
NT4 SP4 Security



Presentation Transcript


  1. NT4 SP4 Security. Jack Schmidt, Fermilab (schmidt@fnal.gov)

  2. New Features
     • 3 new Event Log messages
     • Security Log access locked down from Domain Admins
     • NTLMv2, a new version of NTLM
     • Security Configuration Editor

  3. 3 New Event Log Messages
     • Event 6006 - Clean Shutdown Event: “The Event log service was stopped.”
     • Event 6008 - Dirty Shutdown Event: “The previous system shutdown at 7:01 AM on 11/12/98 was unexpected.”
     • Event 6009 - System Version Event: “Microsoft (R) Windows NT (R) 4.0 1381 Service Pack 4 Uniprocessor Free.”

  4. Security Log Viewing
     • Fixed so that Security rights must be enabled in order to view and manage the Security event log
     • Previously, the default allowed members of the Administrators group to view the log, but the security advisor is not always a system admin
     • Message: “Required Privilege not held by the client”

  5. NTLMv2 Security
     • Enhancements to the NTLM security protocols, called NTLMv2, improve both authentication and session security.
     • Before SP4, NT supported two kinds of challenge/response authentication:
        • LanManager (LM) challenge/response (WFW)
        • Windows NT challenge/response (also known as NTLM challenge/response)
     • To allow access to servers that only support LM authentication, Windows NT clients prior to SP4 always use both authentication methods, even to Windows NT servers that support NTLM authentication.

  6. NTLMv2 Security (cont)
     • SP4 systems can be configured to make use of the new authentication options:
        • Level 0 - Send LM response and NTLM response; never use NTLMv2 session security
        • Level 1 - Use NTLMv2 session security if negotiated
        • Level 2 - Send NTLM response only
        • Level 3 - Send NTLMv2 response only
        • Level 4 - DC refuses LM responses
        • Level 5 - DC refuses LM and NTLM responses (accepts only NTLMv2)
     • See http://support.microsoft.com/support/kb/articles/q147/7/06.asp

  7. Security Configuration Editor
     • Consolidates all security-related settings into a single configuration file
     • Covers User Manager, Server Manager, Resource Kit, Registry settings, File Explorer
     • Settings can be applied to any number of NT machines (server and workstation)
     • Sample configuration templates provided
     • Command line and GUI interfaces supported

  8. A Peek at the SCE

  9. Policies and Settings
     • Account Policies
     • Local Policies
     • Event Log
     • Restricted Groups
     • System Services
     • Registry
     • File System

  10. Account Policies
     • Password settings such as length, uniqueness, minimum and maximum age, complexity, must log on to change
     • Account lockout settings including lockout count, length of lockout time, reset account lockout after so many minutes

  11. Local Policies
     • Audit Policy - audit settings (success/failure) for account management, logon events, object access, policy changes, privilege use, process tracking and system events
     • User Rights - such as add workstations to domain, change system time, take ownership of files
     • Security Options - such as rename Admin account, logon messages, disconnect idle users, number of passwords to cache, restrict floppy and CDROM access

  12. Settings
     • Event Log settings - maximum size for logs, restrict guest access, retention method for log files, shut down when security log is full
     • Restricted Groups - ability to add and remove members from Domain Admin-defined ‘sensitive’ groups. Designed for Windows 2000

  13. Settings
     • System Services - In the future 3rd-party vendors can build in SCE attachments. Microsoft is planning attachments for services: spooler, TCP/IP, file sharing, etc.
     • Registry and File System - Provide the ability to configure and analyze settings for object ownership, ACLs, and auditing information. Not fully implemented.

  14. Predefined Configuration Templates
     • Templates can be used to configure systems and to perform security analysis of systems.
     • Templates are text-based .inf files. Configuration information is broken down into sections which can be applied as a full policy or in part.
     • Ability to exclude items from an audit (shows as Not Configured).
     • Designed to allow new sections to be added.
     • GUI interface allows modification of templates to provide customization.

  15. Predefined Configuration Templates
     • Compatible Configuration
        • COMPDC4, COMPWS4
        • Improvement over default security settings. Errs on the side of applications when making a tradeoff between functionality and security
     • Secure Configuration
        • SECURDC4, SECURWS4
        • Improvement over compatible settings. Errs on the side of security when making a tradeoff between functionality and security

  16. Predefined Configuration Templates
     • High Secure Configuration
        • HISECDC4, HISECWS4
        • Enforces ideal security settings without consideration for application functionality. Most applications won’t work under this setting. Designed to promote the development of future “security conscious” applications.
     • Basic Configuration
        • BASICDC4, BASICSV4, BASICWK4
        • Provided as a means to “undo” the application of a more secure configuration. Does NOT “rollback” settings!

  17. SCE Adventures
     • ‘Out of the box’ analysis is based on the Basic Configuration files.
     • Must apply a more secure configuration before attempting an audit
     • Analysis results are easy to interpret
     • Remote analysis not yet possible
     • Log files are useful for summarization but are not detailed.

  18. SCE Adventures (cont)
     • Command line tool can be used for applying only certain sections of the policy or the full policy
     • SCE must be applied to all systems.
     • New users not always able to log on locally after SCE installed.
     • New file permission box
     • Password complexity box has correct message...

  19. Security Analysis results

  20. Configuration

  21. New File Permissions View

  22. Advanced File Permissions

  23. Password Change Message

  24. Suggestions
     • Edit either the COMP or SECUR .inf files and make changes based on your security plan (you do have a security plan, don’t you?)
     • Save the file with a new name such as COMP4DC-FNAL.inf
     • Apply the configuration file to your system. Password configurations applied to the PDC will affect the entire domain.
     • Do a security analysis and make sure items were changed.
     • Check servers monthly. Run an audit to see if the system has changed and why.
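Checking a template against a site baseline, as an added example that is not from the presentation or from the SCE itself: it parses a small constructed .inf (the [System Access] key names are the ones Windows security templates use) and reports settings that fall short of a hypothetical site minimum, mirroring the “do a security analysis and make sure items were changed” step above and the text-based .inf format described on slide 14.

```python
# Added example (not from the presentation): parse a secedit-style .inf
# security template and check its [System Access] settings against a site
# minimum, the way the SCE analysis step compares a machine to a template.
# The template text and the site thresholds are constructed for the example.
import configparser

SAMPLE_TEMPLATE = """\
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 0
PasswordHistorySize = 6
LockoutBadCount = 0
"""

# Site minimum (hypothetical thresholds): setting -> (comparison, value)
SITE_POLICY = {
    "MinimumPasswordLength": (">=", 8),
    "PasswordComplexity": ("==", 1),
    "PasswordHistorySize": (">=", 6),
    "MaximumPasswordAge": ("<=", 90),
    "LockoutBadCount": (">=", 1),   # 0 means account lockout is disabled
}

def load_template(text):
    """Parse .inf text into {section: {key: value}}, keeping key case."""
    cp = configparser.ConfigParser(interpolation=None, strict=False)
    cp.optionxform = str            # .inf keys are case-sensitive names
    cp.read_string(text)
    return {s: dict(cp.items(s)) for s in cp.sections()}

def analyze(template, policy=SITE_POLICY):
    """Return (setting, actual, expected) findings; an empty list is compliant."""
    ops = {">=": lambda a, b: a >= b, "<=": lambda a, b: a <= b, "==": lambda a, b: a == b}
    access = template.get("System Access", {})
    findings = []
    for key, (op, want) in policy.items():
        raw = access.get(key)
        if raw is None:             # absent = Not Configured in SCE terms
            findings.append((key, None, f"{op} {want}"))
            continue
        actual = int(raw.strip().strip('"'))
        if not ops[op](actual, want):
            findings.append((key, actual, f"{op} {want}"))
    return findings
```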

  25. Command Line Tool
     • The command line tool (secedit.exe) is useful for applying predefined configuration files to many systems using distributed management tools (such as SMS).

  26. WARNING!
     • Applying a secure configuration to an NT system may result in a loss of performance and functionality!
     • Many applications expect that all users have Change (Read, Write, Execute, Delete) permissions on the root, systemroot, and systemroot\system32 directories

  27. Further Information
     • http://www.microsoft.com/security/ntprod.htm (doesn’t work yet!)
     • http://www-dcd.fnal.gov/hepnt-security

  28. Any Questions?
