This tip was submitted to the SearchWin2000.com Tip Exchange by member Robert Shahon.
You've taken an important step, security-wise, by upgrading to an NT-based operating system. Windows NT, 2000, and XP are built on a kernel (the core operating system code) that is very different from that of the 9x family. Because they are designed for the corporate environment, they include the features business customers value most, and security is definitely a top priority in today's business world. However, the fact that Win2k includes more security features does not mean you are taking advantage of them simply because you've installed the OS: most of them are off, or left at permissive defaults, until you configure them. To make your Win2k (or XP) machine really secure, you should be sure to address the following issues:
- Make sure you've formatted all partitions in NTFS. While Win2k and XP will run from FAT or FAT32
partitions, you lose many of the security features, such as file-level permissions and EFS
encryption, when you use FAT. An existing FAT volume can be converted in place, without losing its
contents, with convert <drive letter>: /FS:NTFS.
- Disable services you don't need (for example, the World Wide Web Publishing Service, W3SVC, which
is the IIS Web server, if you don't intend to use the machine as a Web server) and unneeded user
accounts, such as the built-in Guest account.
- Set strong passwords -- especially on administrative accounts. This means passwords of at least 8
characters in length that use a combination of alpha (upper and lower case), numeric and symbol
characters, that are easy for the user to remember but hard for others to guess (not words that are
in the dictionary, since those are the first thing a password-cracking tool tries). Also, change
these passwords on a regular basis.
- Use password policies (set through Group Policy) to enforce strong password rules.
- Change the name of the built-in "master" administrator account and create a "decoy" account
named Administrator that has minimal permissions. Be aware that renaming does not change the
account's security identifier: the built-in administrator always has relative ID (RID) 500, so
anyone who can enumerate SIDs on the machine can still pick it out. Renaming defeats casual
guessing and scripts that simply try "Administrator"; it is not a substitute for a strong password
and auditing on that account.
- Remove all unnecessary shares (net share lists them); disable file and print sharing completely
if you don't need to share resources on the machine with anyone across the network. Note that the
hidden administrative shares (C$, ADMIN$ and so on) are recreated at every boot; on a workstation
they stay gone only if you set the AutoShareWks value (AutoShareServer on a server) under
HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0.
- Set NTFS (file level) permissions on files and folders in addition to share permissions on
shared resources. A network user's effective access is the more restrictive of the two, while a
user logged on locally is governed by the NTFS permissions alone, so NTFS is where the real
protection has to be. Be aware that the default share and NTFS permissions give the Everyone group
full control; this should usually be changed on each resource, for example to Administrators: Full
Control plus Read or Change for the specific group that needs the data.
- Set an account lockout policy (in Group Policy) that will lock out a user account after a
specified number of incorrect password entries. Two caveats: the built-in administrator account is
not locked out by this policy, so its password strength is its only defense against guessing, and
anyone who knows your user names can deliberately lock them all out, so choose a threshold that
tolerates a few typos and a lockout duration in minutes rather than "until an administrator
unlocks it".
- Use Group Policy to set up security auditing so you will be aware of failed or successful logon
attempts and other security events. Enabling "Audit object access" by itself records nothing; to
audit access to particular files, folders or registry keys you must also set auditing entries
(SACLs) on those objects. Raise the maximum size of the Security log in Event Viewer so the entries
you want are not overwritten, and review the log regularly, or the auditing buys you nothing.
- Be sure to install and update antivirus software and apply the latest security fixes and service packs.
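The password, lockout, auditing, administrator-rename and service settings from the list above can be applied in one step with a security template fed to secedit.exe, the tool Group Policy itself uses underneath and which ships with both Windows 2000 and XP. The template below is an added example and is not part of Robert Shahon's tip; the numeric values, the new administrator name SrvAdmin and the file names hardening.inf, hardening.sdb and hardening.log are assumptions chosen for illustration, not settings the tip prescribes.

```ini
; hardening.inf -- added example security template, not part of the original tip.
; Values marked "chosen" are assumptions for illustration; adjust them to your own policy.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Windows 2000 defaults are MinimumPasswordLength = 0, PasswordComplexity = 0 and
; LockoutBadCount = 0, i.e. blank passwords allowed and no lockout at all.
MinimumPasswordLength = 8
PasswordComplexity = 1
; chosen: remember 24 old passwords, keep one at least 1 day and at most 90 days
PasswordHistorySize = 24
MinimumPasswordAge = 1
MaximumPasswordAge = 90
; chosen: 10 bad tries within 30 minutes locks the account for 30 minutes
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
; Rename the built-in (RID 500) administrator; "SrvAdmin" is an assumed name.
NewAdministratorName = "SrvAdmin"
; Honoured on Windows XP. On Windows 2000 disable Guest with: net user Guest /active:no
EnableGuestAccount = 0

[Event Audit]
; 0 = no auditing, 1 = success only, 2 = failure only, 3 = success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
AuditPrivilegeUse = 2
; Failure auditing of object access; only objects given SACLs will actually log.
AuditObjectAccess = 2
AuditProcessTracking = 0
AuditDSAccess = 0

[Service General Setting]
; Disable the IIS web server (W3SVC) on a machine that is not a web server.
; Format: "service",startup type (2 = automatic, 3 = manual, 4 = disabled),"SDDL descriptor".
; The descriptor is the stock service descriptor used in Microsoft's own templates.
; Remove this line if IIS is not installed, otherwise secedit logs a warning for it.
"W3SVC",4,"D:AR(A;;CCDCLCSWRPWPDTLOCRSDRCWDWO;;;BA)(A;;CCLCSWLOCRRC;;;AU)(A;;CCLCSWRPWPDTLOCRRC;;;PU)"
```

Save the file as Unicode text and apply it with: secedit /configure /db hardening.sdb /cfg hardening.inf /log hardening.log. The same template then serves as a baseline: secedit /analyze /db hardening.sdb /cfg hardening.inf /log analyze.log reports every setting that has drifted from it, which is how you confirm months later that the hardening is still in place. Create the decoy account after the rename with net user Administrator * /add (a new local user lands in the Users group only), list shares with net share and drop unwanted ones with net share <name> /delete. Remember that AuditObjectAccess = 2 produces events only for files and keys on which you have set auditing entries.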
This was first published in September 2002