FireWall-1 FAQ: Securing Windows NT for a FireWall-1 Installation
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Windows NT, by default, runs many services that are potential security risks. The following subsections contain some tips for setting up your Windows NT box to make it more secure. Note that the system should be physically disconnected from your network until you have made all of these changes. This minimizes the possibility that your firewall system will be compromised before you even get started.
When setting up NT for FireWall-1, only TCP/IP is needed. Use a static IP address.
Machine Name, Domain
Pick a good machine name (firewall seems like a good choice) and pick a workgroup that is not reachable. We're going to disable Microsoft Networking services below as well.
By default, NT installs the following services:
- Computer Browser
- NetBIOS Interface
- RPC Configuration
None of these services are actually needed by FireWall-1. Remove NetBIOS, RPC, and Server. The others will be disabled below. You also need to install the SNMP service at this time (FireWall-1 uses this service). Install this before installing FireWall-1 or any service packs.
Some may wonder why Workstation is being left in. If you delete Workstation, every time you go into the "Network" configuration in NT, you will be asked if you want to install Windows NT Networking. If you answer yes to this question, your NT installation will be damaged. By leaving the Workstation service installed, this question is never asked. If the Workstation service is disabled (as shown below), it will not create a security risk.
The reason Computer Browser is being left in is because Workstation has a dependency on it. Again, it will be disabled.
In the Network Control Panel Applet, click on Protocols. Double-click on TCP/IP. Make sure that IP Routing is enabled in the TCP/IP Properties under the Routing tab. Also ensure that only your external interface has a default route defined (the other interfaces should not).
In the Network Control Panel Applet, click on Bindings. From the pulldown menu next to "Show bindings for", pull down "all protocols." Select WINS TCP/IP and click on Disable.
If you are installing NT from scratch, you will not be able to disable WINS Client on install. After a reboot, you will experience a hang of up to 2 minutes. This is perfectly normal and should not occur after disabling the WINS Client.
Go to Devices in the Control Panel, scroll down and find WINS Client (TCP/IP). Click on "Startup" and change startup to "Manual."
Services to Disable After Installation
Go to Services in the Control Panel. For each of the following services, select the service, click on "Startup" and change startup to "Manual". When you reboot, these services will be disabled:
- Computer Browser
- TCP/IP NetBIOS Helper
- Net Logon
- Server (if present)
- Network DDE
- Network DDE DSDM
Local Hosts File
While not necessarily a "security" recommendation, it is highly recommended that you make sure that your hostname is resolvable to an IP address. In fact, FireWall-1 4.1 will automatically add an appropriate entry. Go to the local host file (%SystemRoot%\System32\drivers\etc\hosts) and make sure your hostname (as specified above) has an entry in the hosts file (it probably won't). Make it resolve to your external IP address.
These registry hacks come from Rush Wilson and help protect against people physically coming up to the machine and logging into it. Her method for "securing" her NT systems is somewhat different as it allows for certain users to access the machine from the Network. Her document on this is here. I've picked out the more interesting of her registry hacks to show on this page, which assume you've followed my steps above.
To Disable display of last userid in the logon window
Set DontDisplayLastUsername to 1 in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (REG_SZ)
To Display a warning message when logging on to the server
Set LegalNoticeCaption to "Notice" in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (REG_SZ)
Set LegalNoticeText to "Authorized users only" in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (REG_SZ)
To Disable caching of logon credentials
Set CachedLogonsCount to 0 in HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (REG_SZ)
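A way to verify that the service startup changes and the Winlogon registry hacks above actually took: the following added script (not from the original FAQ or from Rush Wilson's document) parses a registry export (.reg) and lists what still differs from the recommended values. The service key names (Browser, LanmanServer, etc.) are the standard NT names and are an assumption of this script, as is the constructed SAMPLE_REG input.

```python
"""Audit a Windows .reg export against the hardening settings above (added example,
not from the FAQ; service key names and SAMPLE_REG are this script's assumptions)."""
WINLOGON = r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon"
SERVICES = r"hkey_local_machine\system\currentcontrolset\services"
# Services the page says to set to Manual (Start=3); Disabled (Start=4) also passes.
TO_DISABLE = {"browser": "Computer Browser", "lmhosts": "TCP/IP NetBIOS Helper",
              "netlogon": "Net Logon", "lanmanserver": "Server",
              "netdde": "Network DDE", "netddedsdm": "Network DDE DSDM"}
# Constructed sample export of an unhardened box (not taken from a real machine).
SAMPLE_REG = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
"CachedLogonsCount"="10"
"LegalNoticeText"=""

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000002

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon]
"Start"=dword:00000003
"""

def parse_reg(text):
    """Return {key_path: {value_name: raw_value}}, lower-cased (registry is case-insensitive)."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
        elif current and line.startswith('"') and '"=' in line:
            name, _, raw = line[1:].partition('"=')
            keys[current][name.lower()] = raw.strip('"')   # dword:... kept verbatim
    return keys

def audit(text):
    """Return a list of findings; an empty list means every check passed."""
    reg = parse_reg(text)
    wl = reg.get(WINLOGON, {})
    findings = []
    for name, want in (("DontDisplayLastUsername", "1"), ("CachedLogonsCount", "0")):
        if wl.get(name.lower()) != want:
            findings.append(f"Winlogon: {name} should be {want}")
    if not wl.get("legalnoticetext"):
        findings.append("Winlogon: LegalNoticeText is empty")
    for key, display in TO_DISABLE.items():
        start = reg.get(SERVICES + "\\" + key, {}).get("start")
        if start is not None and start not in ("dword:00000003", "dword:00000004"):
            findings.append(f"Service '{display}' still starts automatically ({start})")
    return findings
```

Services absent from the export (for example Server after it has been removed) are skipped rather than reported, since removal is the stronger fix.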