IT Baseline Protection Manual S 5.43 Secure configuration of TCP/IP network services under Windows NT

Initiation responsibility: Head of IT Section, IT Security Management

Implementation responsibility: Administrators

TCP/IP

When the TCP/IP protocol is installed, its properties can be set via the "Network" option in the Control Panel. If the computer concerned has more than one network card and/or remote access via RAS (Remote Access Server, see S 5.41 Secure configuration of remote access under Windows NT) is installed, note that routing between these cards, i.e. between the remote access interface and the network card, can be switched on with the "Enable IP Forwarding" option on the "Routing" tab. As a rule, this option should not be activated on computers which have a connection to an external network such as the Internet, since it would give external computers transparent access to the local network.

In version 4.0, data traffic via TCP/IP can be filtered to a certain extent. To do so, choose the "Advanced" option on the "IP Address" tab and select the "Enable Security" option in the window that opens. The "Configure" option then allows the permitted or blocked TCP and UDP ports and IP protocols to be selected for each individual network card. The values entered here should be chosen according to the functions required and the applicable security requirements. A security concept for the use of Internet services should exist for computers with external connections. The considerations are similar to those for installing a firewall (see Baseline Protection module 7.3 Firewall, in particular S 2.76 Selection and Implementation of suitable filter rules).

FTP (File Transfer Protocol)

Under version 3.51, an FTP server is set up during the installation of TCP/IP; in version 4.0 the FTP server can be installed as part of the Peer Web Services. If the FTP server service is running on a Windows NT system, other IT systems can connect to it as clients via an FTP client programme and transfer files. Users who connect to the FTP server are authenticated under Windows NT via their user account and are granted access according to their user profile. For this reason, the FTP server must be installed on an NTFS partition so that the files and directories made accessible via FTP can be protected.

Following installation the FTP server must be configured before it can be operated. The configuration settings can lead to one of the following situations:

Note: By default, FTP transmits user passwords across the network unencrypted. Anyone with a network analysis programme can therefore read the passwords of remote accounts during the FTP authentication procedure.

Whether anonymous FTP connections should be permitted is dependent upon various factors:

The username "Anonymous" must be entered for anonymous connections. No password is required, although the user is asked to supply an e-mail address. A local user account must be set up for anonymous connections under Windows NT; by default, this account is called "guest". As soon as data transmission occurs via an anonymous connection, Windows NT examines the username supplied in the dialogue field and, based on this username, determines which accesses are permitted.

The user account used for anonymous connections should be a member of the "guests" group. It must under no circumstances be a member of the "users" group, since this may grant extensive access.

When first installing the FTP server, access rights for this service must also be configured. The drives and partitions for which access rights are to be configured must be selected. Depending upon the security required for the partition, read access, write access or both may be activated. For FAT and HPFS partitions, the permissions granted apply to all files on the entire partition. For NTFS partitions, this setting can be used to block read access, write access or both for the entire partition.

All restrictions defined in this way are in addition to the security safeguards of the file system itself. This means that an administrator can remove permissions for certain data media using this dialogue field, but cannot grant any permissions beyond those contained in the file system. If, for example, only read access has been granted for a partition, nobody can write to this partition via FTP, no matter which permissions have been defined for it in the file system.

Under version 3.51 of Windows NT, incoming FTP connections can be recorded in the system event log by setting the values LogAnonymous and LogNonAnonymous in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ftpsvc\Parameters to 1. These values are not present in the registry by default and must be created before incoming connections are logged. They determine separately whether an event-log entry is made for anonymous and for non-anonymous users connecting to the FTP server.
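As an added example (not part of the manual), the following Python script parses a registry export in the regedit /e format and checks the two FTP logging values named above together with IPEnableRouter, which is the registry value behind the "Enable IP Forwarding" option discussed under TCP/IP (that value name is not on this page). The sample export is constructed, and key paths are compared exactly although the registry itself is case-insensitive.

```python
import re

# Key named on the page (FTP logging) and the Tcpip key holding IPEnableRouter,
# the value behind the "Enable IP Forwarding" checkbox (assumption: not on page).
FTPSVC_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ftpsvc\Parameters"
TCPIP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"

# Constructed sample export: forwarding is switched on, anonymous logging is
# present but off, and non-anonymous logging is absent (the default, per the page).
SAMPLE_EXPORT = """REGEDIT4

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\Tcpip\\Parameters]
"IPEnableRouter"=dword:00000001

[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\ftpsvc\\Parameters]
"LogAnonymous"=dword:00000000
"""

def parse_reg_export(text):
    """Return {key_path: {value_name: int}} for the dword values in a .reg export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]            # new key section
            keys.setdefault(current, {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                keys[current][m.group(1)] = int(m.group(2), 16)
    return keys

def check_s543(keys):
    """Return a list of (setting, finding) tuples; an empty list means compliant."""
    findings = []
    tcpip = keys.get(TCPIP_KEY, {})
    if tcpip.get("IPEnableRouter", 0) != 0:
        findings.append(("IPEnableRouter", "IP forwarding enabled between network cards / RAS"))
    ftp = keys.get(FTPSVC_KEY, {})
    for name in ("LogAnonymous", "LogNonAnonymous"):
        if ftp.get(name) is None:           # value never created: no logging
            findings.append((name, "missing: these FTP connections are not logged"))
        elif ftp[name] != 1:
            findings.append((name, "set to %d, expected 1" % ftp[name]))
    return findings

if __name__ == "__main__":
    for setting, finding in check_s543(parse_reg_export(SAMPLE_EXPORT)):
        print("%-16s %s" % (setting, finding))
```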

In version 4.0 of Windows NT, the security settings for the FTP server can be made with the help of the Internet Service Manager; direct changes to the registry are no longer necessary.

Telnet

Windows NT does not provide a Telnet server; the system can only act as a Telnet client. The Telnet client is installed together with TCP/IP. If a Telnet server is required, the one provided as part of the Windows NT Resource Kit version 4.0, a third-party product, or shareware can be used.

Note: Since Telnet transmits the user password in plain text when logging on, Telnet should only be installed and used if the computer network is protected against eavesdropping. Its use should therefore be avoided completely if possible.

NFS (Network File System)

Windows NT itself provides neither an NFS client nor an NFS server. If NFS is to be used, third-party products must be installed.

No general statements can be made about the configuration of these products. Where the product supports it, the settings recommended for NFS configuration under the Unix operating system should be applied.

Additional controls:


© Copyright by
Bundesamt für Sicherheit in der Informationstechnik
July 1999