SECURING WINDOWS 2000
Original author: Marc DeBonis, Modified and updated by Don Murdoch
Note: This page originally comes from Virginia Tech's Security Website - content is slightly modified for ODU. Thanks Marc!
Windows 2000 is an operating system from Microsoft Corporation. Its core system architecture is derived from its predecessor, Windows NT. The user interface is derived from the Windows 9x line of operating systems. While Windows 2000 Professional (W2K) may seem similar to Windows 9x, its code base is completely different. W2K is built upon an architecture where security is a key component of the system, not an afterthought. It is a very powerful operating system, scalable, stable and secure when set up correctly. Unfortunately, Microsoft had to make a lot of difficult design choices when they developed the system. For better or worse, they decided that on the sliding scale of operating systems (security vs. usability), the usability functions outweighed the security requirements. This document is provided to help you tighten the security of your system, while maintaining system usability.
Why should you care about computer security?
Computer security should be the concern of every person who owns or operates a computer. If youre not big on ethics, or arent convinced, you may wish to review this link: Old Dominion University Acceptable Usage Statement
Dont forget the social implications of your system becoming compromised. How long will your friends continue to read messages you send when your system spews out infected email, day after day? Or, when the assignment you turn into the professor infects his/her system with a nasty virus? Worked hard on that paper or your mp3 collection? Too bad that trojan you just ran from somebody you dont even know is deleting every single file on your machine. Avoid all of that terrible stuff by following this guide.
- You have a valid, legally licensed copy of W2K
- W2K is the only operating system installed on your computer
- You have administrator rights to the system
- The computer has a clean, freshly installed system
- You understand the basics of the Windows operating system (opening windows, right-clicking, etc.)
- The computer is a standalone system not connected to a domain (a specially configured group of other NT systems)
- The computer has Internet access and networking is set up correctly
Make the file system more secure
The first thing you need to do is make sure that your hard drive partitions are formatted with NTFS (NT File System). This file system is securer than the FAT or FAT32 partition schemes.
To check your hard drive partitions:
- Log in as Administrator.
- Right click on My Computer and choose explore
- Right click each drive letter (except for removable drives, like A and the cdrom) and choose properties.
- Under the general tab, note the File system type. If it is FAT, record that drive letter.
- Click cancel to close the properties window.
- Follow steps 1 5 for each drive letter, noting which ones are labeled FAT.
Now convert any FAT partitions on your system:
- Go to Start->Run
- Type cmd and click OK. You should now be at a command prompt.
- Type convert driveletter /FS:NTFS /V (without the quotes), where driveletter is each drive letter you noted above.
- Hit return to run the command
- Follow steps 1 4 for each FAT partition. You may have to reboot the system to finish these operations.
Tighten local security policies
Windows 2000 allows you easy access to the basic security functionality of your system. The following suggested changes will make your system much more secure.
