Windows 2000 Security (Page 1 of 6 )
Sysadmins dealing with Microsoft products know that securing Windows can be enough to bring on a migraine. Jonathan Hassell helps take the headache out of security by explaining several ways to secure Windows 2000, Windows XP, and Windows Server 2003. This exerpt is from chapter three of
Hardening Windows by Jonathan Hassell (Apress, 2004, ISBN: 1590592662)
WINDOWS SUFFERS FROM THE WOOB syndrome: It’s wide open out of the box so that the user has all features and capabilities accessible to him automatically if he wants them. Unfortunately, the undesirables on the Internet have decided to take advantage of this unguarded default state and use it as a basis for staging attacks, hack attempts, and general computing mayhem.
This chapter focuses on protecting a Windows 2000 Professional and Server, Windows XP Professional, and Windows Server 2003 through the use of system updates and update audits, password policies, user-account protection, and basic local computer-security policies.
System Updates The first step to configuring any new Windows system is to update it with the latest service pack. Service packs are updates to critical Windows system files based on bug reports, security vulnerabilities, and (rarely) new features. Windows operating system service packs are normally cumulative, in that they contain all fixes and service packs previous to the current level.
As of this writing, the latest pack level available for the Windows 2000 platform is Service Pack 4. The Windows XP client platform also has Service Pack 1 available. Both of these update packs are offered in two distinct versions:
- Windows Update service: With this option, the Windows Update website downloads an ActiveX control to your computer and searches your installed operating system for updates that are needed. It then custom-delivers a service pack to you based on the update level of your current system. For example, you may have downloaded five of nine critical security updates. The version of the service pack you receive will be built to deliver the remaining four updates and anything else that hasn’t already been updated. Surf to http://www.windowsupdate.com to get started using this version.
- Network Download version. This is the complete service pack executable file designed to be stored on a file server and installed from a central location, either manually by a system administrator or automatically using automated tools like Systems Management Server or Microsoft Operations Manager. These files are usually hundreds of megabytes in size, so they’re apt to be burned on CD and stored for easy distribution. The network download version of Windows 2000 Service Pack 3 is available from http://download.microsoft.com/download/win2000platform/SP/
SP3/NT5/EN-US/W2Ksp3.exe. The network download version of Windows XP Service Pack 1 is available from http://download.microsoft.com/download/whistler/SP/SP1/
WXP/en-us/xpsp1_en_x86.exe.
The “Slipstreaming” Process Many administrators complain that as they receive new systems to deploy on the corporate network, it takes an increasing amount of time, relative to the age of the operating system (and therefore the number and complexity of updates released for that OS) to get said systems prepared for everyday usage. Even if the systems come with an operating system preinstalled and updated, it’s likely that you have your own way of initially configuring a system and its applications, and you probably wipe the system clean and reinstall the system.
You may have an image file to aid in new system deployment, created using a tool like Symantec’s Ghost or the Altiris line of network management and deployment tools, but you still must keep your master image updated. Hence, a real need is created for a standard Windows distribution CD-ROM with the latest service pack completely integrated, or “slipstreamed.”
Fortunately, Microsoft has made it easy to create this handy tool. You’ll need the network/administrative (in other words, the full) version of the service pack for your respective platform. To create the slipstreamed CD do the following:
- Copy a stock Windows distribution CD into a directory on your hard drive. For the remainder of this example, let’s use c:\windist. You’ll likely need to create this directory.
- Create a directory called c:\winsp, and copy the downloaded service pack file there. Let’s assume the service pack file is named w2ksp3.exe.
- Extract the service pack to that directory by executing the following command from the command line or by selecting Start -> Run: w2ksp3.exe –x.
- Now, update the files from the regular Windows distribution CD with the new service pack files by executing the following command from the command line or from Start -> Run: D:\win2ksp3\i386\UPDATE\UPDATE.EXE -S:C:\windist.
The files are then updated, and the process is complete. At this point, you can create a new CD for your own purposes, or create an administrative share for use with Remote Installation Service (RIS) and other tools. Slipstreaming is an easy way to make sure new systems are updated before they’re ever put into production.
 This chapter is from Hardening Windows, by Jonathan Hassell (Apress, 2004, ISBN: 1-59059-266-2). Check it out at your favorite bookstore today.
Buy this book now. |
Next: Critical Updates and Security Hotfixes >>
More Windows Security Articles
More By Apress Publishing
/ 8 
