- 7 -
File system and Registry Access Control Lists
The ACLs applied to the file system and the registry are identical to the ones Microsoft ships in the Highly
secure workstation template for SCE. For the details, open the bastion.inf file with the SCE snap-in in MMC.
Administrator account
The bastion.inf policy renames the Administrator account to root. Change this to something unique for your
environment, and make sure the renamed account has a strong password as well. Keep in mind that the rename only
hides the name: the account keeps its well-known relative identifier (RID 500), so anyone who can enumerate
SIDs on the host can still identify it.
Remove unused and potentially dangerous components
If an attacker gains access to the bastion host, it is crucial that the attacker does not get extra help to
establish a back door or to reach other systems. It is therefore good practice to remove unused binaries from the
bastion host. The downside is that this may slow down the administrators as well. Use your judgement here.
To remove the DOS, Win16, OS/2 and POSIX subsystems, make the following registry changes:

Key                                                                           Type        Value
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional  REG_BINARY  00 00
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2       N/A         REMOVE THIS KEY
MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix     N/A         REMOVE THIS KEY
MACHINE\SYSTEM\CurrentControlSet\Control\WOW                                  N/A         REMOVE THIS KEY
Delete the following files:
%SystemRoot%\system32\ntvdm.exe
%SystemRoot%\system32\krnl386.exe
%SystemRoot%\system32\psxdll.dll
%SystemRoot%\system32\psxss.exe
%SystemRoot%\system32\posix.exe
%SystemRoot%\system32\os2.exe
%SystemRoot%\system32\os2ss.exe
%SystemRoot%\system32\os2srv.exe
%SystemRoot%\system32\os2 (directory)
Other potentially dangerous tools
These are network clients that an attacker who has a foothold on the host can use to pull tools onto it
(tftp, ftp, rcp) or to reach other systems from it (telnet, rsh, rexec, finger). Consider deleting them too:
%SystemRoot%\system32\nbtstat.exe
%SystemRoot%\system32\tracert.exe
%SystemRoot%\system32\telnet.exe
%SystemRoot%\system32\tftp.exe
%SystemRoot%\system32\rsh.exe
%SystemRoot%\system32\rcp.exe
%SystemRoot%\system32\rexec.exe
%SystemRoot%\system32\finger.exe
%SystemRoot%\system32\ftp.exe
%SystemRoot%\system32\lpq.exe
%SystemRoot%\system32\lpr.exe
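The registry changes and file deletions above, together with the optional removal of the network client tools, as one script. This is an added example and not part of the original paper or its bastion.inf policy; the paper's own procedure was carried out with regedit and the command prompt, whereas this uses PowerShell. It assumes an elevated PowerShell 3 or later session, reg.exe on the path, and a backup directory of your choosing (C:\hardening\backup below is a placeholder).

```powershell
# Added example, not from the original paper: apply the subsystem removal
# above (and, with -RemoveNetworkTools, delete the network client tools)
# with a registry backup, a -WhatIf dry run and a verification report.
# Assumptions: elevated PowerShell 3+, reg.exe available, BackupDir writable.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string]$BackupDir = 'C:\hardening\backup',   # placeholder path
    [switch]$RemoveNetworkTools
)

$subsys = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$wow    = 'HKLM:\SYSTEM\CurrentControlSet\Control\WOW'
$keysToRemove = @("$subsys\Os2", "$subsys\Posix", $wow)

$sys32 = Join-Path $env:SystemRoot 'system32'
$subsystemFiles = 'ntvdm.exe', 'krnl386.exe', 'psxdll.dll', 'psxss.exe',
                  'posix.exe', 'os2.exe', 'os2ss.exe', 'os2srv.exe', 'os2'
$networkTools   = 'nbtstat.exe', 'tracert.exe', 'telnet.exe', 'tftp.exe', 'rsh.exe',
                  'rcp.exe', 'rexec.exe', 'finger.exe', 'ftp.exe', 'lpq.exe', 'lpr.exe'
$targets = $subsystemFiles
if ($RemoveNetworkTools) { $targets += $networkTools }
$targets = $targets | ForEach-Object { Join-Path $sys32 $_ }

# 1. Export the parent keys first so the change can be reverted with
#    'reg import'. reg.exe wants HKLM\..., not the PowerShell drive form.
New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
foreach ($key in @($subsys, $wow) | Where-Object { Test-Path $_ }) {
    $regPath = $key -replace '^HKLM:\\', 'HKLM\'
    $out = Join-Path $BackupDir (($regPath -replace '[\\ ]', '_') + '.reg')
    if ($PSCmdlet.ShouldProcess($regPath, "export to $out")) {
        & reg.exe export $regPath $out /y | Out-Null
        if ($LASTEXITCODE -ne 0) { throw "Backup of $regPath failed; aborting before any change." }
    }
}

# 2. Optional subsystems: the paper's value is REG_BINARY 00 00, replacing
#    the default list of optional subsystems. -Type Binary also sets the type.
if ($PSCmdlet.ShouldProcess("$subsys\Optional", 'set to REG_BINARY 00 00')) {
    Set-ItemProperty -Path $subsys -Name Optional -Value ([byte[]](0, 0)) -Type Binary
}

# 3. Remove the Os2, Posix and WOW keys.
foreach ($key in $keysToRemove | Where-Object { Test-Path $_ }) {
    if ($PSCmdlet.ShouldProcess($key, 'remove registry key')) {
        Remove-Item -Path $key -Recurse -Force
    }
}

# 4. Delete the binaries (and the os2 directory). A failure is reported,
#    not hidden; the verification step below shows what is still present.
foreach ($path in $targets | Where-Object { Test-Path $_ }) {
    if ($PSCmdlet.ShouldProcess($path, 'delete')) {
        try   { Remove-Item -Path $path -Recurse -Force -ErrorAction Stop }
        catch { Write-Warning "could not delete ${path}: $($_.Exception.Message)" }
    }
}

# 5. Verify and report, so the result can go into the build record.
[pscustomobject]@{
    OptionalValue  = ((Get-ItemProperty -Path $subsys -Name Optional).Optional |
                      ForEach-Object { '{0:X2}' -f $_ }) -join ' '
    KeysRemaining  = @($keysToRemove | Where-Object { Test-Path $_ })
    FilesRemaining = @($targets | Where-Object { Test-Path $_ })
}
```

Run it once with -WhatIf to see exactly which keys and files would be touched before committing to the change; the backup exports are the only way back, since the deleted binaries are not recreated by the script. The list is the paper's NT 4.0 list, so on a later Windows version expect several of the items to be reported as already absent.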
Open Ports
It is not possible to make Windows NT stop listening on some ports and still have a supported configuration. For
example, stopping the RPC endpoint mapper service (RpcSs.exe, listening on TCP and UDP port 135) is not
supported. Even more annoying is the fact that RpcSs also opens an undocumented TCP listener on a high port
(usually tcp/1027). Another port that shows up in netstat is tcp/1028, but it does not seem to respond to
connection attempts. Ports that cannot be closed on the host itself have to be blocked by the packet filter in
front of the bastion host.
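Because the remaining listeners cannot be removed, the practical check is to make sure nothing beyond the known set is listening. The following PowerShell script does that by parsing netstat -an output and comparing it with a baseline. It is an added example and not code from the paper; the baseline (tcp/udp 135, tcp/1027, tcp/1028) is an assumption built from the observation above, and the sample netstat output is constructed for illustration, with a telnet server and a tftp listener added so that the detection has something to flag.

```powershell
# Added example, not from the original paper: audit the listening sockets
# reported by 'netstat -an' against an expected baseline for the bastion host.
# The baseline is an assumption taken from the paper's observation (RPC
# endpoint mapper on tcp/udp 135 plus tcp/1027 and tcp/1028); adjust it to
# what your own build is supposed to expose. -Sample runs against the
# constructed output embedded below instead of the live system.
param([switch]$Sample)

$baseline = 'TCP/135', 'UDP/135', 'TCP/1027', 'TCP/1028'

# Constructed sample in 'netstat -an' format (not a capture from the paper):
# a telnet server (tcp/23) and a tftp listener (udp/69) have been added.
$sampleOutput = @'

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1027           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1028           0.0.0.0:0              LISTENING
  TCP    0.0.0.0:23             0.0.0.0:0              LISTENING
  TCP    10.0.0.5:1029          10.0.0.9:139           ESTABLISHED
  UDP    0.0.0.0:135            *:*
  UDP    0.0.0.0:69             *:*
'@ -split "`r?`n"

$lines = if ($Sample) { $sampleOutput } else { & netstat.exe -an }

$listeners = foreach ($line in $lines) {
    # Proto, local addr:port, foreign addr:port, then a state column that
    # only TCP rows have. Every bound UDP socket counts as a listener.
    if ($line -match '^\s*(TCP|UDP)\s+(\S+):(\d+)\s+\S+(?:\s+(\S+))?\s*$') {
        $proto = $Matches[1]; $port = [int]$Matches[3]; $state = $Matches[4]
        if ($proto -eq 'UDP' -or $state -eq 'LISTENING') {
            [pscustomobject]@{
                Proto = $proto; Local = $Matches[2]; Port = $port; Key = "$proto/$port"
            }
        }
    }
}

$seen       = @($listeners | ForEach-Object Key)
$unexpected = @($listeners | Where-Object { $baseline -notcontains $_.Key })
$missing    = @($baseline  | Where-Object { $seen -notcontains $_ })

$listeners | Sort-Object Proto, Port | Format-Table Proto, Local, Port -AutoSize
if ($unexpected) { Write-Warning ('Unexpected listeners: ' + (($unexpected | ForEach-Object Key) -join ', ')) }
if ($missing)    { Write-Warning ('Baseline ports not seen: ' + ($missing -join ', ')) }

# Non-zero exit when anything outside the baseline is listening, so the
# check can run from a build script or a scheduled task.
exit $unexpected.Count
```

Run with -Sample and the script warns about TCP/23 and UDP/69 and exits with 2; run without it on the bastion host after the build, and again periodically, so that a listener added later (a service re-enabled by a hotfix, or something an intruder planted) is noticed. The established connection in the sample is deliberately ignored: only bound listeners matter for this check.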
Output of netstat on my test system:
C:\>netstat -an
Active Connections