Build a Bastion Host


This server will help keep even the best intruders at bay

Do you think that your Windows NT server is safe? Before you answer, if you're the administrator of an NT server that connects to the Internet, consider the following:

  • At the time of this writing, Netcraft's Web Server Survey ( reports that about 30 percent of the computers in active Internet sites are Microsoft servers and that the vast majority of those are NT servers. Although Microsoft servers constitute less than a third of the market, they have been the favorite targets of intruders. The Attrition Defacement Statistics Web site (http:// os.html#all) reports that from August 1999 through May 2001, almost 55 percent of all defacements were against NT and almost 7 percent of all defacements were against Windows 2000.

  • During a Black Hat Windows Security convention, three intruders easily infiltrated one of the most popular firewalls, Check Point Software Technology's FireWall-1. This demonstration brought home that a firewall is only as secure as the underlying OS. (For more information, see "Hackers Breach FireWall-1," http://www 0,4586,2610719,00.html?chkpt=zdhp news01, and "A Stateful Inspection of FireWall-1," http://www.dataprotect .com/bh2000/blackhat-fw1.html.)

To provide the highest level of security for your NT network, you can build a bastion host. A bastion host is typically an Internet-connected server that has no devices (e.g., filtering routers) in front of it to protect against Internet attacks. Instead, the bastion host's defense is a stripped-down, highly secure OS.

You can configure a bastion host for a variety of server roles on the Internet. For example, you can use the bastion host as an FTP, Microsoft IIS, SMTP, POP3, Network News Transfer Protocol (NNTP), or firewall server. First, let's look at three good practices to keep in mind as you're building a bastion host; then, we'll discuss how to configure an NT server as a bastion host.

Good Practices
When building a bastion host, you should follow three good practices. First, you should build it in stages so that you're applying the security measures in layers. That way, if problems occur later, you can peel back and check each layer until you find the root of the problem. Second, you should install only programs that are absolutely necessary to achieve the desired functionality. This practice is often referred to as the minimalist approach. Finally, you should document every action you perform on the bastion host. I keep a separate notebook for each bastion host for the entire life of that server. If more than one administrator manages a Web site, keep the notebook in a central location. That way, the notebook becomes a communications tool.

In the notebook, document events and measurements, including hardware and software installations, upgrades, and removals; services running; server reboots; and server statistics (e.g., memory, disk-space utilization). By keeping track of how the server usually behaves, you'll be better able to tell when it's behaving abnormally. Unusual behavior can be a symptom of defacement or another problem.

Keeping these three good practices in mind, let's build a bastion host. Building a host is a six-stage process:

  1. Install NT and the application.
  2. Remove unnecessary network services.
  3. Disable unnecessary local services.
  4. Change the network configuration.
  5. Run setup.cmd.
  6. Test the application.

Install NT and the Application
The first step to building a bastion host is to install NT 4.0 on the server. You're likely experienced in installing NT, so I won't detail that process here. When you install the OS, though, make sure that you

  • configure all volumes as NTFS. If you have enough space, make a separate partition for user data and logs. Separating the OS from user data and logs makes assigning permissions much easier and eliminates the risk of crashing the system should the user data and logs fill up the root partition.

  • select TCP/IP as the only protocol.

  • configure the bastion host as a standalone server.

  • don't install IIS, even if the bastion host will be an IIS server. If you plan to install IIS, you should do so after you finish working with the OS.

The next step is to install the latest service pack. When you install NT 4.0 from a CD-ROM, the CD-ROM typically includes Service Pack 1 (SP1). To avoid any hardware and software problems, I always install the latest service pack and update all my drivers with OEM drivers that I know are solid and stable.

Now you can install your application (e.g., IIS, firewall software). Install updates and hotfixes that the application might need. In following the minimalist approach, you probably won't need to install Microsoft Internet Explorer (IE). However, if you need to install IE, don't install the Shell Update Release (SUR) add-on component (aka Active Desktop). This component isn't necessary and consumes a lot of memory.

With the OS and the application installed, you can tweak your bastion host. Specifically, you need to remove unnecessary network services, disable unnecessary local services, and change the network configuration.

Remove Unnecessary Network Services
NT doesn't require any network services to be running. However, your application might require a particular network service. For example, FireWall-1 doesn't need any network services, but IIS requires the RPC Configuration service. Thus, you need to check your application's documentation. After determining whether your application needs any network services, open the Control Panel Network applet and select the Services tab, as Figure 1 shows. Remove the network services you don't need.

Running the server with only the application's necessary network services will cause your system to complain. For example, you'll receive the Network Configuration error message "Windows NT Networking is not installed. Do you want to install it now?" You can simply click No when you receive this message. Running with so few network services also causes several other problems. You'll find that User Manager for Domains doesn't work; you can fix this problem by replacing User Manager for Domains with NT Workstation's User Manager. You might also have problems installing software, because some installation packages make special calls to the OS that require information from network services. If such a problem occurs, reinstall the network services, install the new software, then remove the network services again. The last problem you'll run into is that you won't be able to configure certain parts of the OS through the GUI. I describe how to work around this problem in the "Change the Network Configuration" section.

Disable Unnecessary Local Services
Instead of listing the many services that you need to disable, let's just mention the few services you need to leave enabled: the Event Log, NT LM Security Support Provider, and Protected Storage services. You also need to leave enabled any local services that your application might need. For example, for IIS, you need to leave the remote procedure call (RPC) service enabled in addition to the three services just mentioned. After determining whether your application needs any local services, open the Control Panel Services applet and disable the unnecessary services.

If you open Task Manager when only the Event Log, NT LM Security Support Provider, Protected Storage, and RPC services are running, you'll see only these processes: csrss.exe, explorer.exe, loadwc.exe, lsass.exe, nddeagnt.exe, pstores.exe, rpcss.exe, services.exe, smss.exe, and winlogon.exe. Under this configuration, NT is a lean operation, consuming only about 18MB of memory.
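The notebook practice above is easier to keep up if the server records its own service baseline. The following batch script is an added example, not part of the article or its setup.cmd; it saves the output of net start on first run and reports any difference on later runs. The C:\bastion folder and file names are assumptions.

```batch
@echo off
rem services-check.cmd: added example (not the article's script). Snapshots the list of
rem started services and compares it with the saved baseline so that a service that
rem was re-enabled (for example by an installer) shows up instead of going unnoticed.
rem Assumed locations: C:\bastion\services-baseline.txt and C:\bastion\services-current.txt
set BASEDIR=C:\bastion
set BASE=%BASEDIR%\services-baseline.txt
set CUR=%BASEDIR%\services-current.txt

if not exist %BASEDIR% md %BASEDIR%

rem "net start" with no arguments lists the services that are currently started
net start > "%CUR%"

if not exist "%BASE%" (
  copy "%CUR%" "%BASE%" > nul
  echo Baseline recorded in %BASE%.
  echo Review it now: only Event Log, NT LM Security Support Provider, Protected Storage
  echo and the services your application needs should be listed.
  goto :EOF
)

rem fc sets ERRORLEVEL 1 when the two files differ
fc "%BASE%" "%CUR%" > nul
if errorlevel 1 (
  echo WARNING: the started services differ from the baseline:
  fc "%BASE%" "%CUR%"
  echo Record the reason in the server notebook, then refresh the baseline if the change is intended.
) else (
  echo Started services match the baseline.
)
```

Rerun the script after every installation, hotfix or reboot and note the result in the notebook; when a change is intentional, delete the baseline file so that the next run records the new one.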

Change the Network Configuration
You change the network configuration through the GUI and the registry. The changes you make through the GUI are fairly simple. Just follow these steps:

  1. Remove the NetBIOS functionality from the TCP/IP stack. Open the Network applet and click the Bindings tab. In the Show Bindings for drop-down list, select all adapters. Select WINS Client(TCP/IP) and click Disable, as Figure 2 shows. Disabling the WINS client stops the server from listening on NetBIOS ports (i.e., 137 TCP and UDP; 138 UDP; and 139 TCP) for traffic.

  2. Disable the driver. Open the Control Panel Devices applet, select WINS Client(TCP/IP), and click Disable.

  3. Set up inbound TCP/IP filters if the bastion host isn't serving as a firewall. (You don't need inbound filters if you've installed a firewall application because the firewall application performs the filtering function.) The inbound TCP/IP filters restrict the ports on which the server accepts inbound traffic. To set up inbound TCP/IP filters, you need to know the IP protocols and the ports you want to allow. You can find examples of supported protocols in the \winnt\system32\drivers\etc\protocol file and examples of well-known ports in the \winnt\system32\drivers\etc\services file. After you've determined the IP protocols and the ports, open the Network applet and select Protocols, TCP/IP Protocol, Properties. Select your adapter, then click Advanced. Select the Enable Security check box and click Configure. In the TCP/IP Security dialog box that appears, specify the protocols and ports. For example, Figure 3 shows the ports required for a Web server that provides connectivity for the HTTP (port 80) and Secure Sockets Layer (SSL, port 443) protocols.

The network-configuration changes that you make through the registry are a bit trickier than the changes you make through the GUI. When you work with the registry, you need to be extremely careful. Incorrectly editing the registry can permanently corrupt your system. Here are the steps to change the necessary registry settings:

  1. Configure the Server service. Because you disabled this network service, you can't use the GUI to set the Minimize Memory Used, Balance, Maximize Throughput for File Sharing, or Maximize Throughput for Network Applications option. Instead, you need to change the configuration in the registry.

    If the bastion host will run an application, you need to set the Maximize Throughput for Network Applications option for the Server service. To do so, open regedit, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters subkey, and locate the Size entry. As the Microsoft article "How to Optimize Windows NT Server Using the Registry" ( directory/article.asp?id=kb;en-us; q232271) explains, the possible values for this entry are 1 (Minimize Memory Used), 2 (Balance), and 3 (Maximize Throughput for File Sharing and Maximize Throughput for Network Applications). Set the Size entry to the value of 3.

    Because the Size entry specifies both the Maximize Throughput for File Sharing and Maximize Throughput for Network Applications options, you also need to set the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management\LargeSystemCache entry. The possible values for this entry are 0 (Maximize Throughput for Network Applications) and 1 (Maximize Throughput for File Sharing). Set the LargeSystemCache entry to the value of 0.

  2. Configure the TCP/IP stack to protect against SYN attacks. SYN attacks target the TCP protocol, so you need to protect your bastion host's TCP/IP stack. In regedit, go to the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters subkey. Create an entry with the name SynAttackProtect, set the value type to REG_DWORD, and set the entry to the value of 2. The Microsoft article "Internet Server Unavailable Because of Malicious SYN Attacks" (;en-us;q142641) provides a complete explanation of the SYN attack and how adding this registry entry protects against it. For background information about TCP/IP configuration parameters in the registry, see the Microsoft article "TCP/IP & NBT Configuration Parameters for Windows NT and Windows 2000" (;en-us;q120642).
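The two registry steps above can be applied repeatably from a batch file instead of by hand in regedit. The following script is an added example and is not part of the article or its setup.cmd; it writes a REGEDIT4 file with the three entries from the steps above and imports it silently. The temporary file name is an assumption.

```batch
@echo off
rem bastion-registry.cmd: added example (not the article's script). Writes the Server
rem service, memory-management and SYN-protection entries to a REGEDIT4 file and imports
rem it with regedit /s. Assumed temporary file: %TEMP%\bastion.reg.
rem Update your Emergency Repair Disk (rdisk /s) before changing the registry.
set REGFILE=%TEMP%\bastion.reg

rem Redirection is placed at the start of each line: a trailing digit before ">" would
rem otherwise be read by cmd.exe as a file-handle number (e.g. "REGEDIT4>" or "...0003>>").
> "%REGFILE%" echo REGEDIT4
>>"%REGFILE%" echo.

rem Server service: 3 = Maximize Throughput (the GUI option is unavailable with the
rem Server network service removed, so the value must be set here)
>>"%REGFILE%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
>>"%REGFILE%" echo "Size"=dword:00000003
>>"%REGFILE%" echo.

rem 0 = Maximize Throughput for Network Applications rather than for File Sharing
>>"%REGFILE%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management]
>>"%REGFILE%" echo "LargeSystemCache"=dword:00000000
>>"%REGFILE%" echo.

rem 2 = the strongest SynAttackProtect level described in Microsoft article q142641
>>"%REGFILE%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
>>"%REGFILE%" echo "SynAttackProtect"=dword:00000002

rem /s imports without the confirmation dialog
regedit /s "%REGFILE%"
del "%REGFILE%"
echo Registry entries written. Reboot for the Server service and TCP/IP changes to take effect.
```

After the reboot, open regedit and confirm the three values, then record the change in the server notebook.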

Run Setup.cmd
Now that you've installed NT and the application, removed the unnecessary network services, disabled unnecessary local services, and changed the network configuration, you're ready to use setup.cmd. Setup.cmd, which I wrote for use on NT 4.0 servers, performs the following tasks:

  • Deletes the NT Virtual DOS Machine (VDM).

  • Deletes the POSIX subsystem.

  • Deletes the OS/2 subsystem.

  • Deletes the, debug.exe, edlin.exe, rcp.exe, rexec.exe, rsh.exe, and sysedit.exe files, which are typically security risks.

  • Uses the Microsoft Management Console (MMC) Security Configuration Manager snap-in to apply the bastionhost.inf file to your system. This snap-in reads bastionhost.inf as a configuration file and configures the system accordingly.

Before you run setup.cmd, you need to make several preparations. First, you need to download and install the Security Configuration Manager snap-in. You can download this snap-in from nts/downloads/recommended/scm/default.asp. If you're unfamiliar with installing and using this tool, see the Microsoft article "Downloading and Using the Security Configuration Manager Tool" (

Next, you need to download bastionhost.inf and setup.cmd from the Code Library on the Security Administrator Web site ( Make sure that bastionhost.inf and setup.cmd are in the same location as the Security Configuration Manager snap-in's executable (secedit.exe) and DLLs (esent.dll and scedll.dll). All these files will easily fit on a disk if you prefer to execute them from a removable medium.

After you have all the files in place, you need to review and customize the bastionhost.inf and setup.cmd files. Bastionhost.inf contains configuration settings, such as settings for system access parameters, the RestrictAnonymous parameter, Security logs, and privilege rights. Review the settings to make sure they fit your needs, and make any necessary changes. At a minimum, you need to rename the Administrator account and guest account in the system access section, which Listing 1, page 15, shows. Callout A in Listing 1 highlights the lines you need to change.

In addition to reviewing bastionhost.inf, you need to review setup.cmd to make sure that the script isn't deleting any file or component that your application might need. For example, if you're running a 16-bit application, you need to keep the VDM on your bastion host. To keep the script from deleting specific files or components, you can simply add the Rem command at the beginning of each applicable line. For example, Listing 2, page 15, shows how you can stop the script from deleting the VDM. You must reapply setup.cmd every time you add a hotfix or install a service pack.
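To show what a reviewed setup.cmd looks like in practice, here is an added illustration of the tasks listed above; it is not the downloadable setup.cmd from the Code Library. The subsystem file names (ntvdm.exe, psxss.exe, posix.exe, psxdll.dll, os2.exe, os2ss.exe, os2srv.exe), the secedit switches and the bastionhost.sdb and bastionhost.log names are assumptions that you should verify against your own server and the Security Configuration Manager documentation.

```batch
@echo off
rem bastion-setup.cmd: added illustration of the article's setup.cmd tasks, not the
rem original script. Run it from the directory that holds secedit.exe, esent.dll,
rem scedll.dll and bastionhost.inf, and run it again after every hotfix or service pack.
set SYS=%SystemRoot%\system32

rem --- Remove the optional subsystems ---
rem NT Virtual DOS Machine. Put "rem" in front of the next line, as Listing 2 shows,
rem if a 16-bit application on this host still needs the VDM.
del %SYS%\ntvdm.exe

rem POSIX subsystem (file names assumed from the NT 4.0 system32 layout)
del %SYS%\psxss.exe
del %SYS%\posix.exe
del %SYS%\psxdll.dll

rem OS/2 subsystem (file names assumed from the NT 4.0 system32 layout)
del %SYS%\os2.exe
del %SYS%\os2ss.exe
del %SYS%\os2srv.exe

rem --- Remove tools that are typically security risks ---
rem Only files that exist are deleted, so rerunning the script stays quiet.
for %%f in (debug.exe edlin.exe rcp.exe rexec.exe rsh.exe sysedit.exe) do (
  if exist %SYS%\%%f del %SYS%\%%f
)

rem --- Apply bastionhost.inf with the Security Configuration Manager ---
rem bastionhost.sdb is the working database secedit builds from the .inf;
rem bastionhost.log records what was applied. Both names are assumptions.
secedit /configure /cfg bastionhost.inf /db bastionhost.sdb /log bastionhost.log /verbose
if errorlevel 1 echo secedit reported an error; review bastionhost.log before rebooting.

echo Setup finished. Note the run in the server notebook and reboot.
```

Because each deletion is its own line, disabling any single task is a matter of prefixing that line with rem, which keeps the script readable during the "peel back" troubleshooting described later.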

Test the Application
Now that you've built the bastion host, you need to test your application. If the application fails, you have two options: Peel back the security layers by troubleshooting each stage in reverse order or start over and test your application after each stage. After you have the application working, you need to test your application and update your configuration regularly.

A Smart Countermeasure
Building a bastion host is a crucial step in preparing a server for functioning on the Internet. Because NT is a favorite target of intruders, having an NT server with a highly secure OS is a smart countermeasure.
