IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
S 4.55 Secure installation of Windows NT
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Before installation of Windows NT, a number of observations should be made
which are briefly outlined below.
Secure system version
Even during the process of acquisition, a decision must be made as to whether
the English or German version of Windows is to be run. Furthermore, to be on
the safe side, Windows NT must be operated from at least version 3.51
onwards, together with the current version of Service Pack4 (also refer to S
4.xx02 Reliable system versions of Windows NT). If an older Windows NT
installation exists, this should, if possible, be updated to version 4 or at least to
version 3.51.
Partitions and file systems
Alongside its own file system NTFS, Windows NT also supports the DOS file
system FAT and the OS/2 file system HPFS. A large part of the settings
relevant to security are, however, only valid under NTFS. when installing
Windows NT, you should ensure that no HPFS or DOS partitions are created,
as no access protection applies to them, with the result that such partitions can
be misused to undermine the protection of Windows NT. Instead, all partitions
must be formatted using the NTFS file system or, if earlier data is to be kept,
they must be converted to this file system.
However, support of the FAT file system for floppy disks is necessary as, due
to its size, the NTFS file system cannot be accommodated on diskettes. For
this reason, access to disk drives should be limited (see S 4.52 Equipment
protection under Windows NT).
Configuration of the log-on procedure
At log-on, Windows NT usually displays the name of the last user who has
logged in on the computer concerned. This display should be prevented by
entering/changing the value "DontDisplayLastUserName" in the key
"SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon" of the
sector HKEY_LOCAL_MACHINE of the registry to the value REG_SZ = "1".
In order to warn unauthorised users against illegal access to the system, before
the actual log-on procedure a window containing an appropriate text should be
displayed. This is achieved by inputting suitable wording into the two entries
"LegalNoticeCaption" and "LegalNoticeText" in the key
"SOFTWARE\Microsoft\Windows NT\Current Version\Winlogon" of the
sector HKEY_LOCAL_MACHINE of the registry.
The relevant changes can be made with the help of Registry Editor (of the
program REGEDT32.EXE in the Windows system directory
%SystemRoot%\SYSTEM32). When doing this particular caution should be
exercised, as incorrect settings in the registry can lead to a situation in which
the system is no longer able to run. From version 4.0 of Windows NT
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000