1. Log in as Administrator
2. Go to Start->Programs->Administrative Tools->Local Security Policy
2.1. If you do not see the Administrative Tools folder, you will need to enable it
2.2. Go to Start->Settings->Taskbar & Start Menu
2.3. In the Taskbar and Start Menu Properties window, click the Advanced tab
2.4. Under the Start Menu Settings, check the box to the left of Display Administrative Tools
2.5. Restart at step 2
3. Expand Account Policies by clicking the + box
4. Select Password Policy
5. Double-click each policy setting to bring up a new window to make the following changes:
5.1.1. Enforce password history - 5 passwords remembered
5.1.2. Maximum password age - 0 days
5.1.3. Minimum password age - 1 days
5.1.4. Minimum password length - 8 characters
5.1.5. Passwords must meet complexity requirements - Enabled
5.1.6. Store password using reversible encryption for all users in the domain - Disabled
6. Select Account Lockout Policy
6.1.1. Account lockout duration - 30 minutes
6.1.2. Account lockout threshold - 5 invalid logon attempts
6.1.3. Reset account lockout counter after - 30 minutes
7. Expand Local Policies by clicking the + box
8. Select Audit Policy
8.1.1. Audit account logon events- Success, Failure
8.1.2. Audit account management- Success, Failure
8.1.3. Audit directory service access- Failure
8.1.4. Audit logon events Success, Failure
8.1.5. Audit object access Failure
8.1.6. Audit policy change Success, Failure
8.1.7. Audit privilege use - No auditing
8.1.8. Audit process tracking - No auditing
8.1.9. Audit system events Success, Failure
9. Select User Rights Assignment. If no change is noted, do not alter policy setting.
9.1.1. Access this computer from the network - Remove Everyone, Remove Power Users
9.1.2. Act as part of the operating system
9.1.3. Add workstations to domain
9.1.4. Back up files and directories - Backup Operators, Administrators
9.1.5. Bypass traverse checking - Remove Everyone, Remove Power Users
9.1.6. Change the system time - Remove Power Users
9.1.7. Create a pagefile - Administrators
9.1.8. Create a token object
9.1.9. Create permanent shared objects
9.1.10. Debug programs - Administrators
9.1.11. Deny access to this computer from the network
9.1.12. Deny logon as a batch job
9.1.13. Deny logon as a service
9.1.14. Deny logon locally
9.1.15. Enable computer and user accounts to be trusted for delegation
9.1.16. Force shutdown from a remote system - Administrators
9.1.17. Generate security audits
9.1.18. Increase quotas - Administrators
9.1.19. Increase scheduling priority - Administrators
9.1.20. Load and unload device drivers - Administrators
9.1.21. Lock pages in memory
9.1.22. Log on as a batch job
9.1.23. Log on as a service
9.1.24. Log on locally Remove Guest, Remove Power Users
9.1.25. Manage auditing and security log - Administrators
9.1.26. Modify firmware environment values - Administrators
9.1.27. Profile single process - Remove Power Users
9.1.28. Profile system performance - Administrators
9.1.29. Remove computer from docking station - Remove Power Users
9.1.30. Replace a process level token
9.1.31. Restore files and directories - Backup Operators, Administrators
9.1.32. Shut down the system - Remove Power Users
9.1.33. Synchronize directory service data
9.1.34. Take ownership of files or other objects Administrators
10. Select Security Options
10.1.1. Additional restrictions for anonymous connections No access with explicit anonymous permissions
10.1.2. Allow server operators to schedule tasks (domain controllers only) - Not defined
10.1.3. Allow system to be shut down without having to log on - Enabled
10.1.4. Allowed to eject removable NTFS media - Administrators
10.1.5. Amount of idle time required before disconnecting session - 15 minutes
10.1.6. Audit the access of global system objects - Disabled
10.1.7. Audit use of Backup and Restore privilege - Disabled
10.1.8. Automatically log off users when logon time expires (local) - Enabled
10.1.9. Clear virtual memory pagefile when system shuts down - Disabled
10.1.10. Digitally sign client communication (always) - Disabled
10.1.11. Digitally sign client communication (when possible) - Enabled
10.1.12. Digitally sign server communication (always) - Disabled
10.1.13. Digitally sign server communication (when possible) - Enabled
10.1.14. Disable CTRL+ALT+DEL requirement for logon - Disabled
10.1.15. Do not display last user name in logon screen - Enabled
10.1.16. LAN Manager Authentication Level - Send NTLM response only
10.1.17. Message text for users attempting to log on
10.1.18. Message title for users attempting to log on
10.1.19. Number of previous logons to cache (in case domain controller is not available) - 0 logons
10.1.20. Prevent system maintenance of computer account password - Disabled
10.1.21. Prevent users from installing printer drivers - Disabled
10.1.22. Prompt user to change password before expiration - 0 days
10.1.23. Recovery Console: Allow automatic administrative logon - Disabled
10.1.24. Recovery Console: Allow floppy copy and access to all drives and all folders - Disabled
10.1.25. Rename administrator account (Should be something unique)
