Skip navigation

NT Gatekeeper: Removing C2-Compliant Security Settings

The Microsoft Windows NT Server 4.0 Resource Kit includes a tool called c2config.exe that can configure your system according to the National Computer Security Center's (NCSC's) C2 security requirements. I installed this tool on some of our crucial file servers and configured the systems accordingly. Can I now remove the C2 security settings? If so, is uninstalling the resource kit sufficient to do so? After uninstallation, are the permissions automatically restored to their original values?

The C2config tool is installed as part of the resource kit. When you've installed the resource kit, you can apply the C2 security configuration settings to your system. C2config.exe doesn't come with a special uninstall feature. However, the tool provides a way to reset the security settings that are registry related. Table 2 provides an overview of the C2 security settings that are registry related and those that aren't. For a complete overview of the C2 security settings and their effects, see the c2config.exe Help file.

Resetting the C2 security settings that aren't registry related (e.g., the OS/2 and POSIX subsystems, the file-system upgrade, the file-system and registry access-control settings) isn't easy. Before you enable the settings, c2config.exe warns you that the settings are irreversible. For example, you obviously can't reverse the file-system upgrade: When you've upgraded your FAT file system to NTFS, you can't turn back the clock. Although which files or registry settings c2config.exe deletes when removing the OS/2 and POSIX subsystems isn't entirely clear, Microsoft has marked these settings as irreversible. The easiest way to reset file-system and registry access-control settings to their pre-c2config.exe settings is to use the Security Configuration Manager (SCM) with the compws4.inf (for NT Workstation 4.0) and the compdc4.inf (for NT Server 4.0) security templates. Microsoft ships SCM as part of Service Pack 4 (SP4). You can also use the SCM to reset some of the registry-related C2 security settings.

Hide comments

Comments

  • Allowed HTML tags: <em> <strong> <blockquote> <br> <p>

Plain text

  • No HTML tags allowed.
  • Web page addresses and e-mail addresses turn into links automatically.
  • Lines and paragraphs break automatically.
Publish