General Notes for Windows Systems
The following notes are taken from section 3.1 of the (English-language) Intrusion Detection FAQ by Robert Graham. The technical details are written for Windows NT, but the advice applies analogously to all newer Windows systems.
- Install the latest service packs and "hot fixes".
- INSTALLATION: Use NTFS instead of FAT. NTFS allows permissions to be set on a per-file/per-directory basis. NTFS also allows auditing on a per-file/per-directory basis. Note that many people recommend using FAT as the boot drive and NTFS for all other drives (due to the ease-of-use in using DOS to fix things on a FAT drive). However, using NTFS for all drives is definitely more secure.
- USRMGR: Rename the "administrator" account. A common attack is to use a Dictionary or brute force attack on the "administrator" account. Normal accounts can be configured to automatically (and temporarily) "lock out" after a few failed password attempts. However, this feature isn't possible for the administrator account because this allows a denial of service attack (i.e. prevent administration of the machine by locking out the administrator account).
- USRMGR: Create a new account named "administrator" for detecting intrusion attempts.
- USRMGR: Disable the "guest" account. You may also want to rename this account (much like "administrator"). Once you've renamed the "guest" account, you may want to create a new account named "guest" for detecting hacking attempts.
- NTFS: Disable "write" access for "Everyone" on the <tt>%systemroot%/system32</tt> directory.
- REGEDT32: Turn on auditing for "HKEY_LOCAL_MACHINE\Security" in order to detect remote registry browsing.
- INSTALLATION: Do not install in "C:\WINNT" directory. Sometimes intruders will be able to access files if they know the filename; installing in some other directory prevents a priori knowledge. Better yet, install in C:\WINNT, then reinstall in some other directory, then turn auditing on within that directory to alert you to people accessing those older files.
- INSTALLATION: Use the boot partition only for booting and for system files. Put data and applications on a separate partition. It is also a good idea to separate applications from data.
- CONTROLPANEL: Enable "Password Protected" on the screensaver. The best screensaver is "Blank Screen". You would think that screensavers run at idle priority, but this isn't always the case, so you can increase the performance of your server by using "Blank Screen". Also, this will reduce power consumption in monitors, especially those that can detect a blank screen and turn themselves off. Finally, some screensavers (e.g. PointCast) are probably hackable.
- REGEDT32: Turn off automatic sharing of ADMIN$, C$, D$, etc. via the "AutoShare" parameter in the registry. This parameter is under "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters", and is "AutoShareServer" for WinNT Server or "AutoShareWks" for WinNT Workstation. This is a DWORD, with a value of '1' for enabled (default), or a value of '0' for disabled. You will have to add the value yourself because it doesn't already exist in the registry.
- REGEDT32: Turn off disclosure of account/share information via anonymous access. Add a "RestrictAnonymous" DWORD with a value of "1" to the registry key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA". Note that if you see the error "Could not find domain controller for this domain." while setting domain trust relationships, you may have to change it back.
- USRMGR: If you are using Domains (rather than Workgroups), change the user right "Access this computer from the network" to "Authenticated Users" rather than "Everyone". This disables remote access via local accounts on your machine, and allows only access through domain accounts.
- PASSPROP: Enable lockout of the "administrator" account for remote access. This enables the situation where the remote intruder fails to guess the correct password after three tries. After lock-out, the administrator can only log in locally at the system console. You can also disable remote administrator access completely in USRMGR by removing the right "Access this computer from the network" from "Administrators", but this disables all remote administration, which makes administration too difficult in a large WinNT environment.
- Also consider physical intrusion prevention network wide.
- John Kozubik suggests using login scripts to force the built-in password protected screen-saver.
REGEDIT4

; The REGEDIT4 header must be followed by a blank line, and backslashes inside
; quoted string values must be doubled, otherwise the .reg file is rejected or
; the path is mangled on import.
[HKEY_CURRENT_USER\Control Panel\Desktop]
"ScreenSaveTimeOut"="1800"
"ScreenSaveActive"="1"
"SCRNSAVE.EXE"="c:\\winnt\\system32\\logon.scr"
"ScreenSaverIsSecure"="1"
This will trigger the password prompt to appear 30 minutes (ScreenSaveTimeOut is in seconds) after a user is away from the desktop (it doesn't log them out; it just forces them to re-enter the password before they have access again).
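As an added audit script (not part of Graham's FAQ or this page), the following PowerShell reports whether the registry values and built-in accounts named above are configured as recommended. It assumes Windows 10 / Server 2016 or later, PowerShell 5.1 or newer, an elevated prompt, and that the HKCU checks should apply to the user running it; the check labels and output format are my own.

```powershell
# Added example: audit the hardening points from the list above.
# Only the AutoShare* value matching the installed edition matters (Server vs.
# Workstation); the other one is expected to be reported as MISSING.
$checks = @(
    @{ Name = 'AutoShareServer = 0 (no ADMIN$/C$ on Server)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'AutoShareServer'; Expected = 0 },
    @{ Name = 'AutoShareWks = 0 (no ADMIN$/C$ on Workstation)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Value = 'AutoShareWks'; Expected = 0 },
    @{ Name = 'RestrictAnonymous = 1 (no anonymous enumeration)'
       Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Value = 'RestrictAnonymous'; Expected = 1 },
    @{ Name = 'ScreenSaveActive = 1'
       Path = 'HKCU:\Control Panel\Desktop'; Value = 'ScreenSaveActive'; Expected = '1' },
    @{ Name = 'ScreenSaverIsSecure = 1 (password on resume)'
       Path = 'HKCU:\Control Panel\Desktop'; Value = 'ScreenSaverIsSecure'; Expected = '1' }
)

foreach ($c in $checks) {
    # A value that does not exist comes back as $null. For AutoShare* and
    # RestrictAnonymous that means the insecure default applies, so it is
    # reported explicitly rather than treated as OK.
    $item   = Get-ItemProperty -Path $c.Path -Name $c.Value -ErrorAction SilentlyContinue
    $actual = if ($null -ne $item) { $item.($c.Value) } else { $null }
    if ($null -eq $actual) { $state = 'MISSING (default applies)' }
    elseif ("$actual" -eq "$($c.Expected)") { $state = 'OK' }
    else { $state = "WEAK (value is $actual)" }
    '{0,-55} {1}' -f $c.Name, $state
}

# Built-in accounts are located by RID (500 = Administrator, 501 = Guest), so
# the check still works after the accounts have been renamed as recommended.
foreach ($u in Get-LocalUser) {
    $rid = ($u.SID.Value -split '-')[-1]
    if ($rid -eq '500' -and $u.Name -eq 'Administrator') {
        '{0,-55} {1}' -f 'Built-in administrator (RID 500)', 'WEAK (still named Administrator)'
    }
    if ($rid -eq '501') {
        $guestState = if ($u.Enabled) { 'WEAK (enabled)' } else { 'OK (disabled)' }
        '{0,-55} {1}' -f "Built-in guest (RID 501, '$($u.Name)')", $guestState
    }
}
```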
