Windows 2000 security

[Runes911]

Ok heres the story, I am about to colocate a box I have and want to know what else I need to do to keep it secure. I am running windows 2000 with service pack 3, fresh install I put norton antivirus on it. I will use it as a file/game server. Anyone know of anything else I should do? Do I need firewall software on it? I am new to colocation is there anything else I should know? Also I am running Remote Administrator so I can control it remotely. RA website Forgive me if this should be in the software group instead of OS.

 

[NogginBoink]

Start with basic measures:

-change the Administrator's username
-disable the Guest account
-choose a strong password for your renamed administrator account
-disable any services you don't need
-visit Windows Update and apply the latest fixes
-uninstall anything not needed on the machine

Cover the basics before you get into the more detailed stuff.

Securing any machine is not an easy task, and the price you have to pay is eternal vigilance. But your best bet is to shut everything off that you don't need. If you're running IIS, edit your site properties to be as restrictive as possible. Etc.

 

[DAM]

sp3? wtf? wth did that come from? hmm, i would say your first mistake was installing sp3 (specially since it's not official)



dam()

 

[NogginBoink]

I agree with DAM.

Why anyone would install beta/prerelease software on a production box is beyond me.

 

[bignick]

read up on securing windows 2000 -

Center for Internet Security
NSA securing Windows 2000


i would also look into implementing IPSec for your remote admin connection, and filesharing. Of course this requires that all those connecting for filesharing have IPsec. Win2k and XP have IPSec by default. You can download a free IPsec client from SSH.com

 

[Poontos]

Originally posted by: Runes911
Ok heres the story, I am about to colocate a box I have and want to know what else I need to do to keep it secure. I am running windows 2000 with service pack 3, fresh install I put norton antivirus on it. I will use it as a file/game server. Anyone know of anything else I should do? Do I need firewall software on it? I am new to colocation is there anything else I should know? Also I am running Remote Administrator so I can control it remotely. RA website Forgive me if this should be in the software group instead of OS.

Here is a decent start. http://www.labmice.net/articles/securingwin2000.htm

Much more to just checklists and white papers though. Keep on reading, lots of good stuff out there.

 

[Runes911]

I got the install from a friend and SP 3 was part of it (was not optional) so I figured it was the official.....

Start with basic measures:

1. change the Administrator's username
2. disable the Guest account
3. choose a strong password for your renamed administrator account
4. disable any services you don't need
5. visit Windows Update and apply the latest fixes
6. uninstall anything not needed on the machine

Cover the basics before you get into the more detailed stuff.

Securing any machine is not an easy task, and the price you have to pay is eternal vigilance. But your best bet is to shut everything off that you don't need. If you're running IIS, edit your site properties to be as restrictive as possible. Etc.

1. How? I use an account that is an admin as my primary login and I set win200 to assume that user is always logged in
2. Did that
3. yep
4. Which services wouldnt I need?
6. It was a clean install nothing on it but essentials

I have a website so I wont be running IIS

i would also look into implementing IPSec for your remote admin connection, and filesharing. Of course this requires that all those connecting for filesharing have IPsec. Win2k and XP have IPSec by default. You can download a free IPsec client from SSH.com

Im not sure what you mean...Radmin can transfer files, control the pc w/screen view, and telenet. All transmissions are 128 encrypted.

 

[StattlichPassat]

Originally posted by: DAM
sp3? wtf? wth did that come from? hmm, i would say your first mistake was installing sp3 (specially since it's not official)

dam()

I've been running an SP3 beta for 3 months now and Windows2000 has never been more stable. It rocks. Official release is due from Microsoft in 2 weeks.

 

[Woodie]

1. How? I use an account that is an admin as my primary login and I set win200 to assume that user is always logged in

Buzztt. Wrong answer.
This is a server, there should be NOONE logged in except when doing admin things. IIS runs as a service, and the service should be configured to run with the least permissions necessary to serve up the site.

