Windows 2000 Security Checklist Basic Security ConsiderationsProvide Physical Security for the machineMost security breaches in corporate environments occur from the inside. Culprits can be well meaning "power users" who configure their co-workers PCs, to disgruntled employees, or they can be full blown corporate spies that are working at your company. It may not be practical to physically secure every workstation in your environment, but your servers need to be in a locked room with monitored access. Consider placing surveillance cameras in your server rooms and keeping the tapes for 30 days. For desktops, install a lock on the CPU case, keep it locked, and store the key safely away from the computer at a secure location. (i.e. a locked cabinet in the server room)
Disable the Guest AccountWindows 2000 finally disables the guest account by default, but if you didn't build the image yourself, always double check to make sure the guest account is not enabled. For additional security assign a complex password to the account anyway, and restrict its logon 24x7.
Limit the number of unnecessary accountsEliminate any duplicate user accounts, test accounts, shared accounts, general department accounts, etc., Use group policies to assign permissions as needed, and audit your accounts regularly. These generic accounts are famous for having weak passwords (and lots of access) and are at the top of every hacker's list of accounts to crack first. This can be a big problem at larger companies with understaffed IT departments. An audit at a Fortune 10 company I worked for revealed that 3,000 of their 15,000 active user accounts were assigned to employees who no longer worked for the company. To make matters worse, we were able to crack the passwords on more than half of those inactive accounts.
Create 2 accounts for AdministratorsI know this goes against the previous caveat, but this is the exception to the rule. Create one regular user account for your Administrators for reading mail and other common tasks, and a separate account (with a more aggressive password policy) for tasks requiring administrator privileges. Have your Administrators use the
"Run As" command available with Windows 2000 to enable the access they need. This prevents malicious code from spreading through your network with admin privileges.
Rename the Administrator AccountMany hackers will argue that this won't stop them, because they will use the SID to find the name of the account and hack that. Our view is, why make it easy for them. Renaming the Administrator account will stop some amateur hackers cold, and will annoy the more determined ones. Remember that hackers won't know what the inherit or group permissions are for an account, so they'll try to hack any local account they find and then try to hack other accounts as they go to improve their access. If you rename the account, try not to use the word 'Admin" in its name. Pick something that won't sound like it has rights to anything.
Consider creating a dummy Administrator accountAnother strategy is to create a local account named "Administrator", then giving that account no privileges and impossible to guess +10 digit complex password. This should keep the script kiddies busy for a while. If you create a dummy Administrative account, enabled auditing so you'll know when it is being tampered with.
Replace the "Everyone" Group with "Authenticated Users" on file shares"Everyone" in the context of Windows 2000 security, means anyone who gains access to your network can access the data. Never assign the "Everyone" Group to have access to a file share on your network, use "Authenticated Users" instead. This is especially important for printers, who have the "Everyone" Group assigned by default.
Password SecurityA good password policy is essential to your network security, but is often overlooked. In large organizations there is a huge temptation for lazy administrators to create all local Administrator accounts (or worse, a common domain level administrator account) that uses a variation of the company name, computer name, or advertising tag line. i.e. %companyname%#1, win2k%companyname%, etc. Even worse are new user accounts with simple passwords such as "welcome", "letmein", "new2you", that aren't required to changed the password after the first logon. Use complex passwords that are changed at least every 60 -90 days. Passwords should contain at least eight characters, and preferably nine (recent security information reports that many cracking programs are using the eight character standard as a starting point). Also, each password must follow the standards set for strong passwords .
Password protect the screensaverOnce again this is a basic security step that is often circumvented by users. Make sure all of your workstations and servers have this feature enabled to prevent an internal threat from taking advantage of an unlocked console. For best results, choose the blank screensaver or logon screensaver. Avoid the OpenGL and graphic intensive program that eat CPU cycles and memory. Make sure the wait setting is appropriate for your business. If you can get your users in the habit of manually locking their workstations when they walk away from their desks, you can probably get away with an idle time of 15 minutes or more. You can keep users from changing this setting via Group Policy.
