
CERT® Coordination Center

Windows NT Security and Configuration Resources


This document is being published jointly by the CERT Coordination Center and AusCERT (Australian Computer Emergency Response Team). The CERT® Coordination Center and AusCERT® do not review, evaluate, or endorse the resources, tools, mailing lists, or contents of any web sites listed below. The decision to use any of these resources is the responsibility of each user or organization, and we encourage each organization to thoroughly evaluate any resources, new tools, or techniques before installing or using them. We are simply including this information here so that you may be aware of their existence and may evaluate them as appropriate for your site.

Contents

Document revision history


Microsoft Resources


NT Server 4.0 Resource Kit

The MICROSOFT WINDOWS NT SERVER 4.0 RESOURCE KIT is a three-volume book set with a CD-ROM. The kit must be purchased separately from the operating system. The kit includes the Microsoft Windows NT Server Resource Guide, the Microsoft Windows NT Server Networking Guide, and the Microsoft Windows NT Server Internet Guide. The companion CD-ROM contains deployment strategies, tools, and utilities for enhancing the functionality of NT 4.0.
http://mspress.microsoft.com/prod/books/580.htm

If you currently have the resource kit, review the various RK*.HLP files. These files explain all the tools and documents in the resource kit.

TechNet

TechNet is a technical resource that provides information about Microsoft products. Delivered to subscribers each month, TechNet provides several CDs containing the latest information from Microsoft, including Resource Kits, technical notes, knowledge base articles and the complete library of service packs, software updates and drivers. Further information on TechNet and how to subscribe can be read at
http://www.microsoft.com/technet/default.asp

Other Security Guides


SECURING WINDOWS NT INSTALLATION (Microsoft)

http://www.microsoft.com/ntserver/security/exec/overview/Secure_NTInstall.asp

This white paper is a very useful guide about changing permissions and registry settings to increase the level of security on your NT system.

INTERNET INFORMATION SERVER 4.0 SECURITY CHECKLIST (Microsoft)

http://www.microsoft.com/security/products/iis/CheckList.asp

This checklist helps Microsoft IIS administrators ensure that security aspects of running an IIS server have been considered.

WINDOWS NT SECURITY: STEP-BY-STEP (System Administration, Networking, and Security)

http://www.sans.org/newlook/publications/ntstep.htm

This book, a prescriptive guide to Windows NT security, gives step-by-step instructions on everything from installing a machine to monitoring security. Experts from more than 70 organizations collaborated to describe the problems to be solved, lay out the actions that will solve each problem, give tips on how to perform the required actions, and warn about cases where those actions could create other problems. To explain Windows NT security in a chronological manner, they present 93 separate actions organized into 8 phases. This 36-page book, written in February 1998, requires a fee. (Much of the same information can be found in the white paper from Microsoft called Securing your NT Installation, which is listed above.)

WINDOWS NT SECURITY GUIDELINES -- NSA

http://www.trustedsystems.com/tss_nsa_guide.htm

"Windows NT Security Guidelines" gives administrative and operational guidelines for securely installing NT networks and benchmarks best commercial and military practices. This 110-page report is the product of a one-year project by the National Security Agency (NSA) Research Organization. Copies of the guidelines are available at no charge from the above URL or by contacting Trusted Systems Services at +1 217-344-0996.

Mailing Lists


NT BugTraq
http://www.ntbugtraq.com/
Select "subscribe" under the Quick Links.

BugTraq
http://www.securityfocus.com/
Select forums, bugtraq, faq for details on subscribing.

Microsoft Security Notification Service
http://www.microsoft.com/security/services/subscribe.asp

NT Security
http://www.ntsecurity.net/

Other incident response teams that redistribute Microsoft security bulletins include the following:

ISS Mailing List Web Page
http://www.iss.net/security_center/maillists/

ISS has a useful web interface for subscribing to 14 security-related mailing lists:
-NSA
-NSA Digest
-NT Security
-NT Security Digest
-SecNews
-SecNews Digest
-SecTech
-SecTech Digest
-Alert
-IDS - Intrusion Detection Systems
-ProtoWorX™
-RealSecure™
-NT S3
-NT Scanner

NT System Admin Issues
http://lyris.sunbelt-software.com/scripts/lyris.pl
Select the NTSYSADMIN link.

