Windows 2000 Security - Recommended Security Policy Settings
In the following subsections, I’ll discuss the security-policy settings that I recommend for a hardened Windows 2000 installation, regardless of whether you use the predefined security templates covered earlier in the chapter or not. I’ve broken these down into two sections: user accounts that cover ways to harden multiuser environments against attacks from both the outside and the inside, and local options, which give you ways to configure the operating system to protect itself against data hijacking, hacked transmissions, and unauthorized logons.
User Accounts
Multiuser systems are security holes in and of themselves. If you recall, the Windows NT operating system achieved government C2-level (orange book) security accreditation back in the mid-1990s. Although this seemed impressive initially, the joke was that the OS was only C2-certifiable in a nonnetworked, standalone environment. Given that NT was billed as a network operating system that would be used by many people, it was effectively a nonstarter to use C2 as a selling point.
Unfortunately, everyone needs multiple user accounts, so this section focuses on hardening these accounts as much as possible.
Password Requirements
Long passwords are more secure, period. The mathematics of the issue are fairly obvious: there are more permutations and combinations to try when brute-force cracking a longer password. Additionally, common English words (on which a dictionary attack can be based) are usually shorter than eight characters, making them easy to crack. Finally, passwords that are never changed are insecure. Though most users tend to change their passwords on a regular basis when encouraged by administrators, some accounts—namely the Administrator and Guest accounts—often keep the same password for life, which makes them an easy target for attack. To set these restrictions, do the following:
- Open the Microsoft Management Console and navigate to the Local Computer Policy snap-in. This is normally under Start -> Programs -> Administrative Tools.
- Navigate down the tree, through Security Settings, to Account Policies.
- Click Password Policy.
- Enable the Passwords Must Meet Complexity Requirements setting.
- Change the Minimum Password Length to 8 characters.
- Change the Maximum Password Age setting to 90 days.
Account Lockout Policies
An old-fashioned method for gaining unauthorized access to a system is to attempt authentication repeatedly using a known username (or one guessed from the organization's naming conventions) with a different password on each attempt. Windows can thwart this attack using an account lockout policy, which disables an account for a specified period of time after a certain number of unsuccessful logon attempts.
To set the account lockout policy, do the following:
- Open the Microsoft Management Console and navigate to the Local Computer Policy snap-in. This is normally under Start -> Programs -> Administrative Tools.
- Navigate down the tree, through Security Settings, to Account Policies.
- Click Account Lockout Policy.
- Set the Account Lockout Threshold to 3 for the maximum number of bad login attempts.
- Set both the Account Lockout Duration and Reset Account Lockout After options to 15 minutes.
Local Options
In addition to securing local accounts, the newer Windows platforms give you the ability to lock down certain rights and configurations on the local computer, beyond any domain security policy that might be configured. Several of the options available do little to thwart attacks, so in this section I’ve covered the seven most effective changes you can make to your local security policy.
NOTE You can enable all of the hardening suggestions in this section in the Security Options section of the Microsoft Management Console’s Local Computer Policy snap-in. You can find this snap-in normally by selecting Start -> Programs -> Administrative Tools. To get to the appropriate section, navigate the snap-in tree by selecting Computer Configuration -> Windows Settings -> Security Settings -> Local Policies. Then click Security Options, and the different configuration switches will appear in the right-hand pane.
The instructions in this section assume that you’ve already loaded the snap-in and navigated to the appropriate section.
Anonymous Access
Windows allows access by an anonymous user to many shares and files through the use of a null user account; this is a security hazard, of course. You can still enable anonymous access to files and directories by explicitly granting rights to the ANONYMOUS USER account inside the appropriate access control list (ACL). The setting described next merely disables anonymous access by default, so you know exactly where connections are being made.
To fix this hazard, set the Additional Restrictions for Anonymous Connections selection to No Access Without Explicit Anonymous Permissions.
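The same password, lockout and anonymous-access settings can be applied without clicking through the snap-in by putting them in a security template and importing it with secedit. The template below is an added example, not from the book; the file names hardening.inf, hardening.sdb and hardening.log are assumptions, and the RestrictAnonymous value 2 is the registry form of the "No Access Without Explicit Anonymous Permissions" selection.

```ini
; hardening.inf (assumed file name): security template encoding the
; recommendations from this section. Apply with:
;   secedit /configure /db hardening.sdb /cfg hardening.inf /log hardening.log /areas SECURITYPOLICY
; Check an existing machine against it without changing anything:
;   secedit /analyze /db hardening.sdb /cfg hardening.inf /log hardening.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Password Policy
MinimumPasswordLength = 8
PasswordComplexity = 1
MaximumPasswordAge = 90

; Account Lockout Policy (minutes). ResetLockoutCount must not exceed
; LockoutDuration, so both are set to 15 as recommended above.
LockoutBadCount = 3
LockoutDuration = 15
ResetLockoutCount = 15

[Registry Values]
; Additional Restrictions for Anonymous Connections:
; 4 = REG_DWORD, 2 = No Access Without Explicit Anonymous Permissions
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
```

After the import, refresh the Local Computer Policy snap-in and the Account Policies and Security Options panes should show the new values; hardening.log records any setting secedit could not apply.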
This chapter is from Hardening Windows, by Jonathan Hassell (Apress, 2004, ISBN: 1-59059-266-2). Check it out at your favorite bookstore today.