Securing
Microsoft Windows 2000 Professional
By
Marc DeBonis
Version 1.5 - 030213
Windows 2000 is an operating system from Microsoft Corporation. Its core system architecture is derived from its predecessor, Windows NT. The user interface is derived from the Windows 9x line of operating systems. While Windows 2000 Professional (W2K) may seem similar to Windows 9x, its code base is completely different. W2K is built upon an architecture where security is a key component of the system, not an afterthought. It is a very powerful operating system, scalable, stable and secure when set up correctly. Unfortunately, Microsoft had to make a lot of difficult design choices when they developed the system. For better or worse, they decided that on the “sliding scale” of operating systems (security vs. usability), the usability functions outweighed the security requirements. This document is provided to help you tighten the security of your system, while maintaining system usability.
Computer security should be the concern of every person who owns or operates a computer. If you’re not big on ethics, or aren’t convinced, you may wish to review this link:
In particular, line two of the document states in part:
“…You are responsible for all activities on your userid or that originate from your system…”
This clause negates the argument “There is nothing on my computer anybody would want.” If not for the data on your system, they can and will use your system to break into other people’s systems. When the trail winds its way back, somebody will come knocking on your door. Don’t be surprised that the FBI doesn’t shed a tear when you tell them that the only copy of your term paper is on your computer and they tag-and-bag every piece of electronic equipment in your dorm room. Strong stuff, but it happens every day.
Don’t forget the social implications of your system becoming compromised. How long will your friends continue to read messages you send when your system spews out infected email, day after day? Or, when the assignment you turn in to the professor infects his/her system with a nasty virus? Worked hard on that paper or your mp3 collection? Too bad that trojan you just ran from somebody you don’t even know is deleting every single file on your machine. Avoid all of that terrible stuff by following this guide.
The first thing you need to do is make sure that your hard drive partitions are formatted with NTFS (NT File System). This file system is more secure than the FAT or FAT32 partition schemes.
To check your hard drive partitions:
Now convert any FAT partitions on your system:
Windows 2000 allows you easy access to the basic security functionality of your system. The following suggested changes will make your system much more secure.
1. Log in as Administrator
2. Go to Start->Programs->Administrative Tools->Local Security Policy
2.1. If you do not see the Administrative Tools folder, you will need to enable it
2.2. Go to Start->Settings->Taskbar & Start Menu
2.3. In the Taskbar and Start Menu Properties window, click the Advanced tab
2.4. Under the Start Menu Settings, check the box to the left of Display Administrative Tools
2.5. Restart at step 2
3. Expand Account Policies by clicking the + box
4. Select “Password Policy”
5. Double-click each policy setting to bring up a new window to make the following changes:
5.1.1. Enforce password history - 5 passwords remembered
5.1.2. Maximum password age - 0 days
5.1.3. Minimum password age - 1 days
5.1.4. Minimum password length - 8 characters
5.1.5. Passwords must meet complexity requirements - Enabled
5.1.6. Store password using reversible encryption for all users in the domain - Disabled
6. Select “Account Lockout Policy”
6.1.1. Account lockout duration - 30 minutes
6.1.2. Account lockout threshold - 5 invalid logon attempts
6.1.3. Reset account lockout counter after - 30 minutes
7. Expand Local Policies by clicking the + box
8. Select “Audit Policy”
8.1.1. Audit account logon events- Success, Failure
8.1.2. Audit account management- Success, Failure
8.1.3. Audit directory service access- Failure
8.1.4. Audit logon events – Success, Failure
8.1.5. Audit object access – Failure
8.1.6. Audit policy change – Success, Failure
8.1.7. Audit privilege use - No auditing
8.1.8. Audit process tracking - No auditing
8.1.9. Audit system events – Success, Failure
9. Select “User Rights Assignment.” If no change is noted, do not alter policy setting.
9.1.1. Access this computer from the network - Remove Everyone, Remove Power Users
9.1.2. Act as part of the operating system
9.1.3. Add workstations to domain
9.1.4. Back up files and directories - Backup Operators, Administrators
9.1.5. Bypass traverse checking - Remove Everyone, Remove Power Users
9.1.6. Change the system time - Remove Power Users
9.1.7. Create a pagefile - Administrators
9.1.8. Create a token object
9.1.9. Create permanent shared objects
9.1.10. Debug programs - Administrators
9.1.11. Deny access to this computer from the network
9.1.12. Deny logon as a batch job
9.1.13. Deny logon as a service
9.1.14. Deny logon locally
9.1.15. Enable computer and user accounts to be trusted for delegation
9.1.16. Force shutdown from a remote system - Administrators
9.1.17. Generate security audits
9.1.18. Increase quotas - Administrators
9.1.19. Increase scheduling priority - Administrators
9.1.20. Load and unload device drivers - Administrators
9.1.21. Lock pages in memory
9.1.22. Log on as a batch job
9.1.23. Log on as a service
9.1.24. Log on locally – Remove Guest, Remove Power Users
9.1.25. Manage auditing and security log - Administrators
9.1.26. Modify firmware environment values - Administrators
9.1.27. Profile single process - Remove Power Users
9.1.28. Profile system performance - Administrators
9.1.29. Remove computer from docking station - Remove Power Users
9.1.30. Replace a process level token
9.1.31. Restore files and directories - Backup Operators, Administrators
9.1.32. Shut down the system - Remove Power Users
9.1.33. Synchronize directory service data
9.1.34. Take ownership of files or other objects – Administrators
10. Select “Security Options”
10.1.1. Additional restrictions for anonymous connections – No access without explicit anonymous permissions
10.1.2. Allow server operators to schedule tasks (domain controllers only) - Not defined
10.1.3. Allow system to be shut down without having to log on - Enabled
10.1.4. Allowed to eject removable NTFS media - Administrators
10.1.5. Amount of idle time required before disconnecting session - 15 minutes
10.1.6. Audit the access of global system objects - Disabled
10.1.7. Audit use of Backup and Restore privilege - Disabled
10.1.8. Automatically log off users when logon time expires (local) - Enabled
10.1.9. Clear virtual memory pagefile when system shuts down - Disabled
10.1.10. Digitally sign client communication (always) - Disabled
10.1.11. Digitally sign client communication (when possible) - Enabled
10.1.12. Digitally sign server communication (always) - Disabled
10.1.13. Digitally sign server communication (when possible) - Enabled
10.1.14. Disable CTRL+ALT+DEL requirement for logon - Disabled
10.1.15. Do not display last user name in logon screen - Enabled
10.1.16. LAN Manager Authentication Level - Send NTLM response only
10.1.17. Message text for users attempting to log on
10.1.18. Message title for users attempting to log on
10.1.19. Number of previous logons to cache (in case domain controller is not available) - 0 logons
10.1.20. Prevent system maintenance of computer account password - Disabled
10.1.21. Prevent users from installing printer drivers - Disabled
10.1.22. Prompt user to change password before expiration - 0 days
10.1.23. Recovery Console: Allow automatic administrative logon - Disabled
10.1.24. Recovery Console: Allow floppy copy and access to all drives and all folders - Disabled
10.1.25. Rename administrator account – (Should be something unique)
10.1.26. Rename guest account – (Should be something unique)
10.1.27. Restrict CD-ROM access to locally logged-on user only - Enabled
10.1.28. Restrict floppy access to locally logged-on user only - Enabled
10.1.29. Secure channel: Digitally encrypt or sign secure channel data (always) - Disabled
10.1.30. Secure channel: Digitally encrypt secure channel data (when possible) - Enabled
10.1.31. Secure channel: Digitally sign secure channel data (when possible) - Enabled
10.1.32. Secure channel: Require strong (Windows 2000 or later) session key - Enabled
10.1.33. Send unencrypted password to connect to third-party SMB servers - Disabled
10.1.34. Shut down system immediately if unable to log security audits - Disabled
10.1.35. Smart card removal behavior - No Action
10.1.36. Strengthen default permissions of global system objects (e.g. Symbolic Links) - Enabled
10.1.37. Unsigned driver installation behavior - Warn but allow installation
10.1.38. Unsigned non-driver installation behavior – Silently succeed
11. Close the Local Policy Settings window when done.
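The same Password, Account Lockout, Audit and (a subset of the) Security Options settings from steps 5 through 10 can be captured in a secedit security template so that they are repeatable and can later be re-checked for drift. This template is an added example, not part of the original guide; it assumes the file is saved as w2kpro.inf and uses %TEMP% for the database and log paths. User rights (step 9) are omitted because the instructions above are relative to existing group membership.

```ini
; Added example (not from the original guide): a secedit security template
; encoding the Password, Account Lockout, Audit and a subset of the Security
; Options settings from steps 5-10 above. Save as w2kpro.inf, then apply
; as Administrator with:
;   secedit /configure /db %TEMP%\w2kpro.sdb /cfg w2kpro.inf /log %TEMP%\w2kpro.log
; and later check the machine for drift with:
;   secedit /analyze /db %TEMP%\w2kpro.sdb /log %TEMP%\w2kpro-analyze.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password Policy (step 5). The GUI's "0 days" for Maximum password age means
; the password never expires; the template encodes that as -1.
PasswordHistorySize = 5
MaximumPasswordAge = -1
MinimumPasswordAge = 1
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
; Account Lockout Policy (step 6); durations are in minutes
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30

[Event Audit]
; Audit Policy (step 8): 0 = no auditing, 1 = success, 2 = failure, 3 = both
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 0
AuditProcessTracking = 0
AuditSystemEvents = 3

[Registry Values]
; Security Options (step 10) are registry values: path=type,data with
; 1 = REG_SZ and 4 = REG_DWORD. Only a subset of the options above is shown.
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\System\CurrentControlSet\Control\Session Manager\ProtectionMode=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnablePlainTextPassword=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
```

The analyze log lists every setting where the machine differs from the template, which is a quick way to confirm the changes made in the Local Security Policy window actually took effect and have not been changed since.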
One of the main challenges with managing an operating system is deciding how much authority to grant your normal user account. The more authority your normal user account has, the more you can do with the system, including running malicious applications. Take for example a trojan program you accidentally run. If your user account can delete system files, so can the trojan. If you can delete printers and send nasty email to the police, so can the trojan. Accordingly, we want to segment the powerful rights we use infrequently from the common rights we use often.
1. Log in as Administrator.
2. Go to Start->Programs->Administrative Tools->Computer Management
3. Open Local Users and Groups
4. Click on the Users folder
5. Right-click the Administrator account, and choose to rename it. Make it a non-obvious name.
6. Right-click this renamed Administrator account and select “Set Password”. Make the password hard to guess (use numbers, letters, and punctuation). NEVER use a password that can be found in the dictionary! DO NOT LOSE THE ADMINISTRATOR ACCOUNT NAME AND PASSWORD!
7. Right-click the Guest account, and choose to rename it. Make it a non-obvious name.
8. Right-click this renamed Guest account, then select “Set Password.” Make the password difficult to guess (use numbers, letters, and punctuation). NEVER use a password that can be found in the dictionary!
A note about the Guest account: The Guest account is disabled in W2K by default, which is a very good thing. Enabling the Guest account makes anonymous users guests. If you share a folder, the default permissions give Everyone full control. If Guest is enabled, guess what, Guest (i.e., anonymous) is included in Everyone! You’ll soon have all kinds of fun as people find your open share and stick all kinds of terrible things on your system. Always remove the share permissions from Everyone and grant them to Authenticated Users instead. This is a much safer policy.
9. Right-click in the window with the accounts. Select the “New User” option.
10. Create a new user for yourself and for each person who will use the machine locally.
11. For each new account, right click and select “Properties.” Uncheck “User must change password at next logon.”
12. For each new account, right click and select “Set Password.” Make these passwords hard to guess as well.
13. Use the accounts you created in steps 10 - 12 for normal, day-to-day tasks. DO NOT use the renamed Administrator account as your normal user account. Log on with the renamed Administrator account only to install programs, printers, create file shares, etc.
14. Remove the descriptions for the renamed Administrator and Guest accounts to make them more difficult to discover.
The more applications that are installed on your system, the greater the chance of one of them containing a bug or security flaw. Remove all unnecessary components.
1. Log in as Administrator.
2. Go to Start->Settings->Control Panel->Add/Remove Programs
3. Select “Add/Remove Windows Components.”
4. Remove (uncheck) the following:
Indexing Service
Internet Information Service (IIS)
Management and Monitoring Tools
Message Queuing Services
Networking Services
Other Network File and Print Services
Script Debugger
The default install of W2K is already out of date. Microsoft and others have found problems with the W2K software. Microsoft provides three ways to update the base system.
1. Hotfixes, which fix a specific problem
2. Service Packs, which are collections of hotfixes
3. Windows Update, a web based service
You should take advantage of all three methods to keep the system up to date. Be aware that all three methods are time sensitive, especially hotfixes. Hotfixes come out constantly (4 - 6 per month). You must be proactive when checking for software updates! Don’t just follow the instructions below and move on. Check your system for software updates at least once per month.
1. Log in as Administrator.
2. Go to Start->Run
3. Type “winver” and click OK
4. This will bring up a screen with the current version of the operating system. It should return Version 5.0 (build 2195)
5. Get a VTnet 2001 CD and put it in the CD-ROM drive. If your system needs the latest service pack, VTnet will offer to install it. The latest Service Pack to date is SP2. Allow VTnet 2001 to install this Service Pack, if required.
6. Once you’ve rebooted, log back in as Administrator
7. Run winver again (steps 2 – 3). It should return Version 5.0 (build 2195, Service Pack 2).
8. Go to Start->Run->Windows Update
9. On the web page, select the “Product Updates” link in the top left hand corner
10. If necessary, click YES to allow the ActiveX script to run so it can check your system
11. Once it’s done checking your system, select the following items to install. This list is current as of this report’s date.
Critical Updates Package
Windows Critical Update Notification 3.0
Root Certificates Update
12. Click the “Download” button to start download
13. Click the “Start Download” button to continue
14. Click the Yes button to allow the installation
15. Watch download progress…
16. When finished installing, reboot system
17. Log in as Administrator
18. Point your web browser to http://vtwug.w2k.vt.edu/daisy.html
19. Download and save the application to a temp directory (not the desktop!)
20. Close down all other programs and run daisy.exe
21. It will figure out what hotfixes you need for your system, download and install them automatically
22. Wait until you get a message saying Daisy is done
23. Reboot the machine
24. Run the program again
25. Check the output.txt file in the temporary directory you installed Daisy to, to ensure everything installed correctly
26. Run this program at least once a month to make sure you have the latest hotfixes on your system
Prevent malware and spyware
Viruses, worms, trojans, and backdoor programs are invented by brilliant people who have nothing better to do with their time. Every year these mal (bad) ware (software) programs destroy billions of files and cost people millions of dollars. They may do anything from moving a decimal point in an Excel spreadsheet, to repeatedly dialing 911 from your modem and clogging needed emergency services. Prevention, education, and communication are the cures.
Download antivirus software:
1. Log in as Administrator
2. Install the antivirus software off the VTnet 2001 CD
3. Use the Liveupdate feature of Norton Antivirus to make sure the application and virus definitions are up-to-date
4. Scan your entire system for malicious applications
5. Make sure that Norton Antivirus is scheduled to check your system weekly
6. Make sure that Norton Antivirus is scheduled to run LiveUpdate weekly
The main source of malware is applications delivered through email or chat clients. NEVER blindly run a program that is sent to you or that you have downloaded from a site without scanning it for viruses FIRST! Don’t assume that because you know the sender an attachment isn’t bad. Plenty of malware today will search a person’s email address book and send itself to everyone on the list. Don’t accidentally infect your friends, parents and relatives! Also, don’t assume just because the program doesn’t have an .exe extension that it can’t run. Plenty of other extensions can launch and do very bad things. If in doubt, scan it out!
Another class of nasty programs are those called spyware. These programs are usually attached to a free program in order to make the developer some money. They do various things, like watch what web sites you go to, overlay different links on web pages, and other sneaky undocumented behavior. They turn up in the most unlikely of places, like the Dilbert comet-cursor program that changes what your cursor looks like.
Remove spyware with the free tool Ad-aware:
1. Log in as Administrator
2. Go to this link: http://www.lavasoftusa.com/
3. Download and install the latest version of Ad-aware on the site (currently 5.5). Be sure to download the latest Ad-aware signature file.
4. Once installed, run Ad-aware and let it scan your entire system. Do this at least once a month.
Be aware that if the program you originally downloaded relied on some of these spyware components, using Ad-aware may disable or cause the programs to malfunction.
Although prevention is the best medicine, it’s not always possible. An optional W2K system component named the Recovery Console can help you restore the system if it is malfunctioning. The Recovery Console is not installed by default.
1. Log in as Administrator
2. Go to this link: http://www.w2k.vt.edu/faqrecovcon.html
3. Install the recovery console according to the instructions.
If you leave your computer unattended, you should ensure that no one has the ability to use it while logged in with your user account.
1. Log in as your normal user account
2. Right-click on the desktop
3. Select properties
4. Select the screen saver tab
5. Select a screen saver to use
6. Check the password protected box
You should get into the habit of locking your system when you step away for more than a few minutes. When you need to lock your system, hit the CTRL+ALT+DEL key combination. At the menu, click “Lock Computer”.
Although this document does not show you every security change possible, it does attempt to make your system much more secure than the default install. For better or worse, Microsoft has decided that usability is a higher priority than security. This document aims to help you tighten the security of your system while maintaining system usability.
4help computing consulting
Security links
Antivirus links
Windows 2000 deployment at VT
Microsoft Security website
Special thanks to my editors: Nancy Brauer, Michael Johnson, and Doug Edmonds
By Marc DeBonis