This chapter discusses the details of configuring Windows NT for use in a firewall environment, building on the principles discussed in Chapter 10. You should be sure to read both chapters before attempting to build a bastion host. This chapter is not a complete introduction to Windows NT security, which is a complex subject. Instead, it attempts to cover those issues that are specific to bastion hosts, and that are not covered in most Windows NT security texts. As usual, we use the term "Windows NT" for both Windows NT and Windows 2000, except where we explicitly say otherwise.
Just as with Unix, it's impossible to give complete instructions on how to configure any given machine; the details vary greatly depending on what version of Windows NT you're running and exactly what you intend to do with the machine. This chapter is intended to give you an outline of what needs to be done, and how to figure out how to do it.
There are two major approaches to building bastion hosts under Windows NT. As usual, people hold very strong opinions about which one is correct.
One method of building Windows NT bastion hosts is to take the same approach that we recommend for Unix machines: you disable all normal administration tools, remove the machine from all forms of resource and information sharing, and run it as an island unto itself, where nothing is quite the same as it is on the mainland. This is a very secure approach, but it makes the machines quite difficult to administer.
The other method of building Windows NT bastion hosts is to use a split administrative network, as described in Chapter 6, and build the machines as relatively normal Windows machines that can participate in domains, use standard administrative tools, and otherwise behave pretty much the way everybody expects. In this configuration, the machine has two network interfaces, and services are disabled only for the externally visible interface. The machine is configured with higher security than normal but not with the extreme measures that make it impossible to administer normally.
Partisans describe the first configuration as "impossible to use" and the second as "impossible to secure". The truth is, of course, somewhere between the two. The first configuration can be used and administered, but it's difficult and peculiar. It's not appropriate for machines that need to change often and provide large numbers of services. The second configuration can be secured, but it's relatively fragile; small accidents can make services available on the external interface. It's not appropriate for the highest security environments, or environments where there are no other protections for the machines.
This chapter is primarily aimed at the first kind of configuration. This is the more extreme configuration, and the one which is not adequately covered by other sources of information. If you want to build the second kind of configuration, you will follow the same basic procedures we describe, but you will leave many more services enabled.
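The fragility of the second configuration is that a service ends up bound to every interface instead of only the administrative one. A quick way to catch that is to audit the host's listening sockets and compare them against the short list of services the bastion host is meant to offer externally. The following is an added example, not code from the book: it parses the output of the Windows `netstat -an` command (captured separately and pasted in here as constructed sample data) and flags any listener bound to the assumed external address `192.0.2.10` or to the wildcard address `0.0.0.0`, which exposes the service on all interfaces, the external one included.

```python
"""Audit which listening sockets on a dual-homed bastion host are reachable
from the external interface.  Added example, not from the book: it parses
the output of `netstat -an` (Windows format) and flags listeners bound to
the external address or to the wildcard address 0.0.0.0, which exposes the
service on every interface, including the external one."""
import re
from dataclasses import dataclass

# Constructed sample output in the format of `netstat -an` on Windows;
# the addresses are placeholders, not a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:139            0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          0.0.0.0:0              LISTENING
  TCP    10.1.1.10:3389         0.0.0.0:0              LISTENING
  TCP    10.1.1.10:139          10.1.1.5:1044          ESTABLISHED
  UDP    0.0.0.0:137            *:*
  UDP    10.1.1.10:161          *:*
"""

EXTERNAL_ADDR = "192.0.2.10"   # address of the externally visible interface (assumed)
INTERNAL_ADDR = "10.1.1.10"    # address of the administrative interface (assumed)

# The only listeners this bastion host is meant to offer on the external interface.
ALLOWED_EXTERNAL = {("TCP", 80)}

# One netstat row: proto, local addr:port, foreign addr:port, optional state.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int


def parse_listeners(netstat_output):
    """Return the set of listening sockets found in Windows netstat -an output.
    TCP sockets count only in LISTENING state; UDP sockets carry no state, so
    every bound UDP socket is treated as a listener."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # established or closing connections are not listeners
        found.add(Listener(proto, addr, int(port)))
    return found


def externally_exposed(listeners, external_addr):
    """A socket is reachable from outside if it is bound to the external
    address or to the wildcard 0.0.0.0 (all interfaces)."""
    return {l for l in listeners if l.addr in (external_addr, "0.0.0.0")}


def unexpected_exposures(listeners, external_addr, allowed):
    """Exposed listeners that are not on the allow-list: these are the
    'small accidents' a split-administration bastion host is prone to."""
    return {l for l in externally_exposed(listeners, external_addr)
            if (l.proto, l.port) not in allowed}


if __name__ == "__main__":
    found = parse_listeners(SAMPLE_NETSTAT)
    for l in sorted(unexpected_exposures(found, EXTERNAL_ADDR, ALLOWED_EXTERNAL),
                    key=lambda x: (x.proto, x.port)):
        print(f"UNEXPECTED external listener: {l.proto} {l.addr}:{l.port}")
```

On the constructed sample this reports the NetBIOS and RPC endpoint-mapper listeners (TCP 135, TCP 139, UDP 137) as unexpected, because they are bound to `0.0.0.0`; the RDP and SNMP listeners bound only to the administrative address pass. Run against real `netstat -an` output, the allow-list should contain exactly the services the bastion host is supposed to provide, and anything else that shows up is a service that needs to be disabled or rebound to the internal interface.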