aaed.co.uk   "We're more of a drinking association than a clan so to join AAed buy Pom a pint in the Ashley Arms - or in his garage :) in Bristol, UK"
 

updated: October 9, 2007


Windows 2000 Professional Security Checklist

This is based on one of the MS articles; however, I feel that some of their steps were not particularly relevant to non-domain users, and they also seemed to have some fairly important omissions. I believe that anyone who carries out these steps before connecting their machine to an untrusted network (such as the internet) will survive the most common types of security attack and would at least create a reasonable challenge for anyone making a concerted attempt to either investigate or attack you. BTW, I believe these steps are all pertinent for both 2000 Server and XP too, but I focussed on W2k Pro.

Steps
Verify that all disk partitions are formatted with NTFS
Verify that the Administrator account has a strong password
Disable unnecessary services
Make sure the Guest account is disabled
Protect the registry from anonymous access
Restrict access to public Local Security Authority (LSA) information
Set stronger password policies
Configure the Administrator account
Remove all unnecessary file shares
Set appropriate ACLs on all necessary file shares
Enable security event auditing
Install anti-virus software and updates
Install service packs and critical patches
Automate patch deployment
Install the Appropriate Post-Service Pack Security Hotfixes

Verify that all Disk Partitions are Formatted with NTFS

NTFS partitions offer access controls and protections that aren't available with the FAT, FAT32, or FAT32x file systems. Make sure that all partitions on your computer are formatted using NTFS.

Verify that the Administrator Account has a Strong Password
In general, longer passwords are stronger than shorter ones, and passwords with several character types (letters, numbers, punctuation marks, and nonprinting ASCII characters generated by using the ALT key and three-digit key codes on the numeric keypad) are stronger than alphabetic or alphanumeric-only passwords. For maximum protection, make sure the Administrator account password is at least nine characters long and that it includes at least one punctuation mark or nonprinting ASCII character in the first seven characters.

Disable Unnecessary Services
After installing Windows 2000 Professional, you should disable any network services not required for the computer. In particular, you should consider disabling the following services if possible (and if they’ve been installed):

Internet Information Server (IIS) services: FTP Publishing Service, IIS Admin Service, Network News Transport Protocol (NNTP), Simple Mail Transport Protocol (SMTP), and the World Wide Web Publishing Service.
Server service. Disable if server is not being used for file and print sharing.
SNMP service. Disable if SNMP monitoring is not required.

Disable or Delete Unnecessary Accounts
You should review the list of active accounts (for both users and applications) on the system in the Computer Management snap-in and disable any non-active accounts and delete accounts which are no longer required.

Make Sure the Guest Account is Disabled
By default, the Guest account is disabled on systems running Windows 2000. If the Guest account is enabled, disable it.

Protect the Registry from Anonymous Access
The default permissions do not restrict remote access to the registry. Only administrators should have remote access to the registry, because the Windows 2000 registry editing tools support remote access by default. To restrict network access to the registry:

Add the following key to the registry:
Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: \CurrentControlSet\Control\SecurePipeServers
Value Name: \winreg

Select winreg, click the Security menu, and then click Permissions.
Set the Administrators permission to Full Control, make sure no other users or groups are listed, and then click OK.
The security permissions (ACLs) set on this key define which users or groups can connect to the system for remote registry access. In addition, the AllowedPaths subkey contains a list of keys to which members of the Everyone group have access, notwithstanding the ACLs on the winreg key. This allows specific system functions, such as checking printer status, to work correctly regardless of how access is restricted via the winreg registry key. The default security on the AllowedPaths registry key grants only Administrators the ability to manage these paths. The AllowedPaths key, and its proper use, is documented in Microsoft Knowledge Base article 153183.

Restrict Access to Public Local Security Authority (LSA) Information
You need to be able to identify all users on your system. Therefore, you need to restrict anonymous users so that the amount of public information they can obtain about the LSA component of the Windows NT Security Subsystem is reduced. The LSA handles aspects of security administration on the local computer, including access and permissions. To implement this restriction, create and set the following registry entry:

Hive: HKEY_LOCAL_MACHINE\SYSTEM
Key: CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Type: REG_DWORD
Value: 1

Set Stronger Password Policies
Use the Local Security Policy snap-in to strengthen the system policies for password acceptance. Microsoft suggests that you make the following changes:

Set the minimum password length to at least 8 characters. Recommended value: 8.
Set a minimum password age appropriate to your network (typically between 1 and 7 days). Recommended value: 2.
Set a maximum password age appropriate to your network (typically no more than 42 days). Recommended value: 42.
Set a password history maintenance (using the Remember passwords option) of at least 6. Recommended value: 24.
Set a password complexity requirement (using the Passwords must meet complexity requirements option).
Disable the Store passwords using reversible encryption option (disabled by default).

Set Account Lockout Policy
Windows 2000 includes an account lockout feature that will disable an account after an administrator-specified number of logon failures. This decreases the risk of an attacker using a brute-force method to identify valid login credentials by trying a large number of possible passwords. However, it creates a denial-of-service vulnerability: an attacker could cause accounts to be locked out, causing legitimate users to be denied access.

The recommended configuration settings for maximum security against brute force attacks that compromise user credentials are: enable lockout after three to five failed attempts, reset the count after not less than 30 minutes, and set the lockout duration to 30 minutes. The recommended configuration for maximum security against denial of service attacks is to disable account lockout entirely.
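
As an added example (not part of the original checklist or of Microsoft's article), the following Python script checks a policy export against the password, lockout and RestrictAnonymous values given above. It assumes the policy was exported with secedit /export /cfg; the sample export is constructed, and the lockout tests apply the brute-force profile rather than the denial-of-service one.

```python
import configparser

# Constructed sample of a `secedit /export /cfg policy.inf` file (not from the page).
# Real exports are UTF-16: open(path, encoding="utf-16").read()
SAMPLE_INF = r"""
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 10
ResetLockoutCount = 30
LockoutDuration = 30
ClearTextPassword = 0
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
"""

# [System Access] setting -> (test, requirement as worded in the checklist)
CHECKS = {
    "MinimumPasswordLength": (lambda v: v >= 8, "at least 8 characters"),
    "MinimumPasswordAge": (lambda v: 1 <= v <= 7, "between 1 and 7 days"),
    "MaximumPasswordAge": (lambda v: 1 <= v <= 42, "no more than 42 days"),
    "PasswordHistorySize": (lambda v: v >= 6, "at least 6 remembered"),
    "PasswordComplexity": (lambda v: v == 1, "complexity enabled"),
    "ClearTextPassword": (lambda v: v == 0, "reversible encryption disabled"),
    "LockoutBadCount": (lambda v: 3 <= v <= 5, "lock after 3 to 5 failures"),
    "ResetLockoutCount": (lambda v: v >= 30, "reset count after >= 30 minutes"),
    "LockoutDuration": (lambda v: v == 30, "lockout duration 30 minutes"),
}
LSA_VALUE = r"machine\system\currentcontrolset\control\lsa\restrictanonymous"

def audit(inf_text):
    """Return (setting, found, required) for each checklist item that fails."""
    cp = configparser.RawConfigParser(strict=False)  # lower-cases option names
    cp.read_string(inf_text)
    access = dict(cp["System Access"]) if cp.has_section("System Access") else {}
    findings = []
    for name, (ok, required) in CHECKS.items():
        raw = access.get(name.lower())
        if raw is None or not ok(int(raw)):
            findings.append((name, raw, required))
    reg = dict(cp["Registry Values"]) if cp.has_section("Registry Values") else {}
    raw = reg.get(LSA_VALUE)  # stored as "<type>,<data>"; type 4 is REG_DWORD
    if raw is None or raw.partition(",")[2].strip() != "1":
        findings.append(("RestrictAnonymous", raw, "REG_DWORD 1"))
    return findings

if __name__ == "__main__":
    for setting, found, required in audit(SAMPLE_INF):
        print(f"FAIL {setting}: found {found!r}, checklist wants {required}")
```

A setting that is missing from the export is reported with a found value of None, so an unconfigured policy does not pass silently.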

Configure the Administrator Account
Because the Administrator account is built in to every copy of Windows 2000, it presents a well-known objective for attackers. To make it more difficult to attack the Administrator account, do the following for the local Administrator account on each computer:

Rename the account to a nonobvious name (e.g., not "admin," "root," etc.).
Establish a decoy account named "Administrator" with no privileges. Scan the event log regularly looking for attempts to use this account.
Enable account lockout on the real Administrator accounts by using the passprop utility.
Disable the local computer's Administrator account.
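
One way to do the regular event-log scan for the decoy account, as an added example that is not part of the original checklist. It assumes the Security log has been exported to CSV with the columns shown (a constructed layout with constructed events) and that account logon auditing is enabled, so that Windows 2000 records events 680 and 681.

```python
import csv, io, re
from collections import Counter

DECOY = "Administrator"             # name of the unprivileged decoy account
ACCOUNT_LOGON_IDS = {"680", "681"}  # Windows 2000 account logon success / failure

# Constructed Security-log export; the CSV column layout is an assumption.
SAMPLE_LOG = '''event_id,type,description
681,Failure,"The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WKS-17 failed. The error code was: 3221225578"
681,Failure,"The logon to account: bob by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WKS-03 failed. The error code was: 3221225578"
680,Success,"Account Used for Logon by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 Account Name: alice Workstation: WKS-03"
681,Failure,"The logon to account: Administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: WKS-17 failed. The error code was: 3221225578"
681,Failure,"The logon to account: administrator by: MICROSOFT_AUTHENTICATION_PACKAGE_V1_0 from workstation: LAB-PC failed. The error code was: 3221225578"
'''

ACCOUNT_RE = re.compile(r"account(?: name)?:\s*(\S+)", re.I)
SOURCE_RE = re.compile(r"workstation:\s*(\S+)", re.I)

def decoy_attempts(log_text, decoy=DECOY):
    """Count account logon events naming the decoy, keyed by source workstation."""
    hits = Counter()
    for row in csv.DictReader(io.StringIO(log_text)):
        if row["event_id"] not in ACCOUNT_LOGON_IDS:
            continue
        account = ACCOUNT_RE.search(row["description"])
        # Windows account names are case-insensitive, so compare folded.
        # Nobody legitimate uses the decoy, so successes count as well as failures.
        if account and account.group(1).lower() == decoy.lower():
            source = SOURCE_RE.search(row["description"])
            hits[source.group(1) if source else "unknown"] += 1
    return hits

if __name__ == "__main__":
    for workstation, count in decoy_attempts(SAMPLE_LOG).most_common():
        print(f"{count} logon attempt(s) on decoy '{DECOY}' from {workstation}")
```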

Revoke the Debug Programs User Right
By default, Windows 2000 grants administrators the Debug programs user right. This right can be exploited by trojans to capture sensitive system information from the system memory, such as hashed passwords. Microsoft suggests that you revoke this right for all users except specific user accounts that require debug privileges.

Remove All Unnecessary File Shares
All unnecessary file shares on the system should be removed to prevent possible information disclosure and to prevent malicious users from leveraging the shares as an entry to the local system.

Set Appropriate ACLs on all Necessary File Shares
By default, all users have Full Control permissions on newly created file shares. All shares that are required on the system should have the ACL restricted such that users have the appropriate share-level access (e.g., Everyone = Read).

Note: The NTFS file system must be used to set ACLs on individual files in addition to share-level permissions.

Enable Security Event Auditing
By default, Windows 2000 does not log successful or failed login attempts. Logging these attempts is useful for proactively determining that an attack is occurring and reactively determining how and when an attack took place. It is tempting to enable all types of auditing; however, that configuration results in unmanageable log files and a performance impact. Microsoft recommends enabling only Success and Failure auditing for the Audit account logon events policy.

With auditing enabled, event log size and retention policies should be adjusted. The size of all event logs should be set so that they can retain several weeks of events. Microsoft recommends the maximum security log size be set to a value of 184,320 KB; the maximum application log size be set to 10,240 KB; and the maximum system log size to 10,240 KB. For all event logs, set the retention method for event logs to Overwrite events as needed.

Install Antivirus Software and Updates
It is imperative to install antivirus software and keep up-to-date on the latest virus signatures on all Internet and intranet systems.

More antivirus security information is available on the Microsoft TechNet Security Web site.

Install Service Packs and Critical Patches
From time to time, Microsoft releases service packs and critical updates to resolve newly discovered security vulnerabilities in components included with Windows 2000. The Windows Update site is a tool for identifying critical updates not specifically identified in this document.

Apply all service packs and critical updates listed for your system at the Windows Update site. Windows Update may not be able to apply all critical updates at one time. If necessary, return to the site after rebooting the system and repeat the above process until all critical updates and service packs have been applied.

Automate Patch Deployment
Use Automatic Updates to automatically notify you of the availability of new security fixes. If possible, configure Automatic Updates to automatically download updates and install them without manual intervention.

Larger organizations should use Microsoft Software Update Services, Microsoft Systems Management Server, or a similar solution (such as Patchlink) to reduce the labor associated with deploying patches.

Install the Appropriate Post-Service Pack Security Hotfixes
Microsoft issues security bulletins through its Security Notification Service. When these bulletins recommend installation of a security hotfix, you should immediately download and install the hotfix on your member computers.

deadmonkey

 

All original content © 2005 aaed.co.uk. All trademarks, articles and photos belong to their respective owners. Piggy Production