IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
Emergency repair disk
At the time of installation, Windows NT offers to produce an emergency
repair disk containing the most important configuration information. Use
should be made of this capability and when changes are made to the system
each disk should be updated (see S 6.42 Creation of emergency repair disks
for Windows NT). It is advisable to carry out the updating of each emergency
repair disk after the next system start-up, if there is a guarantee that the
changed system can still be started.
Pre-defined user accounts
The pre-defined administrator account is a member of the pre-defined
"Administrators" group. It receives the rights and permissions which were
granted to this group. The administrator account is used by the person who
administrates the overall configuration of the workstation or the server. The
administrator has more supervisory capabilities over the Windows NT
computer than any other user. This is why this account especially has to be
protected (see S 4.77 Protection of administrator accounts under Windows
NT). The pre-defined guest user account is a member of the “Guests“ group. It
receives the rights and permissions which were granted to this group. For
example, a user can log on to the guest account, create files and delete them
again and read files for which an administrator grants read permission to
guests. The guest account is set up as a service for users who use the computer
occasionally or only once, so that they can log on and work with a restricted
range of functions. When Windows NT 4.0 is installed, the guest account is
initially locked out, and it is installed using a blank password. The guest
account should, in any event, be given a secure password, and the lockout
should not be cancelled if there are no serious grounds for its use. The predefined
guest account can be renamed but not deleted. It should be renamed
immediately after installation.
The first user account is set up for the first user of a workstation. As it is a
member of the "Administrators" group, the workstation can be administrated
in its entirety with the first user account. The first user account is created
when Windows NT is installed, if the workstation is added to a workgroup or
if it was not configured for network operation. The system invites the input of
a user name and a password. If the computer is added to a domain when
Windows NT is installed, the first user account is not created, because it is
expected that the user will log on using an account from the domain.
Note: If Windows NT sets up a first user account on installation, this should
be used as the account for system management.
Installation in the network
Furthermore, it should be noted that when their network software is
configured, all clients are configured as members of one of the previously
defined domains (and not as members of workgroups). If user accounts are
needed on them, they must always be defined as domain-wide accounts and
not as local accounts, in order to avoid the formation of unclear rights
structures.
To simplify the installation of a relatively large number of clients, scripts
should be defined beforehand enabling the automatic installation and
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000