While there are many excellent security texts devoted to the Unix family, I have not yet seen a good paper on how to button down a single NT box or workgroup. Microsoft's site is a tolerable starting point, but its treatment of file permissions is entirely insufficient. The Defense Information Systems Agency's Common Operating Environment group also puts out a series of operating-system-specific publications, but its coverage is not to my liking.
To my knowledge, only a half dozen or so books on NT security have been published. I have neither the budget to purchase them nor the time to study their contents (I get paid to write web applications, not to pursue system security), so perhaps they do a better job, particularly in the area of tweaking the registry. If any readers have recommendations or short reviews they wish to share with me, I will be happy to include them in this text. Until then, Microsoft's list of NT security books will get you started.
The purpose of my writing this paper is to provide a cookbook of practical steps to remedy the disastrous setup one finds out of the box. It is an amalgamation of information I've gathered from correspondence on forums like NTSecurity and NTBugTraq, the sources listed above, and my own research into the issue. I don't pretend that this is the definitive word on the subject, nor that it fits your environment. It is highly recommended that all readers review it carefully and experiment on a test platform before rolling anything out to a production environment. For your reading pleasure I recommend Robert Malmgren's excellent FAQ on NT. To be quite honest, I'm rather overwhelmed at the sheer volume of excellent NT and general computer security information scattered around the web. I just wish I had the time to look at it all.
Having recently gone through the pain of rebuilding a mixed NT 4.0 and NT 3.51 workgroup, I have decided to include my notes on how to build such an environment in a more secure fashion. Please forgive this departure from the paper's original intent, which was targeted at standalone boxes only. However, given the all too common lack of knowledge of proper NT configuration among administrators and corporate helpdesk staff (even among so-called certified individuals), I believe a wider audience is a Good Thing.
As always, I welcome comments and criticism. Without feedback I won't be able to update the text and fix any errata that creep in. If you have links to related sites, or find items missing attribution, please send them along as well. This resource was put together on government time and therefore will be available to the public at no charge. Feel free to distribute it worldwide, as no ITAR export restrictions apply. All included material is copyrighted by its respective owners or copyright holders.