LAB 4: Securing Windows 2000
Although Windows 2000 is more secure out-of-the-box than Windows NT, you'll have to make quite a few changes to Windows 2000 if you want it to run securely. These recommendations are from http://www.lbl.gov/ICSD/Security/systems/win-2000checklist.html
Materials Needed:
Activity
1. Make sure that Windows was installed from a reliable source
2. Format each partition as an NTFS partition. If any volume is FAT-formatted, enter:
convert <partition letter>: /fs:ntfs
For example, to convert partition D to NTFS, enter:
convert d: /fs:ntfs
3. Install the latest Service Pack (SP). On Windows 2000 workstations and servers, Service Pack 3 is the most recent one. You can obtain this SP from http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.asp.
4. Install the latest hotfixes, many of which fix security-related vulnerabilities. They are available from http://v4.windowsupdate.microsoft.com/en/default.asp
5. Ensure that your Windows 2000 system is part of a domain. The alternative is to have your machine belong to a workgroup, which is very dangerous: anyone who finds the name of a workgroup can join a hostile machine to it and then attack the systems within that workgroup. Workgroups provide almost no barriers to attackers. To check whether your system is part of a domain or a workgroup, right-click My Computer, choose Properties, then click Network Identification.
6. Lock down access to the system drive (and, in the case of domain controllers, the drive on which Active Directory resides). In general, do not assign anything more than Read-Execute permissions to Everyone, but always assign Full Control to Creator Owner and Administrators.
· Assign Everyone Read-Execute access to c:\%systemroot% (which by default is c:\winnt) and c:\%systemroot%\system32.
· Assign Everyone Read-Execute access to the sysvol, sysvol\sysvol, and ntds folders (wherever they reside in the file system).
· Remove all access (but do not assign No Access) to c:\%systemroot%\repair for the Everyone group.
7. Avoid sharing partitions if you do not need to. For each share, allow Creator Owner and Administrators to have Full Control. Remove Everyone's access (but do not assign No Access), then assign Authenticated Users the Change level of share access. To check or change share permissions, or to delete shares, go from Administrative Tools to the Distributed File System, then to the DFS root. Expand the tree under the DFS root until you reach the share you want, then right-click it and choose Properties.
8. Go to Administrative Tools, then (depending on the particular version of Windows 2000) either to Computer Management and Local Users and Groups, or to Domain Security Policy and Active Directory Users and Groups:
· Rename the default Administrator account to an innocuous name, change the account description to "User account," and set a ridiculously long (up to 104 characters) password that is as difficult to guess as possible. Write the password down on a piece of paper that you keep in your personal possession, e.g., in your wallet or purse, whenever you are at work. Never share this password with others and do not leave the slip of paper on which it is written anywhere others might see it. Use the default Administrator account, which in Windows 2000 does not lock after excessive bad logon attempts, only for emergency access.
· Create one additional account that is a member of the Administrators group for yourself, and another for each person who needs to administer your system. Also create an unprivileged account for each administrator. Use the unprivileged account for normal activities such as Web surfing, FTP access, and downloading mail; use the superuser account only for system administration duties.
· Create a new, unprivileged account named "Administrator." Ensure that this account is in the Guest group only. Look at your logs frequently to determine whether people are trying to log on to this account; it is a decoy designed to deflect genuine attacks against your system.
· Leave the Guest account disabled.
· Limit the membership of the Enterprise Admins, Schema Admins, and Administrators groups, all of which have almost unlimited power.
9. Go to Administrative Tools, then to either Domain Security Policy or Local Security Policy (depending on the particular version of Windows 2000), then to Security Settings:
· Go to Account Policies, then Password Policy, and set the following parameter values:
Enforce password history                    | 24
Maximum password age                        | 90 days
Minimum password age                        | 5 days
Minimum password length                     | 8
Passwords must meet complexity requirements | Enabled
Store passwords using reversible encryption | Yes, if there are shares
· Go to Account Policies, then Account Lockout Policy, and set the following parameters:
Account lockout duration — 480 min
Account lockout threshold — 5
Reset account lockout after — 480 min
· Go to Domain Security Policy, then Active Directory Users and Groups, or to Local Security Policy, then Computer Management (again depending on the particular version of Windows 2000 you are running). Find the Users and Groups container and double-click it. For each user account, set the following Account Options:
· User must change password at next logon. — Ensure this is checked whenever a new account is created, to help ensure the privacy of user passwords.
· User cannot change password. — Do not check this.
· Password never expires. — Do not check this except for the default Administrator account and special accounts that have been installed for the sake of applications.
· Account is disabled. — Confirm that the following accounts are disabled: Guest, accounts of employees who are no longer with your organization, accounts of employees who are on leave, and (unless your system is running an IIS web server) the IUSR_ and IWAM_ accounts. Disable these accounts by checking Account is Disabled for each one that is not already marked with a red "X."
10. Set the following Security Options. Go to Administrative Tools, then to either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs), then to Security Settings, then to Local Policies, and finally to Security Options. Double-click the Security Options container, then double-click the option of your choice to enable or disable it.
· Enable "Security restrictions for anonymous."
· Enable "Clear Virtual Memory Pagefile When System Shuts Down."
· But do not choose "Shut Down the Computer when the Security Log is Full," "Recovery Console: Allow Automatic Administrative Logon," or "Allow Server Operators to Schedule Tasks."
11. Enable a baseline of logging. Go to Administrative Tools, then to either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs), then to Security Settings, then to Local Policies, then to Audit Policy. Double-click the Audit Policy container to view the audit options. To enable any type of auditing, double-click its name and, in the sheet that appears (under Audit these Attempts), check both Success and Failure. At a minimum, enable "Audit account logon events." If you need higher levels of auditing, you may choose to enable additional types such as "Audit logon events," "Audit account management," "Audit policy change," and "Audit privilege use."
12. Set the logging properties for the Security Log properly. Go to Administrative Tools, then Event Viewer. Right-click Security and choose Properties. Set Maximum Log size to about 8000K and (under When maximum log size is reached) select "Overwrite as needed."
13. Check your system's logs regularly (daily, if possible) to determine whether your system has been attacked. If your system appears to have been attacked, contact your Division Liaison as soon as possible.
14. Ensure that only the bare minimum of services you need are running. Disable any unnecessary service by going to Administrative Tools, then Services. Highlight the name of each unnecessary service, double-click it, then under Service Status click Stop and under Startup Type select Manual. The following services are usually not needed in Windows 2000:
— Computer Browser
— FTP
— IIS Admin Service (this is needed for IIS Web servers)
— Indexing Service
— Messenger
— Print Spooler
— Remote Access Service
— SNMP
— Telnet
— Windows Installer Service
— Worldwide Web Publishing Service (this is needed for IIS Web servers)
15. Ensure that rights are given only as they are needed. Check User Rights by going to Administrative Tools, then to either Domain Security Policy or Local Security Policy (depending on the version of Windows 2000 your system runs). Next, go to Security Settings, then to Local Policies, and finally to User Rights Assignment. Double-click the User Rights Assignment container. To assign or revoke a right, double-click the right of your choice, then add or remove the user or group of your choice. Ensure at a minimum that the Everyone group does not have any of the following rights:
— Act as part of the operating system
— Add workstations to domain
— Back up files and directories
— Create a pagefile
— Create a token object
— Debug programs
— Enable computer and user accounts to be trusted for delegation
— Force shutdown from a remote system
— Increase quotas
— Increase scheduling priority
— Load and unload device drivers
— Lock pages in memory
— Log on as a batch job
— Log on as a service
— Log on locally
— Manage auditing and security log
— Modify firmware environment variables
— Replace a process-level token
— Restore files and directories
— Shut down the system
— Take ownership of files and other objects
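A checker, added here and not part of the lab or of the LBL checklist, that compares a Windows 2000 security-policy export against the values from steps 9, 11 and 15. It assumes the INI-like file produced by secedit /export /cfg, with the key names secedit writes under [System Access], [Event Audit] and [Privilege Rights]; the sample export below is constructed, not taken from a real system (a real export is typically Unicode, so read it with encoding="utf-16").

```python
import configparser
# Step 9 values, keyed as secedit writes them under [System Access].
EXPECTED_SYSTEM_ACCESS = {
    "PasswordHistorySize": 24, "MaximumPasswordAge": 90, "MinimumPasswordAge": 5,
    "MinimumPasswordLength": 8, "PasswordComplexity": 1, "LockoutBadCount": 5,
    "LockoutDuration": 480, "ResetLockoutCount": 480,
}
EXPECTED_EVENT_AUDIT = {"AuditAccountLogon": 3}  # step 11: 3 = Success and Failure
# Step 15: some of the rights Everyone (well-known SID S-1-1-0) must not hold.
FORBIDDEN_FOR_EVERYONE = {
    "SeTcbPrivilege": "Act as part of the operating system",
    "SeDebugPrivilege": "Debug programs",
    "SeInteractiveLogonRight": "Log on locally",
}

def find_deviations(inf_text):
    """Return one finding per checklist item the export violates (empty = OK)."""
    cp = configparser.ConfigParser(interpolation=None)  # export is INI-like
    cp.optionxform = str                                # keep key case as written
    cp.read_string(inf_text)
    findings = []
    for section, expected in (("System Access", EXPECTED_SYSTEM_ACCESS),
                              ("Event Audit", EXPECTED_EVENT_AUDIT)):
        for key, want in expected.items():
            got = cp.getint(section, key, fallback=None)  # None if not set at all
            if got != want:
                findings.append(f"[{section}] {key} is {got}, checklist wants {want}")
    for key, name in FORBIDDEN_FOR_EVERYONE.items():
        holders = cp.get("Privilege Rights", key, fallback="")  # comma-separated SIDs
        if "*S-1-1-0" in [h.strip() for h in holders.split(",")]:
            findings.append(f"Everyone holds '{name}' ({key})")
    return findings

# Constructed sample export (not from a real system) with three deliberate gaps.
SAMPLE_EXPORT = """\
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 5
ResetLockoutCount = 480
LockoutDuration = 480
[Event Audit]
AuditAccountLogon = 2
[Privilege Rights]
SeDebugPrivilege = *S-1-5-32-544
SeInteractiveLogonRight = *S-1-5-32-544,*S-1-1-0
"""
```

Running find_deviations(SAMPLE_EXPORT) reports the minimum password age of 0, the failure-only account logon auditing, and Everyone holding "Log on locally".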
These guidelines are designed to provide a baseline level of security in Windows 2000. For a more complete checklist visit: