UCB Windows 2000 Server Security Guidelines
This document contains some basic security precautions to protect Windows 2000 file and print servers. These steps do not completely protect a server from any attack, but do greatly reduce the potential for intrusion and damage.
Warning: Security restrictions can interfere with the operation of computing services. ITS recommends testing any changes on non-production computers before employing them on production servers or workstations. Complications may be difficult to predict due to the unique environment and applications used by different groups at UCB.
- Installing and Patching
- Partitioning and formatting
- Components
- Service packs and hot fixes
- Locking down
- Physical security
- Virus protection
- Account security
- File system security
- Local security policies
- Cleaning up (for more advanced administrators)
- Services
- Maintaining security
- Computer use
- Logging/Auditing
- Remote administration
- Backups
- Keeping up on patching
- More information
- Microsoft
- ITS
- Other web sites
- Books
Installing and patching
- Partitioning and formatting
- Begin your installation by removing the server from the network. Before appropriate patches are installed, your computer could be attacked or exploited, and automated exploits could very easily attack your computer before you have a chance to secure it.
- Create separate partitions for each major portion of the server: operating system, file serving, web serving, logs, etc. This helps to prevent vulnerabilities allowing access to one section to allow access to other sections.
- Format all drives using NTFS either during installation of Windows 2000, or afterward via conversion or reformatting. The NTFS file system allows you to control access to files and directories, the FAT file system does not. To verify if partitions are formatted in NTFS, open My Computer, right-click on a partition, select Properties, and check if the file system is listed as NTFS. Here is an image showing the properties on a partition formatted using NTFS:

- Components
- Only install required components. Do not install items like simple TCP/IP services, Internet Information Server, WINS, etc. unless they are needed. Extraneous services expose your server to additional exploits. Note that Internet Information Server is selected by default during installation and should be unselected if not needed.
- Service Packs and hot fixes
- Install service packs and hot fixes appropriate to your server (some hot fixes may be for a service, like IIS, that is not installed on your server) while the server is still offline. Most attacks use known vulnerabilities for which there is a patch. To stay up to date on Microsoft patches, visit the MS Technet security site where you can join an e-mail list to notify you of new patches. The "Windows Update" function allows you to download many patches and updates, and allows you to be informed of critical updates, but it does not contain all security patches.
- Several tools are available to assist in patching. Other tools that require network access are listed later in this document, but should not be used until after the securing process.
- MS Network Security Hotfix Checker (hfnetchk) - a tool that allows you to check which security hotfixes are installed on computers. It must first be run on a computer with network access to download a current list of hotfixes, but can then be copied to unsecured computers not yet connected to the network. This tool only checks for hotfixes related to the operating system and other core components like Internet Explorer. It will not notify the user of hotfixes for applications like Microsoft Office.
- Qchain - a tool that allows you to install multiple hotfixes while only rebooting once
Locking down
- Physical security
- Keep your server in a locked location with controlled access. Someone with physical access to your server will be able to circumvent most of the security precautions outlined in this document.
- BIOS configuration - The process to change BIOS settings varies by computer vendor, check your hardware documentation for instructions.
- After installing the operating system, set the boot order to boot from the hard drive first. This prevents someone with physical access from booting off of a floppy or CD to compromise your system.
- Set a password for altering BIOS settings. This prevents someone with physical access to the system from changing BIOS security settings.
- Virus protection
- Install and keep updated an anti-virus software package. It is very important to keep anti-virus products updated as new viruses appear daily. Updating should be done regularly and frequently, ideally once a week. Most anti-virus programs can be configured to automatically download updates. This can protect your server from known viruses, worms, and Trojan horses.
- Account security
- Make sure the Guest account is disabled. It should be disabled by default, but it is best to verify this.
- Many groups advise renaming the Administrator account and creating a dummy, locked account named "Administrator". While there is no harm in doing this, the security gains are minimal.
- File system security
- Restrict access to files to only those who require access. To simplify this process, create groups for different levels of access (eg. budget group, personnel group), grant access to these groups, then add or remove users from these groups as needed. Remove general groups like "Everyone" from having access and use controlled membership groups. Remember to leave full access for "SYSTEM" and "Administrators" (or a separate administrative group).
- If file and printer sharing is not required, remove "File and Printer Sharing for Microsoft Networks" from the networking properties.
- Windows 2000 creates "administrative" shares that are not seen through network browsing. These shares have known names (like C$) and can be exploited without proper NTFS permissions. To remove the shares, right-click on My Computer and select Manage. Browse to Shared Folders then to Shares. Right-click on each of the administrative shares (noted by "$" at the end of the name) and select Stop Sharing. These shares will recreate themselves upon reboot, unless the instructions in MS knowledgebase article Q288164 are followed. Note that some applications rely on the presence of these shares.
- Protect system files by limiting NTFS permissions: There are several executable files located in the %systemroot%\system32 (usually c:\winnt\system32) directory that are commonly used to gain access or attack systems. To protect from such an exploit, change the permissions on all .exe and .com files in this folder so that only a special group can access them. This means removing all other groups (including SYSTEM and Administrators) from the access list and giving a new group read and execute access to these files as well as giving this group ownership of the files. Add users who require access to these files to this new group.
- Local security policies
- The Local Security Policy console is available by clicking on the Start menu, selecting Settings, clicking on Control Panels, double-clicking the Administrative Tools icon, and then double-clicking the Local Security Policy icon. This console allows you to configure security settings for the local computer including password and account settings. If the computer is a member of the campus Active Directory, these settings can be made for multiple computers using Group Policy Objects (GPOs). Below is a description of the security templates that may be used in this console and a list of some recommended settings for local security policies.
- Microsoft provides three levels of security templates that can be used locally or with a GPO. These templates contain Microsoft suggested security settings for workstations and domain controllers. The three levels are basic (default settings), secure (more restrictive settings), and hisec (very restrictive settings). These template files (basicws for workstations, basicsv for servers, securews for workstations and servers, and hisecws for workstations and servers) can be found in %system folder%\security\templates (usually c:\winnt\security\templates).
Using the "securews" template is a good baseline for most computers, but be aware that it establishes settings for password expiration, password complexity, account lockout, and other areas. To use these policies, select Import Policy from that Action menu of the Local Security Policy console while "Security Settings" is highlighted in the left pane.
- Account Policies - The account policies section of the local security policy applies only to local accounts on the server, not campus domain accounts.
- Password Policy - This allows you to set restrictions on password length, strength, and age. Some recommended settings:
- Maximum password age - 60 days or less
- Minimum password length - at least 6 characters, preferably 8
- Passwords must meet complexity requirements - Enabled
- Store password using reversible encryption for all users in the domain - Disabled (unless required)
Here is an image showing the password policy from the hisecws template:

- Account Lockout Policy - This allows you to configure the threshold and time period for locking out accounts after invalid logon attempts.
- Account lockout duration - at least 5 minutes
- Account lockout threshold - no fewer than 3, but less than 10
- Reset account lockout counter after - no fewer than 5 minutes
Here is an image showing the account lockout policy from the hisecws template:

- Local Policies
- Audit Policy - This allows you to configure what events are logged into the security event logs. Here are some recommended settings:
- Audit account logon events - Success and Failure
- Audit account management - Success and Failure
- Audit directory service access - No auditing
- Audit logon events - Success and Failure
- Audit object access - Success and Failure (this item only adds to the logs when auditing is enabled on specific files or other objects)
- Audit policy change - Success and Failure
- Audit privilege use - No auditing
- Audit process tracking - No auditing
- Audit system events - Success and Failure
Here is an image showing the above auditing policy:

- User Rights Assignment - This allows for restrictions on which users are allowed to perform certain tasks. Some items to consider restricting:
- Access this computer from the network - generally workstations only need to have Administrators listed, whereas servers usually must be accessed by many different users from the network.
- Create permanent shared objects - Administrators only
- Logon locally - only those who require local access
- Manage auditing and security log - Administrators only
- Take ownership of files or other objects - Administrators only
- Security Options - This allows you to configure several security-related items like anonymous access, logon messages, and authentication support. Some recommended settings:
- Additional restrictions for anonymous connections - Do not allow enumeration of SAM accounts and shares
- Disable CTRL+ALT+DEL requirement for logon - Disabled
- Do not display last user name in logon screen - Enabled
- LAN Manager Authentication Level - generally workstations may have a more restrictive setting of "Send NTLMv2 response only" or higher, whereas servers usually must support a broader range of clients and should use "Send LM & NTLM - use NTLMv2 session security if negotiated".
- Message text for users attempting to log on - Many groups place a disclaimer on improper computer use here
- Message title for users attempting to log on - An appropriate window name for the above message
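The settings recommended in this section can also be written down as a custom security template and applied with Import Policy (or with secedit), which makes the configuration repeatable across several servers. The template below is an added example written for this page; it is not one of the templates Microsoft ships, and the group SIDs chosen for the user rights, the logon banner wording and the AutoShareServer entry (the registry value behind MS knowledgebase article Q288164) are this example's own choices to adjust for your server.

```ini
; ucb-server.inf - constructed example security template for a Windows 2000
; file/print server, following the Local Security Policy recommendations above.
; Apply with Import Policy in the Local Security Policy console, or from a prompt:
;   secedit /configure /db %windir%\security\database\ucb.sdb /cfg ucb-server.inf /log ucb.log
; Audit values: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.
; Registry value types: 1 = REG_SZ, 2 = REG_EXPAND_SZ, 4 = REG_DWORD.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password policy (applies to local accounts only)
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 0
; Account lockout policy; the lockout duration may not be shorter than the reset window
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30

[Event Audit]
AuditAccountLogon = 3
AuditAccountManage = 3
AuditDSAccess = 0
AuditLogonEvents = 3
AuditObjectAccess = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 0
AuditProcessTracking = 0
AuditSystemEvents = 3

[Privilege Rights]
; Each line replaces the current holders of that right.
; S-1-5-32-544 = Administrators; S-1-5-11 = Authenticated Users (assumed here to be
; the population that needs network access to a file server's shares).
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeCreatePermanentPrivilege = *S-1-5-32-544
; Log on locally: add only the groups that really need console access
SeInteractiveLogonRight = *S-1-5-32-544
SeSecurityPrivilege = *S-1-5-32-544
SeTakeOwnershipPrivilege = *S-1-5-32-544

[Registry Values]
; RestrictAnonymous 1 = do not allow enumeration of SAM accounts and shares
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
; DisableCAD 0 = CTRL+ALT+DEL is still required to log on
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=4,1
; LmCompatibilityLevel 1 = send LM & NTLM, use NTLMv2 session security if negotiated
; (server setting); use 3 = send NTLMv2 response only on workstations
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,1
; Logon message (wording is an example)
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption=1,"Authorized use only"
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText=1,"This system is for authorized users only. Use may be monitored and recorded."
; Stop the administrative shares (C$, ADMIN$) from being recreated at boot (Q288164);
; leave this out if an application on the server depends on those shares
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=4,0
```

Running `secedit /analyze /db ucb.sdb /cfg ucb-server.inf /log ucb-analyze.log` before `/configure` reports which settings on the server differ from the template, which is a convenient way to test the policy on a non-production machine first, as the warning at the top of this document advises.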
Cleaning up
- Services
- Services: You can reduce the number of possible exploits by turning off additional services that are enabled by default. Some applications may depend on these services so you should check the dependencies before disabling the service. Here is a list of the Windows 2000 services, their functions and some possible ramifications of disabling them. Your computer may have additional services installed by third-party applications.
Maintaining security
- Computer use
- Avoid reading e-mail or web browsing on your server. This could expose your system to opportunities for exploit. The nimda virus, for example, distributes itself via direct server-to-server attacks, infected e-mails, and infected web pages.
- Log off of the computer when it is not in use and lock the desktop when leaving the computer for short periods of time. Close remote administration consoles (like Terminal Services or PC Anywhere connections) or lock the desktop on computers used to remotely administer servers. A computer left logged in gives anyone with physical access to it an opportunity to misuse the session.
- Logging/Auditing
- Logging can provide information about attempted attacks or misuses of access. The previous section on local security policies addresses configuring what events are recorded in the security event logs.
- Relocating your logs can reduce the chances of an attacker covering their tracks, but requires editing the registry. It is recommended that logs be located on a dedicated partition separate from the system and other services. See MS knowledgebase article Q216169 for details on moving the event log location.
- Restrict the permissions on the logs to allow full access for administrators and SYSTEM, but do not allow any access to other users. If other users require access, limit them to read access only.
- Configure logs to a larger size (10-50MB provides good records for servers) and set writing properties: Open the Event Viewer, right-click on one of the event logs (Application, Security, or System), and select Properties. Then set the Maximum log size to 10000 to 50000KB and select Overwrite events as needed. You may get a message stating that Windows must round the file size to fit a particular increment, click OK when this message appears. Repeat this process for the other event log categories. The large log size prevents attacks from "rolling" the logs by triggering many events to be logged in the hopes of quickly filling the logs and overwriting the section revealing their real attack. On critical systems logs should be periodically archived.
- Below is an image of the security event log properties reflecting both a new location and a new log size.

- Remote administration
- If you wish to remotely administer your server, use a tool that encrypts at least your logon and preferably the entire session.
- Windows 2000 Server comes with Microsoft Terminal Services, which is capable of encrypting the session. This is the most convenient tool for remote administration because it comes with the operating system and is free to use for remote administration.
- Set the encryption level to an appropriate setting. By default Terminal Services is configured to "Medium" encryption, which is adequate for most purposes. Increasing this setting to "High" has minimal impact on performance and can increase your security. This requires that both the server and client have 128-bit encryption support installed. This encryption support is included with Windows 2000 Service Pack 2. To change the encryption level:
- Launch the Terminal Services Configuration console located in the Administrative Tools folder of the Control Panels.
- Select Connections in the left pane and then right-click RDP-Tcp in the right pane and select Properties.
- Under the Encryption section of the General tab set the Encryption Level to High.
- PCAnywhere is another remote administration option with built-in security.
- VNC is a popular solution because it is free, but it is not as secure as Terminal Services or PCAnywhere. If you use VNC, we suggest looking into a tunneling security protocol for it like SSH. It is also necessary to have good physical security of any computers using VNC, as people with physical access to the computer will be able to leverage the remote login to gain access to the computer.
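The event log sizes and overwrite behaviour from the Logging/Auditing section, the relocated security log from MS knowledgebase article Q216169, and the Terminal Services encryption level from the steps above are all registry-backed settings, so they can be applied as a security template fragment in the same way as the local security policy. The fragment below is an added example for this page, not from Microsoft's shipped templates; the D:\Logs path for the relocated log is an assumption (the partition must exist and the log service re-reads the location only after a restart), and the log sizes are the upper end of the 10-50 MB range recommended above.

```ini
; ucb-logs.inf - constructed example template fragment for event log and
; Terminal Services settings on a Windows 2000 server. Apply like any template:
;   secedit /configure /db %windir%\security\database\ucb-logs.sdb /cfg ucb-logs.inf /log ucb-logs.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; MaximumLogSize is in KB (51200 KB = 50 MB, a multiple of the 64 KB increment the
; Event Viewer rounds to). AuditLogRetentionPeriod 0 = overwrite events as needed.
; RestrictGuestAccess 1 = guests and anonymous users may not read the log.
[Security Log]
MaximumLogSize = 51200
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1

[Application Log]
MaximumLogSize = 51200
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1

[System Log]
MaximumLogSize = 51200
AuditLogRetentionPeriod = 0
RestrictGuestAccess = 1

[Registry Values]
; Relocate the security log to a dedicated log partition (Q216169). D:\Logs is an
; assumed path; create it, give Administrators and SYSTEM full control and nobody
; else any access, then restart the server for the new location to take effect.
MACHINE\System\CurrentControlSet\Services\EventLog\Security\File=2,"D:\Logs\SecEvent.Evt"
; Terminal Services RDP-Tcp encryption: 1 = Low, 2 = Medium (the default), 3 = High.
; High needs 128-bit support (Service Pack 2) on both server and client.
MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\MinEncryptionLevel=4,3
```

After applying the fragment, the Event Viewer log properties and the RDP-Tcp Properties dialog in Terminal Services Configuration should show the new values; checking them there confirms the template was read correctly before the server goes back on the network.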
- Backups
- Create an Emergency Repair Disk
- This can be done from the built-in backup program located under the Start menu inside Programs, then Accessories, then System Tools.
- Do regular backups of at least irreplaceable information. If possible, do full backups of critical systems like servers.
- Keep backups in a separate, secure location if possible. Ideally this location would be in a separate building than the original computer in case of a fire or other disaster.
- Keeping up on patching
- Join the Microsoft security bulletins e-mail list mentioned earlier to be notified of new security patches.
- Several tools are available for checking and installing patches including:
- MS Network Security Hotfix Checker (hfnetchk) - a tool that allows you to check which security hotfixes are installed on computers
- Qchain - a tool that allows you to install multiple hotfixes while only rebooting once
- MS Personal Security Advisor - a web page that checks for security hotfixes and other common security issues with Windows operating systems
- Windows Update - a web page found in the Start menu of most Windows computers that checks for various updates to Windows. It does not currently include all security updates and should not be used in place of one of the other tools.
- Windows Update Corporate site - a complementary site to the regular Windows Update site that allows updates and patches to be downloaded as files and then distributed in various ways.
- Update Expert - a third-party tool that checks for security and non-security hotfixes for MS products on computers and can remotely install missing patches
More information
- Microsoft
- ITS
- Other web sites
- Books
Getting Help
help@colorado.edu