> http://www.microsoft.com/security/downloads/ITSEC_NT4.0_Installation.EXE

from said document:

"What the user does not see are internal workings, such as the
system-level encryption of their password so that it is never passed over
the wire in clear text."

What they would see is the LanMan hash, the entire keyspace of which can
be brute-forced on an UltraSparc in a few hours with L0phtCrack. (see
http://www.l0pht.com )


"The evaluated configuration for Windows NT 4.0 includes any number of the
Windows NT Server and/or the Windows NT Workstation products, acting in
any one of the following roles, either stand-alone or connected via a
physically protected network:"

Hmm, is the Internet a "physically protected network"?

"Install the Microsoft Windows NT 4.0 Workstation and Server Service
Pack 3."

SP3... hmmm, ok. Here's an example of an install of SP3 quoted from
http://129.105.116.5/fravia/project9.htm :

"What slays me about Microsoft is how badly their software can coexist
with other products, *including their own*.  A classic example is
their aforementioned Proxy Server.  When you set up NT with the Option
Pack and Service Pack 3, it installs Internet Information Server 4.0
by default.  Which is fine, except for one small detail: it *breaks*
Proxy Server.  We had to back IIS 4.0 out of the system and install
IIS 3.0, which has no trouble working with Proxy Server.  AFAIK, there
is still no fix to get Proxy Server working properly with IIS 4.0."

Back to the M$ doc:

"Set to configure the system to shutdown when the security log gets full"

???? what?!?!?!?  Go figure, that's an interesting interpretation of
mission critical.

"Protect access to the boot partition...  This is needed for architectures
that require a non NTFS boot partition. Setting this key ensures that only
Administrators may change data on this partition. Adding this value for
other architectures has no side effects. Note that none of the
architectures in the current evaluated configuration [ST] require the use
of this key and therefore its effectiveness has not been assessed as part
of the evaluation"

Yet earlier in the .doc it is stated "All hard-disk partitions must be
formatted with NTFS" as a precondition of ITSEC FC2-E3 certification. That
said, I can empathize with them; it is SO frustrating to install NTFS as
the boot sector on those pesky SCSI drives. After all, it starts out its
life as FAT and is automagically transformed, in one of the many reboots of
the install process, to NTFS. Though more times than not ntldr just
dies after this operation and one has to start all over again.

"(Optional) Install applications (such as Microsoft Office 97) as
required."

Yes, don't forget to install the GUID stuff, as well as other sys-level
stuff that will, most probably, undo many of the carefully implemented
registry settings you have just made. Back to start, do not pass go...

"Warning:
The installation of any program or application which is in addition to
Microsoft Windows NT 4.0 is not covered by the ITSEC evaluation
configuration as stated in the security target for Microsoft Windows NT
4.0. The installation of any applications is entirely optional and at your
own risk."

Ok, so you have a secure NT system that has no apps. Now go back to the
computers that actually run your business, with the apps that you use to
run your business, and rest assured no one will break into your NT server;
there's nothing there!




-
[To unsubscribe, send mail to [EMAIL PROTECTED] with
"unsubscribe firewalls" in the body of the message.]
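The LanMan point the post makes rests on how the LM hash is built, not on any weakness in DES itself. The following is an added illustration (not part of the post above, and not Microsoft's or L0pht's code) of that preprocessing: the password is uppercased, truncated or zero-padded to 14 bytes, and split into two 7-byte halves that each become an independent DES key, so the search is over two 7-character spaces rather than one 14-character space. DES is deliberately not implemented here; the code stops at the DES key-schedule input. It assumes ASCII (real LM uses the OEM code page) and a 68-symbol search alphabet chosen for the keyspace comparison; both are assumptions, not figures from the post.

```python
import string

# Assumed search alphabet for the keyspace comparison: uppercase letters,
# digits and ASCII punctuation (68 symbols). LM uppercases everything, so
# lowercase letters never enlarge the space.
LM_CHARSET = string.ascii_uppercase + string.digits + string.punctuation

# Well-known DES encryption of the LM magic constant "KGS!@#$%" under an
# all-zero 7-byte key, i.e. the hash of an empty half. A second half equal
# to this reveals that the password is 7 characters or fewer.
LM_EMPTY_HALF = "AAD3B435B51404EE"


def lm_key_halves(password: str) -> tuple[bytes, bytes]:
    """Return the two 7-byte DES key inputs LM derives from a password.

    ASCII is used here as an assumption; real LM converts to the OEM code
    page before uppercasing."""
    pw = password.upper().encode("ascii", errors="replace")[:14]
    pw = pw.ljust(14, b"\x00")          # zero-pad short passwords
    return pw[:7], pw[7:]


def expand_des_key(seven: bytes) -> bytes:
    """Spread 56 key bits over 8 bytes, low bit of each byte = odd parity.

    This is the standard DES key layout; the parity bits carry no secret,
    which is why each half is a 56-bit (not 64-bit) key."""
    if len(seven) != 7:
        raise ValueError("DES key material must be exactly 7 bytes")
    bits = int.from_bytes(seven, "big")
    out = bytearray()
    for i in range(8):
        chunk = (bits >> (49 - 7 * i)) & 0x7F   # next 7 key bits
        byte = chunk << 1
        if bin(chunk).count("1") % 2 == 0:      # make total bit count odd
            byte |= 1
        out.append(byte)
    return bytes(out)


def second_half_empty(lm_hash_hex: str) -> bool:
    """True if the LM hash shows the password was at most 7 characters."""
    h = lm_hash_hex.strip().upper()
    if len(h) != 32:
        raise ValueError("LM hash must be 16 bytes (32 hex digits)")
    return h[16:] == LM_EMPTY_HALF


def lm_search_cost(charset_size: int = len(LM_CHARSET)) -> dict:
    """Compare the LM attack cost with a naive 14-character search.

    Each half is an independent search over 0..7 characters, and the two
    halves can be attacked separately (and in parallel)."""
    per_half = sum(charset_size ** n for n in range(0, 8))
    naive_14 = sum(charset_size ** n for n in range(0, 15))
    return {
        "per_half": per_half,
        "two_halves": 2 * per_half,
        "naive_14_char": naive_14,
        "reduction_factor": naive_14 // (2 * per_half),
    }


if __name__ == "__main__":
    # Constructed sample input; any password works the same way.
    for pw in ("secret", "Password123", "x" * 20):
        a, b = lm_key_halves(pw)
        print(pw, "->", a, b, expand_des_key(a).hex(), expand_des_key(b).hex())
    print(lm_search_cost())
```

The `reduction_factor` entry is the ratio a practitioner actually cares about: it is the factor by which splitting into halves shrinks the work compared with guessing a 14-character mixed-case password as a unit, before even counting the case folding.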