Use NTFS on all partitionsFAT and FAT32 File systems don't support file level security and give hackers a big wide open door to your system. Make sure all of your system partitions are formatted using NTFS.
Always run Anti-Virus softwareAgain, this is something that is considered a basic tenet of security, but you would be surprised at how many companies don't run Anti-Virus software, or run it but don't update it. Today's AV software does more than just check for known viruses, many scan for other types of malicious code as well.
Secure your Backup tapesIt's amazing how many organizations implement excellent platform security, and then don't encrypt and/or lock up their backup tapes containing the same data. It's also a good idea to keep your Emergency Repair Disks locked up and stored away from your servers.
Mid Level Security Measures
Use the Security Configuration Toolset included with Windows 2000 to configure policies.Microsoft provides a Security Configuration Toolset which provides plug in templates for the MMC that allow you to easily configure your policies based on the level of security you require. The template includes a long list of configurable options (many of which appear on this checklist) and also includes a useful security analysis tool. For more information, download the documentation
here. If your workstation is not part of a domain, you can still enable policies by using the Poledit.exe file from the Windows 2000 Server CD-ROM. For more information, check out
Microsoft Knowledge Base Article: 269799 - How to Secure Windows 2000 Professional in a Non-Domain Environment.Don't allow unmonitored modems in your environmentOne of the easiest hacks in the world is finding a company's phone number prefix and suffix range and wardialing for a modem that picks up. After weeding through the fax machines, you can either look for an unsecured workstation with RAS enabled, or one with Symantec's PC Anywhere loaded on it. If either one is configured incorrectly, you can easily gain access to the local machine and work up from there. If you have a digital phone system, get a list of every analog line that comes into your workplace and find out where it goes! Every PC hooked to a modem is a security risk. Make sure they're configured correctly and audited regularly.
Shut down unnecessary servicesUnnecessary services take up system resources and can open holes into your operating system. IIS, RAS, and Terminal Services have security and configuration issues of their own, and should be implemented carefully if required. There are also several malicious programs that can run quietly as services without anyone knowing. You should be aware of all the services that all run on your servers and audit them periodically. The default services allowed in a Windows NT 4.0
C2 certified installation are:
Computer Browser
Microsoft DNS Server
Netlogon
NTLM SSP
RPC Locator
RPC Service
TCP/IP NetBIOS Helper
Spooler
Server
WINS
Workstation
Event Log
Windows 2000 has not been submitted for C2 certification by Microsoft, so an updated list of services is not available. What services are deemed unnecessary may vary based on the function of your server and/or workstations. Please test your specific configuration in a lab environment before enabling it in your production network. A list of services available in Windows 2000 Server (as well as their default settings) can be found
hereShut down unnecessary portsThis is a judgment call based on your needs and risks. Workstations aren't normally at risk behind a firewall, but never assume your servers are safe! A hackers first attempt at rattling the doors and windows usually involves using a port scanner. You can find out a list of open ports on your local system by opening the file located at %systemroot%\drivers\etc\services. You can configure your ports via the TCP/IP Security console located in the TCP/IP properties (Control Panel > Network and Dial Up Connections > Local Area Connection > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering) To allow only TCP and ICMP connections, configure the UDP and IP Protocol check boxes to "Permit Only" and leave the fields blank. A list of default ports for Windows 2000 Domain Controllers can be found
hereEnable AuditingThe most basic form of Intrusion Detection for Windows 2000 is to enable auditing. This will alert you to changes in account policies, attempted password hacks, unauthorized file access, etc., Most users are unaware of the types of doors they have unknowingly left open on their local workstation, and these risks are often discovered only after a serious security breach has occurred. At the very minimum, consider auditing the following events:
Event >>
Level of AuditingAccount logon events >> Success, failure
Account management >> Success, failure
Logon events >> Success, failure
Object access >> Success
Policy change >> Success, failure
Privilege use >> Success, failure
System events >> Success, failure
Set permissions on the security event logThe event log files are not protected by default, so permissions should be set on the event log files to allow access to Administrator and System accounts only.
