Computer Protection Program at Berkeley Lab
Ernest Orlando Lawrence Berkeley National Laboratory
  PROCEDURES FOR SECURING SYSTEMS  
Checklist for Securing Windows 2000  


_____________

Introduction

Microsoft's Windows 2000 operating system consists of four separate but related products:

  • Windows 2000 Professional ("Win2K Pro") — the workstation product

  • Windows 2000 Server — the "normal" server product

  • Windows 2000 Advanced Server — a high-end server product with higher memory capacity, clustering, and load balancing

  • Windows 2000 Data Center — for large hosts that require large amounts of RAM, fault tolerance, and high-end multiprocessor support

Although Windows 2000 is more secure out-of-the-box than Windows NT, you'll have to make quite a few changes to Windows 2000 if you want it to run securely. The purpose of this posting is to describe the most basic steps in securing Windows 2000. Please note that this checklist is not intended to provide a complete set of measures, but rather is intended to make your system "just secure enough."

Baseline Security Measures

Establishing at least a baseline level of security is essential if Windows 2000 workstations and servers are going to be able to withstand the most basic kinds of attacks. Implementing the following measures will produce a baseline level of security:

  • Install Windows 2000 from trusted media.

  • Ensure that your system's hard drive consists of a minimum of two partitions, C and D. Use C as the installation drive; this partition will contain critical system directories and files. Do not set up user shares to this partition. In workstations and member servers, use D to hold other files and folders; set up user shares to D as needed. In domain controllers, use D to hold Active Directory files and folders; do not set up user shares to D. Set up drive E in domain controllers to hold user files and folders. To grant users access to resources they need, set up user shares to drive E.

  • Format each partition as an NTFS partition [fn1]. If any volume is FAT-formatted, convert it in place (the convert command keeps the existing files) by entering:

    convert <partition letter>: /fs:ntfs

    For example, to convert partition D to NTFS, enter:

    convert d: /fs:ntfs

  • If your Windows 2000 system has been upgraded from Windows NT 4.0 (i.e., it is not a native installation), use the secedit command to bring the default level of security up to the level present in a native installation. In workstations and member servers, change your current directory to c:\%systemroot%\security\templates, then enter (the /db argument names the database secedit builds from the template; the /cfg argument names the template itself):

    secedit /configure /db <database_name>.sdb /cfg basicws.inf /log <logfile_name> /quiet

  • Install the latest Service Pack (SP) [fn2]. On Windows 2000 workstations and servers, Service Pack 4 is the most recent one. You can obtain this SP from http://www.lbl.gov/download/ .

  • Install the latest hotfixes, many of which fix security-related vulnerabilities.

  • Download post SP4 hotfixes from:
    http://www.lbl.gov/download/

  • Ensure that your Windows 2000 system is part of a domain. Your alternative is to have your machine belong to a workgroup, something that is very dangerous given that anyone who finds the name of a workgroup can join a hostile machine to that workgroup, then attack systems within that workgroup. Workgroups provide almost no barriers to attackers. To check whether your system is part of a domain or a workgroup, right-click on My Computer, choose Properties, then click on Network Identification. For information concerning how to join a domain at LBNL, contact Curtis McDonald, cjmcdonald@lbl.gov.

  • Lock down access to the system drive (and, in the case of domain controllers, the drive on which Active Directory resides). In general, do not assign anything more than Read-Execute permissions to Everyone, but always assign Full Control to Creator Owner and Administrators.

    • Assign Everyone Read-Execute access to c:\%systemroot% (which by default is c:\winnt) and c:\%systemroot%\system32

    • Assign Everyone Read-Execute access to the sysvol, sysvol\sysvol, and ntds folders (wherever they may reside in the file system)

    • Remove all access (but do not assign No Access) to c:\%systemroot%\repair for the Everyone group

  • Avoid sharing partitions if you do not need to do so. For each share, allow Creator Owner and Administrators to have Full Control. Remove Everyone's access (but do not assign No Access), then assign Authenticated Users the Change level of share access. To check or change share permissions, or to delete shares, go from Administrative Tools to the Distributed File System and then to the DFS root. Open the tree under the DFS root until you reach the share you want, then right-click and choose Properties.

  • Go to Administrative Tools, then either to Computer Management and Local Users and Groups, or to Domain Security Policy [fn3] and then Active Directory Users and Groups (depending on the particular version of Windows 2000):

    • Rename the default Administrator account [fn4] to an innocuous name, change the account description to "User account," and enter a ridiculously long (up to 104 characters) password that is as difficult to guess as possible. Write the password down on a piece of paper that you keep in your personal possession, e.g., in your wallet or purse, whenever you are at work. Never share this password with others and do not leave the slip of paper on which this password is written anywhere where others might see it. Use the default Administrator account, which in Windows 2000 does not lock after excessive bad logon attempts, only for emergency access.

    • Create one additional account that is a member of the Administrators group for yourself and another for each person who needs to administer your system. Create an unprivileged account for each Administrator, also. Use the unprivileged account when you are engaged in normal activities such as Web surfing, obtaining FTP access, and downloading mail. Use the superuser account only when you are involved in system administration duties.

    • Create a new, unprivileged account named "Administrator." Ensure that this account is in the Guests group only. Look at your logs frequently to determine whether people are trying to log on to this account, which is a decoy account designed to deflect genuine attacks against your system.

    • Leave the Guest account disabled.

    • Limit the membership of the Enterprise Admins, Schema Admins, and Administrators groups, all of which have almost unlimited power.
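
The decoy "Administrator" account above is only useful if someone actually reads the logs for it. The following added example (not part of this checklist or of any LBNL tool) summarises logon events naming the decoy per source workstation; its log lines are constructed in a simplified "date,time,event_id,account,workstation" form rather than real Event Viewer output, and the event IDs are the Windows 2000 security-log values 528, 529 and 539.

```python
# Flag logon activity against the decoy "Administrator" account the checklist
# creates. Added example; the log lines are constructed in a simplified
# "date,time,event_id,account,workstation" form, not real Event Viewer output.
from collections import Counter

DECOY = "Administrator"  # the unprivileged decoy account (real admin was renamed)
# Windows 2000 security-log event IDs: 528 successful logon, 529 bad user name
# or password, 539 account locked out.
LOGON_EVENTS = {"528": "success", "529": "failure", "539": "locked out"}

# Constructed sample: a burst of failures ending in lockout from one host, normal
# user activity, and one successful logon to the decoy (the worst case).
SAMPLE_LOG = """\
2003-09-14,02:11:03,529,Administrator,WS-EXT-07
2003-09-14,02:11:05,529,Administrator,WS-EXT-07
2003-09-14,02:11:08,529,Administrator,WS-EXT-07
2003-09-14,02:11:10,529,Administrator,WS-EXT-07
2003-09-14,02:11:12,529,Administrator,WS-EXT-07
2003-09-14,02:11:14,539,Administrator,WS-EXT-07
2003-09-14,08:30:41,528,jsmith,LBL-PC-112
2003-09-14,09:02:17,529,jsmith,LBL-PC-112
2003-09-14,11:45:00,528,Administrator,LBL-PC-040
"""

def decoy_activity(log_text):
    """Return {workstation: Counter(outcome)} for logon events naming the decoy.

    Any entry is worth a look, since nobody should use the decoy; a success (528)
    means its password is known to someone and the account needs attention."""
    activity = {}
    for line in log_text.splitlines():
        fields = line.split(",")
        if len(fields) != 5:
            continue  # skip malformed or blank lines
        _date, _time, event_id, account, workstation = fields
        if account.lower() == DECOY.lower() and event_id in LOGON_EVENTS:
            activity.setdefault(workstation, Counter())[LOGON_EVENTS[event_id]] += 1
    return activity

def report(log_text):
    """One line per workstation, hosts with a successful decoy logon listed first."""
    activity = decoy_activity(log_text)
    ordered = sorted(activity, key=lambda ws: (-activity[ws]["success"], ws))
    return [f"{ws}: " + ", ".join(f"{n} {outcome}" for outcome, n in sorted(activity[ws].items()))
            for ws in ordered]
```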

  • Go to Administrative Tools, then go to either Domain Security Policy or Local Security Policy (depending on the particular version of Windows 2000), then go to Security Settings:

    • Go to Account Policies, then Password Policy to set the following parameter values:

      Enforce password history: 24
      Maximum password age: 90 days
      Minimum password age: 5 days
      Minimum password length: 8
      Passwords must meet complexity requirements: Enabled
      Store passwords using reversible encryption: Yes (but in some cases, No) [fn5]


    • Go to Account Policies, then go to Account Lockout Policy to set the following parameters:

      Account lockout duration: 60 min
      Account lockout threshold: 5
      Reset account lockout after: 60 min

    • Go to Domain Security Policy and then Active Directory Users and Groups, or to Local Security Policy and then Computer Management (again depending on the particular version of Windows 2000 you are running). Find the Users and Groups container and double-click on it. For each user account, set the following Account Options:

      • User must change password at next logon: ensure this is checked whenever a new account is created, to help ensure the privacy of user passwords.
      • User cannot change password: do not check this.
      • Password never expires: do not check this except in the case of the default Administrator account and special accounts that have been installed for the sake of applications.
      • Account is disabled: be sure to confirm that the following accounts are disabled: Guest, accounts of employees who are no longer with your organization, accounts of employees who are on leave, and (unless your system is running an IIS web server) the IUSR_ and IWAM_ accounts. Disable these accounts by checking Account is Disabled for each if they are not already marked with a red "X."

  • Set the following Security Options by going to Administrative Tools. Then go to either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs). Then go to Security Settings, then to Local Policies, and finally to Security Options. Double click on the Security Options container. Double click on the option of your choice to either enable or disable it.

    • Enable "Security restrictions for anonymous."
    • Enable "Clear Virtual Memory Pagefile When System Shuts Down."
    • But do not choose "Shut Down the Computer when the Security Log is Full," "Recovery Console: Allow Automatic Administrative Logon," and "Allow Server Operators to Schedule Tasks."

  • Enable a baseline of logging. Go to Administrative Tools, then either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs), then to Security Settings, then to Local Policies, then to Audit Policy. Double click on the Audit Policy container to view the audit options. To enable any type of auditing, double click on its name and, in the sheet that appears (under Audit these Attempts), click on both Success and Failure. At a minimum, enable "Audit account logon events." If you need higher levels of auditing, you may choose to enable additional types of auditing such as "Audit logon events," "Audit account management," "Audit policy change," and "Audit privilege use."

  • Set logging properties for the Security Log properly. Go to Administrative Tools, then Event Viewer. Click on Security and right click to Properties. Set Maximum Log size to about 8000K and (under When maximum log size is reached) click on "Overwrite as needed."

  • Check your system's logs regularly (daily, if possible) to determine whether your system has been attacked. If your system appears to have been attacked, contact your Division Liaison as soon as possible.

  • Ensure that only the bare minimum of services you need are running. Disable any unnecessary services by going to Administrative Tools, then Services. Highlight the name of each unnecessary service, double click, then under Service Status click on Stop and under Startup Type set this to Manual or Disabled. The following are services that are usually not needed in Windows 2000:

    • Computer Browser
    • FTP
    • IIS Admin Service (this is needed for IIS Web servers)
    • Indexing Service
    • Messenger
    • Print Spooler
    • Remote Access Service
    • SNMP
    • Telnet
    • Windows Installer Service
    • Worldwide Web Publishing Service (this is needed for IIS Web servers)

  • Ensure that rights are given only as they are needed. Check User Rights by going to Administrative Tools, then go to either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs). Next, go to Security Settings, then to Local Policies, and finally to User Rights Assignment. Double click on the User Rights Assignment container. To assign or revoke a right, double click on the right of your choice, then add or remove the right to/from the user or group of your choice. Ensure at a minimum that the Everyone group does not have any of the following rights:

    • Act as part of the operating system
    • Add workstations to domain
    • Back up files and directories
    • Create a pagefile
    • Create a token object
    • Debug programs
    • Enable computer and user accounts to be trusted for delegation
    • Force shutdown from a remote system
    • Increase quotas
    • Increase scheduling priority
    • Load and unload device drivers
    • Lock pages in memory
    • Log on as a batch job
    • Log on as a service
    • Log on locally
    • Manage auditing and security log
    • Modify firmware environment variables
    • Replace a process-level token
    • Restore files and directories
    • Shut down the system
    • Take ownership of files and other objects
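
Rather than clicking through each of the password, lockout and user-rights screens above, the current policy can be dumped with "secedit /export /cfg <file>" and compared with the checklist. The following added example (not part of this checklist or of any LBNL tool) parses such an export and reports every deviation from the values given above; the sample export is constructed, and the rights in DENY_EVERYONE are only a subset of the Everyone list above.

```python
# Audit a 'secedit /export /cfg export.inf' dump against the checklist baseline.
# Added example; the export text at the bottom is constructed, not a real dump.
BASELINE = {  # checklist values, keyed by the names secedit uses in [System Access]
    "PasswordHistorySize": "24", "MaximumPasswordAge": "90", "MinimumPasswordAge": "5",
    "MinimumPasswordLength": "8", "PasswordComplexity": "1",
    "LockoutBadCount": "5", "LockoutDuration": "60", "ResetLockoutCount": "60",
}
EVERYONE = "*S-1-1-0"  # secedit writes the Everyone group as its well-known SID
# Some of the rights the checklist says the Everyone group must never hold.
DENY_EVERYONE = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeDebugPrivilege": "Debug programs",
    "SeBackupPrivilege": "Back up files and directories",
    "SeInteractiveLogonRight": "Log on locally",
}

def parse_inf(text):
    """Turn the INI-style export into {section: {key: value}}."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = (part.strip() for part in line.split("=", 1))
            current[key] = value
    return sections

def audit(text):
    """Return one finding per deviation; an empty list means the export matches."""
    policy, findings = parse_inf(text), []
    for key, want in BASELINE.items():
        got = policy.get("System Access", {}).get(key, "not set")
        if got != want:
            findings.append(f"{key} is {got}, checklist says {want}")
    for priv, label in DENY_EVERYONE.items():
        holders = policy.get("Privilege Rights", {}).get(priv, "").split(",")
        if EVERYONE in [h.strip() for h in holders]:
            findings.append(f"Everyone holds '{label}' ({priv})")
    return findings

# Constructed export resembling out-of-the-box settings: weak password policy, no lockout, Everyone may log on locally.
SAMPLE_EXPORT = """[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 0
LockoutBadCount = 0
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-1-0,*S-1-5-32-544
"""
```

Running audit(SAMPLE_EXPORT) yields nine findings: all eight baseline settings differ (the two lockout timers are reported as not set) and Everyone holds "Log on locally".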

  • Be sure to run Symantec AntiVirus on your system, and to keep its signatures updated every day. To check whether you have Symantec AV, go to Programs. If Symantec AntiVirus is one of the selections, your system is running this program. Go here to download Symantec AV. To update Symantec AV, go from Start to Programs to Symantec AntiVirus Corporate Edition to Symantec AntiVirus Corporate Edition to Live Update. Click on Live Update and follow the instructions. You will now have the latest updates to Symantec AntiVirus, which is the best all-around defense against virus and worm infections.

Conclusion

As mentioned earlier, these guidelines are designed to provide a baseline level of security in Windows 2000. For a more complete checklist visit:

http://nsa1.www.conxion.com/index.html


_____________

Footnotes

1. The only potential limitation is that 16-bit applications are likely to break if they are installed on NTFS partitions. If you have 16-bit applications that need to run in the Windows 2000 environment, create another, small FAT32 partition for these applications. But do not jeopardize other applications by putting them on a FAT32 partition — FAT32 has no access permissions whatsoever.

2. To check which version of Service Pack a Windows 2000 system is running, go from Start to Run, then enter "winver."

3. If your Windows 2000 system is a domain controller, always go to Domain Security Policy. Domain Security Policy settings prevail over any local policy settings.

4. To do this you will need to enable a Security Option setting, "Rename Administrator Account." Security Options are covered later in this checklist.

5. Reversible encryption is the weaker form of encryption (based on the much maligned DES encryption algorithm) in Windows 2000. If no other system needs to connect to shares or to authenticate to your system, you can choose No for this setting, which is something that is much better for security. But if other systems need share or authentication connections, you would do better to choose Yes here to prevent unnecessary disruption of service and functionality.
