IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Hardware & Software Remarks
____________________________________________________________________ .........................................
the subsequently created accounts possessing administrator rights, for
example, after these accounts have been blocked due to repeated attempts to
log in with an incorrect password.
It is also advisable to subsequently create a new account named
"Administrator", provide it with a password, deactivate it, and only include it
in the group titled "Guests". No special system rights should be assigned to
this account, as it is only meant to put potential intruders on the wrong track.
Furthermore, the security log should regularly be checked for login attempts
into accounts possessing administrator rights (refer to S 4.54 Logging under
Windows NT).
Special destructive software exists which allows a user who has logged in
locally to add any number of user accounts to the group titled
"Administrators". To prevent this, the hot fix "getadmin-fix" should be
installed on all computers running on Windows NT 4.0 with service pack 3.
This hot fix can be obtained free-of-charge from Microsoft. When service
pack 4 has been installed, it is no longer necessary to install the hot fix
mentioned above.
In addition, to prevent the administrator password from being extracted, the
rights to access the directories %SystemRoot%\SYSTEM32\Config and
%SystemRoot%\SYSTEM32\Repair should be set as recommended in S 4.53
Restrictive allocation of access rights to files and directories under Windows
NT. Start-up diskettes and any existing backup tapes should be stored under
lock and key.
Depending on the degree of protection required by the data processed on
Windows NT Workstations, a decision must be made as to whether the same
password should be used for all local administrator accounts. A general
recommendation cannot be made here. However, if the decision goes in favour
of using the same password for all workstations, it must be noted that an
intruder who is able to crack this password will gain administrative access to
all the corresponding workstations.
The following measures should also be implemented on Windows NT
Servers. The administrator accounts on the various servers should not all be
assigned the same password. Furthermore, remote administration via the
network should be avoided wherever possible. This is achieved by denying the
"Administrators" group the right designated "Access to this computer from the
network". If remote administration is indispensable, for example, due to the
given spatial environment, the resulting possibilities of intrusion should be
minimised. For this purpose, login via the network for user accounts with
administrative rights should only be allowed via Windows NT computers
specified in the account guidelines. If possible, these computers should be
installed in secure areas. It is vital that LAN-manager compatibility is
deactivated on these computers, in order to prevent the passwords of user
accounts with administrative rights from being transmitted through the
network in unencrypted or only poorly-encrypted form. For this purpose, it is
necessary to install the hot fix "lm-fix" if Windows NT 4.0 with service pack 3
is used. If service pack 4 has already been installed on the system, it is not
necessary to install the hot fix. In the registry, however, it is necessary to add
the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\Lsa by
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000