Deciding what defines security in a server can be like nailing Jell-O to the wall. Just when you think you have a good definition and have configured your server accordingly, you discover another potential hole or something you forgot. Rather than figuring out the proper security settings by yourself, you can use the Consensus Baseline Security Settings to judge your server’s security. In this Daily Feature, I’ll show you how to obtain and use the Windows NT/2000 Security Scoring Tool to compare your server’s setting with the Consensus Baseline Security Settings.
The Consensus Baseline Security Settings take the guesswork out of network security
The Center for Internet Security (CIS), a nonprofit organization that works to develop security methods and strategies for network administrators, developed the Consensus Baseline Security Settings and the Windows Security Scoring Tool to formalize the proper security settings for Windows servers, based on the experiences of dozens of network administrators. CIS includes members from areas as diverse as banking, manufacturing, utilities, healthcare, and the government. Some of the key participants in CIS are:
- Allstate Insurance
- Eastman Kodak
- Federal Computer Incident Response Center
- Federal Reserve Board
- LG&E Energy
- Lucent Technologies
- U.S. Department of Justice, Information Management and Security Staff
CIS does more than provide security information for Windows NT and Windows 2000 servers. It also provides security benchmarks and tools for Solaris, Linux, and HP-UX servers, as well as Cisco routers. For the purposes of this Daily Feature, we’ll focus on the security tools for Windows 2000 Server.
Microsoft's Baseline Security Analyzer
Don’t confuse the CIS’s Consensus Baseline Security Settings with Microsoft’s Baseline Security Analyzer. The people who developed the Consensus Baseline Security Settings have no affiliation to any specific technology. The Baseline Security Analyzer checks your Windows server’s security settings based on Microsoft’s definition of security. The Baseline Security Analyzer compares installed patches and configurations on your server with its internal set of patch lists and configurations to advise you on changes you need to make. For more information about Microsoft’s Baseline Security Analyzer, see the Daily Feature “Make sure your network is secure with the Microsoft Baseline Security Analyzer.”
Obtaining and installing the Windows NT/2000 Security Scoring Tool
To make sure your server meets the Consensus Baseline Security Settings, you can download and run CIS’s Windows NT/2000 Security Scoring Tool from CIS’s Web site. Click the Download link to download the tool to your administration workstation. You’ll need to register with the CIS Web site to download the benchmark. It’s free, so all it will cost you is some information and the time it takes to download the file. CIS updates the tool on a regular basis, so you should revisit the CIS Web site at least once a month to make sure you have the latest version of the tool. As of the writing of this Daily Feature, the current version of the tool is 2.1.2.
When you register, make sure you select the Win 2000 Professional (Workstation Tool—Consensus Baseline Settings) Win 2000 (Level-1) Win NT (Level-1) check box. You don’t have to worry about downloading separate versions for Windows NT, Windows 2000 Server, or Windows 2000 Professional. One single download covers all versions. You’ll also need to click the I Accept radio button to accept the license terms. When you’re done, click Submit.
When the Download page appears, click the Download The Windows Scoring Tool link. Save the CIS-Win.exe file to your workstation. The file is only 6.2 MB, so it won’t take that long to download. After you’ve downloaded the file, copy it to a temporary directory on the server you want to benchmark.
To install the benchmark, double-click the CIS-WIN icon. In order to properly install the benchmark, your server must be running at least 800 x 600 video resolution. CIS-WIN installs like any other Windows application, using a wizard that walks you through the entire process. After the wizard starts, you simply work your way through it, accepting all the defaults. When the wizard installs the tool, it also installs the tool’s documentation in PDF format.
Running the Windows NT/2000 Security Scoring Tool
To start the tool, click Start | Programs | Center For Internet Security | Windows Security Scoring Tool. As you can see in Figure A, the tool has only one screen to deal with. However, CIS has broken it down into sections.
|The Security Scoring Tool matches your system’s security with the Consensus Baseline Security Settings.|
The Computer field displays the name of the server on which you’re running the tool, and the Scan Time field displays the time you ran the scan. The first box below the Computer and Scan Time fields is the Scoring box. This box contains the Scoring button, which you’ll use to begin the scoring process. From the Select Security Template drop-down list box, you’ll select the different baselines against which you can compare your server.
