UNCLASSIFIED
Report Number: C4-001R-00
Guide to Securing Microsoft Windows NT Networks
Network Security Evaluations and Tools Division of the Systems and Network Attack Center (SNAC)
Authors: Updated: September 18, 2001 Paul F. Bartock Version 4.2 Karl J. Brown Melanie R. Cook Julie M. Haney CTOC(AW) John Hollenbeck, USN Harley E. Parkes Capt. York W. Pasanen, USAF Nichole L. Scheibe Capt. Robin G. Stephens, USAF Capt. Martin L. White, USAF
National Security Agency 9800 Savage Rd. Suite 6704 Ft. Meade, MD 20755-6704
UNCLASSIFIED UNCLASSIFIED
This Page Intentionally Left Blank
ii UNCLASSIFIED UNCLASSIFIED
Change Control
Version Date Details 4.2 31 Aug 2001 Added notes on page iv and page 27 about implementing the operating system recommendations in this guide prior to installing and securing Microsoft Exchange. 4.2 31 Aug 2001 Added a warning on page 31 for the “Users must log on in order to change password” setting describing the problem with new user accounts that require the user to change their password at first logon. 4.2 31 Aug 2001 Modified the existing note and added a warning on page 36 for the “Log on as a Service” user right informing the user that the template file will remove all users/groups from this right. 4.2 31 Aug 2001 Added a note on page 39 for the “Audit access to internal system object” setting describing the event 560 errors. 4.2 31 Aug 2001 Corrected the registry key location for preventing users from installing print drivers on page 41. 4.2 31 Aug 2001 Corrected the registry key location for restricting management of shared resources on page 41. 4.2 31 Aug 2001 Added section for setting file permissions for the Dr. Watson crash dump file (user.dmp) on pages 65. 4.2 31 Aug 2001 Removed references to setting the RestrictGuestAccess value in the winreg registry key from Chapter 13 and Appendix D. The proper way to restrict remove registry access is through the ACL permissions on the winreg key. 4.2 31 Aug 2001 Corrected text under installation of the ENPASFLT.DLL on page 90 to read “via setup.exe” vice “via the Install_enpasflt.exe”. 4.2 31 Aug 2001 Added a warning on page 90 that requiring all users to change their password at next logon after installing the ENPASFLT.DLL can cause performance problems on larger networks. 4.2 31 Aug 2001 Added a note on page 107 (Appendix A) on the LMCompatibility level setting required for Windows 95/98 clients. 4.2 31 Aug 2001 Updated Appendix C with information on the Security Rollup Package (SRP) and removed all hotfixes that are included in the SRP. Added MS advisory MS 01-043.
iii UNCLASSIFIED UNCLASSIFIED
Warnings