Step by step Guide to Securing Win2k

This is how I secured my windows 2000 server. This is the easy systematic guide to secure your windows box. This is the easiest way to follow and implement until I come up with some thing better then this.

Installation

First and foremost is use the NTFS file system – especially for the boot partition. Yes, it is possible to secure a FAT partition from a remote users perspective, but the use of FAT increases risk considerably.

Another issue that needs to be corrected during installation is the default directory. Do not install system files in the \WINNT directory. Rename the directory anything else you like — \REDHAT and \MITNICK are two popular examples. I’ll refer to the system directory as \SIOUXSIE for the remainder of this paper. This step will prevent attacks hard coded to refer to files in the \WINNT directory.

NTFS Permissions

After the installation has completed you will need to correct the NTFS permissions. The primary goal is to get rid of all occurrences of “EVERYONE”. Try the following, in your test environment first of course:

  • Reset permissions at the logical drive level for all of your drives as shown below. Apply the settings to all child objects and enable propagation of inheritable permissions.

Administrators Full Control

Authenticated Users Modify

Read and Execute

List Folder Contents

Read

Write

CREATOR OWNER Full Control

SYSTEM Full Control

  • After this has been done remove all permissions for Authenticated Users from \SIOUXSIE (the system directory) and its child objects.
  • Allow Authenticated Users Modify, Read and Execute, List Folder Contents, Read and Write to the following directories and all of their child objects:

\Documents and Settings

\SIOUXSIE\Installer (Note: It’s hidden…)

\SIOUXSIE\System32\Spool

\SIOUXSIE\System32\Config

\SIOUXSIE\Repair

  • Allow Authenticated Users Read and Execute, List Folder Contents and Read to \SIOUXSIE\System32\Spool\Drivers. This is an important step as it prevents users from uploading trojaned drivers that would be distributed to other users.
  • Set the appropriate permissions on your user directories.

Share Permissions

We have already locked down the file system, but you should still check your share permissions if applicable. It is a little extra work, but I never turn down the opportunity to add a layer of security to my servers.

Services

Now is a good time to disable any unnecessary services. These are the ones I typically do not require to be running on a server:

DHCP Client

Fax Service

Internet Connection Sharing

Intersite Messaging

Remote Registry Service

RunAs Service

Simple TCP/IP Services

Telnet

Terminal Services

Utility Manager

If your server is destined to be an intrusion detection box it would be wise to disable services like Computer Browser and Server as well.

Protocols

Unbind protocols like IPX and NetBIOS from interfaces where they are not required. They love to broadcast, and broadcasts are evil.

User Accounts

Next we will secure the local user accounts.

  • Disable the Guest account and give it a very strong password.
  • Disable the TsInternetUser account and give it a very strong password. Create the account if it does not exist. Do not delete the account even if it is not being used, since when you later upgrade the OS the account will be created if it does not exist.
  • I am assuming you already created a very strong password for the Administrator account during the installation.

Registry

Now we will need to fire up REGEDT32 and add or edit the following values. Most of them are intended to defend against Denial of Service attacks, while the others help prevent such things as the enumeration of accounts by unauthenticated users.

Under HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Services add or modify the following values:

Key: Tcpip\Parameters
Value: SynAttackProtect
Value Type: REG_DWORD
Parameter: 2

Key: Tcpip\Parameters
Value: TcpMaxHalfOpen
Value Type: REG_DWORD
Parameter: 100

Key: Tcpip\Parameters
Value: TcpMaxHalfOpenRetried
Value Type: REG_DWORD
Parameter: 80

Key: Tcpip\Parameters
Value: EnablePMTUDiscovery
Value Type: REG_DWORD
Parameter: 0

Key: Tcpip\Parameters
Value: EnableDeadGWDetect
Value Type: REG_DWORD
Parameter: 0

Key: Tcpip\Parameters
Value: KeepAliveTime
Value Type: REG_DWORD
Parameter: 300000

Key: Tcpip\Parameters
Value: EnableICMPRedirect
Value Type: REG_DWORD
Parameter: 0

Key: Tcpip\Parameters\Interfaces\
Value: PerformRouterDiscovery
Value Type: REG_DWORD
Parameter: 0

Key: Netbt\Parameters
Value: NoNameReleaseOnDemand
Value Type: REG_DWORD
Parameter: 1

Under HKEY_LOCAL_MACHINE \SYSTEM \CurrentControlSet \Control add or modify the following value:

Key: Lsa
Value: RestrictAnonymous
Value Type: REG_DWORD
Parameter: 1

You may have noticed that I failed to have you fix the known flaws in the registry key permissions. Since we disabled the Remote Registry Service earlier it is not really necessary to do so.

If you’re like me and wear suspenders and a belt (even when wearing coveralls), another neat trick is changing the file association for the .REG extension to something like NOTEPAD.EXE. This will prevent malicious web sites from adding registry keys without your knowledge. But since we’re talking about servers here, the only site you are likely to visit from the console is a trusted one like http://windowsupdate.microsoft.com — so I guess we don’t really need to worry about that issue…

Console

Enable a screen saver, password protect it, and set it for some short interval like 5 minutes. This will protect you in the rare occurrence in which you forget to lock the computer before walking away from it.

Auditing

Next we will enable Auditing. This may be configured at the domain level, so you may not need to configure this for every server. I typically configure the Auditing settings as shown:

Audit Account Logon Events Success and Failure

Audit Account Management Success and Failure

Audit Directory Access No Auditing

Audit Logon Events Success and Failure

Audit Object Access Success

Audit Policy Change Success and Failure

Audit Privilege Use Success and Failure

Audit Process Tracking No Auditing

Audit System Events Success and Failure

Now we need to change the log settings so they have the potential to serve some purpose. Keeping the settings at their defaults may cause the server to crash when a log gets full. Increase the maximum size of the Application, Security and System logs to at least 10,048 KB each. Configure them to overwrite events as needed.

Security Policy

The local security policy is configured rather well in a default installation, but I usually change the following settings:

Clear virtual memory pagefile when system shuts down Enabled

Digitally sign server communication (when possible) Enabled

Shut down system immediately if unable to log security audits Enabled

Telnet

Now we have to worry about telnet to Windows boxes. Create a group named “TelnetClients”. Leave it empty if you are not using the service. If you are using the service, add your users to this group.

Trojans

This step is most helpful on workstations, but you will learn to like it on your servers as well.

Many, if not most of the trojans currently circulating take advantage of the Windows feature of hiding the extensions of known file types. This is what makes the executable script CLICKONME.BMP.VBS appear to be the bitmap file CLICKONME.BMP. This behavior makes it simple to trick people into executing files they believe are benign.

To fix the problem navigate to My Computer – Tools – Folder Options – View. Deselect “Hide file extensions for known file types”. While you are here, you might want to deselect “Hide protected operating system files” as well. Being able to see the protected OS files doesn’t benefit security much, but it will assist you in future troubleshooting.

If you have no need for Visual Basic or other scripts on your server, you can protect yourself further by preventing the scripts from executing by default. Simply change the file associations for some or all of the following file extensions to NOTEPAD.EXE:

.JS

.JSE

.VBE

.VBS

.WSF

Service Packs

You know the drill. New vulnerabilities are found in computing products every day. Keep an eye out for applicable Service Packs and Hotfixes and apply them as soon as possible.

After securing your Win2K server, consider looking into virtual private network services for a secure way of connecting to a private Local Area Network from a remote location.