NT Security

Initial Security Tasks

Always use NTFS disk partitions instead of FAT. NTFS offers security features, and FAT doesn't. It's that simple. If you must use a FAT partition for any reason, do not place any system files on that partition, and be careful about putting sensitive information on that FAT partition as well - you won't be able to set any access permissions for files and directories on that drive.

Set the permissions on the entire drive to:

SYSTEM full control
Administrators full control
Everyone or Users read only

The built-in NT backup program requires write access to the %SYSTEMROOT%\SYSTEM32 directory to store temporary files.

The system account and the administrator account (Administrators group) have the same file privileges, but they have different functions under Windows NT. The system account is used by the operating system and by services that run under Windows NT. Many services and processes within NT need to be able to log on internally (for example, during a Windows NT installation). The system account was designed for that purpose: it is an internal account, does not show up in User Manager, cannot be added to any groups, and cannot have user rights assigned to it. On the other hand, the system account does show up on an NTFS volume in File Manager, in the Permissions portion of the Security menu. By default, the system account is granted full control over all files on an NTFS volume. Here the system account has the same functional privileges as the administrator account.

Create a second Admin account

Enable auditing on all NT systems. Open the User Manager, and on the Policies | Audit menu you'll find the account-related events that may be audited. By using Explorer (or File Manager) to view properties, you'll be able to establish auditing on media-related objects as well.

The Guest account is created by default with each NT installation. If you do not need to permit Guest users on your system, remove or disable the Guest account, and take the extra time to set up a unique user ID for each person who must access your system temporarily. If you don't want to delete the Guest account, preferring instead to disable it, make certain you check it routinely to ensure it remains disabled.

Install the Service Packs

Routine Security Tasks

Update Emergency Repair Disk

Periodically check your systems for unwanted user accounts. Delete or disable unused accounts. When establishing temporary accounts (for vendors, contractors, etc.), be sure to set an expiration date for the account, and assign rights and permissions carefully.

Make certain you check the guest account routinely to ensure it remains disabled.
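
The routine account checks above (unwanted accounts, temporary accounts without an expiration date, Guest still disabled) can be run over saved account listings. This is an added example, not part of the original page; it assumes the "label   value" layout and the field labels "User name", "Account active" and "Account expires" printed by `net user <name>`, and the account names and lists in it are hypothetical.

```python
import re

# Constructed sample, not real data: text in the "label   value" layout that
# `net user <name>` prints, trimmed to three fields and joined for four accounts.
SAMPLE_OUTPUT = """\
User name                    Guest
Account active               Yes
Account expires              Never
User name                    jsmith
Account active               Yes
Account expires              Never
User name                    vendor1
Account active               Yes
Account expires              Never
User name                    oldtemp
Account active               No
Account expires              1/31/1999 12:00 AM
"""
APPROVED = {"administrator", "guest", "jsmith", "vendor1"}  # hypothetical allow-list
TEMPORARY = {"vendor1"}                                     # hypothetical temp accounts

def parse_records(text):
    """Build one dict per account; a "User name" line starts a new record."""
    records = []
    for line in text.splitlines():
        # Label and value are separated by a run of two or more spaces.
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=1)
        if len(parts) != 2:
            continue  # blank lines, banners, status messages
        label, value = parts
        if label == "User name":
            records.append({})
        if records:
            records[-1][label] = value
    return records

def audit(records, approved, temporary):
    """Return (account, finding) pairs for the three routine checks."""
    findings = []
    for rec in records:
        name = rec["User name"]
        key = name.lower()  # NT account names are not case-sensitive
        if key == "guest" and rec.get("Account active", "").lower() == "yes":
            findings.append((name, "Guest account is enabled"))
        if key not in approved:
            findings.append((name, "not on the approved account list"))
        if key in temporary and rec.get("Account expires", "").lower() == "never":
            findings.append((name, "temporary account has no expiration date"))
    return findings

if __name__ == "__main__":
    for account, finding in audit(parse_records(SAMPLE_OUTPUT), APPROVED, TEMPORARY):
        print(f"{account}: {finding}")
```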

Check for new service packs and install them as needed

The NT backup program does not encrypt data on tape, so anyone who has a tape can read it on another machine on which they have restore privileges, such as their personal NT workstation.

The Emergency Repair Disk contains sensitive data.