BSP 930 WINDOWS NT SECURITY CHECKLIST

MICROSOFT WINDOWS NT 3.51/4.0 SECURITY CHECKLIST

Domain Name______________

Fileserver(s) Location(s)_________________________________________

Fileserver(s) Make/Model Number, Configuration and Peripherals Attached:

__________________________________________________

Ref.	NT SECURITY
1.0	GENERAL CONFIGURATION	YES	NO
1.1	File server partitioned for NTFS only (not FAT)?
1.2	Console logon not assigned to normal users?
1.3	Group membership is consistent with Need-to-Know
1.4	Only authorized Trust Relationships exist
1.5	GUEST accounts are disabled or removed?
1.6	The "regedt32.exe" file has been removed/access restricted
1.7	Anonymous connections (FTP/TELNET/etc) prohibited?
1.8	Services for Macintosh requires the User Authentication Module?
1.9	Only Agency-authorized software is loaded on the server?
1.10	Current Microsoft Service Packs and Relevant Hotfixes installed?
1.11	Is the fileserver used as a Web Server? If yes, what WWW Server Software? __________________________
1.12	Backups performed on a regular schedule?
1.13	Emergency Repair Disk exists and is up-to-date
1.14	Unnecessary Services are disabled
1.15	Only the Administrators group has rights to Manage auditing and security logs.
1.16	Only the Administrators group has rights to Take ownership of files or other objects.
1.17	Permit Blank Passwords in the Minimum Password Length field is disabled.

2.0	SYSTEM PHYSICAL SECURITY
2.1	Is the fileserver contained in a locked room / repository?
2.2	Is the fileserver protected against inadvertent/ advertent tampering by unauthorized personnel?
2.3	Is the fileserver under visual access by staff?

3.0	WINDOWS NT ACCOUNT POLICIES
3.1	Maximum password age is 90 days?
3.2	Minimum password length is at least 6 characters?
3.3	Password uniqueness: remember 8 passwords?
3.4	Account Lockout after 3 bad logon attempts?
3.5	Reset count after 30 minutes?
3.6	Lock duration: duration 30 minutes
3.7	User must logon to change password?
3.8	"Everyone" removed from Logon Locally/Shutdown System? (Found in the User Manager under "User Rights")
3.9	Hide last login user name (See Registry Settings 6.2)
3.10	Install an Agency approved Warning Banner

4.0	ACCOUNT AUDITING
4.1	Auditing is Enabled For Logon and Logoff (Success and Failure)
4.2	Auditing is Enabled For Security policy changes (Success and Failure)

5.0	REMOTE ACCESS CONFIGURATION
5.1	No servers are identified in "Remote Access Services" (RAS)
5.2	If running RAS, is "Require Microsoft encrypted authentication" selected? Also, is "Grant dial-in permissions to user" checkbox selected only for users requiring remote dial-in access?
5.3	Default passwords for remote software removed/changed?

6.0	REGISTRY SETTINGS
6.1	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ WindowsNT\CurrentVersion\Winlogon\Auto AdminLogon
6.2	HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ WindowsNT\CurrentVersion\Winlogon\ DontDisplay\LastUserName
6.3	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Control\Lsa\FullPrivilegeAuditing
7.4	HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet \Control\SecurePipeServers\Winreg\Description Data Type: REG_SZ: Registry Server * * You must check Security/Permissions and ensure only authorized users are included in the ACL.
NOTE: Given the network-centric nature of Windows NT 4.0, the similarity of program code between the Server and Workstation products, and known default vulnerabilities in the "out of the box" configurations, it is advised that many of these checklist items be applied to office workstations. It is strongly suggested that the "Server" service be disabled from all NT Workstations in the office. Further, removing the "Everyone" group from the "Access this computer over the network" in the Workstation's User Manager will further secure the individual PCs in your office's NT environment.
Ref.	JUSTIFICATION FOR DEVIATIONS





	System Administrator Signature:__________________________________	Date:	___________