Some hints for securing Microsoft Windows NT and Windows 2000
for use in the Internet and Intranet:
This information is provided 'as is' - no warranty at all.
Before applying these hints to a production system, please test them in your test lab!
First Rules:
Each administrator should know exactly which
services are active on his system - and why.
Then at least the administrator knows which services are active and which vulnerabilities
might affect this system.
Only the services really needed for the operation of the system should be active.
Each needless service is a potential vulnerability or security risk.
The active services should be documented together with their configuration.
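One way to keep such an inventory is to record the running services once on a freshly hardened machine and compare the live system against that record later. The following script is an added example and not part of the original page; it assumes a current Windows PowerShell (3.0 or later, for Get-CimInstance) and uses the hypothetical baseline path C:\Admin\services-baseline.csv. On NT 4 / 2000 the same information comes from the Services control panel and "net start".

```powershell
# Added example: inventory active services, save a baseline, and report drift.
# Assumptions: PowerShell 3+, run as an administrator, baseline path is hypothetical.
$BaselinePath = 'C:\Admin\services-baseline.csv'

function Get-RunningServiceInventory {
    # PathName and StartName (the account the service runs as) belong in the documentation,
    # not just the service name: a hijacked binary path is a classic persistence trick.
    Get-CimInstance -ClassName Win32_Service |
        Where-Object { $_.State -eq 'Running' } |
        Select-Object Name, DisplayName, StartMode, StartName, PathName |
        Sort-Object Name
}

function Export-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    Get-RunningServiceInventory | Export-Csv -Path $Path -NoTypeInformation
}

function Compare-ServiceBaseline {
    param([string]$Path = $BaselinePath)
    $baseline = Import-Csv -Path $Path
    $current  = Get-RunningServiceInventory

    # Services running now that were never documented.
    $undocumented = Compare-Object -ReferenceObject $baseline -DifferenceObject $current -Property Name |
        Where-Object { $_.SideIndicator -eq '=>' }

    # Documented services whose binary path or account changed since the baseline.
    $changed = foreach ($svc in $current) {
        $doc = $baseline | Where-Object { $_.Name -eq $svc.Name }
        if ($doc -and ($doc.PathName -ne $svc.PathName -or $doc.StartName -ne $svc.StartName)) { $svc }
    }

    [PSCustomObject]@{
        Undocumented = @($undocumented.Name)
        Changed      = @($changed.Name)
    }
}

function Disable-NeedlessService {
    # Stop and disable services that the documentation does not justify.
    param([Parameter(Mandatory)][string[]]$Name)
    foreach ($n in $Name) {
        Stop-Service -Name $n -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $n -StartupType Disabled
    }
}

# Typical use: once after hardening, then periodically.
# Export-ServiceBaseline
# Compare-ServiceBaseline
# Disable-NeedlessService -Name 'Messenger', 'Alerter'   # constructed examples of NT-era services
```

Run Compare-ServiceBaseline from a scheduled task and treat a non-empty Undocumented or Changed list as an incident to investigate, not as something to silently re-baseline.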
Keep your system up to date
Naturally, the latest Service Pack for Microsoft Windows should be installed.
But even when it is installed, there is no guarantee that the system is safe against
attacks: since the publishing date of a Service Pack, some
(or many) Hotfixes have been published - and these Hotfixes should be installed as well.
Hotfixes are often published for the US version of Microsoft Windows quite soon
after a vulnerability is discovered, while the Hotfixes for localized versions (e.g. German)
sometimes take longer, so it is
recommended to use the US version only on servers.
This is especially true when IIS is exposed to the Internet. There is hardly a month
without a Patch or Hotfix for this server.
The latest Service Pack for Microsoft Windows NT 4 is:
When using Microsoft Windows 2000 you should have installed this Service Pack:
- Windows 2000 Service Pack 4
(Please don't forget to read the EULA (End User License Agreement) carefully;
there was some discussion about the latest version of the EULA.)
- After installing this Service Pack, use the "Windows Update" function to
get the latest Hotfixes.
A more detailed (and recommended) search for Hotfixes and Patches is possible here:
Microsoft/Downloads/Search
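A quick way to see whether a server is falling behind is to read the OS version, Service Pack string and hotfix history from the system itself and compare it with the list your own patch documentation requires. The script below is an added example, not taken from the page; it assumes Windows Vista / Server 2008 or later (Get-HotFix, Win32_OperatingSystem.MUILanguages), and the KB numbers in the required list are constructed placeholders.

```powershell
# Added example: report the patch state of the local machine.
# Assumptions: Vista / Server 2008 or later; KB numbers below are placeholders.
function Get-PatchState {
    param([int]$MaxAgeDays = 30)   # warn if no hotfix was installed within this window
    $os    = Get-CimInstance -ClassName Win32_OperatingSystem
    $fixes = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn
    $last  = $fixes | Select-Object -Last 1
    [PSCustomObject]@{
        Product        = $os.Caption
        Version        = $os.Version
        ServicePack    = $os.CSDVersion             # e.g. 'Service Pack 4' on Windows 2000; empty on current releases
        Language       = ($os.MUILanguages -join ',')  # the page recommends the US version on servers
        HotfixCount    = $fixes.Count
        LastHotfix     = $last.HotFixID
        LastHotfixDate = $last.InstalledOn
        # No hotfix at all, or the newest one older than the window: treat as stale.
        Stale          = ((-not $last) -or ($last.InstalledOn -lt (Get-Date).AddDays(-$MaxAgeDays)))
    }
}

function Test-RequiredHotfixes {
    # Returns the KB numbers from your documentation that are NOT installed.
    param([string[]]$Required = @('KB5000000', 'KB5000001'))   # constructed placeholder list
    $installed = (Get-HotFix).HotFixID
    $Required | Where-Object { $_ -notin $installed }
}

# Get-PatchState
# Test-RequiredHotfixes -Required @('KB5000000')
```

Get-HotFix only lists updates recorded by the Windows installer; keep a written list of what a system must have so that an empty result from Test-RequiredHotfixes is meaningful.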
Rename the Account of the Administrator
In Microsoft Windows, user accounts are protected against
'password guessing' because they can be locked out after a number of authentication failures.
This is not true for the built-in account 'Administrator'.
By default it can't be deleted, disabled or locked out due to authentication failures.
So this account, which exists on every system, can't be protected against brute-force attacks
(e.g. guessing passwords from a dictionary).
It is therefore recommended to rename this account: an attacker then doesn't only need the
password (e.g. 8Hkm§kH&Vr!), but also the name of the account with administrative rights.
Keep in mind that the built-in account keeps its well-known relative identifier (RID 500) whatever its name,
so an attacker who can enumerate accounts by SID will still find it; renaming raises the effort, it doesn't remove the risk.
To rename this account, you can use the User Manager (User > Rename).
With the passprop tool from the Resource Kit for Microsoft Windows NT (passprop /adminlockout) it's also possible to lock out
the Administrator account after too many authentication failures.
The lockout then applies to network logons only: the Administrator can still log on at the console.
Delete all accounts that are not necessary
Because of the password problems mentioned above, every account that isn't necessary
is a security risk. This is especially important for systems
in a public network like the Internet. In that case, no account other than the administrative
one should exist - not even the account 'Guest'.
This account is created during the default installation, just like the
administrative account; since it cannot be deleted, it must at least be disabled.
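The two preceding sections (renaming the administrative account, removing or disabling every other account) can be done in one pass. The script below is an added example, not the page's own procedure; it assumes Windows 10 / Server 2016 or later with the Microsoft.PowerShell.LocalAccounts module and runs as an administrator. The new account name 'svc-maint' is a hypothetical value. On NT 4 / 2000 the equivalents are User Manager, "net user" and the Resource Kit's passprop.

```powershell
# Added example: rename the built-in Administrator, disable Guest, list what else is enabled,
# and set a lockout policy for the remaining accounts.
# Assumptions: Windows 10 / Server 2016+, LocalAccounts module, administrative shell.

function Get-BuiltinAdministrator {
    # The built-in account keeps RID 500 whatever it is called, so locate it by SID, not by name.
    # (This is also why renaming is obfuscation rather than protection.)
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
}

function Get-BuiltinGuest {
    Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
}

function Invoke-AccountHardening {
    param(
        [Parameter(Mandatory)][string]$NewAdminName,   # hypothetical, e.g. 'svc-maint'
        [string[]]$Keep = @()                           # accounts that are documented and must stay
    )
    $admin = Get-BuiltinAdministrator
    if ($admin.Name -ne $NewAdminName) {
        Rename-LocalUser -Name $admin.Name -NewName $NewAdminName
    }

    # Guest cannot be deleted; on an Internet-facing host it must be disabled.
    $guest = Get-BuiltinGuest
    if ($guest -and $guest.Enabled) { Disable-LocalUser -Name $guest.Name }

    # Everything else that is still enabled and not on the Keep list needs a justification
    # or should be removed (Remove-LocalUser). Returned for review rather than deleted blindly.
    Get-LocalUser |
        Where-Object {
            $_.Enabled -and
            $_.Name -ne $NewAdminName -and
            $_.Name -notin $Keep -and
            $_.SID -ne $guest.SID
        } |
        Select-Object Name, LastLogon, PasswordLastSet
}

function Set-LockoutPolicy {
    # 5 failures lock the account for 30 minutes; the failure counter resets after 30 minutes.
    # The built-in Administrator is exempt from this unless passprop /adminlockout was applied.
    net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
}

# Invoke-AccountHardening -NewAdminName 'svc-maint' -Keep @('backupsvc')   # 'backupsvc' is a constructed example
# Set-LockoutPolicy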
Use the NTFS File system and not FAT
Besides file sharing, which is possible with FAT as well, NTFS provides
the possibility to configure ACLs (Access Control Lists).
Using these ACLs, individual rights for Read, Write and Execute can be configured, as
in Unix.
These rights can be defined for each file or directory, so it's possible to
deny even reading a file.
If you still deploy FAT, you can convert it to NTFS (convert D: /FS:NTFS). But be sure to make
a complete backup first.
It's important to know that you must not rely on this protection alone:
with a boot medium (for example DOS plus an NTFS driver) anyone with physical access
can read the file system regardless of its ACLs. NTFS permissions protect against
other users of the running system, not against someone who controls the hardware.
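The default ACL on an NT volume is "Everyone: Full Control", so simply being on NTFS buys nothing until the ACLs are actually tightened. The script below is an added example, not from the page; it assumes a current Windows PowerShell and an administrative shell. The directory D:\wwwroot and the reader account are hypothetical (on IIS 5 the anonymous account is IUSR_<hostname>).

```powershell
# Added example: replace the default ACL on a published directory with an explicit one,
# then audit a tree for entries that still let Everyone / Users write.
# Assumptions: Windows PowerShell, run as an administrator; paths and accounts are hypothetical.

function Set-PublishedDirectoryAcl {
    param(
        [Parameter(Mandatory)][string]$Path,            # e.g. 'D:\wwwroot'
        [Parameter(Mandatory)][string]$ReaderAccount    # e.g. 'IUSR_WEB01' (IIS 5) or 'IUSR'
    )
    $acl = Get-Acl -Path $Path
    # Break inheritance from the parent and do not copy the inherited entries.
    $acl.SetAccessRuleProtection($true, $false)
    # Drop whatever explicit entries are there ("Everyone: Full Control" on an old volume).
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($rule) }

    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    $allow   = [System.Security.AccessControl.AccessControlType]::Allow

    # Administrators and SYSTEM manage the content; the web server's account may only read and execute.
    $entries = @(
        @{ Id = 'BUILTIN\Administrators'; Rights = 'FullControl' },
        @{ Id = 'NT AUTHORITY\SYSTEM';    Rights = 'FullControl' },
        @{ Id = $ReaderAccount;           Rights = 'ReadAndExecute' }
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($e.Id, $e.Rights, $inherit, $prop, $allow)
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

function Test-WorldWritable {
    # Lists files and directories under $Path that the broad groups may write to.
    param([Parameter(Mandatory)][string]$Path)
    $broad = @('Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users')
    $write = [int][System.Security.AccessControl.FileSystemRights]::Write   # WriteData|AppendData|WriteEA|WriteAttributes
    Get-ChildItem -Path $Path -Recurse -Force | ForEach-Object {
        $item = $_
        (Get-Acl -Path $item.FullName).Access |
            Where-Object {
                $_.AccessControlType -eq 'Allow' -and
                $_.IdentityReference.Value -in $broad -and
                (([int]$_.FileSystemRights -band $write) -ne 0)
            } |
            ForEach-Object { $item.FullName }
    } | Sort-Object -Unique
}

# Set-PublishedDirectoryAcl -Path 'D:\wwwroot' -ReaderAccount 'IUSR_WEB01'
# Test-WorldWritable -Path 'D:\wwwroot'      # should return nothing afterwards
```

Run Test-WorldWritable before and after: a CGI directory or upload folder that still shows up is exactly the place an attacker will use to drop a file.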
Configure different NTFS partions on your harddisk
For security reasons, the system files of Windows NT/2000 should
not be on the same partition as your data or as the files published by
a web server. The same applies to data offered via FTP and to the
CGI scripts of your web server.
If, against all odds, an attacker has compromised a service, it's quite
easy for him to access all data on the same partition (e.g. through a directory-traversal
flaw in that service). Reaching another partition or hard disk is at least a little harder.
Use pure TCP/IP network and turn off NetBIOS, if possible
The use of NetBIOS, also over TCP/IP, might be dangerous - especially if your
system is connected to the Internet.
If you aren't using a firewall, all services of this system are accessible from
remote, maybe from the whole Internet.
So if you have to use TCP/IP as well as NetBIOS, be sure to use a firewall
that filters at least the ports 137/udp, 138/udp, 139/tcp and 445/tcp
(445/tcp is used by Windows 2000 for SMB directly over TCP, without NetBIOS).
Additionally, the internal TCP/IP network should be hidden behind a proxy.
If you don't really need NetBIOS you should remove this service completely from the system.
Besides deleting the services concerned, you should also remove the WINS client and
the TCP/IP NetBIOS Helper.
Don't worry if you select 'Control Panel - Network' and the computer tells you
that there is no network installed - this refers to NetBIOS only.
If you select 'No' when asked whether a network should be installed, you will still
be able to configure TCP/IP.
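On a current Windows release the same three steps (turn NetBIOS over TCP/IP off, block the four ports inbound, verify nothing is left listening) look like this. This is an added example, not the page's own procedure; it assumes Windows 8 / Server 2012 or later (NetSecurity and NetTCPIP modules) and an administrative shell. A host-based rule is a fallback only: the page's advice to filter these ports on a firewall in front of the machine still applies.

```powershell
# Added example: disable NetBIOS over TCP/IP, block 137/138/udp and 139/445/tcp inbound,
# and report what is still bound to those ports.
# Assumptions: Windows 8 / Server 2012+, run as an administrator.

function Disable-NetbiosOverTcpip {
    # TcpipNetbiosOptions: 0 = via DHCP, 1 = enabled, 2 = disabled (the WINS tab radio button).
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
        }
}

function Block-NetbiosAndSmbInbound {
    $rules = @(
        @{ Name = 'Block NetBIOS name/datagram 137,138/udp'; Protocol = 'UDP'; Port = @('137', '138') },
        @{ Name = 'Block NetBIOS session 139/tcp';           Protocol = 'TCP'; Port = @('139') },
        @{ Name = 'Block SMB direct 445/tcp';                Protocol = 'TCP'; Port = @('445') }
    )
    foreach ($r in $rules) {
        if (-not (Get-NetFirewallRule -DisplayName $r.Name -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $r.Name -Direction Inbound -Protocol $r.Protocol `
                -LocalPort $r.Port -Action Block -Profile Any | Out-Null
        }
    }
}

function Test-NetbiosExposure {
    # Anything still listening here means the packet filter is the only thing protecting it.
    $tcp = Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 139, 445 }
    $udp = Get-NetUDPEndpoint | Where-Object { $_.LocalPort -in 137, 138 }
    [PSCustomObject]@{
        TcpListening = @($tcp.LocalPort | Sort-Object -Unique)
        UdpBound     = @($udp.LocalPort | Sort-Object -Unique)
    }
}

# Disable-NetbiosOverTcpip        # may require a reboot (method returns 1 in that case)
# Block-NetbiosAndSmbInbound
# Test-NetbiosExposure
```

Expect 445/tcp to remain in TcpListening as long as the Server service is running; that is the case where the firewall rule, not the service configuration, is doing the work.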
If possible, avoid offering an FTP server
An FTP server might be a security risk for your system.
In a default installation, the greeting banner tells the user
which product and version are running, so known attacks (which may not be known to you)
can be selected and launched, possibly resulting in a system compromise.
Many FTP servers also don't restrict the number of login failures, so an attacker might
try passwords for as long as he or she likes. Once a correct password is found, the system
is open to the attacker - with all consequences. Remember also that FTP transmits
user names and passwords in clear text.
If you really need to offer an FTP server on a system, its content should be placed on a separate
partition of the hard disk. In the root directory of the FTP server no user should have
the right to write anything. The best solution is a separate machine for the FTP
server which is not directly connected to the internal network.
Don't use your Web server as Fileserver
Running a web server always involves some security risk.
If a system acting both as a web server and as a file server is compromised, not only the
(public) data of the web server but also internal data might become public.
A machine with a public web server should be run in a public network (DMZ) which is
separated from the internal network by a firewall or at least a router with packet filters.
Turn off the mapping for .bat and .cmd files and don't use them in CGI scripts
This is especially important when using IIS. For this software,
security issues are published again and again, and malicious code (worms) actively exploits them.
The .bat and .cmd script mappings hand the request to the command interpreter (cmd.exe),
which is exactly what an attacker wants to reach; without the mapping there is nothing to reach.
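The mappings live in the IIS metabase (IIS 4 to 6) and can be inspected and removed from a script instead of clicking through the MMC. The following is an added example, not from the page; it assumes the IIS ADSI provider (native on IIS 4 to 6; on IIS 7 and later it needs the "IIS 6 Metabase Compatibility" feature, and the real configuration is the handler list) and uses the first web site (IIS://localhost/W3SVC/1/ROOT) as a hypothetical target. The sample entries in the comments are illustrative.

```powershell
# Added example: list the script mappings of a web site and remove the .bat / .cmd ones.
# Assumptions: IIS ADSI (metabase) provider available, administrative shell, site path hypothetical.

function Get-ScriptMappings {
    param([string]$MetabasePath = 'IIS://localhost/W3SVC/1/ROOT')
    $node = [ADSI]$MetabasePath
    # Each entry has the form ".ext,handler path,flags[,verbs]",
    # e.g. ".asp,C:\WINNT\System32\inetsrv\asp.dll,1,GET,HEAD,POST,TRACE"
    foreach ($entry in @($node.ScriptMaps)) {
        $parts = [string]$entry -split ','
        [PSCustomObject]@{ Extension = $parts[0]; Handler = $parts[1]; Raw = [string]$entry }
    }
}

function Remove-BatchScriptMappings {
    param(
        [string]$MetabasePath = 'IIS://localhost/W3SVC/1/ROOT',
        [string[]]$Extensions = @('.bat', '.cmd')
    )
    $node = [ADSI]$MetabasePath
    $maps = @($node.ScriptMaps | ForEach-Object { [string]$_ })
    $keep = @($maps | Where-Object { ($_ -split ',')[0].ToLower() -notin $Extensions })
    $removed = @($maps | Where-Object { $_ -notin $keep })
    if ($removed.Count -gt 0) {
        $node.Put('ScriptMaps', [string[]]$keep)
        $node.SetInfo()
    }
    # Return what was removed so the change can be recorded in the system documentation.
    $removed
}

# Get-ScriptMappings | Format-Table Extension, Handler
# Remove-BatchScriptMappings
# Get-ScriptMappings | Where-Object { $_.Handler -like '*cmd.exe*' }   # should be empty afterwards
```

The last line is the check worth keeping: any remaining mapping whose handler is cmd.exe, regardless of extension, reintroduces the same problem.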
Remove potential dangerous programs, e.g. rasdial.exe, telnet.exe, ftp.exe
Every program and service present on the system might become a security problem. Even if the system is
safe today, new vulnerabilities might be detected tomorrow - or minutes later.
So only the really necessary services should be offered, the tools an attacker would use after a
break-in (dialling out with rasdial.exe, a telnet or ftp client to fetch further tools) should not be
available on the server, and the administrator should follow security-related discussions on the Internet.
Never ever install example programs on a productive system
Several example programs, sometimes installed automatically, contain vulnerabilities which
can be used to compromise the system. IIS is a case in point: if the
ASP examples are installed, an attacker might leave the public area of the
web server and gain read access to all data on the machine.
Keep an eye on your system
With extensive logging (audit policy) the administrator is able
to document all relevant events on the system.
The logs should be checked regularly. Attackers often try to modify logs to
hide their actions, so it's recommended to back up the logs frequently.
Since attackers may change the system's data as well as the logs, the backups shouldn't be
kept on the original system but forwarded to a separate log host.
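Two routine tasks follow from this section: look at failed logons (the trace that password guessing against the accounts discussed above leaves behind) and get the Security log off the machine with a checksum. The script is an added example, not the page's own; it assumes Windows Vista / Server 2008 or later (Get-WinEvent, wevtutil, Get-FileHash from PowerShell 4), an administrative shell, and a hypothetical archive share \\logserver\evtarchive$. Event 4625 is the Vista+ failed-logon event; on NT 4 / 2000 the same event is 529.

```powershell
# Added example: summarise failed logons and archive the Security log off-host with a hash.
# Assumptions: Vista / Server 2008+, administrative shell, archive share is hypothetical.

function Get-FailedLogonSummary {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Pull the named fields out of the event XML rather than parsing the message text.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [PSCustomObject]@{
                Account     = $d['TargetUserName']
                Source      = $d['IpAddress']
                Workstation = $d['WorkstationName']
            }
        } |
        Group-Object Account, Source |
        Sort-Object Count -Descending |
        Select-Object Count, Name     # Name reads "account, source address"
}

function Export-SecurityLogOffHost {
    param([Parameter(Mandatory)][string]$Destination)   # e.g. '\\logserver\evtarchive$'
    $stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
    $base  = "Security-$env:COMPUTERNAME-$stamp"
    $local = Join-Path $env:TEMP "$base.evtx"
    wevtutil epl Security $local                         # export the live log to an .evtx file
    # Hash before the copy leaves the machine; stored beside the archive it exposes later tampering.
    $hash = (Get-FileHash -Path $local -Algorithm SHA256).Hash
    Copy-Item -Path $local -Destination $Destination
    Set-Content -Path (Join-Path $Destination "$base.sha256") -Value "$hash  $base.evtx"
    Remove-Item -Path $local
    $hash
}

# Get-FailedLogonSummary -Hours 24 | Format-Table -AutoSize
# Export-SecurityLogOffHost -Destination '\\logserver\evtarchive$'
```

Logon failures only appear if failure auditing is enabled (User Manager > Policies > Audit on NT 4 / 2000; auditpol on current releases), so check the audit policy first when the summary comes back empty.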
Don't rely on the 'truth' that attacks come from the Internet only
Exploits are published on the Internet. On the Internet, but also in book stores,
tools can be found that make using them quite easy - even for dummies.
The number of 'interested employees' who don't know what they are doing when using these tools
must not be neglected. So systems in the intranet should also be as safe as possible.
As an administrator, use these tools yourself and attack your own systems - and
fix the vulnerabilities found. You should do this before a colleague or even an
attacker from the Internet does it! If you want, our experts will help you.
Hardening Windows 2000 Terminal Services
Microsoft has published a document describing how to harden Microsoft Windows Terminal Services.
We are looking forward to your comments, additions and your opinion, thanks a lot.