\[Editor's Note: Do you have a security-related question about Windows NT? Send it to [email protected], and you might see the answer in this column!\]
When a Windows NT Server 4.0 system crashes, the machine displays the infamous blue screen of death, then waits for someone to reboot it. Can I modify an NT 4.0 system's crash behavior, and would doing so have any security implications?
NT Server 4.0 includes a set of recovery options that let the server take automatic actions when a crash occurs. You can configure the recovery options from the System Properties Startup/Shutdown tab, as Figure 1 shows. You can access System Properties from the Control Panel System applet or by right-clicking My Computer on the desktop and selecting Properties. The following recovery options are available:
- Write an event to the System log.
- Send an administrative alert. You can send an alert to one or several machines, but to enable this option, the Alerter Service must be running. You can check and change the Alerter Service's status from the NT Server Manager. You can configure which machines to send the alert to from the Alerts dialog box under Machine Properties in the NT Server Manager.
- Write debugging information to a file. You can collect crash information that can help Microsoft Product Support Services (PSS) diagnose the problem. When you set this option, you must specify the name of the memory dump file. You can also choose to overwrite the existing memory dump file when a new crash occurs.
- Automatically reboot the system.
You can also set recovery options by modifying the registry settings that Table 1 lists. The settings are in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\CrashControl registry subkey. You can also write a custom system policy template file and use this template and the System Policy Editor (SPE) to enforce the settings on your NT servers.
The recovery options can often reduce a system's downtime; however, automatically rebooting the system might not be a good option if an intruder has intentionally crashed your system. If the intruder uploaded malicious code to your system before the crash, an automatic reboot might harm your system. I recommend that you always write debugging information to a file, overwrite the existing log file, write an event to the System log, and send an administrative alert.