10.1.26. Rename guest account (Should be something unique)
10.1.27. Restrict CD-ROM access to locally logged-on user only - Enabled
10.1.28. Restrict floppy access to locally logged-on user only - Enabled
10.1.29. Secure channel: Digitally encrypt or sign secure channel data (always) - Disabled
10.1.30. Secure channel: Digitally encrypt secure channel data (when possible) - Enabled
10.1.31. Secure channel: Digitally sign secure channel data (when possible) - Enabled
10.1.32. Secure channel: Require strong (Windows 2000 or later) session key - Enabled
10.1.33. Send unencrypted password to connect to third-party SMB servers - Disabled
10.1.34. Shut down system immediately if unable to log security audits - Disabled
10.1.35. Smart card removal behavior - No Action
10.1.36. Strengthen default permissions of global system objects (e.g. Symbolic Links) - Enabled
10.1.37. Unsigned driver installation behavior - Warn but allow installation
10.1.38. Unsigned non-driver installation behavior Silently succeed
11. Close the Local Policy Settings window when done.
Segment the user account from the administrative Account - this is a must!
One of the main challenges with managing an operating system is deciding how much authority to grant your normal user account. The more authority your normal user account has, the more you can do with the system, including running malicious applications. Take for example a trojan program you accidentally run. If your user account can delete system files, so can the trojan. If you can delete printers and send nasty email to the police, so can the trojan. Accordingly, we want to segment the powerful rights we use infrequently from the common rights we use often.
1. Log in as Administrator.
2. Go to Start->Programs->Administrative Tools->Computer Management
3. Open Local Users and Groups
4. Click on the User folder
5. Right-click the Administrator account, and choose to rename it. Make it a non-obvious name.
6. Right-click this renamed Administrator account and select Set Password, make the password hard to guess (use numbers, letters, and punctuation). NEVER use a password that can be found in the dictionary! DO NOT LOSE THE ADMINISTRATOR ACCOUNT NAME AND PASSWORD!
7. Right-click the Guest account, and choose to rename it. Make it a non-obvious name.
8. Right-click this renamed Guest account, then select Set Password. Make the password difficult to guess (use numbers, letters, and punctuation). NEVER use a password that can be found in the dictionary!
9. Right-click in the window with the accounts. Select the New User option.
10. Create a new user for yourself and for each person who will use the machine locally.
11. For each new account, right click and select Properties. Uncheck User must change password at next logon.
12. For each new account, right click and select Set Password. Make these passwords hard to guess as well.
13. Use the accounts your created in steps 10 - 12 for normal, day-to-day tasks. DO NOT use the renamed Administrator account as your normal user account. Logon with the renamed Administrator account to install programs, printers, create file shares, etc.
14. Remove the descriptions for the renamed Administrator and Guest accounts to make them more difficult to discover.
A Note About the Guest Account
The Guest account is disabled in W2K by default, which is a very good thing. Enabling the guest account makes anonymous users guests. If you share a folder, the default permissions are Everyone having full control. If guest is enabled, guess what, Guest (i.e., anonymous) is included in Everyone! Youll soon have all kinds of fun as people find your open share and stick all kinds of terrible things on your system. Always remove the share permissions from Everyone and add them to Authenticated Users. This is a much safer policy.
Remove Unnecessary Windows Components
The more applications that are installed on your system, the greater the chance of one of them containing a bug or security flaw. Remove all unnecessary components.
- Log in as Administrator.
- Go to Start->Settings->Control Panel->Add/Remove Programs
- Select Add/Remove Windows Components.
- Remove (uncheck) the following:
Internet Information Service (IIS)
Management and Monitoring Tools
Message Queuing Services
Other Network File and Print Services
Update Windows components
The default install of W2K is already out of date. Microsoft and others have found problems with the W2K software. Microsoft provides three ways to update the base system.
- Hotfixes, which fix a specific problem
- Service Packs, which are collections of hotfixes
- indows Update, a web based service
You should take advantage of all three methods to keep the system up to date. Be aware that all three methods are time sensitive, especially hotfixes. Hotfixes come out constantly (4-6 per month). You must be proactive when checking for software updates! Dont just follow the instructions below and move on. Check your system for software updates at least once per week..
The following information comes from the Microsoft support base article titles "How to configure and use Automatic Updates in Windows 2000".
