WINS database to the reproduction partner. To ensure that the databases on the primary WINS server and the back-up server always correspond to one another, both servers must act as Push and Pull-Partners. It is always advisable for reproduction partners to take both roles, i.e. Push and Pull-Partner.

A particular point in time, length of time or number of data sets must be determined for every WINS server as a threshold value. If this value is reached, the reproduction of the databank will be performed. If a certain point in time is determined for the reproduction, this will be carried out once. On the other hand, if a certain length of time is established, reproduction will be repeated according to the appropriate intervals. Within a geographical region this could lie, for example, between 1/4 and 1/2 an hour, whilst over larger distances, intervals of a few hours can be selected.

Note: All registry entries concerned with the configuration of the WINS server can be found under the path

HKEY_LOCAL_MACHINE\SYSTEM\ CurrentControlSet\Services\WINS\Parameters

WINS servers communicate with one another in order to achieve a complete reproduction of their databases and to ensure that a name registered in one WINS server will eventually be reproduced in all other WINS servers within the combined network. All assignment changes will be collected for the complete WINS system within the so-called reproduction period (maximum length of time for transmission of changes to all WINS servers). All freed names will be passed on to all WINS servers as soon as they are obsolete according to the relevant intervals defined in the WINS-Manager.

Reproduction takes place under a reproduction partner and not between one server and the other servers. Finally, complete copies are requested from the other WINS servers within a combined network, but the WINS servers transmit start signals to draw attention to the fact that a reproduction should be initiated. For a reproduction to take place, every WINS server must act as the Push or Pull-Partner for at least one other WINS server.

Note:All registry entries concerned with the WINS reproduction can be found under the path

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\ Services\WINS\Partners.

Static assignments are fixed lists in which IP addresses are assigned to computer names. These classifications may not be questioned or deleted unless the administrator removes a particular assignment. Via the command " Static Assignments " in the WINS-Manager, static assignments can be added, edited, imported or deleted for clients in the network for whom the WINS service is not activated.

Note: If DHCP is also in operation on the network, a reserved (or static) IP address will deactivate all the settings of the WINS server. Static assignments should not be assigned to a computer if WINS is active on the computer.

The following files are stored in the directory%SystemRoot%\SYSTEM32\WINS. This directory is automatically created when configuring a WINS server.

• JET.LOG is the log file for all transactions carried out in the database. If required, WINS uses this file to recreate data.

• With the help of SYSTEM.MDB,WINS records information concerning the structure of the database.

• WINS.MDB is the WINS database file.

• WINSTMP.MDB is a temporary file created by WINS. It can remain in the directory \WINS following a system failure.

Note: The files JET.LOG, SYSTEM.MDB, WINS.MDB and WINSTMP.MDB should neither be deleted nor changed in any way since this can lead to faulty functions under WINS. Access to these files may only be granted to the administrator as, otherwise, unsupervised changes to the WINS configuration are possible.

SNMP (Simple Network Management Protocol)

SNMP is used for supervision and administration of a TCP/IP-based network. The SNMP service is installed if the appropriate options are selected when installing Windows NT TCP/IP. Following installation the SNMP service must be configured with valid information for SNMP to be operational.

Only members of the administrator group of the local computer may configure SNMP. During configuration, Communities and Trap-Targets will be defined:

• A Community is a group of hosts to which one server belongs which executes the SNMP service. The Windows NT system on which SNMP has been installed will send Traps to one or more entered Communities. The name of the community will be recorded in the SNMP packet when sending Traps. If the SNMP service receives a request which does not contain the correct Community name and does not correspond to any of the accepted hosts, the SNMP service can send a trap to the Trap-Target(s) drawing attention to the fact that the confirmation of authenticity failed.

• Trap-Targets are the names or IP addresses of hosts to whom the SNMP service will send traps, i.e. messages of pre-defined events, with the selected Community names.

Note: In principal, SNMP should be configured in such a way that it only accepts requests from the defined Communities (and if possible not the pre-defined Community public).

SNMP security allows Communities and Hosts to be defined from which a computer accepts requests. Furthermore, it can be defined whether a confirmation of authenticity Trap is sent if a Community or Host requests information without authority. These determinations must be carefully planned and the possibility to send Traps must be used. The resulting logs must be checked regularly.

Additional controls:

• Are only the minimal necessary network services installed / activated?