Bulletproof your Windows installation

This tip was submitted to the SearchWin2000.com Tip Exchange by member Robert Shahon. Let other users know how useful it is by rating the tip below.

You've taken an important step, security-wise, by upgrading to an NT-based operating system. Windows NT, 2000, and XP are built on a kernel (the core operating system code) that's very different from that of the 9x family. Because they're designed for the corporate environment, they include the features most valued by business customers, and security is definitely a top priority in today's business world. However, just because W2K includes more security features, that doesn't mean you're taking advantage of them just because you've installed the OS. To make your Win2k (or XP) machine really secure, you should be sure to address the following issues:

  1. Make sure you've formatted all partitions in NTFS. While Win2k and XP will support FAT partitions, you lose many of the security features such as file level permissions and EFS encryption when you use FAT.


  2. Disable services you don't need (for example, the Web server service if you don't intend to use the machine as a Web server) and unneeded user accounts, such as the built in guest account.


  3. Set strong passwords -- especially on administrative accounts. This means passwords of at least 8 characters

Requires Free Membership to View

  1. in length that use a combination of alpha (upper and lower case), numeric, and symbol characters, that are easy for the user to remember but hard for others to guess (not words that are in the dictionary). Also, change these passwords on a regular basis.


  2. Use password policies (set through Group Policy) to enforce strong password rules.


  3. Change the name of the built in "master" administrator account and create a "decoy" account named Administrator that has minimal permissions.


  4. Remove all unnecessary shares; disable file and print sharing completely if you don't need to share resources on the machine with anyone across the network.


  5. Set NTFS (file level) permissions on files and folders in addition to share permissions on shared resources. Be aware that the default share and NTFS permissions give the Everyone group full control; this should usually be changed on each resource.


  6. Set an account lockout policy (in Group Policy) that will lock out a user account after a specified number of incorrect password entries.


  7. Use Group Policy to set up security auditing so you will be aware of failed or successful logon attempts and other security events.


  8. Be sure to install and update antivirus software and apply the latest security fixes and service packs.

This was first published in September 2002

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

Disclaimer: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.