IT Baseline Protection Manual - The Information Warfare Site

Safeguard Catalogue - Communications Remarks
____________________________________________________________________ .........................................
S 5.40 Secure integration of DOS-PCs to a Windows
NT network
Initiation responsibility: Head of IT section, IT security management,
Administrator
Implementation responsibility: Administrator, IT users
DOS-PCs can be integrated into Windows NT networks in different ways, for
example via TCP/IP or the Peer-to-Peer functions of Windows for
Workgroups. In contrast to Windows NT systems, DOS-PCs contain less
security mechanisms. Everyone with access to a PC can administrate it, thus
being able, for example, to change settings or install software.
By installing the appropriate software, a networked PC can be used to
eavesdrop the network. Therefore only authorised users may have access to a
PC (see also S 1.23 Locked doors and S 2.6 Granting of site access
authorisations). Furthermore, it must be ensured that software is not installed
without supervision; this should regularly be checked. (see also S 2.9 Ban on
using non-approved software and S 2.10 Survey of the software held).
In addition, it is easily possible by changing the configuration of a PC, to fake
any computer ID and thus carry out a masquerade.
Computer viruses occur mainly on DOS PC’s. When PC’s are networked with
Windows NT systems, viruses can spread by infected programmes passing
from PC to PC. Therefore, the same safeguards must be implemeted here as
for the exchange of programmes via data-media or Remote Data Transfer (see
also S 4.3 Periodic runs of a virus-detection programme). File-viruses only
pose a threat if they are in a position to change executable files under
Windows NT in such a way that they can still be executed. However, under
certain conditions computer-viruses that threaten to change the boot sector of
Intel-based systems such as PCs, can also pose a threat to Windows NT
systems on an Intel platform by leaving them in a non-bootable state. This can
be avoided by changing the boot sequence (see S 4.3 Periodic runs of a virusdetection
programme).
The largest threat that computer-viruses pose for Windows NT systems are on
PCs that have access to shared directories on the Windows NT system.
Computer-Viruses that change or delete files or directories on a PC can also
access shared directories of a Windows NT system and destroy them.
Therefore, access rights for directories shared for network access should be
restrictively provided. In particular, only read access should be provided for
shared directories wherever possible.
Generally, users under Windows NT should restrict the attributes of their files
as much as possible so that, for example, other users cannot gain access to
them or so that no write-access is possible to files that are not regularly
changed. The appropriate settings should be made beforehand via the
functions of access control (see also S 4.53 Restrictive allocation of access
rights to files and directories under Windows NT). With this safeguard all files
stored on the server will have sufficient protection; DOS-PCs cannot by-pass
this protection.
____________________________________________________________________ .........................................
IT-Baseline Protection Manual: Oktober 2000