Install the Automatic Updates Feature
If you are running Windows 2000 Service Pack 3 (SP3), you do not have to install Automatic Updates. Windows automatic updating is included in Windows 2000 SP3.
You can also install Automatic Updates on Windows 2000 Professional-based, Windows 2000 Server-based, or Windows 2000 Advanced Server-based computers that are running Service Pack 2 (SP2). To install the Automatic Updates feature on Windows 2000 SP2 if you are an administrator, install any of the following updates:
- The Windows Automatic Updating, June 2002 update.
To obtain this update, visit the following Microsoft Windows Update Web site:
- The Automatic Updates June 2002 update.
To obtain this update, visit the following Microsoft Web site:
Turn On Automatic Updates
To turn on automatic updates for your computer:
- In Control Panel, double-click Automatic Updates.
- Click one of the following options:
- Notify me before downloading any updates and notify me again before installing them on my computer
- Download the updates automatically and notify me when they are ready to be installed
- Automatically download the updates, and install them on the schedule that I specify
Configure Windows to Remind You About Pending Updates
When Windows notifies you that updates are available, click Remind Me Later in the Automatic Updates dialog box before you download or install the update. In the Reminder dialog box, you can specify the time Windows waits before reminding you. If the reminder is for downloading, Windows reminds you only when you are connected to the Internet. If the reminder is for installing, Windows reminds you according to the schedule that you specify.
Prevent malware and spyware
Viruses, worms, trojans, and backdoor programs are invented by brilliant people who have nothing better to do with their time. Every year these mal (bad) ware (software) programs destroy billions of files and cost people millions of dollars. They may do anything from moving a decimal point in an Excel spreadsheet, to repeatedly dialing 911 from your modem and clogging needed emergency services. Prevention, education, and communication are the cures.
Install a personal firewall
Unlike Windows XP, Windows 2000 does not come with a personal firewall capability. There are many good personal firewall products available with a "free for personal use" license. For corporate use on a University owned desktop, these products must be licensed. Here are links to personal firewall vendors. It's suggested that you start with Zone Alarm.
Zone Alarm from Zone Labs (download)
Sygate personal firewall (download)
You can download antivirus software by visiting the OCCS Software download page. From there, login with your Lotus Notes user ID and password and look for McAfee Virus Scan. Download and install. Once that's done, right click on the McAfee shield in the system tray and configure automatic updates.
The main source of malware is via applications delivered through email or chat clients. NEVER blindly run a program that is sent to you or that you have downloaded from a site without scanning it for viruses FIRST! Dont assume that because you know the sender that an attachment isnt bad. Plenty of malware today will search a persons email address book and sent itself to everyone on the list. Dont accidentally infect your friends, parents and relatives! Also, dont assume just because the program doesnt have an .exe extension that it cant run. Plenty of other extensions can launch and do very bad things. If in doubt, scan it out!
Another class of nasty programs are those called spyware. These programs are usually attached to a free program in order to make the developer some money. They do various things, like watch what web sites you go to, overlay different links on web pages, and other sneaky undocumented behavior. The turn up in the most unlikely of places, like the Dilbert comet-cursor program that changes what your cursor looks like.
Remove spyware with the free tool Spybot Search and Destroy. Note that Spybot S&D is free for personal use; please consider a donation:
- Log in as Administrator
- Go to this link: http://www.safer-networking.org/en/download/index.html
- Download and install the latest version of Spybot S&D from a a mirror site.
- Once installed, run Spybot S&D and let it scan your entire system. Do this at least once a week.
Be aware that if the program you originally downloaded relied on some of these spyware components, using Spybot S&D may disable or cause the programs to malfunction.
If you leave your computer unattended, you should ensure that no one has the ability to use it while logged in with your user account. Note that for any University owned desktop, this procedure is required under CoVA ITRM Sec 501-01.
- Log in as your normal user account
- Right-click on the desktop
- Select properties
- Select the screen saver tab
- Select a screen saver to use
- Check the password protected box
You should get into the habit of locking your system when you step away from more than a few minutes. When you need to lock your system, hit CTRL+ALT+DEL key combination. At the menu, click Lock Computer.