Basic Steps to Hardening a Standalone Windows 2000 Installation


Todd Anderson from SANS.org
March 21, 2001

The first consideration in a Windows 2000 installation is to define the purpose of the installation. One would set up a home machine very differently from one set up as a web server. Generally, it is a good idea to limit the roles any given machine will play, especially when connecting a machine directly to the internet, where every port you open or service you enable creates a potential security hole.

Installation of Windows 2000

There are a few security options that can be addressed while installing the operating system. If you are not using a script or performing an unattended installation, and have no need of a network connection, disconnect the machine until a strong administrator password has been set, service packs have been installed and necessary hot fixes applied.

File System Security

Be sure to format all partitions as NTFS, including the system partition. Windows 2000 runs best on an NTFS partition. Many of the features of Windows 2000 - resistance to fragmentation, file and folder level access rights, encrypted file systems, distributed file systems - can only be leveraged using the NTFS file system.

NTFS includes the use of encrypted file systems (EFS) [1]. EFS is a capability, integrated into Windows 2000, which allows users to transparently encrypt files. Those needing to store sensitive data on a Windows 2000 machine should consider using EFS to add an extra layer of defense to protect their data.

The decision to implement EFS, however, should not be taken lightly, especially on a standalone machine. When encrypting files it is important to use a strong password and even more important not to forget it. If a user encrypts a folder and that user’s account is deleted, the folder cannot be unencrypted because the user’s key will no longer exist. Normally, the administrator could reset the user’s password and then log in to recover the encrypted files. This will not work if the account has been deleted [2].

More information on EFS can be found at

http://www.infosecuritymag.com/articles/february01/features_applied_crypto.shtml and
http://www.microsoft.com/windows2000/library/planning/security/efssteps.asp

Protocol Configuration

The next option during setup is the configuration of protocols. Use only what you need to get the job done. If you don’t need Client for Microsoft Networks or File and Print Sharing for Microsoft Networks, it is best not to install them. If you need to have the Microsoft client installed or file and print sharing enabled, you will need more than a hardened workstation to protect your data; you will need a secure network infrastructure, including a firewall.

Configure the advanced TCP/IP options [3]. On the WINS tab, uncheck "Enable LMHOSTS lookup" and check "Disable NetBIOS over TCP/IP".

 

On the TCP/IP options tab, select TCP/IP filtering. By enabling filtering you can prevent many incoming connections while, at the same time, allowing outgoing and established connections to work normally. If your machine is a single purpose machine, configure the protocols you want to allow in. In the example below, TCP is an IP protocol [4], as defined in the IP protocol header, and TCP port 80 is HTTP. This configuration would allow incoming connections to a web server. If not configured correctly, these settings will prevent remote administration, creating a denial of service on yourself.

This should not be the only line of defense. Defense in Depth is the goal. Make your box more work than it is worth to break into.

Whether you are configuring a home machine or a web server, a virus scanner and some type of firewall are essential tools. It is important to regularly update virus definition files. Keep your OS patches current. Many patches fix known exploits and vulnerabilities.

Post Windows 2000 Installation

After Windows reboots, there is plenty more to configure. As with Windows NT, in order to properly configure or harden your system, you must at some point edit the registry (obligatory note to back up registry first). However, many of the registry changes that need to be made can be done with security policies.

Security Configuration Tools

Many services can be configured using the System Security Toolbox [5]. These security snap-ins can assist in configuring and hardening your Windows 2000 machine. On a local or standalone machine the group policy snap-in or gpedit.msc allows you to view or edit the policy on the machine.

Using the Security Configuration and Analysis tool and the Security Template tool, which are snap-ins in the Microsoft Management Console (MMC), you can centrally manage the local computer policy and avoid making many of the direct registry modifications that were required when hardening Windows NT.

As described in other GSEC papers [6, 7], the templates allow you to configure many of the Windows settings. The settings allow you to manage account and local policies, restrict groups, control registry and file system access, and manage system services. Security templates are stored as text-based .inf files in %SystemRoot%\Security\Templates by default. The template files can be edited either manually using a text editor such as Notepad or using the Security Template tool. You must be an administrator to create, save, or implement security policies.

With the system policy you can create a template for the security policy of the machine. Creating a template is beneficial. First, it creates a file that can be easily transferred to another machine where the same configuration is desirable. Second, by creating a security template, you create an auditing tool. By analyzing the current configurations against the configuration of the template, you can determine if the computer policy has been altered.

Many of the settings in these policies are undefined, even in the high security policies. Taking the time to go through these and create a good template is worth the time and effort. Each section of the policy template has settings that are important. There are too many to go over here in detail, but a good resource is the Windows 2000 Security Handbook [3].

To use the security configuration tools, create a custom Microsoft Management Console (mmc from the command line). Add the Security Configuration and Analysis tool, and the Security Template tool. Follow these steps:

  • Create a template or use a pre-configured template from one of the Security Templates.
  • Create a new database

Right click on the Security Configuration and Analysis snap-in and select Open Database…. Type in the name of the database you are going to create. Next you need to choose the template file (*.inf).

At this point you have two options: you can either analyze or apply the policy file.

If you choose to analyze the computer you can then view and edit the results. Discrepancies between the system and the template are highlighted with a red flag. Consistencies are highlighted with a green check mark. The security setting is not specified in the database if there is no flag or check mark.

Once the configuration is defined as you like it, you can apply the policy using the Configure Computer Now… option of the Security Configuration and Analysis tool.

 

It may seem easier to just edit the local security settings in the Administrative Tools section of the Control Panel or by using gpedit.msc. While this is true for a single machine, if you have to edit multiple machines and desire to check them occasionally to make sure that settings have not been modified, use a policy.

These tasks can be automated even further through the use of the secedit.exe command. Secedit.exe is a command line version of the security configuration and analysis snap-in.

secedit /configure [/DB filename] [/CFG filename] [/overwrite] [/areas area1 area2...] [/log logpath] [/verbose] [/quiet]
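
The analysis step described above, as an added example (not code from the original paper or from Microsoft's tools): a Python comparison of a security template against a copy of the machine's current settings, classifying each setting the way the snap-in marks it. Both .inf texts are constructed samples, and parse_inf and analyze are hypothetical helper names.

```python
# Added example; both .inf texts are constructed samples, not real machine output.
TEMPLATE = r"""
[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 5
[Event Audit]
AuditLogonEvents = 3
"""
CURRENT = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
AuditPolicyChange = 0
"""
SKIP = {"unicode", "version"}  # file metadata sections, not policy settings

def parse_inf(text):
    """Return {(section, key): value} for the key=value lines of an .inf file."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):       # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip()
        elif "=" in line and section and section.lower() not in SKIP:
            key, value = line.split("=", 1)
            settings[(section, key.strip())] = value.strip()
    return settings

def analyze(template_text, current_text):
    """Classify every setting as match, mismatch, or undefined in the template."""
    template, current = parse_inf(template_text), parse_inf(current_text)
    report = {"match": [], "mismatch": [], "undefined": []}
    for name in sorted(set(template) | set(current)):
        if name not in template:                   # no flag or check mark
            report["undefined"].append(name)
        elif current.get(name) == template[name]:  # green check mark
            report["match"].append(name)
        else:                                      # red flag
            report["mismatch"].append((name, template[name], current.get(name)))
    return report

if __name__ == "__main__":
    print(analyze(TEMPLATE, CURRENT))
```

A template setting that is missing from the current copy is reported as a mismatch with a current value of None, so a dropped setting is not mistaken for a compliant one.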

Configure the machine with the least amount of privilege to serve its function. This includes logons, services, and protocols. Audit the machine, using event logging to monitor the system. It may be worth using Tripwire to check file integrity for critical machines.

There are many tools in Windows 2000 (at least relative to Windows NT) that make the job of securing the operating system easier. It is important to learn these tools. New exploits will require responses; these tools will help you respond.


Security Configuration Tool Set


1 "Step by step guide to Encrypting File System (EFS)" 7 March, 2000
URL: http://www.microsoft.com/windows2000/library/planning/security/efssteps.asp

2 Bragg, Roberta "Applied Cryptography, Hardening EFS" February 2001 Information Security Magazine
URL: http://www.infosecuritymag.com/articles/february01/features_applied_crypto.shtml

3 Cox, Philip. Windows 2000 Security Handbook. Berkeley: Osborne / McGraw Hill, 2001. Chapter 10

4 Stevens, W. Richard. TCP/IP Illustrated Volume 1. Reading: Addison Wesley, 1994. 10

5 "Step-by-Step Guide to Using the Security Configuration Tool Set" 16 February, 2000
http://www.microsoft.com/windows2000/library/planning/security/secconfsteps.asp



GSEC Papers


6 Brill, Jeffrey "Windows 2000 Template Security Implications" May 2, 2000
URL: http://www.sans.org/infosecFAQ/win2000/template.htm

7 Scannella, Carlo "Implementing Password Controls and Account Policies Using Windows 2000" February 15, 2000
URL: http://www.sans.org/infosecFAQ/win2000/group_policy.htm 


