Windows 2000 Server has definitely expanded the Windows server room empire built by Windows NT Server 4.0. However, while Win2K has extended the use of Windows servers to new roles and in greater numbers, the platform has continued to be plagued with a constant stream of newly discovered security vulnerabilities. As a result, it has suffered from a general perception of being an operating system that is insecure by default and must be locked down by administrators.
In fact, in a recent NetAdmin poll we asked members what they considered to be the most difficult aspect of managing Windows servers, and they overwhelmingly selected security problems (Figure A).
In an effort to assist beleaguered Windows admins in identifying and mitigating Windows security problems, we put together the following list of articles to serve as a Win2K security resource.
Pinpointing vulnerable spots
- "Top Windows security threats pinpointed by SANS/FBI"
If you want to get a better feel for the most dangerous security issues in Windows NT/2000—the ones that are most exploited by attackers—look no further than this list developed by the SANS Institute and the FBI.
- "Reference sheet: Win2K services that can be disabled"
When you want to lock down your Win2K servers, you need to start by closely examining the services that are running and paring them down. This Excel worksheet lists the default Win2K services and shows you which ones are needed and which ones can be safely disabled.
- "Go the extra mile in securing the Windows administrator account"
One of the most dangerous—and therefore most sought after—targets on Win2K networks are the administrator accounts. Learn the extent of the danger posed by the admin accounts and the steps you can take to secure them.
- "Take advantage of the IIS 'What If' security tool"
No discussion of Win2K security would be complete without addressing IIS. The matter of IIS security is so touchy that many companies circumvent it altogether. Instead of using IIS, they install Apache on Windows or use another Web server suite. Nevertheless, IIS remains in use in a large number of organizations. For those who use the native Windows Web server, the IIS Security Planning Tool (a.k.a. the IIS "What If" tool) is a great place to start in figuring out how to lock it down.
Protecting your Win2K infrastructure
Once you get up to speed on the issues involved in securing Windows 2000, you're ready to engage in the lockdown process. The following articles provide tips and tools that can help:
- "Protect Windows servers with Microsoft Security Resource Kit"
- "Analyzing the Microsoft Security Toolkit for Windows 2000"
- "Let the U.S. government help you secure Win2K"
Security remains a paramount challenge in managing a Windows 2000 network, but the resources we've mentioned here can get any administrator started down the right path. And some relief may be in sight with the next version of Windows server. Read this article to see how Microsoft has made a major investment in improving the default security of Windows Server 2003.