Below the Select Security Template drop-down list box, you’ll see the Force Gold Standard Scoring check box. By default CIS enables this check box, but it works only with Windows 2000 Professional, so you should remove the check when running Windows 2000 Server. The security templates you can compare your server with include:
- CIS-Win2K-Level-I-v1.1.7.inf: CIS-recommended settings for a Windows 2000 Server.
- CIS-WinNT-Level-I-v1.0.3.inf: CIS-recommended settings for a Windows NT Server.
- MS-Baseline.inf: Microsoft-recommended baseline settings.
- MS-BaselineDC.inf: Microsoft-recommended baseline security settings for a server.
- NIST-2kdm.inf: National Institute of Standards and Technology's (NIST's) recommended settings for a domain member.
- NIST-2kws.inf: NIST-recommended settings for a Windows 2000 Professional stand-alone computer.
- NSA-isa.inf: National Security Agency's (NSA's) recommendations for a Windows 2000 Server running ISA Server.
- NSA-nt4_BDC.inf: NSA recommendations for a Windows NT Backup Domain Controller.
- NSA-nt4_Exchange.inf: NSA recommendations for a Windows NT Server running Exchange 5.5.
- NSA-nt4_MemberServer.inf: NSA recommendations for a Windows NT Server that is not a domain controller.
- NSA-nt4_PDC.inf: NSA recommendations for a Windows NT Primary Domain Controller.
- NSA-nt4_Workstation.inf: NSA recommendations for a Windows NT Workstation computer.
- NSA-w2k_dc.inf: NSA recommendations for a Windows 2000 domain controller.
- NSA-w2k_domain_policy.inf: NSA recommendations for a Windows 2000 domain policy.
- NSA-w2k_server.inf: NSA recommendations for a Windows 2000 Server.
- NSA-w2k_workstation.inf: NSA recommendations for a Windows 2000 Professional workstation.
- Win2kProGold_R1.2.inf: CIS recommendations for a Windows 2000 Professional workstation.
The INF File Comparison Utility allows you to quickly test a security template you’ve created with the Security Editor to see if it complies with the CIS recommendations. When you click the button, you’ll see a separate dialog box that allows you to select and test your INF file.
The Export Effective Group Policy button lets you quickly export your current group policy settings to a log file. You can use this log file to check your group policy settings or reset them later if you make changes that cause problems.
Scoring your server’s security
When you click Score, the tool will scan your system. As each test completes, you’ll see the individual scores appear in their respective fields. The Overall Score field displays the score your server earns after you click the Score button. You can’t change the information in this field or in any of the fields in the right-hand side of the tool.
The best possible score you can achieve in the Overall Score field is 10. Don’t be surprised if your server achieves only a 1.5. A Windows 2000 Server with all the basic security settings will show this score by default. To achieve a perfect score of 10, the server must score a 2.5 in each of the four boxes below the Overall Score field. These boxes are as follows:
- Service Packs and Hotfixes:The tool checks to make sure you’ve applied all the latest service packs and hot fixes for your server. They must be installed on your server to earn points.
- Account and Audit Policies:This box displays the results of the tool’s inspection of your account and audit policies. You earn points when you’ve placed the proper password restrictions on your users and applied the proper auditing rules. The tool checks for such things as a lockout policy, password complexity, and minimum password length.
- Security Settings:This box shows the results of the tool’s inspection of your server’s security settings. The tool checks to see if you’ve disabled anonymous access to your server and whether you display logon warnings. It also checks to see if you’ve restricted access to floppy drives, changed the name of the administrator account, and renamed the guest account.
- Additional Security Protection: The tool also checks your system for unnecessary or vulnerable services on your server and displays the results in this box. The tool checks only the services included in a basic Windows 2000 installation, not services added by programs such as Exchange and SQL Server. It checks such services as Plug and Play, Routing and Remote Access, Task Scheduler, Telnet, and Net Logon.
Increasing your score
As you run the Security Scoring Tool, remember that it gives you a score based on settings described in the INF file you use in the Select Security Template drop-down list box. You can use these INF files in conjunction with the Security Editor and Security Configuration and Analysis Snap-in to gain a higher score. For more information about how to use these tools, see the Daily Drill Down “Analyze your server’s security with the Security Configuration and Analysis Snap-in.” Don’t blindly use the INF files just to get a higher score. Although your system may be more secure after using the files, it may also be less friendly for your users.