16 Steps to Building a Secure Web Server

Take steps to increase security on your NT Web server

When IBM brought an AS/400 to the Windows NT Magazine Lab, it claimedthat the AS/400 was "the safest Web server on the planet" because professional security firms failed to break into it. Naturally, the Lab and I felt compelled to build a secure NT Web server. I spent approximately 3 hours completing the job. When the Lab turned the same professional security firms loose on my system, they were unable to break in.

An NT server is a great platform right out of the box; however, NT isn'tbulletproof. An NT Web server definitely needs strengthening against unwantedintrusion.

In most cases, large companies can survive losses resulting from securitybreaches; smaller businesses might not. I've seen more than one business vanishovernight as a result of the financial damage an intrusion causes.

In this article, I'll describe how I built my NT Web server and give tipson how you can build your own. I'll also describe steps to increase security on your server.

How I Did It
I made numerous changes to NT's original configuration to secure the system I built for the Lab, which the Lab used for Internet services only. I created a standalone server in its own private workgroup and installed only the necessary default services (plus Internet Information Server--IIS). I didn't add any optional services or use any third-party security add-ons.

If you're familiar with NT's administration tools and the basic concepts of granting and removing user rights and permissions, you know that these modifications involve editing the Registry. If you're considering building your own server, have an up-to-date Emergency Repair Disk (ERD) handy. Also, use caution when changing the Registry: Mistakes in editing the Registry can lead to an unbootable NT server.

Step 1: Install the Latest Service Pack and Applicable Hotfixes
After you install your operating system (OS), you can load the currentservice pack. I used Service Pack 3 (SP3).

Some network engineers claim that installing service packs isn't alwaysnecessary. However, sometimes service packs contain features that fix securityproblems. Because Microsoft doesn't always itemize service pack features, youwon't know which features are included unless you use the service pack. The sameis true for post-service pack hotfixes. On at least one occasion, I used anunrelated hotfix that contained the solution to an obscure security problem Ihad. However, the associated Microsoft Support Online article and README filedidn't mention this hotfix.

You can always test a hotfix or service pack on a nonproduction (or backup)server before you implement it on your live server. If you don't have a secondserver or don't feel comfortable loading fixes, you can seek a networkprofessional's assistance. This money will be well spent. To minimize the riskof a faulty service pack or hotfix breaking my NT server, I wait about a weekafter Microsoft releases a new one to see whether any major complaints arisefrom the user community.

If you don't know which service packs you need, you can load them all orseek a network professional's advice. The order in which you install hotfixes isimportant because later hotfixes sometimes supersede earlier ones. You need topay attention to the date and time stamps on the files listed on Microsoft's FTPsite and install the hotfixes in chronological order. The hotfixes are locatedat ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes. If youadd services or install new versions of NT components later, you'll need toreinstall the latest service pack and hotfix (so keep them available).

When I built my system, I loaded five mandatory post-SP3 hotfixes:getadmin-fix, teardrop2-fix, srv-fix, simptcp-fix, and pent-fix. If you want tolearn about what these hotfixes can do, read Microsoft Support Online articleslocated in the named subdirectories.

Step 2: Change NTFS File and Directory Permissions
NTFS provides more advanced security features than FAT file systems, so useNTFS whenever possible (e.g., if you install an additional hard drive or createnew partitions on existing drives). FAT offers no security at the file anddirectory levels. If you must use a FAT file system, consider securing the FATpartition by using the Secure System Partition command on the Partition menu ofthe Disk Administrator utility. You can use FAT for the boot partition of anARC-compliant RISC system (e.g., an Alpha), but don't put any files on thatpartition other than the Windows NT installation default boot files.

The files and directories that comprise the OS software on any partitionrequire protection. The standard set of permissions on these files anddirectories provide a reasonable degree of security without interfering with thecomputer's usability. However, you can modify the NTFS file and directorypermissions, if necessary. For high-level security installations, set directorypermissions for all subdirectories and existing files immediately after youinstall NT. Remember that you need to apply permissions to parent directoriesbefore you apply permissions to subdirectories. Table 1 provides a list of thepermissions you need to apply. You will also need to apply exceptions to thegeneral security permission settings within the /winnt directory. Table 2provides these exceptions. Because several critical OS files exist in the rootdirectory of the system partition on Intel-based systems, you might alsoconsider assigning the permissions listed in Table 3.

