Ok guys and gals, this is my first attempt at a tutorial. Most of this I have slapped together just through experience; however, the services came mostly from an external source (and are referenced). I have not touched on a few topics and have mentioned these in the errata at the end of the article (and I do plan on touching on these in a later tut). This is a work in progress, so if you have suggestions or input, or just disagree entirely, please pass them on so that we can all learn. Also note, the original document used tables, which don't translate well. The attached file is a zip containing a pure HTML file with a formatted version of this doc, without some corrections that are contained here.


Hardening Windows 2000
By Nebulus, September 10, 2002


Introduction

This checklist is geared around hardening a machine that sits outside of a firewall or
any other protective filtering device. Many services and features are disabled in this
configuration that a normal user may or may not want to disable, depending on their
setup; I have tried to indicate these where applicable. A good example of something
this setup does that a user may not want is disabling NetBIOS entirely. As with any
tweaking of your system, it would be wise to make backups before you proceed, to
attempt only a few things at once and then verify that your system still functions
normally, and to think about the explanations before proceeding. These changes are
largely my opinions, a reflection of experience and patience playing around with these
settings, and I therefore make no guarantees that your system will function normally
after making them. I also make no guarantees that performing these tweaks will make
your system invulnerable to compromise, only that it will make compromise
significantly harder (after all, we are talking about Windows here...).

Patches, patches, patches, and more patches


At the time this article was prepared, Windows averaged at least one new
vulnerability a week. Even a well-configured box will still have problems if known
bugs and issues are not corrected, so with that in mind, remember:
http://windowsupdate.microsoft.com/ is your friend. Everything from the latest
security patches to service packs is available there (assuming you don't mind M$
checking for you). It is essential that you stay on top of the latest available
patches and antivirus signatures.

* Install/Upgrade to IE6 **Note
* Apply Latest Service Pack (SP3)
* Check for latest hot fixes
* Check Windows Update often
* Install a personal firewall
* Install a modern AV package with heuristic scanning capability and
up-to-date signatures

**: At this time, IE6 is the latest Microsoft browser. Please keep in mind that there are several
things you can do to secure your web browser and make surfing the web a little less
dangerous; however, this is a topic not covered by this tutorial. Yes, I know there are other
browsers out there (Netscape and Opera come to mind), but IE is required by Microsoft sites (how
clever...)

Can't overflow services that aren't running...


The most common type of attack at the time of this writing revolves around buffer
overflows. The attack usually works by targeting a specific program on the victim
machine that doesn't do proper bounds checking on the input it accepts (thus
overflowing the buffer that stores that input). A buffer overflow can be exploited
either locally (think of a logged-on user trying to escalate privilege) or remotely
(think of an attacker going after, say, telnet over the Internet). Before a remote
attacker can successfully break into a system, they must first find a service that
is vulnerable. While there is nothing the common user can really do to fight poorly
written code (think M$ and IIS), a remote attacker cannot take advantage of a
service if it is not running.

In that light, we are going to focus on disabling as many services as possible while
still having a functioning box. The list of services here is split into two categories:
one is the hardened setup needed for a machine outside of a firewall, the other is for
what might be considered a normal-use box. I am going to be very brief in the
descriptions here, mainly because blkviper has done such a good job with his page (see
references). I recommend disabling only one service at a time if you are not sure, so
that if something breaks you will know which service caused the problem. Also note that
your list of services may differ somewhat from what you see here, depending on what
software you have installed, what version of Windows 2000 you are running, what vendor
supplied your computer, and what service packs have been installed.


Control Panel -> Administrative Tools -> Services

<EDITORIAL NOTE> Please see attached file, the cut and paste butchered this... /nebulus


Local Security Policies

Remember, if you log onto a domain, all bets are off, because domain policies take
precedence. Also, these recommendations are my personal opinions; your employer, ISP,
university, or whoever may require different settings, so please see your Terms and
Conditions of Use policy. Note that most of this is self-explanatory and is not
commented; however, there are a few settings that may affect your ability to use
NetBIOS which, unlike in other sections, I have not flagged (be careful and thoughtful).

Control Panel -> Administrative Tools -> Local Security Policy ->

Account Policies -> Password Policies

* Enforce Password History (at least 3)
Prevents users from using same password when prompted to change
* Maximum Password Age (180 days)
Sets the number of days until a password must change
* Minimum Password Age (0 days)
Sets the number of days after changing a password that must pass before it can be
changed again
* Minimum Password Length (7)
* Passwords must meet complexity requirements (Enabled)
Has to do with your password complexity (mix of uppercase/lowercase/numeric/symbols)
* Store Password using reversible encryption for all users on domain (Disabled)
Not sure of the implications...

Account Lockout Policy

* Account Lockout Duration (30 min)
How long the account remains locked after x failed logon attempts
* Account Lockout Threshold (3)
Number of failed logon attempts before a user is locked out
* Reset Account Lockout... (at least 30 min)
Resets the failed-logon counter after the elapsed time period

Local Policies -> Audit Policy


* Audit Account Logon Events (success, failure)
* Audit Account Management (success, failure)
* Audit Directory Service Access (failure)
* Audit Logon Events (failure)
* Audit Object Access (failure)
* Audit Policy Change (success, failure)
* Audit Privilege Use (failure)
* Audit Process Tracking (failure)
* Audit System Events (failure)

User Rights Assignment

* Access this computer from network (none)
* Act as part of the OS (none)
* Add workstations to domain (none)
* Backup files and directories (Admin)
* Bypass traverse checking??? (everyone)
* Change the system time (admin)
* Create a pagefile (admin)
* Create a token object (none)
* Create permanent shared objects (none)
* Debug Programs (admin)
* Deny access to this computer over network (guest, guests)
* Deny logon as batch job (none)
* Deny logon as service (none)
* Deny logon locally (guest, guests)
* Enable computer and user accounts...(none)
* Force shutdown from remote system (none)
* Generate Security Audits (none)
* Increase quotas (admin)
* Increase scheduling Priority (admin)
* Load and Unload Device Drivers (admin)
* Lock pages in memory (none)
* Logon as batch job (none)
* Logon as service (none)
* Logon locally (Administrators, users)
* Manage Auditing and Security Log (admin)
* Modify firmware environment values (admin)
* Profile Single Process (admin)
* Profile System Performance (admin)
* Remove computer from docking station (users,admin)
* Replace process level token (none)
* Restore files and directories (admin)
* Shutdown the system (admin)
* Synchronize directory service data (none)
* Take Ownership of other Objects (none)

Security Options

* Additional restrictions for anonymous (no access without explicit permission)
* Allow server operators to schedule tasks (disabled)
* Allow system to be shutdown without having to logon (disabled)
* Allowed to eject removable NTFS media (admin)
* Amount of idle time required before ... (15 min)
* Audit the access of global system objects (disabled)
* Audit use of Backup and Restore Privileges (enabled)
* Automatically log off users when logon time expires (enabled)
* Clear virtual memory pagefile when system...(disabled)
* Digitally sign client communication (always)...(disabled)
* Digitally sign client communication (when possible)...(enabled)
* Digitally sign server communication (always)...(disabled)
* Digitally sign server communication (when possible)...(enabled)
* Disable CTRL+ALT+DEL requirement for logon (disabled)
* Do not display last user name in logon (disabled)
* LAN Manager Authentication Level (Send LM & NTLM)
* Message Text for Users Attempting to Logon ( A legal use message would be good here)
* Message title for Users Attempting to Logon (Logon Banner)
* Number of Previous Logons to cache (0)
* Prevent system maintenance of computer...(disabled)
* Prevent users from installing printer drivers (enabled)
* Prompt user to change password before ... (14 days)
* Recovery Console: Allow automatic adm...(disabled)
* Recovery Console: Allow floppy copy and...(disabled)
* Rename administrator account (new admin name)
* Rename guest account (new guest name)
* Restrict CD-ROM access to locally logged...(enabled)
* Restrict floppy access to locally logged...(enabled)
* Secure Channel: Digitally encrypt or sign...(disabled)
* Secure Channel: Digitally encrypt or secure...(enabled)
* Secure Channel: Digitally encrypt or secure channel...(enabled)
* Secure Channel: Require strong (windows ... (enabled)
* Smart card removal behaviour (no action)
* Strengthen default permissions of global...(enabled)
* Unsigned driver installation behaviour (not defined)
* Unsigned non-driver installation behaviour (not defined)
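Most of the Account Policies, Audit Policy and Security Options settings above can be
exported from a Windows 2000 box with `secedit /export /cfg <file>`, which writes an
INI-style file with [System Access], [Event Audit] and [Registry Values] sections. The
script below is an added example (my own, not part of the original tutorial or any
Microsoft tool) that parses such an export and reports which of the checklist values
above are not met. The embedded SAMPLE_EXPORT is a constructed fragment, not a real
dump, and it deliberately misses the checklist in four places; the key names and the
audit bit values (1 = success, 2 = failure) follow the secedit template format, and the
expected values are taken from the checklist as written, including the settings it
leaves disabled.

```python
"""Compare a secedit export against the hardening checklist above."""
import sys
from collections import defaultdict

# Constructed sample (not a real export): four values intentionally fail the checklist.
SAMPLE_EXPORT = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 180
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 3
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Event Audit]
AuditSystemEvents = 2
AuditLogonEvents = 2
AuditObjectAccess = 2
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 2
AuditDSAccess = 2
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\CachedLogonsCount=1,"0"
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
"""

SUCCESS, FAILURE = 1, 2  # bit flags used by secedit for audit categories


def parse_inf(text):
    """Parse the INI-style export into {section: {key: raw_value}}."""
    sections = defaultdict(dict)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            sections[current][key.strip()] = value.strip()
    return sections


def reg_value(raw):
    """Decode a [Registry Values] entry: '4,2' -> 2 (REG_DWORD), '1,"0"' -> '0' (REG_SZ)."""
    kind, data = raw.split(",", 1)
    data = data.strip().strip('"')
    return int(data) if kind.strip() == "4" else data


def audits(required):
    """Predicate: all required audit bits (SUCCESS/FAILURE) are set."""
    return lambda v: (v & required) == required


LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
WINLOGON = r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon"
POLSYS = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# (section, key, description, predicate) -- values mirror the checklist above
CHECKS = [
    ("System Access", "PasswordHistorySize", "Enforce password history >= 3", lambda v: v >= 3),
    ("System Access", "MaximumPasswordAge", "Maximum password age 1..180 days", lambda v: 0 < v <= 180),
    ("System Access", "MinimumPasswordAge", "Minimum password age 0 days", lambda v: v == 0),
    ("System Access", "MinimumPasswordLength", "Minimum password length >= 7", lambda v: v >= 7),
    ("System Access", "PasswordComplexity", "Complexity requirements enabled", lambda v: v == 1),
    ("System Access", "ClearTextPassword", "Reversible encryption disabled", lambda v: v == 0),
    ("System Access", "LockoutDuration", "Lockout duration >= 30 min", lambda v: v == -1 or v >= 30),
    ("System Access", "LockoutBadCount", "Lockout threshold <= 3 attempts", lambda v: 0 < v <= 3),
    ("System Access", "ResetLockoutCount", "Reset lockout counter >= 30 min", lambda v: v >= 30),
    ("Event Audit", "AuditAccountLogon", "Account logon: success+failure", audits(SUCCESS | FAILURE)),
    ("Event Audit", "AuditAccountManage", "Account management: success+failure", audits(SUCCESS | FAILURE)),
    ("Event Audit", "AuditDSAccess", "Directory service access: failure", audits(FAILURE)),
    ("Event Audit", "AuditLogonEvents", "Logon events: failure", audits(FAILURE)),
    ("Event Audit", "AuditObjectAccess", "Object access: failure", audits(FAILURE)),
    ("Event Audit", "AuditPolicyChange", "Policy change: success+failure", audits(SUCCESS | FAILURE)),
    ("Event Audit", "AuditPrivilegeUse", "Privilege use: failure", audits(FAILURE)),
    ("Event Audit", "AuditProcessTracking", "Process tracking: failure", audits(FAILURE)),
    ("Event Audit", "AuditSystemEvents", "System events: failure", audits(FAILURE)),
    ("Registry Values", LSA + r"\RestrictAnonymous", "Anonymous: no access without explicit permission", lambda v: v == 2),
    ("Registry Values", WINLOGON + r"\CachedLogonsCount", "Previous logons to cache = 0", lambda v: v == "0"),
    ("Registry Values", POLSYS + r"\DontDisplayLastUserName", "'Do not display last user name' left disabled", lambda v: v == 0),
]


def audit(text):
    """Return [(description, passed, found_value)] for every check."""
    sections = parse_inf(text)
    results = []
    for section, key, desc, ok in CHECKS:
        raw = sections.get(section, {}).get(key)
        if raw is None:
            results.append((desc, False, "missing"))
            continue
        value = reg_value(raw) if section == "Registry Values" else int(raw)
        results.append((desc, bool(ok(value)), value))
    return results


def failures(text):
    """Only the checks that did not meet the checklist, as (description, found_value)."""
    return [(desc, found) for desc, passed, found in audit(text) if not passed]


if __name__ == "__main__":
    # Real exports are UTF-16; with no argument the constructed sample is audited.
    text = open(sys.argv[1], encoding="utf-16").read() if len(sys.argv) > 1 else SAMPLE_EXPORT
    for desc, passed, found in audit(text):
        print(f"{'PASS' if passed else 'FAIL'}  {desc}  (found: {found})")
```

Run it as `python check_secedit.py export.inf` against a file produced by `secedit /export`; any FAIL line names the checklist item and the value the box actually has, which is a quicker way to re-verify a box after a service pack than clicking through every policy node again.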

Miscellaneous Settings

Note: You must have Netbios on to use the baseline security analyzer...

* Use NTFS file system (TODO: File PERMS)
* Download and install MBSA from Microsoft (Microsoft Baseline Security Analyzer)

Network Settings

* Disable all protocols EXCEPT TCP/IP
* Disable Netbios over TCP/IP
* Uncheck Register this connection's address in DNS
* Enter DNS Suffix for connection (not if you are using dialup)
* Ensure IP Forwarding is off

References/Sources:

* BLK Viper Win2k Services Page

Provides a complete list of services, what the services are, what they do, and
whether or not it is safe to turn off (my list differs somewhat due to experience,
differences in setup, and programs we use)


Errata:
* Still need a section on File Permissions (I have been hesitant to mess
with this other than restricting down IIS directories)
* Still need a section on Internet Explorer Security (Many vulnerabilities
are possible through this)
* Still need to research registry hacks (have avoided so far)