This document is provided to point out guidelines for maximizing security of a Windows 2000 Server installation. The information in this document is gathered from various Microsoft White Papers, Resource Kits and public FAQs. Recommendations made in this document may or may not be applicable to your particular environment.
If you run Internet Information Server, Exchange Server, or SQL Server on your Windows 2000 Server, you will want to look into specific security issues inherent in those services as they are not covered in this document.
Some of the suggested changes are applied by a Group Policy or a Registry change. Using the GPO method through START->Programs->"Administrative Tools"->Local Security Policy is preferred. If you are in a Windows 2000 domain, they can also be applied to a GPO on the Site, Domain, or OU, affecting all of the contained machines at once.
Details about the default security settings in Windows 2000 can be found in SecDefs.doc
The most basic and most important security measure for any operating system is regulating who has physical access to the machine. Software exists to read NTFS data if the drive is connected to a non-NT system (Linux or MS-DOS). It is also possible to reset the built-in administrator's password with a boot floppy. Since data and/or password lists can be extracted from them, physical security must also be provided for repair disks and any system backups.
The best physical security possible is a server room with limited access, but this is not always possible. A locked cabinet for the CPU is almost as good. Failing these, a computer case that can be locked should be used. In this case, you will also have to keep the case locked down and remove or disable booting from floppy or CD-ROM drives when you are not using them. If you choose to disable the drives in BIOS, set a configuration password.
Reminder: All Windows 2000 computers should be logged off when not in use. This goes especially for administrators and for servers where access to the keyboard isn't strictly controlled.
The standard permissions on files and shares are very secure in Windows 2000. They do not allow a standard user to make any changes to the system. Some applications may need permissions opened up. For all permission changes, assure that "SYSTEM" and "Administrators" retain enough permissions. If in doubt, grant "Full Access" to these groups.
When adding data to the machine, review your access needs. It is recommended that you use groups instead of user accounts when granting permissions. If everyone is to have access, set the permission to "Authenticated Users".
Note here that Windows 2000 uses a concept of inherited permissions instead of explicitly changing the ACL of each Directory/File to propagate a security change. In the GUI, an ACL inherited from a parent is shown greyed out. You cannot remove them without blocking inheritance. Be especially careful of this when setting permissions at a drive root.
When creating a share, you could just leave default permission of "Everyone" "Full Control", since disk ACLs are secure and the combined restrictions apply, but you should apply identical permissions to the share to prevent an unauthorized user from taking a client access license.
Windows 2000 registry permissions are very secure by default. Normal users do not have permission to change any registry settings. You may need to open up certain parts to make older programs work.
To restrict anonymous users from accessing your registry (and enumerating your account names) set:
Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
1. Do not allow enumeration of SAM accounts and shares
2. No access without explicit anonymous permissions
HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous=1 or 2
This may cause problems with some network-based services that read remote registry entries. If this occurs, first try running the service with a named domain account. If that is not possible or does not solve the problem, add "winreg" to the "NullPipeSessions" value in:
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters
NOTE: This keeps accounts hidden, but reopens the rest of your registry.
If you have a NT-style trust relationship, RestrictAnonymous will also prevent the trusting domain from retrieving the user list in permission dialog boxes. Group and User names from the trusted domain will have to be entered manually.
SMB Signing puts a digital signature on SMB messages on the network. This can prevent man-in-the-middle attacks and message DOS attacks. If you use this feature, performance will be affected (10-15% loss) and only Windows 98/NT/2000 clients will be able to connect to the Server.
Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
HKLM\System\CurrentControlSet\Services\LanManServer\Parameters
HKLM\System\CurrentControlSet\Services\LanManWorkstation\Parameters
Encryption of secure channels
Member workstations and servers communicate with their domain controllers, and domain controllers communicate with other domain controllers, using secure channels. In addition to authentication, you can encrypt and check the integrity of these communications. The default is to use signing (integrity) and sealing (encryption) if negotiated. For more information, see Q183859.
Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netlogon\parameters
NTLMv2 Security
NTLMv2 provides much better security for passwords traveling over the network than LANMAN or NTLMv1. For more information, see Q147706.
Allowed values:
Use 3 or 5 whenever possible (Requires DSClient installed on any 9x clients and Service Pack 3 on any Windows NT 4.0 clients). At this time Services for Macintosh can only support LANMAN logon, not NTLM or NTLMv2.
Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA
Kerberos is now the default authentication protocol. To use Kerberos, all machines must be Windows 2000. Some older applications that do not use the Windows NT/2000 SSPI model will fall back to NTLM.
In user privileges, you may want to set who has access to the machine from the network and who can log in interactively. This is especially true if your server participates in a domain or domain tree. Also, by default, any authenticated user can add computers to the domain. Access to these privileges can be set in:
Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\User Rights Assignment\
In Group Policy\Computer Configuration\Windows Settings\Security Settings\Account Policies\, force users to have a minimum password length. Set accounts to lock out. Make lockout permanent, if possible; otherwise password guessing only takes longer. You can also make passwords expire and/or remember old passwords for uniqueness, but changing passwords may increase the risk of users writing their passwords down where someone can find them. To enforce password complexity, you can set the complexity policy or install the SUNet Password Filter.
Also, rename your built-in "Administrator" account, if possible, and disable the built-in Guest account. You will also need to apply the registry setting for RestrictAnonymous to prevent anonymous clients from retrieving your "Administrator" account name.
Interactive users should be configured in the group "Users". This will grant enough permissions to execute installed programs. Create a user-level and an admin-level account for yourself. Only use the admin-level account when doing administrator work. Only use the user-level account to use an untrusted or Internet application.
Note: You must use NTFS as your file system to implement auditing of objects on the system.
Auditing is one of the most effective security measures in any system. It is the only way you can track what an attacker (or errant user) is trying to do and make decisions on how to stop it. Auditing must first be turned on by Group Policy. Under Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy, select an audit policy event and indicate what type of events to log.
Suggested events are:
Event                          | Success | Failure
Account logon events           | X       | X
Account management             | X       | X
Directory service access       |         | X
Logon Events                   |         | X
Object access                  | X       | X
Policy change                  | X       |
Privilege use                  | X       |
Restart, Shutdown, and System  | X       | X
Process Tracking               |         |
You may wish to add the policy /Security Options/Audit use of Backup and Restore privilege or the registry key HKLM\SYSTEM\CurrentControlSet\Control\LSA FullPrivilegeAuditing=1 to enable more user rights events (Backup and Restore Files), but this can create a huge number of events. Also, "Process Tracking" is usually for debugging only; it creates many events and will affect system performance.
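The account-policy settings above and the suggested audit events are what a security template captures, so a quick way to review many servers is to export each one's template (secedit /export /cfg) and check the file offline. The following script is an added example, not part of this guide or of the Security Configuration Tool Set: it parses the [System Access], [Event Audit] and [Registry Values] sections of a template and lists where the settings fall short of the recommendations here (minimum password length, lockout enabled, the audit table above, Process Tracking off, RestrictAnonymous set). The sample template is constructed; the minimum length of 8 is an assumption for illustration, and [Privilege Rights] (User Rights Assignment) is not checked.

```python
"""Check a Security Configuration Tool Set template (.inf) against the guide.

Added example, not code from the guide.  Audit values in a template are
0 = none, 1 = success, 2 = failure, 3 = success and failure; [Registry Values]
entries are "path=type,data" where type 4 is REG_DWORD.
"""
import configparser

SUCCESS, FAILURE = 1, 2
AUDIT_WANTED = {                     # from the "Suggested events" table
    "AuditAccountLogon": SUCCESS | FAILURE,
    "AuditAccountManage": SUCCESS | FAILURE,
    "AuditDSAccess": FAILURE,
    "AuditLogonEvents": FAILURE,
    "AuditObjectAccess": SUCCESS | FAILURE,
    "AuditPolicyChange": SUCCESS,
    "AuditPrivilegeUse": SUCCESS,
    "AuditSystemEvents": SUCCESS | FAILURE,
}
RESTRICT_ANON = r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous"

# Constructed template of a server still close to the defaults.
SAMPLE_TEMPLATE = r"""[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 6
PasswordComplexity = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 0
AuditObjectAccess = 3
AuditPrivilegeUse = 1
AuditPolicyChange = 1
AuditAccountManage = 3
AuditProcessTracking = 3
AuditDSAccess = 2
AuditAccountLogon = 2
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
[Version]
signature="$CHICAGO$"
Revision=1
"""

def load_template(text):
    """Parse the INI-style template; value names keep their case."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",))
    cp.optionxform = str
    cp.read_string(text)
    return cp

def check_template(text, min_password_length=8):
    """Return a list of (setting, current, wanted) shortfalls."""
    cp = load_template(text)
    problems = []
    acct = cp["System Access"]
    if int(acct.get("MinimumPasswordLength", 0)) < min_password_length:
        problems.append(("MinimumPasswordLength",
                         acct.get("MinimumPasswordLength", "0"), str(min_password_length)))
    if int(acct.get("LockoutBadCount", 0)) == 0:     # 0 means accounts never lock out
        problems.append(("LockoutBadCount", "0", "nonzero"))
    audit = cp["Event Audit"]
    for name, wanted in AUDIT_WANTED.items():
        have = int(audit.get(name, 0))
        if have & wanted != wanted:                  # a wanted bit is missing
            problems.append((name, str(have), str(wanted)))
    if int(audit.get("AuditProcessTracking", 0)):    # debugging only, per the guide
        problems.append(("AuditProcessTracking", audit["AuditProcessTracking"], "0"))
    reg = cp["Registry Values"] if cp.has_section("Registry Values") else {}
    ra = reg.get(RESTRICT_ANON, "")
    if ra.split(",")[-1] not in ("1", "2"):
        problems.append(("RestrictAnonymous", ra or "<absent>", "4,1 or 4,2"))
    return problems

if __name__ == "__main__":
    for setting, have, want in check_template(SAMPLE_TEMPLATE):
        print("%-24s current=%-8s wanted=%s" % (setting, have, want))
```

Because the audit check tests bits rather than equality, a server auditing both success and failure where only failure is suggested is not reported; only missing coverage is.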
To audit file and object access, you will also have to set Auditing properties on the objects (files, printers, etc.). In Windows 2000, this can be done by selecting the object and right-clicking, entering "Properties" "Security" "Advanced", then selecting the Auditing tab. Auditing inherits from the parent folder, just like ACLs.
Some example settings are:
Event                                   | Success | Failure
Traverse Folder / Execute File          |         | X
List Folder / Read Data                 |         | X
Create Files / Write Data               |         | X
Create Folders / Append Data            |         | X
Delete                                  |         | X
Set Value (Registry Key)                |         | X
Print (Printers)                        |         | X
Change Permissions (Dirs and Printers)  | X       | X
Take Ownership (Dirs and Printers)      | X       | X
Also, make sure that all event logs are checked on a regular basis. This may be a large task if you have many servers. You may want to adjust what you are auditing after evaluating the number of events collected. If you have multiple servers, looking into an event log watcher program would be a good idea.
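As an added illustration of what a simple log watcher does with the events enabled above (this is not code from the guide), the script below reads exported Security log records and flags three things worth a look: a burst of failed logons against one account, account lockouts, and a cleared audit log. The record layout (type, date, time, source, category, event id, account, computer) is a constructed, simplified comma-separated form and is not a verbatim Event Viewer export; the event ids are the Windows 2000 Security log ids (529 logon failure with bad user name or password, 644 user account locked out, 517 audit log cleared). The threshold and window are assumptions to adjust to your own volume.

```python
"""Triage exported Windows 2000 Security log records.

Added example, not part of the guide.  Input lines are assumed to be
comma-separated: type, date, time, source, category, event id, account,
computer (a constructed layout, not a verbatim Event Viewer export).
"""
import csv
from collections import defaultdict
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample: five bad-password attempts against "jsmith" in under a
# minute followed by a lockout, one routine logon, a lone failure, and an
# audit log cleared on SRV02 late at night.
SAMPLE_EXPORT = """\
Failure Audit,10/12/2000,09:14:02,Security,Logon/Logoff,529,jsmith,SRV01
Failure Audit,10/12/2000,09:14:09,Security,Logon/Logoff,529,jsmith,SRV01
Failure Audit,10/12/2000,09:14:15,Security,Logon/Logoff,529,jsmith,SRV01
Failure Audit,10/12/2000,09:14:21,Security,Logon/Logoff,529,jsmith,SRV01
Failure Audit,10/12/2000,09:14:30,Security,Logon/Logoff,529,jsmith,SRV01
Success Audit,10/12/2000,09:14:31,Security,Account Management,644,jsmith,SRV01
Success Audit,10/12/2000,09:20:00,Security,Logon/Logoff,528,rwilper,SRV01
Failure Audit,10/12/2000,11:02:44,Security,Logon/Logoff,529,rwilper,SRV02
Success Audit,10/12/2000,23:59:10,Security,System Event,517,Administrator,SRV02
"""

FIELDS = ("type", "date", "time", "source", "category", "event", "account", "computer")
LOGON_FAILURE, ACCOUNT_LOCKED, LOG_CLEARED = 529, 644, 517

def parse_export(text):
    """Return one dict per record with a parsed datetime and int event id."""
    records = []
    for row in csv.reader(StringIO(text)):
        if len(row) != len(FIELDS):
            continue        # skip blank or malformed lines instead of aborting the review
        rec = dict(zip(FIELDS, row))
        rec["when"] = datetime.strptime(rec["date"] + " " + rec["time"], "%m/%d/%Y %H:%M:%S")
        rec["event"] = int(rec["event"])
        records.append(rec)
    return records

def triage(records, threshold=5, window=timedelta(minutes=10)):
    """Flag accounts with >= threshold failures inside a sliding window,
    plus every lockout and every cleared audit log."""
    findings = {"guessing": {}, "lockouts": [], "log_cleared": []}
    recent = defaultdict(list)          # account -> failure times inside the window
    for rec in sorted(records, key=lambda r: r["when"]):
        if rec["event"] == LOGON_FAILURE:
            times = recent[rec["account"]]
            times.append(rec["when"])
            while times and rec["when"] - times[0] > window:
                times.pop(0)            # drop failures that fell out of the window
            if len(times) >= threshold:
                findings["guessing"][rec["account"]] = max(
                    findings["guessing"].get(rec["account"], 0), len(times))
        elif rec["event"] == ACCOUNT_LOCKED:
            findings["lockouts"].append((rec["account"], rec["computer"]))
        elif rec["event"] == LOG_CLEARED:
            findings["log_cleared"].append((rec["computer"], rec["account"]))
    return findings

def triage_text(text, **kw):
    """Convenience wrapper: parse then triage."""
    return triage(parse_export(text), **kw)

if __name__ == "__main__":
    for kind, hits in triage_text(SAMPLE_EXPORT).items():
        print("%-12s %s" % (kind, hits))
```

With permanent lockout configured, the lockout event itself is the alert; with a timed lockout, the sliding window catches guessing that is paced to stay under the lockout count.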
Apply Windows Service Packs and Hotfixes
Microsoft is very responsive about releasing fixes whenever an exploit is found. Download the fixes or run Windows Update on a regular basis. Watch the Windows at Stanford Information or Technet security page for security bulletins.
Use NTFS for all drives
This allows the most flexibility in setting a security policy and prevents other operating systems from being loaded on your Windows 2000 system.
Remove Unneeded Services, in particular: WINS, DNS, FTP, WWW, SNMP and Simple TCP/IP services. These can fall victim to Denial Of Service attacks or allow easier access into your server.
Remove OS/2 and Posix. These subsystems are fairly limited and are less secure than the Win32 systems. Delete os2.exe and posix.exe.
Create as few privileged accounts as possible
Do not use a privileged account for day-to-day work. This will prevent harm to the system should you fall victim to a trojan horse or other virus attack.
Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options
Authenticated Users is a built-in group that contains all user accounts. It does not contain anonymous connections, as Everyone does. Use "Authenticated Users" instead of "Everyone" for better protection.
Security Configuration Tool Set
Security Configuration Tool Set is an integrated security system that gives administrators the ability to define and apply security configurations for Windows NT and Windows 2000 installations. It also has the capability to perform inspections of the installed systems to locate any degradation in the system's security.
HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters contains keys that control the behavior of the TCP/IP stack. By changing some parameters, you can make your system less vulnerable to common DOS profiles.
SynAttackProtect: REG_DWORD = 0, 1, 2
Determines how multiple SYN packets are handled
Default: 0 (False)
Recommendation: 2
EnablePMTUDiscovery: REG_DWORD = 0, 1 (False, True)
Determines whether TCP/IP will try to discover the path MTU. 0 sets MTU to 576
Default: 1 (True)
Recommendation: 0
Netbt\Parameters\NoNameReleaseOnDemand: REG_DWORD = 0, 1 (False, True)
Determines whether the computer releases its NetBIOS name when it receives a name-release request from the network.
Default: 0 (False)
Recommendation: 1
EnableDeadGWDetect: REG_DWORD = 0, 1 (False, True)
Allows TCP/IP to detect a dead gateway and redirect packets to an alternate gateway
Default: 1 (True)
Recommendation: 0
KeepAliveTime: REG_DWORD = 1–0xFFFFFFFF (milliseconds)
How long to keep trying disconnected IP sessions
Default: 7,200,000 (two hours)
Recommendation: 300,000
Tcpip\Parameters\Interfaces\PerformRouterDiscovery: REG_DWORD = 0,1,2
Determines if TCPIP is allowed to perform router discovery.
Default: 2, DHCP-controlled but off by default.
Recommendation: 0
EnableICMPRedirects: REG_DWORD = 0, 1 (False, True)
Determines whether Windows 2000 will modify its route table when it receives an ICMP Redirect message
Default: 1 (True)
Recommendation: 0 (False)
NOTE: Local Computer Security Policy and Domain Controller Security Policy are shortcuts to Group Policy\Computer Configuration\Windows Settings\ with only Security Settings displayed.
\Account Policies\
Review policies for account lockout and password strength
\Local Policies\Audit Policy\
Set desired event auditing
\Local Policies\User Rights Assignment\
Review Log on Locally and Add servers to Domain
\Local Policies\Security Options\
Accounts:
To restrict anonymous connection to the registry and SAM database:
HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous=1 or 2
To reopen the registry, if applications fail, add "winreg" to:
HKLM\System\CurrentControlSet\Services\LanmanServer\Parameters\NullPipeSessions:
To set permissions to remotely access the registry, set permission on:
HKLM\System\CurrentControlSet\Control\SecurePipeServers\winreg
To set auditing of Backup and Restore:
HKLM\SYSTEM\CurrentControlSet\Control\LSA\FullPrivilegeAuditing=1
To set a password filter: (remove FPNWCLNT, if not using File/Print for NW)
HKLM\SYSTEM\CurrentControlSet\Control\LSA\Notification Packages=
Misc.:
To hide last logon:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=1
To display a Legal Notice:
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption=
HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText=
Additional measures can be taken to prevent accidental or deliberate damage to a Windows Server system. Those listed here could make your system unusable by or inconvenient for valid clients.
Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\
Bind Server Service to a non-routable protocol or do not use TCP/IP at all. Binding the server to NetBEUI or IPX/SPX limits your exposure to machines on the same physical subnet as your own.
Use IPSec. This encrypts all communications and forces an encrypted authentication for even the most basic communication to your servers. This will limit access to only machines with Windows 2000. It also cannot be used to encrypt Authentication traffic from a client to the DC because authentication is required to set up the IPSec session.
Last modified 10/12/00 by Ross Wilper
©2000 Trustees of the Leland Stanford Junior University