Hardening Windows W2K Server
- Install 2000 Server operating system
- Install only options required
- Specify machine is part of a Workgroup and not a domain
- Install latest OS service patches as recommended at
http://v4.windowsupdate.microsoft.com/en/default.asp
- Install all needed "critical updates"
- Install all needed "Windows 2000 updates"
- Install latest Office updates as recommended at
http://office.microsoft.com/productupdates/
- Run Microsoft Baseline Security Analyzer (MBSA) that can be found at
http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration.
Note: This product will automatically set some of the settings below.
- Rename the "Everyone" Group to a different name
- Rename the "Administrator" account to a different name (do not use "admin")
- Run syskey.exe, select Encryption Enabled, then select Ok
Registry Changes
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption
change value to include your company name or site owner
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText
change value to "Unauthorized Use Prohibited by 18, U.S.C."
- Run drwtsn32 and uncheck all options except "Append to Existing Log File"
- Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
- Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
- Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
- Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
- Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp
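The registry items above, applied and then read back, as an added example that is not part of the original checklist. It assumes Windows PowerShell run from an elevated prompt on a current Windows release (Windows 2000 predates PowerShell; there the same values are set with regedit or a .reg file). OS2, Posix, Optional and the two RPC client protocols are values under their keys, not subkeys, so they are removed with Remove-ItemProperty. $CompanyName is a placeholder.

```powershell
# Added example: apply the checklist's registry items and show the result.
# Assumes an elevated Windows PowerShell session. $CompanyName is a placeholder.
$CompanyName = 'EXAMPLE-COMPANY'

$winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
$subsys   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems'
$rpc      = 'HKLM:\SOFTWARE\Microsoft\RPC\ClientProtocols'

# Pre-logon legal notice (the same two values the Security Options items set).
Set-ItemProperty -Path $winlogon -Name LegalNoticeCaption -Value $CompanyName
Set-ItemProperty -Path $winlogon -Name LegalNoticeText    -Value 'Unauthorized Use Prohibited by 18, U.S.C.'

# OS/2 and POSIX subsystem entries are values under the SubSystems key.
foreach ($value in 'OS2', 'Posix', 'Optional') {
    Remove-ItemProperty -Path $subsys -Name $value -ErrorAction SilentlyContinue
}

# RPC client protocols are likewise values under ClientProtocols.
foreach ($value in 'ncacn_ip_tcp', 'ncadg_ip_udp') {
    Remove-ItemProperty -Path $rpc -Name $value -ErrorAction SilentlyContinue
}

# Read back what is now stored, so the change can be recorded in the build log.
Get-ItemProperty -Path $winlogon | Select-Object LegalNoticeCaption, LegalNoticeText
Get-ItemProperty -Path $subsys   | Select-Object * -ExcludeProperty PS*
Get-ItemProperty -Path $rpc      | Select-Object * -ExcludeProperty PS*
```

Run the read-back section on its own first to capture the pre-change values; the subsystem and RPC values only take effect after a reboot, so verify the server's applications still work before the change is recorded as final.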
Control Panel Changes
Control Panel\System\Advanced\Startup and Recovery
- Set display list to 10 seconds
- Check "Automatic Reboot"
- Set Write Debugging Information to "none"
- Enforce password history to 8
- Minimum password length to 8
- Maximum password age to 30
\Account Lockout Policy
- Account lockout duration to 10 minutes
- Account lockout threshold to 5
- Reset account lockout counter to 10 minutes
- Audit account logon events to Success, Failure
- Audit account management to Success, Failure
- Audit directory service access to Success, Failure
- Audit login events to Success, Failure
- Audit policy change to Success, Failure
- Audit privilege use to Success, Failure
- Audit process tracking to Success, Failure
- Audit system events to Success, Failure
- Allow System to Be Shut Down Without Having to Log On to Disabled
- Audit Use of Backup and Restore Privilege to Enabled
- Clear Virtual Memory Pagefile When System Shuts Down to Enabled
- Disable CTRL-ALT-DEL Requirements for Login to Disabled
- Do Not Display Last User Name in Login Screen to Enabled
- Message Text for Users Attempting to Log On to "Unauthorized use prohibited by 18, U.S.C"
- Message Title for Users Attempting to Log On to company or site owner's name
- Prevent Users from Installing Printer Drivers to Enabled
- Recovery Console: Allow Automatic Administrative Login to Disabled
- Restrict CD-ROM Access to Locally Logged-On User to Enabled
- Restrict Floppy Access to Locally Logged-On user to Enabled
- Set Unsigned Driver Installation Behavior to Do not allow
(NOTE: May prevent software installs)
- Unsigned Non-Driver Installation Behavior to Do not allow
(NOTE: May prevent software installs)
- Additional restrictions for anonymous connections to No access without explicit anonymous permissions
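A check of the password, lockout and audit items above against a security template export, as an added example that is not part of the original checklist. It assumes a current Windows release with secedit.exe and an elevated session; the expected values are the checklist's, and the [System Access] and [Event Audit] key names are those secedit writes. The sample export embedded below is constructed, with two deliberate deviations, so the script runs offline; set $UseSample to $false to export and check the live machine instead.

```powershell
# Added example: verify Password Policy, Account Lockout Policy and Audit Policy
# against a secedit export. Constructed sample below; $UseSample=$false checks live.
$UseSample = $true

# Constructed sample of the two relevant sections of a secedit export.
# Deviations from the checklist: MaximumPasswordAge and AuditPrivilegeUse.
$SampleInf = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordHistorySize = 8
LockoutBadCount = 5
ResetLockoutCount = 10
LockoutDuration = 10
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 3
AuditDSAccess = 3
AuditAccountLogon = 3
'@

# Expected values from the checklist. Audit encoding: 1 = Success,
# 2 = Failure, 3 = Success and Failure.
$Expected = @{
    'System Access' = @{
        PasswordHistorySize   = 8
        MinimumPasswordLength = 8
        MaximumPasswordAge    = 30
        LockoutDuration       = 10
        LockoutBadCount       = 5
        ResetLockoutCount     = 10
    }
    'Event Audit' = @{
        AuditAccountLogon    = 3
        AuditAccountManage   = 3
        AuditDSAccess        = 3
        AuditLogonEvents     = 3
        AuditPolicyChange    = 3
        AuditPrivilegeUse    = 3
        AuditProcessTracking = 3
        AuditSystemEvents    = 3
    }
}

function ConvertFrom-SecurityTemplate {
    # Minimal INI parser: returns @{ Section = @{ Key = Value } }.
    param([string[]]$Lines)
    $result = @{}
    $section = ''
    foreach ($line in $Lines) {
        $t = $line.Trim()
        if ($t -match '^\[(.+)\]$') { $section = $Matches[1]; $result[$section] = @{}; continue }
        if ($section -and $t -match '^([^=]+?)\s*=\s*(.*)$') { $result[$section][$Matches[1]] = $Matches[2] }
    }
    return $result
}

if ($UseSample) {
    $lines = $SampleInf -split "`r?`n"
} else {
    $tmp = Join-Path $env:TEMP 'secpol-export.inf'
    secedit /export /cfg $tmp | Out-Null
    $lines = Get-Content -Path $tmp
}
$policy = ConvertFrom-SecurityTemplate -Lines $lines

# One line per checklist item: OK or FAIL with expected and found values.
foreach ($section in $Expected.Keys) {
    foreach ($key in $Expected[$section].Keys) {
        $want   = $Expected[$section][$key]
        $actual = $policy[$section][$key]
        $ok     = ($null -ne $actual) -and ([int]$actual -eq $want)
        '{0,-4} {1}\{2}: expected {3}, found {4}' -f $(if ($ok) { 'OK' } else { 'FAIL' }), $section, $key, $want, $actual
    }
}
```

Against the constructed sample the output shows FAIL for MaximumPasswordAge (42 instead of 30) and AuditPrivilegeUse (Failure only instead of Success and Failure) and OK for everything else. The Security Options items in the same checklist section appear in the export's [Registry Values] section and can be checked with the same parser.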
- Deselect all components except "Internet Protocol (TCP/IP)"
select Internet Protocol (TCP/IP), select Properties, select Advanced\WINS
- Disable NetBIOS over TCP/IP
- Disable LMHOSTS lookup
select Internet Protocol (TCP/IP), select Properties, select Advanced\Options\TCP/IP filtering
- Disable or filter all TCP, UDP, and IP ports as needed
- Guest account\General Tab\Cannot change password
- Guest account\General Tab\Password never expires
- Guest account\General Tab\Account disabled
- Guest account\Dial-in Tab\Remote Access Permission\Deny access
Services
Configure the following Windows Services to start automatically:
- DNS Client
- Event Log
- Logical Disk Manager
- IPSec Policy Agent
- Plug and Play
- Protected Storage
- Remote Registry Service
- RunAs
- Security Accounts Manager
- Task Scheduler
- Application Management
- ClipBook
- COM+ Event System
- Logical Disk Manager Administrative Service
- Distributed Link Tracking Server
- Fax Service
- File Replication
- Indexing Service
- Internet Connection Sharing
- Net Logon
- NetMeeting Remote Desktop Sharing
- Network Connections
- Network DDE
- Network DDE DSDM
- NT LM Security Support Provider
- Performance Logs and Alerts
- Qos RSVP
- Remote Access Auto Connection Manager
- Remote Access Connection Manager
- Remote Procedure Call (RPC) Locator
- Smart Card
- Smart Card Helper
- Uninterruptible Power Supply
- Utility Manager
- Windows Installer
- Windows Management Instrumentation Driver Extensions
- DHCP Client
- Intersite Messaging
- Kerberos Key Distribution Center
- Messenger
- Print Spooler
- Routing and Remote Access
- Simple Mail Transport Protocol (SMTP)
- Telephony
- Telnet
- Terminal Services
- Windows Time
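A report on the services named in this section, as an added example that is not part of the original checklist. The first list is the one the checklist requires to start automatically; the headings for the second and third lists did not survive, so those services are only flagged when found running, for the administrator to decide. Display names are matched exactly as the checklist writes them, so on a later Windows release some will report as not installed. It assumes Windows PowerShell 3 or later (Get-CimInstance) and an elevated session when $Enforce is set.

```powershell
# Added example: audit the checklist's service lists. $Enforce=$true also sets
# the first group's startup type to Automatic; the other groups are report-only.
$Enforce = $false

$Automatic = @(
    'DNS Client', 'Event Log', 'Logical Disk Manager', 'IPSec Policy Agent',
    'Plug and Play', 'Protected Storage', 'Remote Registry Service', 'RunAs',
    'Security Accounts Manager', 'Task Scheduler'
)
$Review = @(
    'Application Management', 'ClipBook', 'COM+ Event System',
    'Logical Disk Manager Administrative Service', 'Distributed Link Tracking Server',
    'Fax Service', 'File Replication', 'Indexing Service', 'Internet Connection Sharing',
    'Net Logon', 'NetMeeting Remote Desktop Sharing', 'Network Connections', 'Network DDE',
    'Network DDE DSDM', 'NT LM Security Support Provider', 'Performance Logs and Alerts',
    'QoS RSVP', 'Remote Access Auto Connection Manager', 'Remote Access Connection Manager',
    'Remote Procedure Call (RPC) Locator', 'Smart Card', 'Smart Card Helper',
    'Uninterruptible Power Supply', 'Utility Manager', 'Windows Installer',
    'Windows Management Instrumentation Driver Extensions', 'DHCP Client',
    'Intersite Messaging', 'Kerberos Key Distribution Center', 'Messenger', 'Print Spooler',
    'Routing and Remote Access', 'Simple Mail Transport Protocol (SMTP)', 'Telephony',
    'Telnet', 'Terminal Services', 'Windows Time'
)

function Get-ServiceReport {
    # One row per checklist entry: short name, StartMode (Auto/Manual/Disabled), State.
    param([string[]]$DisplayNames, [string]$Group)
    foreach ($display in $DisplayNames) {
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "DisplayName='$display'"
        if (-not $svc) {
            [pscustomobject]@{ Group = $Group; Service = $display; Name = '-'; StartMode = 'not installed'; State = '-' }
            continue
        }
        [pscustomobject]@{ Group = $Group; Service = $display; Name = $svc.Name; StartMode = $svc.StartMode; State = $svc.State }
    }
}

$rows = @(Get-ServiceReport -DisplayNames $Automatic -Group 'Automatic') +
        @(Get-ServiceReport -DisplayNames $Review    -Group 'Review')
$rows | Format-Table -AutoSize

# Findings: required services not set to Auto, and review-group services running.
$rows | Where-Object { $_.Group -eq 'Automatic' -and $_.StartMode -ne 'Auto' } |
    ForEach-Object { "ACTION: '$($_.Service)' should start automatically (currently $($_.StartMode))" }
$rows | Where-Object { $_.Group -eq 'Review' -and $_.State -eq 'Running' } |
    ForEach-Object { "REVIEW: '$($_.Service)' is running; the checklist lists it for change" }

if ($Enforce) {
    $rows | Where-Object { $_.Group -eq 'Automatic' -and $_.Name -ne '-' -and $_.StartMode -ne 'Auto' } |
        ForEach-Object { Set-Service -Name $_.Name -StartupType Automatic }
}
```

Run it once before and once after the build to keep both reports with the server's documentation; a later rerun that shows a review-group service back in the Running state is worth investigating.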
General Changes
For the Everyone Group that was renamed
- C Drive: Documents and Settings folder rights: Read and Execute, List Folder Contents, Read
- C Drive: WinNT folder rights: none
- Web folder: Read and Execute, List Folder Contents, Read
c:\winnt\system32 files
- arp.exe
- at.exe
- cacls.exe
- cmd.exe
- command.com
- debug.exe
- edit.com
- edlin.exe
- finger.exe
- ftp.exe
- ipconfig.exe
- nbtstat.exe
- net.exe
- netstat.exe
- nslookup.exe
- ping.exe
- posix.exe
- rdisk.exe
- rcp.exe
- rexec.exe
- regedit.exe
- regedt32.exe
- route.exe
- rsh.exe
- runonce.exe
- syskey.exe
- tracert.exe
- telnet.exe
- xcopy.exe
- (And any others not needed)
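An ACL report for the system32 files listed above, as an added example that is not part of the original checklist. It assumes the checklist's intent is to remove the renamed Everyone group's rights on these files, and $GroupName is a placeholder for whatever that group was renamed to. Explicit entries are removed only when $Enforce is set; inherited entries are reported but left alone, since removing them means breaking inheritance on the file.

```powershell
# Added example: show (and optionally remove) the renamed Everyone group's
# explicit access entries on the checklist's system32 files. Placeholders: $GroupName.
$GroupName = 'EXAMPLE-RenamedEveryone'
$Enforce   = $false
$System32  = Join-Path $env:SystemRoot 'system32'

$Files = @(
    'arp.exe', 'at.exe', 'cacls.exe', 'cmd.exe', 'command.com', 'debug.exe', 'edit.com',
    'edlin.exe', 'finger.exe', 'ftp.exe', 'ipconfig.exe', 'nbtstat.exe', 'net.exe',
    'netstat.exe', 'nslookup.exe', 'ping.exe', 'posix.exe', 'rdisk.exe', 'rcp.exe',
    'rexec.exe', 'regedit.exe', 'regedt32.exe', 'route.exe', 'rsh.exe', 'runonce.exe',
    'syskey.exe', 'tracert.exe', 'telnet.exe', 'xcopy.exe'
)

foreach ($file in $Files) {
    $path = Join-Path $System32 $file
    if (-not (Test-Path -Path $path)) { "{0,-14} not present" -f $file; continue }

    $acl = Get-Acl -Path $path
    # Match both 'GROUP' and 'MACHINE\GROUP' forms of the identity.
    $entries = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq $GroupName -or $_.IdentityReference.Value -like "*\$GroupName"
    })
    if ($entries.Count -eq 0) { "{0,-14} no entry for {1}" -f $file, $GroupName; continue }

    $changed = $false
    foreach ($entry in $entries) {
        $kind = if ($entry.IsInherited) { 'inherited' } else { 'explicit' }
        "{0,-14} {1,-5} {2,-9} {3}" -f $file, $entry.AccessControlType, $kind, $entry.FileSystemRights
        if ($Enforce -and -not $entry.IsInherited) {
            $acl.RemoveAccessRule($entry) | Out-Null
            $changed = $true
        }
    }
    if ($changed) { Set-Acl -Path $path -AclObject $acl; "{0,-14} explicit entries removed" -f $file }
}
```

Keep the first run's output as the record of what the group could reach before the change; files that only show inherited entries take their rights from the system32 folder ACL rather than from the file itself.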
- Stop Administrative Web Site
- Stop Default SMTP Virtual Server
- Stop FTP Site if installed
- Delete the "iisstart.asp" in the WWWRoot directory
- Delete the "iissamples" folder under the "inetpub" directory
- Delete the "iisadmin" folder under the "inetpub" directory
- Delete the "iishelp", "iisadmin" and "iissamples" virtual directories for all current webs.
NOTE: These directories should be deleted on any future webs also.
- Set screen saver to "Logon Screen Saver"
- Set screen saver to 5 minutes
- Check password protect
- Disable Guest account
- Uncheck Internet Locator services if an option
- Disable or close all unnecessary ports
- Be sure to grant IP access to any machine that will be used to administer the server remotely
- Enable "start program on Windows startup" option
- Turn on all activity logs (detection, quarantine, etc)
- Disable "audible alert" option
- Check that "how to respond when a virus is found" is set for an automatic solution.
(Norton, for example, uses a default of "ask me what to do".)
- Enable scan of "master boot records"
- Enable scan of "boot records"
- Scan all inbound file types
- Create directory for web content (do not use default web directory)
- Load content
- Set directory, and .NET if applicable, permissions
- Use SiteRecon's URL Comments page (http://www.siterecon.com/URLComments.aspx)
to verify that no inappropriate comments are embedded in your pages.
- Use a vulnerability scanner or scanning service to verify your site is secure and no
vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous
companies to select from.
NOTE: Other security steps may be required based on your system, architecture, and specific needs!
Site and server security requires daily procedures to ensure a proper defense. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.