Bulletproof your Windows installation

This tip was submitted to the Tip Exchange by member Robert Shahon.

You've taken an important step, security-wise, by upgrading to an NT-based operating system. Windows NT, 2000, and XP are built on a kernel (the core operating system code) that's very different from that of the 9x family. Because they're designed for the corporate environment, they include the features most valued by business customers, and security is definitely a top priority in today's business world. However, installing Win2k does not by itself mean you are taking advantage of the additional security features it includes. To make your Win2k (or XP) machine really secure, you should be sure to address the following issues:

  1. Make sure you've formatted all partitions in NTFS. While Win2k and XP will support FAT partitions, you lose many of the security features, such as file-level permissions and EFS encryption, when you use FAT.


  2. Disable services you don't need (for example, the Web server service if you don't intend to use the machine as a Web server) and unneeded user accounts, such as the built-in Guest account.


  3. Set strong passwords -- especially on administrative accounts. This means passwords of at least 8 characters in length that use a combination of alpha (upper and lower case), numeric, and symbol characters, that are easy for the user to remember but hard for others to guess (not words that are in the dictionary). Also, change these passwords on a regular basis.


  4. Use password policies (set through Group Policy) to enforce strong password rules.


  5. Change the name of the built-in "master" administrator account and create a "decoy" account named Administrator that has minimal permissions.


  6. Remove all unnecessary shares; disable file and print sharing completely if you don't need to share resources on the machine with anyone across the network.


  7. Set NTFS (file-level) permissions on files and folders in addition to share permissions on shared resources. Be aware that the default share and NTFS permissions give the Everyone group full control; this should usually be changed on each resource.


  8. Set an account lockout policy (in Group Policy) that will lock out a user account after a specified number of incorrect password entries.


  9. Use Group Policy to set up security auditing so you will be aware of failed or successful logon attempts and other security events.


  10. Be sure to install and update antivirus software and apply the latest security fixes and service packs.
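
Items 3, 4, 5, 8 and 9 can be captured in a single security template and applied to a standalone machine with `secedit`, rather than setting each policy by hand. The template below is an added example, not part of the original tip; the file names, the placeholder account name, and every numeric value other than the 8-character minimum are assumptions to adjust for your environment.

```ini
; hardened.inf (hypothetical file name): added example covering
; checklist items 3, 4, 5, 8 and 9 as local security policy.
;
; Apply:       secedit /configure /db hardened.sdb /cfg hardened.inf /areas SECURITYPOLICY
; Check drift: secedit /analyze /db hardened.sdb /log hardened.log

[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Items 3 and 4: enforce length and character-mix rules by policy
MinimumPasswordLength = 8
PasswordComplexity = 1
; "Change these passwords on a regular basis": ages are in days (assumed values)
MaximumPasswordAge = 60
MinimumPasswordAge = 1
PasswordHistorySize = 12
; Item 8: lock the account after this many bad passwords (assumed value);
; the reset window and lockout duration are in minutes
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
; Item 5: rename the built-in administrator account (placeholder name)
NewAdministratorName = "REPLACE_WITH_NEW_NAME"

[Event Audit]
; Item 9: 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditSystemEvents = 3
```

The template renames the built-in account but does not create the decoy Administrator account from item 5; that account still has to be added separately. On a domain member, domain Group Policy takes precedence over these local settings.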
