6.4 Windows NT network

Description

This chapter concerns a Windows NT network functioning as a client-server system under the Windows NT operating system (version 3.51 or 4.0). The security aspects of a Windows NT server are dealt with.

The client-specific safeguards are covered in chapter 5. Security-specific aspects of Windows NT applications, for example in relation to Mail, Schedule+, Direct-Data-Exchange (DDE) or Remote Access Service (RAS), are referred to only marginally. In addition to the threats and safeguards detailed here, the safeguards specified in Section 6.1 for a general server-supported network still apply. If the Peer-to-Peer functionality of Windows NT is used in the Windows NT network, the contents of Section 6.3 should also be taken into account.

Threat Scenario

The following typical threats are assumed for IT baseline protection of a server-supported network under the Windows NT operating system:

Organisational Shortcomings:

Technical Failure:

Deliberate Acts:

Recommended Countermeasures (S)

For the implementation of IT baseline protection, selection of the required packages of safeguards ("modules"), as described in chapters 2.3 and 2.4, is recommended.

When working through the specific Windows NT safeguards, a security strategy should first be drawn up using safeguard S 2.91 Determining a security strategy for the Windows NT client-server network. If Peer-to-Peer functionality is used, safeguard S 2.67 Determining a security strategy for the Peer-to-Peer network should be applied in addition, as this is the basis for the further safeguards.

The actual planning of the Windows NT network should then be carried out as described in safeguard S 2.93 Planning of the Windows NT network. In accordance with the specifications drawn up during this process, a server should first be installed and tested with a small number of clients, so that the fixed structures can be optimised and adapted before they are deployed in detail.

For the systems networked under Windows NT, the safeguards specified here must be implemented in addition to the safeguards outlined in Chapter 6.1. It seems sensible to install the file server in a separate server room. The appropriate measures are described in Chapter 4.3.2. As an alternative, server cabinets can be used (cf. Chapter 4.4).

For any clients connected, the safeguards outlined in chapter 5 must be implemented. If the Peer-to-Peer functionality of Windows NT is also being used, the safeguards specified in Section 6.3 must also be implemented.

Safeguards marked with the suffix "optional" exceed, at least partially, the requirements of IT baseline protection, or they refer to special usage environments. They should be implemented if the usage conditions concerned exist and/or the specific threats these safeguards ward off can be expected.

The safeguards for a "Windows NT network" are presented in the following:

Organisation:

Hardware/Software:

Communications:

Contingency Planning:


© Copyright by Bundesamt für Sicherheit in der Informationstechnik 2000

Last Update on 6 April 2000