To view these files in Explorer, you can choose the By File Type commandfrom the View menu, then select the Show Hidden/System Files check box in the ByFile Type dialog box. Be sure to review your changes on each partition to ensurethey have been properly secured. You can use Explorer or a specialized tool suchas CACLS from the Microsoft Windows NT Server 4.0 Resource Kit, orSomarsoft's DumpACL (available at www.somarsoft.com) to perform this audit.Also, review your file and directory permissions periodically to determinewhether sensitive files are exposed to unauthorized users or groups.

Step 3: Secure NT Services
Several NT-based services are vulnerable when exposed to an untrustednetwork like the Internet. Therefore, consider disconnecting (unbinding)these services from any publicly exposed network adapters, including serialcommunications (COM) ports (dialup adapters) if you use Remote Access Service(RAS) for Internet or inbound dial-up access. For example, unless you mustsupport telecommuters who need access to this service, don't make the serveravailable to remote users. If remote Internet users need to access thissensitive service, you can use a Virtual Private Network (VPN). Establishing aVPN with Point-to-Point Tunneling Protocol (PPTP) provides a more secure meansof supporting telecommuter connections.

If you aren't supporting telecommuters, you still need the server to workcorrectly on your private network. Disable the server bindings to any networkadapter cards connected to the Internet or other untrusted networks. Do notleave the following standard services bound to an exposed network card, exceptunder special circumstances: Alerter, Clipbook Server, Dynamic HostConfiguration Protocol (DHCP), Windows Internet Naming Service (WINS), DirectoryReplicator, Messenger, Network Dynamic Data Exchange (DDE), Network DDE DSDM,Schedule, Simple Network Management Protocol (SNMP), and simple TCP/IP services.In short, bind only the required services (e.g., Web or email) to a publicnetwork adapter.

In my secured system, I used only one network adapter card and loaded onlydefault services, which simplified the unbinding process. I disabled the WINSclient binding from the adapter, and rebooted the system. To unbind servicesfrom a network adapter, open the Network applet in Control Panel, click theBindings tab, select your exposed network adapters, and click Disable. You canthen close the dialog box and reboot the server.

I didn't install the FTP service portion of IIS and encourage you not toinstall it. FTP clients send passwords in clear text, and packet sniffers caneasily grab them. Also, minor oversights in setting your directory and filepermissions can lead to a system security breach. The only services running onmy system were the event logs, NT LAN Manager (NTLM) Security Support Provider,Remote Procedure Call (RPC) Service, and Web Service.

Step 4: Obscure the Administrator Account
Crippling the built-in Administrator account (i.e., removing its permissionsand rights) is a great idea. This powerful built-in account is dangerous toleave available because intruders can use it as a target for gaining access toyour network.

Some network professionals argue that renaming or disabling theAdministrator account is easier than crippling it. However, there are tworeasons why the easier way isn't necessarily the safest way to handle thisvulnerable account. First, before Microsoft released SP3, the RedButton utilityeasily revealed your newly renamed Administrator account. SP3 fixed thatproblem, but you're better off safe than sorry. Second, intruders can recognizea disabled account and start guessing account names and passwords until theyfind what works.

If you cripple the Administrator account, intruders might spend days,weeks, or even months trying to guess the account name and associated password.Even if the hackers eventually discover the name and password, they will alsofind that the account has no rights or permissions, and they've wasted theirtime. In the meantime, you can closely monitor your audit logs to detectbreak-in attempts and the would-be intruder, and take steps to make your networkmore secure.

On my installation, I used the built-in TCP/IP filtering security todisable all ports except port 80 so a tool like RedButton couldn't contact theNT system. I also used a shortcut to obscure the Administrator account. Thisshortcut can work for you if you're certain you won't expose non-Internetservice ports (e.g., port 137, port 138, and port 139 for NetBIOS) in thefuture.

First, I gave the Administrator account an obscure, hard-to-guess name.Then I created a new Administrator account and removed all default permissionsand rights, effectively creating a dummy target for would-be intruders. Iremoved the right to log on from the network, so users couldn't access thesystem across the network. That way, an intruder who learned the new accountname and associated password would still need to log on to the system using thelocal keyboard console. Administrators working remotely might require the rightto log on from the network to perform certain operations. It's always best torequire any remote user to use PPTP to access the corporate network from acrossthe Internet. If you don't use an encryption method such as PPTP, a hacker cansniff your network traffic more easily and possibly use the information in thenetwork traffic to penetrate the system.

