
Setting-up Windows NT Securely


Most systems are not set up to be inherently secure when networked. You are, therefore, strongly advised to follow the recommendations shown in the checklist relevant to your system. This should help to ensure the system is appropriately and securely set up before it is put on the network. You are also advised to consult the CERT notifications.


Installation

Install the latest version of Windows NT from your media. To make your system more secure, specify during the installation that you want to install to an NTFS partition.

If the system has been pre-installed by the manufacturer, you can convert any partition, including the system partition, by using the command

convert c: /fs:ntfs

to convert, for example, the c: partition from FAT to NTFS. On the system partition, a reboot will be required for the conversion to take effect.

With the NTFS file system, you can then go about setting file and directory permissions.

Please note that you should install the latest service pack before converting your partitions to NTFS. If you wish to install to an NTFS partition on an IDE disk bigger than 8GB, you may need to read Knowledge Base article Q197667 on TechNet or www.microsoft.com for more information.

Service Packs, Hotfixes and Virus protection

You should apply the latest service pack for the version of NT that you have installed. Service packs can be found either at the Microsoft web site, www.microsoft.com, or on the ICT file server \\icfs1\patches.

Similarly, you should regularly check the Microsoft and other web sites to see if you require any hotfixes that are not part of the latest service pack. Some of these will again be on the Centre's file server in the above location.

You should install virus protection on your NT system. The College has a site license for Norton's Anti-Virus software. You can obtain this from the ICT server \\ccnts1\norton\disksets\ntwks\disk1.

Initial Setup

When setting up your system, you should convert and format your partitions as NTFS. This allows you to set file permissions on your folders and files, so that only authorised users can modify and read them.

To set file permissions, right-click on a folder or file in the file explorer and select Properties from the menu. Then select Security and then Permissions. You can now set who can access the object, and what access rights they should have. You can also remove those who should not have access to the object.

When you set up shares, you should set the share permission to work in conjunction with the underlying file permissions. Only give the required level of access to users.

In general you should add your PC to a domain which trusts the College's IC domain. This will enable you to set up file and access permissions based on IC accounts, and allow you to login with your IC account.

You should run "user manager" from the administrative tools menu, and add to your local users group only those accounts and groups that need access to your PC.

Select policies and user rights from "user manager". Look at "access this computer from the network" and "log on locally". You may want to remove Everyone and Guest from these rights, leaving just the local users group, through which you can control access to your system.

If you set up any local computer accounts, you can set policies under the account section of policies, such as when these accounts must change passwords, and how many characters must be in the password.

In general you should not enable the guest account.

If you wish to have a record of who is accessing your system, you should go to the policies audit menu under "user manager".

Check the "logon logoff" success and failure boxes as a minimum. Be careful about some of the other audit options, such as process and object access: these can slow down your machine and make your logs very large.

In conjunction with the auditing above, you should start the "event viewer" from the administrative tools menu and select the security log from the log menu to view who has been successfully and unsuccessfully accessing your system.

You will also need to enlarge the log by selecting the "log settings" item from the log menu. Select the security log and resize it to several megabytes if you have the disk space, and set the option to overwrite events as needed, unless you would rather clear the log yourself each time it fills up. You may also want to look at resizing the system and application log settings.
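
As an added example (not part of the original checklist), the following Python script shows one way to review a security log saved from the event viewer as comma-delimited text, counting failed logons per account once "logon logoff" auditing is on. The column layout, the description wording and the sample records are constructed assumptions; event IDs 529 to 537 are the NT logon failure events.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample, in an ASSUMED export layout (adjust to your own file):
# date,time,source,type,category,event ID,user,computer,description
SAMPLE_EXPORT = """\
12/03/02,09:14:02,Security,Success Audit,Logon/Logoff,528,IC\\jsmith,LABPC1,Successful Logon: User Name: jsmith Domain: IC Logon Type: 2
12/03/02,09:20:41,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,LABPC1,Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: LABPC1 Logon Type: 3
12/03/02,09:20:43,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,LABPC1,Logon Failure: Reason: Unknown user name or bad password User Name: administrator Domain: LABPC1 Logon Type: 3
12/03/02,09:20:46,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,LABPC1,Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: LABPC1 Logon Type: 3
12/03/02,09:31:10,Security,Failure Audit,Logon/Logoff,531,NT AUTHORITY\\SYSTEM,LABPC1,Logon Failure: Reason: Account currently disabled User Name: Guest Domain: LABPC1 Logon Type: 3

12/03/02,17:02:55,Security,Success Audit,Logon/Logoff,538,IC\\jsmith,LABPC1,User Logoff: User Name: jsmith Domain: IC Logon ID: (0x0,0x1A2B)
"""

LOGON_FAILURE_IDS = range(529, 538)  # NT logon failure events 529 to 537

# For a failed logon the "user" column is SYSTEM; the account that was tried
# appears in the description, so it is pulled out from there.
ACCOUNT_RE = re.compile(r"User Name:\s*(\S+)\s+Domain:\s*(\S+)")


def parse_events(text):
    """Yield (event_id, 'domain\\user') for each record naming an account."""
    for row in csv.reader(io.StringIO(text)):
        if len(row) < 9 or not row[5].isdigit():
            continue  # blank or malformed line
        # The description may itself contain commas, so rejoin the tail.
        description = ",".join(row[8:])
        match = ACCOUNT_RE.search(description)
        if match:
            account = (match.group(2) + "\\" + match.group(1)).lower()
            yield int(row[5]), account


def failed_logons(text, threshold=3):
    """Return {account: count} for accounts with at least `threshold` failures."""
    counts = Counter(acct for event_id, acct in parse_events(text)
                     if event_id in LOGON_FAILURE_IDS)
    return {acct: n for acct, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for account, count in sorted(failed_logons(SAMPLE_EXPORT).items()):
        print(f"{account}: {count} failed logons")
```

The threshold of 3 is an arbitrary sample value; setting it to 1 lists every account with a failed logon, including attempts against the disabled guest account.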

Security related websites

You should keep abreast of security related matters for NT by looking at the following websites amongst others:

NT Security - Frequently Asked Questions V. 0.41:
http://www.it.kth.se/~rom/ntsec.html

© 2002 Imperial College of Science, Technology and Medicine.