Books


Okountsev, Nikolaio. Windows NT Security Programming, Easy to Use Security Options. R&D Books, September 1997.
ISBN 0-87930-473-1

Rutstein, Charles B. Windows NT Security: A Practical Guide to Securing Windows NT Servers and Workstations. McGraw-Hill, January 1997.
ISBN 0-07057-833-8

Daniels, Tim. 1001 Secrets for Windows NT Registry. 29th Street Press, January 1998.
ISBN 1-882419-68-5

McMains, John. Windows NT 4 Backup and Recovery Guide. Osborne McGraw-Hill, June 1997.
ISBN 0-078823-63-3

Solomon, David. Inside Windows NT, Second Edition. Microsoft Press, May 1998.
ISBN 1-572316-77-2

Edwards, Mark J. Internet Security with Windows NT. 29th Street Press, 1997.
ISBN 1-882419-62-6

Jumes, James G.; Coopers and Lybrand; Cooper, Neil F.; Feinman, Todd M. Microsoft Windows NT 4.0 Security, Audit, and Control. Microsoft Press, December 1998.
ISBN 1-572318-55-4

Web Resources


Microsoft Security Advisor Web Site
http://www.microsoft.com/security/

The SANS Institute
http://www.sans.org/

Internet Security Systems
http://www.iss.net/

X-Force Database of Computer Threats & Vulnerabilities
http://www.iss.net/security_center

Known NT Exploits List
http://www.ntsecurity.com/

Infilsec Vulnerability Engine
http://www.infilsec.com/vulnerabilities/

Windows NT Frequently Asked Questions
http://www.ntfaq.com/

Sunbelt Software
http://www.sunbelt-software.com/

  • knowledge base (another NT FAQ)
  • shop talk (glossary of technical jargon)
  • mailing lists

Registry Changes
http://www.jsiinc.com/reghack.htm

Tools


Microsoft Security Configuration Manager

ftp://ftp.microsoft.com/bussys/winnt/winnt-public/tools/SCM/

The Security Configuration Manager (SCM) provides a mechanism to consolidate various security settings into a single file. The configuration in this file can then be applied to other Windows NT devices. The SCM requires Service Pack 4 to be installed. It has both a command line tool and a graphical interface.

NukeNabber v2.9b

http://www.dynamsol.com/puppet/nukenabber.html

NukeNabber is used to listen on TCP and UDP ports commonly attacked over the Internet. A total of 50 ports can be monitored simultaneously. ICMP dest_unreach attacks are also logged. This application gives you the information you need to trace an attacker and a way to find an attacker's nickname on IRC (mIRC, VIRC and PIRCH clients are supported).

L0phtCrack v2.52

http://www.l0pht.com/l0phtcrack/

"L0phtCrack is designed to recover passwords for Windows NT. NT does not store the actual passwords on an NT Domain Controller or Workstation. Instead, it stores a cryptographic hash of the passwords. L0phtCrack can take the hashes of passwords and generate the cleartext passwords from them." From the L0phtCrack web site.

Hotfix Control v1.1.3

http://www.jpl.nu/~magnus/hotfixcontrol/

This is a freeware application that allows you to list the hotfixes that are installed (Q numbers) on your system and obtain a description of the purpose and benefit of each fix. To do this, use the Hotfix Control application to select one of the fixes you have installed, then click on "Find KB document." This will connect you to the Microsoft Support Web page and provide details about the selected hotfix.


This document is available from: http://www.cert.org/tech_tips/win-resources.html

CERT/CC Contact Information

Email: cert@cert.org
Phone: +1 412-268-7090 (24-hour hotline)
Fax: +1 412-268-6989
Postal address:
CERT Coordination Center
Software Engineering Institute
Carnegie Mellon University
Pittsburgh PA 15213-3890
U.S.A.

CERT/CC personnel answer the hotline 08:00-17:00 EST(GMT-5) / EDT(GMT-4) Monday through Friday; they are on call for emergencies during other hours, on U.S. holidays, and on weekends.

Using encryption

We strongly urge you to encrypt sensitive information sent by email. Our public PGP key is available from

If you prefer to use DES, please call the CERT hotline for more information.

Getting security information

CERT publications and other security information are available from our web site

* "CERT" and "CERT Coordination Center" are registered in the U.S. Patent and Trademark Office.


NO WARRANTY
Any material furnished by Carnegie Mellon University and the Software Engineering Institute is furnished on an "as is" basis. Carnegie Mellon University makes no warranties of any kind, either expressed or implied as to any matter including, but not limited to, warranty of fitness for a particular purpose or merchantability, exclusivity or results obtained from use of the material. Carnegie Mellon University does not make any warranty of any kind with respect to freedom from patent, trademark, or copyright infringement.


Conditions for use, disclaimers, and sponsorship information

Copyright 2000 Carnegie Mellon University.


Revision History

April 17, 2000: Initial Release
March 20, 2003: Updated links to X-Force
November 12, 2003: Updated links
February 27, 2006: Removed link to module that is no longer on the cert.org site.