Securing Windows 2000: tiny tips

By Seán Boran

Hardening

1. Remove or do not install the following Windows components

• Management and monitoring tools (SNMP)
• Indexing service
• Internet Information Service (IIS)
• Network services: RIP; simple TCP/IP services.

2. Disable DNS updating when Windows attaches to the network.
   Windows tries to update the DNS database with it's IP address when starting, which is insecure, wastes network bandwidth and will fill your DNS server's error log with junk.

Control Panel -> Network, select adaptor and select properties. Select TCP/IP-> properties -> advanced -> DNS and unclick "Register this connection's addresses in DNS"

3. Disable the telnet server and simple TCP/IP services

Control Panel -> Telnet server administration or Control Panel -> Services

Auditing

1. Run the patchwork tool to check for well known weaknesses/patches, especially on IIS servers. This tool runs on NT and Win2k.
   http://www.cisecurity.org/patchwork.html  
   
2. DumpACL is still a great tool for auditing.
   http://www.systemtools.com/somarsoft
   
3. Windows 2000, Explorer & IIS security - Georgi Guninski Security Research
   http://www.guninski.com/win2k.html
   
4. IIS
   • Run Microsoft's HFCheck tool on IIS5/win2k servers
     http://www.microsoft.com/Downloads/Release.asp?ReleaseID=24168
     
   • URLScan, screens all incoming requests to the server, and filters them based on rules set by the administrator. This significantly improves the security of the server by helping ensure that it only responds to valid requests.
     http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/URLScan.asp  

References and further reading (some of which I've not yet read!)

Windows 2000 domain controller hardening
http://www.microsoft.com/TechNet/security/auas0301.asp

Microsoft security site: patch search, search too faq, new bulletins:
http://www.microsoft.com/technet/security/current.asp
http://www.microsoft.com/technet/security/srchfaq.asp
http://www.microsoft.com/technet/security/search/bulletins_new.xml

Windows 2000 patches
http://www.microsoft.com/windows2000/downloads/critical/default.asp

IIS Lockdown, Microsoft Personal Security Advisory, Cleaner for Code Red II, Improved Cipher Security Tool, Qchain, Security Screen Savers, Windows 2000 Internet Server Security Tool, Security Planning Tool for IIS, and HFNetChk.
http://www.microsoft.com/technet/security/tools/tools.asp
http://www.ntbugtraq.com/nimdachk.asp

Hardening Windows 2000, Part One: Seeing the Forest In Spite of the Trees
Timothy M. Mullen
http://www.securityfocus.com/frames/?focus=microsoft&content=/focus/microsoft/2k/harden2k.html

Extract of the chapter "Hardening Windows 2000" from the "Windows 2000 Security handbook":
Phil Cox
http://www.systemexperts.com/win2k.shtml

An Audit of Active Directory Security, Part One
http://www.securityfocus.com/focus/ms/2k/adaudit1.html

System Administration Guidance for Windows 2000 Professional
http://csrc.nist.gov/itsec/guidance_W2Kpro.html 

 

Other tools to check out [I've not looked at them in detail yet]

QUICKinspector
Shavlik
http://www.shavlik.com/security/QI4WproV.asp

Win2k hotfix installation
sozni@XATO.NET
http://archives.neohapsis.com/archives/win2ksecadvice/2001-q1/0124.html