Windows 2000 Security - Other Security Considerations
Although the earlier sections discussed policy modifications that will harden a Windows 2000 installation, there are other facets of the operating system that do require attention. Although simply making the policy modifications takes you partially on the journey to a hardened system, it’s only a portion of the full process. This section presents some areas that deserve your consideration.
Windows Component Selection and Installation
Security is a minimalist attitude: when you harden a system, you want as few basic entry points as possible. This shortens the playing field for an intruder: she has fewer processes and fewer software products whose flaws she can exploit, and there’s less chance that you, the administrator, will configure something improperly or forget it entirely. Windows 2000 makes this a little more difficult, especially at install time, when it isn’t possible to deselect components that you would prefer not to have installed.
If I might offer a slight editorial aside, this is a serious flaw in Windows and a HUGE mistake on Microsoft’s part. It would have been bad enough if Microsoft decided that none of their operating systems should ever present the user with component installation options. But this functionality remains available in the Windows 9x line and even in Windows NT! And yet mysteriously, it isn’t present in Windows 2000 or Server 2003. It’s baffling to me why these options were removed at the point of installation. If anyone from Microsoft is reading this, please return the power of choice to me, the user!
Tightening Running Services
Continuing with the minimalist approach, you need to ensure that the only services or processes running on your system are those that (a) you know about and (b) are critical to the functioning of a particular system or resource. This seems like a simple task at first, but Microsoft has made it harder than it should be by failing to document properly which services depend on others. It is therefore foolhardy to open the Services console and simply begin turning off services at random, hoping to tighten the network through broad, sweeping motions; it just won’t work. Instead, consult the following list, which notes the bare minimum of services required to run Windows 2000:
- DNS Client
- Event Log
- File Replication (only on a domain controller)
- Kerberos Key Distribution Center (only on a domain controller)
- Logical Disk Manager
- Net Logon (only on a domain controller)
- NT LM Service Provider (only on a domain controller)
- Plug & Play
- Protected Storage
- RPC Locator (only on a domain controller)
- Security Accounts Manager
- Server (only on machines hosting resources to be shared)
- Windows Time (only on a domain controller)
- Workstation (only on machines connecting to other machines’ shared resources)
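To put this list to work, here is an added example (not from the book) that reads the output of `net start`, which lists started services by display name, and reports which running services the baseline above does not justify for the host’s roles, plus any baseline services that are not running. The service names are copied from the list; the sample `net start` output is constructed, and the role tags are my own labels for the “only on …” qualifiers.

```python
# Added example, not from the book: compare a host's running services with
# the minimal-service list above. SAMPLE_NET_START is constructed, not captured.
BASELINE = {  # service name from the list -> role that justifies it (None = always)
    "DNS Client": None,
    "Event Log": None,
    "File Replication": "dc",
    "Kerberos Key Distribution Center": "dc",
    "Logical Disk Manager": None,
    "Net Logon": "dc",
    "NT LM Service Provider": "dc",
    "Plug & Play": None,
    "Protected Storage": None,
    "RPC Locator": "dc",
    "Security Accounts Manager": None,
    "Server": "shares_resources",
    "Windows Time": "dc",
    "Workstation": "uses_shares",
}

# Constructed `net start` output for a member workstation (not a real capture).
SAMPLE_NET_START = """These Windows 2000 services are started:

   DNS Client
   Event Log
   Logical Disk Manager
   Messenger
   Plug & Play
   Protected Storage
   Security Accounts Manager
   Server
   Telnet
   Workstation

The command completed successfully.
"""

def parse_net_start(text):
    """Return the set of service names `net start` lists (the indented lines)."""
    return {ln.strip() for ln in text.splitlines() if ln.startswith("   ") and ln.strip()}

def audit_services(running, roles):
    """Classify running services for a host with the given role tags.

    Returns (extra, missing): extra are running services the baseline does not
    justify for these roles (candidates to stop after checking dependencies);
    missing are baseline services the roles require that are not running.
    """
    justified = {n for n, r in BASELINE.items() if r is None or r in roles}
    extra = sorted(running - justified)
    missing = sorted(justified - running)
    return extra, missing
```

Stopping anything in `extra` still needs the dependency check the text warns about; the audit only tells you what the baseline does not account for.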
Checkpoints
In this chapter, I’ve discussed updating your Windows 2000, XP, or .NET machine to the latest levels available and securing your system through password, account, and computer policies. Use the following quick-reference checkpoints to ensure that you’ve covered each step in the chapter appropriately.
- Update to the latest service-pack level for your platform.
- Create a “slipstreamed” distribution CD to deploy the latest service-pack update to any new OS installs.
- Use the latest hotfix file patches from Microsoft to relieve your system of vulnerabilities.
- Download and use HFNetChk to scan and inventory your network for security-patch installations.
- Set restrictions on Windows passwords. They should be at least six characters long, they shouldn’t be based on a dictionary word, and they shouldn’t last longer than 90 days.
- Configure Windows to disable or “lock out” accounts for at least 15 minutes after three unsuccessful authentication attempts.
- Disable all anonymous access except where explicitly allowed in file-system permissions.
- Disable the ability to shut down a system without first logging in to it.
- Enable automatic logoff upon logon time expiration, and set up at least one half hour each night during which no user is permitted to log on.
- Require digitally signed communications when possible, but not always.
- Require the user to press Ctrl-Alt-Del before logging on, a key sequence recognized only by the Windows operating system.
- Do not permit the username of the last user to be displayed at logon.
- Remind users to change their password automatically at least 14 days before its expiration.
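The password, lockout and logon checkpoints above correspond to settings in a Windows security template, the INF file that secedit exports from and applies to a machine. As an added example (not from the book), here is a small audit that reads such a template and lists the checkpoints it fails; the sample template is constructed, and the mapping of each checkpoint to a template key is my own.

```python
# Added example, not from the book: audit a security template of the kind
# secedit exports and applies against the chapter's checkpoints.
import configparser

# Constructed export from a host still at weak settings (not a real capture).
SAMPLE_INF = r"""[System Access]
MinimumPasswordLength = 4
MaximumPasswordAge = 180
LockoutBadCount = 0
LockoutDuration = 30
ForceLogoffWhenHourExpire = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\PasswordExpiryWarning=4,14
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

POL = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"

# (checkpoint, INF section, key, predicate on the integer setting)
CHECKS = [
    ("password at least six characters", "System Access", "MinimumPasswordLength", lambda v: v >= 6),
    ("password expires within 90 days", "System Access", "MaximumPasswordAge", lambda v: 1 <= v <= 90),
    ("lockout after at most three failures", "System Access", "LockoutBadCount", lambda v: 1 <= v <= 3),
    # a negative LockoutDuration means locked until an administrator unlocks
    ("lockout lasts at least 15 minutes", "System Access", "LockoutDuration", lambda v: v < 0 or v >= 15),
    ("forced logoff when logon hours expire", "System Access", "ForceLogoffWhenHourExpire", lambda v: v == 1),
    ("last username not displayed", "Registry Values", POL + r"\DontDisplayLastUserName", lambda v: v == 1),
    ("no shutdown without logon", "Registry Values", POL + r"\ShutdownWithoutLogon", lambda v: v == 0),
    ("Ctrl-Alt-Del required at logon", "Registry Values", POL + r"\DisableCAD", lambda v: v == 0),
    ("expiry warning at least 14 days", "Registry Values", WINLOGON + r"\PasswordExpiryWarning", lambda v: v >= 14),
    ("anonymous access restricted", "Registry Values", LSA + r"\RestrictAnonymous", lambda v: v >= 1),
]

def audit_template(text):
    """Return the checkpoints the template fails (absent key = not enforced).
    Registry values are stored as 'type,data' (4 = REG_DWORD)."""
    cp = configparser.ConfigParser(interpolation=None)  # '$' in templates
    cp.optionxform = str                                # keep key case
    cp.read_string(text)
    failures = []
    for desc, section, key, ok in CHECKS:
        raw = cp.get(section, key, fallback=None)
        if raw is None or not ok(int(raw.split(",")[-1])):
            failures.append(desc)
    return failures
```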
This chapter is from Hardening Windows, by Jonathan Hassell (Apress, 2004, ISBN: 1-59059-266-2). Check it out at your favorite bookstore today.