CPUG - The Check Point User Group. A Resource For The Check Point Community. Fast. Useful. Independent.
Securing Windows NT for a VPN-1/FireWall-1 Installation

Windows NT, by default, runs many services that are potential security risks. The following subsections contain some tips for setting up your Windows NT box to make it more secure. Note that the system should be physically disconnected from your network until you have made all of these changes. This minimizes the possibility that your firewall system will be compromised before you even get started.

You might wonder why I am bothering to include this despite the fact that Microsoft no longer supports Windows NT. The fact is that Windows NT is well understood by many organizations and will likely still be in use long after Microsoft stops supporting it. Almost all security issues that may be present in Windows NT can be mitigated by proper configuration of the platform.

Network Protocols

When setting up NT for FireWall-1, only TCP/IP is needed. Use a static IP address.

Machine Name, Domain

Pick a good machine name (firewall seems like a good choice) and pick a workgroup that is not reachable. We're going to disable Microsoft Networking services below as well.

Services

By default, NT installs the following services:

- Computer Browser
- NetBIOS Interface
- RPC Configuration
- Server
- Workstation

None of these services are actually needed by FireWall-1. Remove NetBIOS, RPC, and Server; the others will be disabled below. You also need to install the SNMP service at this time (FireWall-1 uses this service). Install it before installing FireWall-1 or any service packs.

Some may wonder why Workstation is being left in. If you delete Workstation, every time you go into the "Network" configuration in NT, you will be asked if you want to install Windows NT Networking. If you answer yes to this question, your NT installation will be damaged. By leaving the Workstation service installed, this question is never asked. If the Workstation service is disabled (as shown below), it will not create a security risk.

The reason Computer Browser is being left in is that Workstation has a dependency on it. Again, it will be disabled.

IP Routing

In the Network Control Panel applet, click on Protocols. Double-click on TCP/IP. Make sure that IP Routing is enabled in the TCP/IP Properties under the Routing tab. Also ensure that only your external interface has a default route defined (the other interfaces should not).

WINS TCP/IP

In the Network Control Panel applet, click on Bindings. From the pulldown menu next to "Show bindings for", select "all protocols." Select WINS TCP/IP and click on Disable.

WINS Client

If you are installing NT from scratch, you will not be able to disable WINS Client during the install. After a reboot, you will experience a hang of up to 2 minutes. This is perfectly normal and should not occur after disabling the WINS Client. Go to Devices in the Control Panel, scroll down and find WINS Client (TCP/IP). Click on "Startup" and change startup to "Manual."

Services to Disable After Installation

Go to Services in the Control Panel. For each of the following services, select the service, click on "Startup" and change startup to "Manual". When you reboot, these services will be disabled:

- Computer Browser
- TCP/IP NetBIOS Helper
- Net Logon
- Workstation
- Server (if present)
- Network DDE
- Network DDE DSDM
- Messenger

Local Hosts File

While not necessarily a "security" recommendation, it is highly recommended that you make sure that your hostname is resolvable to an IP address. In fact, FireWall-1 4.1 will automatically add an appropriate entry. Go to the local hosts file (`%SystemRoot%\System32\drivers\etc\hosts`) and make sure your hostname (as specified above) has an entry in it (it probably won't). Make it resolve to your external IP address.

Registry Hacks

These registry hacks help protect against people physically coming up to the machine and logging into it. Her method for "securing" her NT systems is somewhat different, as it allows certain users to access the machine from the network. I've picked out the more interesting of her registry hacks to show on this page, which assume you've followed my steps above.

To disable display of the last user ID in the logon window, set `DontDisplayLastUsername` to `1` under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (REG_SZ).

To display a warning message when logging on to the server, set `LegalNoticeCaption` to "Notice" and `LegalNoticeText` to "Authorized users only", both under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (REG_SZ).

To disable caching of logon credentials, set `CachedLogonsCount` to `0` under `HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon` (REG_SZ).

-- PhoneBoy - 11 Jan 2004
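The FAQ gives the service and Winlogon settings as Control Panel steps; as an added example (not PhoneBoy's code), here is a Python audit that reads a REGEDIT4 export (the format NT 4's regedit.exe writes) and reports where the box deviates from the "Services to Disable" list and the Registry Hacks above. The mapping from Control Panel display names to registry service key names, and the Start values 2/3/4 meaning Automatic/Manual/Disabled, are my assumptions, not from the FAQ; the sample export is constructed.

```python
# Baseline from the FAQ above: Winlogon values, plus services whose Start type must be
# Manual (3) or Disabled (4). Mapping display names to registry service names is my assumption.
WINLOGON_KEY = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
WINLOGON_EXPECTED = {"dontdisplaylastusername": "1", "legalnoticecaption": "Notice",
                     "legalnoticetext": "Authorized users only", "cachedlogonscount": "0"}
SERVICES_KEY = r"hkey_local_machine\system\currentcontrolset\services"
SERVICES_TO_DISABLE = ["Browser", "LmHosts", "Netlogon", "LanmanWorkstation",
                       "LanmanServer", "NetDDE", "NetDDEdsdm", "Messenger"]

def parse_regedit4(text):
    """REGEDIT4 export -> {key: {name: value}}, lower-cased (the registry is case-insensitive).
    REG_SZ becomes str, dword becomes int; other value types are ignored."""
    reg, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            reg[key] = {}
        elif key and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            if raw.startswith("dword:"):
                reg[key][name.lower()] = int(raw[6:], 16)
            elif len(raw) >= 2 and raw[0] == raw[-1] == '"':
                # REGEDIT4 doubles backslashes and escapes quotes inside REG_SZ data
                reg[key][name.lower()] = raw[1:-1].replace('\\\\', '\\').replace('\\"', '"')
    return reg

def audit(reg):
    """Findings where the export deviates from the baseline. An absent service key is
    skipped (the FAQ lists Server as 'if present'); a missing Winlogon value is a finding."""
    findings, winlogon = [], reg.get(WINLOGON_KEY, {})
    for name, want in WINLOGON_EXPECTED.items():
        if winlogon.get(name) != want:
            findings.append(f"Winlogon {name}: got {winlogon.get(name)!r}, expected {want!r}")
    for svc in SERVICES_TO_DISABLE:
        start = reg.get(f"{SERVICES_KEY}\\{svc.lower()}", {}).get("start")
        if start is not None and start < 3:
            findings.append(f"service {svc}: Start={start}, expected 3 (Manual) or 4 (Disabled)")
    return findings

# Constructed sample export with two deliberate deviations: CachedLogonsCount left at the
# NT default of 10, and the Server service still set to Automatic start.
SAMPLE_EXPORT = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"LegalNoticeCaption"="Notice"
"LegalNoticeText"="Authorized users only"
"CachedLogonsCount"="10"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer]
"Start"=dword:00000002
"""
```

Run `audit(parse_regedit4(open("export.reg").read()))` against a real export; an empty list means every setting the FAQ calls for is in place.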