Windows NT Security Tips


The following are just a few of the registry settings that can be used to increase the security of Windows NT 4.0. Some of the modification files are hyperlinked for your convenience. Please review the registry files provided on this page with a text editor, such as Notepad, before applying them. It is in your best interest to read over some of the literature on Microsoft's web site pertaining to Windows security. Registering for security bulletins is recommended.

  • USE NTFS SECURITY
Use the ACL powers of NTFS to your advantage.
  • Everyone NO ACCESS
Never give the Everyone account NO ACCESS unless you are sure of what you are doing.
  • Legal Notice Popup before Login.
legalnotice.reg (Registry file that will add a default legal notice)
  • Locking Out Admin Account
Type "passprop /adminlockout" at a command prompt. The admin account will only be able to log in at the console.
  • Restrict Anonymous Network Access
restrictanon.reg (Restrict Anonymous Access to NT Local Security Authority Information)
  • Enable Shutdown on Full Audit Log
Crashonauditfail.reg
  • Access this computer from Network
This User Right should be set only to "Authenticated Users". Instructions on how to do this are here.
  • Review Password Restrictions under User Manager
Verify that the password properties are to your liking.
  • Do not allow ports 135-139 on the firewall
Speak to the Firewall Admin about disabling these ports.
  • Enable Challenge Response
Enable Challenge Response with IE or Basic with SSL if using Netscape.
  • Passprop
Enables the administrator account to be locked out after unsuccessful logins.
  • Local Floppy Access ONLY
Create a REG_DWORD value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies with a value of 1
  • Local CD-Rom Access ONLY
Create a REG_DWORD value HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms with a value of 1
  • Disallow Access to Event Viewer
Create a REG_DWORD value “RestrictGuestAccess” with a value of 1 in these two keys:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\Application

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\EventLog\System

 

  • SYSKEY
SYSKEY: Securing the passwords.
  • Restrict Anonymous access to User & Share Names
Create a REG_DWORD value “RestrictAnonymous” with a value of 1 in the key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Download Reg File.

  • C2CONFIG
C2CONFIG
  • Hiding Administrative Shares
Create a REG_DWORD value called AutoShareServer (for DCs) or AutoShareWks, set to a value of 0, in the registry key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters

Download reg file.

  • LANMAN Password Disable
To prevent NT from using LANMAN hashing, create a REG_DWORD value called LMCompatibilityLevel and set it to 2.

Click here for caveats. Download pre-made file. Click Here to understand what other numbers can be used.

  • Disable account caching
In ultra-secure environments, disabling account caching is recommended. Create a REG_SZ value named CachedLogonsCount in the key HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon with a value of 1.

Download reg file.
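To verify that the registry tips above were actually applied, the following added example (not part of the original page or its .reg files) checks a REGEDIT4 export against the values listed on this page. The sample export is constructed, and the baseline assumes a server or DC (AutoShareServer rather than AutoShareWks); LMCompatibilityLevel is left out because the page does not give its key path.

```python
import re
# Expected settings: types and data exactly as the tips on this page state them.
HKLM = "HKEY_LOCAL_MACHINE"
WINLOGON = HKLM + r"\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
SERVICES = HKLM + r"\System\CurrentControlSet\Services"
BASELINE = {
    (WINLOGON, "AllocateFloppies"): ("REG_DWORD", 1),
    (WINLOGON, "AllocateCDRoms"): ("REG_DWORD", 1),
    (WINLOGON, "CachedLogonsCount"): ("REG_SZ", "1"),
    (SERVICES + r"\EventLog\Application", "RestrictGuestAccess"): ("REG_DWORD", 1),
    (SERVICES + r"\EventLog\System", "RestrictGuestAccess"): ("REG_DWORD", 1),
    (HKLM + r"\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous"): ("REG_DWORD", 1),
    # Assumption: a server or DC; use AutoShareWks on a workstation.
    (SERVICES + r"\LanManServer\Parameters", "AutoShareServer"): ("REG_DWORD", 0),
}
VALUE_RE = re.compile(r'^"([^"]+)"=(dword:[0-9a-fA-F]{1,8}|".*")$')

def parse_reg(text):
    """Parse REGEDIT4 export text into {(key, name): (type, data)}, names lowercased."""
    values, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()  # registry paths are case-insensitive
        elif key and (m := VALUE_RE.match(line)):
            values[key, m[1].lower()] = (("REG_SZ", m[2][1:-1]) if m[2][0] == '"'
                                         else ("REG_DWORD", int(m[2][6:], 16)))
    return values

def audit(text):
    """Return (key, name, expected, found) for every setting that is missing or differs."""
    found = parse_reg(text)
    return [(k, n, want, found.get((k.lower(), n.lower())))
            for (k, n), want in BASELINE.items()
            if found.get((k.lower(), n.lower())) != want]

# Constructed sample export for illustration, not taken from a real host.
SAMPLE = r"""REGEDIT4
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AllocateFloppies"=dword:00000001
"CachedLogonsCount"="10"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\System]
"RestrictGuestAccess"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters]
"AutoShareServer"=dword:00000000
"""
if __name__ == "__main__":
    print(*audit(SAMPLE), sep="\n")
```

A finding whose last field is None means the value is absent from the export; any other finding shows the type and data that were found instead of the expected ones.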

