[6.3.5] Enhanced Protection for Security Accounts Manager Database

STATUS: Completed | Not implemented | Not applicable

The Windows NT Server 4.0 System Key hotfix (included in Service Pack 3) provides the capability to use strong encryption techniques to increase protection of account password information stored in the registry by the Security Account Manager (SAM). Windows NT Server stores user account information, including a derivative of the user account password, in a secure portion of the Registry protected by access control and an obfuscation function. The account information in the Registry is only accessible to members of the Administrators group. Windows NT Server, like other operating systems, allows privileged users who are administrators access to all resources in the system. For installations that want enhanced security, strong encryption of account password derivative information provides an additional level of security to prevent Administrators from intentionally or unintentionally accessing password derivatives using Registry programming interfaces.

Please refer to Knowledge Base article Q143475 for more details on the SysKey feature and how it can be implemented on a Windows NT installation.

[6.3.6] Disable Caching of Logon Credentials during interactive logon

STATUS: Completed | Not implemented | Not applicable

The default configuration of Windows NT caches the last logon credentials for a user who logged on interactively to a system. This feature is provided for system availability reasons, such as when the user's machine is disconnected or none of the domain controllers are online.

Even though the credential cache is well protected, in highly secure environments customers may want to disable this feature. This can be done by setting the following registry key:

    Hive:  HKEY_LOCAL_MACHINE
    Key:   Software\Microsoft\Windows NT\CurrentVersion\Winlogon
    Name:  CachedLogonsCount
    Type:  REG_DWORD
    Value: 0

[6.3.7] How to secure the %systemroot%\repair\sam._ file

STATUS: Completed | Not implemented | Not applicable

By default, the SAM._ file and the \repair directory have the following permissions:

    Administrators: Full Control
    Everyone:       Read
    SYSTEM:         Full Control
    Power Users:    Change

1. From within Explorer, highlight the SAM._ file, right click, choose Properties, Security, Permissions. Remove all privileges from this file.

2. From a DOS prompt, execute the following:

       cacls %systemroot%\repair\sam._ /D Everyone

   This will deny the group Everyone permission to the file, ensuring that no other permission (i.e. inherited permissions from a share) can override the file permission.

3. Whenever you need to update your ERD, first execute the following from a DOS prompt:

       cacls %systemroot%\repair\sam._ /T /G Administrators:C

   This will grant Administrators Change permission so the file can be updated during the ERD update.

4. Once the ERD has been updated, execute the following from a DOS prompt:

       cacls %systemroot%\repair\sam._ /E /R Administrators

   This will once again remove the permissions for Administrators.

How to enable auditing on password registry keys

1. First you have to make sure auditing is enabled. Start User Manager, Policies, Audit, and click "Audit These Events".

2. By default, Windows NT does not identify any users or groups to audit on any objects within the system. Auditing can add performance overhead to your system depending on the available resources, so care should be taken in determining what and whom to audit. For a full description of auditing in Windows NT, I recommend the Microsoft Press book "Windows NT 3.5 - Guidelines for Security, Audit, and Control", ISBN 1-55615-814-9. Despite its title, it is still the most comprehensive coverage of auditing that I have read. For the sake of this example, we will simply check every Success and Failure checkbox.

3. Close the dialog.

4. Now for a little known trick. While logged on as Administrator, ensure that the Schedule service is set to start up as the System account. Once set, start the Schedule service.

5. Check the time, and then open a DOS prompt. At the DOS prompt, type in the following:

       at 22:48 /interactive "regedt32.exe"

   where 22:48 gets replaced with the current time plus 1 minute (or 2, or whatever amount of time you think it will take you to type in the command).

6. At the designated time, regedt32.exe will fire up and appear on your desktop. This incarnation of regedt32.exe will be running in the security context of the user SYSTEM. As such, you will be able to see the entire registry, every key within the SAM or Security trees. BE VERY CAREFUL HERE. It is important to note that when running an application as SYSTEM, it does so attempting to use a null session for credentials. Null session support has been disabled by default in all versions of Windows NT after 3.1, therefore any attempt to connect to non-local resources in this security context will fail. An Administrator could enable null session support through the registry, but such a configuration is strongly discouraged.

7. All we want to do is enable auditing on the designated keys, nothing else. To this end, we highlight the HKEY_LOCAL_MACHINE window within regedt32. Next highlight the SAM tree. Choose the Security menu item, then Auditing.

8. Click on the Add button and choose Show Users.

9. I'm going to recommend that you add the SYSTEM user, the group Domain Admins, and the user Administrator
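The following PowerShell script is an added example and is not part of the original guide. It checks a running system against items [6.3.6] and [6.3.7] above: it reads CachedLogonsCount from the Winlogon key the guide names and inspects the ACL on %SystemRoot%\repair\sam._ for the Deny-Everyone entry that the cacls steps leave behind. The function names, the -Remediate switch and the output object layout are this example's own choices. It assumes an elevated PowerShell 5.1 or later session; it also assumes that on Windows versions after NT 4.0 the repair\sam._ file may not exist and that CachedLogonsCount may be stored as REG_SZ rather than the REG_DWORD the guide lists, and handles both cases.

```powershell
# Added example, not part of the original guide: audit items [6.3.6] and
# [6.3.7] on a running Windows system. Assumes an elevated PowerShell 5.1+
# session. Function names and output layout are this example's own choices.

function Test-CachedLogonsCount {
    # [6.3.6] CachedLogonsCount should be 0 so that no interactive logon
    # credentials are cached for use while domain controllers are unreachable.
    param([int]$Expected = 0)
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'
    $item = Get-ItemProperty -LiteralPath $key -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $item) {
        # Value absent: Windows applies its built-in default, which caches logons.
        return [pscustomobject]@{ Item = '6.3.6'; Compliant = $false
                                  Detail = "$name not set; built-in default applies" }
    }
    # The guide lists REG_DWORD; later Windows versions store this value as
    # REG_SZ (assumption noted in the lead-in). Casting handles both forms.
    $current = [int]$item.$name
    [pscustomobject]@{ Item = '6.3.6'; Compliant = ($current -eq $Expected)
                       Detail = "$name = $current (expected $Expected)" }
}

function Set-CachedLogonsCount {
    # Remediation for [6.3.6]: write the guide's value of 0, keeping the
    # existing value kind if the value exists, otherwise creating it as
    # REG_DWORD exactly as the guide specifies.
    param([int]$Value = 0)
    $key  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $name = 'CachedLogonsCount'
    $regKey = Get-Item -LiteralPath $key
    if ($regKey.GetValueNames() -contains $name) {
        $kind  = $regKey.GetValueKind($name)
        # A REG_SZ value must receive a string; REG_DWORD receives an integer.
        $typed = if ($kind -eq 'String') { [string]$Value } else { $Value }
        Set-ItemProperty -LiteralPath $key -Name $name -Value $typed -Type $kind
    } else {
        New-ItemProperty -LiteralPath $key -Name $name -Value $Value -PropertyType DWord | Out-Null
    }
}

function Test-RepairSamAcl {
    # [6.3.7] After steps 1, 2 and 4 the file should carry only an explicit
    # Deny for Everyone. Any Allow entry (including the temporary
    # Administrators:C grant from step 3) means step 4 was not completed.
    param([string]$Path = (Join-Path $env:SystemRoot 'repair\sam._'))
    if (-not (Test-Path -LiteralPath $Path)) {
        return [pscustomobject]@{ Item = '6.3.7'; Compliant = $null
                                  Detail = "$Path not present (NT 4.0 ERD location)" }
    }
    $acl = Get-Acl -LiteralPath $Path
    # Compare by SID (S-1-1-0 is Everyone) so the check is locale independent.
    $denyEveryone = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and
        $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value -eq 'S-1-1-0'
    }
    $allows  = @($acl.Access | Where-Object { $_.AccessControlType -eq 'Allow' })
    $summary = ($acl.Access | ForEach-Object {
        '{0} {1} {2}' -f $_.IdentityReference.Value, $_.AccessControlType, $_.FileSystemRights
    }) -join '; '
    [pscustomobject]@{ Item      = '6.3.7'
                       Compliant = ([bool]$denyEveryone -and $allows.Count -eq 0)
                       Detail    = $summary }
}

function Invoke-NtChecklistAudit {
    # Runs both checks; with -Remediate, applies the [6.3.6] registry value
    # and re-reads it to confirm the write took effect.
    param([switch]$Remediate)
    $results = @(Test-CachedLogonsCount)
    if ($Remediate -and -not $results[0].Compliant) {
        Set-CachedLogonsCount -Value 0
        $results[0] = Test-CachedLogonsCount
    }
    $results += Test-RepairSamAcl
    $results
}

Invoke-NtChecklistAudit | Format-Table -AutoSize
```

Run Invoke-NtChecklistAudit for a read-only report; add -Remediate to write the [6.3.6] value and re-read it. The sam._ ACL is only reported, not changed, because the guide's step 3 has to reverse that setting around every ERD update and the cacls commands above already document the exact sequence.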