IT Baseline Protection Manual S 4.49 Safeguarding the boot-up procedure for a Windows NT system
Initiation responsibility: Head of IT Section, IT Security Management
Implementation responsibility: Administrators
Windows NT can only be operated securely if there is a guarantee right from the start of the system that a closed security environment is constructed, i.e. that there are no ways around the security functions of the operating system. This requires that all resources which are capable of being protected by Windows NT are under the control of the operating system and also that there is no possibility of starting up outside systems or open system environments which can circumvent the protection offered by Windows NT. In addition, the following aspects should be taken into account:
All existing hard disk partitions must be formatted using the NTFS file system. Partitions formatted using the FAT, VFAT or HPFS file systems cannot be protected against accesses from users. On the one hand this means that the data filed on them is exposed to arbitrary accesses from any user, and on the other hand, that these partitions can be misused for the uncontrolled exchange of data between users.
Floppy disk drives constitute a similar risk, as floppy disks under Windows NT can only be formatted using the FAT or VFAT file systems. For this reason the floppy disk drives of all computers which are not under strict physical control must always be locked by fitting disk locks (see S 4.4 Locking of disk drive slots). On Windows NT clients, the floppy disk drives can additionally be deactivated for non-privileged users via the control panel option "Devices\Floppy". This option should not be used on Windows NT servers (see S 4.52 Equipment protection under Windows NT).
If the computer has an open floppy disk drive or if it is possible to boot from a connected CD-ROM drive, there is a danger that the computer could be started up with an operating system other than Windows NT. The same danger can arise if other operating systems are installed on a local hard disk. In this case, the user can by-pass the security mechanisms of Windows NT with the aid of various programs. There are now several programs which can be used to read, and partially also modify, files protected under NTFS from a DOS or Linux environment. The security attributes set by the NTFS file system are ignored both under the MS-DOS and Linux operating systems. The user therefore has access to all the computer's files from MS-DOS or Linux. For this reason, no other operating systems may be installed on the hard disk besides Windows NT. Moreover, the boot procedure must be safeguarded by a BIOS setting protected with a BIOS password in such a way that the system cannot be started up by any connected disk drive or CD-ROM drive (see S 4.1 Password protection for IT-Systems).
When Windows NT is re-installed, the setup program offers a choice between upgrading the current installation of the operating system and installing a new copy in parallel. In the case of a parallel installation, the existing file structure is not changed, but the pre-defined Administrator account is re-created with a new password. This "new" administrator then has full access to all the computer's resources and thus to all data and programs. To prevent such a re-installation, users must not be in a position to change the file BOOT.INI in the root directory of the first disk (see S 4.53 Restrictive allocation of access rights to files and directories under Windows NT).
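The following command sequence shows one way of restricting BOOT.INI as required above. It is an added example and not part of the BSI manual; it assumes that C: is the root of the first disk where Windows NT keeps BOOT.INI, that the standard Windows NT 4.0 tools cacls.exe and attrib.exe are available, that cacls prints its English "Are you sure" prompt, and that it is run from an administrator command prompt.

```batch
@echo off
rem Restrict BOOT.INI so that only Administrators and SYSTEM may change it.
rem Added example, not part of S 4.49. Assumes C: is the root of the first
rem disk (where Windows NT keeps BOOT.INI) and that the standard NT 4.0
rem cacls.exe and attrib.exe are available. Run as an administrator.

set BOOTINI=C:\boot.ini

rem Show the current ACL before changing it.
cacls %BOOTINI%

rem Replace the whole ACL (no /E switch) with: Administrators full control,
rem SYSTEM full control, Users read-only. cacls asks "Are you sure" before it
rem replaces an ACL; the piped "y" answers that prompt (English cacls assumed).
echo y| cacls %BOOTINI% /P Administrators:F SYSTEM:F Users:R

rem Mark the file read-only, system and hidden as well. This is not access
rem control (anyone who may write the file may also clear its attributes),
rem but it keeps the file out of casual view and prevents accidental edits.
attrib +r +s +h %BOOTINI%

rem Verify the result.
cacls %BOOTINI%
attrib %BOOTINI%
```

Groups other than Administrators, SYSTEM and Users that appear in the first cacls listing (for example Everyone) are dropped by the replacement, so check the listing first and add any group that legitimately needs read access with a further `/E /G name:R` call.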
With the aid of the installation programs an emergency disk (see S 6.42 Creating start-up disks for Windows NT), can also be produced and used to carry out a system reconstruction. In the process, access protection of the NTFS partition of the operating system is cancelled. For this reason it is absolutely essential to safeguard the installation programs, an emergency disk which may already exist and the set-up disks in such a way that they are protected against unauthorised access. This specific threat can also be countered by protecting the disk drives with drive locks (see S 4.4 Locking of floppy disk drive slots) and safeguarding the boot procedure by means of the appropriate BIOS setting (see above).
Under Windows NT, logging-on to the server is only possible for users to whom the user right "Local log-on" has been given. These users are restricted to the rights and permissions assigned to them. To avoid misuse of the possibilities for logging-on to the server, provision must be made for the user rights, and the allocations to user groups, to be correspondingly restrictive (see safeguards S 2.93 Planning of the Windows NT network and S 4.50 Structured system administration under Windows NT).
Additional controls:
Is the safeguarding of any existing disk drives checked regularly?
Are there regular checks to ensure that no parallel installation of another operating system exists?
Are the BIOS settings which prevent booting from media other than the hard disk checked regularly?
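The additional controls above can be partly automated. The following batch script is an added example for the NTFS, parallel-installation and BOOT.INI checks of this safeguard; it is not part of the BSI manual. It assumes that the fixed partitions to check are those listed in DRIVES, that BOOT.INI lies in the root of C:, that the standard Windows NT 4.0 tools chkdsk.exe, findstr.exe, find.exe, cacls.exe and attrib.exe are available, and that chkdsk without /F only reads the volume and reports "The type of the file system is ...". Disk drive locks and BIOS settings cannot be read from software and remain a check to be made on the machine itself.

```batch
@echo off
rem Periodic boot-path audit for a Windows NT computer.
rem Added example for the controls of S 4.49; it is not part of the BSI manual.
rem Assumptions (adjust to the system): the fixed partitions are those in
rem DRIVES; BOOT.INI lies in the root of C:; the standard Windows NT 4.0
rem chkdsk.exe, findstr.exe, find.exe, cacls.exe and attrib.exe are available;
rem chkdsk without /F only reads and reports "The type of the file system is ...".
rem Run from an administrator command prompt on the computer being audited.

setlocal
set DRIVES=C: D:
set BOOTINI=C:\boot.ini
set FAIL=0
set ARCLINES=0

echo === 1. Every fixed partition must be NTFS ===
for %%D in (%DRIVES%) do (
    chkdsk %%D | findstr /i /c:"file system is NTFS" >nul
    if errorlevel 1 (
        echo   WARNING: %%D is not NTFS - convert it with: convert %%D /FS:NTFS
        set FAIL=1
    ) else (
        echo   %%D is NTFS
    )
)

echo === 2. No parallel operating system in BOOT.INI ===
rem Windows NT entries are ARC paths such as multi(0)disk(0)rdisk(0)partition(1).
rem An entry that starts with a drive letter, e.g. C:\="MS-DOS", boots another
rem operating system through a boot sector file.
findstr /i /r "^[A-Z]:" %BOOTINI% >nul
if not errorlevel 1 (
    echo   WARNING: BOOT.INI offers a boot entry for another operating system:
    findstr /i /r "^[A-Z]:" %BOOTINI%
    set FAIL=1
)
rem Every ARC path contains "rdisk", and so does the default= line, so a single
rem Windows NT installation yields 2 matching lines; more means a parallel copy.
for /f %%N in ('type %BOOTINI% ^| find /c "rdisk"') do set ARCLINES=%%N
if %ARCLINES% GTR 2 (
    echo   WARNING: BOOT.INI lists more than one Windows NT installation
    set FAIL=1
)

echo === 3. Only Administrators and SYSTEM may write BOOT.INI ===
cacls %BOOTINI%
rem F = full control, C = change, W = write; any of these for Everyone or a
rem Users group lets ordinary users prepare a parallel installation.
cacls %BOOTINI% | findstr /i /r "Everyone:[FCW] Users:[FCW]" >nul
if not errorlevel 1 (
    echo   WARNING: a non-administrative group can modify BOOT.INI
    set FAIL=1
)

echo === 4. Attributes of BOOT.INI - R, S and H expected ===
attrib %BOOTINI%

if %FAIL%==1 (
    echo RESULT: deviations found, see the warnings above
) else (
    echo RESULT: no deviations found
)
endlocal
```

The ACL check in step 3 only matches the short cacls permission letters; entries shown as "(special access:)" are printed in full by the preceding cacls call and must be read by the administrator. Step 1 may take a while on large volumes because chkdsk scans the whole partition even in read-only mode.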