Securing Windows Systems


Ensure that you have disabled the guest account

The 'Guest' account allows anonymous access to a machine. Making sure that this account is disabled will prevent people from using services you may have inadvertently left open. You can do this by right-clicking on My Computer > Manage > Local Users and Groups > Users, double-clicking the Guest account, and making sure "Account is Disabled" is checked.

There is a tendency to confuse the "Everyone" group with the guest account/group. "Everyone" represents people that are authenticated in any way the client can verify, be it locally or to a domain. If you are anyone, you are "Everyone". If a user doesn't have any other method of authentication, then they are allowed to access whatever the guest group/account has rights to. This is why you should disable the guest account.


But keep in mind: anyone is everyone, including your own valid user. It is a common mistake for new users to set the file system permissions at the root of their system to "deny" Everyone access. Doing so will keep everyone, including you, out.

Rename Administrator Account

Unlike other accounts, the Administrator ID cannot be locked out. This means that people can try as many times as they like to crack this ID. To make this more difficult, rename your administrative account to something else. Make it very easy to remember, like "RealAdmin", or something like "UNT#Admin", where UNT# is the UNT decal number of the computer. Now create the ID you will actually be logging in with every day. If it's your main desktop, go ahead and add this ID to the Administrators group for your local machine. Use this ID to log in for most things, reserving your renamed Administrator account for emergencies. If you are a member of an NT 4.0 domain or a Windows 2000 Active Directory tree, it is also a good idea to audit logon failures. This is not an option in Windows 2000 Professional in a standalone configuration.

Use Smart Passwords and Settings

There's a lot of discussion about how complex or long you should make your password. Remember, if your password is easy to guess, it doesn't matter how well encrypted it is, so use something unusual that you can still remember.

Tips for choosing strong passwords:

  1. Do not use common words that can be found in a dictionary.

  2. Do not use passwords that are directly related to you (i.e. your name, address, or anything that someone could guess about you).

  3. Do not choose passwords that can be found in DNS records.

  4. Do not use the word "password".

  5. Do not use a blank or null password.

  6. Really, don't use a blank or null password.

  7. Use a combination of letters, numbers and special characters ($, *, !, etc.). Use the first (or second, or last, ...) letter of each word in a phrase.

  8. Choose passwords that are a minimum of eight characters in length.

  9. Make sure that no one is peering over your shoulder when you type in your password.

  10. To defeat automated scanning tools, set the Windows registry value "RestrictAnonymous" to 2:
    HKLM\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous=2
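The tips above can be turned into a simple checker. The following is an added example written for this guide, not code from the original page: it tests a candidate password against tips 1, 2, 4, 5/6, 7 and 8, and implements the "first letter of each word in a phrase" trick from tip 7. The word list and the personal-information strings are small constructed samples; a real check would load a full dictionary file.

```python
import string

# Constructed sample word list standing in for a real dictionary file (tip 1).
COMMON_WORDS = {"welcome", "letmein", "summer", "dragon", "admin", "football"}


def check_password(candidate, personal_info=(), dictionary=COMMON_WORDS, min_length=8):
    """Return the list of tips the candidate violates (an empty list means it passes).

    personal_info: strings such as your name or street that must not appear
    in the password (tip 2). dictionary: lower-case words to reject (tip 1).
    """
    problems = []
    if not candidate:
        # Tips 5 and 6: a blank password fails outright, nothing else to check.
        return ["blank or null password"]
    lowered = candidate.lower()
    if lowered == "password":
        problems.append('the word "password"')                               # tip 4
    elif lowered in dictionary:
        problems.append("common dictionary word")                              # tip 1
    for item in personal_info:
        if item and item.lower() in lowered:
            problems.append("contains personal information: " + item)         # tip 2
    if len(candidate) < min_length:
        problems.append("shorter than %d characters" % min_length)            # tip 8
    has_letter = any(c.isalpha() for c in candidate)
    has_digit = any(c.isdigit() for c in candidate)
    has_special = any(c in string.punctuation for c in candidate)
    if not (has_letter and has_digit and has_special):
        problems.append("missing a mix of letters, numbers and special characters")  # tip 7
    return problems


def phrase_to_password(phrase, position=0):
    """Tip 7's phrase trick: take the letter at `position` from each word."""
    return "".join(word[position] for word in phrase.split() if len(word) > position)


if __name__ == "__main__":
    # Constructed walk-through: build a base from a phrase, then add a digit and a symbol.
    base = phrase_to_password("the quick brown fox jumps over the lazy dog")
    candidate = base.capitalize().replace("o", "0") + "!"
    for pw in ("", "password", "summer", candidate):
        verdict = check_password(pw, personal_info=("Doe", "unt")) or ["passes all checks"]
        print("%-12r -> %s" % (pw, "; ".join(verdict)))
```

Note that the checker only rejects obviously weak choices; it cannot tell you a password is strong, only that it does not break any of the rules listed above.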

If you are sharing your machine with others, you should make sure that all the users use different IDs and passwords. You don't want someone to be able to delete anyone else's files or be able to read their email. Windows 2000 has greatly improved on the profiles that NT 4 used to keep your files separate from other users'. It is also a good idea to delete any unnecessary accounts.

Firewalls and Ports

When Internet-based programs try to connect to your machine, they first locate the machine itself via an IP address (which itself is resolved from a hostname, like www.unt.edu). Once your computer knows where to locate the other, it then attempts to talk to whatever service on the remote computer you're requesting, be it HTTP, FTP, NNTP, etc. Think of an IP address as the phone number of a large corporation, and ports as the extensions to the various departments and people in it. Some well-known ports are: the Web (HTTP, port 80 TCP), Telnet (21 TCP) or Outgoing Mail (SMTP, 25 TCP). If you were to shut off port 80, no one would be able to connect via HTTP to your machine.

By shutting down any ports that you don't use, you cut down on the number of ways that an intruder can break into your system. Windows can use a lot of odd ports to communicate when it does things like run the update wizard, but most programs that scan for open ports (oddly enough called "port scanners") only check the first thousand or two (the "well-known ports"), so this isn't a problem.

There are three basic types of exploits that are used on TCP ports. The first is when someone sends many, many packets to your machine so that it freezes or blue-screens under the electronic onslaught; this is a form of denial of service (DoS) attack. The second is where they send a specially crafted packet that "overloads" the service behind the port, allowing them to either execute code or crash the service or OS; this is called a buffer overrun. The last is when you haven't properly secured your services, so that they can connect to, say, your mail server and then send commands to the OS under the credentials of the mail service. For the most part, the last is not something you need to worry about on a Windows 2000 workstation.

Firewall products can be configured to let you know about all such noteworthy events, and they will make your machine a lot safer from hackers.

Shares and Shared Resources

Now that we have determined what we don't want the rest of the world to see, we need to decide what to make accessible, and who should be able to access it. After you have decided what drives and printers you want the outside world to see, you have to share them. Do this by going to the resource you want to share and opening its properties. Go to Sharing (not Security), and select "New Share" for folders or "Shared as" for printers, and assign the object the share name you want it to be seen as on the network. If you append a dollar sign to the share name, it will not be displayed as browseable to the network, but it is still there. This doesn't really add security, but is a nice trick.

Now here's the important part: remove the Everyone group. In some ways, since we have disabled the Guest account, this is redundant, but it is better to do a little extra work so that if you missed something, you are still secure at a second point (and in the NT 4.0 days, there was more than one exploit involving the "Everyone" group, so let's err on the side of being cautious). Now add the people or groups that you want to access your computer. This can be as wide open as "Domain Users" or "Authenticated Users" or as restrictive as just your user ID. One thing to remember is that regardless of who has rights to the file system, if they don't have rights to the share they can't get to it. The same thing works in reverse, too. If you are sharing your MP3 collection as:

\\computername\mp3s$

... and you set the share to allow Full Control to everyone in the Authenticated Users group, those settings will not override the file system settings. Therefore, if all of your MP3s are only readable by user 'frufruhead', then your share security settings won't change that. Now you can see why shares default so that "Everyone" can read them: on the most basic level, "everyone" can try to browse the share, but the default permissions take over on the file system.
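The rule the two paragraphs above describe (over the network you get only the rights that appear in both the share permissions and the file-system permissions, and an explicit deny beats any allow) can be modelled in a few lines. This is an added illustration, not code from the original page; the users, group memberships and ACL entries are constructed, and the `mp3s$` scenario and the "deny Everyone at the root" mistake from the Guest section are replayed through it.

```python
# Permission levels as sets of individual rights (constructed simplification
# of the Windows share and NTFS permission levels).
READ = {"read"}
CHANGE = {"read", "write", "delete"}
FULL = {"read", "write", "delete", "change_permissions"}

# Constructed principals: the groups each user belongs to.
# 'guest' has no credentials, so it is only ever a member of Everyone.
GROUPS = {
    "frufruhead": {"Everyone", "Authenticated Users", "Domain Users"},
    "guest": {"Everyone"},
}


def effective_rights(user, acl):
    """Resolve one ACL for a user.

    acl is a list of (principal, "allow" | "deny", rights) entries. Every entry
    that names the user or one of their groups applies; deny entries remove
    rights that any allow entry granted.
    """
    principals = {user} | GROUPS.get(user, set())
    allowed, denied = set(), set()
    for principal, kind, rights in acl:
        if principal in principals:
            (allowed if kind == "allow" else denied).update(rights)
    return allowed - denied


def remote_access(user, share_acl, ntfs_acl):
    """Rights available through a share: the intersection of both ACLs."""
    return effective_rights(user, share_acl) & effective_rights(user, ntfs_acl)


# Scenario from the text: \\computername\mp3s$ grants Authenticated Users
# Full Control on the share, but the files themselves are readable only by
# frufruhead.
MP3_SHARE_ACL = [("Authenticated Users", "allow", FULL)]
MP3_NTFS_ACL = [("frufruhead", "allow", READ)]

# The mistake from the Guest section: denying Everyone at the root of the
# file system, which also denies the owner who set it.
DENY_ROOT_ACL = [("Everyone", "deny", FULL), ("frufruhead", "allow", FULL)]


if __name__ == "__main__":
    for user in ("frufruhead", "guest"):
        print(user, "over the share ->", remote_access(user, MP3_SHARE_ACL, MP3_NTFS_ACL) or "no access")
    print("frufruhead after denying Everyone at the root ->",
          effective_rights("frufruhead", DENY_ROOT_ACL) or "locked out")
```

Full Control on the share does not turn frufruhead's read-only files into writable ones, and the anonymous guest never gets past the share because it is not an Authenticated User; the last line shows why a root-level deny on Everyone locks out the administrator too.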

Program Security and Antivirus

We've got to get a word in about applications, viruses, and Trojan horses. Commercial software is pretty much assumed safe from malicious code, but with the number of programs the average person downloads from the Internet, Trojan horses are becoming a major threat. Basically, a Trojan horse is a program you run to do one thing while, in the background, it is doing another. These are often referred to as viruses, and commercial antivirus programs will frequently catch the most common ones, but they are easy to make and can access anything the person running them can. As a rule of thumb, don't download and install new software unless you are sure it comes from a reputable source. Make sure that your antivirus software is up to date so you can catch the latest viruses (viri?). Last, make sure your applications are run in a secure manner. Disable macros in your Office programs. Don't run email attachments unless you are absolutely certain that they are safe. These issues are especially important if you are the administrator on a large network. While the average user has the rights to delete his or her own files, most admins can delete everything on network drives, too. This is a bad thing.

Keep the OS up-to-date with Service Packs and Hotfixes

You should stay on top of Service Pack releases and apply them when they are available. You should also use HFNETCHK or Windows Update to stay on top of security issues with Internet Explorer, Outlook and other programs that are installed on your system.

This is only a partial list of things to help secure Windows 2000 installs and is not intended to be a comprehensive checklist in securing the OS.

Monitor the System

System administrators should audit their systems at least once per week. Routine review and comparison of data is important for determining "normal" activity. Out-of-the-ordinary activities will easily be detected if systems are regularly audited, and auditing provides a way to help determine if damage has been done to the system. System auditing should complement, rather than replace, other security measures (e.g. policy, password management, use of firewalls, use of malicious code protection software, performance of back-ups, presence of appropriate physical security measures, etc.).

Develop A Baseline

Determine what normal activity is: collect (document) as much data as possible during periods of expected low, medium and high activity, and use the data as your baseline for comparison during future audits.

  • Know the difference between successful and failed logon attempts.

  • Know which ports should be open/active.

  • Be aware of permission, file, or registry changes.

  • Know who has permission to access the system.

  • Document user and group accounts and permissions, review periodically for appropriateness, and monitor non-active user sessions.
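"Know which ports should be open/active" is the baseline item that lends itself best to automation, and it ties back to the Firewalls and Ports section above. The following is an added example, not part of the original guide: it parses the text layout of `netstat -an` into the set of ports that accept input (TCP sockets in the LISTENING state, plus every bound UDP socket), then diffs a capture taken during an audit against the one recorded as the baseline. Both captures are constructed samples; the unexpected port and the addresses in them are made up.

```python
def listening_ports(netstat_output):
    """Parse `netstat -an` text into a set of (proto, port) that accept input."""
    ports = set()
    for line in netstat_output.splitlines():
        fields = line.split()
        # Skip the "Active Connections" banner, the column header and blank lines.
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue
        proto, local = fields[0], fields[1]
        port = int(local.rsplit(":", 1)[1])
        # TCP rows carry a state column; only LISTENING sockets accept new
        # connections. UDP rows have no state, so every bound socket counts.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        ports.add((proto, port))
    return ports


def compare_to_baseline(baseline, current):
    """Return (unexpected, missing).

    unexpected: ports open now that were not open when the baseline was taken,
    the thing to investigate first. missing: baseline ports no longer open,
    which usually means a service has stopped and may also be worth a look.
    """
    return current - baseline, baseline - current


# Constructed baseline capture, recorded during a quiet period.
BASELINE_CAPTURE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:137            *:*
  UDP    0.0.0.0:138            *:*
"""

# Constructed capture from a later audit: a new listener has appeared on
# TCP 8765, UDP 138 is gone, and one outbound web connection is in progress.
AUDIT_CAPTURE = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:8765           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1029      10.0.0.5:80            ESTABLISHED
  UDP    0.0.0.0:137            *:*
"""


if __name__ == "__main__":
    unexpected, missing = compare_to_baseline(
        listening_ports(BASELINE_CAPTURE), listening_ports(AUDIT_CAPTURE))
    for proto, port in sorted(unexpected):
        print("UNEXPECTED listener: %s %d" % (proto, port))
    for proto, port in sorted(missing):
        print("missing from baseline: %s %d" % (proto, port))
```

Run this against the saved baseline file and a fresh `netstat -an > audit.txt` from the scheduled AT job; the ESTABLISHED outbound connection is deliberately ignored because it is not a service accepting input. The same idea (save a trusted snapshot, diff the current one) applies to the `net start` service list and the `DIR` time stamps mentioned further down.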

Perform an Audit

  • Use verification procedures to determine that data are accurate.

  • Prepare auditing tools on removable media (do not store them on the system).

  • Keep auditing tools secure.

  • Use a dedicated, secure system for data review/audit.

  • Schedule audits, determine how they are performed and how long the data will be retained.

  • Vary the times the audit is performed.

  • Automate your audits.

  • Report suspicious activity to the Information Security Team.

In General

  • Learn about and use utilities found in the Administrative Tools group (e.g. Local Security Policy, Performance, Services, Computer Management, Event Viewer, etc.).

  • Learn about and use the Windows Resource Kit: http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

  • Regularly check the Task Manager for running processes.

  • Run the netstat, net start, and netsvc commands to determine what types of network connections are made to and from systems.

  • Run the sysdiff.exe command to check for registry changes: http://www.microsoft.com/windows2000/techinfo/reskit/default.asp

  • Run the DIR command to check file stamps.

  • Automate your audits using AT from the command line, or use the Resource Kit GUI (winat). (The Scheduler service must be running to run AT.)

Performance and Storage of Appropriate Back-ups

  • Determine which method will be used to back-up (tape, disk, server, other location).

  • Determine if full configurations or partial (incremental/differential) configurations will be saved.

  • Choose the software which will be used to back up systems (e.g. ArcServe, BackupExec, Networker, NTBackup, Norton Ghost, etc.).

  • Determine which administrators will have primary and secondary backup responsibilities.

Back-Up Procedures

  • Schedule back-ups to run regularly.

  • Run full back-ups at least once a week.

  • Document back-up procedures.

  • Verify and log that back-ups were completed successfully.

  • Maintain a written log of tape usage and properly label tapes.

  • Write protect tapes as appropriate.

  • Check every tape before usage.

  • Determine length of time tapes will be saved and if they will be reused.

  • Keep recovery media safe (off-site).

  • Practice, or test, system restorations (files, directories, systems) before you actually need to perform a real restoration.

  • Seek training in use of back-up software if appropriate.

  • Review manufacturer recommendations for tape and tape drive maintenance.

  • Back up the Windows registry in addition to other files.