Originally posted Chuckie's Site by akachuckie
This is my guide on securing a Windows 2000 computer.
Written by chuckie
2. Installing windows 2000 securely
2. Networking section
3. Creating the users and
A. Creating the users
B. A little about the user access levels
C. Securing rest of users
4. Changing folder access and securing your drives
5. Administrative Tools
A. Local Security Policy
1. Working with Account policies
2. Working with Local Policies Settings
B. Event Viewer
6. Registry Editing
A. How do you edit your registry?
B. Some Security Tweaks
7. Programs to disable
8. Working with default shares.
9. Other stuff
I have set it up as a single user, non-server computer. These tricks might not work on all computers. Some will say this is too extreme, but better safe than sorry. Be careful when doing anything to your computer. If you do not know what something will do, look it up on the internet first or ask a friend.
I assume you know a little about your computer. If you are brand new to computers, I would wait before trying any of this.
2: Installing Windows 2000 securely
When I start, I make sure there are no viruses on the drive. I use a program called clean1k. You can find these types of programs on the internet. It wipes all partitions on the drive. Usually you insert the disk into your A: drive and restart your computer. When your screen comes back on, your BIOS starts up.
You have to set your BIOS to boot from the A: drive, and you will have to hit a key to access the BIOS. It will usually tell you somewhere on that first screen. Some of the common ones are F5, F1-F3, and F10. If none of these work, I would search the internet for the key for your motherboard. Somewhere in the menus is a "boot menu". Make sure that the A: drive and a CD drive are selected. Save and exit. Do not put your install CD in yet. When it comes back up, follow the instructions on screen. Then I would restart to save it to the MBR. Next, put in your bootable floppy, and when it gets to the A: prompt, type "fdisk". Answer yes to any questions. Hit "1" then "1". Partition the whole drive. Hit Esc and restart the computer. When the A: prompt comes up, type "format c:". After this finishes, shut down your computer.
Put your install CD into your drive and take out the boot disk. Start your computer and hit any key to boot from CD. Delete the partition that we created above; it was only there to make sure there is nothing left on the drive. When it asks you how much of the drive you want to format, I usually set it to about 75% of the drive so I can have a second partition for my swap file and any back-up stuff. The second partition should be at least 2 gigs. Install 2000 on your first partition. It will give you the option of NTFS or FAT. Choose to install on NTFS. It allows more security and advanced features, too many to list in this text file. Also, during the install, when it asks what directory to install Windows NT in, click on "other" and change the directory to something like C:\Mydrive. That will change the default directory from \winnt to \Mydrive. I will explain more later if it does not give you the option. This will prevent some hacker tools from running and will make it harder for hacker programs to find your programs.
For your computer name, make sure you use a unique name. When you put in the password for your administrator account, use numbers and letters together. Try not to use words, because they can be brute forced. Also, you might want to use Alt characters. You can find these by going to Start=>Programs=>Accessories=>System Tools=>Character Map. Click on the ones you want to use; at the bottom right corner is the code. Write it down. If nothing is shown there, that character will not work for this. To use one, hold down the "ALT" key, press the number sequence, then release "ALT". This makes your password VERY hard to brute force.
Uncheck "File and Printer Sharing". Do not do this if you plan to share stuff; you can reinstall it later if you want. Click on TCP/IP=>Properties. Under the DHCP tab, select "Advanced". Select the "WINS" tab and select "Disable NetBIOS over TCP/IP". Then click on the "Options" tab. Go to IP security=>Properties. Click on "Use this IP security policy" and change it to "Server (Request Security)". Then hit OK. "TCP/IP filtering" is fun to mess with, but be careful because you can cause some of your programs to not be able to connect to the internet. Only add the ports you will use (80, 8080, etc...). You can change these later by going to Start=>Settings=>Network and Dial-up Connections=>your network device. OK, now the workgroup name. Make sure it is unique and cannot be traced to you. For example, do not use your name, location, etc... Then it will restart and install all of the programs it needs. After it is done, it will ask you to remove your CD and restart. When it starts up again, make sure you disable booting from anything BUT your hard drive. When you restart, the "Network Identification Wizard" will come up. Make sure you select "Users must enter password". You do not want someone to be able to sit down in front of your computer and log on without a password.
3: Creating the users
Creating the users
OK, first off you need to create a user other than the default Administrator. I will call it user1 for this text. Create user1 by going to Start=>Settings=>Control Panel. Then click on Administrative Tools. Go to Computer Management=>Local Users and Groups and hit the +. Click on Users, and at the top under the Action menu select "New User". Create the user "user1" and put nothing under description, so if hackers are able to view the users they cannot figure out what the user has access to. Make sure the password is at least 8 characters long and uses numbers and letters. It is always best if you do not use words, as they can be brute forced. Click on the box next to "User must..." and then click "User cannot change password" (you can always change it with the Administrator account). After you are done, hit Create and close that window. Now click on the user that you just created and click on the "Member Of" tab. Hit Add, add Administrators to the list, then hit OK. Then hit Apply and OK. Now your new user is created and has Administrator access. You can repeat this for as many users as you want, but I would only create as many users as you absolutely need.
A little about the user access levels
Administrators: Administrators have complete and unrestricted access to the computer/domain. Can create, delete users; change the passwords on user accounts. Change ownership on folders/files.
Power Users: Power Users possess most administrative powers with some restrictions. Can create, delete users, and change the passwords on user accounts. Cannot edit the administrator account. Able to use the Administrative Tools. Can edit file/folder permissions.
Users: Users are prevented from making accidental or intentional system-wide changes. Cannot even view, edit, or change the Administrative Tools by default. Cannot edit file/folder permissions.
Guests: Guests have the same access as members of the Users group by default, except for the Guest account, which is further restricted. Cannot even view, edit, or change the Administrative Tools by default.
Securing rest of users
OK, now on the user account screen select the Administrator account by right clicking on the Administrator name and hitting "Rename". Change the name to something like user2, then hit Enter. After changing the name, double click on the name so that the properties come up. Delete everything in the full name and description boxes. Then hit Apply and OK. Now create a user with the name Administrator and the description "Built-in account for administering the computer/" and make it a member of "Guests". OK, now we do the Guest account. Rename it to user3. Delete everything in the full name and description boxes. Then hit Apply and OK. Also disable this account by double clicking on user3 and checking the boxes "Account is disabled" and "User cannot change password". If you want, you can create a fake guest account, but make sure you put "Built-in account for guest access to the computer/domain" in the description box. OK, you have now fixed your member access. What this does is make it harder for an attacker to figure out which account is the administrator. They will waste time brute forcing the wrong account. Make sure that only your user1 and the built-in administrator have Administrators as their group. Make sure you do not give too much access to your users. They will use it to mess things up.
4: Changing folder access and securing your drives
Changing folder access and securing your drives
Go to My Computer. Open your C: drive. Select all the folders in there BUT WINNT and the Program Files folder. If you change access on those, it may cause programs not to run. Right click on one of the selected folders, making sure the ones you want are still selected. Select Properties, then the Security tab. At the bottom, un-check the box that says "Allow inheritable..."; when the dialog pops up, select "Copy". Then select Everyone and hit Remove. Then hit "Add". The names with two heads are user groups and the ones with one head are users. Add the user you created, user1 (1 head), System (2 heads), and whatever you named your administrator account. That will only allow you, the administrator, and the system to access those folders. Don't add Administrators (2 heads), so that even if an attacker gets Administrator access they will have to change all the permissions. When you hit OK you will come back to the Security menu. You need to give all of these "Full Control". Then hit Apply and OK. If you add a program that writes to the root dir (C:), you need to add these permissions to it, unless you have it set up to inherit permissions from the parent folder. You can also change whole drive settings. We will call the drive E: for this example. Go to My Computer, right click on E:, and select the Security tab. Then add user1, System, whatever you named your administrator account, and any other accounts you want to access that drive. After you add all the accounts, you can adjust how much access you want them to have. After that, click on "Advanced" and check the box that says "Replace permission entries...". What that does is change the security settings on all folders under that drive. If you double click on any user/group on that screen, you can change more security options. You can do this to other folders, BUT be careful, it can mess up your system. Also, you will want to delete all files in C:\WINNT\repair\. These are the back-ups your system creates at install.
The files "SAM" and "Security" store your passwords. They can be decrypted to get the passwords, or used to replace the live files and reset your passwords back to what they were at install.
Always back up :)
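The permission change from section 4, done from the command line instead of the Security tab. This is an added example, not a script from the original guide; it uses the built-in cacls.exe, and the names user1 (your working account), user2 (whatever you renamed Administrator to), and the folder list are assumptions you should replace with your own.

```batch
@echo off
rem Added example, not from the original guide: replace the ACL on a set of
rem folders so that only user1, the renamed administrator and SYSTEM keep
rem access, exactly as section 4 does through the Security tab.
rem Assumed names: user1, user2 (renamed Administrator), and the folder list.
setlocal

set USER=user1
set ADMIN=user2

rem Constructed folder list. The guide says to leave WINNT and the Program
rem Files folder alone, because programs may stop working without their
rem default permissions.
for %%D in ("C:\Data" "C:\Backups") do (
    if exist %%D (
        echo Resetting permissions on %%D
        rem Without /E, cacls REPLACES the whole ACL with the grants listed
        rem here, which drops Everyone and the Administrators group in one go.
        rem /T recurses into subfolders, /C keeps going past access errors.
        rem cacls asks "Are you sure (Y/N)?", so the answer is piped in.
        echo y| cacls %%D /T /C /G %USER%:F %ADMIN%:F SYSTEM:F
    )
)

rem Whole-drive version for the second partition the guide calls E:.
rem /T here is the same thing as "Replace permission entries..." in the GUI.
if exist E:\nul (
    echo y| cacls E:\ /T /C /G %USER%:F %ADMIN%:F SYSTEM:F
)

rem Print one folder's ACL so the result can be checked by eye: only the
rem three accounts above should be listed, each with F.
cacls "C:\Data"
endlocal
```

Run it from an account that is in the grant list (user1 here); otherwise the account running the script loses access to the folders it just changed. Because /G without /E replaces the ACL outright, check the list printed at the end before pointing the script at anything else.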
5: Administrative Tools
OK, first off I have to warn you: BE CAREFUL. Go to Start=>Settings=>Control Panel=>Administrative Tools.
Local Security Policy
Working with Account policies
OK, we will start with password policies. Click on Account Policies and then click on Password Policy. On the right side click on "Enforce password history" and make sure it says zero passwords remembered. This will not store any passwords. Always a good idea.
OK, now we move on to "Minimum password length". You can set the minimum number of characters you want them to use. You do not have to mess with this one. It can be handy if you want to let your users set their own passwords. Remember, the longer the better.
Next, we have "Passwords must meet...". That makes sure all your passwords meet the complexity requirements: letters, numbers, and no words. This is also a good idea if you want your users to set their own passwords. OK, on to "Store passwords using reversible...". This is a very good idea. Make sure you enable this one. It makes it a lot harder to use a program to decrypt your passwords.
Then click on Account Lockout...
Change "Account lockout duration" to 60 minutes by double clicking on it and entering 60 in the box. When the confirmation box comes up, just hit OK. Then change "Account lockout threshold" to 3 invalid... and change "Reset account..." to 60 minutes. With that, if someone tries 4 times to guess your password it will lock them out for 60 min. This will prevent brute forcing the password from the logon screen.
Working with Local Policies Settings.
Click on Local Policies on the left side menu.
Click on Audit Policy. Click on each one and check the boxes next to both success and failure. Do it to all of them. That way you log all failures and successes, and you can track what your users are doing.
Now on to User Rights Assignment.
Make sure that none of the "local settings" has anyone BUT Administrators, user1, and System. If they do, double click on the policy, uncheck the ones you do not want and add any that you do want. Make sure you add the group (2 heads) Administrators. Remember, you want to prevent anyone from accessing anything without your permission. I will point out some that are important to edit. The one called "Log on remotely": make sure you ONLY add the users you want to log on from the network (Administrator, user1). I would allow NO ONE to log on from the network. You can still connect to other computers. Be very careful whom you give access to, because those accounts can be used to get into a box from the network/internet. Also, check out what is under "Log on locally...". Make sure only necessary accounts can log on locally. This is the simplest way to get on to a computer and cause damage. Uncheck anyone you do not want to be able to sit down in front of your computer and log on. That will prevent people from logging on and running exploits. If you do not add a user, THEY WILL NOT BE ABLE TO LOG ON AT ALL. "Manage auditing...log": make sure only your Administrator can access the logs, so that someone cannot edit or delete the logs used to track your users. "Load and unload device drivers": make sure that only Administrators can add drivers. Bad or hacked drivers are an easy way for someone to hack your box.
"Force shutdown...system": remove everyone from this. It makes it way too easy for someone to shut down your system.
Security Options
This is going to be a long one.
"Additional restrictions for....". Change local policy settings to "No access without explicit anonymous permissions" This will stop people from accessing your computer as an anonymous user.
"Allow system to be… log on": change it to Disable by clicking on the circle by "Disable". What this does is let you log on, do stuff, then log off and leave your computer running, while no one can shut it down without pushing the power button or logging on.
"Audit..." there are two of them. You want to Enable both of them as it can also help you track what your users are up to.
"Disable CTRL+ALT+DEL requirement for logon" to "disable" This will require you to hit CTRL+ALT+DEL to log on. Very good security option. This prevents a program from running during or before you log-on.
"Do not display last user name in logon screen" to "enable". This way someone trying to log on to your computer will not have a user name to brute force.
The next one is not really a security option but it is fun to play with. "Message title for...." change it to what you want it to say in the message title. Then change "Message text.." to what you want to be the text for the message. It will be displayed after they hit CTRL+ALT+DEL and before the logon screen.
"Prevent users from...drivers": like above, you do not want to allow users to install drivers because they could cause your computer to become unstable or hacked.
"Recovery Console: Allow automatic administrative logon": change it to "Disable". You do not want anyone to be able to get on the computer without a password.
"Recovery Console: Allow Floppy copy..." to "Disable". This will prevent any exploits that might be out there.
“Rename administrator account” Change it to what ever you named your administrator account above.
“Rename guest account” Change it to what ever you named your guest account above.
"Restrict CD-ROM access..." Change it to "enable".
"Restrict Floppy access..." to "Enable" That will stop a NT password disk from being able to get the passwords or change them. It also stops most boot-up programs from reading the NTFS volume.
Ok that is all for the Local Security Settings.
After you are done working on these, you will have to restart to have the changes take effect.
Event Viewer
First, click on Event Viewer. Right click on "Application Log"=>Properties. Then change "Log size" to a higher setting. The max is 4194240 KB. You will also want to make sure "Do not overwrite events" is selected. The reason is you want to make sure you record as much information as you can.
Next are some registry tweaks. If you don't know how to edit your registry, please read Chapter 6 first.
This registry tweak allows you to restrict access to the event log to administrators and system accounts only.
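Sections 3 and 5 as one script, so the account setup, account policies, audit policy, user rights, security options and event log settings can be reapplied in a single step. This is an added example and not part of the original guide: it writes a security template and applies it with secedit.exe, which ships with Windows 2000, then uses net.exe for the accounts. The names user1, user2, user3 follow the guide; the PASSWORD1/PASSWORD2 placeholders and the temp file paths are my own and must be replaced. The template keys are the documented Windows 2000 secedit names.

```batch
@echo off
rem Added example, not from the original guide: apply section 3 (accounts)
rem and section 5 (Local Security Policy + event log) with secedit and net.
rem Assumed: user1 = working admin, user2 = renamed Administrator,
rem user3 = renamed Guest, PASSWORD1/PASSWORD2 = placeholders to replace.
setlocal
set INF=%TEMP%\harden.inf
set DB=%TEMP%\harden.sdb

rem Section 3A: create the working account first so the template below can
rem name it in a user right. Empty full name and description, no self-service
rem password change, member of Administrators.
net user user1 PASSWORD1 /add /fullname:"" /comment:"" /passwordchg:no
net localgroup Administrators user1 /add

(
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo.
rem Section 5A: history 0, length 8, complexity on, lock after 3 bad tries
rem for 60 minutes, bad-try counter resets after 60 minutes.
echo [System Access]
echo PasswordHistorySize = 0
echo MinimumPasswordLength = 8
echo PasswordComplexity = 1
echo LockoutBadCount = 3
echo LockoutDuration = 60
echo ResetLockoutCount = 60
rem Section 3C: rename the two built-in accounts.
echo NewAdministratorName = "user2"
echo NewGuestName = "user3"
echo.
rem Audit policy: 3 = log both success and failure for every category.
echo [Event Audit]
echo AuditSystemEvents = 3
echo AuditLogonEvents = 3
echo AuditObjectAccess = 3
echo AuditPrivilegeUse = 3
echo AuditPolicyChange = 3
echo AuditAccountManage = 3
echo AuditProcessTracking = 3
echo AuditAccountLogon = 3
echo.
rem User rights: an empty right means nobody holds it at all.
echo [Privilege Rights]
echo SeNetworkLogonRight =
echo SeInteractiveLogonRight = Administrators,user1
echo SeRemoteShutdownPrivilege =
echo SeLoadDriverPrivilege = Administrators
echo SeSecurityPrivilege = Administrators
echo.
rem Security options: 4 = REG_DWORD, 1 = REG_SZ. Last user name hidden,
rem Ctrl+Alt+Del required, no shutdown from the logon screen, CD and floppy
rem limited to the logged-on user, Recovery Console logon and floppy copy off.
echo [Registry Values]
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,0
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateCDRoms=1,"1"
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\AllocateFloppies=1,"1"
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SecurityLevel=4,0
echo MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Setup\RecoveryConsole\SetCommand=4,0
echo.
rem Section 5B: size in KB, 2 = do not overwrite events, 1 = keep guests out.
echo [Application Log]
echo MaximumLogSize = 4194240
echo AuditLogRetentionPeriod = 2
echo RestrictGuestAccess = 1
) > "%INF%"

secedit /configure /db "%DB%" /cfg "%INF%" /log "%TEMP%\harden.log"

rem Section 3C, after the rename: disable the old Guest, then create a decoy
rem named Administrator that only holds Guests membership.
net user user3 /active:no /passwordchg:no
net user Administrator PASSWORD2 /add /comment:"Built-in account for administering the computer/domain" /passwordchg:no
net localgroup Users Administrator /delete
net localgroup Guests Administrator /add

rem List the accounts so the names can be checked against the guide.
net user
endlocal
```

The order matters: user1 exists before the template names it in SeInteractiveLogonRight, and the decoy "Administrator" is created only after secedit has renamed the real one to user2. SeNetworkLogonRight is left empty because the guide allows nobody to log on from the network; if you later need a network logon, put the account name on that line rather than adding it through the GUI so the template stays the single source of truth. Passing passwords on the command line leaves them in the console history, so change both placeholder accounts' passwords interactively afterwards.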
6. Registry Editing
How do you edit your registry?
First thing I have to do is warn you modifying the registry can cause serious problems that may require you to reinstall your operating system. Be very very careful.
What is the Registry? The Registry is a database used to store settings and options for your programs and Operating System.
You can get to the registry by going to Start=>Run and typing "regedit" or "regedt32".
Here are what the keys you see are for.
HKEY_CLASSES_ROOT - This branch contains all of your file association mappings to support the drag-and-drop feature, OLE information, Windows shortcuts, and core aspects of the Windows user interface.
HKEY_CURRENT_USER - This branch links to the section of HKEY_USERS appropriate for the user currently logged onto the PC and contains information such as logon names, desktop settings, and Start menu settings.
HKEY_LOCAL_MACHINE - This branch contains computer specific information about the type of hardware, software, and other preferences on a given PC, this information is used for all users who log onto this computer.
HKEY_USERS - This branch contains individual preferences for each user of the computer, each user is represented by a SID sub-key located under the main branch.
HKEY_CURRENT_CONFIG - This branch links to the section of HKEY_LOCAL_MACHINE appropriate for the current hardware configuration.
HKEY_DYN_DATA - This branch points to the part of HKEY_LOCAL_MACHINE, for use with the Plug-&-Play features of Windows, this section is dynamic and will change as devices are added and removed from the system.
Here is how to edit it using the values I use.
Click on the + next to each key till you get to the last value.
Next, click on the last key, "Application". On the right side are the values stored in that key. Look for the value "RestrictGuestAccess". If it isn't there, do not worry, just create the value. Double click on "RestrictGuestAccess" and change the value to what you want, in this case "0".
If you have to create the value you will be given the choices of String, Binary, and Dword. Here is what they are used for.
REG_BINARY - This type stores the value as raw binary data. Most hardware component information is stored as binary data, and can be displayed in an editor in hexadecimal format.
REG_DWORD - This type represents the data by a four-byte number and is commonly used for Boolean values, such as "0" is disabled and "1" is enabled. Additionally, many parameters for device drivers and services are this type, and can be displayed in REGEDT32 in binary, hexadecimal and decimal format, or in REGEDIT in hexadecimal and decimal format.
REG_SZ - This type is a standard string, used to represent human readable text values.
Some Security Tweaks
1. Empty cache after closing window
2. Disable Caching of Secure Web Pages
3. Change the Internet Explorer User Agent String
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\5.0\User Agent]
"(Default), Compatible, Version, Platform"="Whatever" (String Value)
This tweak may affect some online services that read this information to detect the operating system, such as Microsoft Windows Update.
4. Change the Number of Simultaneous HTTP Sessions
"MaxConnectionsPerServer, MaxConnectionsPer1_0Server"="Number of Simultaneous Connections"
5. Configure Remote Access Client Account Lockout
"MaxDenials, ResetTime (mins)"="some number in min."
6. Number of Remote Access Authentication Attempts
7. Restrict Anonymous User Access
"RestrictAnonymous"="0 = allowed, 1 = restricted, 2 = require anonymous permissions"
7: Programs to disable
You can disable these programs by going to =>start =>settings =>control panel =>Administrative Tools=>Services
To disable them double click on the program, under service status hit stop. Wait for it to stop. Then under start-up type change it to disabled.
Messenger = if you want to stop all those annoying net send messages, disable this service. Warning: you will not get your alert messages either.
Telnet = for remote access to your computer. Disable.
Remote Registry Service = um... like it says. Disable.
Also, disable any programs that you are not using or it could be used for an exploit.
8: Working with default shares.
Windows has some default shares. You can disable them by going to Start=>Settings=>Control Panel=>Administrative Tools. Click on Computer Management and select "Shared Folders" on the left. Then click on "Shares", right click on each one, select "Stop Sharing" and hit OK. If you restart your computer, the shares will be back, so you will have to disable them each time. You can stop them from reappearing by using REGEDIT. Go to
Some of these default shares are IPC$, C$, E$, etc. They can be used on a network to gain full access to your computer.
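The registry tweaks from section 6, the service shutdowns from section 7 and the default-share removal from section 8 as one .reg merge plus a few net commands. This is an added example, not part of the original guide. The keys are the documented Windows 2000 locations; the guide does not give the key that stops the shares from coming back, so the LanmanServer AutoShareWks value here is my addition, as are the value choices where the guide leaves them open. The HKEY_CURRENT_USER entries only affect the account the script runs as.

```batch
@echo off
rem Added example, not from the original guide: write a .reg file and merge it
rem silently with regedit /s, then stop the listed services and shares.
rem Value choices are mine where the guide leaves them open.
setlocal
set REGFILE=%TEMP%\harden.reg

(
echo Windows Registry Editor Version 5.00
echo.
rem Section 6, tweak 7: 1 = restricted, 2 = no access without explicit
rem anonymous permissions. 1 is used here; 2 also breaks some browsing.
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
echo "RestrictAnonymous"=dword:00000001
echo.
rem Section 6: keep the Guest account out of the Application log. 1 restricts
rem the log to Administrators and SYSTEM.
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\EventLog\Application]
echo "RestrictGuestAccess"=dword:00000001
echo.
rem Section 6, tweak 5: dial-in lockout after 3 denials, reset after 60 min.
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteAccess\Parameters\AccountLockout]
echo "MaxDenials"=dword:00000003
echo "ResetTime (mins)"=dword:0000003c
echo.
rem Section 6, tweaks 1 and 2: empty the cache when the browser closes and
rem never write secure pages to disk.
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings]
echo "DisableCachingOfSSLPages"=dword:00000001
echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Internet Settings\Cache]
echo "Persistent"=dword:00000000
echo.
rem Section 8: stop the Server service from recreating C$, E$ and ADMIN$ at
rem every boot. IPC$ stays; it cannot be removed this way.
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]
echo "AutoShareWks"=dword:00000000
echo.
rem Section 7: Start=4 means Disabled, so the services stay off after reboot.
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
echo "Start"=dword:00000004
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
echo "Start"=dword:00000004
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
echo "Start"=dword:00000004
) > "%REGFILE%"

regedit /s "%REGFILE%"

rem Section 7: stop the services for this session too. The Start value above
rem is what keeps them from coming back.
for %%S in (Messenger TlntSvr RemoteRegistry) do net stop %%S

rem Section 8: drop the administrative shares now and list what is left.
for %%S in (C$ E$ ADMIN$) do net share %%S /delete
net share
endlocal
```

After a reboot, "net share" should show only IPC$ among the defaults, and "net start" should no longer list Messenger, Telnet or Remote Registry Service. If a program later needs one of these shares or services back, set the matching Start value to 3 (manual) or 2 (automatic) rather than deleting the key.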
9: Other stuff.
Next, you need to make sure you get a good firewall, because WinNT does have some default programs running that can be exploited, and there are A LOT of exploits out there for Windows. It is best if you keep up on the exploits out there and how to protect yourself from them.
10: Security Programs.
Baseline Security Analyzer from Microsoft. It scans your computer for missing updates, exploits, and security issues.
I will keep working on this and add more... If you have any ideas send me some E-Mail.
Chuckie at ickielf.C0M
First, we are going to move the swap file to a different place and make it a little bigger. Right click on "My Computer", then the "Advanced" tab. Click on "Performance Options" under the Performance heading. Under Virtual Memory click on "Change". I use a swap size between 1000 and 1500 on the new drive.
Viewing Hidden files
Open the C: drive, Tools=>Folder Options...=>"View" tab. Check everything under "Files and Folders". Under "Hidden files and folders" select "Show hidden files and folders". De-select "Hide file extensions for known file types" and "Hide protected operating system files".