NT also creates a Guest user account (as seen in User Manager). However,leave this account disabled until a guest uses your network, and then create aspecific account for that person. (You will need to delete the account after theguest has finished using it).

Step 5: Activate Screen Savers
If you enforce a policy of using the NT screen-saver feature, enable thePassword-Protected option, and set the activation time to a low value (i.e., 1minute to 10 minutes). When a user walks away from a computer without loggingoff, the screen saver will automatically activate, thus protecting the systemfrom unwanted access. The effort users expend continually deactivating screensavers is worth the level of safety that you obtain from using them. However,heavily animated screen savers on a server unnecessarily use CPU cycles so ablank screen saver will serve you better.

Step 6: Protect the Registry
NT stores all initialization and configuration information in the Registry.Some processes modify their own keys, and you can modify other keys by using aRegistry editor. Because you can configure the NT Registry from a remotelocation, you need to restrict access to it. To restrict access, create theHKEY_LOCAL_MACHINESYSTEM CurrentControlSetControl SecurePipeServerswinreg Registry key. The security permissions set onthis key define which users or groups can access the Registry remotely. Bydefault, NT Workstation doesn't define this key or restrict remote access to theRegistry. The NT Server default setting permits only administrators to accessthe Registry remotely. However, you might consider not letting anyone access theRegistry remotely, including administrators.

Step 7: Secure the Event Logs
By default, NT lets guests and anonymous users view the System Log andApplication Log. By default, NT also protects the Security Log from guestaccess. However, users who have the Manage Audit Logs user right can view theSecurity Log. The event log service uses the RestrictGuestAccess entry (typeREG_DWORD) in the HKEY_LOCAL_MACHINE SYSTEMCurrentControlSetServices EventLogLog Name Registry key to restrict guest access tothese logs. To restrict anonymous and guest access, you can set the value foreach log to 1. The change will take effect the next time the system reboots. Youcan also change the user access permissions on the Registry key so that usersother than those who can access the Administrator and system accounts cannotaccess this key. Otherwise, an intruder can reset the Registry key value andpermit unwanted access to the logs.

Step 8: Hide the Name of the Last User
By default, NT leaves the name of the last user to log on in the Usernamefield of the logon dialog box, which makes it more convenient for a frequentuser to log on. However, this username also provides 50 percent of the puzzleneeded to break into a system locally. You can use a Registry editor to createthe Don't-DisplayLastUserName entry (type REG_SZ and data value of 1) inthe HKEY_LOCAL_MACHINE SOFTWAREMicrosoftWindowsNT CurrentVersionWinlogon Registry key so that the usernamedoesn't appear in the logon dialog box.

Step 9: Restrict Anonymous Network Access to the Registry
SP3 for NT 4.0 includes a security enhancement that restricts anonymous(null session) logons that connect to specific named pipes. SP3 provides the NullSessionPipes entry (type REG_MULTI_SZ) in the HKEY_LOCAL_MACHINESYSTEM CurrentControlSetServicesLanManServer Parameters Registrykey, which defines the list of named pipes that are exempt from thisrestriction. Microsoft's Support Online article "Can No Longer Access theRegistry With Null Sessions" (http://support.microsoft.com/support/kb/articles/q143/1/38.asp) provides complete detailsabout modifying this key.

Step 10: Restrict Anonymous Lookup
NT has a feature that lets anonymous users list domain usernames and countshare names. Users who want enhanced security have asked Microsoft for help inrestricting this feature. SP3 for NT 4.0 (and a hotfix for Windows NT 3.51) letsyou restrict this feature. To implement your restrictions, you can usethe RestrictAnonymous entry (type REG_DWORD and data value of 1) in theHKEY_LOCAL_MACHINE SYSTEM CurrentControlSet ControlLsa Registry key.

Step 11: Remove Default Administrator Shares
Windows and DOS don't display shares ending in a dollar sign ($). You canuse this method to hide any shares that you don't want users to see or makeadministrative shares invisible to network browsers. You can connect to hiddenshares only if you know the exact share name.

Default administrative shares can't be removed by unsharing them. Likewise,deleting a share will remove it only temporarily (the share will reappear thenext time you reboot the system). To permanently remove administrative shares,you can edit the appropriate Registry key. For NT Server, the Registry key isHKEY_LOCAL_MACHINESYSTEM CurrentControlSetServices LanManServer Parameters AutoShareServer. For NT Workstation, the Registry key isHKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanManServerParametersAutoShareWks. Change the value to 3D0 and reboot the system.

