By default, Windows 2000 installations contain numerous potential security problems. Many unneeded services are installed and enabled, and there is no active local security policy. This document attempts to provide a solid foundation for the beginning administrator. Remember to test these tactics on a non-production server, particularly when applying a new service pack or hotfix. Most of the recommendations below are suggested to keep the server from being compromised by automated scripts launched by novice hackers or by rapidly propagating Trojan horse programs. These methods are certainly not exhaustive, although they should be seriously considered by anyone concerned with a basic level of security. You can also visit Microsoft's site on Windows 2000 Security.
According to the SANS "Top 20 Most Critical Internet Security Vulnerabilities", a system's most insecure phase is its initial configuration after a default installation. It is strongly recommended that the administrator physically disconnect the network cable after installing the operating system, as the system can easily be compromised during the early stages of configuration and customization.
Steps toward securing Windows 2000.

Details on securing Windows 2000
Converting to NTFS. During the installation, make sure you convert your drive partitions to NTFS. NTFS allows the administrator to set access-control lists (ACLs) on files and directories. This will allow the administrator to keep tighter control over what services get started, and which files get modified or created.
Creating groups. Create separate and specialized groups for the user accounts on the system. Using this model, an administrator can determine the needs of the individual account and add it to as many groups as it may need to perform its tasks. For example, on a system where multiple users work together to maintain a Web site, the administrator could create separate groups for the Web programmers, the graphic artists, and the content authors. Every group would have permission to access different files on the system (e.g. the graphic designers can be prohibited from viewing or making changes to the cgi-bin directory, while the Web programmers cannot manipulate files in the images directory). Each user could belong to one, some, or all groups. The key is to only allow users access to the minimum amount of resources they need to complete their work. The "system" and administrator groups should have full access to the entire site.
Securing Guest and Administrator accounts. Make sure the Guest account is disabled, and consider changing the Administrator account name to prevent automated scripts from trying to brute-force a login through the Administrator account. You could rename Administrator to Keith or User or even to Guest!
Disabling Simple TCP/IP Services and IIS. Do not install Simple TCP/IP Services or Internet Information Services (IIS) unless these services will be immediately utilized. These services can always be installed and configured later if the need arises. If for some reason IIS does get installed, remove it using the Add/Remove Programs utility in the Control Panel. Disable any services that are not absolutely necessary for the routine performance of the system through the Services module under Administrative Tools. A listing of Windows 2000 services and their descriptions can be found here: http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp
Windows Update. Install all the service packs and updates available from the Windows Update site before the system goes into production. Once it is in production, test future patches first on a test server that is similar to your current system. Ideally the service packs and hotfixes should be downloaded on another system and written to a CD or other removable media so that they can be installed without having to connect the unshielded and outdated system to the Internet. Obtain a copy of the HFNetChk tool and run it frequently to see if there are new patches your system may need to plug security holes or address performance problems.
AntiVirus and firewall software. Install and frequently update Norton Anti-Virus on the system to prevent compromises from Trojans, worms, and viruses. UNC-Chapel Hill maintains free licenses for employees and students, available at https://shareware.unc.edu/. Use Task Scheduler to run the Live Update feature at least once a week to keep virus protection on the system up to date. Of course, when a new threat is issued, be sure to run Live Update immediately. Also, consider installing a personal firewall to protect the system from any unauthorized or unwanted network activity.
Disabling sharing. Unless you will definitely use them, remove from Network Properties both "File and Printer Sharing" and the default sharing of the local drives. For example, C$ is shared by default and should be unshared immediately unless a specific application requires it or the administrators wish to make major system changes remotely. When the system is rebooted, however, the default share returns. To make this change permanent, a registry value needs to be changed. Under

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

set AutoShareServer to 0, or, if there is no entry, add a value named AutoShareServer of type REG_DWORD and set it to 0. This permanently disables all drive letter sharing and also disables the Remote Admin share (ADMIN$).

If administrators work on the system remotely, ensure that they use a secure channel to make changes. Set the encryption level to "High" on Microsoft Terminal Services if this is the remote administration protocol used (note that Terminal Services comes with Windows 2000 Server by default).
Creating a local security policy. The Administrative Tools in the Control Panel allow you to create and configure a local security policy for all users. Microsoft has existing recommendations and explanations for local security policy. There are also existing templates in the c:\winnt\security\templates folder that contain a variety of pre-configured settings for different systems. Consider applying one of these templates and then customizing it to more accurately reflect the needs and security goals of your system. The National Security Agency (NSA) is another great resource for pre-configured security templates. Note that at minimum, the security policy should contain something other than the default under "Additional restrictions for anonymous connections". This can also be changed by creating the following registry value:

Key: HKLM\System\CurrentControlSet\Control\Lsa
Value Name: RestrictAnonymous
Data Type: REG_DWORD
Value: 1

For NT and mixed environments choose '1' for the data field, or choose the "Do not allow enumeration of SAM accounts and shares" directive. For pure Windows 2000 environments, or for the paranoid, choose the data value of '2' or "No access without explicit anonymous permission." [shown below] This will prevent NULL session attacks, which are a common and frequent threat. For more information on NULL sessions and their vulnerabilities, please see this SANS document: http://rr.sans.org/win/null.php or the two Microsoft Knowledge Base articles Q143474 and Q246261.
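An added offline check for the two registry settings this guide recommends (AutoShareServer under LanmanServer\Parameters and RestrictAnonymous under Lsa), written for this page and not part of the original guide: it parses a regedit export (File > Export in regedit, or regedit /e) and reports when either value is missing or still at its default, accepting RestrictAnonymous of 1 or 2. The sample exports are constructed; a "Version 5.00" export file is UTF-16, so read it with encoding="utf-16" before passing its text in.

```python
import re
# Keys the page discusses; paths are compared case-insensitively, as the registry does.
LANMAN = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
LSA = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa"

def parse_reg_export(text):
    """Parse a regedit export (REGEDIT4 or 'Windows Registry Editor Version 5.00')
    into {key_path_lower: {value_name: data}}; dword: data becomes an int."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):   # [key path] header
            current = keys.setdefault(line[1:-1].lower(), {})
            continue
        m = re.match(r'"([^"]+)"=(.*)', line)             # "name"=data line
        if m and current is not None:                     # version, blank and ; lines fall through
            data = m.group(2)
            current[m.group(1)] = int(data[6:], 16) if data.startswith("dword:") else data
    return keys

def dword(keys, key_path, name):
    """Return a REG_DWORD value, or None when the key or the value is absent."""
    value = keys.get(key_path.lower(), {}).get(name)
    return value if isinstance(value, int) else None

def audit(text):
    """Findings for the two settings; an empty list means both match the page."""
    keys, findings = parse_reg_export(text), []
    auto = dword(keys, LANMAN, "AutoShareServer")
    if auto != 0:  # absent means the default: C$ and ADMIN$ come back at every boot
        findings.append("AutoShareServer=%s: administrative shares recreated at boot"
                        % ("absent" if auto is None else auto))
    ra = dword(keys, LSA, "RestrictAnonymous")
    if not ra:     # absent or 0: anonymous (NULL session) enumeration is allowed
        findings.append("RestrictAnonymous=%s: NULL sessions may enumerate accounts and shares"
                        % ("absent" if ra is None else ra))
    return findings

# Constructed sample exports (not real captures): WEAK lacks AutoShareServer, HARDENED applies the page's values.
SAMPLE_WEAK = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"""
SAMPLE_HARDENED = r"""Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000002
"""
```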
You can also implement the System Password Complexity Policy. This requires that passwords be at least six characters long and not contain the user name or any part of the user's full name. It also enforces the use of characters from at least three of the following four categories: upper case letters, lower case letters, numerals, and special characters.
Setting a local password policy. It is extremely important to have an excellent password policy for both domains and workstations. Following best practices in choosing and managing passwords is important to maintain system integrity and satisfy audit requirements. This image shows some beginning guidelines to a good password policy.
Enabling auditing for log files. Make sure to enable auditing in the security policy in order to obtain a good set of log files. Your log files are your main ammunition against attackers, whether your system is compromised or not. Also consider moving your log files from their default location to another part of the system (preferably another partition devoted only to the logs). Ensure that only administrators can read the system logs and that no other users have read permissions.
The Microsoft Baseline Security Analyzer is a great tool that provides a cursory look at the security status of your system. As always, if you would like a vulnerability scanner run on your system after it has been secured, the ITS-Security office will be happy to run a scan and email you the reports. Please contact us at security@unc.edu for more information.