Store all sensitive documents on file serversAlthough most new workstations come with some very large drives, you should consider storing all of a users data (documents, spreadsheets, project files, etc.,) on a secured server, where the data is backed up regularly. Modify the parameters for the "My Documents" folder to always point to the users network share on a secured server. For laptop users, enable the "Make available offline" capabilities to synchronize the folder's content.
Prevent the last logged-in user name from being displayedWhen you press Ctrl-Alt-Del, a login dialog box appears which displays the name of the last user who logged in to the computer, and makes it easier to discover a user name that can later be used in a password-guessing attack. This can be disabled using the security templates provided on the installation CD, or via Group Policy snap in. For more information, see
Microsoft KB Article Q310125Check Microsoft's web site for the latest hotfixesNobody writes 30 million lines of code and is going to have it perfect the first time, so updating service packs and hotfixes can go a long way to plug security holes. The problem is that hotfixes and service packs aren't regression-tested as thoroughly as service packs and can come with bugs of their own. You should always test them on a comparable, non production system before deploying them. Check
Microsoft's TechNet Security Page frequently for the latest hotfixes and decide which ones you need to roll out. Tip: Our home page at
LabMice.net always features
Microsoft's latest hotfix to save you time.
Advanced Security SettingsSet a power on passwordThis should be mandatory for all laptop users, but is rarely done in most environments for servers and workstations because it doesn't allow you to remotely log on and reboot a machine to the point that the Operating System will restart. Keep in mind that an intruder who can physically open your computer's central processing unit (CPU) can adjust hardware switches to disable the power-on password, and could also temporarily install a drive and boot another OS, bypassing all of your security settings. If this is a concern for your company, consider locking the case (if the model permits it) or using removable hard drives that are locked up every night.
Disable DirectDrawThis prevents direct access to video hardware and memory which is required to meet the basic C2 security standards. Disabling DirectDraw may impact some programs that require DirectX (games), but most business applications should be unaffected. To disable it edit the Registry HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI and set the value for Timeout (REG_DWORD) to 0
Disable the default sharesWindows NT and Windows 2000 open hidden shares on each installation for use by the system account. (Tip: You can view all of the shared folders on your computer by typing NET SHARE from a command prompt.) You can disable the default Administrative shares two ways. One is to stop or disable the Server service, which removes the ability to share folders on your computer. (However, you can still access shared folders on other computers.) When you disable the Server service (via Control Panel > Administration Tools > Services), be sure to click Manual or Disabled or else the service will start the next time the computer is restarted. The other way is via the Registry by editing HKeyLocal Machine\SYSTEM\CurrentControlSet\Services\LanManServer\Parameters. For Servers edit AutoShareServer with a REG_DWORD Value of 0. For Workstations, the edit AutoShareWks. Keep in mind that disabling these shares provide an extra measure of security, but may cause problems with applications. Test your changes in a lab before disabling these in a production environment. The default hidden shares are:
Share
Path and Function
C$ D$ E$
Root of each partition. For a Windows 2000 Professional computer, only members of the Administrators or Backup Operators group can connect to these shared folders. For a Windows 2000 Server computer, members of the Server Operators group can also connect to these shared folders
ADMIN$
%SYSTEMROOT% This share is used by the system during remote administration of a computer. The path of this resource is always the path to the Windows 2000 system root (the directory in which Windows 2000 is installed: for example, C:\Winnt).
FAX$
On Windows 2000 server, this used by fax clients in the process of sending a fax. The shared folder temporarily caches files and accesses cover pages stored on the server.
IPC$
Temporary connections between servers using named pipes essential for communication between programs. It is used during remote administration of a computer and when viewing a computer's shared resources
NetLogon
This share is used by the Net Logon service of a Windows 2000 Server computer while processing domain logon requests.
PRINT$
%SYSTEMROOT%\SYSTEM32\SPOOL\DRIVERS Used during remote administration of printers.
