Learn how to secure key Win2K areas

Whether you're looking for stronger security or greater reliability, you might be considering upgrading your Windows NT 4.0 servers to Windows 2000. The good news is that Win2K is inherently more secure than NT—but that doesn't mean you can simply deploy Win2K and expect to have a completely secure system. Keeping on top of your system security is as important in Win2K as it is in NT. However, in Win2K, you have much less up-front security work to do, and as long as you have a plan, good security is within your reach.

In this multipart series about security considerations for migrating from NT to Win2K, you'll discover the most important concerns to keep in mind during migration. In the first installment, you'll learn about the steps you take to initially configure Win2K: Patch the system, disable services, and enable basic security policies. In future installments, you'll learn about new features, such as Encrypted File System (EFS), Active Directory (AD), and IP Security (IPSec), and you'll learn how to approach and implement security with these new features.

Patch the System
The first task you perform after you install Win2K is to apply service packs and hotfixes. Shortly after Win2K's release, Microsoft released Service Pack 1 (SP1) for Win2K. SP1 fixes many security concerns, and you should install SP1 immediately after you install Win2K, before you do any system configuration. After installing SP1, consider installing the 20 or 30 hotfixes Microsoft has released since SP1. You might not need every hotfix, but reviewing them all to determine whether they apply to your installation is a good idea. The Web-exclusive sidebar "Where to Find Service Pack 1 and Hotfixes" gives you a few good starting points for finding SP1 and the hotfixes Microsoft has released since SP1.

Disable Services
After you patch your system, you need to disable any services you're not using. Disabling unused services is a general rule of securing NT and Win2K systems and, like closing ports, can go a long way toward securing your system. The top three services that you can typically disable with no repercussions are

  • Telnet—Attackers can use this service's remote command-line access to run commands.
  • Simple TCP/IP service—You typically need this service only when you have UNIX systems on your network.
  • Remote Registry service—Attackers can use this service to fingerprint your system.

The top three services that I recommend disabling unless you need them are

  • Microsoft IIS—Also disable its related services, such as FTP and Web hosting.
  • TCP/IP NetBIOS Helper Service—NetBIOS support has been a concern previously because of several security vulnerabilities. Although the Win2K implementation has few reported problems, if you don't need the TCP/IP NetBIOS Helper Service, don't take the risk of leaving it enabled for intruders to exploit.
  • Internet Authentication Service (IAS)—Although no known IAS vulnerabilities exist, if you don't have VPN access, enabling this service is pointless.

Many other services are good candidates for disabling. Take the time to review services and disable any that you're not using. For more information about services you can disable, see Randy Franklin Smith's Windows IT Security articles "Dangerous Services, Part 1," InstantDoc ID 16301, "Dangerous Services, Part 2," InstantDoc ID 16363, and "Dangerous Services, Part 3," InstantDoc ID 16476 at http://www.WindowsITsecurity.com. An added benefit of disabling unused services could be a minor increase in performance and faster boot times. Because Win2K includes Win2K Server Terminal Services, which was previously available only in a separate version of NT, you might want to look at this service in detail and decide whether you want to use it. The Web-exclusive sidebar "Terminal Services: Friend and Foe" discusses this service and the security considerations involved in using it.

Enable Basic Security Policies
The topic of AD configuration and security is too big for me to cover in this article. (For more information about AD, see "Related Articles." Also, a future installment in this series will cover AD.) Let's look at how you can increase Win2K security when you don't have AD installed. In NT, you enable auditing and security features in User Manager or in the individual user account settings. In Win2K, you use the Microsoft Management Console (MMC) Local Security Settings snap-in to configure auditing and security features. To open the Local Security Settings snap-in, click Start, Programs, Administrative Tools, Local Security Policy. With this tool, you can control many security settings, some for general security, some for Kerberos security, and some for AD security. Let's cover the few general security features you can set up quickly and without AD installed. In the left pane of the Local Security Settings window, which Figure 1 shows, you see four basic groups: Account Policies, Local Policies, Public Key Policies, and IP Security Policies. I discuss only Account Policies and Local Policies here because the other policies are dependent on Kerberos and IPSec, which are beyond the scope of this article and which I plan to cover later in this series.

Click the plus sign next to the Account Policies folder to see the Password Policy folder and the Account Lockout Policy folder. Click each folder to see its options, many of which are probably familiar to you from NT. Options for password age and account lockouts are old standbys, but a new option is password complexity. To configure an option, double-click it to open a dialog box. Some options might not let you change the settings because of dependency on another security feature, such as IPSec. In the Password Policy folder, settings to consider enabling immediately include

  • Enforce password history. Enabling this setting forces users to choose unique passwords.
  • Minimum Password Length. If you use NT LAN Manager (NTLM) authentication, limit passwords to seven characters. Because of the way NTLM hashes passwords, seven-character passwords are harder to crack than eight-character passwords. If you have no legacy or non-Windows clients (e.g., Windows 9x, Windows 3.x, DOS, OS/2) in your organization, disable NTLM authentication. For more information about NTLM, see Jan De Clercq, "NT Gatekeeper," March 2001.
  • Passwords must meet complexity requirements. Enabling this setting forces users to choose passwords that contain characters from at least three of the following categories: A-Z, a-z, 0-9, and nonalphanumeric characters (e.g., !, $, #, %).

For more information about protecting passwords, see Randy Franklin Smith's Windows 2000 Magazine articles "Protect Your Passwords," October 1998 and "Win2K Password Protection," Winter 2000.

Set the options in the Account Lockout Policy folder with care. When lockout is enabled, attackers running brute-force password cracking software, such as NetBIOS Auditing Tool (NAT), can lock out many of the accounts on a target and effectively create a Denial of Service (DoS) attack.

In the Local Policies folder, click Audit Policy. Here you can set the auditing features you want to track. Setting the auditing options in Win2K is similar to the way you set them in NT. Simply double-click the item and select Success, Failure, or both to have Win2K start to audit that event or resource.

In the User Rights Assignment folder, you can set policy on various administrative and system-related events and resources, including network access, system shutdown, device driver management, and more. To set these options, double-click the item and add or remove users from the settings window.

The last folder I discuss here is Security Options, which contains many security options that, in NT, you couldn't set without changing a key in the registry or using an aftermarket software package. For example, Figure 1 shows the Additional restrictions for anonymous connections dialog box. In NT, you manipulate these options only in the registry. I recommend the following settings for some of the key options in the Security Options folder:

  • Disable Allow system to be shut down without having to log on (good for physical security).
  • Enable Do not display last user name in logon screen (good for physical security).
  • Enable Rename administrator account (good for hiding the administrator account from attacks).
  • Double-click Additional restrictions for anonymous connections, then select Do not allow enumeration of SAM accounts and shares from the drop-down list. This option, which Figure 1 shows, can minimize an intruder's ability to use active anonymous FTP, Web, or Telnet services to fingerprint the server.
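The Password Policy and Security Options recommendations above can be checked offline against a security template exported from the server. The following is an added example, not code from the original article: the template key names and registry paths are assumptions based on the Windows security-template (.inf) layout, the sample template is constructed, and the "greater than zero" tests only confirm that a setting is enabled.

```python
import configparser

# Constructed sample in the security-template (.inf) layout;
# not an export from a real server. Key names and paths are assumptions.
SAMPLE_TEMPLATE = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 0
PasswordHistorySize = 6
NewAdministratorName = "Administrator"
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
"""

# (section, key, test the value must pass, policy name used in the article)
CHECKS = [
    ("System Access", "PasswordHistorySize", lambda v: int(v) > 0, "Enforce password history"),
    ("System Access", "MinimumPasswordLength", lambda v: int(v) > 0, "Minimum Password Length"),
    ("System Access", "PasswordComplexity", lambda v: int(v) == 1, "Passwords must meet complexity requirements"),
    ("System Access", "NewAdministratorName", lambda v: v.lower() != "administrator", "Rename administrator account"),
    ("Registry Values", "RestrictAnonymous", lambda v: int(v) >= 1, "Additional restrictions for anonymous connections"),
    ("Registry Values", "DontDisplayLastUserName", lambda v: int(v) == 1, "Do not display last user name in logon screen"),
    ("Registry Values", "ShutdownWithoutLogon", lambda v: int(v) == 0, "Allow system to be shut down without having to log on"),
]

def parse_template(text):
    """Return {(section, key): value}; registry entries are 'type,value' pairs."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep the original key case
    cp.read_string(text)
    settings = {}
    for section in cp.sections():
        for key, raw in cp.items(section):
            value = raw.strip()
            if section == "Registry Values":
                key = key.rsplit("\\", 1)[-1]       # last path component
                value = value.split(",", 1)[-1]     # drop the type prefix
            settings[(section, key)] = value.strip().strip('"')
    return settings

def audit(text):
    """List (policy, current value) for every setting that misses the recommendation."""
    settings = parse_template(text)
    findings = []
    for section, key, passes, policy in CHECKS:
        value = settings.get((section, key))
        if value is None:
            findings.append((policy, "not defined"))
        elif not passes(value):
            findings.append((policy, value))
    return findings
```

A setting that is absent from the template is reported as "not defined" rather than silently passed, because an unset policy falls back to the system default.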

The options I've outlined are only a few that you should consider. I recommend putting time and effort into studying each policy and deciding whether it will help or hamper your system's security or users' access to your system.

Onward and Upward
As you've seen here, Microsoft has taken some large leaps forward in Win2K and has provided better security features. However, if you don't use these features, they won't do you any good. A good security plan is a must. Before you migrate from NT to Win2K, review Win2K's available security features, decide which ones will be useful or necessary for your scenario, and include them in your plan. Join me in the next installment of this series, when I'll delve into the backbone of Win2K security, AD.

Related Articles in Previous Issues
Windows 2000 Magazine Network
You can obtain the following articles from the Windows 2000 Magazine Web site at http://www.win2000mag.com.

Forefront, "Preparing for Active Directory," January 2000, InstantDoc ID 7761
Tricks & Traps, "The ADSI Edit Utility," March 2001, InstantDoc ID 19626
"DM/ActiveRoles 2.0," February 2001, InstantDoc ID 16447
"Windows 2000, One Year Later," February 2001 Web Exclusive, InstantDoc ID 20037
Scripting Solutions, "Easy Active Directory Scripting for Systems Administrators, Part 2," November 2000, InstantDoc ID 15734
Scripting Solutions, "Easy Active Directory Scripting for Systems Administrators, Part 1," September 2000, InstantDoc ID 9168

FAQ Windows NT/2000
"What Is Active Directory?"