Windows NT is not very secure as installed by default. In fact, it is quite
easy to hack into your system with just a few pieces of information. If NT is
installed unattended, the user ID is "Administrator" and the password is blank.
Many NT users don't even bother to set a password, which could be fatal.
If you are connected to the Internet, your computer may be very vulnerable and
insecure. If you don't do anything about it, someone could access your
PC (your ID is already known: "Administrator"). By default, NT provides
some hidden shares such as "C$". Just try it yourself: you can access your NT
system with the command "net use x: \\[ip address]\c$". Oh, and there are ways
to find out your password and TCP/IP address, don't worry!
Here I will tell you how to secure your system from hackers in a network
environment, on the Internet and on an intranet.
==========================
WARNING: Using the Registry Editor incorrectly can cause serious, system-wide
problems that may require you to reinstall Windows NT to correct
them. I cannot guarantee that any problems resulting from the use
of the Registry Editor can be solved. Use this tool at your own risk.
- Make sure that guests stay guests and therefore get separate user IDs. You should
not allow password changes for this account. Don't allow local shutdown
(User Manager: Policies/User Rights). It is also required that all
local drives are formatted in NTFS. Steps 11 and 12 also require the
workstations to be members of a domain.
- Replace Explorer.exe as a shell with Internet Explorer
(HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon : Shell).
Be sure to place the full path to Iexplore.exe in this entry. For other
applications, place the main executable file or a launcher application
here.
- Change the permissions for %Systemroot%\System32\Taskmgr.exe so the
guest account does not have any privileges for this file (no access).
This prevents the user from running Task Manager from the security
dialog.
- Rename the administrative account and specify a password so users have
a hard time hacking it.
- Delete all hidden shares like C$ etc.
- Don't allow any blank passwords. If users log into a domain, disable the
use of them: start the Registry Editor (regedt32), go to the key
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and add a value
of type REG_MULTI_SZ named "Notification Packages". Double-click the
"Notification Packages" value and add the following entry:
"PASSFILT"
NOTE: If the value FPNWCLNT is already present, place the PASSFILT
entry beneath the FPNWCLNT entry.
- If you have the value AutoAdminLogon under Winlogon in the Registry, change
it to the string "0".
- Also set DontDisplayLastUserName to the string "1" so only experienced users
know how to specify a different name for logon (hold Shift while logging
off). Even if they manage to get to the logon dialog box, they still have
to know about an account.
- Disable ShutdownWithoutLogon by changing the string to "0". It's also
located in the Winlogon key mentioned above.
- Create a Default System Policy that only allows Iexplore.exe to run and
place it on the NETLOGON share of all DCs. It's in Default User
Properties, System\Restrictions\Run only allowed Windows applications.
Instead of Iexplore.exe, you can also specify the application(s) of
your choice. The main executable file or launcher application does not
need to be part of this set.
- Enable all policy restrictions in Shell\Restrictions so the user only
sees the computer, and files to be saved end up in the
%Systemroot%\Profiles\\desktop directory.
- You can also restrict access to %Systemroot%\Profiles\\desktop so
the user can only read files from there. This is the only folder the
user will be able to see if you checked all items in step 8.
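The Winlogon and Lsa values from the checklist above can be verified after the
fact. The following audit script is an added example, not part of the original
article; it assumes the two keys were exported with regedit.exe in REGEDIT4 text
format, and the sample export and the function names parse_reg and audit are
constructed for illustration. A missing AutoAdminLogon value is accepted, while
a missing DontDisplayLastUserName or ShutdownWithoutLogon is reported.

```python
import re

# Key paths and values follow the checklist above; SAMPLE is a constructed export, not real data.
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
LSA = r"hkey_local_machine\system\currentcontrolset\control\lsa"
EXPECTED = {"autoadminlogon": "0", "dontdisplaylastusername": "1", "shutdownwithoutlogon": "0"}
SAMPLE = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"AutoAdminLogon"="1"
"DontDisplayLastUserName"="1"
"ShutdownWithoutLogon"="0"
"Shell"="Explorer.exe"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Notification Packages"=hex(7):50,41,53,53,46,49,4c,54,00,46,50,4e,57,43,4c,\
  4e,54,00,00
'''

def parse_reg(text):
    """Parse a REGEDIT4 export into {key_path: {value_name: data}} (names lower-cased)."""
    text = re.sub(r"\\\r?\n\s*", "", text)  # join hex data continued with a trailing backslash
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := re.match(r'"([^"]+)"=(.*)$', line)):
            name, raw = m.group(1).lower(), m.group(2)
            if raw.startswith('"'):  # REG_SZ: drop the quotes, undo backslash escaping
                current[name] = re.sub(r"\\(.)", r"\1", raw[1:-1])
            elif raw.startswith("hex(7):"):  # REG_MULTI_SZ: NUL-separated ANSI strings
                data = bytes(int(b, 16) for b in raw[7:].split(",") if b)
                current[name] = [s for s in data.decode("latin-1").split("\0") if s]
    return keys

def audit(text):  # returns a list of findings; an empty list means every check passed
    keys, findings = parse_reg(text), []
    winlogon = keys.get(WINLOGON, {})
    for name, want in EXPECTED.items():
        got = winlogon.get(name)
        if got != want and not (name == "autoadminlogon" and got is None):
            findings.append(f"Winlogon {name}: expected {want!r}, found {got!r}")
    if not re.match(r"[a-z]:\\", winlogon.get("shell", ""), re.I):
        findings.append("Winlogon shell: not a full path to the kiosk application")
    packages = [p.upper() for p in keys.get(LSA, {}).get("notification packages", [])]
    if "PASSFILT" not in packages:
        findings.append("Lsa Notification Packages: PASSFILT missing")
    elif "FPNWCLNT" in packages and packages.index("PASSFILT") < packages.index("FPNWCLNT"):
        findings.append("Lsa Notification Packages: PASSFILT must come after FPNWCLNT")
    return findings
```

Calling audit(SAMPLE) reports the enabled AutoAdminLogon, the relative Shell
entry and the PASSFILT entry placed above FPNWCLNT.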
With Internet Explorer 3.0 you can prevent the user from seeing the Address
Toolbar and thus prevent the user from manually entering URLs:
- Remove the address toolbar in Internet Explorer ("View\Option",
"General" tab, bottom half of dialog box).
- Start Registry Editor (Regedt32.exe). In the HKEY_CURRENT_USER window,
open the key
Software\Microsoft\Internet Explorer\Toolbar
For Netscape, it would be
Software\Netscape\Netscape Navigator\Users
- With the focus on Toolbar, select the menu item Security\Permissions.
Make sure that the guest account is only allowed to read the key.
When you open the dialog box in Internet Explorer, you will be shown the
wrong settings but changes will not take effect. It may be possible to do
similar things with other registry keys of Internet Explorer, but only the
key mentioned in Step 2 above was tested for this article.