Archived content - No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Microsoft® Windows NT®
Version 4.0
Microsoft Corporation
Information in this document is subject to change without notice. Companies, names, and data used in examples herein are fictitious unless otherwise noted. No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, for any purpose, without the express written permission of Microsoft Corporation.
Microsoft Corporation may have patents or pending patent applications, trademarks, copyrights, or other intellectual property rights covering subject matter in this document. The furnishing of this document does not give you any license to these patents, trademarks, copyrights, or other intellectual property rights except as expressly provided in any written license agreement from Microsoft Corporation.
© 1985-1998 Microsoft Corporation. All rights reserved.
Microsoft, Windows, and MS-DOS are registered trademarks and Windows NT is a trademark of Microsoft Corporation in the United States of America and other countries.
Adaptec is a trademark of Adaptec, Inc.
AppleTalk is a trademark of Apple Computers, Inc.
Compaq, Qvision, and SmartStart are registered trademarks and ProLiant is a trademark of Compaq Computer Corporation.
Alpha, AXP, DEC, and Digital are trademarks of Digital Equipment Corporation.
Hewlett-Packard, HP, and LaserJet are registered trademarks of Hewlett-Packard Company.
Intel and Pentium are registered trademarks and i386 is a trademark of Intel Corporation.
NT is a trademark of Northern Telecom.
OS/2 is a registered trademark of International Business Machines Corporation.
SCSI is a registered trademark of Security Control Systems, Inc.
UNIX is a registered trademark in the United States and other countries, licensed exclusively through X/Open Company, Ltd.
Welcome to the Microsoft® Windows NT® Administrator's and User's Security Guide. This book is designed to help you use Microsoft® Windows NT® Server or Microsoft® Windows NT® Workstation to set up a computer system that is eligible for C2-level security certification.
This book has the following chapters:
Chapter 1, "Security Policy Overview," discusses security issues that every Windows NT administrator should be aware of. It focuses on the special considerations for high security installations.
Chapter 2, "Levels of Security," describes the different requirements for minimal, standard, and high level security.
Chapter 3, "C2 Level Security," describes the general requirements for C2 compliance, the evaluation process, and the evaluation history of Windows NT.
Chapter 4, "Microsoft Report on C2 Evaluation of Networked Windows NT," gives the specifications of the networked configuration of Windows NT 4.0 that was submitted for evaluation at the C2 level. A checklist is provided for duplicating this configuration.
Appendix A, "Software Security Rating Systems," describes the various rating systems in use worldwide, including the new Common Criteria designed to be a universal standard.
Appendix B, "Discretionary Access Control Lists (DACLs)" describes the discretionary access control mechanism used by Windows NT.
To administer a computer or network running Windows NT, you should be familiar with the product documentation for the operating system or systems. In most cases, you will also want to use information in the Microsoft resource kit for the product. This book assumes that you have the product documentation for Microsoft® Windows NT® Server version 4.0 or Microsoft® Windows NT® Workstation version 4.0, and the Microsoft® Windows NT® Resource Kit, Version 4.0.
Computer security refers to the protection of all components—hardware, software, and stored data—of a computer or a group of computers from damage, theft, or unauthorized use. A computer security plan that is well thought out, implemented, and monitored makes authorized computer use easy and unauthorized use or accidental damage increasingly difficult.
This chapter is written primarily for Microsoft® Windows NT® system administrators. However, there are some issues that end users need to be aware of as well.
C2 security is the highest government rating for business computing products; it requires the system to have discretionary resource protection and auditing capability.
Discretionary access control list (DACL) is the part of an object's security descriptor that provides for discretionary resource protection by allowing or denying permissions to specific users and groups.
An administrator is a person who sets up and manages domain controllers or local computers. By default, administrators are in the Administrators or Domain Admins account group.
A user is an end user, one who has no administrative rights or responsibilities on a computer. By default, users are in the Users account group.
A trusted user is a user who is allowed to run administrative utilities, replace files, install service packs, create printers, and install device drivers.
In a multitasking operating system such as Windows NT, applications share a variety of system resources, including the computer's memory, I/O devices, files, and system processors. Windows NT includes a set of security components that ensure that applications cannot access these resources without authorization. Together, these components—the Security Reference Monitor, the Logon Process, the Security Account Manager (SAM), and the Local Security Authority—form the Windows NT security model.
The security model provides for discretionary access control so that the owner of a resource can specify which users or groups can access resources and what types of access they're allowed (such as read, write, and delete).
Tasks can access each other's resources, such as memory, only through specific sharing mechanisms. This feature helps enforce object hiding.
Windows NT also provides for auditing so that administrators can keep an audit trail of which users perform what actions.
By providing these features, the Windows NT security model prevents applications from gaining unauthorized access to the resources of other applications or the operating system either intentionally or unintentionally.
Components
The Security Reference Monitor enforces the access validation and audit generation policy defined by the Local Security Authority. It provides services to both of the system's operating modes—kernel mode and user mode—for validating access to objects, checking user privileges, and generating audit messages. The Security Reference Monitor runs in kernel mode, which protects it from interference by a rogue or failing application.
The Security Account Manager (SAM) maintains the user accounts database. This database contains information for all user and group accounts. SAM provides user validation services, which are used by the Local Security Authority. SAM is also known as the Directory database.
The Local Security Authority ensures that the user has permission to access the system. This component is the center of the Windows NT security subsystem. It generates access tokens, manages the local security policy, and provides interactive user authentication services. The Local Security Authority also controls audit policy and logs the audit messages generated by the Security Reference Monitor.
The Logon Process accepts logon requests from users. These include the initial interactive logon, which displays the initial logon dialog box to the user, and remote logon processes, which allow access by remote users to a Windows NT server process.
These last three components run in user mode, which makes them accessible to applications. However, because they are separate processes (subsystems), their memory is protected from other subsystems and applications.
The Windows NT Kernel and Executive are based on an object-oriented model that allows for a consistent and uniform view of security, right down to the fundamental entities that make up the base operating system. This means that Windows NT uses the same routines for access validation and audit checks for all protected objects. That is, whether someone is trying to access a file on the disk or a process in memory, there is one component in the system that is required to perform access checks, regardless of the object type.
Concepts
The concept of trust is basic in Windows NT 4.0 security. A user who is trusted on one domain in a network can potentially be trusted on other domains, depending on the trust relationships established between domains.
Trusting domains allow their resources to be used by accounts in other (trusted) domains. Trusted-domain users and global groups can hold user rights, resource permissions, and local group memberships on the trusting domain.
Domains
A domain is a networked set of Windows NT workstations and Windows NT servers that share a SAM database and can be administered as a group. A user with an account in a particular domain can log on to and access his or her account from any system in the domain.
User Manager for Domains is a system component that enables administrators to manage security for domains and computers. This includes creating and managing user accounts and groups, and managing the domain's security policies such as accounts (passwords), user rights, auditing, and trust relationships.
Trust Relationships
A trust relationship is a link between two Windows NT Server domains. Administrators can use trust relationships to add and remove trusting domains (resource domains) and trusted domains (account domains).
Trust relationships can allow a user to access resources on the entire network using a single user account and a single password. This moves the convenience of centralized administration from the domain level to the network level.
Although small organizations can store accounts and resources in a single domain, large organizations typically establish multiple domains. With multiple domains, accounts are usually stored in one domain and resources in another domain or domains.
Note: For C2 evaluation, it is assumed that the whole network is linked by mutual trust relationships. Thus, all trusted users are trusted throughout the network and, conversely, an untrusted user is not trusted on any machine in the network. Windows NT has no mechanism to enforce this universal trust, but organizational procedures can be used to ensure it. While each trusted user has the same set of rights everywhere, an administrator can still use discretionary access control lists (DACLs) to limit that user's ability to access and perhaps attack other machines and resources.
For detailed information about trust relationships, and strategies for planning trust relationships between the domains of a network, see "Planning Your Domain Design" in Chapter 2, "Network Security and Domain Planning," in the Microsoft® Windows NT® Networking Guide in the Microsoft® Windows NT® Server Resource Kit, version 4.0.
Subjects and Impersonation
One objective of the Windows NT security model is to ensure that the programs a user runs don't have greater access to objects than the user does.
A subject is the combination of the user's access token plus the program acting on the user's behalf. Windows NT uses subjects to track and manage permissions for the programs each user runs.
When a program or process runs on the user's behalf, it is said to be running in the security context of that user. The security context controls what access the subject has to objects or system services. To accommodate the client-server model of Windows NT, two classes of subjects exist within the Windows NT security architecture:
• A simple subject is a process that was assigned a security context when the corresponding user logged on. It is not acting in the capacity of a protected server, which might have other subjects as clients.
• A server subject is a process implemented as a protected server (such as the Win32 subsystem), and it does have other subjects as clients. In this role, a server subject typically has the security context of those clients available for use when acting on their behalf.
In general, when a subject calls an object service through a protected subsystem, the subject's token is used within the service to determine who made the call and to decide whether the caller has sufficient access authority to perform the requested action.
Windows NT allows one process to take on the security attributes of another through a technique called impersonation. For example, a server process typically impersonates a client process to complete a task involving objects to which the server does not normally have access.
For more information on subjects and impersonation, see "Subjects and Impersonation" in Chapter 6, "Windows NT Security," of Microsoft® Windows NT® 4.0 Workstation Resource Kit.
User Accounts and Groups
The key to Windows NT security is the user accounts. An administrator can create as many accounts as are needed, and can include any user account in as many groups of accounts as are appropriate. The administrator can then permit or limit access to any computer resource to individual accounts or to groups.
A user account consists of all the information that defines a user to Windows NT. This includes such things as the user name and logon password, the groups in which the user account has membership, and the rights and permissions the user has for using the system and accessing its resources. For Windows NT Workstation, user accounts are managed with User Manager. For Windows NT Server, user accounts are managed with User Manager for Domains.
Administrators typically group users according to the types and degrees of network access their jobs require. For example, most accountants working at a certain level will probably need access to the same servers, directories, and files. By using group accounts, administrators can grant rights and permissions to multiple users at one time. Other users can be added to an existing group account at any time, instantly gaining the rights and permissions granted to the group account.
Global Versus Local Accounts
There are two types of group account, global and local:
• A global group consists of several user accounts from one domain that are grouped together under one group account name. A global group can contain user accounts from only a single domain—the domain where the global group was created. "Global" indicates that the group can be granted rights and permissions to use resources in multiple (global) domains. A global group can contain only user accounts and can be created only on a domain and not on a workstation or member server.
• A local group consists of user accounts and global groups from one or more domains, grouped together under one account name. Users and global groups from outside the local domain can be added to the local group only if they belong to a trusted domain. "Local" indicates that the group can be granted rights and permissions to use resources in only a single (local) domain. A local group can contain users and global groups, but it cannot contain other local groups.
Administrative Versus General User Accounts
Use separate accounts for administrative activity and general user activity. Individuals who do administrative work on the computer should each have two user accounts on the system: one for administrative tasks, and one for general activity. To avoid accidental changes to protected resources, the account with the least privilege that can do the task at hand should be used. For example, viruses can do much more damage if activated from an account with Administrator privileges.
Guest Account
An administrator can permit limited access for casual users through the built-in Guest account. If the computer is for public use, the Guest account can be used for public logons. Prohibit Guest from writing or deleting any files, directories, or registry keys (with the possible exception of a directory where information can be left).
In a standard security configuration, a computer that allows Guest access can also be used by other users for files that they don't want to be accessible to the general public. These users can log on with their own usernames and access files in directories on which they have set the appropriate permissions. They will want to be especially careful to log off or lock the workstation before they leave it.
For more on user accounts and group accounts, see Chapter 2, "Working with User and Group Accounts," of Microsoft® Windows NT® Server Version 4.0 Concepts and Planning.
For discretionary access and control, Windows NT has features that enable a user or administrator to decide who can access files and how the files will be accessed.
Logon Process
The Windows NT Logon Process provides for mandatory logon to identify users. Each user must have an account and must supply a password to access that account.
Before users can access any resource on a Windows NT computer, they must log on through the Logon Process so that the Security subsystem can authenticate their username and password. After successful authentication, whenever a user tries to access a protected object, the Security Reference Monitor runs an access validation routine against the user's security information to ensure the user has permission to access the object.
Logging On and Off
All users should always press ctrl+alt+del before logging on. Trojan horse programs designed to collect account passwords can appear as a logon screen that is there waiting for you. By pressing ctrl+alt+del you can foil these programs and get the secure logon screen provided by Windows NT.
Users should either log off or lock the workstation if they will be away from the computer for any length of time. Logging off allows other users to log on (if they know the password to an account); locking the workstation does not.
Logon Passwords
Anyone who knows a user name and the associated password can log on as that user. Users should take care to keep their passwords secret. Here are a few tips:
• Change passwords frequently, and avoid reusing passwords.
• Avoid using easily guessed words and words that appear in the dictionary. A phrase or a combination of letters and numbers works well.
• Don't write a password down—choose one that is easy for you to remember.
Administrators can set password enforcement options, which include minimum password length, minimum and maximum password age, password "uniqueness" (how often a password can be reused), and controls over whether a user can—or must—change his or her password. For more on password enforcement options, see "Setting User Password (Account) Policy" in Chapter 1, "Managing Windows NT Server Domains," of Microsoft Windows NT Server Version 4.0 Concepts and Planning.
A feature that is invisible to the user is the system-level encryption of their password so that it is never passed over the wire. This encryption prevents unauthorized discovery of a user's password through wire "sniffing."
Security Identifier (SID)
Each computer is assigned a unique security identifier (SID) during Windows NT setup when the machine name is entered; this ensures that it can be identified on the network. Almost all of the network services have this security information encoded in their registry entries during setup or subsequent installation. Because the SID identifies the computer or domain as well as the user, it is critical that it be unique to maintain support for current and future applications.
For a Windows NT workstation, Windows NT server, or Windows NT primary domain controller (PDC), the SID is computed to contain a statistically unique 96-bit number. For a Windows NT backup domain controller (BDC), the SID is identical to the SID of the PDC. This primary or machine SID is the prefix of the SIDs for all the user accounts and group accounts created on the computer. The SID is concatenated with the relative identifier (RID) of the account to create the account's unique identifier. For example, if you create several local accounts, using Regedit.exe to view the local user SIDs might show you these:
HKEY_USERS on Local Machine
S-1-5-21-191058668-193157475-1542849698-500 Administrator
S-1-5-21-191058668-193157475-1542849698-1000 User one
S-1-5-21-191058668-193157475-1542849698-1001 User two
S-1-5-21-191058668-193157475-1542849698-1002 User three
Note that only the last four digits are incremented as new accounts are added.
Note: Microsoft does not support systems that are installed by duplicating fully installed copies of Windows NT Workstation or Server. This gives both computers the same primary SID, making security impossible to maintain. The user accounts generated on both workstations will be numbered identically, and thus local users will have rights on other computers according to the order in which the account was created. File ownership for shared or removable media is also compromised, and security for these media becomes unmanageable.
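The SID layout shown above and the note on duplicated installations, worked in code. This is an added Python example, not code from the guide or from Windows NT; the RID start value of 1000, modelling only the built-in Administrator account (RID 500), and the account names are constructed assumptions.

```python
# Added example (not from the guide): split Windows NT account SIDs into the
# primary (machine/domain) prefix and the RID, and show why cloning an installed
# system, which gives both machines the same primary SID, makes account SIDs collide.
from dataclasses import dataclass
from typing import Dict, List, Tuple

# Constructed sample mirroring the guide's Regedit illustration.
SAMPLE_SIDS: Dict[str, str] = {
    "Administrator": "S-1-5-21-191058668-193157475-1542849698-500",
    "User one": "S-1-5-21-191058668-193157475-1542849698-1000",
    "User two": "S-1-5-21-191058668-193157475-1542849698-1001",
    "User three": "S-1-5-21-191058668-193157475-1542849698-1002",
}

BUILTIN_ADMINISTRATOR_RID = 500  # built-in Administrator; other built-in accounts are not modelled
FIRST_USER_RID = 1000            # assumed RID handed to the first account an administrator creates


@dataclass(frozen=True)
class Sid:
    """S-<revision>-<identifier authority>-<subauthority>-...-<subauthority>."""
    revision: int
    authority: int
    subauthorities: Tuple[int, ...]

    @classmethod
    def parse(cls, text: str) -> "Sid":
        parts = text.strip().split("-")
        if len(parts) < 4 or parts[0] != "S":
            raise ValueError(f"not a SID string: {text!r}")
        try:
            nums = [int(p) for p in parts[1:]]
        except ValueError:
            raise ValueError(f"non-numeric SID component in {text!r}") from None
        if nums[0] != 1:
            raise ValueError(f"unsupported SID revision in {text!r}")
        return cls(nums[0], nums[1], tuple(nums[2:]))

    def __str__(self) -> str:
        tail = "-".join(str(s) for s in self.subauthorities)
        return f"S-{self.revision}-{self.authority}-{tail}"

    @property
    def rid(self) -> int:
        """Relative identifier: the last subauthority, unique within one machine or domain."""
        return self.subauthorities[-1]

    @property
    def prefix(self) -> "Sid":
        """Primary (machine or domain) SID: everything except the RID. For S-1-5-21-a-b-c
        the three 32-bit values a, b, c are the statistically unique 96-bit number."""
        return Sid(self.revision, self.authority, self.subauthorities[:-1])

    def with_rid(self, rid: int) -> "Sid":
        return Sid(self.revision, self.authority, self.subauthorities + (rid,))


def split_account_sid(text: str) -> Tuple[str, int]:
    """Return (primary SID string, RID) for an account SID string."""
    sid = Sid.parse(text)
    return str(sid.prefix), sid.rid


def allocate_account_sids(machine_sid: str, names: List[str]) -> Dict[str, str]:
    """Assign account SIDs the way the guide describes: the machine SID is the prefix
    and the RID increments in creation order, starting at FIRST_USER_RID."""
    base = Sid.parse(machine_sid)
    sids = {"Administrator": str(base.with_rid(BUILTIN_ADMINISTRATOR_RID))}
    for offset, name in enumerate(names):
        sids[name] = str(base.with_rid(FIRST_USER_RID + offset))
    return sids


def colliding_accounts(machine_a: Dict[str, str], machine_b: Dict[str, str]) -> List[Tuple[str, str]]:
    """Pairs (name on A, name on B) whose SIDs are identical. Two independent installs
    have different primary SIDs, so nothing collides; a cloned install shares the prefix,
    so accounts collide purely by creation order, which is what the guide's note warns about."""
    by_sid_b = {sid: name for name, sid in machine_b.items()}
    return [(name, by_sid_b[sid]) for name, sid in machine_a.items() if sid in by_sid_b]


if __name__ == "__main__":
    machine = split_account_sid(SAMPLE_SIDS["Administrator"])[0]
    clone = allocate_account_sids(machine, ["alice", "bob"])  # same primary SID: a cloned install
    for pair in colliding_accounts(SAMPLE_SIDS, clone):
        print("same SID on both machines:", pair)
```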
The Microsoft Knowledge Base provides a variety of articles that outline specifications and how-to information for the proper deployment of Windows NT. Part I, "Windows NT Workstation Deployment," of the Windows NT 4.0 Workstation Resource Kit provides documentation on the deployment procedures for Windows NT 4.0 Workstation. Chapter 1, "Deploying Windows NT Server," of the Windows NT 4.0 Server Resource Kit provides deployment information for Windows NT 4.0 Server.
Control of Privileges
User accounts are managed centrally. The administrator can specify group memberships, logon hours, account expiration dates, and other user account parameters via easy-to-use graphical tools. The administrator can audit all security-related events, such as logon attempts and user access to files, directories, printers, and other resources.
Prevention of Abuses
The administrator can set procedures to prevent abuses. For example:
• The system can be set to lock out a user after a prescribed number of failed logon attempts.
• Administrators can force password expiration, and set password complexity rules so that users are forced to choose passwords that are difficult to discover.
To prevent a user from logging on, an administrator can disable or delete the user account.
For information about how to disable and delete user accounts, see "Disabling and Enabling User Accounts" and "Deleting User Accounts" in User Manager for Domains Help.
Immediate Action
Even though the assignment of privileges is stored in a secure area of the registry, the operating system determines the level of a user's privileges by examining the user's access token. The access token is built at the time the user logs on to the local computer or connects to a remote computer. When you revoke a privilege, the registry is changed immediately, but the change is not reflected in the user's access token until the next time the user logs on (or connects).
To revoke a user's privilege immediately
Privileges have scope only for a single computer. Thus, to revoke a privilege immediately, the administrator must:
1. Revoke the user rights assignment on the computer in question.
2. Forcibly log the user off the computer.
Discretionary Access Control Lists
An administrator uses discretionary access control lists (DACLs) to provide discretionary access control to specific objects. Each DACL is made up of access control entries (ACEs), which specify access or auditing permissions to that object for one user or group of users. There are three ACE types:
• AccessAllowed grants access to a user or group of users.
• AccessDenied denies access. The first AccessDenied ACE denies the user access to the resource, and no further processing of ACEs occurs.
• SystemAudit is a system security ACE, used to keep a log of security events (such as who accesses which files) and to generate and log security audit messages.
The following information on DACLs is digested from "Access Control Lists and Access Control Entries" in Chapter 6, "Windows NT Security," of Microsoft® Windows NT® 4.0 Workstation Resource Kit. For more detail on DACLs, and specific access rights for Windows NT objects, see Appendix B.
Object Types
The type of permissions that can be granted or denied for an object are dictated by the object's type. For example, you can specify permissions like Manage Documents and Print for a printer queue, and for a directory you can specify Read, Write, Execute, and so on.
Another quality that affects the permissions of an object is whether that object is a container object or a noncontainer object. A container object is one that logically contains other objects; noncontainer objects do not contain other objects. For example, a directory is a container object that logically contains files and other directories. Files are noncontainer objects.
This distinction between container and noncontainer objects is important because objects within a container object can inherit certain permissions from the parent container. By default, when you create new objects within a container object, the new objects inherit permissions from the parent.
In the case of files and directories, when you change permissions on a directory, those changes affect that directory and its files but do not automatically apply to existing subdirectories and their contents. They do, however, if you check the Replace Permissions On Existing Files checkbox as in the following illustration. You can apply the changed permissions to existing subdirectories and their files by selecting the Replace Permissions On Subdirectories check box.
Access Masks
Each ACE includes an access mask, which defines all possible actions for a particular object type. Permissions are granted or denied on the basis of this access mask. There are three types of access:
• Specific access types. Each object type can have up to 16 access types. Collectively, the access types for a particular object type are called the specific access mask.
• Standard access types. These apply to all objects and consist of these access permissions: SYNCHRONIZE, to synchronize access and to allow a process to wait for an object to enter the signaled state; WRITE_OWNER, to assign write owner; WRITE_DAC, to grant or deny write access to the DACL; READ_CONTROL, to grant or deny read access to the security descriptor and owner; and DELETE, to grant or deny delete access.
• Generic access types. These are broad types of access whose exact implementation is determined by the application defining an object. These rights are used when protecting an object. Although specific and standard types appear in the security log, generic types do not. Instead, the corresponding specific and standard types are listed.
Access Validation
When a user tries to access an object, Windows NT compares security information in the user's access token with the security information in the object's security descriptor. A desired access mask for the subject is created based on what type of access the user is attempting. This desired access mask, usually created by a program that the user is running, is compared with the object's DACL. Each ACE in the DACL is evaluated in this way:
1. The SID in the ACE is compared with the set of SIDs in the user's access token. If a match is not found, the ACE is skipped. Further processing is based upon the type of the ACE. AccessDenied ACEs are ordered (and therefore processed) before AccessAllowed ACEs.
2. If access is denied, the system checks whether the original desired access mask contained only READ_CONTROL and/or WRITE_DAC. If so, the system also checks whether the requester is the owner of the object. In this case, access is granted.
3. For an AccessDenied ACE, the accesses in the ACE access mask are compared with the desired access mask. If any access appears in both masks, further processing is not necessary, and access is denied. Otherwise, processing continues with the next ACE.
4. For an AccessAllowed ACE, the accesses in the ACE are compared with those listed in the desired access mask. If all accesses in the desired access mask are matched by the ACE, no further processing is necessary, and access is granted. Otherwise, processing continues with the next ACE.
5. At the end of the ACL, if the contents of the desired access mask are still not completely matched, access is implicitly denied.
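The five-step access validation above, together with the ACE types and access masks from the preceding sections, as an added Python simulation (not code from the guide or from Windows NT). The access bit values, the SIDs, the sample DACL and the tokens are constructed for the example; the real NT constants differ.

```python
# Added example (not from the guide): simulate the DACL walk the guide describes,
# with AccessDenied ACEs evaluated first and the owner's implicit READ_CONTROL /
# WRITE_DAC access applied when the walk would otherwise deny.
from dataclasses import dataclass
from enum import Enum, IntFlag
from typing import FrozenSet, Tuple


class Access(IntFlag):
    # Standard access types named in the guide; bit values are constructed
    # for this example, not the real NT constants.
    DELETE = 1 << 0
    READ_CONTROL = 1 << 1
    WRITE_DAC = 1 << 2
    WRITE_OWNER = 1 << 3
    SYNCHRONIZE = 1 << 4
    # Constructed specific access types for a file-like object type.
    FILE_READ = 1 << 8
    FILE_WRITE = 1 << 9
    FILE_EXECUTE = 1 << 10


# Accesses an owner gets even when no ACE grants them (guide, step 2).
OWNER_IMPLICIT = int(Access.READ_CONTROL | Access.WRITE_DAC)


class AceType(Enum):
    ACCESS_ALLOWED = "AccessAllowed"
    ACCESS_DENIED = "AccessDenied"
    SYSTEM_AUDIT = "SystemAudit"  # produces audit records; never grants or denies


@dataclass(frozen=True)
class Ace:
    kind: AceType
    sid: str   # user or group SID this entry applies to
    mask: int  # Access bits this entry allows, denies or audits


@dataclass(frozen=True)
class SecurityDescriptor:
    owner_sid: str
    dacl: Tuple[Ace, ...]


@dataclass(frozen=True)
class AccessToken:
    user_sid: str
    group_sids: FrozenSet[str]

    def sids(self) -> FrozenSet[str]:
        return self.group_sids | {self.user_sid}


def access_check(token: AccessToken, sd: SecurityDescriptor, desired: int) -> Tuple[bool, str]:
    """Return (granted, reason) for one access request, following the guide's steps."""
    token_sids = token.sids()
    desired = int(desired)
    # Step 1: AccessDenied ACEs are ordered, and so processed, before AccessAllowed
    # ones wherever they sit in the list. SystemAudit ACEs play no part in the decision.
    ordered = [a for a in sd.dacl if a.kind is AceType.ACCESS_DENIED] + \
              [a for a in sd.dacl if a.kind is AceType.ACCESS_ALLOWED]
    remaining = desired  # desired accesses not yet matched by an AccessAllowed ACE
    for ace in ordered:
        if ace.sid not in token_sids:
            continue  # step 1: SID not in the token, skip this ACE
        if ace.kind is AceType.ACCESS_DENIED:
            if int(ace.mask) & remaining:  # step 3: any overlap denies and the walk stops
                return _owner_exception(token, sd, desired, f"AccessDenied ACE for {ace.sid} matches")
            continue
        remaining &= ~int(ace.mask)  # step 4: remove what this ACE grants
        if remaining == 0:
            return True, f"granted: AccessAllowed ACE for {ace.sid} completed the desired mask"
    # Step 5: end of the ACL with accesses still unmatched.
    return _owner_exception(token, sd, desired, "end of DACL reached with accesses still unmatched")


def _owner_exception(token: AccessToken, sd: SecurityDescriptor, desired: int, deny_reason: str) -> Tuple[bool, str]:
    # Step 2: a denial is overridden when the original desired mask holds only
    # READ_CONTROL and/or WRITE_DAC and the requester owns the object.
    if desired and (desired & ~OWNER_IMPLICIT) == 0 and token.user_sid == sd.owner_sid:
        return True, "granted: owner requesting only READ_CONTROL/WRITE_DAC"
    return False, f"denied: {deny_reason}"


# Constructed SIDs and sample security descriptor. The AccessDenied entry is listed
# after an AccessAllowed one on purpose, to show that the ordering rule is enforced.
PREFIX = "S-1-5-21-1-2-3"
ADMIN_SID, USER1_SID, USER2_SID, USERS_GROUP_SID = (f"{PREFIX}-{rid}" for rid in (500, 1000, 1001, 513))
ALL_FILE_ACCESS = int(Access.FILE_READ | Access.FILE_WRITE | Access.FILE_EXECUTE | Access.DELETE
                      | Access.READ_CONTROL | Access.WRITE_DAC | Access.WRITE_OWNER)
SAMPLE_SD = SecurityDescriptor(owner_sid=USER2_SID, dacl=(
    Ace(AceType.ACCESS_ALLOWED, USERS_GROUP_SID, int(Access.FILE_READ | Access.FILE_EXECUTE)),
    Ace(AceType.ACCESS_DENIED, USER1_SID, int(Access.FILE_WRITE)),
    Ace(AceType.ACCESS_ALLOWED, ADMIN_SID, ALL_FILE_ACCESS),
    Ace(AceType.SYSTEM_AUDIT, USERS_GROUP_SID, int(Access.FILE_WRITE)),
))
TOKEN_USER1 = AccessToken(USER1_SID, frozenset({USERS_GROUP_SID}))
TOKEN_USER2 = AccessToken(USER2_SID, frozenset({USERS_GROUP_SID}))  # User two owns SAMPLE_SD
TOKEN_ADMIN = AccessToken(ADMIN_SID, frozenset({USERS_GROUP_SID}))
```

Running `access_check(TOKEN_USER1, SAMPLE_SD, Access.FILE_READ | Access.FILE_WRITE)` is denied by the AccessDenied entry even though an AccessAllowed entry precedes it in the list, while `access_check(TOKEN_USER2, SAMPLE_SD, Access.WRITE_DAC)` succeeds only because User two owns the object.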
Other uses of Windows NT can be controlled, such as access to printers and network-server sharepoints. These features are discussed in detail in the product documentation for Windows NT and in the Windows NT resource kits.
File and Directory Protection
An administrator can set a range of file protections on a per-file or per-directory basis. The permissions can be on a per-user or per-group basis. Specific files to protect are discussed in Chapter 2 of this manual, in the "Protecting Files and Directories" section under "High-Level Security."
Registry Protection
Since the registry is the repository of all system configuration information, it is important to protect it from unauthorized changes. At the same time, individuals and programs that need to access or alter information in the registry must be allowed to do so. Protection of registry keys is discussed later in this manual, in the "Protecting the Registry" sections under "Standard Security" and "High-Level Security."
For more about protecting keys in the registry, see Appendix A, "Windows NT Registry," of Microsoft Windows NT Server Version 4.0 Concepts and Planning. For more about the registry and the Registry Editor, see Part V, "Windows NT Registry," of the Windows NT Workstation 4.0 Resource Kit.
Printer Protection
Central control of printing through a print server allows the print server administrator to specify which client computers, or which users, are allowed to print to which network printers. A domain may have many print servers, and each of those servers may serve many printers. The domain administrator may allow full discretion to each print server administrator or may set domain-wide printing policies that cannot be overridden at the print server level.
For more about printer access settings, see "Planning How Users Access Printers" in Chapter 5, "Setting Up Print Servers," of Windows NT Server 4.0 Concepts and Planning.
Secure Attention Sequence
Identification and authentication in Windows NT are achieved through the logon Secure Attention Sequence. All users must log on to start Windows NT. Before Windows NT users type their usernames and passwords to log on locally, they must first press CONTROL+ALT+DELETE. This key combination interrupts any program that may be running, including any Trojan horse program that may have been surreptitiously installed. (A Trojan horse is a program that can capture a user's logon information, thereby providing network access.) Because each user has a unique username, domain name, and password combination, Windows NT can assure a user's unique identity.
Object Reuse
One of the important issues in software security is object reuse. In a secure operating system, such as Windows NT, all allocation and deallocation of objects (such as files, directories, and memory) must be protected. Only users with proper access permissions should be allowed access. In Windows NT, administrators achieve this through a robust object manager that either initializes or zeroes out objects before presenting them to a user.
Performance Monitoring
The Windows NT Performance Monitor not only helps administrators fine-tune performance, it can also give warning of approaching problems before they are noticeable by the computer user. Performance Monitor can also help you spot the activity of a virus (by spotting performance degradation) or an attempted break-in (by tracking logon attempts). Performance Monitor can be set to send an alert to one or more administrators when certain events occur.
For more about Performance Monitor, see Chapter 8, "Monitoring Performance," in Windows NT Workstation 4.0 Concepts and Planning; and Part III, "Optimizing Windows NT Workstation," in the Windows NT Workstation 4.0 Resource Kit.
Note: Performance Monitor is an optional service that should not be enabled if a system is to be qualified at the C2 level. It was not included in the networked C2 evaluation.
Event Log
Windows NT Server includes software to write information to the security event log and to audit the log for possible attempts to breach security. You can log things like:
| • | Access to files. |
| • | Invalid logon attempts. |
| • | All logons. |
The Audit policy, set by the administrator, controls what types of events are recorded in the security log.
For more about the security log, see Chapter 9, "Monitoring Events," in Microsoft Windows NT Server Version 4.0 Concepts and Planning; and Chapter 6, "Windows NT Security," and Appendix B, "Security In a Software Development Environment," in the Windows NT Workstation 4.0 Resource Kit.
Windows NT enables you to manage what your users can and cannot do by creating profiles for each of your users and restricting their access to files and servers. But no amount of planning will cover all of the ways people can cause damage to data on your computers or to the computers themselves. Thus an important area to consider in your planning is minimizing the effects of human error or deliberate sabotage attempts. If anyone can walk up to your computer running Windows NT and restart it, no amount of security that you implement by using software can protect your computer. Not only can they damage information on the computer, but they can steal information from your computer.
Access to Hardware
Administrators and users can implement procedures that restrict people's physical access to a facility, or to only those areas they need to enter:
| • | Put your computers in a secure room. |
| • | Lock both the room and the computers. |
| • | Use a password on your screen saver. |
| • | Run virus checks on floppy disks before you use them. Or disable the floppy disk, which you can sometimes do by using BIOS options. Otherwise, you can physically disconnect it. |
| • | Run virus checks on your computer. |
Servers that have externally accessible devices (e.g., hot-swappable disks) should be locked in a secured area away from untrusted users.
Warning: Do not introduce unknown media to the configuration, such as floppy disks and tapes that may contain sensitive information. In addition, since access to tapes is not protected by Windows NT, tape devices should only be installed in server configurations that are physically protected and do not allow untrusted users to log on. Only removable media devices that do not support downloadable firmware should be installed; this protects against the possibility of attacking the system via insertion of media into such devices.
Backup and Storage
Consider security when you develop your backup and storage procedures. Specifically, consider the risk of inadvertent disclosure when moving media from one machine to another. Backup media need to be carefully controlled and kept logically associated with the machine that generated them, because the DACLs stored in a backup identify users and groups by security IDs that are meaningful only on the machine or domain that issued them; restored on a different platform, the permissions may not mean the same thing.
For more information on security considerations in doing backup, see the following references:
| • | "Setting Tape Options," "Granting Backup and Restore Privileges," and "Setting Log Options for Backup and Restore" in Chapter 6, "Backing Up and Restoring Network Files," in Windows NT Server 4.0 Concepts and Planning |
| • | "Cacls: Changes ACLs of NTFS Files and Folders," in Chapter 22, "Disk, File System, and Backup Utilities," in the Windows NT Workstation 4.0 Resource Kit. |
Access to the Network
When you put a computer on a network, you add an access route to the computer. The two risks from network connections are other users on the network and unauthorized taps on the network. If everyone on the network has the security clearance needed to access your secure computer, you will probably prefer to include the computer in the network, to make it easier for these people to access data on the computer.
Warning: UDP and TCP do not themselves identify, authenticate, or restrict potential clients. As a result, each server should implement its own mechanisms (for example, passwords, a cryptographic scheme, or alternate protected communication mechanisms) to control access to the UDP and TCP ports it listens on. TCP establishes a connection between a server and a client, so an access decision can be made once per connection; UDP is connectionless, so any mechanism you implement must be applied to each individual packet. Neither protocol by itself provides confidentiality for the data it carries.
Using Windows NT, an administrator can audit all security events and user actions. User Manager enables you to specify which events (such as logon or file access) will be monitored. All audited information is stored in the Event Log, which can be viewed in Event Viewer.
Auditing is built into Windows NT. This allows you to track which user account was used to attempt what kind of access to files or other objects. Auditing also can be used to track logon attempts, system shutdowns or restarts, and similar events.
Audit Features
Windows NT includes auditing features you can use to collect information about how your system is being used. These features also allow you to monitor events related to system security, to identify any security breaches, and to determine the extent and location of any damage. The level of audited events is adjustable to suit the needs of your organization. Some organizations need little auditing information, whereas others would be willing to trade some performance and disk space for detailed information they could use to analyze their system.
Note: When you enable auditing, there is a small performance overhead for each audit check the system performs.
Windows NT can track events related to the operating system itself and to individual applications. Each application can define its own auditable events. Definitions of these events are added to the registry when the application is installed on your Windows NT computer.
Audit Record Format
Audit events are identified to the system by the event source module name (which corresponds to a specific event type in the registry) and an event ID. The domain administrator can receive audit logs from all machines in the network and compare them to track the actions of any user. However, there is no central network audit trail. Rather, audit records are maintained by individual machines, each of which enforces its own security policy.
Warning: Keep the clocks of all workstations in the network synchronized, and check them regularly. Otherwise, clock drift between workstations can make events from their separate logs appear out of sequence when you compare them; for example, a user could appear to have logged off before logging on if clock drift is not taken into account.
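The comparison the paragraphs above describe, as an added example that is not part of the original guide: a Python script that merges logon/logoff records from several machines, shifts each machine's timestamps by a measured clock offset, and flags sequences that are impossible for one person (a logoff with no matching logon, or a logon while a session is still open on another machine). The record layout, the field names, the sample records and the offsets are constructed for illustration; they are not the Windows NT audit record format.

```python
"""Correlate per-machine Security logs with clock-drift correction.

Added example, not from the original guide. Windows NT keeps a separate
security log on each machine and no central audit trail, so an administrator
who compares logs must first put them on a common clock.
"""
from datetime import datetime, timedelta

# Constructed sample records: (machine, local timestamp, action, user).
# This flat layout is an assumption for the example, not the NT record format.
RAW_RECORDS = [
    ("WKS1", "1998-03-02 09:00:00", "logon",  "alice"),
    ("WKS1", "1998-03-02 09:30:00", "logoff", "alice"),
    ("WKS2", "1998-03-02 09:25:00", "logon",  "alice"),  # WKS2 clock runs 10 min slow
    ("WKS2", "1998-03-02 09:50:00", "logoff", "alice"),
]

# Measured offset of each machine's clock relative to the reference clock
# (machine_clock - reference_clock). Constructed values.
CLOCK_OFFSETS = {"WKS1": timedelta(0), "WKS2": timedelta(minutes=-10)}

FMT = "%Y-%m-%d %H:%M:%S"


def parse(records):
    """Turn the textual timestamps into datetime objects."""
    return [(m, datetime.strptime(ts, FMT), act, user) for m, ts, act, user in records]


def correct_clocks(records, offsets):
    """Shift each machine's timestamps onto the reference clock."""
    return [(m, ts - offsets.get(m, timedelta(0)), act, user)
            for m, ts, act, user in records]


def sequence_anomalies(records):
    """Merge all machines' records, walk each user's logon/logoff sequence in
    time order, and return (user, machine, timestamp, reason) for every event
    that cannot be explained by one person acting in sequence."""
    open_sessions = {}  # user -> machine on which a session is currently open
    anomalies = []
    for m, ts, act, user in sorted(records, key=lambda r: r[1]):
        if act == "logon":
            if user in open_sessions and open_sessions[user] != m:
                anomalies.append((user, m, ts,
                                  f"logon while session open on {open_sessions[user]}"))
            open_sessions[user] = m
        elif act == "logoff":
            if open_sessions.get(user) != m:
                anomalies.append((user, m, ts, "logoff with no matching logon"))
            else:
                del open_sessions[user]
    return anomalies


if __name__ == "__main__":
    raw = parse(RAW_RECORDS)
    print("uncorrected:", sequence_anomalies(raw))
    print("corrected:  ", sequence_anomalies(correct_clocks(raw, CLOCK_OFFSETS)))
```

Run against the raw records the script reports two anomalies for alice; once the offsets are applied it reports none, which is the effect the warning above describes. In practice the offsets would be measured against a reference clock (for example, the domain controller) at the time the logs are collected, and any machine whose offset is large enough to reorder events should have its clock corrected before its log is trusted.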
In addition to listing events by event ID, the security log in Event Viewer lists them by category. The following categories of events are displayed in the Security Log. (Those in parentheses are found in the Audit Policy dialog box of User Manager.)
Table 1.1 Security Log Event Categories
| Category | Meaning |
| Account Management (User and Group Management) | These events describe high-level changes to the user accounts database, such as User Created or Group Membership Change. Potentially, a more detailed, object-level audit is also performed (see Object Access events). |
| Detailed Tracking (Process Tracking) | These events provide detailed subject-tracking information. This includes information such as program activation, handle duplication, and indirect object access. |
| Logon/Logoff | These events describe a single logon or logoff attempt, whether successful or unsuccessful. Included in each logon description is an indication of what type of logon was requested or performed (that is, interactive, network, or service). |
| Object Access | These events describe both successful and unsuccessful accesses to protected objects. |
| Policy Change | These events describe high-level changes to the security policy database, such as assignment of privileges or logon capabilities. Potentially, a more detailed, object-level audit is also performed (see Object Access events). |
| Privilege Use | These events describe both successful and unsuccessful attempts to use privileges. They also include information about when some special privileges are assigned. These special privileges are audited only at assignment time, not at time of use. |
| System Event (System) | These events indicate that something affecting the security of the entire system or of the audit log occurred. |
For a depiction of the audit record format and an explanation of its fields, see Chapter 9, "Monitoring Events," of Microsoft® Windows NT® Server Version 4.0 Concepts and Planning. For examples of audited security events, see "Security Event Examples" in Chapter 6, "Windows NT Security," in the Windows NT Workstation 4.0 Resource Kit.
Audit Record Loss Potential
The LSA and the Security Reference Monitor (SRM) each construct audit records. Such records can be lost from the LSA and SRM record queues, depending on the value of the CrashOnAuditFail entry in the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa.
The SRM constructs audit events for all the categories except Logon/Logoff, Account Management, and Policy Change. The SRM generates an audit record when requested by a user-mode server with the audit privilege or by an executive subsystem. The SRM then places the record, as a message, in its audit record queue. Records in this queue are sent to the LSA, where they are queued for processing and formatting.
The SRM maintains high and low water marks for its queue. If the CrashOnAuditFail value is 0 (or absent) and the high water mark is reached, the SRM discards newly generated records until the queue drains to the low water mark, and it generates a nondiscardable audit event telling how many records were discarded. The following is the entry for this nondiscardable audit event in the security log.
Event ID: 516
Type: Success Audit
Description: Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits.
Number of audit messages discarded: N
Audit records can also be discarded if the capacity of the LSA queue is exceeded. The LSA generates a nondiscardable audit event indicating how many records were discarded. The format of the security log entry is the same as above.
If CrashOnAuditFail is set to 1, the system will shut down when either the SRM or LSA queue is full. When the computer is restarted, only members of the Administrators group can log on until the Security log is cleared. This gives an administrator the opportunity to save the log. The maximum number of audit events that could be lost in such a shutdown equals the combined capacities of the two queues:
SRM high water mark: ULONG = 12,288 event records
LSA queue capacity: 500 event records.
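To see how much of an audit trail has already been lost, as an added example that is not part of the original guide: a Python script that scans a security log saved as text for event ID 516, totals the discarded records, and reports the worst-case loss given above for a CrashOnAuditFail shutdown. The one-line-per-record layout of the sample log is an assumption for this example (Event Viewer's own save formats differ), and the sample records are constructed.

```python
"""Find event 516 (audit records discarded) in a text copy of a security log.

Added example, not from the original guide. A 516 record means the log is
incomplete before that point; the count in its description is the only
evidence of how many records were lost.
"""
import re

# Queue capacities stated in the guide: a CrashOnAuditFail=1 halt can lose
# at most the contents of both queues.
SRM_HIGH_WATER_MARK = 12288
LSA_QUEUE_CAPACITY = 500
AUDIT_LOSS_EVENT_ID = 516

# Constructed sample log. Layout (assumed for this example):
#   date time source event-id type description
SAMPLE_LOG = """\
3/2/1998 09:00:01 Security 528 Success Audit Successful Logon: User Name: alice
3/2/1998 09:14:22 Security 516 Success Audit Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: 1240
3/2/1998 09:14:30 Security 560 Success Audit Object Open: Object Name: C:\\payroll\\q1.xls
3/2/1998 11:02:07 Security 516 Success Audit Internal resources allocated for the queuing of audit messages have been exhausted, leading to the loss of some audits. Number of audit messages discarded: 37
3/2/1998 11:30:00 Security 517 Success Audit The audit log was cleared.
"""

RECORD_RE = re.compile(r"^(?P<stamp>\S+ \S+) (?P<source>\S+) (?P<id>\d+) "
                       r"(?P<type>Success Audit|Failure Audit) (?P<desc>.*)$")
DISCARDED_RE = re.compile(r"Number of audit messages discarded:\s*(\d+)")


def parse_records(log_text):
    """Yield (timestamp, event_id, type, description) for each well-formed line."""
    for line in log_text.splitlines():
        m = RECORD_RE.match(line)
        if m:
            yield m["stamp"], int(m["id"]), m["type"], m["desc"]


def audit_loss_events(log_text):
    """Return [(timestamp, discarded_count)] for every event 516 in the log."""
    losses = []
    for stamp, event_id, _type, desc in parse_records(log_text):
        if event_id == AUDIT_LOSS_EVENT_ID:
            n = DISCARDED_RE.search(desc)
            losses.append((stamp, int(n.group(1)) if n else 0))
    return losses


def total_discarded(log_text):
    """Total number of audit records the log itself admits to having lost."""
    return sum(n for _stamp, n in audit_loss_events(log_text))


def max_loss_on_halt():
    """Upper bound on records lost when CrashOnAuditFail=1 halts the system."""
    return SRM_HIGH_WATER_MARK + LSA_QUEUE_CAPACITY


if __name__ == "__main__":
    for stamp, n in audit_loss_events(SAMPLE_LOG):
        print(f"{stamp}: {n} audit records discarded; log is incomplete before this point")
    print("total discarded:", total_discarded(SAMPLE_LOG))
    print("worst case under CrashOnAuditFail=1:", max_loss_on_halt())
```

Both queues are in the same machine, so a log with several 516 records over a short period is a sign that the machine is generating audits faster than the LSA can write them; the remedies are to reduce the audited categories or to set CrashOnAuditFail to 1, accepting the bounded loss and the halt instead of an unbounded silent loss.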
Halting the Computer When the Security Log is Full
If the security log is set either to "Overwrite Events Older than n Days" or to "Do Not Overwrite Events (Clear Log Manually)", the log can become full, after which no new audit records can be written. You can have Windows NT halt rather than allow auditable activity to continue unrecorded. To do so, create or set a registry value using the following procedure.
To have the system shut down when log capacity is reached
1. | Use Registry Editor to go to the HKEY_LOCAL_MACHINE\SYSTEM subtree. |
2. | Go to the following key: \CurrentControlSet\Control\Lsa. |
3. | Add the following value. Value name: CrashOnAuditFail; Type: REG_DWORD; Data: 1. The change takes effect the next time the computer is started. You can update the Emergency Repair Disk to reflect this change. |
If Windows NT Server halts as a result of a full security log, the system must be restarted and reconfigured to prevent auditable activities from occurring again while the log is full. After the system is restarted, only administrators can log on until the security log is cleared. For more information on recovering after Windows NT halts, see the "Recovering After Windows NT Halts Because it Cannot Generate an Audit Event Record" in Event Viewer Help.
When a log is full (when no more events can be logged), you can free the log by clearing it. Reducing the amount of time you keep an event also frees the log if it allows the next record to be overwritten. For information on how to clear a log, see "Clearing All Events" in Event Viewer Help.
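The procedure above, as an added example that is not part of the original guide: a Python script that checks a REGEDIT4 export of the Lsa key (the text format the Windows NT 4.0 Registry Editor writes when you export a key; the export here is constructed) for the CrashOnAuditFail value, explains what the setting means, and emits the corrective fragment that Registry Editor can import. The meaning given for the value 2 is Windows NT behaviour after a halt that this page does not describe; the meanings of 0 and 1 are as described above.

```python
"""Audit the CrashOnAuditFail setting from a REGEDIT4 export.

Added example, not from the original guide. Checking an exported copy lets
you review many machines' settings offline without running Registry Editor
on each one.
"""
import re

LSA_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

# Constructed export of the Lsa key as REGEDIT4 text (weak setting: 0).
# The two "Example*" values are fillers to exercise the parser.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"CrashOnAuditFail"=dword:00000000
"ExampleString"="abc"
"ExampleBinary"=hex:00,01
"""

# Corrected setting, in the form Registry Editor imports.
CORRECTIVE_FRAGMENT = f"""REGEDIT4

[{LSA_KEY}]
"CrashOnAuditFail"=dword:00000001
"""

VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.*)$')


def decode_data(data):
    """Decode the REGEDIT4 data syntax for the types this check needs."""
    if data.startswith("dword:"):
        return ("REG_DWORD", int(data[len("dword:"):], 16))
    if data.startswith('"') and data.endswith('"'):
        return ("REG_SZ", data[1:-1])
    return ("RAW", data)          # hex(...) and other types are left undecoded


def parse_reg_export(text):
    """Return {key_path: {value_name: (type, data)}} for a REGEDIT4 export."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        m = VALUE_RE.match(line)
        if m and current is not None:
            keys[current][m["name"]] = decode_data(m["data"])
    return keys


def crash_on_audit_fail(keys):
    """Effective CrashOnAuditFail: an absent value behaves as 0."""
    return keys.get(LSA_KEY, {}).get("CrashOnAuditFail", ("REG_DWORD", 0))[1]


def assess(keys):
    """Return (value, explanation) for the setting found in the export."""
    meaning = {
        0: "audit records beyond the queue capacity are discarded; only event 516 records the loss",
        1: "system halts when the SRM or LSA queue fills; at most 12,788 records are lost",
        2: "written by the system after such a halt; only Administrators can log on "
           "until the security log is cleared and the value is reset to 1 (NT behaviour, not on this page)",
    }
    value = crash_on_audit_fail(keys)
    return value, meaning.get(value, "unexpected value; treat as misconfigured")


def remediation(keys):
    """The fragment to import when halting is not enabled, else None."""
    return None if crash_on_audit_fail(keys) == 1 else CORRECTIVE_FRAGMENT


if __name__ == "__main__":
    exported = parse_reg_export(SAMPLE_EXPORT)
    print("CrashOnAuditFail =", *assess(exported))
    fix = remediation(exported)
    if fix:
        print("import the following with Registry Editor and restart:\n" + fix)
```

The check reads the exported text only; it never touches a live registry, so it is safe to run on a collection of exports gathered from every machine whose audit trail must be complete. After importing the fragment, restart the machine, because the value is read when the LSA starts.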
Additional Resources
| • | For more information about security policies, see Chapter 2, "Network Security and Domain Planning," in the Microsoft®Windows NT® Server Networking Guide. |
| • | For more information about security features, see Chapter 3, "Managing User Work Environments," and Chapter 4, "Managing Shared Resources and Resource Security," in Microsoft®Windows NT® Server Concepts and Planning. |
| • | For more information about discretionary access control, physical security, and security features available when you are running Windows NT, see Chapter 6, "Windows NT Workstation Security Model," in the Microsoft®Windows NT® Workstation Resource Guide. |
| • | For a discussion of physical isolation in a network connected to the Internet, see "Physical Isolation" in Chapter 3, "Server Security on the Internet," in the Microsoft®Windows NT® Server Internet Guide. |
Microsoft® Windows NT® allows administrators to establish a range of levels of security, from none at all to the discretionary access control that many government agencies require. This chapter describes three levels of security—"Minimal," "Standard," and "High"—and the options used to provide each level. These levels are arbitrary, and you will probably want to create your own "level" by blending characteristics of the levels presented here.
Discretionary access control at the C2 level is a form of "High" security but is not specifically discussed here; Chapter 3 gives step-by-step instructions for achieving C2 security.
Note: C2 is not "high" security by U.S. government standards: levels A and B provide greater security. However, C2 is a high rating for business computing products.
Why not have maximum security at all times? One reason is that the limits you set on access to computer resources make it a little harder for people to work with the protected resources. Another reason is that it is extra work to set up and maintain the protections you want. For example, if only users who are members of the Human Resources (HR) user group are allowed to access employee records, and a new person is hired to do that job, then someone needs to set up an account for the new hire and add that account to the HR group. If the new account is created but not added to HR, the new hire cannot access the employee records and therefore cannot perform his or her job.
If the security is too tight, users will try to circumvent security in order to get work done. For example, if you set the password policy so that passwords are hard to remember, users will write them down to avoid being locked out. If some users are blocked from files they need to use, their colleagues might share their own passwords in order to promote the flow of work.
The first step in establishing security is to make an accurate assessment of your needs. Then choose the elements of security that you want, and implement them. Make sure your users know what they need to do to maintain security, and why it is important. Finally, monitor your system and make adjustments as needed.
You might not be concerned with security at all if the computer is not used to store or access sensitive data or if it is in a very secure location. For example, if the computer is in the home office of a sole proprietor of a business, or if it is used as a test machine in the locked lab of a software development company, then security precautions might be unnecessarily cumbersome. Windows NT allows you to make the system fully accessible, with no protections at all, if that is what your setup requires.
Nevertheless you should take the precautions you would with any piece of valuable equipment to protect against casual theft. This step can include locking the room the computer is in when no one is there to keep an eye on it, or using a locked cable to attach the unit to a wall. You might also want to establish procedures for moving or repairing the computer so that the computer or its components cannot be taken under false pretenses.
Use a surge protector or power conditioner to protect the computer and its peripherals from power spikes. Also, perform regular disk scans and defragmentation to isolate bad sectors and to maintain the highest possible disk performance.
By default, access is limited to certain files. For minimal security, give the Everyone group full access to all files.
You should still take precautions against viruses, since they can disable programs you want to use or use the minimally secure computer as a vector to infect other computer systems.
For a fuller discussion of minimal security, see Chapter 6, "Windows NT Security," in the Microsoft® Windows NT® Workstation Version 4.0 Resource Kit.
Most often, computers are used to store sensitive and/or valuable data. This data could be anything from financial data to personnel files to personal correspondence. Also, you might need to protect against accidental or deliberate changes to the way the computer is set up. But the computer's users need to be able to do their work, with minimal barriers to the resources they need.
General guidelines for standard security are as follows:
| • | Physical Security. The computer should be protected as any valuable equipment would be. Generally, this involves keeping it in a building that is locked to unauthorized users. You might want to use a cable and lock to secure the computer to its location. |
| • | Logging Off or Locking the Workstation. Logging off allows other users to log on (if they know the password for an account); locking the workstation does not. The workstation can be set to lock automatically if it is not used for a set period of time by using any 32-bit screen saver with the Password Protected option. For information about setting up screen savers, see Windows NT Workstation Help. |
| • | Off-the-Shelf versus Custom Software. If you are using software made especially for your installation, or shareware that you aren't sure you can trust, you might want to look at Appendix B, "Security In a Software Development Environment," in the Windows NT Workstation 4.0 Resource Kit. This provides information on settings and calls that can support—or circumvent—security settings. |
| • | Displaying a Legal Notice Before Logon. Windows NT can display a message box with the caption and text of your choice before a user logs on. Many organizations use this message box to display a warning message that notifies potential users that they can be held legally liable if they attempt to use the computer without having been properly authorized to do so. |
| • | User Accounts and Groups. With standard security, a user account (user name) and password should be required in order to use the computer. You can establish, delete, or disable user accounts with User Manager, which also allows you to set password policies and organize user accounts into Groups. |
| • | Administrative Accounts versus User Accounts. It is a good idea to rename the built-in Administrator account to something less obvious. This powerful account is the one account that can never be locked out due to repeated failed logon attempts, and consequently is attractive to hackers who try to break in by repeatedly guessing passwords. By renaming the account, you force hackers to guess the account name as well as the password. |
| • | Limiting the Guest Account. Prohibit Guest from writing or deleting any files, directories, or registry keys (with the possible exception of a directory where information can be placed). |
| • | Backups. Regular backups protect your data from hardware failures and honest mistakes, as well as from viruses and other malicious mischief. Backup privileges should be limited to administrators and backup operators—people to whom you are comfortable giving read and write access on all files. |
| • | Protecting Files and Directories. The NTFS file system provides more security features than the FAT system, and should be used whenever security is a concern. With NTFS, you can assign a variety of protections to files and directories, specifying which groups or individual accounts can access these resources in which ways. By using the inherited permissions feature and by assigning permissions to groups rather than to individual accounts, you can simplify the chore of maintaining appropriate protections. |
| • | Protecting the Registry. The Registry Editor should be used only by individuals who thoroughly understand the tool, the registry itself, and the effects of changes to various keys in the registry. Mistakes made in the Registry Editor could render part or all of the system unusable. |
| • | Auditing. Auditing can inform you of actions that could pose a security risk and also identify the user accounts from which audited actions were taken. When you establish an audit policy you need to weigh the cost (in disk space and CPU cycles) of the various auditing options against the advantages of these options. You'll want to at least audit failed logon attempts, attempts to access sensitive data, and changes to security settings. |
| • | Managing the Security Log. A regular task of network administration is examining the security log to track significant events and monitor system usage, and clearing the log as necessary. It is recommended that you routinely archive the log before clearing it. You can specify the maximum size for the security log, and what happens when that size is reached. |
The standard security precautions are sufficient for most installations. However, additional precautions are available for computers that contain very sensitive data, or that are at high risk for data theft or the accidental or malicious disruption of the system.
Securing the Network
To eliminate unauthorized access over the network, user validation and protections on files and other objects are sufficient for standard-level security. For high-level security, however, make sure the network itself is secure, or in some cases you might need to isolate the computer completely.
If the network is entirely contained in a secure building, the risk of unauthorized taps is minimized or eliminated. If the cabling must pass through unsecured areas, use optical fiber links rather than twisted-pair cable; fiber is considerably harder to tap without detection, although not impossible, so it should supplement rather than replace physical protection of the cable run.
If your installation needs access to the Internet, you should be aware of the security issues involved in providing access to—and from—the Internet community. Chapter 3, "Server Security on the Internet," in the Microsoft® Windows NT® Server Version 4.0 Internet Guide contains information on using network topology to provide security.
Limiting the Ability to Power On the Computer
You might choose to keep unauthorized users away from the power or reset switches on the computer, particularly if your computer's rights policy denies them the right to shut down the computer. The most secure computers (other than those in locked and guarded rooms) expose only the computer's keyboard, monitor, mouse, and (when appropriate) printer to users. The CPU and removable media drives can be locked away where only specifically authorized personnel can access them.
On many hardware platforms, the system can be protected using a power-on password. A power-on password prevents unauthorized personnel from starting an operating system other than Windows NT, which would compromise system security. Power-on passwords are a function of the computer hardware, not the operating system software. Therefore the procedure for setting up the power-on password depends on the type of computer, and is available in the vendor's documentation supplied with the system.
Restricting the Boot Process
Most personal computers support the ability to start a number of different operating systems. For example, even if your users normally start Windows NT from drive C, someone could boot another operating system from removable media on another drive, such as a floppy disk drive or a CD-ROM drive. If this happens, any security precautions you have taken within your version of Windows NT might be circumvented.
In general, you should install only those operating systems that you want to be used on the computer you are setting up. For a highly secure system, this will probably mean installing only Windows NT and only one version of it. However, you still need to protect the CPU physically to ensure that no other operating system is loaded. Depending on your circumstances, you might choose to remove the floppy disk drive or drives. In some computers you can disable booting from the floppy disk drive by setting switches or jumpers inside the CPU. If you use hardware settings to disable booting from the floppy drive, you might want to lock the computer case (if that is an option with the computer you have) or lock the machine in a cabinet with a hole in the front to provide access to the floppy disk drive. If the CPU is in a locked area away from the keyboard and monitor, drives cannot be added or hardware settings changed for the purpose of starting from another operating system.
Controlling Access to Removable Media
By default, Windows NT allows any program to access files on floppy disks and CDs. In a highly secure, multi-user environment, you might want to allow only the person interactively logged on to access those devices. This allows the interactive user to write sensitive information to these drives, confident that no other user or program can see or modify that data.
When operating in this mode, the floppy disks and CDs on your system are allocated to a user as part of the interactive logon process. These devices are automatically freed for general use or for reallocation when that user logs off. Because of this, it is important to remove sensitive data from the floppy disk or CD-ROM drives before logging off.
Hiding the Last User Name
By default, Windows NT places the user name of the last user to log on the computer in the User name text box of the Logon dialog box. This makes it more convenient for the most frequent user to log on. To help keep user names secret, you can prevent Windows NT from displaying the user name from the last logon. This is especially important if a computer that is generally accessible is being used for the (renamed) built-in Administrator account.
Disabling Shutdown Without Logon
Normally, when running Windows NT Workstation, you can click Shutdown in the Logon dialog box to shut down the computer without logging on. This is appropriate where users can access the computer's operational switches; otherwise they might turn off the computer's power or reset it improperly. Where this feature is inappropriate--for example, if the CPU is locked away so users cannot access the switches--you can remove it. This step is not required for Windows NT Server, which is configured this way by default.
Limiting User Rights
There are several user rights that administrators of high-security installations should be aware of and possibly audit. Of these, you might want to change the default assignment of two rights, as follows:
| User Right | Allows a user to: | Groups assigned this right by default | Recommended change |
| Log on locally | Log on at the computer, from the computer's keyboard | Administrators, Backup Operators, Everyone, Guests, Power Users, and Users | Delete Everyone and Guests from the list of groups assigned this right. |
| Shut down the system (ShutdownPrivilege) | Shut down Windows NT | Administrators, Backup Operators, Everyone, Power Users, and Users | Delete Everyone and Users from the list of groups assigned this right. |
Protecting Files and Directories
Among the files and directories to be protected are those that comprise the operating system (OS) itself. These are stored in the System32 directory. The standard permissions on system files and directories provide reasonable security without interfering with the computer's usability. For high level security installations, however, you might want to set permissions to allow a maximum of read-only access to untrusted users on most OS directories, subdirectories and existing files immediately after installing Windows NT. Be sure to apply permissions to parent directories before applying permissions to subdirectories.
You can protect the folder and its contents by giving full control to Administrators and LocalSystem, READ & EXECUTE to Everyone.
To view the System32 files in Windows NT Explorer
1. | From the View menu, point to Arrange Icons, and then click by Type. |
2. | From the View menu, click Folder Options. |
3. | In the Folder Options dialog box, click View. |
4. | Under Hidden files, select the Show all files check box. |
Protecting the Registry
In addition to the considerations for standard security, the administrator of a high-security installation might want to set protections on certain keys in the registry.
By default, protections are set on the various components of the registry that allow work to be done while providing standard-level security. For high-level security, you might want to assign access rights to specific registry keys. This should be done with caution because programs that the users require to do their jobs often need to access certain keys on the users' behalf.
Disabling the Schedule Service (AT Command)
The Schedule service (which runs commands submitted with the AT command) is used by administrators to schedule tasks to run automatically at a preset time. Because a scheduled task runs in the security context of the Schedule service itself (by default, the LocalSystem account) rather than that of the user who submitted it, this service should not be used in a highly secure environment. It is therefore not available in the C2-evaluated configuration.
For more on the AT command, see "Backup Utilities" in Chapter 22, "Disk, File System, and Backup Utilities," in the Windows NT Workstation 4.0 Resource Kit.
The C2 level of security is a government rating for business software; it corresponds to high-level security, discussed in Chapter 1. C2 is a good commercial security level target, and a configuration that is rated C2 serves as an excellent building block in an overall system security plan. That building block can be modified, and the risks in so doing can be measured and accepted by various hosting organizations.
The C2 evaluation ensures that Microsoft® Windows NT® can properly enforce your security policy, but does not dictate what that policy should be. To set policy, you need to choose the combination of security features that fits your combination of resources, personnel, work flow, and perceived risks. A certification and accreditation process results in approval of your policy for government work.
U.S. government security levels for computing systems range from A (the highest) to D. The C level designates a system that has controls capable of enforcing access limitations on an individual basis. This level has two sublevels, C1 and C2.
C2 is the higher level, with more finely grained access control. A C2 system has the following capabilities:
| • | The owner of a system resource has the right to decide who can access it. |
| • | The operating system can detect when data is accessed and by whom. |
Requirements for C2 Compliance
The U.S. government standard for evaluating computer system security is the National Computer Security Center (NCSC) publication Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), commonly called the Orange Book for the color of its cover. The TCSEC sets out criteria used to rate software on the basis of functional categories such as access control, authentication, object reuse, and auditing.
As outlined by the TCSEC, a C2 operating system must be able to:
| • | Define and control its users' access to objects, such as files and directories. |
| • | Provide a way for users to uniquely identify themselves. |
| • | Provide a way to audit security-related events and actions of individual users. |
| • | Prevent all processes from accessing the data for other processes. |
Microsoft has worked closely with the U.S. government to ensure that the features of Windows NT meet the criteria for C2 compliance. Table 3.1 compares the C2 criteria with Windows NT features that are designed to comply with them.
Table 3.1 C2 Criteria and Windows NT Equivalents
| C2 Criterion | Function | Windows NT Server Feature(s) Implementing Criterion |
| Secure logon facility | Users must identify themselves by entering a unique logon identifier and password before they are allowed access to the system. | Secure Attention Sequence |
| Discretionary access control | The owner of a resource grants access rights to a user or group of users. In this way the owner can determine who has access and what they can do to the resource. | Access Control List |
| Auditing | A record is made of important security-related events or any attempt to create, access, or delete system resources. Logon identifiers record the identity of the user who performed the action. | Event logs |
| Memory protection | No one can read information written by someone else after a data structure is released back to the operating system. Memory is reinitialized before use. | NTFS file system; Object Reuse (data in memory is not left behind to be reused); Kernel runs in 32-bit protected mode |
Certification and Accreditation
To use your C2-compliant configuration for government work, you may need to have it certified and accredited. The NCSC describes "certification" as a plan to use computer systems in a specific environment, and "accreditation" as the evaluation of that plan by administrative authorities. It is this certification plan, and the subsequent accreditation procedure, that balances the sensitivity of the data being protected against the environmental risks present in the way the computing systems are used.
Considerations
Many features of Windows NT need to be considered when determining how to use the computer within your specific environment. What level of auditing will you require? How should your files be protected to ensure that only appropriate users can access them? What applications should you allow people to run? Should you use a network? If so, what level of physical isolation of the actual network cable is needed?
For example, a certification plan for a university computing lab might require that startup from a floppy disk be disabled, thus minimizing the risk of infection by viruses or Trojan horses. However, in a top-secret Defense Department development lab, it might be necessary to go much further and have a fiber-optic LAN to prevent generation of electronic emissions. A good certification plan covers all aspects of security, from backup and recovery mechanisms to the use of locked rooms and security guards.
Due Diligence
Commercial work may not require accreditation, but to minimize liability it may be advisable to provide evidence of due diligence in configuring a system that is C2 compliant to the extent feasible. An organization shows due diligence if it employs a reasonable standard of care to guard data consistent with the sensitivity of the data and the technology available. In business, due diligence is particularly important in network transfers of money, credit information, medical records, and other sensitive information.
Needless to say, due diligence needs to be documented. This requires a plan similar to a certification plan, explaining the tradeoffs that were made in selecting system components and features.
Microsoft has been committed to the product evaluation process since issuing the first version of Windows NT. The process is lengthy and detailed, such that it is almost impossible to keep every version of a product evaluated on a timely basis. However, Windows NT has completed such evaluation under two rating systems:
| • | The Department of Defense Trusted Computer System Evaluation Criteria (TCSEC), used in the United States. |
| • | The Information Technology Security Evaluation Criteria (ITSEC) and its equivalents, used in the United Kingdom and several other countries. |
A new international rating system, the Common Criteria, has been agreed upon by several countries and will be used in the future. The various rating systems are discussed in the Appendix, "Software Security Rating Systems."
Currently, Windows NT has the following status in regard to C2 security and its equivalents.
Windows NT 3.5
Microsoft® Windows NT® version 3.5 with U.S. Service Pack 3 has been evaluated and rated at the C2 level by the U.S. government for stand-alone Compaq ProLiant 2000 and 4000 and Digital Alpha DECpc AXP/150 hardware platforms.
In 1991, Microsoft submitted Windows NT for platform evaluation by the U.S. National Computer Security Center (NCSC), the federal agency charged with evaluating software product security. In July 1995, Windows NT met its first milestone: C2 recognition for the base operating system.
The NCSC also recognized two features of the operating system as meeting requirements of the B2 level. The B2 class is characterized by strengthened authentication mechanisms, trusted facility management in the form of support for system administrator and operator functions, and stringent configuration management controls. The two B2-level features are Trusted Path and Trusted Facility Management:
| • | The Trusted Path functionality uses the authentication mechanism of the Secure Attention Sequence, described in Chapter 1, whereby users must press CONTROL+ALT+DELETE to log on. This prevents Trojan horse programs from intercepting user name and password information during logon. |
| • | The Trusted Facility Management functionality supports separate account roles for operator and administrator functions. For example, Windows NT provides separate administrative roles for Administrators, users tasked with backups, users tasked with administering print servers, privileged Power Users, and Users. |
Windows NT 3.51
Microsoft® Windows NT® version 3.51 has met the E3/F-C2 criteria of the United Kingdom for networking, trusted relationships, and stand-alone configurations. The U.K. evaluation used newer Compaq systems and no Alphas. F-C2 is comparable to the U.S. C2 rating. For more information about E3, see "ITSEC Assurance Level" in the Appendix.
The evaluation of Windows NT 3.51 to the E3/F-C2 security level included user account policies, workstation locking, user roles, access control lists and privileges, and a trusted path for logon. The extension of these facilities to the network was also evaluated, including centralized security management, multiple logical domains of workstations and servers, domain-wide user account and accountability policy, domain-wide global groups, restriction on logon hours, and trust relationships between domains.
Domain-based security functionality was included up to the transport driver interface; underlying network protocols and architectures were excluded.
The U.K. evaluation of Windows NT 3.51 resulted in a certification report, which is available over the Internet at the ITSEC Website, http://www.itsec.gov.uk.
Windows NT 4.0
Windows NT 4.0 with U.S. Service Pack 6a was evaluated in the U.S. for a C2 rating in a networked environment. The evaluation used Compaq ProLiant 5100, 6500, 7000, and 8000 hardware in both single-processor and multiprocessor configurations. The TCP/IP protocol was used to interconnect the tested network.
For a report on the results of this evaluation, see the Microsoft Security Web site, http://www.microsoft.com/security.
Windows 2000
Microsoft® Windows® 2000 and later versions will be submitted for evaluation under the new international Common Criteria. This evaluation methodology was designed to allow a successful security evaluation in one country to be accepted in other countries without the need for repeated testing.
For more information on the Common Criteria, see "Common Criteria: A New International Standard" in Appendix A.
Note: Windows NT 3.5 and Windows NT 3.51 are no longer available on Microsoft CDs, although 3.5 can still be ordered through Microsoft Inside Sales. Purchase of a Windows NT 4.0 license allows the owner to run these earlier versions, and Microsoft will supply the Windows NT 3.5 or Windows NT 3.51 software upon application.
Additional Resources
If you need to set up a C2-certifiable system, see Chapter 4, "Microsoft Report on C2 Evaluation of Networked Windows NT." That chapter lists the hardware configurations in which Windows NT has been evaluated. Chapter 4 also specifies the feature configurations that were implemented for C2 evaluation, so that you can duplicate them if necessary for your own C2-certifiable system.
You might also study Appendix B, "Security In a Software Development Environment," in the Microsoft® Windows NT® Workstation Version 4.0 Resource Kit, especially if you are using custom or in-house software. This appendix provides information on managing and interpreting the security log, and technical details on special-case auditing (for example, auditing base objects). The Windows NT product documentation and the Microsoft® Windows NT® Resource Kit also provide information on features that may fit your particular combination of resources, personnel, work flow, and perceived risks.
Today, computer networks are becoming increasingly important to most businesses. Networks are used to share key information and resources among many users throughout organizations of various sizes. Frequently, the information stored on network servers, such as the Microsoft® Windows NT® Server operating system, is secure information that is intended for use only by specific individuals. Therefore, the ability of these networks to prevent unauthorized access to information is paramount to the security and competitiveness of an organization.
One measure of a secure operating system is the U.S. Department of Defense's criteria for a C2-level secure system. While C2 security is a requirement of many U.S. government installations, its substantial value extends to any organization concerned about the security of its information.
Some of the most important requirements of C2-level security are:
| • | The owner of a resource (such as a file) must be able to control access to the resource. |
| • | The operating system must protect data stored in memory for one process so that it is not randomly reused by other processes. For example, Windows NT protects memory so that its contents cannot be read after it is freed by a process. In addition, when a file is deleted, users must not be able to access the file's data even when the disk space used by that file is allocated for use by another file. |
| • | Each user must uniquely identify himself or herself. In Windows NT, this is achieved by typing a unique logon name and password before being allowed access to the system. The system must be able to use this unique identification to track the activities of the user. |
| • | System administrators must be able to audit security-related events and the actions of individual users. Access to this audit data must be limited to authorized administrators. |
| • | The system must protect itself from external interference or tampering, such as modification of the operating system or of system files stored on disk. |
In addition to meeting the U.S. government's C2 requirements, there are certain "real world" security problems that a fully secure system must also solve. These real world security issues tend to fall into two categories: managing security and using security. Microsoft® Windows NT® Workstation and Windows NT Server are designed to meet the requirements for a C2-secure system while also providing excellent tools for both managing and using these comprehensive security features.
Windows NT products provide comprehensive tools to help administrators manage and maintain security in their environments. For example, an administrator can specifically control which users have access rights to which network resources. These resources include files, directories, servers, printers, and applications. Rights are defined on a per resource basis and can be managed centrally from any single location.
From the user's perspective, Windows NT security is complete, yet easy to use. A simple password-based logon procedure gives users access to the appropriate network resources. Users are also able to define access rights for any resource they own. For example, if a user needs to share a specific document with other users, he or she can specify exactly who has read and write access to that document. These rights are easily assigned through Windows NT Explorer. Of course, access to organizational resources is fully managed only by authorized administrators.
Another example of Windows NT security capabilities is its protection of data, even while that data is in a machine's physical memory. Windows NT allows only authorized programs to access data. When such a program accesses data, that data is placed in physical memory. Despite the fact that the data is no longer only on the disk, Windows NT still protects it from unauthorized access. No unauthorized program will be able to access that data while it is in memory. Therefore, it is impossible for a rogue application to take advantage of another application's use of data while that data is in the physical memory of a machine.
Windows NT Workstation and Windows NT Server are large, modern operating systems with built-in networking capabilities. When the National Computer Security Center (NCSC) began evaluation of these products in early 1992, it soon became apparent to everyone involved that this evaluation would be considerably more complex than any the NCSC had performed in many years. The NCSC had become proficient at evaluating UNIX® clones, but Windows NT is significantly different from the technologies they had evaluated before.
From the beginning of the evaluation, Microsoft and the NCSC worked together closely to ensure C2 compliance of the Windows NT Workstation and Windows NT Server platforms. One of the first actions of this joint effort was a decision to bring some fruits of the evaluation process to market as quickly as possible, without waiting for all components to be fully evaluated. The result was a phased approach that allowed the core components of Windows NT Workstation and Windows NT Server, on a handful of hardware platforms, to be added to the Evaluated Products List first. Additional hardware platforms, protected subsystems, and networking components will be added to the Evaluated Products List as their evaluations are completed.
The core components of Windows NT Workstation and Windows NT Server attained their first listing as an evaluated product in mid-1995. In 1999, Windows NT was successfully evaluated in a networked environment. This means that the NCSC has found Windows NT Workstation and Windows NT Server to be C2 compliant, and that government customers who are required to purchase C2-compliant systems can consider using Windows NT Workstation and Windows NT Server either as stand-alone components or in an entire C2-certifiable network.
In addition to C2 evaluation by the NCSC, Microsoft® Windows NT® 4.0 Workstation and Microsoft® Windows NT® 4.0 Server are also being evaluated in Europe for the similar E3/F-C2 rating. This will allow customers in both the U.S. and Europe to operate certifiably secure networks.
This section describes the hardware and software configuration used in evaluating Windows NT for C2-level security clearance. This configuration constitutes the trusted computing base (TCB). The TCB is the security-relevant, or trusted, part of the operating system. In terms of architecture, it consists of those components that run in the protected kernel mode, as opposed to user mode.
Evaluated Hardware Components
The following hardware configuration was used in evaluating networked Windows NT for C2 compliance.
Platforms Included
The evaluated hardware configuration includes Compaq Professional Workstation 5100, Compaq Professional Workstation 8000, Compaq Proliant 6500 Server, and Compaq Proliant 7000 Server. No other model may be substituted if the setup is to conform to the evaluated C2 configuration. Each evaluated machine can be configured as defined below.
| Machine | CPU | Memory | Drive Controller | Network Controller | Graphic Controller |
| Professional Workstation 5100 | One or two Intel Pentium II microprocessors, 266 or 300 MHz | Up to 512 MB of ECC, EDO SIMMs | Integrated Wide-Ultra SCSI-3 on PCI bus | Integrated Compaq Netelligent 10/100 TX PCI UTP Controller | MGA Millenium II |
| Professional Workstation 8000 | One to four Intel Pentium Pro microprocessors, 200 MHz | Up to 3 GB of ECC, EDO SIMMs | Integrated Wide-Ultra SCSI-3 on PCI bus | Integrated Compaq Netelligent 10/100 TX PCI UTP Controller | Diamond Fire GL 4000 |
| Proliant 6500 Server | One to four Intel Pentium Pro microprocessors, 200 MHz | Up to 4 GB of ECC, EDO or Fastpage SIMMs | Two integrated Wide-Ultra SCSI-3; Compaq SMART-2 Array | Dual port 10/100 TX UTP PCI controller | Integrated PCI VGA video |
| Proliant 7000 Server | One to four Intel Pentium Pro microprocessors, 200 MHz | Up to 4 GB of ECC, EDO or Fastpage SIMMs | Integrated Wide-Ultra SCSI-3; Compaq SMART-2 Array | Dual port 10/100 TX UTP PCI controller | Integrated PCI VGA video |
Peripherals Included
In addition to the base system components, each system may include any of the following devices:
| • | Enhanced Keyboard |
| • | 1.44-MB 3.5-inch diskette drive |
| • | Two-button mouse |
| • | VGA monitor |
| • | Disk drives that meet the Fast SCSI-2, Fast-Ultra SCSI-2, Wide SCSI-3, or Wide-Ultra SCSI specifications |
| • | ATAPI CD-ROM drives |
| • | HP 4mm DAT SCSI tape drive |
| • | HP LaserJet IV and V PCL (i.e., not PostScript) printers |
Peripherals Excluded
Peripherals that can invalidate the evaluated configuration are to be avoided. Be particularly careful about using hardware with removable media because some of these devices can reconfigure themselves when special media are inserted. The known examples are all tape drives that overwrite their firmware when a special firmware load tape is inserted. This happens regardless of the other hardware components or OS installed.
In the evaluated configuration, the tape drive is to be used only by the administrator, with procedures established to keep it away from physical access by untrusted users (e.g., by putting it in a locked server room). Other devices, such as CD-ROM drives and floppy disk drives, should be installed only after confirming (e.g., by asking the vendor) that the device does not have this feature. Otherwise you are accepting a risk.
Evaluated Software Configuration
The evaluated configuration of Windows NT includes any number of the Windows NT Server and Windows NT Workstation products, acting in any one of the following roles, either stand-alone or connected via a physically protected network:
| • | Microsoft Windows NT Server product |
| • | Windows NT Workstation product |
This configuration can include multiple Windows NT domains (and their PDC and BDCs), as well as networked non-member workstations and servers attached to the same local network.
Components Included
The actual components evaluated were the following:
| • | Windows NT 4.0 Server or Windows NT 4.0 Workstation product |
| • | Windows NT 4.0 Service Pack 6a |
| • | Microsoft DNS Server (optional on Windows NT Server; not available on Windows NT Workstation) |
| • | Microsoft WINS Service (optional on Windows NT Server; not available on Windows NT Workstation) |
| • | Network Protocol–TCP/IP with static IP address |
Components Excluded
There are a few available system components that are not included in the evaluated configuration. Those product elements specifically not included in the Windows NT 4.0–evaluated configuration include:
| • | POSIX and OS/2 subsystems |
| • | Streams |
| • | Remote Access Service |
| • | Dynamic Host Configuration Protocol (DHCP) |
| • | NetBEUI, AppleTalk, and IPX protocols |
| • | Other services that must run as part of the system, such as Internet Information Server. |
Administrator Tools Included
The Administrator tools listed in this section are the applications an administrator uses to manage the TCB. All of the tools run in user mode; however, unlike protected servers, these tools execute in the security context of the user. Some tools require the user to possess one or more privileges (which are enforced by the underlying TCB server or Executive subsystem, and not the tool itself). Since privileges are associated with users and their tokens, and not with executable programs, the Administrator tools are only in the TCB because a privileged administrator must use them to manage the TCB.
The set of administrative tools included in the evaluated configuration is: Control Panel, Event Viewer, User Manager and User Manager for Domains, Server Manager, Print Manager, Backup, Registry Editor, Disk Administrator, DNS Manager, WINS Manager, DCOM Configuration Utility, and Windows NT Explorer.
Warning: Only the tools listed in this section have been evaluated for administrator use. Do not use other tools if an installation is to conform to the evaluated C2 configuration because unlisted tools have not been evaluated for correct security administrator behavior.
Control Panel
Users can customize and administer Windows NT with the Control Panel functions. The following list includes those Control Panel functions that are security relevant. Their use requires special privileges:
| • | Date/Time—Changes the date, time, and time zone of the computer clock. |
| • | Devices—Starts, stops, and configures the startup type for device drivers. |
| • | Display—Installs and configures display drivers. |
| • | Network—Installs, removes, and configures system identification, network services, adapters, protocols, and bindings. |
| • | Printers—Opens Print Manager. |
| • | Server—Views and manages the server properties of this computer. |
| • | Services—Manages services defined in the registry (i.e., start or stop the services available in the computer and configure the startup options for each service). |
| • | System—Specifies the startup Operating System, sets system and user environment variables, changes system performance parameters, determines error recovery procedure, and defines paging file size. |
| • | Tape Devices—Installs and configures tape devices. |
For user documentation about Control Panel, see the Microsoft® Windows NT® Workstation Version 4.0 Resource Kit (several chapters).
Event Viewer
Event Viewer is used to view and manage event logs, including the security log. It allows for viewing, sorting, filtering, and searching the event logs. The user must have access to the event log file in order to successfully view it. To view the contents of the security log, the user must be logged on as a member of the Administrators group. No special privilege is required to use Event Viewer itself. Security is enforced by the ACL on the log and certain registry settings.
Event Viewer provides two sorting options: newest events first or the oldest events first. To filter events, there is a predefined set of options available. Some of the filter options are: from date, through date, warnings, errors, success or failure audit, source of logging events, user, and event category (e.g., policy changes). Event Viewer also provides for the saving of audit data in a number of formats, including comma-delimited ASCII.
For user documentation about Event Viewer, see "Using Event Viewer" in Chapter 9, "Monitoring Events," of Microsoft® Windows NT® Server Version 4.0 Concepts and Planning.
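As an added illustration (not part of the original guide), the following Python script applies the same kinds of filter Event Viewer offers (event type, user, category, from/through date), sorts newest or oldest first, and tallies failure audits per account over a security log saved as comma-delimited ASCII. The column order Date,Time,Source,Type,Category,Event,User,Computer and the log lines themselves are assumptions and constructed sample data, not real exported records.

```python
"""
Added example (not from the Windows NT guide): Event Viewer style filtering
and summarising of a security log saved as comma-delimited ASCII.

Assumption: one event per line with the columns
Date,Time,Source,Type,Category,Event,User,Computer. Adjust COLUMNS if your
export differs. SAMPLE_LOG is constructed sample data.
"""
import csv
from collections import Counter
from datetime import datetime
from io import StringIO
from typing import Dict, List, Optional, Set

COLUMNS = ["date", "time", "source", "type", "category", "event", "user", "computer"]

# Constructed sample export: two accounts, one with a run of failed logons,
# plus an audit policy change by the administrator.
SAMPLE_LOG = """\
1/15/99,8:02:11 AM,Security,Success Audit,Logon/Logoff,528,jsmith,WKS01
1/15/99,8:05:40 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,WKS01
1/15/99,8:05:52 AM,Security,Failure Audit,Logon/Logoff,529,jsmith,WKS01
1/15/99,8:06:03 AM,Security,Success Audit,Logon/Logoff,528,jsmith,WKS01
1/16/99,9:12:30 AM,Security,Failure Audit,Logon/Logoff,529,guest,SRV01
1/16/99,9:12:45 AM,Security,Failure Audit,Logon/Logoff,529,guest,SRV01
1/16/99,9:13:01 AM,Security,Failure Audit,Logon/Logoff,529,guest,SRV01
1/16/99,11:30:00 AM,Security,Success Audit,Policy Change,612,Administrator,SRV01
"""


def _parse_date(text: str):
    """Parse a date typed the way the Event Viewer filter dialog shows it (m/d/yy)."""
    return datetime.strptime(text, "%m/%d/%y").date()


def parse_log(text: str) -> List[Dict[str, object]]:
    """Parse the comma-delimited export into event dicts with a 'when' timestamp."""
    events = []
    for row in csv.reader(StringIO(text)):
        if len(row) < len(COLUMNS):
            continue  # blank or truncated line
        ev: Dict[str, object] = dict(zip(COLUMNS, row))
        ev["when"] = datetime.strptime(
            f'{ev["date"]} {ev["time"]}', "%m/%d/%y %I:%M:%S %p")
        events.append(ev)
    return events


def filter_events(events, *, types: Optional[Set[str]] = None,
                  user: Optional[str] = None, category: Optional[str] = None,
                  from_date: Optional[str] = None,
                  through_date: Optional[str] = None):
    """Keep events that satisfy every criterion given (like the Filter dialog)."""
    lo = _parse_date(from_date) if from_date else None
    hi = _parse_date(through_date) if through_date else None
    kept = []
    for ev in events:
        if types is not None and ev["type"] not in types:
            continue
        if user is not None and str(ev["user"]).lower() != user.lower():
            continue
        if category is not None and ev["category"] != category:
            continue
        day = ev["when"].date()
        if lo is not None and day < lo:
            continue
        if hi is not None and day > hi:
            continue
        kept.append(ev)
    return kept


def sort_events(events, newest_first: bool = True):
    """Event Viewer's two sort orders: newest first (default) or oldest first."""
    return sorted(events, key=lambda ev: ev["when"], reverse=newest_first)


def failure_audits_per_user(events) -> Dict[str, int]:
    """Count Failure Audit entries per account, the first thing to review."""
    return Counter(str(ev["user"]) for ev in events if ev["type"] == "Failure Audit")


if __name__ == "__main__":
    evs = parse_log(SAMPLE_LOG)
    for account, n in failure_audits_per_user(evs).most_common():
        print(f"{account}: {n} failure audit(s)")
```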
User Manager and User Manager for Domains
There are two flavors of User Manager: User Manager and User Manager for Domains. User Manager is installed on systems running Windows NT Workstation. It is used to manage users of the local system. User Manager for Domains is used on systems running Windows NT Server. It is used to manage users of the local system and of the domain. Both flavors are used to create and manage user accounts and groups and to implement the security audit policy. User Manager for Domains also is used to create interdomain trust relationships.
The actions a user can perform with the tools are determined by the group memberships of the user's account. If the user does not have sufficient authority to perform an action, that user will be denied access to that function. In particular, a user who is a member of the Administrators group can perform all functions of User Manager and some functions of User Manager for Domains. A user who is a member of the Users group can create local groups, modify and delete those groups, and give any user membership in those groups. Members of the Domain Admins group can perform all functions of User Manager for Domains.
User Manager and User Manager for Domains provide functions for implementing security policy. They include: controlling the way passwords might be used by all user accounts; controlling the privileges assigned to groups and user accounts; and controlling the audit policy by defining the security events that will be logged. These functions are restricted to members of the Administrators and Domain Admins groups.
For user documentation about User Manager for Domains, see Windows NT Server Help and Chapter 2, "Working with User and Group Accounts," in Windows NT Server 4.0 Concepts and Planning. For more about User Manager, see Windows NT Server Help.
Server Manager
The Server Manager is available on Windows NT Server. It provides functions for viewing information about workstations and servers in a domain. The major functions it provides are: manually synchronizing the LSA and SAM databases between the PDC and each BDC, promoting a BDC to a PDC, and viewing the properties of systems in the domain in which the user is a member of the Administrators group. The domain controller related functions are restricted to members of the Domain Admins group. Viewing an individual server or workstation is restricted to members of that system's Administrators group.
For user documentation about Server Manager, see "Assessing and Managing Resource Use" in Chapter 4, "Managing Shared Resources and Resource Security," of Windows NT Server 4.0 Concepts and Planning.
Print Manager
The Print Manager provides functions to manage printing, printers, and print jobs. The major functions it provides are installing printers, changing a printer's properties, and setting event types for auditing. Some functions, such as creating a printer or changing the printer properties, are restricted to members of the Administrators or Print Operators group. A user can also change printer properties if he or she is granted Full Control access to the printer. Printing properties include hours available to print, sharing the printer, configuring printer security, printer priority, the separator page option, and the spooling option.
A printer is secured by a DACL. To change the DACL on a printer object, the user must be the owner of the printer, have been granted Full Control access, or have the TakeOwnership privilege. A user can always control printing of the user's own documents. However, members of the Administrators and Print Operators group can control the printing of other users' documents. Manage Documents or Full Control access to the printer also allows the control of printing other users' documents.
For user documentation about management of printing, see Chapter 5, "Setting Up Print Servers," in Windows NT Server 4.0 Concepts and Planning.
Backup
The Windows NT Backup utility is a tool used to back up information to a local tape drive. It is used to protect data from accidental loss or hardware and media failures. It provides functions to back up disk files to tape, restore tape files to disk, and manage tapes. Members of the Administrators or Backup Operators groups have the Backup and Restore privileges, allowing them to bypass the protection provided by ACLs.
File permission information is stored on tape with backup files by default. The Backup operator has the option to restore the original file access permissions. If this option is not selected, the files inherit the permission of the directory into which they are restored.
For user documentation about NT Backup, see "Using Windows NT Backup" in Chapter 6, "Backing Up and Restoring Network Files," in Windows NT Server 4.0 Concepts and Planning.
Registry Editors
There are two registry editors, Regedt32.exe and Regedit.exe. These tools can be used to view and edit the configuration database of a Windows NT system. They do not appear in any default program groups, although they are installed automatically when Windows NT is installed. Most often, changes to the configuration database are accomplished through one of the other tools, but certain changes can only be accomplished through the Registry Editor.
The Registry Editor is invoked by executing the file Regedt32.exe or Regedit.exe. Keys modified by the Registry Editor are protected by ACLs; to change a key, a user must have the TakeOwnership privilege or be the owner of the key. To change auditing of keys, non-owners must have the Security Privilege.
For user documentation about registry editors, see "Using Registry Editor" in Appendix A, "Windows NT Registry," in Windows NT Server 4.0 Concepts and Planning.
Disk Administrator
The Disk Administrator provides functions to partition disks, create and delete volume sets, extend volume sets, create and delete stripe sets, establish and break mirror sets, and recover data. Volume sets and stripe sets are mechanisms whereby free space from multiple disk partitions is combined into a new partition. A user must be a member of the Administrators group to start this tool.
For user documentation about Disk Administrator, see "Disk Administrator Overview" in Chapter 7, "Protecting Data," in the Microsoft® Windows NT® Server Version 4.0 Concepts and Planning.
DNS Manager
The DNS Manager provides functions to configure and manage Microsoft DNS servers. The major functions it provides are: viewing and adding records, viewing and adding hosts, creating and maintaining zones, and creating and maintaining subdomains. Most functions, such as creating a zone, are restricted to members of the Administrators group.
For user documentation about DNS Manager, see "Domain Name System Name Resolution" in Chapter 32, "Networking Name Resolution and Registration," in the Windows NT Workstation 4.0 Resource Kit.
WINS Manager
The WINS Manager provides functions to configure and manage Microsoft WINS servers. The major functions it provides are: viewing the WINS server statistics; adding and managing static entries; logging database activity; and scavenging the database. Some functions, such as adding static entries, are restricted to members of the Administrators group.
For user documentation about WINS Manager, see "NetBIOS over TCP/IP (NetBT) Name Resolution" in Chapter 32, "Networking Name Resolution and Registration," in the Windows NT Workstation 4.0 Resource Kit.
DCOM Configuration Utility
The DCOM Configuration Utility is invoked by executing the file Dcomcnfg.exe. It is a utility used to secure administrator-created DCOM objects. It provides functions such as: viewing the DCOM configuration interfaces; managing options, managing default settings; configuring applications; and configuring default security. Functions are restricted to members of the Administrators group.
For user documentation about DCOM Configuration Utility, see "Configuring DCOM" in Chapter 4, "Managing Shared Resources and Resource Security," in the Windows NT Server 4.0 Concepts and Planning.
Windows NT Explorer
Windows NT Explorer provides file and directory manipulation and organization functions. It provides functions such as: creating and removing directories; moving, copying, and deleting files; securing files and directories; and performing other disk, directory, and file management tasks. Some functions are restricted to certain groups. Manipulation of directory and file objects is controlled by their ACLs, which are set by using Windows NT Explorer.
Windows NT Explorer provides functions to audit operations on files and directories. To enable auditing of files or directories, membership in the Administrators group or possession of the security privilege is necessary. Using Windows NT Explorer, an administrator can enable different types of auditable events on the files and directories when these events are generated by specified users and groups. To change permission on a file not owned by the user, the TakeOwnership privilege is required.
For user documentation about Windows NT Explorer, see "Windows NT Explorer" in online help.
The following checklist and procedures describe the configuration of the hardware platforms referred to in the preceding sections. The checklist and procedures are written to enable you to duplicate the configuration used in the C2-level networking security evaluation.
All settings are for workstations, domain controllers, and non-domain controller servers unless otherwise specified.
Note: The configuration must be exactly as described here to qualify as an evaluated C2 configuration.
Cautionary Notes
When installing the configuration, observe the following general cautions; otherwise C2 compliance might be compromised.
DCOM Warning
The COM Service Control Manager (SCM) supports the ability to activate (launch) COM servers in processes using different security contexts. The identity of the COM server is determined by the RunAs attribute of the AppID as configured using the Dcomcnfg.exe tool. If there is no RunAs value, the COM SCM will activate the server process "as activator." That is, the server process will have the same security context (token) as the activating client. This is the preferred method in the evaluated configuration.
If present, the RunAs value tells the COM SCM the name of the account under which the server is to be activated. In addition to the account name, the COM SCM must also have the password of the account. The result of a successful logon is a security context (token) for the named account that is used as the primary token for the new COM server process. Administrators should not use this method in the evaluated configuration if accountability is required, since accountability cannot be enforced.
Instead of a specific user, the RunAs value can have the special string "Interactive User." In this case, the COM SCM starts the new server using the security context of the current interactively logged on user (and if there is not a current interactive user, the activation request will fail). No logon occurs; the interactive user's token is used for the new COM server. Running COM servers as "Interactive Users" can have detrimental security impacts, especially for distributed COM since potentially any user can start a remote process for any user who happens to be logged onto a workstation. For the C2-evaluated configuration, the administrator must not configure any AppID to run as the interactive user.
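The RunAs rules above can be checked directly against the registry data that Dcomcnfg.exe edits (the RunAs value under each HKEY_CLASSES_ROOT\AppID\{GUID} key). The following audit script is an added example, not part of the guide; it assumes a modern Windows host with PowerShell and read access to HKCR\AppID (Windows NT 4.0 itself has no PowerShell), and the function name Get-DcomRunAsFindings is the author's own.

```powershell
# Added example (not from the guide): audit DCOM AppID RunAs settings against the
# evaluated-configuration rules. Assumes a modern Windows host with PowerShell;
# the AppID\RunAs layout is the same registry data that Dcomcnfg.exe edits.
function Get-DcomRunAsFindings {
    [CmdletBinding()]
    param(
        # Root of the AppID keys; overridable so the check can run against a loaded offline hive.
        [string]$AppIdRoot = 'Registry::HKEY_CLASSES_ROOT\AppID'
    )
    Get-ChildItem -Path $AppIdRoot -ErrorAction Stop | ForEach-Object {
        $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        $runAs = $props.RunAs
        # No RunAs value means "as activator": the server inherits the activating
        # client's token, which is the preferred method in the evaluated configuration.
        if ([string]::IsNullOrEmpty($runAs)) { return }
        $finding = if ($runAs -eq 'Interactive User') {
            'FAIL: runs as the interactive user; not permitted in the evaluated configuration'
        } else {
            'WARN: runs under a fixed account; accountability cannot be enforced'
        }
        [PSCustomObject]@{
            AppId   = $_.PSChildName        # the {GUID} key name
            Name    = $props.'(default)'    # friendly application name, if set
            RunAs   = $runAs
            Finding = $finding
        }
    }
}

Get-DcomRunAsFindings | Sort-Object Finding | Format-Table -AutoSize
```

Later Windows versions ship some built-in AppIDs that set RunAs themselves, so each hit should be reviewed against the rule above rather than treated automatically as an administrator misconfiguration.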
User/GDI Warning
Administrators should not open the desktops of untrusted users. This is because of the possible presence of "window hooks," procedures installed by a program that allow its code to execute in the context of another user's process. Such hooks can be installed by any user process that has appropriate access to a desktop. The hook can then be triggered by opening and setting the desktop. This is a concern only for those, like administrators, who have permission to open other users' desktops.
Removable Media Warning
All users should be careful with removable media. In addition, administrators should take precautions with tape drives.
All Users
When a user finishes an interactive logon session, all removable media (e.g., diskettes) should be removed from the drive and physically protected, unless the machine is in a physically secure location (e.g., locked room or office). Users should be aware that files on diskettes are not protected resources and that deleting files or erasing data from a diskette does not necessarily remove the data from the physical media. Users should always physically protect all removable media.
Administrators
Administrators use tape drives, which are not protected like floppy disk drives and CD-ROM drives inasmuch as they are not limited to the current interactive user. As such, tape drives should only be installed on systems that will not support interactive, untrusted users, so that the online tape media can be appropriately controlled by limiting access to the system itself. Furthermore, some tape drives implement a feature whereby a special tape, when inserted, causes the tape firmware to be updated automatically. Hence it is important to control tape media and to ensure that new tapes do not represent a threat to the system (that is, they are not from a