Lock down WinNT
Published: 27 Feb 2003 10:27 GMT
Upon further inspection and drilling down into the data, it becomes apparent that the testing system in my lab is not well locked down at all. In fact, even a simple precaution such as a password policy is not in place for this system (Figure C).
An easy way to fix this mess
Since this testing system running NT is a new installation, it makes sense that many of the security options that are in place on my production systems are not yet mimicked here. What I need is a quick, easy way to set this information so that I don't have to try to find every single parameter and set it to a reasonable value.
Luckily, the SCM comes with a number of preconfigured security templates. As an example, let's say that I want to tightly secure this system by setting a strict password policy, auditing login successes and failures, and setting AutoDisconnect parameters -- while keeping in mind that this system is also a domain controller. One of the stock security templates, hisecdc4, can take care of this.
Looking through the parameters, you can see that hisecdc4 sets a password policy requiring a minimum of eight characters with a password age of 42 days and prohibiting duplication of the six most recent passwords. In addition, hisecdc4 audits all login failures and sets an AutoDisconnect time of 15 minutes for idle sessions. One parameter it does not include but that I would like to add is the auditing of logon successes.
This can be easily rectified by browsing to the hisecdc4 security template and choosing Local Policies | Audit Policy. This will bring up all of the policies related to system auditing. One of these policies is named Audit Logon Events. Opening this policy shows that only failures are audited. To enable auditing of logon successes, all I have to do is select the appropriate check box (Figure D) and click OK.
Figure D: Enabling logon success auditing
Before I can apply this policy to the current system, I have to save it. Since I've made changes to a default template, I'll save it as hisecdc4-lowe by right-clicking on the modified template, choosing Save As, and entering the new name.
Next, I just right-click on the Database item at the top of the window and choose Configure System Now. After a couple of minutes, I choose to analyze the system again. As Figure E shows, the security parameters set in this example are enabled now.
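As an added example (not part of the original article and not Microsoft's tooling), the Python sketch below checks the text of a security template against the settings described above, including the logon success auditing added to the custom copy. The template text is a constructed sample in the standard security-template .inf layout, not the shipped hisecdc4 file, and the function names are hypothetical.

```python
import configparser

# Constructed sample in security-template .inf layout; NOT the shipped hisecdc4 file.
SAMPLE_TEMPLATE = r"""
[System Access]
MinimumPasswordLength = 8
MaximumPasswordAge = 42
PasswordHistorySize = 6
[Event Audit]
AuditLogonEvents = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
"""

AUTODISCONNECT = r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect"
# Audit settings are bit flags: 0 = none, 1 = success, 2 = failure, 3 = both.
# Expected values are the ones the article describes, plus logon success auditing.
EXPECTED = {
    ("System Access", "MinimumPasswordLength"): 8,
    ("System Access", "MaximumPasswordAge"): 42,
    ("System Access", "PasswordHistorySize"): 6,
    ("Event Audit", "AuditLogonEvents"): 3,
    ("Registry Values", AUTODISCONNECT): 15,
}

def read_setting(cp, section, key):
    """Return a setting as an integer, or None if the template omits it."""
    if not cp.has_option(section, key):
        return None
    raw = cp.get(section, key).strip()
    if section == "Registry Values":
        raw = raw.split(",", 1)[1]  # stored as "<type>,<data>"; keep the data
    return int(raw)

def find_deviations(template_text):
    """List (setting, found, expected) for every value that differs from EXPECTED."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.read_string(template_text)
    found = []
    for (section, key), want in EXPECTED.items():
        got = read_setting(cp, section, key)
        if got != want:
            found.append((key.rsplit("\\", 1)[-1], got, want))
    return found

if __name__ == "__main__":
    for name, got, want in find_deviations(SAMPLE_TEMPLATE):
        print(f"{name}: template has {got}, expected {want}")
```

Run against the constructed sample, it reports only the failure-only logon auditing value, which is the one setting the custom template changes.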
Summary
If you haven't had the opportunity to make use of this tool, there's no better time than the present. If you need to configure multiple similar NT servers, you can even reuse your custom security templates to make hardening your servers a breeze. While it's not a new utility, the SCM is invaluable for helping you secure and protect your Windows NT infrastructure.