Cal Poly
3801 West Temple Avenue
Pomona, California 91768
Submitted By: Daniel Formel
Title V Project
Windows 2000 Server Checklist
Abstract
A security checklist for Windows 2000 Server based on Microsoft’s best practices.
Basic Procedures
- Install the latest service packs and critical updates. Configure automatic updates.
- Keep up with the latest security patches by using the Security Bulletins Search.
- Install anti-virus software and keep it up to date.
- Install and properly configure a firewall.
- Use the Baseline Security Analyzer to scan and evaluate the security of your system.
- Request a vulnerability scan through the Help Desk. Contact the Help Desk at (909) 869-6776 or email them at helpdesk@csupomona.edu.
- Be proactive and vigilant. Once your server is configured and locked down, it will not remain secure forever.
Checklist Overview
Steps
□ Physically secure the machine
□ Use NTFS for all partitions
□ Rename the Administrator account and set a strong password
□ Create a dummy Administrator account
□ Disable the Guest account and other unnecessary accounts
□ Set strong password policies
□ Set a screensaver password
□ Set an account lockout policy
□ Prevent the last logged in username from being displayed
□ Disable unnecessary services and ports
□ Restrict access to public Local Security Authority information
□ Set appropriate ACLs
□ Remove unnecessary file shares
□ Enable security event auditing and set permissions on logs
□ Set logon warning messages
□ Replace the "Everyone" Group with "Authenticated Users" on file shares
□ Create and deploy a backup/recovery plan
□ Revoke the Debug programs user right
□ Disable DirectDraw
□ Enable Encrypted File System (EFS)
□ Lock down the registry
□ Remove the OS/2 and POSIX Subsystems
□ Disable Dump File Creation
Checklist in Detail
Physically secure the machine
Your server should be in a locked room with monitored access, so that unauthorized users do not have physical access to the machine. Internal breaches are not uncommon. Place a lock on the case if one is provided.
Use NTFS for all partitions
NTFS is a more secure and reliable file system. FAT and FAT32 file systems do not provide file-level security. Every Windows 2000 Server should be formatted using NTFS.
Rename the Administrator account and set a strong password
Rename the Administrator account to a non-obvious name (e.g. not "admin," "root," etc.). This will make it more difficult for hackers to gain access to this account. Also disable the local Administrator account.
Create a dummy Administrator account
Create a decoy Administrator account (named “Administrator”) with no privileges and an impossible-to-guess complex password. Then periodically check the event logs for attempts to log on to this account.
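One way to do that periodic check, as an added example that is not part of the original checklist: this Python script reads a Security log that was saved from Event Viewer as comma-delimited text and reports every logon event (528 successful logon, 529 bad user name or password, 539 account locked out) that names the decoy account. The log lines below are constructed; the column order is the Event Viewer export order and the decoy name is the one this checklist recommends.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample of a Windows 2000 Security log saved from Event Viewer as
# comma-delimited text (Date,Time,Source,Type,Category,Event,User,Computer,Description).
# Not a real log. The decoy account is named "Administrator"; the real one was renamed.
SAMPLE_LOG = """\
1/14/2003,10:02:11 PM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01,"Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: SRV01 Logon Type: 3 Workstation Name: WS-17"
1/14/2003,10:02:13 PM,Security,Failure Audit,Logon/Logoff,529,NT AUTHORITY\\SYSTEM,SRV01,"Logon Failure: Reason: Unknown user name or bad password User Name: Administrator Domain: SRV01 Logon Type: 3 Workstation Name: WS-17"
1/14/2003,10:02:15 PM,Security,Failure Audit,Logon/Logoff,539,NT AUTHORITY\\SYSTEM,SRV01,"Logon Failure: Reason: Account locked out User Name: Administrator Domain: SRV01 Logon Type: 3 Workstation Name: WS-17"
1/14/2003,10:05:40 PM,Security,Success Audit,Logon/Logoff,528,SRV01\\jsmith,SRV01,"Successful Logon: User Name: jsmith Domain: SRV01 Logon Type: 2 Logon Process: User32 Workstation Name: SRV01"
1/14/2003,11:30:02 PM,Security,Success Audit,Logon/Logoff,528,SRV01\\Administrator,SRV01,"Successful Logon: User Name: Administrator Domain: SRV01 Logon Type: 3 Logon Process: NtLmSsp Workstation Name: WS-17"
"""

DECOY_ACCOUNT = "Administrator"  # the decoy name from the checklist
LOGON_EVENTS = {528: "successful logon", 529: "bad user name or password", 539: "account locked out"}
USER_RE = re.compile(r"User Name:\s*(\S+)")
WS_RE = re.compile(r"Workstation Name:\s*(\S+)")

def decoy_logon_attempts(log_text, decoy=DECOY_ACCOUNT):
    """Return logon events (528/529/539) aimed at the decoy account, oldest first.
    A successful logon (528) to an account nobody should use is the critical case;
    failures (529/539) show that someone is guessing against the decoy name."""
    hits = []
    for row in csv.reader(io.StringIO(log_text)):
        if len(row) < 9 or not row[5].isdigit():   # skip a header row or short lines
            continue
        event_id = int(row[5])
        user = USER_RE.search(row[8])
        if event_id not in LOGON_EVENTS or not user or user.group(1).lower() != decoy.lower():
            continue
        ws = WS_RE.search(row[8])
        hits.append({"when": f"{row[0]} {row[1]}", "event": event_id,
                     "reason": LOGON_EVENTS[event_id],
                     "workstation": ws.group(1) if ws else "?",
                     "severity": "CRITICAL" if event_id == 528 else "WARNING"})
    return hits

def summarize(hits):
    """Count hits per (workstation, severity) for a quick daily report."""
    return Counter((h["workstation"], h["severity"]) for h in hits)

if __name__ == "__main__":
    for h in decoy_logon_attempts(SAMPLE_LOG):
        print(f'{h["severity"]:8} {h["when"]}  event {h["event"]}  {h["reason"]}  from {h["workstation"]}')
    print(summarize(decoy_logon_attempts(SAMPLE_LOG)))
```

Any 528 for the decoy means the "impossible" password was obtained or bypassed and should be treated as a compromise, not a curiosity.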
Disable the Guest account and other unnecessary accounts
Verify that the Guest account is disabled. For additional security, assign a complex password to the account anyway, and restrict its logon hours 24x7. Also, regularly audit the list of all accounts to check for and remove inactive or unnecessary accounts. Eliminate any duplicate user accounts, test accounts, shared accounts, general department accounts, etc. Apply appropriate group policies as needed.
Set strong password policies
Use the Domain Security Policy (or Local Security Policy) snap-in to strengthen the system policies for password acceptance. Microsoft suggests that you make the following changes:
1. Set the minimum password length to at least 8 characters. Recommended value: 8.
2. Set a minimum password age appropriate to your network (typically between 1 and 7 days). Recommended value: 2.
3. Set a maximum password age appropriate to your network (typically no more than 42 days). Recommended value: 42.
4. Set password history maintenance (using the "Remember passwords" option) to at least 6. Recommended value: 24.
5. Set a password complexity requirement (using the "Passwords must meet complexity requirements" option).
6. Disable the "Store passwords using reversible encryption" option (disabled by default).
Set a screensaver password
Password-protect the screensaver to prevent internal threats from accessing unmonitored machines. Choose a blank screensaver or a logon screensaver.
Set an account lockout policy
Set an account lockout policy to lock out an account after a specified number of failed logon attempts. It is recommended to set the limit to 3-5 attempts, lock the account out for 30 minutes, and reset the failed-attempt counter after 30 minutes.
Prevent the last logged in username from being displayed
By default the logon screen displays the last username that logged in. This makes it easier for an attacker to obtain valid usernames for a brute-force password attack.
Disable unnecessary services and ports
You should disable any services that are not required on the machine. Unnecessary services take up system resources and can leave your system vulnerable to numerous threats. You should be aware of all the services that run on your servers and audit them periodically. Here is a list of services that should be disabled (if possible) according to Microsoft.
- Internet Information Server (IIS) services: FTP Publishing Service, IIS Admin Service, Network News Transport Protocol (NNTP), Simple Mail Transport Protocol (SMTP), and the World Wide Web Publishing Service.
- Server service. Disable if the server is not being used for file and print sharing.
- SNMP service. Disable if SNMP monitoring is not required.
The following is a list of acceptable services used in an “Evaluated Configuration” in accordance with the Windows 2000 Common Criteria (C2) Security Target.
List of Evaluated Services: Alerter Service, COM+ Event System, Computer Browser, DHCP Client, DHCP Server, Distributed File System (DFS), DNS Client, DNS Server, Event Log, File Replication Service, Intersite Messaging, IPSec Policy Agent, Logical Disk Manager, Logical Disk Manager Administrative Service, Messenger, Net Logon, Network Connections, NTLM Security Support Provider, Plug and Play, Print Spooler, Protected Storage, Remote Procedure Call (RPC), Remote Procedure Call (RPC) Locator, Remote Registry Service, Security Accounts Manager, Server, System Event Notification, TCP/IP NetBIOS Helper Service, Windows Internet Name Service (WINS), Windows Management Instrumentation, Windows Management Instrumentation Driver Extensions, Windows Time, Workstation.
Disable unnecessary services as they apply to you. A complete list of services that Windows 2000 provides can be found here.
You may also want to disable open ports. Ports that are open may provide easy access for hackers and other potential threats. “You can configure your ports via the TCP/IP Security console located in the TCP/IP properties (Control Panel > Network and Dial Up Connections > Local Area Connection Properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP Filtering > Properties). For example, to allow only TCP and ICMP connections, configure the UDP and IP Protocol check boxes to "Permit Only" and leave the fields blank. A list of default ports for Windows 2000 Domain Controllers can be found here” [Labmice.net].
To test for open ports on your machine, use the Nmap port scanner.
Restrict access to public Local Security Authority information
Restrict anonymous access to LSA information. To restrict anonymous access, create and set the following registry value.
Hive:       HKEY_LOCAL_MACHINE\SYSTEM
Key:        CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Type:       REG_DWORD
Value:      1
Set appropriate ACLs
Set appropriate permissions as required per user. By default, all users have full control on newly created file shares. Ensure that each user has appropriate share-level access. Also, ensure the registry is locked down. Windows 2000 systems have secure default ACLs on the registry; however, systems upgraded from a previous version of Windows may not. Refer to the Default Access Control Settings in Windows 2000 document on the Microsoft TechNet Security Web site for details.
Remove unnecessary file shares
Windows 2000 opens hidden administrative shares on each PC for use by the system account. You can see these by typing NET SHARE at a command prompt. These should be disabled to prevent malicious users from gaining access to your system. To disable hidden administrative shares, disable the Server service (Control Panel > Administrative Tools > Services > right-click Server > Properties > change the startup type to Disabled). For more information see Microsoft Knowledge Base Article 318751.
Enable security event auditing and set permissions on logs
It is important to enable security event auditing to alert you of changes in account policies, failed logons, and unauthorized file access. To set audit policies go to Control Panel > Administrative Tools > Local Security Policy > Local Policies > Audit Policy. Consider auditing the following events.
Event                  Level of Auditing
Account logon events   Success, failure
Account management     Success, failure
Logon events           Success, failure
Object access          Success
Policy change          Success, failure
Privilege use          Success, failure
System events          Success, failure
For more information refer to Microsoft Knowledge Base Article 300549. By default log files are unprotected, so permissions should be set on the event log files to allow access to the Administrator and System accounts only.
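As an added example (not part of the original checklist), the password policy, account lockout, audit policy and RestrictAnonymous items above can all be verified from a security template exported with secedit /export /cfg, the policy tool built into Windows 2000; this Python script parses such a template and compares it with the values this checklist recommends. The template text is constructed, and the key names it uses (MinimumPasswordLength, LockoutBadCount, AuditAccountLogon and so on) are secedit's own names for these settings, which the checklist itself does not show.

```python
import configparser

# Constructed sample of a template as written by "secedit /export /cfg policy.inf"
# on Windows 2000 (not a real export). LockoutBadCount is deliberately outside the
# checklist's 3-5 range so the checker has a finding to report.
SAMPLE_TEMPLATE = r"""[System Access]
MinimumPasswordAge = 2
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LockoutBadCount = 10
[Event Audit]
AuditAccountLogon = 3
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"""

# Checks taken from this checklist's recommended values. In [Event Audit] a value of
# 1 means success, 2 failure, 3 both; in [Registry Values] "4,1" means REG_DWORD 1.
CHECKS = [
    ("System Access", "MinimumPasswordLength", "min length >= 8", lambda v: int(v) >= 8),
    ("System Access", "MinimumPasswordAge", "min age 1-7 days", lambda v: 1 <= int(v) <= 7),
    ("System Access", "MaximumPasswordAge", "max age 1-42 days", lambda v: 1 <= int(v) <= 42),
    ("System Access", "PasswordHistorySize", "history >= 24", lambda v: int(v) >= 24),
    ("System Access", "PasswordComplexity", "complexity on", lambda v: v == "1"),
    ("System Access", "ClearTextPassword", "reversible encryption off", lambda v: v == "0"),
    ("System Access", "LockoutBadCount", "lockout after 3-5 failures", lambda v: 3 <= int(v) <= 5),
    ("Event Audit", "AuditAccountLogon", "account logon: success+failure", lambda v: v == "3"),
    ("Event Audit", "AuditLogonEvents", "logon events: success+failure", lambda v: v == "3"),
    ("Registry Values", r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous",
     "RestrictAnonymous = 1", lambda v: v.replace(" ", "") == "4,1"),
]

def audit_template(text):
    """Return [(description, 'ok' | 'FAIL' | 'MISSING')] for the template text."""
    # Keep key case (registry paths are compared as written), turn off '%' interpolation,
    # and use '=' as the only delimiter because ':' can legitimately appear in values.
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    results = []
    for section, key, desc, passes in CHECKS:
        value = cp.get(section, key, fallback=None)
        results.append((desc, "MISSING" if value is None else ("ok" if passes(value.strip()) else "FAIL")))
    return results
```

A real export is written as UTF-16 text, so read the file with encoding="utf-16" before passing its contents to audit_template.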
Set logon warning messages
Create a warning message for users who log on to your system. Although this does not prevent an attacker from gaining access, it does increase your organization’s ability to prosecute attacks by increasing the attacker’s legal liability. To set logon messages go to Control Panel > Administrative Tools > Local Security Policy > Local Policies > Security Options. Microsoft recommends setting the following values.
- Set “Message text for users attempting to log on” to the following message value: This system is restricted to authorized users. Individuals attempting unauthorized access will be prosecuted. If unauthorized, terminate access now! Clicking on OK indicates your acceptance of the information in the background.
- Set “Message title for users attempting to log on” to: IT IS AN OFFENSE TO CONTINUE WITHOUT PROPER AUTHORIZATION.
Replace the "Everyone" Group with "Authenticated Users" on file shares
Do not assign the “Everyone” group access to file shares on your system; doing so means that anyone on the network can access them. Use the “Authenticated Users” group instead.
Create and deploy a backup/recovery plan
Create an appropriate backup plan for your environment and ensure that your backups are secure. If your server is compromised you should be able to restore your system quickly, and be able to provide evidence of the compromise in case legal action is taken. The Title V Incident Response Team can assist you in the event of a compromise. Refer to the Backup Integrity Report here. Call the Help Desk at (909) 869-6776 to set up an appointment with the Incident Response Team.
Revoke the Debug programs user right
The ability to debug programs can be exploited by trojans to extract sensitive information such as hashed passwords. Remove the “Debug programs” user right from all users (even Administrators) except those users that need to use this feature (Control Panel > Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment > Debug programs).
Disable DirectDraw
Basic C2 security standards recommend disabling DirectDraw to prevent direct access to video hardware and memory. To disable DirectDraw, change the following registry key:
HKLM\SYSTEM\CurrentControlSet\Control\GraphicsDrivers\DCI
and set the value Timeout (REG_DWORD) to 0.
Enable Encrypted File System (EFS)
Take advantage of the Encrypted File System. It can help protect your data if an attacker physically removes the hard drive and mounts it on another machine. Enable encryption on sensitive directories and files. For more information on EFS refer to the Windows 2000 Server Security Center.
Lock down the Registry
Restrict remote access to the Registry. By default only Administrators and Backup Operators have network access to the Registry; however, you may want to change this depending on your requirements. For more information refer to Microsoft Knowledge Base Article 153183.
Remove the OS/2 and POSIX Subsystems
If you are not using these subsystems, then remove them, as they may pose a potential security risk. They are also not part of the C2 security standards. To remove them see the instructions below from labmice.net.
To remove the OS/2 and POSIX subsystems:
1. Delete the \winnt\system32\os2 directory and all of its subdirectories.
2. Use the Registry Editor to remove the following registry entries:
Disable Dump File Creation
A dump file can be used to troubleshoot problems, but it can also be used by hackers to extract sensitive information. To disable the dump file, right-click My Computer > Properties > Advanced > StartUp and Recovery… > change Write Debugging Information to None. Enable it only when needed.
Sources
Information from this guide was obtained from the following sources.
- LabMice.net Windows 2000 Security Checklist: http://www.labmice.net/articles/securingwin2000.htm
- Windows 2000 Server Baseline Security Checklist
Related Links
Here are some other useful links on Windows 2000 security.
- Windows 2000: http://www.microsoft.com/technet/security/prodtech/windows/windows2000/default.asp
- Microsoft Windows 2000 Security Configuration Guide (Common Criteria – C2 Security): http://www.microsoft.com/technet/security/issues/W2kCCSCG/default.asp
- National Security Agency Windows 2000 Security Guides: http://nsa1.www.conxion.com/win2k/index.html
- Microsoft Solution for Securing Windows 2000 Server: http://www.microsoft.com/technet/security/prodtech/windows/secwin2k/default.asp