HostedDB - Dedicated UNIX Servers
hpntbast101_7 - 7 - File system and Registry Access Control Lists The ACLs applied to the file system and the registry are identical to what Microsoft ships as the ”Highly secure workstation” template in SCE. For details check the bastion.inf file with the SCE snap-in in MMC. Administrator account The bastion.inf policy renames the Administrator account to ”root”. This should be changed to something unique for your environment. Make sure to have a strong password on the Administrator account as well. Remove unused and potentially dangerous components If an attacker gains access to the bastion host it is crucial that the attacker doesn’t get extra help to establish a back door or gain access to other systems. Therefore it’s good practice to remove unused binaries from the bastion host. The downside of doing this is that it may slow down the administrators as well. Use your judgement here. To remove DOS, Win16, OS/2 and Posix sub systems KEY Type Value MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional REG_BINARY 00 00 MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Os2 N/A REMOVE THIS KEY MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Posix N/A REMOVE THIS KEY MACHINE\SYSTEM\CurrentControlSet\Control\WOW N/A REMOVE THIS KEY Delete the following files: %SystemRoot%\system32\ntvdm.exe %SystemRoot%\system32\krnl386.exe %SystemRoot%\system32\psxdll.dll %SystemRoot%\system32\psxss.exe %SystemRoot%\system32\posix.exe %SystemRoot%\system32\os2.exe %SystemRoot%\system32\os2ss.exe %SystemRoot%\system32\os2srv.exe %SystemRoot%\system32\os2 (directory) Other potential dangerous tools %SystemRoot%\system32\nbtstat.exe %SystemRoot%\system32\tracert.exe %SystemRoot%\system32\telnet.exe %SystemRoot%\system32\tftp.exe %SystemRoot%\system32\rsh.exe %SystemRoot%\system32\rcp.exe %SystemRoot%\system32\rexec.exe %SystemRoot%\system32\finger.exe %SystemRoot%\system32\ftp.exe %SystemRoot%\system32\lpq.exe %SystemRoot%\system32\lpr.exe Open Ports It’s not possible to make Windows NT stop listening on some ports and have a supported environment. For example it’s not supported to stop the RPC end-point mapper service (RpcSs.exe on TCP and UDP port 135). Even more annoying is the fact that the RpsSs fires up an undocumented TCP-listener on a high port (usually port tcp/1027). Another port that shows in netstat is tcp/1028, but it does not seem to respond on connection attempts. Output of netstat on my test system: C:\>netstat -an Active Connections