Installing a Safe Windows 2000 Web Server- Best Practices
Outline for IIS web server setup.
Preparation work for new system- Steps to take
Planning for a Reliable Web Server
Installing the OS
Post Set Up Issues to Address
Best Practices for Windows 2000 (From Labmice.net)
Our Own Suggestions
Appendix
LONG TERM CARE OF THE SYSTEM - BEST PRACTICES
This section will address long term methods to ensure safe administration of the OS and IIS. We used the best practices from LabMice.Net since they seemed well thought out and are periodically updated. There are many sources for this type of information and we encourage you to always be on the lookout for new techniques to keep your system secure and healthy.
PREPARATION FOR THE NEW SYSTEM
PLANNING FOR A RELIABLE WEB SERVER
While most departments on campus have standardized on the use of RAID and formal server class systems to house important services such as IIS and database programs, we still suggest you visit the issue of sizing and tuning your system properly. Dell, Compaq and IBM all offer web-based or GUI-based sizing tools to assist you in planning for adequately sized systems. NACS can also offer their suggestions based on our own work with all Microsoft products and all major hardware platforms. We run most Back Office products and have extensive experience with Compaq and Dell servers.
With the proper hardware in place, your system setup planning should focus on allowing yourself easy data recovery and maximum availability. NACS has found that when your needs for reliability and uptime dictate a 99.99% uptime, you should consider a dual boot system. You may use the following scenario as an example of how to size partitions and maximize your reliability.
This is only one example of how to build a system for maximum availability, and your group might feel more comfortable using alternative methods such as Ghosting the system. We don’t describe that here due to the issues with building boot disks and the fact that Ghost requires you to have a FAT partition to run the program. We have used the process on systems, but it requires much more trial and error testing to get it working well.
Server specs- Compaq Proliant DL 360 PIII 933 MHz (dual processor capable), 512 Megs of RAM, Embedded RAID Controller, Two 18.1 GB Drives and dual onboard NIC’s.
Drive setup- The system uses RAID 1, so the drives are mirrored using the RAID array built into the motherboard. An 18.1 GB drive will be visible as an available drive once the setup process begins. Since the option of using larger partitions under Windows 2000 does exist, you might want to use a larger size, but a 4.0 gig C:\ drive for the primary OS installation is sufficient. Format it with the NTFS option and complete the installation (described later in this paper in “Installing the OS”). Once the OS is completely installed and patched, we may use the Disk Management tool to create additional drives with the unused space on our array.
Use a 3-4 Gig partition for D:\ and the rest of the available space for E:\. On D:\ we will install another Windows 2000 OS and just leave it with the default settings. This second OS allows you to boot into it to recover from any software or driver issues that might render the primary OS inoperable. Once both OS’s are completed, you will have to set the default OS and choose the amount of time to wait for selecting either OS. Boot into either OS installation and make these changes-
**Important** If you are not sure how to do this, or are uncomfortable with the process, please contact a local Computing Support Coordinator for help. Improperly edited boot.ini files WILL render your system inoperable and you will not be able to get back into any OS installation.
Example of the edited file, opened in Notepad:
[boot loader]
timeout=10
You can also edit Windows to offer you a choice of which OS to use once the system boots up by going to Control Panel > Settings > System, editing the Advanced tab > Startup and Recovery, and then selecting which OS to boot to using the drop down menu. The OS installations will both be named Windows 2000, so you will most likely have to try to find out which one is the fully patched installation. You may also assign the time allowed for making that choice in this window.
*Note* In order to prevent someone rebooting the server into the unpatched Windows 2000 OS and making it available online, you can disable the NIC in the secondary OS hardware profile.
Use the most current version of the Operating System with the latest Service Pack included in it. Currently there are installation CD’s for Windows 2000 with the latest Service Pack included in the setup. If you do not have access to such a setup CD, then download all Service Packs and Hot fixes from Microsoft ahead of time and save them onto a CD for use later on. Microsoft Tech Net lists all Hot Fixes (HF) by Service Pack date, and you can download all pertinent HF files that way.
Once the OS setup process is completed, you may install all necessary patches by using QChain to script the entire process. Patching offline is necessary to avoid infecting the system in the time it takes to download all the files from Microsoft. This is an EXTREMELY important process to follow. Please skip to the “Post Setup Issues to Address” section for more information on this process.
We will provide you with links on how to use QChain.exe, the Microsoft tool that simplifies scripting multiple Hot Fixes to run with a single reboot at the end of the process. Use of QChain and HFNetChk will allow you to make sure your system comes online in as up-to-date a manner as possible. Please follow the link in the Appendix to see sample scripts and options for using QChain.
Important Setup Issues to Address
Unnecessary Services:
Microsoft DNS Server
Index Service
Remote Installation Services
WINS
Certificate Service
DHCP Server
Simple TCP/IP Services
SMTP
NNTP
Security Checklist
Account Policies
| Password Policy | Enforce password history | 7 passwords remembered |
| | Minimum length | 7 characters |
| | Lockout duration | 30 minutes |
| | Maximum password age | 90 days |
| | Minimum password age | 0 days |
| | Password must meet complexity requirements | Enabled |
| Account Policy | Account lockout duration | 30 minutes |
| | Account lockout threshold | 3 invalid attempts |
| | Reset lockout counter | 30 minutes |
Local Policies (Using the Local System Policy Tool)
System Audit Policy (see illustration below)
User Rights Assignment
The best solution is to remove the “Everyone” group from the following assignments-
Security Options (See illustration below)
Event Log Settings
All event logs should be set to capture at least 14 days of events, with 30 days as the preferred length. Setting the log size at 10048 KB should give you adequate space for such logging. Setting Access Control Lists on your logs to prevent them from being tampered with or deleted can be done at this time too. Note the path of the directory and set access at this level. The directory C:\WINNT\system32\config is the default location of the files, but you may decide to move them. Please consult the Microsoft Tech Net article to find out how to move them. This requires editing the registry, which should be done with extreme caution. http://support.microsoft.com/support/kb/articles/Q216/1/69.ASP
***Secure the logs wherever you decide to store them by setting access to the directory to: Administrators - Full Control / System - Full Control***
[Illustrations of the log file properties: Application Log, Security Log, System Log]
Disable unnecessary services
Using the Services feature under Control Panel or Administrative Tools, disable and stop the following services-
| Telnet Server | Workstation | Computer Browser |
| TCP/IP Helper | Net Meeting | Remote Registry |
| DHCP Client | Net Logon Server | Fax |
| Internet Connection Sharing | Simple Mail Transport Protocol | |
[Illustration: example of a stopped and disabled service]
Installation of web directories
Due to recent web folder infections we have seen traversals from C:\Inetpub to C:\WINNT\system32 using scripted shell attacks. From there a command is executed to ping hosts on a remote network. The specific way to prevent this is to locate your Inetpub directory on a separate drive such as D:\ or E:\. Do not use D:\ if you use a dual boot setup!
IIS Auditing Settings
Auditing IIS is EXTREMELY important. Reporting tools, and even manual review of access to the system, will require you to set auditing of the following items-
Client IP Address, User Name, Method, URI Stem, HTTP Status, Win32 Status, User Agent, Server IP Address, Server Port, URI Query
Edit this by opening the IIS Administrator tool and opening the properties of the web page you will have online. These settings also may be used for FTP if you have that enabled.
(See illustrations)
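As an added example (not part of the original guide), the following Python script parses IIS 5.0 W3C extended log lines carrying the fields listed above and flags the request patterns this guide sets out to block: traversal out of Inetpub toward WINNT\system32, calls to the locked-down system32 executables, the script mappings to be removed, and the sample directories to be deleted. The log excerpt and IP addresses inside it are constructed.

```python
"""Review IIS 5.0 W3C extended log lines for the request patterns this guide
tells you to shut down: traversal out of Inetpub into WINNT\\system32, use of
the system32 executables whose ACLs it locks down, the script mappings it
removes, and the sample/admin virtual directories it deletes.
The log excerpt at the bottom is constructed for this example."""
import re
from urllib.parse import unquote

# Extensions the guide says to remove from the IIS application mappings.
REMOVED_MAPPINGS = {".htr", ".htw", ".printer", ".ida", ".idc", ".idq",
                    ".stm", ".shtm", ".shtml"}
# Virtual directories the guide says to delete (lower-case URL prefixes).
DELETED_DIRS = ("/iissamples", "/iisadmpwd", "/msadc", "/adminscripts")
# Executables from the guide's WINNT\system32 list, without the .exe suffix.
LOCKED_EXES = {"cmd", "ping", "tftp", "ftp", "net", "cscript", "wscript",
               "cacls", "debug", "telnet", "rcp", "rsh", "at"}


def decode(text):
    """Percent-decode twice and lower-case, so '%255c' still shows as '\\'."""
    return unquote(unquote(text)).lower()


def parse_w3c(lines):
    """Yield one dict per request line, keyed by the names in the #Fields line."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue                      # other directives carry no requests
        if fields is None:
            raise ValueError("request line seen before a #Fields directive")
        values = line.split(" ")
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        yield dict(zip(fields, values))


def rules_for(entry):
    """Return the rule names (in fixed order) that fire for one parsed entry."""
    stem = decode(entry["cs-uri-stem"])
    query = decode(entry.get("cs-uri-query", "-"))
    if query == "-":                      # W3C logs write '-' for an empty field
        query = ""
    hits = []
    # 1. A '..' path segment after decoding, with '\' treated like '/'.
    if ".." in re.split(r"[\\/]", stem):
        hits.append("traversal")
    # 2. Any locked-down executable named in the path or the query string.
    tokens = re.findall(r"[a-z0-9.]+", stem + " " + query)
    names = {t[:-4] if t.endswith(".exe") else t for t in tokens}
    if names & LOCKED_EXES:
        hits.append("locked-executable")
    # 3. A request for an extension that should no longer be mapped.
    last = stem.rsplit("/", 1)[-1]
    if "." in last and "." + last.rsplit(".", 1)[-1] in REMOVED_MAPPINGS:
        hits.append("removed-mapping")
    # 4. A request under a sample or admin directory that should be gone.
    if stem.startswith(DELETED_DIRS):
        hits.append("deleted-sample-dir")
    return hits


def review(lines):
    """Return one summary dict per flagged request, in log order."""
    flagged = []
    for entry in parse_w3c(lines):
        rules = rules_for(entry)
        if rules:
            flagged.append({"c-ip": entry["c-ip"],
                            "cs-uri-stem": entry["cs-uri-stem"],
                            "sc-status": entry["sc-status"],
                            "rules": rules})
    return flagged


def by_client(flagged):
    """Count flagged requests per client IP, the first thing to look at."""
    counts = {}
    for item in flagged:
        counts[item["c-ip"]] = counts.get(item["c-ip"], 0) + 1
    return counts


# Constructed sample log (not from a real server); the #Fields line lists the
# ten items the guide says to enable, plus date and time.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2002-03-01 00:00:00
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status sc-win32-status cs(User-Agent)
2002-03-01 00:00:01 192.0.2.10 - 198.51.100.5 80 GET /index.html - 200 0 Mozilla/4.0+(compatible)
2002-03-01 00:00:02 192.0.2.77 - 198.51.100.5 80 GET /scripts/..%5c../winnt/system32/cmd.exe /c+ping+192.0.2.1 404 3 -
2002-03-01 00:00:03 192.0.2.77 - 198.51.100.5 80 GET /default.ida XXXX 200 0 -
2002-03-01 00:00:04 192.0.2.88 - 198.51.100.5 80 GET /iisadmpwd/test.htr - 404 2 Mozilla/4.0
2002-03-01 00:00:05 192.0.2.10 - 198.51.100.5 80 GET /images/logo.gif - 200 0 Mozilla/4.0
"""

if __name__ == "__main__":
    flagged = review(SAMPLE_LOG.splitlines())
    for item in flagged:
        print(item["c-ip"], item["sc-status"], item["cs-uri-stem"], item["rules"])
    print(by_client(flagged))
```

A 404 on a flagged line means the request was refused; the same line with a 200 status is the one to investigate.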
Port Filtering
Port filtering allows you to filter out unnecessary access points on your
web server. There are many default ports that remain open to the outside
that serve no purpose other than to allow unauthorized access into the system.
Disabling ports such as the NetBIOS/TCP port (139), Remote Procedure Call/TCP
port (135) and NetBIOS/UDP (Port 135) will close several known exploit points.
Please consult the Microsoft Tech Net page for the latest listings of what ports
are used on your operating system and the services that are associated with
these ports.
Setting Permissions on WINNT
In order to protect the C:\WINNT\system32 directory from being exploited
you can set file and executable permissions to avoid unwanted usage by intruders.
You should set permissions for the files in C:\WINNT\system32 to allow authorized
users, and preferably only administrators should have full control of them.
You may remove POSIX and OS/2 subsystems by deleting them from the registry.
If you feel the previous issues are not important, the minimal security issue you MUST take is setting permissions on the ping.exe and cmd.exe files.
****Ping.exe and cmd.exe should be available only to administrators, and if you are looking for true security, remove all access to them completely.****
Specific Actions to consider for executables in WINNT
The recommendation to change permissions on the executables in the System32 folder is very important in order to prevent someone from exploiting your system. Intrusion is only part of the problem with hacking today. If your system is exploited and used in a DoS attack or to launch other intrusions, the likely result is that its connectivity to the outside world gets shut off. Set permissions to remove all access for everyone but administrators. (See illustration below) Use this on any or all of the following executables-
| ARP.EXE | AT.EXE | CACLS.EXE |
| CMD.EXE | CSCRIPT.EXE | DEBUG.EXE |
| EDIT.EXE | EDLIN.EXE | FINGER.EXE |
| FTP.EXE | IPCONFIG.EXE | ISSYNC.EXE |
| NBTSTAT.EXE | NET.EXE | NETSH.EXE |
| NETSTAT.EXE | NSLOOKUP.EXE | PING.EXE |
| POLEDIT.EXE | POSIX.EXE | QBASIC.EXE |
| RCP.EXE | RDISK.EXE | REGEDIT.EXE |
| REGEDT32.EXE | REXEC.EXE | ROUTE.EXE |
| RSH.EXE | RUNAS.EXE | RUNONCE.EXE |
| SECFIXUP.EXE | SYSKEY.EXE | TELNET.EXE |
| TFTP.EXE | TRACERT.EXE | TSKILL.EXE |
| WSCRIPT.EXE | XCOPY.EXE | |
Remove POSIX and OS/2 subsystems and DOS/Win16 --- check location
Modify the following registry values under HKEY_LOCAL_MACHINE:
| Subsystem | Value Name | Type | Recommended Value |
| | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\SubSystems\Optional | REG_BINARY | 00 00 |
| OS/2 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Os2 | REG_SZ | Remove |
| POSIX | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\Posix | REG_SZ | Remove |
| WIN16 | HKLM\SYSTEM\CurrentControlSet\Control\Session Manager\Subsystems\WOW | REG_SZ | Remove |
Remove the following files from C:\system32\dllcache:
| Filename | Description |
| ntio.sys | DOS io.sys equivalent |
| ntdos.sys | DOS dos.sys equivalent |
| command.com | DOS command interpreter |
| ntvdm.exe | Win16 VDM subsystem |
| krnl386.exe | Win16 VDM component |
and then remove the following from the C:\WINNT\system32 directory:
| Filename | Description |
| posix.exe | POSIX subsystem |
| psxdll.dll | POSIX component |
| psxss.exe | POSIX component |
| os2.exe | OS/2 1.x subsystem |
| os2ss.exe | OS/2 1.x component |
| os2srv.exe | OS/2 1.x component |
| os2 (directory) | Other OS/2 files |
Setting ACL’s for the IIS Directory (even if you move it to another drive)
Recommended default IIS ACL’s by file type.
Rather than setting ACL’s on each file, you are better off creating new
directories for each file type, setting ACL’s on the directory, and allowing
the ACL’s to inherit to the files. For example, a directory structure might
look like this:
C:\inetpub\wwwroot\myserver\static (.html)
C:\inetpub\wwwroot\myserver\include (.inc)
C:\inetpub\wwwroot\myserver\script (.asp)
C:\inetpub\wwwroot\myserver\executable (.dll)
C:\inetpub\wwwroot\myserver\images (.gif, .jpeg)
Also, be aware that two directories need special attention:
C:\inetpub\ftproot (FTP server)
C:\inetpub\mailroot (SMTP server)
The ACL’s on both these directories are Everyone (Full Control) and should be overridden with something tighter, depending on your level of functionality. Place the folder on a different volume than the IIS server if you're going to support Everyone (Write), or use Windows 2000 disk quotas to limit the amount of data that can be written to these directories.
Remove All Sample Applications and the IISADMPWD Virtual Directory
Sample web pages and scripts are included with IIS and should be deleted or not installed. Windows NT or IIS resource kits include more samples and provide handy tools for hackers. Delete the following directories:
\inetpub\iissamples and all subdirectories.
\Program Files\Common Files\System\msadc\Samples
\inetpub\AdminScripts
%systemroot%\System32\Inetsrv\IISadmpwd
Disable Dump File
Using the crash dump file is not something most people do regularly, so disable it by going to Control Panel > System Properties > Advanced > Startup and Recovery and changing the Write Debugging Information setting to “NONE”.
Password Protect the BIOS
Making changes to the BIOS should require a secure password.
Booting to other devices
Use the BIOS to disable booting from any device but the Hard Drive.
Clearing Page File
Clearing the system page file is recommended, but will mean longer times
for shut down and rebooting. The system will look like it is hung, but
it is merely clearing this large file. To enable this go to Local Security
Policy and under the Security Options enable the “Clear virtual memory page
file when system shuts down” entry.
Account access for FTP and IIS
Windows by default allows anonymous access for FTP and IIS web sites (other than the administrative and default pages). The account that uses this anonymous access is “IUSR_computername” and it allows clients to connect to your web site without having to log in. Restricting access for anonymous users is something you might want to consider. If your web site only needs to be accessed by authorized personnel or employees, you may have them log onto the web site, or restrict it to specific network subnets. You might want to consult Tech Net for information on how to restrict access by username/password by looking here- http://support.microsoft.com/support/kb/articles/Q310/3/44.ASP
You can restrict by subnet by reading the “IP Address Access Control” section of the IIS 5.0 checklist from Microsoft- http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/reskit/iis50rg/introiis.asp
Web Server Application Mappings
Another way for you to secure your system is to remove the default mappings
for web applications from the system. You may find these mappings by opening
properties for your web site, then under the Home Directories tab open up the
Configuration option and remove unnecessary mapping from here.
Another method is to use the Microsoft Security Toolkit or the IIS Lockdown tool to remove these mappings. Removing existing mappings on a server may render current operating Web sites unavailable, so be cautious in your editing.
See illustration for default mappings-
Remove these mappings to prevent them from exploitation-
.htr
.htw
.printer
.ida
.idc
.idq
.stm
.shtm
.shtml
Web DAV
Another issue is to set access on the file named Httpext.dll to deny Everyone.
To set this access, look in
C:\Winnt\system32\inetsrv
and open properties for this file. Then remove all entries except
Everyone, and then select deny Full Control.
(see illustration below)
BEST PRACTICES FOR WINDOWS 2000
From LabMice.Net
CREATE A RECOVERY DISK
Let's go a bit off-topic before
we begin. You should always create a recovery disk before messing with system
settings. Get a blank diskette.
Start -> Programs -> Accessories -> System Tools -> Backup.
Select Backup Tab, go to Tools, and select "Create an Emergency Repair Disk".
---or---
If for some reason you don't have the Backup program in your system tools (it happens sometimes), you can access it by creating a shortcut.
Right-click on the desktop -> New -> Shortcut. In the box type in:
%SystemRoot%\system32\NTBACKUP.EXE under the name, type in "Backup"
RECOVERY CONSOLE
Another handy tool that can be used in the event of an emergency is the Recovery
Console. This lets you fix disks when you can't boot into Windows, create/format
partitions, and disable/enable services, among other things. It's a useful second
step, usually AFTER you try your ERD. While you can run it many ways, the easiest
is to load it as a boot-time option (when you press F8 while Windows is loading).
To do this, put in your Windows 2000 CD, go to Start -> Run and type in X:\i386\winnt32.exe
/cmdcons where "X" is the CD-ROM drive letter (note there is a space
between "winnt32.exe" and "/cmdcons"). I won't go into how
to use it here (it's a lot like DOS, and uses some of the same commands). The
following article describes it in more detail: http://support.microsoft.com/support/kb/articles/q216/4/17.asp?id=Q216417&sd=GN&fr=0&ln=EN-US
ACCOUNT MANAGEMENT
The default Win2000 installation will come with two accounts: "Administrator",
and "Guest". You should disable "Guest", rename "Administrator",
and create at least one account that you will use as your main account.
While you are in "Users and Passwords" we can change a few other things. Rename the Administrator account by right-clicking on it and going to "Rename". Make it something you can remember, but avoid having "Administrator" or "Admin" as part of the name. Right-click on the new name, go to Properties, and clear out the "Full Name" and "Description" boxes. (A lot of people argue this step is like "putting tape on a safe", in that it does not increase security all that much. In a regular network system this is probably true. In fact NSA guidelines for hardening an NT workstation even leave this step out. There are so many ways to get a list of user names that it isn't worth it, and could be counter-productive in that it gives you a false sense of security. However, on a non-networked workstation, there are just a few ways you can get user names off the net, and we will be patching the known ones up for the most part, so this step is still useful for this type of setup).
Make a dummy Administrator account going to "Action" and selecting "New User". Name it Administrator. Right-click on it, go to Properties, and go to the "Member Of" tab. Make sure it is not a member of anything. If it is, highlight them and hit "Remove". Right-click on the dummy Administrator account, select "Set Password", and give it a (very) strong password (see below).
Create an account you will use every day. Click on "Add" in the "Users" tab. Put in the name and password when prompted (ALWAYS use a password, see below). At this point, you need to select what type of account this is. The standard advice is for your main account to be a "Standard User (Power Users Group)". This setting will allow you to add/remove programs, but restricts a lot of system settings. This setting is necessary for many programs written for Windows NT. Note that Power Users cannot install many programs written for NT, as they change system registry settings which Power Users do not have access to.
For more security (but bigger headaches) you can also try the "Restricted User (User Group)" setting for more security. This type of user can't even install or remove programs, and so are very safe from Trojans. They should be able to run any program that was written to be compatible with Win2000.
If you need administrative rights to access a program (such as Regedit), you can use the "Run As" feature in Win2000. Just right click the program you want to run, and select "Run As". You can then type in the name and password of your renamed Administrator account.
Log in with Administrator access as rarely as possible. A Trojan that is run by mistake, or a malicious ActiveX or Java component run by a webpage, will have access to anything the account has access to. Many bugs that let hostile web pages damage your system have already been found, and more are most likely out there. If a dangerous program runs as an Administrator, it will have access to your system files, such as the registry. Running as a Restricted User can mean the difference between having your individual User profile wiped out, versus having your entire system wiped out as an Administrator. Note that running a Trojan as a Standard User can affect some system-wide settings, but not all.
PASSWORDS
Always put in passwords, strong passwords.
Meaning a combination of lower-case, upper-case, numerals, and special characters
like !@#$%. You should NOT use real words or any word that is in the dictionary
in your password, as password-breaking programs will exploit this. For example,
instead of "RIOTGIRL" as a password, use "R10tG1rl" instead.
How many characters should you use? In Win2000, you can have up to 127 characters,
which is obviously not going to be used that often. The method in which passwords
are stored means that a 7-character password is probably the best for most people.
MS explains why: "On NT, passwords are strongest when they are 14 characters long, the maximum allowed by the User Manager GUI. But who can remember a 14-character password? The next best "magic number" is 7 characters. This is because the LANMan algorithm used to store the passwords within the SAM file breaks them into 7-character chunks before encrypting them. Thus a 10-character password is really 7 characters plus 3. The 3 are trivially guessed by modern password cracking tools, and it may provide clues to the composition of the other 7 (take, for example, the five-finger mambo: QWERTYUIOP - cracking the last three characters might make you guess about the other 7)."
There are some utilities that can crack your passwords, like L0phtCrack. To defeat these programs, there are certain ASCII characters accessed with the numeric keypad ALT key that you can include in your passwords. These will make an extremely hard password. These are shown at: http://sysopt.earthweb.com/articles/win2kpass/index.html IMPORTANT NOTE: There have been reports that some of these characters might not be recognized by the Recovery Console. To be on the safe side, you can allow automatic administrative login to your Recovery Console, instead of having to type in a password. (Obviously, you might not want to do this if you have other users that have physical access to your computer, as this could let them change system settings.) Go to Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Policy -> find the Local Policies tab, go into Security Options. Under "Recovery Console", ENABLE both "Allow automatic administrative logon" and "Allow floppy copy and access to all drives and folders".
Note the "account lockout" setting has no effect on the Administrator account. This is because MS doesn't want the administrator to be inadvertently locked out (and force a potential reinstall). It's bad in that this will allow a cracker to brute force the Administrator's password without ever being locked out. This is one reason to make the administrator password as strong as possible.
Examine the Password Policies settings too. Settings may be needed if you have other users on your system. Generally, these settings can be a real pain to use (as they require users to make new passwords at predefined times), but do help security.
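The 7-character chunking quoted above can be worked through in numbers. The Python below is an added example, not from LabMice.Net or this guide: it splits a password the way the LANMan scheme stores it (upper-cased, padded or cut to 14 bytes, two independent 7-byte halves) and compares the guesses needed against those halves with the naive search over the full length. The character set is constructed from the classes recommended above (upper, lower, digits, !@#$%).

```python
"""Why a 10-character password "is really 7 plus 3" under LANMan storage.

LM upper-cases the password, pads or truncates it to 14 bytes and stores two
7-byte halves that can be attacked independently, so the work is the sum of
two small searches rather than one search over the whole length.
"""
import string

# Constructed from the character classes the guide recommends: 67 symbols.
CHARSET = string.ascii_letters + string.digits + "!@#$%"


def lm_halves(password):
    """Return the two 7-byte halves the LM scheme derives from a password."""
    raw = password.upper().encode("latin-1", "replace")[:14]
    raw = raw.ljust(14, b"\0")             # short passwords are NUL-padded
    return raw[:7], raw[7:]


def effective_charset(charset):
    """Number of symbols that stay distinct after LM's upper-casing."""
    return len({c.upper() for c in charset})


def search_space(length, charset=CHARSET):
    """Return (naive guesses for the whole password, guesses against LM halves).

    Naive: every position is independent, so len(charset) ** length.
    LM: the first min(length, 7) characters and the remaining characters
    (at most 7 more) are cracked separately; anything past 14 characters
    is never stored at all.
    """
    naive = len(charset) ** length
    n = effective_charset(charset)
    first = min(length, 7)
    second = max(min(length, 14) - 7, 0)
    lm = n ** first + (n ** second if second else 0)
    return naive, lm


def strength_ratio(length, charset=CHARSET):
    """How many times fewer guesses the LM halves need than the naive search."""
    naive, lm = search_space(length, charset)
    return naive // lm


if __name__ == "__main__":
    print(lm_halves("R10tG1rl"))          # the guide's own sample password
    for length in (7, 10, 14):
        naive, lm = search_space(length)
        print(length, naive, lm, strength_ratio(length))
```

Lengths 7 and 14 are the two points where no part of the password is left as a short, easily guessed remainder, which is the reason behind the "magic number" in the quoted text.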
AUDITING
If someone does break in, you may not know it unless you have auditing enabled
and actually check your logs.
Start -> Programs -> Administrative Tools -> Local Security Policies -> Local Policies -> Audit Policy
Under “Audit account logon events records logons” select “Audit success” (to see if someone stole a password) and failure (for random password hacks). “Audit policy changes tracks security policy changes” - “Audit success and failure”. “Audit privilege use can identify when a user tries to use a right not assigned to them” - “Audit failure”. “Audit system events can monitor if someone clears the event log” - “Audit success and failure”.
Learn how to use Event Viewer, which lets you examine the logs. Info is shown at http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/event_overview_01.htm but the best way is to just run it and look. Note that under default conditions, you can only view the security logs from an administrator account.
To run Event Viewer, go to Start -> Run and type in eventvwr and go to the "security log" tab. You should make a shortcut to keep Event Viewer on your administrative account desktop for easy access (and to remind you to look at it). Do it as shown in the section above for creating a shortcut to the Backup program, but the path this time is:
%SystemRoot%\system32\eventvwr.exe
It is a good idea to put Event Viewer into your administrator account startup folder so it automatically starts when you boot up:
Start -> Settings -> Task Bar & Start Menu -> Advanced -> Add -> type in %SystemRoot%\system32\eventvwr.exe and hit
"Next", find the "Startup" folder (under Start Menu -> Programs) and double-click on it, hit "Finish."
It only takes a second to check the log and exit the program. Otherwise (take it from me) you will probably never bother.
OTHER SECURITY SETTINGS
Note: Many default Win2000
installations do not show the "Group Policy" tool. To add it, create
a shortcut to %SystemRoot%\system32\gpedit.msc and run it. It is useful to put
this shortcut into your Administrative Tools folder.
Start -> Programs -> Administrative Tools -> Local Security Policy -> Security Setting -> Local Policies -> Security Options:
Set "Additional restrictions for anonymous connections" to "No access without explicit anonymous permissions." (By default, an anonymous user is considered part of the "Everyone" group. Even though we restricted access to the "Everyone" group earlier, this provides another layer of protection. Note that in NT, the highest setting was "Do not allow enumeration of SAM accounts and shares", which replaces "Everyone" with "Authenticated Users" in the security permissions for resources. Win2000 has added the "no access" setting to provide even more security - this will take out both Everyone and any network connections that don't have explicit permission. Both these settings will defeat programs (i.e. "Redbutton") that log anonymously and are designed to find the names of user accounts and/or the name of the renamed Administrator account.)
Enable "Restrict users from installing printer drivers". This prevents others from installing bogus printer drivers. You will have to disable this if you replace or add a printer driver.
Think about enabling "Clear virtual memory pagefile when system shuts down". This is for the truly paranoid -- it wipes out the pagefile memory (the part of the hard drive that acts as RAM memory when you don't have enough RAM) on shutdown. This is mainly for those computers that have to be secure in case someone steals the hard drive, or laptops. Of course, there is the chance on a home system that a network user could gain control of your computer and mine this memory looking for stuff like admin passwords and credit cards. This option can add a LONG time to your shutdown time, so you should consider if you really need this.
Start -> Programs -> Administrative Tools -> Local Security Settings -> Security Setting -> Local Policies -> User Rights Assignment:
SHARING
Windows 2000 uses hidden directories for
use by the system account, but these can also be abused to break into your system.
You can disable the "Server" service as described above to stop people
from using these hidden directories, but you should also manually edit the registry
as well.
Run or create a shortcut to Regedit (the path is X:\WINNT\regedit.exe, where X is your Win2000 drive) Go into Regedit. Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters, select Edit -> New -> Dword Value. As the name, put in "AutoShareWks" if you have Windows 2000 Pro and "AutoShareServer" if you have Windows2000 Server. The value should come out to "REG_DWORD : 0" by default. If not, hit modify and change. Exit Regedit.
Note: disabling shares with Windows Explorer (as written in some other guides) will only work until the next reboot.
ENABLE TCP/IP FILTERING
I'll add this in for completeness
sake, but enabling TCP/IP filtering is often a pain if you don't know what you
are doing (and even when you are). Basically, you are instructing Windows to
let some connections in based on what ports they are accessing, and denying
the rest. (Outgoing connections are not affected; neither are most incoming
connections that are responding to a connection you have already established).
Let's repeat this as its important -- you are telling Win2000 what ports you
are NOT blocking, not those ports you want to block. Big difference. If you
turn filtering on and you don't tell it what you want to let through, it blocks
everything.
This is part of what a firewall does, and what the free firewalls mentioned above already do. This is just another layer of protection (in case, for example, a malicious program shuts down your primary firewall). The problem here is that if you don't know what ports are necessary, your computer might stop responding. For example, if you filter out tcp port 80, you won't be able to access web pages (http protocol).
Filtering is usually best when the computer is used for a specific purpose and you know it will only access certain ports (i.e. web or ftp server), and is much harder to accomplish when the computer is used for a variety of purposes (i.e. a general-purpose home computer) as the number and types of ports you need to access are much more numerous and varied. If you do want to play around with this, go to:
Start -> Settings -> Control Panel -> Network and Dial-up Connections
You need to go into all the connections listed here ("Local Area Connection" if you use DSL/Cable for example), then hit "Properties", double-click "Internet Protocol (TCP/IP)" -> Advanced -> Options, double-click "TCP/IP Filtering".
To enable filtering, click the "Enable TCP/IP Filtering (all adapters)" button. By default, "Permit All" is selected. To filter, select the box called "Permit Only".
Ports used by MS services (if you are using a network) are described in part here: http://support.microsoft.com/support/kb/articles/q150/5/43.asp
Third-party applications could use different ports, which you might need to find out. A partial list is at: http://www.iana.org/assignments/port-numbers
For a list of ports your computer is using now, go to:
Start -> Programs -> Accessories -> Dos Command Line and type in netstat -a at the command line.
Two freeware tools that are useful to find open ports on your computer are:
"Active Ports" program at: http://www.ntutility.com/freeware.html
and “TCPView” at http://www.sysinternals.com/ntw2k/source/tcpview.shtml
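Before switching the filter to "Permit Only", it helps to compare the planned permit list against what the machine is actually listening on, so you see in advance which services the filter will cut off. The following script is an added example written for this page, not a tool from the original document; it parses a constructed sample of numeric `netstat -an` output (assumed here instead of the name-resolved `netstat -a` form so the port numbers can be read directly) and reports, per protocol, which bound ports stay reachable under the plan and which the filter would block. The permit lists, port numbers and host addresses in it are made up for illustration.

```python
"""Audit a Windows 2000 'Permit Only' TCP/IP filter plan against netstat output."""
import re
from typing import Dict, List, Optional, Set, Tuple

# Constructed sample of `netstat -an` output from a hypothetical IIS host;
# not captured from a real system.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        192.168.1.55:1042      ESTABLISHED
  UDP    0.0.0.0:161            *:*
  UDP    0.0.0.0:445            *:*
"""

# A planned permit list for a dedicated web server, modelled on the dialog's
# per-protocol lists.  None stands for "Permit All" on that protocol.
WEB_SERVER_PLAN: Dict[str, Optional[Set[int]]] = {"TCP": {80, 443}, "UDP": set()}

# One netstat row: proto, local addr:port, foreign addr, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


def listening_ports(netstat_text: str) -> Dict[str, Set[int]]:
    """Return the ports something is bound to, keyed by protocol.

    TCP rows count only when in LISTENING state (ESTABLISHED rows are
    client connections, not services); UDP rows have no state column.
    """
    ports: Dict[str, Set[int]] = {"TCP": set(), "UDP": set()}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, _addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        ports[proto].add(int(port))
    return ports


def filter_impact(netstat_text: str,
                  plan: Dict[str, Optional[Set[int]]]) -> Dict[str, Tuple[List[int], List[int]]]:
    """For each protocol, split bound ports into (still reachable, blocked by filter)."""
    bound = listening_ports(netstat_text)
    impact: Dict[str, Tuple[List[int], List[int]]] = {}
    for proto in ("TCP", "UDP"):
        permitted = plan.get(proto)
        if permitted is None:  # Permit All: the filter blocks nothing here
            impact[proto] = (sorted(bound[proto]), [])
            continue
        reachable = sorted(p for p in bound[proto] if p in permitted)
        blocked = sorted(p for p in bound[proto] if p not in permitted)
        impact[proto] = (reachable, blocked)
    return impact


def report(netstat_text: str, plan: Dict[str, Optional[Set[int]]]) -> str:
    """Human-readable summary of filter_impact()."""
    lines = []
    for proto, (ok, blocked) in filter_impact(netstat_text, plan).items():
        lines.append(f"{proto}: still reachable {ok}; blocked by filter {blocked}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(report(SAMPLE_NETSTAT, WEB_SERVER_PLAN))
```

On the constructed sample the web-server plan leaves TCP 80 and 443 reachable and blocks 135, 445 and 3389 plus both UDP ports, which is exactly the trade-off the text describes: fine for a box that only serves web pages, but if you administer it over Terminal Services (3389) or rely on file sharing, the filter will take those away too, so read the blocked list before clicking OK.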
DRIVE PERMISSIONS
You can set up NTFS drives to allow read/write/edit permissions for different
users/files. This is another way to ensure protection of your system in case
an anonymous user gets access.
First, we need to replace the default permission that lets "Everyone" (including anonymous users and guests) access your drives, and set it up so only real users that have logged in have access. Go into Windows Explorer, expand "My Computer", right-click on your hard drive(s), and select "Properties". Go into the "Security" tab. Click Advanced. Under the Permissions Tab, select "Everyone". Hit View/Edit. Hit Change. Select "Authenticated Users". Hit OK, and OK again.
Next, we need to deny access to our dummy Administrator account, in case someone actually manages to log on with it. If you have not created a dummy Administrator account, don't follow the rest of these instructions or you may lock yourself out of your computer. Hit the "Add" button, and select "Administrator". IMPORTANT: Do NOT hit "Administrators", as this is the entire GROUP of (real) Administrators. You want the USER "Administrator". It will have an entry in the "In Folder" section next to the name; the "Administrators" GROUP will NOT. Hit "OK". Back in the main Security Tab, hit Advanced. Select Administrator. Hit View/Edit. For "Apply Onto:" make sure "This folder, subfolders and files" is selected. Then click all boxes under "Deny". Hit OK three times.
(If you have any other Names in the top box besides "Administrator" and "Authenticated Users", remove them unless you know they belong for some reason. There should not be anything else in a clean install.)
You have to repeat this for every drive / partition.
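The two steps above work because of how NTFS evaluates an ACL: an explicit Deny entry that matches any identity in the user's token (the user itself or a group it belongs to) wins over any Allow entry, which is also why the Deny on the decoy account locks you out if your real administrator is still named "Administrator". The following is an added example for this page, not code from the original document or from Microsoft; it is a simplified model of that evaluation (canonical ordering, Deny entries first, no inheritance) with constructed account names and group memberships, and it shows the default drive-root ACL, the hardened one from the steps above, and a lock-out check.

```python
"""Simplified model of NTFS allow/deny evaluation for the drive-root ACL steps."""
from dataclasses import dataclass
from typing import FrozenSet, List

# Rights used by the model; NTFS has finer-grained ones, this is enough to show precedence.
FULL: FrozenSet[str] = frozenset({"read", "write", "execute", "delete", "change_permissions"})
READ: FrozenSet[str] = frozenset({"read"})
WRITE: FrozenSet[str] = frozenset({"write"})


@dataclass(frozen=True)
class Ace:
    trustee: str            # user or group the entry applies to
    allow: bool             # True = Allow entry, False = Deny entry
    rights: FrozenSet[str]


@dataclass(frozen=True)
class Account:
    name: str
    groups: FrozenSet[str]  # groups carried in the logon token


def is_granted(acl: List[Ace], who: Account, wanted: FrozenSet[str]) -> bool:
    """Access check: any matching Deny that touches a requested right refuses
    access; otherwise every requested right must be covered by matching Allows."""
    identities = {who.name} | set(who.groups)
    for ace in acl:
        if not ace.allow and ace.trustee in identities and ace.rights & wanted:
            return False
    granted: set = set()
    for ace in acl:
        if ace.allow and ace.trustee in identities:
            granted |= ace.rights
    return wanted <= granted


def would_lock_out(acl: List[Ace], admins: List[Account]) -> List[str]:
    """Names of administrative accounts that lose write access under this ACL.
    This is the page's warning: a Deny on the user 'Administrator' hits your
    real admin if you never created a decoy under that name."""
    return [a.name for a in admins if not is_granted(acl, a, WRITE)]


# Constructed ACLs.  A clean Windows 2000 install grants Everyone full control
# on the drive root; the hardened form follows the steps in the text.
DEFAULT_ACL: List[Ace] = [Ace("Everyone", True, FULL)]
HARDENED_ACL: List[Ace] = [
    Ace("Administrator", False, FULL),        # Deny everything to the decoy USER
    Ace("Authenticated Users", True, FULL),   # replaces the Everyone entry
]

# Constructed accounts.  On Windows 2000 the anonymous logon is a member of Everyone.
ANONYMOUS = Account("ANONYMOUS LOGON", frozenset({"Everyone"}))
DECOY_ADMIN = Account("Administrator", frozenset({"Everyone", "Authenticated Users"}))
REAL_ADMIN = Account("nacsadmin", frozenset({"Everyone", "Authenticated Users", "Administrators"}))
# The failure mode: the genuine administrator was never renamed.
UNRENAMED_ADMIN = Account("Administrator",
                          frozenset({"Everyone", "Authenticated Users", "Administrators"}))


if __name__ == "__main__":
    print("anonymous, default ACL :", is_granted(DEFAULT_ACL, ANONYMOUS, FULL))
    print("anonymous, hardened ACL:", is_granted(HARDENED_ACL, ANONYMOUS, READ))
    print("decoy admin, hardened  :", is_granted(HARDENED_ACL, DECOY_ADMIN, READ))
    print("real admin, hardened   :", is_granted(HARDENED_ACL, REAL_ADMIN, FULL))
    print("lock-out (renamed)     :", would_lock_out(HARDENED_ACL, [REAL_ADMIN]))
    print("lock-out (not renamed) :", would_lock_out(HARDENED_ACL, [UNRENAMED_ADMIN]))
```

The decoy "Administrator" is itself an authenticated user and so matches the Allow entry, but the Deny entry on its own name is checked first and refuses the access; the real administrator, logged on under another name, is untouched. Run `would_lock_out` with your actual administrative account names before applying the Deny to each drive.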
OUR OWN SUGGESTIONS
Software Updates
Using Windows Live Update is the simplest method to update your browser and OS. While it will not fix most security issues, it is the simplest way to get up-to-date fixes for current exploitations.
Bookmark the following pages and make them available offline. Cache them and copy a shortcut to the desktop for each. When they change you will see a red X on them. You will know they have been updated and there are new issues to read about. The links are Tech Net's security bulletin search pages for Post SP2 IIS and Windows 2000 Advanced Server-
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=17&servicepackid=2 This is for IIS 5.0
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/current.asp?productid=7&servicepackid=2 This is for Windows 2000 Advanced Server
Stay current with applications by applying Service Packs.
Applying service packs to applications such as Cold Fusion, SQL and any other programs will often be a good way to avoid being exploited. Applying an update the week it comes out is usually not a prudent idea, but within a two to three week period is a good idea.
Stay Current with reading material
Read the SANS and other security pages weekly for updates and news about the latest issues. Here is a list of security sites that offer information you will find helpful:
http://www.sans.org/infosecFAQ/win2000/win2000_list.htm SANS Site
http://www.microsoft.com/technet/ Microsoft Tech Net
http://www.ntsecurity.net/ A Windows security magazine
These are formal sites for reviewing documents about Windows 2000-
http://nsa2.www.conxion.com/ NSA Windows 2000 Security document
http://www.foundstone.com/cgi-bin/display.cgi?Section_ID=8 Foundstone has excellent papers on security
Tools Available for System Administrators- Unless you are very skilled in IIS administration and Windows administration, do not rely on these tools to secure an existing server. The changes made might render your sites and server unable to communicate with clients. Either check with other administrators on campus for their suggestions or experiences, or test it on another system to make sure the tool is compliant with your needs. The links to these tools are in the Appendix.
APPENDIX
IIS 5.0 Security Checklist
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/prodtechnol/iis/tips/iis5chk.asp
The best place to start!
Microsoft’s Security checklist-
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp
Microsoft’s Guide to Securing NT Server and Windows 2000 Server-
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/tools/content.asp
List of Windows 2000 & IIS Services for a high security web server
http://support.microsoft.com/support/kb/articles/q189/2/71.asp
Windows 2000 Servers TCP/IP Ports for Running Exchange & Terminal
http://support.microsoft.com/support/kb/articles/q150/5/43.asp
Ports used on Windows 2000 Domain Controllers
http://support.microsoft.com/support/kb/articles/Q289/2/41.ASP
Verisign Article on Strong Security in Multiple server Environment
http://www.verisign.com/rsc/wp/onsite/index.html
Default ACLs for Windows 2000
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/windows2000serv/maintain/featusability/secdefs.asp
How to harden the TCP/IP Stack for Windows 2000
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/itsolutions/security/network/secdeny.asp
All Microsoft Tools
http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/security/tools/tools.asp
HFNetCheck
http://support.microsoft.com/support/kb/articles/Q303/2/15.ASP
IIS Lockdown Tool
http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp
QChain
http://support.microsoft.com/support/kb/articles/Q296/8/61.asp
CREDITS AND SOURCES OF INFORMATION
LabMice.Net - http://www.labmice.net/ - Software, FAQs, documentation and links
SANS Windows 2000 Security - http://www.sans.org/top20.htm - Top Twenty Security Issues on the web
Microsoft's Tech Net Page - http://www.microsoft.com/technet/ - Software, FAQs, documentation and hot fixes
Windows Security Administrator - http://www.ntsecurity.net/ - Online magazine
Hacking Exposed: Windows 2000 - Joel Scambray & Stuart McClure - Osborne/McGraw-Hill, 2001
In Collaboration With
Michael McCabe - NACS Security Team
School of Biological Science Computing Support Group
UCI Medical Center Information Services
Brad Judy - University of Colorado, Boulder ITS Group
Updated: December 3, 2001
University of California, Irvine