Securing Windows 2000: tiny tips

By Seán Boran


  1. Remove or do not install the following Windows components
  2. Disable DNS updating when Windows attaches to the network.
    Windows tries to update the DNS database with its IP address when starting, which is insecure, wastes network bandwidth and will fill your DNS server's error log with junk.
    Control Panel -> Network, select the adaptor and select Properties. Select TCP/IP -> Properties -> Advanced -> DNS and uncheck "Register this connection's addresses in DNS".

  3. Disable the telnet server and simple TCP/IP services.
    Control Panel -> Telnet server administration or Control Panel -> Services
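One way to audit the DNS-registration and telnet/simple TCP/IP tips offline, as an added example that is not part of the original page: the Python script below parses the text of a regedit export and flags the Telnet (TlntSvr) and Simple TCP/IP (SimpTcp) services when they are installed but not disabled, and interfaces that still register in DNS. It assumes the DisableDynamicUpdate registry value that Microsoft documents for Windows 2000 corresponds to the checkbox above; the sample export, host name and interface GUIDs are constructed.

```python
import re

# Constructed sample of a regedit export (not taken from a real host).
SAMPLE_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"Hostname"="host1"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{AAAAAAAA-0000-0000-0000-000000000001}]
"DisableDynamicUpdate"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{BBBBBBBB-0000-0000-0000-000000000002}]
"EnableDHCP"=dword:00000001
'''

SVC = "HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\"

def parse_reg(text):
    """Return {KEY_PATH_UPPER: {value_name_lower: int}} for dword values only."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
        elif current is not None:
            m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text):
    """List deviations from the two tips; an absent service key means not installed."""
    keys, findings = parse_reg(text), []
    for svc in ("TlntSvr", "SimpTcp"):
        start = keys.get((SVC + svc).upper(), {}).get("start")
        if start is not None and start != 4:  # Start=4 means the service is disabled
            findings.append(f"{svc}: service not disabled (Start={start})")
    prefix = (SVC + "Tcpip\\Parameters").upper()
    # Assumption: a value of 1 directly under Parameters covers every interface.
    global_off = keys.get(prefix, {}).get("disabledynamicupdate") == 1
    for key, vals in keys.items():
        if key.startswith(prefix + "\\INTERFACES\\") and not global_off:
            if vals.get("disabledynamicupdate") != 1:
                name = key.rsplit("\\", 1)[1]
                findings.append(f"{name}: DNS registration enabled")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_EXPORT)) or "no findings")
```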


  1. Run the patchwork tool to check for well known weaknesses/patches, especially on IIS servers. This tool runs on NT and Win2k.  
  2. DumpACL is still a great tool for auditing.
  3. Windows 2000, Explorer & IIS security - Georgi Guninski Security Research
  4. IIS

References and further reading (some of which I've not yet read!)

Windows 2000 domain controller hardening

Microsoft security site: patch search, search tool faq, new bulletins:

Windows 2000 patches

IIS Lockdown, Microsoft Personal Security Advisory, Cleaner for Code Red II, Improved Cipher Security Tool, Qchain, Security Screen Savers, Windows 2000 Internet Server Security Tool, Security Planning Tool for IIS, and HFNetChk.

Hardening Windows 2000, Part One: Seeing the Forest In Spite of the Trees
Timothy M. Mullen

Extract of the chapter "Hardening Windows 2000" from the "Windows 2000 Security handbook":
Phil Cox

An Audit of Active Directory Security, Part One

System Administration Guidance for Windows 2000 Professional


Other tools to check out [I've not looked at them in detail yet]


Win2k hotfix installation

 IT Security Cookbook,  Last Update: 06 Feb. 2002