Step 12: Perform System Audits
Auditing can detect suspicious activity before it escalates into a majorproblem. Actions that are important to audit are failed logon attempts, failedattempts to access sensitive data, and changes to security settings. You canalso audit successful logons and find out whether a user is accessingunauthorized accounts after hours or while someone is on vacation. Depending onyour network usage and policies, you can monitor suspicious activity by auditingthe successful use of user rights, user and group management, security policychanges, and system restart and shutdown events. You can activate systemauditing by using the following steps:

Step 13: Audit Base Objects
Auditing base objects adds a level of protection because it logs sensitiveobject access to the event logs. However, you can't start generating audits justby setting this value; the administrator must turn on auditing for the ObjectAccess category in User Manager. This setting tells the Local Security Authority(LSA) that it must create base objects with a default system audit control list.To audit base system objects, use the AuditBaseObjects entry (type REG_DWORD anddata value of 1) in the HKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa Registry key.

Step 14: Audit Privileges
By default, the system includes certain privileges that you can't audit,even when you turn on privilege auditing. NT leaves these privileges disabled tocontrol audit log growth. However, you can audit these privileges if you want todetect account tampering. Table 5 lists these privileges and defaultassignments. Auditing the first item in Table 5 won't provide you with anyuseful information because it's a privilege granted to everyone. Regarding item2, only programmers can debug programs. Item 3, item 4, and item 5 are highlysensitive rights, and should not be granted to any user or group unlessabsolutely necessary. Item 6 and item 7 are used during normal systemoperations. To audit these privileges, you can use the FullPrivilegeAuditingentry (type REG_BINARY and data value of 1) in theHKEY_LOCAL_MACHINESYSTEMCurrentControlSetControlLsa Registry key.

Step 15: Disable Caching Logon Credentials
By default, NT caches the logon credentials for the last user. With thisfeature, a user can log on to the system even if the system is disconnected fromthe network and the domain controllers are unavailable. Because I installed mysystem as a standalone server in a separate workgroup, I didn't worry aboutdomain controllers and caching. However, to be on the safe side, I made anadjustment.

The credential cache is protected, but you can disable this cachecompletely if your environment requires a high level of security. To disablecredential caching, use the CachedLogonsCount entry (type REG_DWORD and datavalue of 0) in the HKEY_LOCAL_MACHINESOFTWAREMicrosoftWin-dowsNTCurrentVersionWinlogon Registry key.

Step 16: Enable TCP/IP Filtering Security
As a final step to secure my system, I employed the built-in TCP/IP filter.I shut down all ports except port 80 for the intrusion test, which made the taskquick and easy. If you're planning to use the TCP/IP filter and you haveFrontPage, PPTP, Simple Mail Transfer Protocol (SMTP), Post Office Protocol(POP) mail, or other Internet services, you'll need to open the associated portsso that those services can work correctly. To activate TCP/IP filtering, go toControl Panel and open the Network applet. Select the Protocols tab and view theTCP/IP protocol properties. Click Advanced on the IP Address tab, and select theEnable Security check box. Click Configure, and select all three Permit Onlyoptions (i.e., TCP ports, Internet Control Message Protocol--ICMP ports, andUser Datagram Protocol--UDP ports). This selection will activate filtering forall three packet types. Click Add under TCP ports, and add port 80 for the Webserver. Open any other ports you need to open.

When you enable ICMP and UDP ports (by selecting the Permit Only options)without adding ports, NT will not accept any of these packet types, effectivelyblocking almost all system traffic. (The system will still respond to pingpackets.)

Some Sound Advice
Most of the modifications I made to my system addressed network access.However, you can modify your system further to strengthen overall security. Forinstance, you can employ system keys that are part of SP3, or use two or morenetwork cards (one for internal private use and one for Internet public use) andbind only certain services to the internal private cards to ease administration.Most important, you must consistently monitor event logs and clear or save them.Thus, you need to set an acceptable log size and keep sufficient log records sothat no logs roll off before you inspect them.

To adjust your log properties, open Event Viewer and select Log Settingsfrom the Log menu. A dialog box in which you can make your adjustments will pop up.

If you want to examine the list of security issues that have surfaced with NT and other BackOffice products over the last year or so, or learn more about NT security, visit my Web sites at http://www.ntsecurity.net and http://www.ntshop.net.

This article is adapted from Mark's book, Internet Security with Windows NT (Duke Press at http://www.dukepress.com).