Network Security

AERAsec

Some hints for securing Microsoft Windows NT and Windows 2000 for use in the Internet and Intranet:
This information is provided 'as is', with no warranty at all. Before applying these hints to a production system, please test them in your test lab!

  • First Rules:
    • Each administrator should know exactly which services are active on the system, and why. Only then does the administrator know which vulnerabilities might affect this system.
      Only the services really needed for the operation of the system should be active. Each needless service might result in a vulnerability or a security risk. The active services should be documented, as well as their configuration.
      A starting rule should be:
      Everything not explicitly allowed is forbidden!
      Only this approach makes sure that no prohibition is forgotten when configuring the system. With this approach the administrator is on the 'safe side'. It's much better when internal users can't use a service than when attackers (and the whole Internet) know that the administrator has forgotten to forbid a specific service.
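
An added example (not part of the original page) of applying the 'everything not explicitly allowed is forbidden' rule to services: saved `net start` output is compared against a documented baseline on an admin workstation. The sample output, the `DOCUMENTED` baseline and the function names are constructed for illustration.

```python
"""Added example: compare running services against a documented allowlist."""

# Constructed sample of `net start` output, saved from the audited host.
NET_START_OUTPUT = """\
These Windows services are started:

   Event Log
   IIS Admin Service
   Messenger
   Plug and Play
   World Wide Web Publishing Service

The command completed successfully.
"""

# Hypothetical documented baseline: service name -> why it is needed.
DOCUMENTED = {
    "Event Log": "audit trail, required",
    "Plug and Play": "required by the OS",
    "IIS Admin Service": "",  # listed, but nobody wrote down why
    "World Wide Web Publishing Service": "public web site",
    "Task Scheduler": "nightly log export",
}


def parse_net_start(text):
    """Return the set of service display names listed by `net start`."""
    services = set()
    for line in text.splitlines():
        # Service names are the indented lines; header and footer start at column 0.
        if line.startswith(" ") and line.strip():
            services.add(line.strip())
    return services


def audit(running, documented):
    """Default deny: anything running that is not documented is a finding."""
    known = {name.lower(): name for name in documented}
    active = {name.lower(): name for name in running}
    return {
        "undocumented": sorted(active[k] for k in active.keys() - known.keys()),
        "no_reason": sorted(n for n, why in documented.items()
                            if n.lower() in active and not why.strip()),
        "not_running": sorted(known[k] for k in known.keys() - active.keys()),
    }


if __name__ == "__main__":
    report = audit(parse_net_start(NET_START_OUTPUT), DOCUMENTED)
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or '-'}")
```
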
  • Keep your system up to date
    • Naturally, the latest Service Packs for Microsoft Windows should be installed. But even if the latest one is installed, there is no guarantee that the system is technically safe against attacks. Since the publishing date of a Service Pack, some (or many) Hotfixes have been published, and these Hotfixes should also be installed. Hotfixes for the US version of Microsoft Windows are sometimes published quite soon after a vulnerability is detected. Hotfixes for country-specific versions (e.g. Germany) sometimes take longer, so it's recommended to use only the US version on servers. This is especially true when IIS is used on the Internet. There is hardly a month without a patch or Hotfix for this server.

      This Service Pack is the latest for Microsoft Windows NT 4:

      When using Microsoft Windows 2000 you should have installed these Service Packs:

      • Windows 2000 Service Pack 4
        (Please don't forget to read the EULA (End User License Agreement) carefully. There were some discussions about the latest version of the EULA.)
      • After having this Service Pack installed, please use the function "Windows Update" to get the latest Hotfixes.

      A more detailed (and recommended) search for Hotfixes and Patches is possible here: Microsoft/Downloads/Search

  • Rename the Account of the Administrator

    • In Microsoft Windows, user accounts are protected against 'password guessing' since they can be locked after a number of authentication failures. This is not true for the account 'Administrator'. Usually, it can't be deleted, disabled or locked due to authentication failures. So this account, being active on all systems, can't be secured against brute force attacks (e.g. guessing passwords from a dictionary).
      So it's recommended to rename this account: an attacker then needs not only the password (e.g. 8Hkm§kH&Vr!), but also the name of the account with administrative rights. To rename this account, you can use the User Manager (User > Rename).
      When using the Resource Kit for Microsoft Windows, it's also possible to lock the Administrator's account if there are too many authentication failures. But in this case, the Administrator can log in from the console only.
  • Delete all accounts that are not necessary

    • Due to the problems with passwords mentioned above, every account which isn't necessary might result in a security risk. This is especially important for systems in a public network like the Internet. In this case, no account other than the administrative account should be configured, not even the account 'GUEST'. This account is usually configured during the default installation, just like the administrative account.
  • Use the NTFS File system and not FAT

    • Besides file sharing, which is also possible with FAT, NTFS makes it possible to configure ACLs (Access Control Lists). Using these ACLs, individual rights for Read, Write and Access can be configured, as is also possible in Unix. These rights can be defined for each file or directory. So it's possible to deny even read access to a file.
      If you have used FAT until now, you can convert it to NTFS. But be sure to make a complete backup first.
      It's important to know that you must not rely on this protection alone: there are boot media that make access to the file system possible. This even works by booting DOS and using a 'special' tool.
  • Configure different NTFS partitions on your hard disk

    • For security reasons, the system files of Windows NT/2k should not be on the same partition as your data or the files being published on a Web server. The same applies to data offered via FTP and to the CGI scripts of your Web server.
      If, against all odds, an attacker has compromised the system, it's quite easy for him to access all data on the same partition. Moving on to another partition or hard disk is a little more difficult.
  • Use pure TCP/IP network and turn off NetBIOS, if possible

    • The use of NetBIOS, also over TCP/IP, might be dangerous, especially if your system is connected to the Internet. If you aren't using a Firewall, all services of this system are accessible remotely, maybe even from the whole Internet. So, if you have to use TCP/IP as well as NetBIOS, be sure to use a Firewall to filter at least the ports 137/udp, 138/udp, 139/tcp, and 445/tcp. Additionally, the internal TCP/IP network should be hidden behind a Proxy.
      If you don't really need NetBIOS, you should remove this service completely from the system. Besides deleting the services concerned, you should also remove the WINS client and the TCP/IP NetBIOS Helper. Don't be worried if you select 'Control Panel - Network' and the computer tells you that there is no network installed: this refers to NetBIOS only. If you select 'no' when you're asked whether a network should be installed, you will be able to configure TCP/IP.
  • If possible, avoid offering an FTP server

    • An FTP server might be a security risk for your system. With a default installation, the greeting shown to a user gives information about the system and the software used. So known attacks (which are maybe not known to you) can be started, resulting in a system compromise. Many FTP servers also don't restrict the number of login failures, so an attacker might test passwords as long as he or she likes. If a correct password is found, the system is open to the attacker, with all consequences.
      If you really need to offer an FTP server on a system, it should be configured on a dedicated partition of the hard disk. In the root directory of the FTP server, no user should have the right to write anything. The best solution is to have a separate machine for the FTP server, which is not directly connected to the internal network.
  • Don't use your Web server as Fileserver

    • Running a Web server might involve some security risks. If a system acting as both a Web server and a Fileserver is compromised, not only the (public) data of the Web server, but also internal data might become public. A machine with a public Web server should be run in a public network which is separated from the internal network by a Firewall or at least a Router with packet filters.
  • Turn off the mapping for .bat and .cmd files and don't use them in CGI scripts

    • This is quite important, especially when using IIS. Security risks are published for this software again and again. Malicious code even exploits these vulnerabilities.
  • Remove potentially dangerous programs, e.g. rasdial.exe, telnet.exe, ftp.exe

    • Every service offered might result in security problems. Even if the system is safe today, newly detected vulnerabilities might affect it. Such a vulnerability might be detected minutes from now. So only the really necessary services should be offered, and the administrator should follow security-related discussions on the Internet.
  • Never ever install example programs on a production system

    • Several examples, sometimes installed automatically, contain vulnerabilities which can be used to compromise the system. An example of this is IIS: if the ASP examples are installed, an attacker might leave the public area of the Web server and gain read access to all data on the machine.
  • Keep an eye on your system

    • With extensive logging, the administrator can document all relevant events on the system. The logs should be checked on a regular basis. Attackers often try to modify logs to obscure their actions, so it's recommended to back up the logs quite often. Since attackers may change the system's data and the logs, the logs shouldn't be kept on the original system.
  • Don't rely on the 'truth' that attacks come from the Internet only

    • Exploits are published on the Internet. On the Internet, but also in book stores, tools can be found to use them quite easily, even for dummies. The number of 'interested employees' who don't know what they are doing when using these tools must not be neglected. So systems in the Intranet should be as safe as possible, too. As an administrator, use these tools yourself and attack your own systems, and fix the vulnerabilities found. You should do this before a colleague or even an attacker from the Internet does it! If you want, our experts will help you.
  • Hardening Windows 2000 Terminal Services

    • Microsoft has published a document describing how to harden Microsoft Windows Terminal Services.
    We are looking forward to your comments, additions and your opinion, thanks a lot.