
10.3 Security Tweaks

A surprising number of Windows 2000 and NT's security features are only accessible through Registry tweaks. For the most part, these adjustments add to your system's security; except as noted, you are not adding extra risk by not making the changes discussed here. You should carefully note the security suggestions included in Chapter 9. They reflect changes you should make to preserve system security, while the items in this section are optional.

10.3.1 Clear the System Pagefile at Shutdown

The U.S. Government (actually the National Computer Security Center) has established a rating system for configurations of computer operating systems. This rating system, set forth in a document called the Orange Book, rates how secure operating systems are. To earn a particular rating, there are certain features an OS must implement. One of these features is object reuse. Simply put, object reuse just means that objects (including disk blocks, memory, and other shared resources) are cleared out after use. This prevents any leakage of confidential data.

While Windows 2000 and NT can be made compliant, as shipped neither OS clears inactive pages in the virtual memory's pagefile. A couple of publicized attacks[1] rely on the fact that the system's pagefile is left intact when the system shuts down; it can then be scanned for useful data. To prevent this, add a REG_DWORD value named ClearPageFileAtShutdown beneath HKLM\System\CurrentControlSet\Control\Session Manager\Memory Management and set it to 1; this forces the system to zero out the contents of the pagefile at system shutdown. Be forewarned that making this change increases your system shutdown time in direct proportion to the size of your pagefile.

[1] The attacks depend on application bugs; a well-written application won't leave any sensitive data in virtual memory, but a well-written OS won't expose it either.

10.3.2 Prevent Caching of Logon Credentials

By default, Windows 2000 and NT workstations cache the last 10 sets of logon credentials received from a domain controller. This reduces the number of times a workstation has to contact a domain controller for verification of a logon request, and it often makes it possible to log on to a domain even when the domain controller isn't available on the network. If you want to prevent these credentials from being cached, as you might if you're running a high-security network, add a REG_SZ value named CachedLogonsCount beneath the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon key. Set its value to 0 to prevent any caching, or to the number of cached credential sets you're willing to allow.

10.3.3 Turn Off "Save Password" Option in Dial-Up Networking

The Dial-Up Networking (DUN) subsystem of Windows 2000 and NT lets you maintain a separate username and password for every entry in the Phonebook. You can also use the "Save this password" checkbox, which appears in the RAS Logon dialog; when you do, the system stores that account's password in the Registry. This is pretty insecure, especially when the machine using DUN is a laptop; if it's stolen, the thief has automatic access to your dial-up connection if the password's been saved.

You can force DUN not to store passwords by adding the REG_DWORD value DisableSavePassword to HKLM\SYSTEM\CurrentControlSet\Services\RasMan\Parameters. If you set its value to 1, DUN won't display the "Save password" checkbox, and it forgets any passwords it has previously stored. This setting's a good candidate for inclusion in a policy template; that allows you to enforce the security setting you want applied.

10.3.4 Prevent Users from Changing Network Drive Mappings

Once you establish a set of drive mappings for your users (either as part of a logon script, a profile, or a persistent connection), you can protect them from changes by changing the permissions on HKCU\Network, and its subkeys, to remove the Delete and Create Subkey permissions. If you do this, users can still add or delete network connections, but the changes won't persist after they log out.

Do not remove the users' Set Value or Read access; if you do, connections won't be reestablished when that user logs on again.

10.3.5 Control Who Can See Performance Monitor Data

The Performance Monitor for Windows 2000/NT is a nice addition to the system's basic toolset; it allows you to quickly gather and analyze performance data for local and remote machines. If you're like most network administrators or managers, though, you'd probably prefer that your servers' performance data be kept away from other network users, since there's no good reason for ordinary users to be monitoring a server's performance.

The permissions on the HKLM\Software\Microsoft\Windows NT\CurrentVersion\Perflib key control who may read a machine's performance data. By default, an ordinary NT 4.0 installation has Everyone:Read permission on this key, though Windows 2000 defaults are less permissive. I suggest using RegEdt32 to tighten permissions on the Perflib key: let Administrators have Full Control and remove Everyone altogether. If you want any user who's actually logged into the machine to have access, you can add Interactive Users:Read; doing so keeps network users from seeing the performance data while still allowing interactive users to monitor the machine if they need to do so.

10.3.6 Control Which Drives Are Visible Throughout the System

If you need to, you can hide drives on a machine so they don't appear in My Computer, Explorer, or the open and save dialog boxes. You might do this (in conjunction with other access control measures like the "run only allowed applications" policy setting) to keep users from damaging their Windows 2000 or NT installations or installing unapproved software. Hide the drives you don't want users to tamper with and they won't see them. (Actually, hidden drives are accessible through the File Manager and the Windows 2000 and NT command prompts. Solution? Turn those off with a policy.) This hiding occurs on a per-user basis, too, so you have fairly fine control over which volumes users can see.

The value that controls drive hiding is actually a bit mask. HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer\NODRIVES is a REG_DWORD, which makes it 32 bits long. Since the system can map only 26 drives (A: through Z:), this mapping works out nicely. The upper six bits of the value are ignored; the remaining 26 bits map to each drive letter, with A: in the right-most position and Z: in the left-most, like this:

bit 25                                             bit 0
 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0 0
 Z Y X W V U T S R Q P O N M L K J I H G F E D C B A

To turn off drives A, B, C, and D, you end up with a mask value of "00000000000000000000001111"; to turn off all drives, just use all 1 bits in the mask. RegEdt32 makes it easy to add new DWORD values as bitmasks or to edit existing values as binary strings (see Chapter 5, if you need more details), so adding this restriction is easy to do. There's one caveat: if your drive letters change--perhaps because you've added a new disk or removed an old one--your NODRIVES values are shifted, and you may suddenly lose sight of a drive you wanted to keep visible.
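The following is an added example, not code from the book: it builds the NODRIVES bitmask from a list of drive letters, decodes an existing value back into letters, and walks through the caveat above, where a removed disk shifts the drive letters and the mask ends up hiding a different volume than the one you meant. The volume layout (`system`, `old-disk`, `data`) is constructed for the illustration.

```python
# Added example, not code from the book: build and decode the NODRIVES bitmask
# from section 10.3.6 and show the drive-letter-shift caveat the text warns about.
# Bit 0 is A:, bit 25 is Z:; bits 26..31 are ignored by the system.
import string

DRIVE_LETTERS = string.ascii_uppercase
LOW26 = (1 << 26) - 1   # mask of the 26 meaningful bits (hides every drive)

def nodrives_mask(letters):
    """Return the REG_DWORD value that hides the given drives ("D", "d:", ...)."""
    mask = 0
    for letter in letters:
        letter = letter.upper().rstrip(":")
        if letter not in DRIVE_LETTERS:
            raise ValueError(f"not a drive letter: {letter!r}")
        mask |= 1 << (ord(letter) - ord("A"))
    return mask

def hidden_letters(mask):
    """Decode a NODRIVES value into the hidden drive letters, A: first."""
    return [DRIVE_LETTERS[i] for i in range(26) if (mask >> i) & 1]

def as_binary(mask):
    """The 26-bit binary string as RegEdt32 shows it: Z: leftmost, A: rightmost."""
    return format(mask & LOW26, "026b")

def hidden_volumes(mask, assignment):
    """Given {letter: volume label}, return which volumes the mask currently hides.
    NODRIVES knows only letters, so if the letters move, so does the hiding."""
    hidden = set(hidden_letters(mask))
    return sorted(label for letter, label in assignment.items() if letter.upper() in hidden)

if __name__ == "__main__":
    mask = nodrives_mask(["A", "B", "C", "D"])
    print(hex(mask), as_binary(mask))      # 0xf 00000000000000000000001111

    # The caveat: hide the data volume on E:, then remove the old disk on D:.
    # The system reassigns the data volume to D:, and the mask still says "hide E:".
    hide_data = nodrives_mask(["E"])
    before = {"C": "system", "D": "old-disk", "E": "data"}   # constructed layout
    after = {"C": "system", "D": "data"}                      # after old-disk is removed
    print(hidden_volumes(hide_data, before))   # ['data']
    print(hidden_volumes(hide_data, after))    # [] (data is visible again)
```

`nodrives_mask(DRIVE_LETTERS)` gives 0x3FFFFFF, the all-ones value the text mentions for hiding every drive. Remember that, as the text notes, the mask only affects what Explorer and the common dialogs display; it is not an access control.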

10.3.7 Change When the Password Expiration Warning Appears

A good password policy is one of the cornerstones of network security. You start by making users pick good passwords,[2] then follow up by setting a password aging policy that forces users to change their passwords at reasonable intervals.[3] Windows 2000 and NT helpfully warns users that their password is going to expire two weeks, or 14 days, in advance. Since most users won't change their passwords when the first warning appears (most, in fact, won't change until their password finally does expire), why torture them with two weeks' worth of warnings?

[2] There's an excellent discussion of what makes a password good or bad in O'Reilly's Windows NT User Administration by Meggitt and Ritchey.

[3] You do this with the User Manager under NT or with Active Directory Users and Computers under Windows 2000.

Instead, add a REG_DWORD value named PasswordExpiryWarning to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon. Set its value to the number of days in advance (up to 14) at which you want the expiration warnings to start; I recommend between three and seven days.

10.3.8 Allow Members of the Printer Operators Group to Add Printers

Both Windows 2000 and NT 4.0 include a number of built-in groups that allow you to assign limited administration privileges to people who need them. The Server Operators, Print Operators, and Backup Operators groups allow a network administrator to grant greater-than-normal rights to these operators without making them members of the Administrators group.

Print Operators can stop and restart the print spooler, route print jobs, and perform other printer-related administrative functions. However, they cannot add or modify printer ports, meaning that you can't delegate that responsibility to the people who should most likely have it. You may reverse this unhappy state of affairs by changing the permissions on a single Registry key. Here's what to do:

  1. Open RegEdt32 and select HKLM\SYSTEM\CurrentControlSet\Control\Print\Monitors.

  2. Use the Security → Permissions... command to display the Registry Key Permissions dialog.

  3. Click the Add button; when the Add Users and Groups dialog appears, select the Print Operators group and give them Full Control access. Click OK; the Registry Key Permissions dialog reappears with the new permissions.

  4. Stop and restart the Spooler service using the net stop spooler and net start spooler commands from a command window.

10.3.9 Set the Number of Authentication Retries for Dial-Up Connections

You may adjust the number of authentication attempts DUN allows before it decides the remote user is bogus and hangs up the phone. By default, DUN allows two unsuccessful retries; you can adjust this value from zero to 10 by editing the HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters\AuthenticateRetries value. A value of zero tells DUN to hang up at the first failure, which may be too restrictive for users who must type in passwords manually; I set the value to 1 so that users can make one mistake before they have to start over again.

10.3.10 Keep Users from Changing Video Resolutions

Being able to change screen resolution and color depth on the fly is a terrific Windows 2000 and NT feature, until your users start changing settings when you don't want them to. You can prevent this by changing the permissions on the settings key for the video card. The exact location of this key varies depending on the number and type of video cards installed in a particular computer; it also varies between machines that have different video card types.

The key to change permissions on is at HKLM\System\CurrentControlSet\Hardware Profiles\Current\System\CurrentControlSet\Services\devicename\DeviceX where devicename is the name of your video adapter driver (mine is "S3," but you should be able to deduce the right value for your computers depending on what type of card you have). The proper value for DeviceX varies too, but if you only have one video card it's always "Device0."

10.3.11 Set the Authentication Timeout for Dial-Up Connections

In addition to setting the number of authentication retries you'll allow, you can also specify how long each attempt takes before the system counts it as a failed attempt. By default, DUN allows connecting users 120 seconds to either authenticate successfully or have their attempt deemed a failure. Edit the value HKLM\System\CurrentControlSet\Services\RemoteAccess\Parameters\AuthenticateTime to adjust the timeout period; you can set any value you like from 20 seconds all the way up to 10 minutes (or 600 seconds; the value must be specified in seconds).

10.3.12 Keep Remote Users from Sharing a Mounted CD-ROM or Floppy

By default, the system automatically creates an administrative share for every disk or CD-ROM volume. This share, which is named by the drive letter plus a dollar sign, is invisible, so it doesn't appear in Network Neighborhood, but a savvy user can find it anyway. There may be times when you don't want anyone but the locally logged-in user to access a CD-ROM; for example, many reference CD-ROMs have strict licensing limits that promise big trouble if you share the CD-ROM across the network.

Remember the brief discussion about object reuse? It applies to other shared resources, too, including CD-ROMs and floppies. In its quest to gain C2 security certification for NT, Microsoft added two Registry keys that cause the CD-ROM and floppy drives to be allocated to the currently logged-in user. When this allocation occurs, other users can't access the drives or the media in them; when no one's logged in, the drives are unallocated and may be shared. These NT settings made it into the Windows 2000 Registry.

Two values under HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon implement these settings: AllocateFloppies and AllocateCDRoms. Both are of type REG_SZ. To force allocation of either device type during logon, set the appropriate value to 1; to turn allocation off, set it to 0.
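As an added example (not code from the book), the script below writes a REGEDIT4-format .reg file for the optional values from sections 10.3.1, 10.3.2, 10.3.3, 10.3.7, 10.3.9, 10.3.11 and 10.3.12, so the whole set can be reviewed and imported at once rather than typed into RegEdt32 one value at a time. The key paths, value names and types are those given in the text; the range checks use the limits stated there (for CachedLogonsCount the text gives no upper limit, so none is enforced). The sample profile in the `__main__` block is a constructed choice of values, not a recommendation from the book beyond what the text already suggests.

```python
# Added example, not code from the book: emit a REGEDIT4 .reg file for the
# optional values in sections 10.3.1, 10.3.2, 10.3.3, 10.3.7, 10.3.9, 10.3.11
# and 10.3.12, refusing any value outside the range the text gives.
# Key paths, value names and types come from those sections; a maximum of
# None means the text states no upper limit.

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
RAS = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters"
MEMMGMT = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management"
RASMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan\Parameters"

# value name -> (key, registry type, minimum, maximum)
SETTINGS = {
    "ClearPageFileAtShutdown": (MEMMGMT, "dword", 0, 1),
    "CachedLogonsCount": (WINLOGON, "sz", 0, None),   # 0 disables caching
    "PasswordExpiryWarning": (WINLOGON, "dword", 0, 14),  # days before expiry
    "AllocateFloppies": (WINLOGON, "sz", 0, 1),
    "AllocateCDRoms": (WINLOGON, "sz", 0, 1),
    "DisableSavePassword": (RASMAN, "dword", 0, 1),
    "AuthenticateRetries": (RAS, "dword", 0, 10),
    "AuthenticateTime": (RAS, "dword", 20, 600),       # seconds
}

def reg_value(name, value):
    """Return one .reg line for a setting, or raise ValueError if out of range."""
    key, kind, lo, hi = SETTINGS[name]
    value = int(value)
    if value < lo or (hi is not None and value > hi):
        raise ValueError(f"{name}={value} is outside the allowed range {lo}..{hi}")
    if kind == "dword":
        return f'"{name}"=dword:{value:08x}'   # REG_DWORD is written as 8 hex digits
    return f'"{name}"="{value}"'               # REG_SZ is written as a quoted string

def build_reg(chosen):
    """Group the chosen {name: value} pairs under their keys and return the .reg text."""
    by_key = {}
    for name, value in chosen.items():
        by_key.setdefault(SETTINGS[name][0], []).append(reg_value(name, value))
    out = ["REGEDIT4", ""]
    for key, lines in by_key.items():
        out.append(f"[{key}]")
        out.extend(lines)
        out.append("")
    return "\n".join(out)

if __name__ == "__main__":
    # Constructed profile for a laptop, using values the text discusses.
    print(build_reg({
        "ClearPageFileAtShutdown": 1,
        "CachedLogonsCount": 0,
        "DisableSavePassword": 1,
        "PasswordExpiryWarning": 5,
        "AuthenticateRetries": 1,
        "AuthenticateTime": 60,
        "AllocateCDRoms": 1,
    }))
```

Redirect the output to a file with a .reg extension and import it with RegEdit (or push it out through your usual policy or logon-script mechanism). Because every value passes through `reg_value`, a typo such as a 10-second AuthenticateTime or a 15-day PasswordExpiryWarning is rejected before it reaches the Registry.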

10.3.13 Keep Users from Customizing "My Computer"

There's no policy setting that prevents users from changing the name or icon of the My Computer icon on the desktop. If you've ever had to administer a lab full of computers, you've probably had at least one incidence of finding a machine's My Computer icon renamed to "Beavis & Butthead" or something even worse. To nip these changes in the bud, change the access permissions on HKLM\Software\Classes\CLSID\20D04FE0-3AEA-1069-08002B30309D.

Remove the Everyone group from this key and add the Users group with Read access.
