MICROSOFT WINDOWS NT 3.51/4.0 SECURITY CHECKLIST


Domain Name______________
Fileserver(s) Location(s)_________________________________________
Fileserver(s) Make/Model Number, Configuration and Peripherals Attached:
__________________________________________________

Ref.  NT SECURITY                                                              YES  NO
1.0   GENERAL CONFIGURATION
1.1   File server partitioned for NTFS only (not FAT)?                         ___  ___
1.2   Console logon not assigned to normal users?                              ___  ___
1.3   Group membership is consistent with Need-to-Know?                        ___  ___
1.4   Only authorized Trust Relationships exist?                               ___  ___
1.5   GUEST accounts are disabled or removed?                                  ___  ___
1.6   The "regedt32.exe" file has been removed or its access restricted?       ___  ___
1.7   Anonymous connections (FTP/TELNET/etc.) prohibited?                      ___  ___
1.8   Services for Macintosh requires the User Authentication Module?          ___  ___
1.9   Only Agency-authorized software is loaded on the server?                 ___  ___
1.10  Current Microsoft Service Packs and relevant Hotfixes installed?         ___  ___
1.11  Is the fileserver used as a Web Server?                                  ___  ___
      If yes, what WWW Server Software? __________________________
1.12  Backups performed on a regular schedule?                                 ___  ___
1.13  Emergency Repair Disk exists and is up-to-date?                          ___  ___
1.14  Unnecessary Services are disabled?                                       ___  ___
1.15  Only the Administrators group has the right to
      "Manage auditing and security logs"?                                     ___  ___
1.16  Only the Administrators group has the right to
      "Take ownership of files or other objects"?                              ___  ___
1.17  "Permit Blank Passwords" in the Minimum Password Length field is
      disabled?                                                                ___  ___
  
2.0   SYSTEM PHYSICAL SECURITY                                                 YES  NO
2.1   Is the fileserver contained in a locked room / repository?               ___  ___
2.2   Is the fileserver protected against accidental or deliberate tampering
      by unauthorized personnel?                                               ___  ___
2.3   Is the fileserver within view of staff?                                  ___  ___
  
3.0   WINDOWS NT ACCOUNT POLICIES                                              YES  NO
3.1   Maximum password age is 90 days?                                         ___  ___
3.2   Minimum password length is at least 6 characters?                        ___  ___
3.3   Password uniqueness: remember 8 passwords?                               ___  ___
3.4   Account lockout after 3 bad logon attempts?                              ___  ___
3.5   Reset count after 30 minutes?                                            ___  ___
3.6   Lockout duration is 30 minutes?                                          ___  ___
3.7   User must log on to change password?                                     ___  ___
3.8   "Everyone" removed from Logon Locally / Shutdown System?
      (Found in User Manager under "User Rights")                              ___  ___
3.9   Hide last logon user name? (See Registry Settings 6.2)                   ___  ___
3.10  An Agency-approved Warning Banner is installed?                          ___  ___
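The six numeric thresholds in items 3.1 to 3.6 can be scored mechanically from the output of `net accounts`, which prints the same policy that User Manager shows under Policies -> Account. The script below is an added example and is not part of the checklist: the two `net accounts` listings are constructed samples, and the reading of each threshold (90 days as an upper bound, 6 characters and 8 remembered passwords as lower bounds, lockout after no more than 3 attempts, 30-minute window and duration as lower bounds) is this example's assumption about the checklist's intent.

```python
"""Added example: score checklist items 3.1 to 3.6 from `net accounts` output.

Run `net accounts > accounts.txt` at the NT command prompt, then pass the file
on the command line. The listings below are constructed, not captured from a server.
"""
import re
import sys

# Constructed sample: a server whose policy satisfies every item (3.1 to 3.6).
SAMPLE_NET_ACCOUNTS = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          90
Minimum password length:                              6
Length of password history maintained:                8
Lockout threshold:                                    3
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
"""

# Constructed sample: a server with the defaults left in place (no expiry, no lockout).
SAMPLE_WEAK = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          Unlimited
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        PRIMARY
"""

# Checklist ref -> (label printed by `net accounts`, minimum, maximum or None).
# These ranges are this example's reading of the checklist, not text from it.
CHECKS = {
    "3.1": ("Maximum password age (days)", 1, 90),
    "3.2": ("Minimum password length", 6, None),
    "3.3": ("Length of password history maintained", 8, None),
    "3.4": ("Lockout threshold", 1, 3),
    "3.5": ("Lockout observation window (minutes)", 30, None),
    "3.6": ("Lockout duration (minutes)", 30, None),
}


def parse_net_accounts(text):
    """Map each `label: value` line to an int, or None for words such as Never/Unlimited/None."""
    values = {}
    for line in text.splitlines():
        label, sep, raw = line.partition(":")
        if not sep:
            continue
        raw = raw.strip()
        values[label.strip()] = int(raw) if re.fullmatch(r"\d+", raw) else None
    return values


def evaluate(text):
    """Return {ref: (passed, observed)}.

    A non-numeric setting (Never, Unlimited, None) never passes: it means the
    control is off, and the item should be confirmed by hand in User Manager."""
    values = parse_net_accounts(text)
    results = {}
    for ref, (label, lo, hi) in CHECKS.items():
        v = values.get(label)
        passed = v is not None and v >= lo and (hi is None or v <= hi)
        results[ref] = (passed, v)
    return results


def report(text):
    """Render the YES/NO column of the checklist for items 3.1 to 3.6."""
    return ["%-4s %-3s observed=%s" % (ref, "YES" if ok else "NO", v)
            for ref, (ok, v) in evaluate(text).items()]


if __name__ == "__main__":
    source = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NET_ACCOUNTS
    print("\n".join(report(source)))
```

Running it with no argument scores the compliant sample; `python check_accounts.py accounts.txt` scores a real capture. Item 3.7 (user must log on to change password) and 3.8 to 3.10 are not in `net accounts` output and still need to be checked in User Manager.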
  
4.0   ACCOUNT AUDITING                                                         YES  NO
4.1   Auditing is enabled for Logon and Logoff (Success and Failure)?          ___  ___
4.2   Auditing is enabled for Security Policy Changes (Success and Failure)?   ___  ___
  
5.0   REMOTE ACCESS CONFIGURATION                                              YES  NO
5.1   No servers are identified in "Remote Access Services" (RAS)?             ___  ___
5.2   If running RAS, is "Require Microsoft encrypted authentication"
      selected? Also, is the "Grant dial-in permissions to user" checkbox
      selected only for users requiring remote dial-in access?                 ___  ___
5.3   Default passwords for remote software removed/changed?                   ___  ___
  
6.0   REGISTRY SETTINGS                                                        YES  NO
6.1   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AutoAdminLogon
                                                                               ___  ___
6.2   HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName
                                                                               ___  ___
6.3   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\FullPrivilegeAuditing
                                                                               ___  ___
6.4   HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg\Description
      Data Type: REG_SZ   Data: Registry Server *                              ___  ___

* You must check Security/Permissions and ensure only authorized users are included in the ACL.
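Items 6.1 to 6.3 are plain values and item 6.4 is the presence of the Winreg key, so they can be scored from a REGEDIT4 export of the three keys (regedit.exe, Registry -> Export Registry File). The script below is an added example, not part of the checklist or of any Microsoft tool: the export is a constructed sample, and the expected values (AutoAdminLogon absent or "0", DontDisplayLastUserName "1", FullPrivilegeAuditing 01, Winreg\Description present) are this example's assumptions about what the checklist wants. The Winreg ACL is not included in a .reg export, so 6.4 is always reported as a manual check, matching the footnote above.

```python
"""Added example: score registry items 6.1 to 6.4 from a REGEDIT4 export.

Usage: python check_registry.py exported.reg   (no argument scores the sample)
The export below is constructed, not captured from a real machine.
"""
import re
import sys

SAMPLE_REG = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DefaultUserName"="Administrator"
"AutoAdminLogon"="0"
"DontDisplayLastUserName"="1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"FullPrivilegeAuditing"=hex:01

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg]
"Description"="Registry Server"
"""

WINLOGON = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"
WINREG = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg"

# "Name"=... or @=... (the key's default value)
VALUE_LINE = re.compile(r'^(?:"((?:[^"\\]|\\.)*)"|@)=(.*)$')


def parse_regedit4(text):
    """Return {key_path: {value_name: (type, value)}}, names lower-cased because
    registry paths and value names are case-insensitive.
    Handles the REG_SZ, dword: and hex: forms; other types are skipped."""
    text = re.sub(r",\\\r?\n\s*", ",", text)   # join hex: values continued with a trailing backslash
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m is None or current is None:
            continue
        name = (m.group(1) or "").lower()      # "@" (default value) becomes ""
        raw = m.group(2)
        if raw.startswith('"') and raw.endswith('"'):
            s = raw[1:-1].replace('\\"', '"').replace("\\\\", "\\")
            keys[current][name] = ("REG_SZ", s)
        elif raw.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(raw[6:], 16))
        elif raw.startswith("hex:"):
            keys[current][name] = ("REG_BINARY", bytes(int(b, 16) for b in raw[4:].split(",") if b))
    return keys


def lookup(keys, path, name):
    """Case-insensitive fetch of (type, value), or None if the key or value is absent."""
    return keys.get(path.lower(), {}).get(name.lower())


def check(keys):
    """Return {ref: (status, detail)}, status being YES, NO or MANUAL."""
    results = {}
    v = lookup(keys, WINLOGON, "AutoAdminLogon")
    ok = v is None or v[1] in ("0", 0)             # absent or "0": automatic logon is off
    results["6.1"] = ("YES" if ok else "NO", "AutoAdminLogon=%r" % (v,))
    v = lookup(keys, WINLOGON, "DontDisplayLastUserName")
    ok = v is not None and v[1] in ("1", 1)        # "1": last user name hidden (item 3.9)
    results["6.2"] = ("YES" if ok else "NO", "DontDisplayLastUserName=%r" % (v,))
    v = lookup(keys, LSA, "FullPrivilegeAuditing")
    ok = v is not None and v[1] in (b"\x01", 1)    # REG_BINARY 01 (or a dword 1)
    results["6.3"] = ("YES" if ok else "NO", "FullPrivilegeAuditing=%r" % (v,))
    v = lookup(keys, WINREG, "Description")
    present = v == ("REG_SZ", "Registry Server")
    results["6.4"] = ("MANUAL" if present else "NO",
                      "Winreg key present; check its ACL in regedt32 Security/Permissions"
                      if present else "Winreg key or Description value missing")
    return results


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_REG
    for ref, (status, detail) in check(parse_regedit4(text)).items():
        print(ref, status, detail)
```

The parser lower-cases key paths and value names before comparing, so the "Winreg" spelling in the checklist and the "winreg" spelling in an export match. A NO on 6.1 with AutoAdminLogon set to "1" deserves attention beyond the checklist line itself, because automatic logon keeps the account's password in the same Winlogon key in clear text.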
  
NOTE: Given the network-centric nature of Windows NT 4.0, the similarity of program code between the Server and Workstation products, and known default vulnerabilities in the "out of the box" configurations, it is advised that many of these checklist items be applied to office workstations. It is strongly suggested that the "Server" service be disabled from all NT Workstations in the office. Further, removing the "Everyone" group from the "Access this computer over the network" in the Workstation's User Manager will further secure the individual PCs in your office's NT environment.
Ref.  JUSTIFICATION FOR DEVIATIONS
____  ______________________________________________________________________
____  ______________________________________________________________________
____  ______________________________________________________________________
____  ______________________________________________________________________

System Administrator Signature: __________________________________  Date: ___________