Windows 2000 Security tips (updated yet again)

waytoomuchcoffee

Senior member
Sep 30, 2000
WINDOWS 2000 SECURITY -- Working Copy May 31, 2001

This is mainly for individual workstations (Win2000 Professional) that are not running a server, and not in a network, although many of these hints will work for both. Be careful with the "Services" section though.

If you can, do a clean install of Win2000. An upgrade will leave all sorts of files behind that could potentially be exploited.

For purposes of this document, it is assumed you will be performing these steps with an Administrator account.

I don't take any responsibility for anything that happens to your system as a result of this guide.

If you do everything here, it is in the range of extremely paranoid (which is not necessarily a bad thing). If you are looking for just the simplest but most important things to do, look at how to Disable Network Bindings, update windows, and install a firewall and an antivirus scanner.

CREATE A RECOVERY DISK

Let's go a bit off-topic before we begin. You should always create a recovery disk before messing with system settings. Get a blank diskette. Start -> Programs -> Accessories -> System Tools -> Backup. Select Backup Tab, go to Tools, and select "Create an Emergency Repair Disk".

If for some reason you don't have the Backup program in your system tools (it happens sometimes), you can access it by creating a shortcut. Right-click on the desktop -> New -> Shortcut. In the box type in:

%SystemRoot%\system32\NTBACKUP.EXE

Under the name, type in "Backup", or whatever.

You should update your Emergency Repair Disk (ERD) everytime you install a new program or change important settings. Really. Another reason to create a handy Backup shortcut (I put mine on my desktop), as you can update the ERD more easily. Someday your computer won't start, especially if you are the type that messes around with it a lot (like most of you that are reading this). To use your ERD, you need to boot your computer using the four startup floppies that came with Windows 2000. There is an option that asks if you want to install or repair; choose repair and follow directions. It will ask you to insert your ERD. Many versions of Windows 2000 (mainly OEMs and upgrade disks) don't include the startup floppies. You can make them by running /bootdisk/makeboot.exe off of your Windows 2000 CD. Either do it before problems occur, or make sure you have an old DOS boot disk around to access the CD so you can do it later (many Windows 2000 CDs do NOT autoboot).

Another handy tool that can be used in the event of an emergency is the Recovery Console. This lets you fix disks when you can't boot into Windows, create/format partitions, and disable/enable services, among other things. It's a useful second step, usually AFTER you try your ERD. While you can run it many ways, the easiest is to load it as a boot-time option (when you press F8 while Windows is loading). To do this, put in your Windows 2000 CD, go to Start -> Run and type in X:\i386\winnt32.exe /cmdcons where "X" is the CD-ROM drive letter (note there is a space between "winnt32.exe" and "/cmdcons"). I won't go into how to use it here (it's a lot like DOS, and uses some of the same commands). The following article describes it in more detail:

http://support.microsoft.com/support/kb/articles/Q229/7/16.asp

Nervous now? Good. While this guide is intended to walk you through each system change step-by-step, and might seem easy, you are actually changing some pretty serious system settings. If something goes wrong (the power goes out while converting your drives to NTFS, for example), you will be very, very happy you made an ERD and pre-loaded the Recovery Console.

ACCOUNTS

The default Win2000 installation will come with two accounts: "Administrator", and "Guest". You should disable "Guest", rename "Administrator", and create at least one account that you will use as your main account.

The Guest account should be disabled by default (it wasn't under some versions of NT), but it's good to check anyway. Start -> Settings -> Control Panel -> Users and Passwords -> Advanced Tab -> Advanced Button -> click on "Users" group. The Guest Account should have a little red circle with a white "x" over it. If it doesn't, right-click on "Guest", go to Properties, go to General Tab, and click on the box "Account is disabled".

While you are in "Users and Passwords" we can change a few other things. Rename the Administrator account by right-clicking on it and going to "Rename". Make it something you can remember, but avoid having "Administrator" or "Admin" as part of the name. Right-click on the new name, go to Properties, and clear out the "Full Name" and "Description" boxes. (A lot of people argue this step is like "putting tape on a safe", in that it does not increase security all that much. In a regular network system this is probably true. In fact NSA guidelines for hardening an NT workstation even leave this step out. There are so many ways to get a list of user names that it isn't worth it, and could be counter-productive in that it gives you a false sense of security. However, on a non-networked workstation, there are just a few ways you can get user names off the net, and we will be patching the known ones up for the most part, so this step is still useful for this type of setup).

Make a dummy Administrator account by going to "Action" and selecting "New User". Name it Administrator. Right-click on it, go to Properties, and go to the "Member Of" tab. Make sure it is not a member of anything. If it is, highlight them and hit "Remove". Right-click on the dummy Administrator account, select "Set Password", and give it a (very) strong password (see below).

Create an account you will use every day. Click on "Add" in the "Users" tab. Put in the name and password when prompted (ALWAYS use a password, see below). At this point, you need to select what type of account this is. The standard advice is for your main account to be a "Standard User (Power Users Group)". This setting will allow you to add/remove programs, but restricts a lot of system settings. This setting is necessary for many programs written for Windows NT. Note that Power Users cannot install many programs written for NT, as they change system registry settings which Power Users do not have access to.

For more security (but bigger headaches) you can also try the "Restricted User (User Group)" setting. This type of user can't even install or remove programs, and so is very safe from trojans. They should be able to run any program that was written to be compatible with Win2000.

If you need administrative rights to access a program (such as Regedit), you can use the "Run As" feature in Win2000. Just right click the program you want to run, and select "Run As". You can then type in the name and password of your renamed Administrator account.

Log in with Administrator access as rarely as possible. A trojan that is run by mistake, or a malicious ActiveX or Java component run by a webpage, will have access to anything the account has access to. Many bugs that let hostile web pages damage your system have already been found, more are most likely out there. If a dangerous program runs as an Administrator, it will have access to your system files, such as the registry. Running as a Restricted User can mean the difference between having your individual User profile wiped out, versus having your entire system wiped out as an Administrator. Note that running a trojan as a Standard User can affect some system-wide settings, but not all.

PASSWORDS

Always put in passwords, strong passwords. Meaning a combination of lower-case, upper-case, numerals, and special characters like !@#$%.
How many characters should you use? In Win2000, you can have up to 127 characters, which is obviously not going to be used that often. The method in which passwords are stored means that a 7-character password is probably the best for most people. If you want to get into the specifics of why, see http://www.microsoft.com/technet/security/au042400.asp?a=printable

There are some utilities that can crack your passwords, like L0phtCrack. To defeat these programs, there are certain ASCII characters accessed with the numeric keypad ALT key that you can include in your passwords. These will make an extremely hard password. These are shown at:

http://sysopt.earthweb.com/articles/win2kpass/index.html
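Here is an added example (not part of the original post) that checks a candidate password against the advice above and shows how the LAN Manager (LM) hash that tools like L0phtCrack attack splits it, which is the reason a 7-character password comes out well. The LM description used here (uppercase the password, pad or cut it to 14 characters, hash the two 7-character halves independently, store no LM hash for passwords longer than 14) is assumed from public documentation of the scheme; the DES step is left out because only the split matters for the point.

```python
# Added example, not part of the original post. The LM-hash behaviour modelled
# here is assumed from public documentation of the scheme; DES step omitted.
import string


def character_classes(password):
    """Which of lower/upper/digit/special/extended the password contains.
    'extended' is a character outside 7-bit ASCII, e.g. typed with ALT + keypad."""
    classes = set()
    for ch in password:
        if ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.digits:
            classes.add("digit")
        elif ord(ch) > 127:
            classes.add("extended")
        else:
            classes.add("special")
    return classes


def lm_halves(password):
    """Return the two 7-character LM halves (NUL-padded), or None when the
    password is longer than 14 characters and therefore has no LM hash at all."""
    if len(password) > 14:
        return None
    padded = password.upper().ljust(14, "\0")
    return padded[:7], padded[7:]


def assess(password):
    """List of findings; an empty list means the password follows the post's advice."""
    findings = []
    classes = character_classes(password)
    if "extended" in classes:
        classes.add("special")  # an ALT-keypad character counts as a special one
    missing = {"lower", "upper", "digit", "special"} - classes
    if missing:
        findings.append("missing character classes: " + ", ".join(sorted(missing)))
    halves = lm_halves(password)
    if halves is not None:
        tail = halves[1].rstrip("\0")
        if 0 < len(tail) < 7:
            # 8 to 13 characters: the short second half is cracked far faster than
            # the first, and what it reveals narrows the search for the rest
            findings.append(f"LM hash leaves a {len(tail)}-character second half that cracks quickly")
    return findings


if __name__ == "__main__":
    for pw in ["password", "Xk9#pQ2", "Tr0ub4dor&3", "Xk9#pQ2Xk9#pQ2z"]:
        print(repr(pw), lm_halves(pw), assess(pw))
```

Note that `lm_halves` uppercases its input: mixing upper- and lower-case helps the NT hash but does nothing against the LM hash, which is one more reason the extended characters mentioned above are worth using.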

Next, go to Local Security Policy. Start -> Settings -> Control Panel -> Administrative Tools -> Local Security Policy -> Account Policy -> Account Lockout Policy

Some recommended settings are listed below.

Account lockout duration: (45 minutes)
Account lockout threshold: (5 invalid login attempts)
Reset account lockout counter after: (45 minutes)

Note the "account lockout" setting has no effect on the Administrator account. This is because MS doesn't want the administrator to be inadvertently locked out (and force a potential reinstall). It's bad in that this will allow a cracker to brute force the Administrator's password without ever being locked out. This is one reason to make the administrator password as strong as possible.

Examine the Password Policy settings too. Some of these settings may be needed if you have other users on your system. Generally, these settings can be a real pain to use (as they require users to make new passwords at predefined times), but they do help security.

UPDATE WINDOWS

Go to Start -> Windows Update. If you don't have a Windows Update icon in your start menu (some installs don't do this, I don't know why), you can make one. Do it as shown in the section above for creating a shortcut to the Backup program, but the path this time is:

%SystemRoot%\system32\wupdmgr.exe

Under the name, type in "Windows Update", or whatever. Drag it to the Start button, when it shows the menu release. It will be put into the upper menu.

Make sure you get the latest Service Pack (SP2 is out at time of this writing), as well as any critical updates.

Note that Windows Update does not show all the updates available. It also takes a few weeks from the time that updates are created until they are posted on Windows Update. For details on how to receive email updates when new patches are available, and locations to download them immediately, see:

http://www.microsoft.com/TechNet/security/secpatch.asp

AUDITING

If someone does break in, you may not know it unless you have auditing enabled and actually check your logs.

Start -> Programs -> Administrative Tools -> Local Security Policies -> Local Policies -> Audit Policy

Under "Audit account logon events" (records logons) select "Audit success" (to see if someone stole a password) and "Audit failure" (for random password hacks).
"Audit policy changes" (tracks security policy changes): "Audit success and failure".
"Audit privilege use" (can identify when a user tries to use a right not assigned to them): "Audit failure".
"Audit system events" (can monitor if someone clears the event log): "Audit success and failure".

Learn how to use Event Viewer, which lets you examine the logs.
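The lockout policy above and these audit settings work together: the lockout counter stops password guessing, and the log is where you find out it happened. Here is an added example (not part of the original post) that replays a constructed set of Security-log entries against the recommended policy (5 invalid attempts, 45-minute reset) and lists what a reader of Event Viewer should follow up on. The event IDs used are the classic NT/2000 Security-log ones and are an assumption to confirm against your own Event Viewer; the log lines are constructed, not captured.

```python
# Added example, not part of the original post: simulate the lockout counter
# and scan constructed Security-log entries for things worth following up.
from collections import defaultdict
from datetime import datetime, timedelta

LOCKOUT_THRESHOLD = 5                 # "Account lockout threshold" from the post
RESET_WINDOW = timedelta(minutes=45)  # "Reset account lockout counter after"

# NT/2000-era Security-log event IDs (assumed here; confirm in your Event Viewer).
EVENT_LOGON_OK = 528       # successful logon
EVENT_LOGON_FAIL = 529     # logon failure: unknown user name or bad password
EVENT_LOG_CLEARED = 517    # the audit log was cleared
EVENT_POLICY_CHANGE = 612  # audit policy changed

# Constructed sample log, one "timestamp|event_id|account" per line. Not real data.
SAMPLE_LOG = """\
2001-05-31 01:00:00|529|bob
2001-05-31 01:02:00|529|bob
2001-05-31 01:03:00|529|bob
2001-05-31 01:04:00|529|bob
2001-05-31 01:06:00|528|bob
2001-05-31 02:00:00|529|Administrator
2001-05-31 02:00:10|529|Administrator
2001-05-31 02:00:20|529|Administrator
2001-05-31 02:00:30|529|Administrator
2001-05-31 02:00:40|529|Administrator
2001-05-31 02:00:50|529|Administrator
2001-05-31 03:00:00|529|alice
2001-05-31 03:10:00|529|alice
2001-05-31 04:30:00|529|alice
2001-05-31 04:31:00|529|alice
2001-05-31 04:32:00|529|alice
2001-05-31 05:00:00|517|SYSTEM
2001-05-31 05:05:00|612|Administrator
"""


def parse_log(text):
    """Turn the sample text into sorted (timestamp, event_id, account) tuples."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        stamp, event_id, account = line.split("|")
        events.append((datetime.strptime(stamp, "%Y-%m-%d %H:%M:%S"), int(event_id), account))
    return sorted(events)


def lockouts(events):
    """Simulate the lockout counter. Returns {account: would_lock} for every
    account that reached the threshold. The counter resets when more than
    RESET_WINDOW passes between failures, and the built-in Administrator
    account reaches the threshold but never locks (as the post notes)."""
    runs = defaultdict(list)
    result = {}
    for stamp, event_id, account in events:
        if event_id != EVENT_LOGON_FAIL:
            continue
        run = runs[account]
        if run and stamp - run[-1] > RESET_WINDOW:
            run.clear()  # the earlier failures have expired
        run.append(stamp)
        if len(run) >= LOCKOUT_THRESHOLD:
            result[account] = account.lower() != "administrator"
    return result


def alerts(events):
    """Findings a person reading Event Viewer should follow up on."""
    found = []
    recent_failures = defaultdict(int)
    for stamp, event_id, account in events:
        if event_id == EVENT_LOGON_FAIL:
            recent_failures[account] += 1
        elif event_id == EVENT_LOGON_OK:
            # a success right after a burst of failures looks like a guessed password
            if recent_failures[account] >= LOCKOUT_THRESHOLD - 1:
                found.append(f"{account}: successful logon after {recent_failures[account]} failures")
            recent_failures[account] = 0
        elif event_id == EVENT_LOG_CLEARED:
            found.append(f"{account}: security log cleared at {stamp:%H:%M}")
        elif event_id == EVENT_POLICY_CHANGE:
            found.append(f"{account}: audit policy changed at {stamp:%H:%M}")
    return found


if __name__ == "__main__":
    evts = parse_log(SAMPLE_LOG)
    print("lockouts:", lockouts(evts))
    for line in alerts(evts):
        print("alert:", line)
```

In the sample, "alice" never locks because her first two failures expire before the next three arrive, "bob" never locks but his success after four failures is exactly the "Audit success" case the post wants logged, and "Administrator" is reported as exempt even after six failures.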

SOFTWARE FIREWALLS

Download and install a Firewall. There are three good free ones: ZoneAlarm, Sygate Personal Firewall, and Tiny Firewall.

ZoneAlarm is at www.zonelabs.com. Go into Security, and set security at "High" for both Local and Internet. Under the "MailSafe e-mail protection" section, click on the box labeled "Enable MailSafe protection to quarantine e-mail script attachments". Under "Lock", Enable "Automatic Lock", and "Engage Internet Lock when screen saver activates." To set up a screen saver, right-click on the desktop, select "Properties", go into Screen Saver and set one up. If you need to have some programs access the internet while the Automatic Lock is enabled (like email programs that check for new messages), you need to select the "Pass Lock" box next to the program in the "Programs" directory of ZoneAlarm.

If you have ZoneAlarm, you can try out ZoneLog Analyzer to figure out what the logs mean. This will read in your ZoneAlarm log file and sort your alerts by type (such as trojan and DOS attacks) and date. This is shareware, with registering cost if you like it. Please DON'T assume that everything is an attack, even if this program says it is. It is at: http://www.zonelog.co.uk

Yet another good free firewall is Sygate Personal Firewall. Some people think it is simpler than ZoneAlarm, and just or more effective. It is at: http://www.sygate.com/products/shield_ov.htm

Many people think Tiny Firewall is superior to both Sygate or ZoneAlarm. However, it is not as easy to set up, and requires you to actually read the instructions. It is available at: http://www.tinysoftware.com/pwall.php

With add-ons like an analyzer at: http://server47.hypermart.net/tinyfirewall/

A software firewall, while useful, is no replacement for a real hardware firewall. However, real hardware firewalls are expensive. You might consider getting a Router with NAT and/or Stateful Packet Inspection (SPI), which provides a very good level of safety. While they don't have all the features of a "real" firewall, they are extremely good for preventing outside attacks, and at a greatly reduced price (you can get them for under US$100). While Routers are designed for networks where you have multiple computers linked together, there is nothing stopping you from setting up one for a single computer.

VIRUS SCANNERS / BEHAVIOR BLOCKERS / SANDBOXES / TROJAN DETECTORS

If you don't already have a virus scanner, you need one. While many are available for sale, a good free one is Inoculate IT Personal Edition, at http://antivirus.cai.com provided you are using it on your personal computer (business copies are NOT free). It is ICSA Certified and consistently rates extremely high in detection rates. It has good user support too, and also updates automatically.

Note that virus scanners only detect certain patterns. If the virus/trojan/worm/woozle is zipped up, it probably won't detect it. If it is a new virus/trojan/worm/woozle that isn't in the database yet, it won't detect it. Some virii change their code to fool virus scanners (polymorphic virii). One way to detect these types of malicious programs is to install a behavior blocker / sandbox. Behavior blockers restrict the rights of code accessing parts of your computer. For example, if a Java applet on a web page attempts to access your registry, a warning box can pop up asking if you really want to do this. Sandboxes can allow you to run code in a safe environment that will not affect system resources, to see what it actually does.

One free combination behavior blocker / sandbox is SurfinGuard Pro at http://www.finjan.com/surfinguard This program can be configured to simply block certain types of access, or to prompt you to run the code / stop the code / run the code in a sandbox. Note this is in beta now, and so is not perfect. You may want to wait until release before trying it.

You can also consider a Trojan Detector (similar to a Virus Detector, but more specialized). Most are not free. If you are interested, just do a search for Trojan Detectors, or look at: http://www.wilders.org/anti_trojans.htm

DISABLE NETWORK BINDINGS / NetBIOS

Network bindings allows your computer to share files and printer services (among other things). If you are not in a network you don't need most of them (even though you might have a network card connected to your Cable/DSL line, this doesn't count as a network connection).

Start -> Settings -> Control Panel -> Network and Dial-Up Connections. In here you will have your network information -- you need to go into everything except for "Make New Connection". If you have DSL or Cable, you will probably have one that says "Local Area Connection". Hit "Properties". If there are tabs, select the one that says "Networking". Uncheck every box that does not say "TCP/IP" somewhere in it (TCP/IP is the binding used to talk to the internet, which you obviously want to keep). The most important category that should be UNchecked is "File and Print Sharing for Microsoft Networks", which can allow other computers to access your files.

(NOTE: if you have a home network, you probably want to be able to share files and printers. In this case, you should set up the computers in your network to talk to each other using a protocol called NetBEUI instead of TCP/IP (TCP/IP is the protocol the Internet uses, and is less secure). To do this, see: http://cable-dsl.home.att.net/#Security for instructions; see steps B-D).

NetBIOS controls share names, user names and host names within a network (and is how Network Neighborhood runs). If you are not in a network, you should disable it. Note this can create problems with some internet connections. Check out your connection after disabling it. It is easily reversed.

Under "Local Area Connection" described above, go into Internet Protocol (TCP/IP) -> Advanced -> WINS tab -> and select "Disable NetBIOS over TCP/IP". If you have a dial-up connection, you will need to go into that as well under "Network and Dial-up Connections" and follow the same procedure.

CONVERT YOUR DRIVES TO NTFS

If you didn't set up your disks as "NTFS", you need to do that now. Go into Windows Explorer, expand "My Computer", right-click on your hard drive(s), and select "Properties". It should say somewhere in there "File System: NTFS". If it says "File System: FAT" or "File System: FAT32", you need to change it. IMPORTANT NOTE: you NEED to have your disks in FAT if you have Win95, Win98 or WinME installed, as they can only read FAT disks. If you convert your disks to NTFS, they will not be able to read the data. You can convert only the hard drive/partition you have Win2000 on, but your older Windows will not be able to read any files on it. If you convert the disk/partition that your older Windows is on, the older Windows won't even start.

If you need to change to NTFS, go to Start -> Run (or just type the Windows key + "r"). At the command line, type in:

convert c: /fs:ntfs

Replace "c:" with every drive you wish to convert. Follow the instructions, which will probably include restarting your computer. Make sure you do this at a time the power will not go out. It will take a few seconds to a few minutes, depending on how much stuff is on the drive. After converting, you should run Disk Defragmenter (Start -> Programs -> Accessories -> System Tools).

DRIVE PERMISSIONS

You can set up NTFS drives to allow read/write/edit permissions for different users/files. This is another way to ensure protection of your system in case an anonymous user gets access.

First, we need to replace the default permission for "Everyone" or anonymous users to access your drives (including anonymous users/guests), and set it up so only real users that have logged in have access. Go into Windows Explorer, expand "My Computer", right-click on your hard drive(s), and select "Properties". Go into the "Security" tab. Click Advanced. Under the Permissions Tab, select "Everyone". Hit View/Edit. Hit Change. Select "Authenticated Users". Hit OK, and OK again.

Next, we need to deny access to our dummy Administrator account, in case someone actually manages to log on with it. If you have not created a dummy Administrator account, don't follow the rest of these instructions or you may lock yourself out of your computer. Hit the "Add" button, and select "Administrator". IMPORTANT: Do NOT hit "Administrators", as this is the entire GROUP of (real) Administrators. You want the USER "Administrator". It will have an entry in the "In Folder" section next to the name; the "Administrators" GROUP will NOT. Hit "OK". Back in the main Security Tab, hit Advanced. Select Administrator. Hit View/Edit. For "Apply Onto:", make sure "This folder, subfolders and files" is selected. Then click all boxes under "Deny". Hit OK three times.

(If you have any other Names in the top box besides "Administrator" and "Authenticated Users", remove them unless you know they belong for some reason. There should not be anything else in a clean install.)

You have to repeat this for every drive / partition.

SERVICES

Services are background programs your computer uses to run correctly. Many services are unnecessary, and some are actually dangerous. A secure system needs to disable certain services. Many services are included by default as Microsoft expects your system to be operated in a network. This includes allowing remote users to access your registry, view your clipbook, browse your directory, or connect to it via Telnet. These can open large holes in your system, and should be removed. This also has the advantage of improving system performance, as each service can take up megabytes of RAM. I cleared up over 20 MB of memory simply by disabling services I never used.

Rather than repeating basic info on services, as well as lengthy descriptions of what each service does, this guide recommends you read the following. The "Windows 2000 Services tweak guide" is a good introduction to services, and also describes what to do if you accidentally disable a service that you actually need to run your computer.

http://www.3dspotlight.com/tweaks/win2k_services/index.shtml

The following article (broken into parts) is more focused on the security aspect of services:

http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16301
http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16363

Services that I have disabled include:

Clipbook
Computer Browser
DHCP Client (Warning: some internet connections need this service)
Fax Service
Indexing Service
Internet Connection Sharing
IPSEC Policy Agent
Net Logon
Netmeeting Remote Desktop Sharing
Remote Registry Service
Routing and Remote Access
Server
SNMP Service
SNMP Trap Service
Task Scheduler
TCP/IP NETBIOS Helper Service
Telnet

If you are running an IIS server, see the following on what services are required/not required:

http://support.microsoft.com/support/kb/articles/q189/2/71.asp

(Also see the following article on securing an IIS 5 server: http://www.microsoft.com/technet/security/iis5chk.asp )

SHARING

Windows 2000 uses hidden directories for use by the system account, but these can also be abused to break into your system. You can disable the "Server" service as described above to stop people from using these hidden directories, but you should also manually edit the registry as well.

Run or create a shortcut to Regedit (the path is X:\WINNT\regedit.exe, where X is your Win2000 drive) Go into Regedit. Under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters, select Edit -> New -> Dword Value. As the name, put in "AutoShareWks" if you have Windows 2000 Pro and "AutoShareServer" if you have Windows2000 Server. The value should come out to "REG_DWORD : 0" by default. If not, hit modify and change. Exit Regedit.

Note: disabling shares with Windows Explorer (as written in some other guides) will only work until the next reboot.
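Because the Explorer approach silently reverts at reboot, it is worth verifying the registry value rather than assuming the edit took. Here is an added example (not part of the original post) that parses the text Regedit produces with "Export Registry File" and reports whether the AutoShare value for your edition is present and set to REG_DWORD 0. The sample export is constructed, not taken from a real machine; the key path and value names are the ones given above.

```python
# Added example, not part of the original post: check an exported registry
# fragment for the AutoShare value described above.

LANMAN_KEY = r"HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters"
AUTOSHARE_NAME = {"professional": "AutoShareWks", "server": "AutoShareServer"}

# Constructed sample export in Regedit's "Export Registry File" format.
SAMPLE_EXPORT = """\
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\\System\\CurrentControlSet\\Services\\LanManServer\\Parameters]
"AutoShareWks"=dword:00000000
"NullSessionPipes"=hex(7):00,00
"""


def parse_reg(text):
    """Return {key_path: {value_name: (type, data)}} with paths and names
    lower-cased, because the registry itself is case-insensitive."""
    keys = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", "REGEDIT4")):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue  # continuation lines of long hex values carry no '='
        name, _, data = line.partition("=")
        name = name.strip().strip('"').lower()
        if data.startswith("dword:"):
            keys[current][name] = ("REG_DWORD", int(data[len("dword:"):], 16))
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            keys[current][name] = ("REG_SZ", data[1:-1])
        else:
            keys[current][name] = ("other", data)
    return keys


def autoshare_disabled(export_text, edition="professional"):
    """True only when the value for this edition exists and is REG_DWORD 0.
    A missing value means the default still applies and the hidden shares
    come back at the next boot, so 'missing' is reported as not disabled."""
    name = AUTOSHARE_NAME[edition].lower()
    values = parse_reg(export_text).get(LANMAN_KEY.lower(), {})
    return values.get(name) == ("REG_DWORD", 0)


if __name__ == "__main__":
    print("Professional:", autoshare_disabled(SAMPLE_EXPORT))
    print("Server:", autoshare_disabled(SAMPLE_EXPORT, "server"))
```

To use it on a real machine, select the Parameters key in Regedit, export it to a file, and pass the file's contents to `autoshare_disabled`. The edition check matters: a Windows 2000 Server with only `AutoShareWks` set is not protected.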

OTHER SECURITY SETTINGS

Start -> Settings -> Control Panel -> Users and Passwords -> Advanced Tab -> under "Secure Boot Settings" enable the box marked "Require users to press Ctrl-Alt-Delete before logging in". This defeats trojans that attempt to intercept your password.

Start -> Programs -> Administrative Tools -> Group Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> Netmeeting:

Enable "Disable remote desktop sharing." Of course, if you use Netmeeting you need this disabled.

Start -> Programs -> Administrative Tools -> Local Security Policy -> Security Setting -> Local Policies -> Security Options:

Set "Additional restrictions for anonymous connections" to "No access without explicit anonymous permissions." (By default, an anonymous user is considered part of the "Everyone" group. Even though we restricted access to the "Everyone" group earlier, this provides another layer of protection. Note that in NT, the highest setting was "Do not allow enumeration of SAM accounts and shares", which replaces "Everyone" with "Authenticated Users" in the security permissions for resources. Win2000 has added the "no access" setting to provide even more security - this will take out both Everyone and any network connections that don't have explicit permission. Both these settings will defeat programs (i.e. "Redbutton") that log anonymously and are designed to find the names of user accounts and/or the name of the renamed Administrator account.)

Enable "Do not display last user name in logon screen."

Enable "Restrict CD-ROM access to locally logged-on user only". This will prevent users logged in over the internet from reading your CD-ROM.

Enable "Restrict floppy access to locally logged-on user only". This will prevent users logged in over the internet from deleting/stealing info in your floppy (or write a boot virus to your floppy that will run the next time you start up your computer).

Enable "Restrict users from installing printer drivers". This prevents others from installing bogus printer drivers. You will have to disable this if you replace or add a printer driver.

Disable "Disable CTRL+ALT+DEL requirement for logon". This will gray out the box marked "Require users to press Ctrl-Alt-Delete before logging in" in the Users and Passwords utility, adding another layer of protection as a trojan will have to disable both before trying to steal your passwords.

Think about enabling "Clear virtual memory pagefile when system shuts down". This is for the truly paranoid -- it wipes out the pagefile memory (the part of the harddrive that acts as RAM memory when you don't have enough RAM) on shutdown. This is mainly for those computers that have to be secure in case someone steals the harddrive, or laptops. Of course, there is the chance on a home system that a network user could gain control of your computer and mine this memory looking for stuff like admin passwords and credit cards. This option can add a long time to your shutdown time.

Start -> Programs -> Administrative Tools -> Local Security Settings -> Security Setting -> Local Policies -> User Rights Assignment:

Go into "Deny access to this computer from the network"; add "Everyone", "Guests", the "Administrators" group, and each separate individual account. Note this setting takes precedence over the "Access this computer from the network" right, so you don't have to modify both. This theoretically makes it so you can only log in from your local computer.

ENCRYPTING FILE SYSTEM (EFS)

You can set up your NTFS drives for automatic encryption of files. I don't go into this here as this is really only useful if you think someone is going to physically access your computer, such as booting up from a floppy and reading your files. If someone gets access to your Administrator account, it doesn't matter if the files are encrypted or not.

CONFIGURE WINDOWS EXPLORER TO SHOW EXTENSIONS

This helps prevent you from running dangerous programs that you might have downloaded by mistake, such as Registry files or .VBS files.

Go to Windows Explorer -> Tools -> Folder Options -> View

Uncheck "Hide file extensions for known file types".

Select "Show hidden files and folders".

Hit the button called "Like Current Folder" to put these preferences in all directories/subdirectories.

This will prevent you running that file you downloaded that you think is called "xxxpicture.jpg" (or "fluffybunny.jpg" or whatever you are into) but is really a trojan named "xxxpicture.jpg.exe" which will wipe out your hard drive.
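Here is an added example (not part of the original post) that models what Explorer shows for a file name with "Hide file extensions for known file types" on, and flags names whose real last extension is runnable while the part left visible looks like a picture or document. The two extension lists are assumptions for illustration (extend them to match your system's registered types); the file names are constructed.

```python
# Added example, not part of the original post: model Explorer's extension
# hiding and flag double-extension trojans like "xxxpicture.jpg.exe".
import os

# Extensions Windows runs when double-clicked (assumed list; extend as needed).
EXECUTABLE = {".exe", ".com", ".bat", ".cmd", ".pif", ".scr", ".vbs", ".vbe",
              ".js", ".jse", ".wsh", ".wsf", ".reg", ".lnk"}
# Extensions a user expects to be harmless data (assumed list).
HARMLESS = {".jpg", ".jpeg", ".gif", ".txt", ".doc", ".mp3", ".pdf", ".zip"}


def displayed_name(filename, hide_known=True):
    """Explorer strips only the LAST extension, and only if it is a registered type,
    so 'xxxpicture.jpg.exe' is shown as 'xxxpicture.jpg'."""
    if not hide_known:
        return filename
    base, ext = os.path.splitext(filename)
    if ext.lower() in EXECUTABLE | HARMLESS:
        return base
    return filename


def is_disguised(filename):
    """True when the real extension is runnable but the name Explorer would
    display ends in a harmless-looking extension."""
    _, ext = os.path.splitext(filename)
    if ext.lower() not in EXECUTABLE:
        return False
    _, shown_ext = os.path.splitext(displayed_name(filename))
    return shown_ext.lower() in HARMLESS


def scan(filenames):
    """Return the names from a listing (e.g. an attachments folder) that look disguised."""
    return [f for f in filenames if is_disguised(f)]


if __name__ == "__main__":
    # Constructed sample listing.
    listing = ["xxxpicture.jpg.exe", "setup.exe", "notes.txt", "report.doc.vbs",
               "fluffybunny.JPG.scr", "readme.txt.pdf"]
    for name in listing:
        print(f"{name:22} shown as {displayed_name(name):18} disguised={is_disguised(name)}")
    print("flagged:", scan(listing))
```

With extensions hidden, "setup.exe" and "xxxpicture.jpg.exe" display as "setup" and "xxxpicture.jpg" respectively; only the second is flagged, since a plain program name gives the user nothing misleading to go on. Turning the Explorer option off (hide_known=False) makes the full name visible, which is the whole point of the setting above.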

EMAIL

You should turn off your e-mail's ability to automatically run programs ("scripting"). Some can run just by viewing the mail, without opening any attachments (although the latest patches to Express are designed to avoid this from happening by giving you a warning box). To do this in Outlook or Outlook Express, refer to:

http://www.microsoft.com/technet/security/crsstQS.asp

This will tell you how to set your Email up to use the "Restricted Sites" zone. While you are in the "Security Settings" portion of "Restricted Sites" (when you follow the instructions above), you can take this time to make it even more secure. Make sure the following is checked:

- "Disable" under "Download signed ActiveX controls"
- "Disable" under "Download unsigned ActiveX controls"
- "Disable" under "Initialize and script ActiveX controls not marked as safe"
- "Disable" under "Run ActiveX controls and plug-ins"
- "Disable" under "Script ActiveX controls marked safe for scripting"
- "Disable" under "Allow cookies that are stored on your computer"
- "Disable" under "Allow per-session cookies (not stored)"
- "Disable" under "File Download"
- "Disable" under "Font Download"
- "Disable Java" under "Java permissions"
- "Disable" under "Access data sources across domains"
- "Disable" under "Don't prompt for client certification selection..."
- "Disable" under "Drag and drop or copy and paste files"
- "Disable" under "Installation of desktop items"
- "Disable" under "Launching programs and files in an IFRAME"
- "Disable" under "Navigate sub-frames across different domains"
- "High Safety" under "Software channel permissions"
- "Disable" under "Submit non-encrypted form data"
- "Disable" under "Userdata persistence"
- "Disable" under "Active scripting" (this is what the Microsoft fix mentioned above changes)
- "Disable" under "Allow paste operations via script"
- "Disable" under "Scripting of Java applets"

This turns off everything "extra" in the email. The safest email is plain-text email with nothing added. It will still work too.

In MS Express, go to "Tools -> Options -> Send" and select "Plain Text" for both Mail and News Sending Format. This will help prevent you from passing on any virus/worm you catch, and stop people from complaining to you for sending HTML mail/news (which can carry a whole bunch of nasty stuff).

In MS Express, you should turn off the preview pane (which automatically shows messages, and might automatically run them, which is how the Kak worm spreads for example). You can do this by going to: "View -> Layout" and unclicking the "Show preview pane" box.

In Eudora, go to Tools -> options -> Viewing Mail. Uncheck "Allow executables in html content".

In Netscape Navigator, go to "Edit -> Preferences -> Advanced". Deselect the option "Enable Javascript for mail and news".

MS INTERNET EXPLORER

In Microsoft Internet Explorer, go to "Tools -> Internet Options -> Security" and select "Internet" and then hit "Custom Level". You will get a long series of options that are already described under the email section above. While it was easy in email (we just disabled everything in the Restricted Zone), it won't be so easy for the Internet Zone. If we disable everything, your browser won't work for many sites. You have to be selective here. I usually eliminate Active X and Java and Cookies, although you might want to experiment a bit. For those sites that need Active X, Java, and Cookies, I list the site under "Trusted Sites". Go to "Trusted Sites", hit the "Sites" button, and add it in. This allows you to run trusted sites with less security.

DISABLE AUTOMATIC RUNNING OF .REG FILES

If a file with the extension .reg is run, the registry is changed (provided the user has access to the registry). This is a good way for trojans to do nasty things to your computer. A nifty trick is to change the file association for the .REG extension. This prevents (for example) a malicious Web site from inserting new keys into your registry while you are browsing the Web.

To do this, you need to have a reg file you can play with. If you don't, go into WordPad and save a sample file as sample.reg, or rename a file you don't need to *.reg. Right-click on the file in Windows Explorer, and select "Properties". In the section of the box that says "Type of file:" hit Change, select WordPad, and hit OK twice. WordPad is good because when *.reg files are run, it will open WordPad and actually show you the code that would have run, instead of running Regedit and executing it. The fastest way to actually run reg files is to right-click on the file, go to "Open With", choose "Other", go into the /WinNT folder, and choose Regedit.

This trick works with all sorts of extensions. If you don't use .vbs (VBScript) files, you might want to change that file association too, as most of the common email worms use VBScript. The same goes for the other Windows Script Host extensions (.vbe, .js, .jse, .wsf, .wsh), which are run the same way. (Of course, we won't go opening .vbs files emailed to us anyway, will we?)
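The same change, written as a .reg file instead of clicking through Properties. This is an added example, not part of the original post: it points the double-click ("open") verb for .reg and .vbs files at Notepad rather than WordPad, because notepad.exe sits on the system path on a default Windows 2000 install and needs no full path, and it adds a separate "Merge into registry" right-click verb so you can still import a file deliberately. The ProgID names (regfile, VBSFile) are the Windows 2000 defaults; if your .reg or .vbs extension has been re-pointed at some other ProgID, check HKEY_CLASSES_ROOT\.reg and HKEY_CLASSES_ROOT\.vbs first. Merge it with "regedit assoc.reg" (it is the last .reg file you will double-click).

```reg
Windows Registry Editor Version 5.00

; Added example, not from the original post. Assumes a default
; Windows 2000 install (notepad.exe and regedit.exe on the path).

; Double-clicking a .reg file now opens it in Notepad for inspection.
[HKEY_CLASSES_ROOT\regfile\shell\open\command]
@="notepad.exe \"%1\""

; Keep a deliberate import path on the right-click menu.
[HKEY_CLASSES_ROOT\regfile\shell\merge]
@="&Merge into registry"

[HKEY_CLASSES_ROOT\regfile\shell\merge\command]
@="regedit.exe \"%1\""

; Same treatment for VBScript: show the script, don't hand it to wscript.exe.
; (VBSFile is the ProgID that HKEY_CLASSES_ROOT\.vbs points to by default.)
[HKEY_CLASSES_ROOT\VBSFile\shell\open\command]
@="notepad.exe \"%1\""
```

Remember the limits of this: the shell verb only governs what Explorer does on a double-click. Anything that already has code running on the machine can call the registry API directly or use "regedit /s", and wscript.exe can still be invoked by name, so this protects against accidents and click-through, not against a program that is already running.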

REMOVE THE OS/2 and POSIX SUBSYSTEMS

The POSIX subsystem is there mainly because US government procurement rules required it; the OS/2 subsystem exists to run old 16-bit OS/2 1.x character-mode programs. Not many people really have a use for either (and if you do, you should know). There are no known security problems with having these installed, but as with anything running on your computer, if you don't need it, it is better not to have it around in case a future exploit is found. This will clear up a little bit of system resources too.

Start -> Run -> Regedt32 (NOT regedit) -> go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Session Manager\SubSystems key -> delete the Posix and OS2 values completely (do not just clear the data, or you might not be able to boot!).

CHANGE SYSTEM FAILURE SETTINGS

When Windows 2000 has a system crash, it automatically does a number of things, including writing a "dump file" of memory and, by default, rebooting the computer. The dump file can give someone trying to break into your system valuable information: a memory dump contains whatever was in memory at the time, including password material and other secrets. Automatic reboot means a crashed machine quietly comes back up on its own, so someone who can crash it gets an unattended reboot (and a chance to run a boot trojan or attempt to break into the Administrator account) with nobody noticing. Both should be disabled.

Start -> Settings -> Control Panel -> System Properties -> Advanced -> Startup and Recovery -> change the option for "Write Debugging Information" to "None" and clear the box labelled "Automatically reboot". You can re-enable the debugging information later if you really need the dump files (to send to MS usually, as most people can't read them).

DISABLE DCOM

DCOM stands for "Distributed Component Object Model". The MS definition of DCOM is "an object protocol that enables ActiveX components to communicate directly with each other across a network." In other words, DCOM lets a program on one computer start and drive COM components on another, usually across a corporate network. Home users don't usually need to have DCOM active, but some programs require it (such as Windows Media Encoder and some "live update" type programs). With DCOM enabled, other machines can ask your computer to launch and use components on it; what they are actually allowed to do depends on the launch and access permissions set in dcomcnfg, which is a lot to keep track of for a machine that never needs the feature. More information about DCOM can be found here: http://accs-net.com/smallfish/dcom.htm

First, let's see what components on your computer support DCOM (remember "support" is different from "require").

Start -> Run -> (type in) %SystemRoot%\system32\dcomcnfg.exe and look in the "Applications" tab. Many programs "support" DCOM but will hardly ever (if ever) actually use it. This includes programs such as Windows Media Player and WordPad, which were certainly not designed to be used across a network. What you are really looking for are third-party apps that might actually REQUIRE network support, as opposed to those that simply SUPPORT it. To really see whether they REQUIRE DCOM, we need to disable it, run the listed programs, and see what happens. Note that we are only looking at third-party (non-MS) programs here; Microsoft programs designed to run on a non-networked standalone computer (Office, etc.) are generally written to support but not require DCOM.

To disable DCOM, go to the "Default Properties" tab, and UNcheck the box labelled "Enable Distributed COM on this computer".

Reboot, and try running the third-party programs that were listed. Chances are everything will run correctly. If not, you need to go back and enable it :-( If you DO enable it, go back into dcomcnfg.exe, go to the "Default Protocols" tab, and remove all protocols except for "Connection-oriented TCP/IP." This won't make your system much safer, but it will cut down the number of connection methods you have to keep your eyes on. Either way, note that TCP port 135 stays open: the RPC endpoint mapper listens there regardless of the DCOM setting, so your firewall still needs to block it from the internet.
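The two dcomcnfg.exe settings above are just registry values, so here they are as a .reg file you can merge (or keep around to undo the change). This is an added example, not from the original post; the key names are the ones dcomcnfg writes on Windows 2000, and the protocol list is encoded the way regedit itself exports a REG_MULTI_SZ value. Reboot after merging, and set "EnableDCOM" back to "Y" if a program turns out to need it.

```reg
Windows Registry Editor Version 5.00

; Added example, not from the original post. Equivalent to unchecking
; "Enable Distributed COM on this computer" and trimming the Default
; Protocols tab down to "Connection-oriented TCP/IP" in dcomcnfg.exe.

; "Y" re-enables DCOM.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="N"

; REG_MULTI_SZ, written as hex(7): UTF-16LE "ncacn_ip_tcp", then a NUL
; to end the string and a second NUL to end the list.
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Rpc]
"DCOM Protocols"=hex(7):6e,00,63,00,61,00,63,00,6e,00,5f,00,69,00,70,00,\
  5f,00,74,00,63,00,70,00,00,00,00,00
```

Disabling DCOM does not close TCP 135; the RPC endpoint mapper still listens there, so keep that port blocked at the firewall.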

HARDEN TCP/IP STACK

Windows 2000 is designed to be run on a network, and in the best case behind a dedicated firewall. However, most of you reading this probably have Win2k Professional directly connected to the internet, a situation that is pretty rare (or should be) in corporate environments. While the default TCP/IP stack (the part that talks to the internet) is somewhat secure, it is not really tuned for a machine sitting directly on the internet. Any computer directly connected to the internet can be subject to certain attacks, for example being flooded with fake connection requests (a SYN flood) that your computer will dutifully try to answer, slowing it down and potentially crashing it. You can change your TCP/IP defaults to somewhat resist these attacks. If you are interested, the following paper by Microsoft describes how:

http://www.microsoft.com/technet/security/dosrv.asp?a=printable

Note that while hardening the stack might protect your computer from crashing (especially if you have a slow one), it won't stop attackers from filling up your bandwidth and effectively shutting off your connection to the internet.
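For those who want to see what the paper actually changes, here are its settings as a single .reg file. This is an added example, not part of the original post: the value names and numbers are the ones Microsoft gives in its Windows 2000 TCP/IP hardening guidance for a workstation, but treat them as my transcription and check each against the paper linked above before merging. They live under the Tcpip and Netbt service parameters and take effect after a reboot.

```reg
Windows Registry Editor Version 5.00

; Added example, not from the original post. Values follow Microsoft's
; Windows 2000 guidance for hardening TCP/IP against denial of service;
; verify each against the paper before merging, then reboot.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
; 2 = SYN flood protection, with the most aggressive backlog handling
"SynAttackProtect"=dword:00000002
; half-open connection counts at which SynAttackProtect engages (100 / 80)
"TcpMaxHalfOpen"=dword:00000064
"TcpMaxHalfOpenRetried"=dword:00000050
; fewer SYN-ACK and data retransmissions: stale half-open entries die sooner
"TcpMaxConnectResponseRetransmissions"=dword:00000002
"TcpMaxDataRetransmissions"=dword:00000003
"TcpMaxPortsExhausted"=dword:00000005
; 2 = drop all source-routed packets
"DisableIPSourceRouting"=dword:00000002
; don't let forged ICMP redirects or router advertisements rewrite routing
"EnableICMPRedirect"=dword:00000000
"PerformRouterDiscovery"=dword:00000000
; don't switch gateways just because a burst of packets was lost
"EnableDeadGWDetect"=dword:00000000
; TCP keepalives every 5 minutes (300000 ms) instead of every 2 hours
"KeepAliveTime"=dword:000493e0
; path MTU discovery off: a fixed 576-byte MTU to non-local hosts
; (resists forged ICMP "fragmentation needed" but can cost throughput)
"EnablePMTUDiscovery"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters]
; ignore NetBIOS name-release requests (name-conflict denial of service)
"NoNameReleaseOnDemand"=dword:00000001
```

The one setting people regret is EnablePMTUDiscovery=0, which caps packets to remote hosts at 576 bytes; if your downloads get noticeably slower afterwards, that is the value to put back to 1.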

ENABLE TCP/IP FILTERING

I'll add this in for completeness' sake, but enabling TCP/IP filtering is often a pain if you don't know what you are doing (and even when you do). Basically, you are instructing Windows to let some connections in based on what ports they are accessing, and to deny the rest. (Outgoing connections are not affected; neither are incoming TCP packets that belong to a connection you have already established, since the TCP filter only looks at new connection requests.) This is part of what a firewall does, and what the free firewalls mentioned above already do. This is just another layer of protection (in case, for example, a malicious program shuts down your primary firewall). The problem here is that if you don't know what ports are necessary, your computer might stop responding. For example, if you filter out TCP port 80 on a machine running a web server, nobody will be able to reach its web pages (HTTP).

Filtering is usually best when the computer is used for a specific purpose and you know it will only access certain ports (i.e. web or ftp server), and is much harder to accomplish when the computer is used for a variety of purposes (i.e. a general-purpose home computer) as the number and types of ports you need to access are much more numerous and varied. If you do want to play around with this, go to:

Start -> Settings -> Control Panel -> Network and Dial-up Connections

You need to go into all the connections listed here ("Local Area Connection" if you use DSL/Cable for example), then hit "Properties", double-click "Internet Protocol (TCP/IP)" -> Advanced -> Options, double-click "TCP/IP Filtering".

To enable filtering, tick the "Enable TCP/IP Filtering (all adapters)" box. By default, "Permit All" is selected for each of TCP ports, UDP ports and IP protocols. To filter, select "Permit Only" and add the ports you need. Note that only the TCP filter is connection-aware; UDP filtering is stateless, so a short UDP "Permit Only" list will also drop replies (DNS answers, for example) to requests your own machine sent. Leave UDP at "Permit All" unless you understand that.

Ports used by MS services (if you are using a network) are described in part here: http://support.microsoft.com/support/kb/articles/q150/5/43.asp

Third-party applications could use different ports, which you might need to find out. A partial list is at:

http://www.iana.org/assignments/port-numbers

TESTING

It is a good idea to probe your ports when you are done setting up your system, to make sure you didn't miss anything (such as misconfiguring your firewall). You can do this at: http://www.sdesign.com/securitytest/index.html and also at http://www.hackerwhacker.com:4000/

Another good site full of useful tests is at: http://www.staff.uiuc.edu/~ehowes/info17.htm
 

imported_Phil

Diamond Member
Feb 10, 2001
9,837
0
0
Whoah, are you like the official Windows 2000 guru or something?
I'm going to save this one and print it out for when I mess up my 'box again, thanks!! :)
Dopefiend
 

Cambrian

Junior Member
Jan 25, 2000
10
0
0
Wow, thanks for the tips. You really are well versed in win 2k. May be there is some truth to your name (waytoomuchcoffee) if you can type this much in a forum.
:)
 

TungFree

Golden Member
Jan 7, 2001
1,619
0
0
Seeing you know so much, I have a question or more to ask:

I formatted several partitions, 2 in NTFS and 3 in FAT32, but at the time I did not notice Partition Magic has a right-click feature for selecting the 4k clusters which I need in both NTFS and FAT32; I read it becomes 5X faster that way.

I backed up with Norton Ghost my present installations of both win98 (non 4k clusters) and win2k ASP (non 4k clusters).
Can I change the clusters without a reformat, and not lose my stuff? If I reformat to 4k clusters and restore the Norton Ghost backup image, will it revert the present non 4k clusters?
I know I could test it but so much sweeter if it was done before.

I need 4k clusters in both FAT32 and NTFS partitions.

 

waytoomuchcoffee

Senior member
Sep 30, 2000
433
11
76
Sorry, I don't really know the answer to your question. I have never tried it. I heard in NT you could make a backup of a partition, reformat the partition to change the cluster size, and then put it back. I also heard it doesn't work in 2k.

I have used Ghost to move partitions, but I have never tried moving to a differently formatted partition. Sounds like it could work though -- I wonder if any Ghost gurus are around ;) Sounds like something that should be in the Ghost documentation somewhere.
 

d33pt

Diamond Member
Jan 12, 2001
5,654
1
81
how does changing your cluster size to 4k make it faster? there are WAY more clusters to look thru so it would be slower...
 

TungFree

Golden Member
Jan 7, 2001
1,619
0
0
Reply: it was tested to be so.
Let me see now, 512 goes 8 times into 4k and 1k goes 4 times into 4k, so it looks like 4k is fewer than 512 or 1k.

Let me count again, one two three four...
All together now LOL
 

TungFree

Golden Member
Jan 7, 2001
1,619
0
0
I will need to check the Ghost docs to see. I did notice that my win98 somehow defaulted to 4k clusters!!! Lucky for me. So when I restored Ghost's image to it to correct some screw-up I did that was unfixable, it reverted of course to 4k clusters (no way of telling from that try -- LOL)
I must say Norton Ghost ROCKS!!! Speed-wise it is a demon...
 

TungFree

Golden Member
Jan 7, 2001
1,619
0
0
I read in the docs that you can change the cluster size of FAT32 in Partition Magic, but the NTFS partition's advanced option of cluster adjustments is ghosted!!

And from what I read, it says the only way to change clusters in an NTFS partition is during format, as an added option to the command.

That is therefore making it known that you must set the NTFS cluster option at the formatting stage.
It goes on to say that when you install Windows 2000 you begin with a FAT partition and later in the installation it is converted to an NTFS partition... so it further confuses me DAMN DAMN...

Someone said here on the forums that he set up his system without a dual boot (without either OS being in any way connected with the other) and therefore no shared programs, and he found after many installations it is the only way to go. Maybe his way the installation can be more controlled and each one done with a floppy disk installation. I just want to end up with a 4k cluster in my NTFS partitions. The FAT partitions I understand.
I hoped to find someone who has already solved the NTFS 4k cluster or to be pointed to some minimal reading to discover it.

Example:
Say I reformat my win2k Advanced Server Pro partition and format it into 4k clusters. Will the new win2k installation revert it to FAT and back to NTFS clusters of its choosing? Or if I restore onto the 4k clustered NTFS partition the Ghost image I saved of the NTFS partition win2k ASP, will it not reverse it to the 512-byte NTFS cluster it presently defaulted to by the installation? And kill my 4k NTFS cluster?!@#$%$#@! *pulling my hair out LOL through tears *
 

tasslex

Senior member
Jun 1, 2001
342
0
0
Ok, this one has been boggling me for a while, and since people in this thread seem to know Ghost and Win2K, I have a question.

I have upgraded my HDDs to Dynamic Disks, I have a 10GB C: (1st Drive, 1st Partition), a 24GB D: that is a stripe of the next 12GB on Drive 1 and all of Drive 2, and then I have an E: that is the last 8GB of Drive 1. The non striped volumes are all Simple Volumes. I made a .gho of C: after running Sysprep (which works great BTW), and when I tried to restore it to the same machine Norton Ghost wouldn't let me overwrite Partition 1 (My C:). It recognized that they were dynamic disks, but unless I missed a step somewhere, am I right in that Ghost cannot handle writing to Dynamic Disks?

Did that all make sense? I'm just looking for more information on using Ghost with NTFS partitions, and with Dynamic Disks. Thanks much!