Windows NT has the capability of being a very secure operating system, but it's default configuration (as it is installed), has relatively weak security. This is by design, as Microsoft wants to make sure that Windows NT works "out of the box" in as many environments as possible. Also, there are several levels of security and which one is best will vary from environment to environment. Below are some general guidelines that are applicable in almost all environments. These tips are helpful even if your system is not connected to the Internet - the vast majority of computer break-ins originate from an internal source.
Rename the Administrator account
In order to compromise your system, a hacker needs two pieces of information - a username and the matching password. When NT is installed, an account named "Administrator" is created which has all administrative privileges on the system. Because of this, a hacker already has half of the information he needs to break in to your system. If you rename the account to something different, you add an extra level of obscurity and it is more difficult to break in to your system.
Disable the Guest account
When NT is installed, it also creates an account called "Guest". While it has very limited access to your system and its resources, it is best to disable this account unless you have a specific need for it. In almost all environments, it is much better to create an account for each user.
Install the latest Service Pack and any relevant Hotfixes
The latest Windows NT Service Packs and Hotfixes are available from ftp://ftp.microsoft.com/bussys/winnt/winnt-public/fixes/. It is important to make sure that your system has the latest Service Pack Installed along with any security related Hotfixes. When Microsoft finds, or is informed of, a security concern in Windows NT, they create a patch for it and release it in this fashion.
Enforce physical security
At a minimum, your systems should be treated as any valuable item and be kept in a safe location. In a highly relaxed environment, this means at least keeping your systems out of the way of the general public. In most cases, it is best to keep your systems in a locked server room, where only specifically authorized users have access to them.
Always remember to logout or lock the workstation
When you leave the system you are working on, you should be sure to either logout from the system, or lock it. If you do not do this, any person passing by will have full access to the system using your account. It is also a good idea to use a password-protected screensaver on your system in case you forget to logout or lock the system.
Implement a password policy
Accounts in all but the most relaxed environment should always have a password. But simply having a password is not always enough - it is important to use strong passwords. For example, if you work for Acme Manufacturing, "acme" would be a very poor password choice. It is also a bad idea to write down your passwords.
Windows NT has several features to allow you to enforce secure passwords. At the basic level, you can require passwords to be a minimum length and set them to expire periodically. If you require higher security, Windows NT 4.0 Service Pack 2, and later, includes a password filter (passflt.dll) that enforces stronger password requirements.
What else can you do?
While we have outlined a few basic security guidelines, it is best to perform a complete security audit on your systems. Because an audit must be specifically tailored to your environment, we could never outline it here. NetInterface Consultings staff is fully trained in Windows NT and in computer security and can discuss this with you further. Contact us to arrange a free consultation and a complete security audit of your systems.