You can set up Windows NT so that it does not delete old items when the log fills. However, if you do so, it will simply stop logging items when the log fills, which is even worse for security. If you're really confident about your ability to keep the log small by hand, you can set the machine up so that if the log fills up, it will not only stop logging, it will also shut the machine down. This approach is very radical; it does not do a graceful shutdown but simply crashes, probably losing information in open files. On the other hand, as long as the machine isn't set to autoboot, it will make sure that you don't lose logging information.
If you are very careful, you can get an Event Logger set up that is relatively secure but that requires considerable maintenance. To do so, you'll need to configure the Event Logger for a large log that does not overwrite old events, have it shut down the machine if the log fills, turn off autobooting, and then regularly save the log to removable media and clear the logs. This still leaves you vulnerable to denial of service attacks and to attackers who modify the logs before you copy them. You can add some security by changing the location to which Event Logger writes and putting the log on write-once media.
To keep events from being overwritten, use the Event Viewer, go to the Log menu, select Log Settings, and select Do Not Overwrite Events (Clear Log Manually). To shut down the machine when the log fills up, set the registry key
\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Lsa\CrashOnAuditFail
to 1. To change the location where files are stored, look in:
\HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog
You will find an entry for each of the three Windows NT logs (application, system, and security), each of which has a key named "File". Change the value of this key to change the files used to store event logs.
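A read-only check of the settings named above, as an added example rather than anything from the original text. It assumes a Windows version that has PowerShell (later than the Windows NT release discussed here) and reads the `Retention` registry value, whose name the page does not give.

```powershell
# Added example: read-only audit of the settings described in the text above.
$lsaKey  = 'HKLM:\System\CurrentControlSet\Control\Lsa'
$logRoot = 'HKLM:\System\CurrentControlSet\Services\EventLog'
$never   = [int64]4294967295      # 0xFFFFFFFF: do not overwrite events

function Get-RegValue([string]$Path, [string]$Name) {
    # Return $null instead of throwing when the key or value is missing.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { $item.$Name }
}

$findings = @()

# CrashOnAuditFail: the text sets this to 1 so the machine halts when the log fills.
$crash = Get-RegValue $lsaKey 'CrashOnAuditFail'
if ($crash -ne 1) {
    $findings += "CrashOnAuditFail is '$crash', expected 1"
}

$report = foreach ($log in 'Application', 'System', 'Security') {
    $key       = Join-Path $logRoot $log
    $file      = Get-RegValue $key 'File'
    $retention = Get-RegValue $key 'Retention'   # assumption: name not on the page

    # DWORDs may surface as signed or unsigned; normalise to 32 unsigned bits.
    $noOverwrite = ($null -ne $retention) -and
                   (([int64]$retention -band $never) -eq $never)
    if (-not $noOverwrite) {
        $findings += "$log log can overwrite old events (Retention=$retention)"
    }
    if (-not $file) {
        $findings += "$log log has no File value under $key"
    }
    [pscustomobject]@{
        Log = $log; File = $file; NoOverwrite = $noOverwrite
    }
}

$report | Format-Table -AutoSize
if ($findings.Count -eq 0) {
    'All checked settings match the configuration described above.'
} else {
    $findings | ForEach-Object { "FINDING: $_" }
}
```

The script changes nothing; it only reports where each log file lives and whether the overwrite and crash-on-full settings match the hardened configuration.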
You are better advised to use an add-on product to copy events out of the Event Logger as they are logged. You can then let old events be deleted, since you'll be working from the other copies. Microsoft sells a program that turns events into SNMP traps as they are logged as part of the System Management Service; you can also get programs that will make syslog entries for events (see Chapter 11, "Unix and Linux Bastion Hosts", for more information about syslog). The Windows NT Resource Kit provides a utility called dumpel that will dump the event log to a text file, which can also be handy for saving event log information. None of these systems are perfect; they have a significant risk of losing or duplicating events. You will therefore want to protect the original event logs as well.
Although Microsoft does not provide tools for rotating event logs, there is a programming interface to the event logger that would allow you to write your own. If you do this, you should still leave the machine set to crash when the log fills, so that you are protected in case of rotation problems.
You will also want to be careful about the amount of logging you do. Logging takes a significant amount of effort under Windows NT, and logging large numbers of events can noticeably slow down a server, particularly if you are running add-on software that requires every event to be logged twice. The auditing system can log immense amounts of data if you are incautious about what you turn on.