Bulletproof your Windows installation

To make your Win2k (or XP,) machine really secure, you should be sure to address the following issues:

This tip was submitted to the SearchWin2000.com Tip Exchange by member Robert Shahon. Let other users know how useful it is by rating the tip below.


You've taken an important step, security-wise, by upgrading to an NT-based operating system. Windows NT, 2000, and XP are built on a kernel (the core operating system code) that's very different from that of the 9x family. Because they're designed for the corporate environment, they include the features most valued by business customers, and security is definitely a top priority in today's business world. However, just because W2K includes more security features, that doesn't mean you're taking advantage of them just because you've installed the OS. To make your Win2k (or XP) machine really secure, you should be sure to address the following issues:

  1. Make sure you've formatted all partitions in NTFS. While Win2k and XP will support FAT partitions, you lose many of the security features such as file level permissions and EFS encryption when you use FAT.

     

  2. Disable services you don't need (for example, the Web server service if you don't intend to use the machine as a Web server) and unneeded user accounts, such as the built in guest account.

     

  3. Set strong passwords -- especially on administrative accounts. This means passwords of at least 8 characters in length that use a combination of alpha (upper and lower case), numeric, and symbol characters, that are easy for the user to remember but hard for others to guess (not words that are in the dictionary). Also, change these passwords on a regular basis.

     

  4. Use password policies (set through Group Policy) to enforce strong password rules.

     

  5. Change the name of the built in "master" administrator account and create a "decoy" account named Administrator that has minimal permissions.

     

  6. Remove all unnecessary shares; disable file and print sharing completely if you don't need to share resources on the machine with anyone across the network.

     

  7. Set NTFS (file level) permissions on files and folders in addition to share permissions on shared resources. Be aware that the default share and NTFS permissions give the Everyone group full control; this should usually be changed on each resource.

     

  8. Set an account lockout policy (in Group Policy) that will lock out a user account after a specified number of incorrect password entries.

     

  9. Use Group Policy to set up security auditing so you will be aware of failed or successful logon attempts and other security events.

     

  10. Be sure to install and update antivirus software and apply the latest security fixes and service packs.


This was first published in September 2002

Dig deeper on Microsoft Active Directory Security

Pro+

Features

Enjoy the benefits of Pro+ membership, learn more and join.

0 comments

Oldest 

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to:

-ADS BY GOOGLE

SearchServerVirtualization

SearchCloudComputing

SearchExchange

SearchSQLServer

SearchWinIT

SearchEnterpriseDesktop

SearchVirtualDesktop

Close