2. Stuff you shouldn't need:
IIS Sample site/pages/asps/manuals/reference docs and SDK
Any resource kits or additional admin tools
DNS services
Universal plug & play
Terminal Services (unless you're using it)
WINS
DHCP server
ftp server
compter browser
DFS
Distributed Link Tracking
License Logging
Messenger
Microsoft Search
Print Spooler
Remote Registry Service <-- Depends on how your remote access works
SNMP
Task Scheduler
TCP/IP Netbios helper
Telphony
Telnet
...

 

[Runes911]

Ok I created a user account and will use that for the server things as for as IIS thats for web servers correct? I'm not gonna run a webserver on this machine so can/should I disable IIS? So the only things I will be running is HLDS (halflife server), an FTP program to let it act as an FTP server, and maby a Q3, UT '03 (when its out), or NWN dedicated server.

BTW thanks everyone for the input!

 

[n0cmonkey]

Originally posted by: Runes911
Ok I created a user account and will use that for the server things as for as IIS thats for web servers correct? I'm not gonna run a webserver on this machine so can/should I disable IIS? So the only things I will be running is HLDS (halflife server), an FTP program to let it act as an FTP server, and maby a Q3, UT '03 (when its out), or NWN dedicated server.

BTW thanks everyone for the input!

Uninstall IIS.

 

[Poontos]

Originally posted by: n0cmonkey

Originally posted by: Runes911
Ok I created a user account and will use that for the server things as for as IIS thats for web servers correct? I'm not gonna run a webserver on this machine so can/should I disable IIS? So the only things I will be running is HLDS (halflife server), an FTP program to let it act as an FTP server, and maby a Q3, UT '03 (when its out), or NWN dedicated server.

BTW thanks everyone for the input!

Uninstall IIS.

Call me selfish, call me a prick, but in this case, I would recommend uninstalling IIS until you have an advanced understanding of how IIS needs to be securely setup. Reference a dozen white papers, checklists, etc. and follow through with them and test your web applications until your security is so tight, they are busted, then you step back a bit and possibly turn on full auditing on the drive until you track down the problem.

Enjoy!

 

[n0cmonkey]

Originally posted by: Poontos

Originally posted by: n0cmonkey

Originally posted by: Runes911
Ok I created a user account and will use that for the server things as for as IIS thats for web servers correct? I'm not gonna run a webserver on this machine so can/should I disable IIS? So the only things I will be running is HLDS (halflife server), an FTP program to let it act as an FTP server, and maby a Q3, UT '03 (when its out), or NWN dedicated server.

BTW thanks everyone for the input!

Uninstall IIS.

Call me selfish, call me a prick, but in this case, I would recommend uninstalling IIS until you have an advanced understanding of how IIS needs to be securely setup. Reference a dozen white papers, checklists, etc. and follow through with them and test your web applications until your security is so tight, they are busted, then you step back a bit and possibly turn on full auditing on the drive until you track down the problem.

Enjoy!

He still doesnt need IIS, so he can uninstall it no matter what his level of understanding is.

 

[Poontos]

Originally posted by: n0cmonkey

Originally posted by: Poontos

Originally posted by: n0cmonkey

Originally posted by: Runes911
Ok I created a user account and will use that for the server things as for as IIS thats for web servers correct? I'm not gonna run a webserver on this machine so can/should I disable IIS? So the only things I will be running is HLDS (halflife server), an FTP program to let it act as an FTP server, and maby a Q3, UT '03 (when its out), or NWN dedicated server.

BTW thanks everyone for the input!

Uninstall IIS.

Call me selfish, call me a prick, but in this case, I would recommend uninstalling IIS until you have an advanced understanding of how IIS needs to be securely setup. Reference a dozen white papers, checklists, etc. and follow through with them and test your web applications until your security is so tight, they are busted, then you step back a bit and possibly turn on full auditing on the drive until you track down the problem.

Enjoy!

He still doesnt need IIS, so he can uninstall it no matter what his level of understanding is.

Just in case he wanted to and it was not behind a firewall/NAT box.