I thought the purpose of this particular thread was to discuss the pros and
the cons of installing a firewall onto a PC running NT4? It has since
mushroomed to include topics of conversation where it's being discussed as
an insecure solution as a desktop op/sys, of which I'm not going to contest
that an out-of-the-box NT4 install is insecure. But in an effort to get the
thread back to discussing the implementation of a firewall solution on NT4,
what is the opinion with regard to doing the following?
1. Install NT4 as a "stand-alone" server using NTFS. Do not install IIS, no
add-on optional applications.
2. Install a 2nd NIC and ensure that "IP forwarding" is not enabled.
3. Apply SP3 (at a min). Reboot
4. Apply the appropriate registry tweaks to tighten it further.
5. Go to Network Properties | Protocols and remove all but the TCP/IP
protocol.
6. Click TCP/IP protocol, don't use WINs, don't use LMHOSTS, don't use DNS.
7. Go to Bindings and completely "unbind" the 2nd NIC. Reboot.
8. Go back to Network Properties | Services, remove all of them. This
includes Workstation, Server, everything... Reboot
9. Then go to Control Panel | Services and set the Startup option for
everything 'cept Event Log, Plug and Play, and RPC to "disabled". Reboot
10. Install a firewall, one that binds its *own* IP stack to the external
NIC.
Optional step for those who are concerned about "services being turned back
on" (although such would require local access). Open NT Explorer and delete
everything possible from the WinNT, WinNT\System and WinNT\System32
directory and subdirectory structures. There's quite a bit that can be
deleted without any ill effect. I'm talking about EXEs, HLPs, DLLs, etc.
Experience was my teacher...
After the firewall's security plan has been appropriately configured, shut
the system down. Afterwards, and if this hasn't already been done, open the
box and unplug the fdd cable from the sysboard. Reboot the box, go to the
CMOS setup and kill APM, serial and parallel communications, disable the fdd and
the CD-ROM. Ensure that the CMOS setup is password protected. Reboot and leave
the system at the NT login prompt.
Personally, I think this is a damn secure system. Would anyone care to
disagree and point out any insecurities in the above?
Best Regards, Donald Kelloway
http://www.commodon.com
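As an added example (not part of the original post or any tool the poster used), here is an offline audit script for steps 2 and 9 of the checklist above. It assumes the registry was exported with `regedit /e services.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services` (assumed export command) and relies on two NT4 facts: `Tcpip\Parameters\IPEnableRouter` is 0 when IP forwarding is off, and each service's `Start` value is 4 when Disabled (2 = automatic, 3 = manual). The allow-list, the sample export and the `audit`/`parse_regedit4` function names are my own choices; the sample export is constructed, not taken from a real machine. Kernel and file-system drivers also live under the Services key with their own Start values, so the script filters on the `Type` value (0x10/0x20 = Win32 service) rather than flagging every driver as an undisabled service.

```python
"""Audit an NT4 REGEDIT4 export against the hardening checklist (added example).

Assumed layout (NT4):
  HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter  0 = forwarding off
  HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Start  2 automatic, 3 manual, 4 disabled
  HKLM\SYSTEM\CurrentControlSet\Services\<svc>\Type   1/2 = driver, 0x10/0x20 = Win32 service
Assumed export command: regedit /e services.reg HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services
"""
import re

SERVICES_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services"
# Step 9 of the checklist: everything except these three is set to Disabled.
# Key names chosen from the NT4 service keys for Event Log, Plug and Play, RPC.
ALLOWED_SERVICES = {"eventlog", "plugplay", "rpcss"}
START_DISABLED = 4
START_NAMES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
WIN32_SERVICE_TYPES = 0x30          # SERVICE_WIN32_OWN_PROCESS | SERVICE_WIN32_SHARE_PROCESS


def parse_regedit4(text):
    """Return {key_path: {value_name: value}} for a REGEDIT4 export.

    dword: values become ints, quoted strings become str, anything else
    (hex(...) blobs, continuation lines) is kept raw or skipped.
    """
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line == "REGEDIT4":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None:
            continue
        m = re.match(r'^"([^"]+)"=(.*)$', line)
        if not m:
            continue                    # "@=" default values and hex continuation lines
        name, data = m.group(1), m.group(2)
        if data.startswith("dword:"):
            keys[current][name] = int(data[len("dword:"):], 16)
        elif data.startswith('"') and data.endswith('"'):
            keys[current][name] = data[1:-1]
        else:
            keys[current][name] = data
    return keys


def audit(reg_text):
    """Return a list of (severity, message) findings; an empty list means clean."""
    keys = parse_regedit4(reg_text)
    findings = []

    # Step 2: the second NIC must not turn the box into a router.
    params = keys.get(SERVICES_KEY + r"\Tcpip\Parameters", {})
    if params.get("IPEnableRouter", 0) != 0:
        findings.append(("high", "IP forwarding is enabled (IPEnableRouter != 0); step 2 not applied"))

    # Step 9: every Win32 service outside the allow-list must be Disabled.
    for path, values in keys.items():
        if not path.startswith(SERVICES_KEY + "\\"):
            continue
        rel = path[len(SERVICES_KEY) + 1:]
        if "\\" in rel or "Start" not in values:      # sub-keys such as Tcpip\Parameters
            continue
        if values.get("Type", 0) & WIN32_SERVICE_TYPES == 0:
            continue                                  # kernel / file-system driver, not a service
        if values["Start"] != START_DISABLED and rel.lower() not in ALLOWED_SERVICES:
            state = START_NAMES.get(values["Start"], values["Start"])
            findings.append(("medium", "service %s is %s, expected disabled" % (rel, state)))
    return findings


# Constructed sample export: forwarding still on, Server service still automatic.
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip]
"Type"=dword:00000001
"Start"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"IPEnableRouter"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog]
"Type"=dword:00000020
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RpcSs]
"Type"=dword:00000010
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer]
"Type"=dword:00000020
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Schedule]
"Type"=dword:00000010
"Start"=dword:00000004
"""

# The same box after steps 2 and 9 have actually been applied.
HARDENED_EXPORT = SAMPLE_EXPORT.replace(
    '"IPEnableRouter"=dword:00000001', '"IPEnableRouter"=dword:00000000').replace(
    'LanmanServer]\n"Type"=dword:00000020\n"Start"=dword:00000002',
    'LanmanServer]\n"Type"=dword:00000020\n"Start"=dword:00000004')

if __name__ == "__main__":
    for label, export in (("before", SAMPLE_EXPORT), ("after", HARDENED_EXPORT)):
        print("%s hardening:" % label)
        for severity, message in audit(export) or [("info", "no findings")]:
            print("  [%s] %s" % (severity, message))
```

The allow-list is the part to adapt: the firewall product chosen in step 10 will add its own service key, and it needs to be added there or it will be reported. Note also that the script only sees what the Control Panel sees; a service whose key was removed from the registry, or whose binary was deleted per the optional step, will not appear at all.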
-----Original Message-----
From: [EMAIL PROTECTED] <[EMAIL PROTECTED]>
To: John Wiltshire <[EMAIL PROTECTED]>; [EMAIL PROTECTED]
<[EMAIL PROTECTED]>
Date: Saturday, June 19, 1999 1:43 PM
Subject: Re: Why not NT?
>] "John Wiltshire" <[EMAIL PROTECTED]>
>] > From: Paul D. Robertson <[EMAIL PROTECTED]>
>] > Second: Baggage/Design. You can't pare that sucker down to essential
>] > services and code. Worse yet, most of what you'd worry about isn't
>] > documented well enough to help in an attempt. There's also a great deal
>] > of non-IP networking baggage, and perhaps some IP networking baggage that
>] > doesn't seem to have an off button. In fact, lack of off buttons is a
>] > big thing overall. Sometimes the off buttons are undocumented registry
>] > settings - what a joy that is to replicate!
>]
>] Such as? I can pare down my NT machines to exactly the processes and
>] services I want running. Why not run the network
>] control panel and remove everything you don't want? Look at the services
>] control panel and the "Stop" button. Looks
>] like a great big off switch to me.
>
>There is a very big difference between turning a service OFF, and removing
>the service from the system. Which is the point Paul was making. If the
>service can be turned off, then it can be turned on again easily. If it is
>removed completely from the system, then it has to be installed (to be
>[ab]used).
>
>-
>[To unsubscribe, send mail to [EMAIL PROTECTED] with
>"unsubscribe firewalls" in the body of the message.]
>