Microsoft KB Archive/257685

= Proxy Server 2.0 Security Checklist =

Article ID: 257685

Article Last Modified on 11/8/2002

-

APPLIES TO


 * Microsoft Proxy Server 2.0 Standard Edition

-



This article was previously published under Q257685



IMPORTANT: This article contains information about modifying the registry. Before you modify the registry, make sure to back it up and make sure that you understand how to restore the registry if a problem occurs. For information about how to back up, restore, and edit the registry, click the following article number to view the article in the Microsoft Knowledge Base:

256986 Description of the Microsoft Windows Registry



SUMMARY
This article describes some basic ways to reduce your network security risks.



MORE INFORMATION
WARNING: If you use Registry Editor incorrectly, you may cause serious problems that may require you to reinstall your operating system. Microsoft cannot guarantee that you can solve problems that result from using Registry Editor incorrectly. Use Registry Editor at your own risk.

Review and implement the following checklist to reduce your network security risks:

Disable IP forwarding. To prevent unauthorized IP packets from entering your network, in the Network tool in Control Panel, you can clear the Enable IP Forwarding check box. If Microsoft Windows NT Remote Access Services (RAS) is installed after Proxy Server is installed, IP forwarding is enabled. Disable IP forwarding after installing RAS. To disable IP forwarding:
 * 1) Click Start, point to Settings, and then click Control Panel.
 * 2) Double-click Network.
 * 3) On the Protocols tab, click TCP/IP Protocol, and then click Properties.
 * 4) On the Routing tab, click to clear the Enable IP Forwarding check box, and then click OK.

Enable access control. Running the Web Proxy or WinSock Proxy service without access control enabled is considered a non-secure operating condition. Without access control enabled, you cannot set any password authentication settings.

Never add external IP addresses to the local address table (LAT). Adding external IP addresses to the LAT exposes your entire internal network to Internet servers and clients. This can severely jeopardize your internal network security.

Implement and enforce a secure password policy. Although this might seem obvious, a stolen or easily guessed password is the best opportunity for someone to gain access to your system. Make sure that all passwords that are used on the system, especially those with administrative rights, have difficult-to-guess passwords. In particular, make sure to select a good administrator password (long, mixed-case, and alphanumeric) and set the appropriate account policies. You can set passwords by using the Windows NT User Manager for Domains tool.

Limit the membership of the Administrators group and limit user rights. By limiting the members of the Administrators group, you limit the number of users who might choose bad passwords. In addition, you should limit the assigning of user rights.

Enforce strict account policies. The User Manager for Domains tool includes configuration options called security policies. One security policy allows a system administrator to specify how quickly account passwords expire (forcing users to regularly change passwords). Another policy determines how many unsuccessful logon attempts are tolerated before a user is locked out. Use the User Manager for Domains security policies to configure the server against exhaustive or random password attacks.

Disable the Server service and check the permissions set on network shares. If you are running the Server service on your Internet adapters, be sure to double-check the permissions set on the shares you have created on the system. Also, double-check the permissions set on the files contained in the shares' subfolders to ensure that you have set them appropriately. Set default access to shared volumes and directories to Read-Only access.

Do not use network drive mappings. Network drive mappings to other remote servers on your internal network should not be used. This is critically important if you use the same computer for Proxy Server and for Web publishing with Microsoft Internet Information Server (IIS).

Use only NTFS file system volumes. The NTFS file system enables you to implement security and access control for your data files. By using NTFS, you can limit access to portions of your file system for specific users and services.

Run only the services and programs that you need. The fewer services and programs you are running on your system, the less likely it is that a mistake in administration can be exploited. You can use the Services tool in Control Panel to disable any services not absolutely necessary on your system. Also, if the FTP or Gopher services are not needed or used, turn them off by using Internet Service Manager.

Unbind unnecessary services from your Internet adapters. You can use the Bindings feature in the Network tool in Control Panel to unbind any unnecessary services from any network adapters connected to the Internet. For example, you might use the Server service to upload new images and documents from computers in your internal network, but you might not want users to have direct access to the Server service from the Internet. If you need to use the Server service on your internal network, disable the Server service binding to any network adapters connected to the Internet. You should not run the Windows NT Server service--that is, the Server Message Block (SMB) protocol--over the Internet. Also, you should unbind the WINS client.

Remove DNS and gateway references on your client configurations. This prevents clients from bypassing Proxy Server to access the Internet. If you are using DHCP, remove the same references to prevent your DHCP servers from accessing addresses outside of your internal network.

Disable ports used for remote procedure call (RPC) listening on the Internet adapter. Ports 1024 through 1029 are used by Windows NT TCP/IP services for RPC listening. You can disable all ports used for RPC listening on the external network adapter. After you do so, the ports are no longer visible to the Internet, and RPC listening only occurs on the internal network adapter. Before you editing the registry, create a backup of your configuration file. If you introduce an error in the registry and your computer becomes nonfunctional, you may be able to use the backup configuration file to restore your computer settings. To disable external ports used for RPC listening:  Start Registry Editor (Regedit.exe) Open the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services

 Click the entry underneath that represents your internal network adapter. You can use Control Panel to verify that the entry you selected is the internal network adapter you are using. Write down the name of the entry. Click the Services key, point to New on the Edit menu, and then click Key. Type RPC as the name of the new key. Click the RPC key, point to New on the Edit menu, and then click Key.</li> Type Linkage as the name of the new key.</li> Click the Linkage key, point to New on the Edit menu, and then click Key.</li> Type Bind as the name of the new key.</li> Click the Bind key, point to New on the Edit menu, and then click String Value.</li> Type the name you wrote down in step 3 for the name of the new value. You do not need to enter a data value.</li> Quit Registry Editor.</li></ol>

Keywords: kbinfo KB257685

-

[mailto:TECHNET@MICROSOFT.COM Send feedback to Microsoft]

© Microsoft Corporation. All rights reserved.