Even though using Windows Server 2003 is in vogue, a lot of shops are still running Windows 2000 Server -- and with good reason. It was a pretty solid release, with a lot of useful features, and the improvements in Windows Server 2003, while nice, weren't compelling enough for some companies to make the jump. However, as with any older operating system, security is a concern that grows with each passing day. Here are some tips to help you lock down Windows 2000 Server machines.
- Update to Windows 2000 Server Service Pack 4. This is a well-tested, simple installation that will fill many holes that have been discovered by Microsoft and others during the lifespan of Windows 2000. After installing it, apply the Update Rollup package to finish off your updates. Note that Service Pack 4, combined with the rollup, constitutes the final release of Windows 2000 that Microsoft will make. Windows 2000 is now a deprecated product, and while support still exists and security updates will continue to be made, no more service packs will be issued.
- Download and use HFNetChk to scan and inventory your network for security-patch installations. This tool, which incidentally is the basis for the Microsoft Baseline Security Analyzer, is a lightweight scanner that checks client computers for installed updates and patches. The comparison is based on an XML file listing all available updates and the criteria for each, and Microsoft constantly updates that list. You can find the tool, and instructions for its use, at Microsoft.
- Set restrictions on Windows passwords. They should be at least six characters long, they shouldn't be based on a dictionary word, and they shouldn't last longer than 90 days. To configure this, within Group Policy or local policy, navigate through Security Settings to Password Policy and apply the appropriate settings.
- Configure Windows to disable or "lock out" accounts for at least 15 minutes after three unsuccessful authentication attempts. This inhibits password-cracking programs from breaking simple passwords in a short amount of time. Most automated programs will move on to different targets after a short period of inaccessibility, so 15 minutes is a sweet spot between user inconvenience and healthy paranoia. To configure this, within Group Policy or local policy, navigate through Security Settings to Account Policy and apply the appropriate settings.
- If you're not a fan of the lockout suggestion, use passphrases on user accounts. Passphrases are sentence-long passwords with punctuation, mixed cases, and spaces that are very difficult to break with a cracking program. If you use these more secure phrases, the lockout feature becomes unnecessary, as the probability that these phrases will be broken is low. Tell your users to create passphrases that express an idea, and to enter them into the password dialog box exactly as they would type them in Word or your company word processor.
- Disable all anonymous access except where explicitly allowed in file-system permissions. Windows allows an anonymous user to reach many shares and files through the use of a null user account; this is a security hazard, of course. You can still enable anonymous access to files and directories by explicitly granting rights to the ANONYMOUS USER account inside the appropriate access control list (ACL). This setting merely disables anonymous access by default, so you know exactly where such connections are being made. To fix this hazard, set the Additional Restrictions for Anonymous Connections selection to No Access Without Explicit Anonymous Permissions within Security Settings/Local Policy/Security Options in Local Computer Policy.
- Enable automatic logoff upon logon time expiration, and set up at least one half hour each night during which no user is permitted to log on. Some users log on to the network and then don't log off for months. This is a prominent security hole, because when that user leaves her desk, she is still authenticated to the network with her credentials. These can be used to do destructive things: file deletion and transfer, planting of a "root kit" or backdoor program, or password changing. The way to make this work is twofold: First, each valid user needs to have a time when he isn't permitted to log on. This can be somewhere in the morning for a standard 9 AM to 5 PM office, perhaps at 3 AM to 3:30 AM. Then, you need to make a change to the local security policy so that when the user's logon time expires, he isn't permitted to log on.
- Require digitally signed communications when possible, but not always. I recommend requiring the signatures when possible on both ends of a connection (the remote procedure call, or RPC, protocol refers to the requesting end as the "client" and the responding end as the "server," no matter the systems' usual roles). Unsigned transmissions should only occur when signatures aren't available, supported, or possible. (For future reference, in Windows Server 2003, the default is to require signed communications for all transmissions.) To require digitally signed communication when possible, enable the Digitally Sign Client Communication (When Possible) and Digitally Sign Server Communication (When Possible) options in Local Computer Policy.
- Require the user to press Ctrl-Alt-Del before logging on, a key sequence recognized only by the Windows operating system. The logon screen is one of the most trusted aspects of a computer to a normal user. She trusts it enough that she gives her password and username, and then the computer trusts her, too, if all of that is correct and verified. A cracker can take advantage of this mutual trust by writing a program that runs as a system service -- that is, it doesn't need user privileges. The program will mimic the logon box, grab the user's input, and do something with it. "It" could be e-mailing the password to the cracker, saving the credentials to a backdoor program's data file, or any number of other nefarious things. However, pressing Ctrl-Alt-Del brings Windows itself to attention, and you get the authentic Windows logon instead of a counterfeit one that a cracker creates. This is an easy step that makes your system much more secure. To require this keystroke, disable the Disable Ctrl-Alt-Del Requirement for Logon option in Local Computer Policy.
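The password, lockout, logon-hours, anonymous-access, signing and Ctrl-Alt-Del tips above all live in Local Security Policy, which Windows 2000 can dump to a text file with `secedit /export /cfg <file>.inf`. The following Python script is an added example, not code from the article or from Microsoft: it reads such an export and reports every setting that falls short of the recommendations. The section names, keys and registry paths are the standard ones `secedit` writes; the two embedded exports are constructed samples (one server at its defaults, one after the tips were applied), not real output, and the function names are the author's own choices.

```python
# Added audit helper (not from the article): checks a Windows 2000 "secedit /export /cfg file.inf"
# dump against the password, lockout, logon-hours, anonymous-access, SMB-signing and Ctrl-Alt-Del
# settings recommended above. Real exports are UTF-16LE text; open them with encoding="utf-16".
import configparser

LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
WINLOGON = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
LANMAN_WKS = r"MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters"
LANMAN_SRV = r"MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters"

# (section, key, display name, predicate on the integer value, expected value in words)
CHECKS = [
    ("System Access", "MinimumPasswordLength", "Minimum password length", lambda v: v >= 6, "6 or more"),
    # Closest built-in control to "not a dictionary word": it enforces character classes, not a word list.
    ("System Access", "PasswordComplexity", "Passwords must meet complexity requirements", lambda v: v == 1, "1"),
    ("System Access", "MaximumPasswordAge", "Maximum password age (days)", lambda v: 1 <= v <= 90, "1 to 90"),
    ("System Access", "LockoutBadCount", "Account lockout threshold", lambda v: 1 <= v <= 3, "1 to 3"),
    # Only present in the export when LockoutBadCount > 0; -1 means locked until an administrator unlocks.
    ("System Access", "LockoutDuration", "Account lockout duration (minutes)", lambda v: v >= 15 or v == -1, "15 or more"),
    ("System Access", "ForceLogoffWhenHourExpire", "Automatically log off users when logon time expires", lambda v: v == 1, "1"),
    ("Registry Values", LSA + r"\RestrictAnonymous", "Additional restrictions for anonymous connections", lambda v: v == 2, "2 (no access without explicit anonymous permissions)"),
    # The policy is phrased negatively: DisableCAD=0 means Ctrl-Alt-Del IS required at logon.
    ("Registry Values", WINLOGON + r"\DisableCAD", "Disable CTRL+ALT+DEL requirement for logon", lambda v: v == 0, "0 (disabled)"),
    ("Registry Values", LANMAN_WKS + r"\EnableSecuritySignature", "Digitally sign client communication (when possible)", lambda v: v == 1, "1"),
    ("Registry Values", LANMAN_SRV + r"\EnableSecuritySignature", "Digitally sign server communication (when possible)", lambda v: v == 1, "1"),
]

# Constructed sample (not real output) of an export from a server still at its defaults.
DEFAULT_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
MaximumPasswordAge = 42
LockoutBadCount = 0
ForceLogoffWhenHourExpire = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature=4,0
"""

# Constructed sample (not real output) of the same server after the tips above were applied.
HARDENED_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 1
MaximumPasswordAge = 90
LockoutBadCount = 3
LockoutDuration = 15
ResetLockoutCount = 15
ForceLogoffWhenHourExpire = 1
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\System\CurrentControlSet\Services\LanmanWorkstation\Parameters\EnableSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\EnableSecuritySignature=4,1
"""

def parse_export(text):
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep registry paths exactly as written (the default would lowercase them)
    cfg.read_string(text)
    return cfg

def read_value(cfg, section, key):
    """Integer value of one setting, or None if the export does not contain it."""
    if not cfg.has_option(section, key):
        return None
    raw = cfg.get(section, key).strip()
    if section == "Registry Values":
        reg_type, data = raw.split(",", 1)  # written as "<type>,<data>"; type 4 is REG_DWORD
        return int(data) if reg_type == "4" else None
    return int(raw)

def audit(text):
    """Return [(display name, value found, value expected)] for every setting that misses the bar."""
    cfg = parse_export(text)
    findings = []
    for section, key, name, is_ok, expected in CHECKS:
        value = read_value(cfg, section, key)
        if value is None or not is_ok(value):
            findings.append((name, value, expected))
    return findings

if __name__ == "__main__":
    for name, value, expected in audit(DEFAULT_EXPORT):
        print(f"FAIL  {name}: found {value!r}, want {expected}")
```

To use it against a real machine, run `secedit /export /cfg C:\current.inf` on the server, copy the file off, and pass its contents (decoded as UTF-16) to `audit()`. A missing `LockoutDuration` is reported as a finding on purpose, since `secedit` only writes it once a lockout threshold is set. Note that `RestrictAnonymous=2`, the value behind "No Access Without Explicit Anonymous Permissions", is the setting Microsoft documents as able to interfere with down-level clients and domain trusts, so test it on one server before rolling it out.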
About the author: Jonathan Hassell is author of Hardening Windows (Apress LP) and is a SearchWindowsSecurity.com site expert. Hassell is a systems administrator and IT consultant residing in Raleigh, N.C., who has extensive experience in networking technologies and Internet connectivity. He runs his own Web-hosting business, Enable Hosting. His previous book, RADIUS (O'Reilly & Associates), is a guide to implementing the RADIUS authentication protocol and overall network security.