SECURING WINDOWS 2000
Original author: Marc DeBonis, Modified and updated by Don Murdoch
Note: This page originally comes from Virginia Tech's Security Website - content is slightly modified for ODU. Thanks Marc!
Background
Windows 2000 is an operating system from Microsoft Corporation. Its core system architecture is derived from its predecessor, Windows NT. The user interface is derived from the Windows 9x line of operating systems. While Windows 2000 Professional (W2K) may seem similar to Windows 9x, its code base is completely different. W2K is built upon an architecture where security is a key component of the system, not an afterthought. It is a very powerful operating system, scalable, stable and secure when set up correctly. Unfortunately, Microsoft had to make a lot of difficult design choices when they developed the system. For better or worse, they decided that on the sliding scale of operating systems (security vs. usability), the usability functions outweighed the security requirements. This document is provided to help you tighten the security of your system, while maintaining system usability.
Why should you care about computer security?
Computer security should be the concern of every person who owns or operates a computer. If you're not big on ethics, or aren't convinced, you may wish to review this link: Old Dominion University Acceptable Usage Statement
Don't forget the social implications of your system becoming compromised. How long will your friends continue to read messages you send when your system spews out infected email, day after day? Or, when the assignment you turn in to the professor infects his/her system with a nasty virus? Worked hard on that paper or your mp3 collection? Too bad that trojan you just ran from somebody you don't even know is deleting every single file on your machine. Avoid all of that terrible stuff by following this guide.
Assumptions
- You have a valid, legally licensed copy of W2K
- W2K is the only operating system installed on your computer
- You have administrator rights to the system
- The computer has a clean, freshly installed system
- You understand the basics of the Windows operating system (opening windows, right-clicking, etc.)
- The computer is a standalone system not connected to a domain (a specially configured group of other NT systems)
- The computer has Internet access and networking is set up correctly
Make the file system more secure
The first thing you need to do is make sure that your hard drive partitions are formatted with NTFS (NT File System). This file system is more secure than the FAT or FAT32 partition schemes because it supports per-file access control lists; FAT and FAT32 have no file permissions at all.
To check your hard drive partitions:
1. Log in as Administrator.
2. Right-click on My Computer and choose Explore.
3. Right-click each drive letter (except for removable drives, like A and the CD-ROM) and choose Properties.
4. Under the General tab, note the File system type. If it is FAT, record that drive letter.
5. Click Cancel to close the Properties window.
6. Follow steps 1 through 5 for each drive letter, noting which ones are labeled FAT.
Now convert any FAT partitions on your system:
1. Go to Start->Run
2. Type cmd and click OK. You should now be at a command prompt.
3. Type "convert driveletter: /FS:NTFS /V" (without the quotes), where driveletter is each drive letter you noted above (for example, convert D: /FS:NTFS /V).
4. Hit return to run the command.
5. Follow steps 1 through 4 for each FAT partition. You may have to reboot the system to finish these operations; the system partition in particular is converted on the next boot.
Tighten local security policies
Windows 2000 allows you easy access to the basic security functionality of your system. The following suggested changes will make your system much more secure.
1. Log in as Administrator
2. Go to Start->Programs->Administrative Tools->Local Security Policy
2.1. If you do not see the Administrative Tools folder, you will need to enable it
2.2. Go to Start->Settings->Taskbar & Start Menu
2.3. In the Taskbar and Start Menu Properties window, click the Advanced tab
2.4. Under the Start Menu Settings, check the box to the left of Display Administrative Tools
2.5. Restart at step 2
3. Expand Account Policies by clicking the + box
4. Select Password Policy
5. Double-click each policy setting to bring up a new window to make the following changes:
5.1.1. Enforce password history - 5 passwords remembered
5.1.2. Maximum password age - 0 days
5.1.3. Minimum password age - 1 day
5.1.4. Minimum password length - 8 characters
5.1.5. Passwords must meet complexity requirements - Enabled
5.1.6. Store password using reversible encryption for all users in the domain - Disabled
6. Select Account Lockout Policy
6.1.1. Account lockout duration - 30 minutes
6.1.2. Account lockout threshold - 5 invalid logon attempts
6.1.3. Reset account lockout counter after - 30 minutes
7. Expand Local Policies by clicking the + box
8. Select Audit Policy
8.1.1. Audit account logon events- Success, Failure
8.1.2. Audit account management- Success, Failure
8.1.3. Audit directory service access- Failure
8.1.4. Audit logon events - Success, Failure
8.1.5. Audit object access - Failure
8.1.6. Audit policy change - Success, Failure
8.1.7. Audit privilege use - No auditing
8.1.8. Audit process tracking - No auditing
8.1.9. Audit system events - Success, Failure
9. Select User Rights Assignment. If no change is noted, do not alter policy setting.
9.1.1. Access this computer from the network - Remove Everyone, Remove Power Users
9.1.2. Act as part of the operating system
9.1.3. Add workstations to domain
9.1.4. Back up files and directories - Backup Operators, Administrators
9.1.5. Bypass traverse checking - Remove Everyone, Remove Power Users
9.1.6. Change the system time - Remove Power Users
9.1.7. Create a pagefile - Administrators
9.1.8. Create a token object
9.1.9. Create permanent shared objects
9.1.10. Debug programs - Administrators
9.1.11. Deny access to this computer from the network
9.1.12. Deny logon as a batch job
9.1.13. Deny logon as a service
9.1.14. Deny logon locally
9.1.15. Enable computer and user accounts to be trusted for delegation
9.1.16. Force shutdown from a remote system - Administrators
9.1.17. Generate security audits
9.1.18. Increase quotas - Administrators
9.1.19. Increase scheduling priority - Administrators
9.1.20. Load and unload device drivers - Administrators
9.1.21. Lock pages in memory
9.1.22. Log on as a batch job
9.1.23. Log on as a service
9.1.24. Log on locally - Remove Guest, Remove Power Users
9.1.25. Manage auditing and security log - Administrators
9.1.26. Modify firmware environment values - Administrators
9.1.27. Profile single process - Remove Power Users
9.1.28. Profile system performance - Administrators
9.1.29. Remove computer from docking station - Remove Power Users
9.1.30. Replace a process level token
9.1.31. Restore files and directories - Backup Operators, Administrators
9.1.32. Shut down the system - Remove Power Users
9.1.33. Synchronize directory service data
9.1.34. Take ownership of files or other objects - Administrators
10. Select Security Options
10.1.1. Additional restrictions for anonymous connections - No access without explicit anonymous permissions
10.1.2. Allow server operators to schedule tasks (domain controllers only) - Not defined
10.1.3. Allow system to be shut down without having to log on - Enabled
10.1.4. Allowed to eject removable NTFS media - Administrators
10.1.5. Amount of idle time required before disconnecting session - 15 minutes
10.1.6. Audit the access of global system objects - Disabled
10.1.7. Audit use of Backup and Restore privilege - Disabled
10.1.8. Automatically log off users when logon time expires (local) - Enabled
10.1.9. Clear virtual memory pagefile when system shuts down - Disabled
10.1.10. Digitally sign client communication (always) - Disabled
10.1.11. Digitally sign client communication (when possible) - Enabled
10.1.12. Digitally sign server communication (always) - Disabled
10.1.13. Digitally sign server communication (when possible) - Enabled
10.1.14. Disable CTRL+ALT+DEL requirement for logon - Disabled
10.1.15. Do not display last user name in logon screen - Enabled
10.1.16. LAN Manager Authentication Level - Send NTLM response only
10.1.17. Message text for users attempting to log on
10.1.18. Message title for users attempting to log on
10.1.19. Number of previous logons to cache (in case domain controller is not available) - 0 logons
10.1.20. Prevent system maintenance of computer account password - Disabled
10.1.21. Prevent users from installing printer drivers - Disabled
10.1.22. Prompt user to change password before expiration - 0 days
10.1.23. Recovery Console: Allow automatic administrative logon - Disabled
10.1.24. Recovery Console: Allow floppy copy and access to all drives and all folders - Disabled
10.1.25. Rename administrator account (Should be something unique)
10.1.26. Rename guest account (Should be something unique)
10.1.27. Restrict CD-ROM access to locally logged-on user only - Enabled
10.1.28. Restrict floppy access to locally logged-on user only - Enabled
10.1.29. Secure channel: Digitally encrypt or sign secure channel data (always) - Disabled
10.1.30. Secure channel: Digitally encrypt secure channel data (when possible) - Enabled
10.1.31. Secure channel: Digitally sign secure channel data (when possible) - Enabled
10.1.32. Secure channel: Require strong (Windows 2000 or later) session key - Enabled
10.1.33. Send unencrypted password to connect to third-party SMB servers - Disabled
10.1.34. Shut down system immediately if unable to log security audits - Disabled
10.1.35. Smart card removal behavior - No Action
10.1.36. Strengthen default permissions of global system objects (e.g. Symbolic Links) - Enabled
10.1.37. Unsigned driver installation behavior - Warn but allow installation
10.1.38. Unsigned non-driver installation behavior - Silently succeed
11. Close the Local Policy Settings window when done.
Segment the user account from the administrative Account - this is a must!
One of the main challenges with managing an operating system is deciding how much authority to grant your normal user account. The more authority your normal user account has, the more you can do with the system, including running malicious applications. Take for example a trojan program you accidentally run. If your user account can delete system files, so can the trojan. If you can delete printers and send nasty email to the police, so can the trojan. Accordingly, we want to segment the powerful rights we use infrequently from the common rights we use often.
1. Log in as Administrator.
2. Go to Start->Programs->Administrative Tools->Computer Management
3. Open Local Users and Groups
4. Click on the User folder
5. Right-click the Administrator account, and choose to rename it. Make it a non-obvious name.
6. Right-click this renamed Administrator account and select Set Password, make the password hard to guess (use numbers, letters, and punctuation). NEVER use a password that can be found in the dictionary! DO NOT LOSE THE ADMINISTRATOR ACCOUNT NAME AND PASSWORD!
7. Right-click the Guest account, and choose to rename it. Make it a non-obvious name.
8. Right-click this renamed Guest account, then select Set Password. Make the password difficult to guess (use numbers, letters, and punctuation). NEVER use a password that can be found in the dictionary!
9. Right-click in the window with the accounts. Select the New User option.
10. Create a new user for yourself and for each person who will use the machine locally.
11. For each new account, right click and select Properties. Uncheck User must change password at next logon.
12. For each new account, right click and select Set Password. Make these passwords hard to guess as well.
13. Use the accounts you created in steps 10 - 12 for normal, day-to-day tasks. DO NOT use the renamed Administrator account as your normal user account. Log on with the renamed Administrator account only to install programs, printers, create file shares, etc.
14. Remove the descriptions for the renamed Administrator and Guest accounts to make them more difficult to discover.
A Note About the Guest Account
The Guest account is disabled in W2K by default, which is a very good thing. Enabling the Guest account makes anonymous users guests. If you share a folder, the default permissions are Everyone having Full Control. If Guest is enabled, guess what, Guest (i.e., anonymous) is included in Everyone! You'll soon have all kinds of fun as people find your open share and stick all kinds of terrible things on your system. Always remove the share permissions from Everyone and add them to Authenticated Users. This is a much safer policy.
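The Local Security Policy settings from the previous section and the account renaming and Guest settings above can also be applied from a security template with the secedit tool that ships with Windows 2000. The template below is an added example, not part of the original guide; the account names in it are placeholders you must replace, and the registry mappings cover only a handful of the Security Options (the User Rights Assignment and remaining Security Options still need the Local Security Policy window).

```ini
; Constructed example (not from the original guide): a secedit security template
; that expresses the settings listed in the guide. Apply as Administrator with:
;   secedit /configure /db hardening.sdb /cfg hardening.inf /log hardening.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password Policy (step 5). "0 days" for maximum age in the GUI means
; "never expires", which the template syntax writes as -1.
PasswordHistorySize = 5
MaximumPasswordAge = -1
MinimumPasswordAge = 1
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
; Account Lockout Policy (step 6); durations are in minutes
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
; Rename the built-in accounts (10.1.25, 10.1.26) and keep Guest disabled.
; The names below are placeholders; choose your own non-obvious ones.
NewAdministratorName = "PLACEHOLDER-admin-name"
NewGuestName = "PLACEHOLDER-guest-name"
EnableGuestAccount = 0

[Event Audit]
; Audit Policy (step 8): 0 = none, 1 = success, 2 = failure, 3 = both
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 0
AuditProcessTracking = 0
AuditSystemEvents = 3

[Registry Values]
; A few Security Options (step 10) by their registry backing; 4 = REG_DWORD, 1 = REG_SZ
; 10.1.1  No access without explicit anonymous permissions
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
; 10.1.16 LAN Manager Authentication Level: send NTLM response only
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
; 10.1.14 Keep the CTRL+ALT+DEL requirement (setting "Disabled" = DisableCAD 0)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
; 10.1.15 Do not display last user name in logon screen
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
; 10.1.19 Number of previous logons to cache: 0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
```

Run secedit /analyze /db hardening.sdb /cfg hardening.inf /log analyze.log first to see which current settings differ from the template before you apply it. After applying, re-open Local Security Policy and confirm the values match the lists above.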
Remove Unnecessary Windows Components
The more applications that are installed on your system, the greater the chance of one of them containing a bug or security flaw. Remove all unnecessary components.
- Log in as Administrator.
- Go to Start->Settings->Control Panel->Add/Remove Programs
- Select Add/Remove Windows Components.
- Remove (uncheck) the following:
  - Indexing Service
  - Internet Information Service (IIS)
  - Management and Monitoring Tools
  - Message Queuing Services
  - Networking Services
  - Other Network File and Print Services
  - Script Debugger
Update Windows components
The default install of W2K is already out of date. Microsoft and others have found problems with the W2K software. Microsoft provides three ways to update the base system.
- Hotfixes, which fix a specific problem
- Service Packs, which are collections of hotfixes
- Windows Update, a web based service
You should take advantage of all three methods to keep the system up to date. Be aware that all three methods are time sensitive, especially hotfixes. Hotfixes come out constantly (4-6 per month). You must be proactive when checking for software updates! Don't just follow the instructions below and move on. Check your system for software updates at least once per week.
The following information comes from the Microsoft Knowledge Base article titled "How to configure and use Automatic Updates in Windows 2000".
Install the Automatic Updates Feature
If you are running Windows 2000 Service Pack 3 (SP3), you do not have to install Automatic Updates. Windows automatic updating is included in Windows 2000 SP3.
You can also install Automatic Updates on Windows 2000 Professional-based, Windows 2000 Server-based, or Windows 2000 Advanced Server-based computers that are running Service Pack 2 (SP2). To install the Automatic Updates feature on Windows 2000 SP2 if you are an administrator, install any of the following updates:
- The Windows Automatic Updating, June 2002 update. To obtain this update, visit the following Microsoft Windows Update Web site: http://v4.windowsupdate.microsoft.com/en/default.asp
- The Automatic Updates June 2002 update. To obtain this update, visit the following Microsoft Web site: http://www.microsoft.com/windows2000/downloads/recommended/susclient/default.asp
Turn On Automatic Updates
To turn on automatic updates for your computer:
- In Control Panel, double-click Automatic Updates.
- Click one of the following options:
- Notify me before downloading any updates and notify me again before installing them on my computer
- Download the updates automatically and notify me when they are ready to be installed
- Automatically download the updates, and install them on the schedule that I specify
Configure Windows to Remind You About Pending Updates
When Windows notifies you that updates are available, click Remind Me Later in the Automatic Updates dialog box before you download or install the update. In the Reminder dialog box, you can specify the time Windows waits before reminding you. If the reminder is for downloading, Windows reminds you only when you are connected to the Internet. If the reminder is for installing, Windows reminds you according to the schedule that you specify.
Prevent malware and spyware
Viruses, worms, trojans, and backdoor programs are invented by brilliant people who have nothing better to do with their time. Every year these mal (bad) ware (software) programs destroy billions of files and cost people millions of dollars. They may do anything from moving a decimal point in an Excel spreadsheet, to repeatedly dialing 911 from your modem and clogging needed emergency services. Prevention, education, and communication are the cures.
Install a personal firewall
Unlike Windows XP, Windows 2000 does not come with a personal firewall capability. There are many good personal firewall products available with a "free for personal use" license. For corporate use on a University owned desktop, these products must be licensed. Here are links to personal firewall vendors. It's suggested that you start with Zone Alarm.
Zone Alarm from Zone Labs (download)
Sygate personal firewall (download)
University AntiVirus
You can download antivirus software by visiting the OCCS Software download page. From there, login with your Lotus Notes user ID and password and look for McAfee Virus Scan. Download and install. Once that's done, right click on the McAfee shield in the system tray and configure automatic updates.
The main source of malware is applications delivered through email or chat clients. NEVER blindly run a program that is sent to you or that you have downloaded from a site without scanning it for viruses FIRST! Don't assume that because you know the sender an attachment isn't bad. Plenty of malware today will search a person's email address book and send itself to everyone on the list. Don't accidentally infect your friends, parents and relatives! Also, don't assume that just because a program doesn't have an .exe extension it can't run. Plenty of other extensions can launch and do very bad things. If in doubt, scan it out!
Spyware Protection
Another class of nasty programs is called spyware. These programs are usually bundled with a free program in order to make the developer some money. They do various things, like watch what web sites you go to, overlay different links on web pages, and other sneaky undocumented behavior. They turn up in the most unlikely of places, like the Dilbert Comet Cursor program that changes what your cursor looks like.
Remove spyware with the free tool Spybot Search and Destroy. Note that Spybot S&D is free for personal use; please consider a donation:
- Log in as Administrator
- Go to this link: http://www.safer-networking.org/en/download/index.html
- Download and install the latest version of Spybot S&D from a mirror site.
- Once installed, run Spybot S&D and let it scan your entire system. Do this at least once a week.
Be aware that if the program you originally downloaded relied on some of these spyware components, removing them with Spybot S&D may disable that program or cause it to malfunction.
Physical security
If you leave your computer unattended, you should ensure that no one has the ability to use it while logged in with your user account. Note that for any University owned desktop, this procedure is required under CoVA ITRM Sec 501-01.
- Log in as your normal user account
- Right-click on the desktop
- Select properties
- Select the screen saver tab
- Select a screen saver to use
- Check the password protected box
You should get into the habit of locking your system when you step away for more than a few minutes. When you need to lock your system, press the CTRL+ALT+DEL key combination. At the menu, click Lock Computer.