Disable Dump File CreationA dump file can be a useful troubleshooting tool when either the system or application crashes and causes the infamous "Blue Screen of Death". However, they also can provide a hacker with potentially sensitive information such as application passwords. You can disable the dump file by going to the Control Panel > System Properties > Advanced > Startup and Recovery and change the options for 'Write Debugging Information" to None. If you need to troubleshoot unexplained crashes at a later date, you can re-enable this option until the issue is resolved but be sure to disable it again later and delete any stored dump files.
Enable EFS (Encrypting File System)Windows 2000 ships with a powerful encryption system that adds an extra layer of security for drives, folders, or files. This will help prevent a hacker from accessing your files by physically mounting the hard drive on another PC and taking ownership of files. Be sure to enable encryption on Folders, not just files. All files that are placed in that folder will be encrypted. For more information check out our
EFS Resource CenterEncrypt the Temp FolderApplications use the temp folder to store copies of files while they are being updated or modified, but they don't always clean the folder when you close the program. Encrypting the temp folder provides an extra layer of security for your files.
Lock down the RegistryIn Windows 2000, only Administrators and Backup Operators have default network access to the registry, however you may wish to tighten this down even further. To restrict network access to the registry, follow the steps listed in
TechNet Article Q153183Clear the Paging File at shutdownThe Pagefile is the temporary swap file Windows NT/2000 uses to manage memory and improve performance. However, some 3rd party programs may store store unencrypted passwords in memory, and there may be other sensitive data cache as well. You can clear the pagefile at shutdown by editing the Registry Key HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management and changing the data value of the ClearPageFileAtShutdown value to 1
Disable the ability to boot from a floppy or CD ROM on physically unsecured systems.There are a number of 3rd party utilities that pose a security risk if used via a boot disk (including resetting the local administrator password.) If your security needs are more extreme, consider removing the floppy and CD drives entirely. As an alternative, store the CPU in a locked external case that still provides adequate ventilation.
Disable AutoRun for CD-ROM drives on physically unsecured systems.One of the easiest ways for a hacker with physical access to a company's PC's to distribute malicious code is via the CD-ROM. By creating a custom CD with a payload set to launch from the autorun feature in any machine, a hacker can affect any number of unlocked systems without ever leaving a fingerprint or touching a keyboard. Or he/she can simply leave a few of these lying around the office marked "MP3's", or "Payroll Data" and wait for an unsuspecting user to simply pick it up and insert it into their machine. You can disable this function by editing the Registry and changing the HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services Cdrom subkey and set the AutoRun value to 0
Remove the OS/2 and POSIX SubsystemsIf you are not using these subsystems (and people rarely do), removing them may improve performance and also closes a potential security risk.To remove the OS/2 and POSIX subsystems:1. Delete the \winnt\system32\os2 directory and all of its subdirectories.2. Use the Registry Editor to remove the following registry entries:
Key:
HKEY_LOCAL_MACHINE\SOFTWARE
Subkey:
Microsoft\OS/2 Subsystem for NT
Entry:
delete all subkeys
Key:
HKEY_LOCAL_MACHINE\SYSTEM
Subkey:
CurrentControlSet\Control\Session Manager\Environment
Entry:
Os2LibPath
Value:
delete entry
Key:
HKEY_LOCAL_MACHINE\SYSTEM
Subkey:
CurrentControlSet\Control\Session Manager\SubSystems
Entry:
Optional
Values:
delete entry
Key:
HKEY_LOCAL_MACHINE\SYSTEM
Subkey:
CurrentControlSet\Control\Session Manager\SubSystems
Entry:
delete entries for OS2 and POSIX
The changes take effect the next time the computer is started. You might want to update the emergency repair disk to reflect these changes.
Consider using SmartCard or Biometric devices instead of passwords.The more stringent your password policy is, the more likely your users will begin keeping paper password lists in their desk drawers, or taped to the bottom of their keyboard. Windows 2000 supports these devices, so consider the costs vs. risks of your most sensitive data.
Consider implementing IPSecBasically, IPSec provides encryption for network sessions using the Internet Protocol (IP) and promises to offer transparent and automatic encryption of network connections. For more information, click
here