LAB 4: Securing Windows 2000

 

Although Windows 2000 is more secure out-of-the-box than Windows NT, you'll have to make quite a few changes to Windows 2000 if you want it to run securely. These recommendations are from http://www.lbl.gov/ICSD/Security/systems/win-2000checklist.html

 

Materials Needed:

 

Activity

1.        Make sure that Windows was installed from a reliable source.

 

2.        Format each partition as an NTFS partition. If any volume is FAT-formatted, convert it by entering:

convert <partition letter>: /fs:ntfs

For example, to convert partition D to NTFS, enter:

convert d: /fs:ntfs

3.      Install the latest Service Pack (SP). On Windows 2000 workstations and servers, Service Pack 3 is the most recent one. You can obtain this SP from http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.asp.

4.      Install the latest hotfixes, many of which fix security-related vulnerabilities. You can obtain them from http://v4.windowsupdate.microsoft.com/en/default.asp

5.      Ensure that your Windows 2000 system is part of a domain. Your alternative is to have your machine belong to a workgroup, which is very dangerous: anyone who finds the name of a workgroup can join a hostile machine to that workgroup, then attack systems within it. Workgroups provide almost no barriers to attackers. To check whether your system is part of a domain or workgroup, right-click My Computer, choose Properties, then click on Network Identification.

6.      Lock down access to the system drive (and, in the case of domain controllers, the drive on which Active Directory resides). In general, do not assign anything more than Read-Execute permissions to Everyone, but always assign Full Control to Creator Owner and Administrators.

·         Assign Everyone Read-Execute access to %systemroot% (which by default is c:\winnt) and %systemroot%\system32

·         Assign Everyone Read-Execute access to the sysvol, sysvol\sysvol, and ntds folders (wherever they may reside in the file system)

·         Remove all access (but do not assign No Access) to %systemroot%\repair for the Everyone group

7.      Avoid sharing partitions if you do not need to do so. For each share, allow Creator Owner and Administrator to have Full Control. Remove Everyone's access (but do not assign No Access), then assign Authenticated Users the Change level of share access. To check or change share permissions, or to delete shares, go from Administrative Tools to the Distributed File System to the DFS root. Open up the tree under DFS root until you reach the share you want, then right-click it and choose Properties.

8.      Go to Administrative Tools, then go to either Computer Management and Local Users and Groups or Domain Security Policy. Then go to Active Directory Users and Groups (depending on the particular version of Windows 2000):

·         Rename the default Administrator account to an innocuous name, change the account description to "User account," and enter a ridiculously long (up to 104 characters) password that is as difficult to guess as possible. Write the password down on a piece of paper that you keep in your personal possession, e.g., in your wallet or purse whenever you are at work. Never share this password with others and do not leave the slip of paper on which this password is written anywhere where others might see it. Use the default Administrator account, which in Windows 2000 does not lock after excessive bad logon attempts, only for emergency access.

·         Create one additional account that is a member of the Administrators group for yourself and another for each person who needs to administer your system. Create an unprivileged account for each Administrator, also. Use the unprivileged account when you are engaged in normal activities such as Web surfing, obtaining FTP access, and downloading mail. Use the superuser account only when you are involved in system administration duties.

·         Create a new, unprivileged account named "Administrator." Ensure that this account is in the Guest group only. Look at your logs frequently to determine whether people are trying to log on to this account, which is a decoy account designed to deflect genuine attacks against your system.

·         Leave the Guest account disabled.

·         Limit the membership in the Enterprise Admins, Schema Admins, and Administrators groups, all of which have almost unlimited power.

9.      Go to Administrative Tools, then go to either Domain Security Policy or Local Security Policy (depending on the particular version of Windows 2000), then go to Security Settings:

·         Go to Account Policies, then Password Policy to set the following parameter values:

Enforce password history — 24
Maximum password age — 90 days
Minimum password age — 5 days
Minimum password length — 8
Passwords must meet complexity requirements — Enabled
Store passwords using reversible encryption — Yes, if there are shares

·         Go to Account Policies, then go to Account Lockout Policy to set the following parameters:

Account lockout duration — 480 min
Account lockout threshold — 5
Reset account lockout after — 480 min

·         Go to Domain Security Policy, then go to Active Directory Users and Groups or Local Security Policy, then go to Computer Management (again depending on the particular version of Windows 2000 you are running). Find the Users and Groups Container and double-click on it. For each user account, set the following Account Options:

·         User must change password at next logon.
— Ensure this is clicked whenever a new account is created to help ensure privacy of user passwords.

·         User cannot change password.
— Do not click on this.

·         Password never expires.
— Do not click on this except in the case of the default Administrator account and special accounts that have been installed for the sake of applications.

·         Account is disabled.
— Be sure to confirm that the following accounts are disabled:
Guest, accounts of employees who are no longer with your organization, accounts of employees who are on leave, and (unless your system is running an IIS web server) the IUSR_ and IWAM_ accounts. Disable these accounts by clicking on Account is Disabled for each if they are not already marked with a red "X."

10.  Set the following Security Options by going to Administrative Tools. Then go to either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs). Then go to Security Settings, then to Local Policies, and finally to Security Options. Double click on the Security Options container. Double click on the option of your choice to either enable or disable it.

·         Enable "Security restrictions for anonymous."

·         Enable "Clear Virtual Memory Pagefile When System Shuts Down."

·         Do not enable "Shut Down the Computer when the Security Log is Full," "Recovery Console: Allow Automatic Administrative Logon," or "Allow Server Operators to Schedule Tasks."

11.  Enable a baseline of logging. Go to Administrative Tools, then either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs), then to Security Settings, then to Local Policies, then to Audit Policy. Double click on the Audit Policy container to view the audit options. To enable any type of auditing, double click on the name and in the sheet that will appear (under Audit these Attempts) click on both Success and Failure. At a minimum enable "Audit account logon events." If you need higher levels of auditing, you may choose to enable additional types of auditing such as "Audit logon events," "Audit account management," "Audit policy change," and "Audit privilege use."

12.  Set logging properties for the Security Log properly. Go to Administrative Tools, then Event Viewer. Click on Security and right click to Properties. Set Maximum Log size to about 8000K and (under When maximum log size is reached) click on "Overwrite as needed."

13.  Check your system's logs regularly (daily, if possible) to determine whether your system has been attacked. If your system appears to have been attacked, contact your Division Liaison as soon as possible.

14.  Ensure that only the bare minimum of services that you need are running. Disable any unnecessary services by going to Administrative Tools, then Services. Double click on the name of each unnecessary service, then under Service Status click on Stop and under Startup Type select Manual. The following are services that are usually not needed in Windows 2000:

— Computer Browser
— FTP
— IIS Admin Service (this is needed for IIS Web servers)
— Indexing Service
— Messenger
— Print Spooler
— Remote Access Service
— SNMP
— Telnet
— Windows Installer Service
— World Wide Web Publishing Service (this is needed for IIS Web servers)

15.  Ensure that rights are given only as they are needed. Check User Rights by going to Administrative Tools, then go to either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs). Next, go to Security Settings, then to Local Policies, and finally to User Rights Assignment. Double click on the User Rights Assignment container. To assign or revoke a right, double click on the right of your choice, then add or remove the right to/from the user or group of your choice. Ensure at a minimum that the Everyone group does not have any of the following rights:

— Act as part of the operating system
— Add workstations to domain
— Backup files and directories
— Create a pagefile
— Create a token object
— Debug programs
— Enable computer and user accounts to be trusted for delegation
— Force shutdown from a remote system
— Increase quotas
— Increase scheduling priority
— Load and unload device drivers
— Lock pages in memory
— Log on as a batch job
— Log on as a service
— Log on locally
— Manage auditing and security log
— Modify firmware environment variables
— Replace a process-level token
— Restore files and directories
— Shut down the system
— Take ownership of files and other objects
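
The values from steps 9, 11 and 15 can be checked against a security template exported from the machine (for example with secedit /export) instead of clicking through each dialog. The Python script below is an added example, not part of the original lab: it assumes the export has been decoded to text and uses the standard security-template setting names; the sample template and the audit function are constructed for illustration. The reversible-encryption setting is left out because the lab makes it conditional.

```python
import configparser

# Steps 9 and 11: security-template key -> value the lab asks for.
WANTED = {"System Access": {
    "PasswordHistorySize": "24", "MaximumPasswordAge": "90", "MinimumPasswordAge": "5",
    "MinimumPasswordLength": "8", "PasswordComplexity": "1", "LockoutBadCount": "5",
    "ResetLockoutCount": "480", "LockoutDuration": "480"},
    "Event Audit": {"AuditAccountLogon": "3"}}  # 3 = Success and Failure
# Step 15: template names of the rights the Everyone group must not hold.
DENIED_TO_EVERYONE = set("""
SeTcbPrivilege SeMachineAccountPrivilege SeBackupPrivilege SeCreatePagefilePrivilege
SeCreateTokenPrivilege SeDebugPrivilege SeEnableDelegationPrivilege SeRemoteShutdownPrivilege
SeIncreaseQuotaPrivilege SeIncreaseBasePriorityPrivilege SeLoadDriverPrivilege
SeLockMemoryPrivilege SeBatchLogonRight SeServiceLogonRight SeInteractiveLogonRight
SeSecurityPrivilege SeSystemEnvironmentPrivilege SeAssignPrimaryTokenPrivilege
SeRestorePrivilege SeShutdownPrivilege SeTakeOwnershipPrivilege""".split())
EVERYONE = {"*S-1-1-0", "Everyone"}  # well-known SID or plain group name

# Constructed sample in the layout of an exported template; not from a real host.
SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
[Event Audit]
AuditAccountLogon = 3
[Privilege Rights]
SeInteractiveLogonRight = *S-1-1-0,*S-1-5-32-544
SeDebugPrivilege = *S-1-5-32-544
"""

def audit(template_text):  # returns a list of deviations from the lab baseline
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.optionxform = str  # keep the case of setting names
    cfg.read_string(template_text)
    findings = []
    for section, wanted in WANTED.items():
        have = cfg[section] if cfg.has_section(section) else {}
        for key, value in wanted.items():
            if have.get(key, "not set") != value:
                findings.append(f"{key}: {have.get(key, 'not set')} (lab value {value})")
    rights = cfg["Privilege Rights"] if cfg.has_section("Privilege Rights") else {}
    for right, holders in rights.items():
        if right in DENIED_TO_EVERYONE and EVERYONE & {h.strip() for h in holders.split(",")}:
            findings.append(f"{right}: granted to Everyone")
    return findings
```

Exported templates are usually written as Unicode (UTF-16), so decode the file with that encoding before passing its text to audit().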

Conclusion

These guidelines are designed to provide a baseline level of security in Windows 2000. For a more complete checklist visit:

http://nsa1.www.conxion.com/index.html