Talking Shop: Analyzing the Microsoft Security Toolkit for Windows 2000

Read about some of the critical security steps that should be taken with Windows 2000.
In my previous article, we looked at the Microsoft Security Toolkit as it pertains to Windows NT. Now we're going to look at the toolkit’s Windows 2000 resources and recommendations and the utilities that can help you bring your Win2K systems up to date.

Analyzing your system
The Microsoft Security Toolkit comes on a CD that you can obtain free from the Microsoft Web site. The Windows 2000 section of the toolkit includes documents containing information on the following topics:
  • Securing a new installation of Windows 2000
  • Securing an existing Windows 2000 system
  • Checklists for improved security

Microsoft also offers a handy utility called the Network Security Hotfix Checker (Hfnetchk.exe), which, when run, tells you what you need to install to bring your system to a current level of security. (For a look at how you can put this tool to work, see "Stay on top of vital patches with Microsoft's Network Security Hotfix Checker.")

To run a streamlined version of this utility, insert the Microsoft Security Toolkit CD into your CD-ROM drive. If Autorun does not start the CD, then open the CD using the Windows Explorer and choose Autoplay. When you do, you will be greeted with a basic Web page describing the contents of the toolkit.

Underneath the heading Protect Your Current System, click the Install Now option to begin the process of analyzing your machine. Of course, before you perform this action on a production server or workstation, be sure that you have a recent emergency repair disk and a backup.

For my installation, I am using a Windows 2000 Server running no service packs, which is not connected directly to the Internet and is not a production machine. I use it only for testing. As you can see in Figure A, when I ran this utility on my test system, I was told that it needed Service Pack 2 and various other updates.

Figure A: the toolkit's analysis of the test system (screenshot not reproduced here)
For example, the utility wants to install the Windows 2000 Critical Update Notification, which provides an alert when a critical new update becomes available from Microsoft. The utility also proposes to install the Internet Information Services Lockdown Wizard. In part three of this series, we will discuss the Microsoft Security Toolkit as it pertains to Internet Information Server and will explain how to use the lockdown wizard.

As you can see, the utility tells you the order in which the patches and updates will be applied and when reboots will be required.

For now, this is all of the detail that we will go into on this valuable utility. When securing a Windows system, this tool is a critical first step toward achieving baseline security.

Installing a new Windows 2000 system
Microsoft has provided a guide of best practices to follow when installing a new Windows 2000 system. For the purposes of this discussion, we will talk about these best practices mostly as they relate to Win2K Server, but we’ll also make a few recommendations for Win2K Pro.

One of the documents on the Security Toolkit CD, "Installing and Securing a New Windows 2000 System," provides a system administrator with Microsoft's recommendations for having a successful, noncompromised server at the end of the installation process. It provides a step-by-step guide to installing a new machine.

In this overview, Microsoft recommends installing a new machine while it is not connected to a network, or if it is connected to a network, making sure that the network is not in any way compromised as a result of a prior infiltration by something such as Code Red.

Next, Microsoft recommends installing the latest service pack. As I write this article, that would be Service Pack 2. In my opinion, this step cannot be stressed enough. In addition, Microsoft recommends either staying at Internet Explorer 5.01 SP2 or upgrading to 5.5 SP2 or 6.0. IE 5.01 SP2 is the default if you are doing a new Win2K installation with Service Pack 2.

Now, if you are running IIS, you should install the appropriate security rollup package. If you don't plan to use IIS on this particular machine, you should make sure you remove its option from the default Win2K installation. If you install it by accident, remove it as soon as possible using the Add/Remove Programs applet.

Following a successful installation, you should use Microsoft's series of checklists to ensure that you are making use of proper security procedures. If you can't implement a particular suggestion for some reason, going through these checklists will make you aware of where your system is vulnerable. Either way, it is an important exercise.

Securing an existing system
The process of securing an existing system is similar to setting up a new system. However, before you begin applying fixes to production hardware, I highly recommend that you apply them in a lab environment, if at all possible. I especially recommend using identical or similar hardware since patches can create hardware-specific problems in some instances.

The document "Installing and Securing an Existing Windows 2000 System" on the Security Toolkit CD goes over these steps in much more detail than we have room for here, but here are the basics.

Step one in securing an existing system is to determine its current state, which you can do with Hfnetchk.exe. To install Hfnetchk.exe directly from CD-ROM, browse to the \Combined\Hfnetcheck folder on the Security Toolkit CD and run Nshc32.exe to install the utility. Follow the instructions on the screen.

Once it is installed, run it. The utility will download a list of the currently available fixes from Microsoft. When I run the utility on my desktop system, I get the output shown in Listing A.

This is a comprehensive list of the articles on Microsoft’s Web site pertaining to patches that will bring my system up to full patch level. Keep in mind that not all patches are necessarily required. Read carefully through the articles listed before proceeding.

Next, move ahead as if you had a new baseline system with no service packs. If you need a service pack, install it and then follow the guidelines recommended in the Microsoft document.

Check, please…
Microsoft's checklists are vital tools for ensuring the security of your Windows 2000 systems. Here are some of the most critical checklist items:
  • Use NTFS. The importance of using NTFS to secure systems cannot be overemphasized, since FAT and FAT32 do not provide access permissions on files.
  • Disable unnecessary services. Disable services such as IIS, which is not needed on every server, and Personal Web Server, which is not needed on every client. A service that is left enabled but unused is far more likely to be forgotten at patch time and compromised later.
  • Use strong passwords and good user management. These two items go hand in hand. Set system policies for strong passwords and pay attention to your user database: remove old accounts, disable the guest account, and so on.
  • Set appropriate ACLs. By default, shares and files in Windows are open to everyone. Fix this! Not everyone needs that level of access, and leaving it in place gives an attacker far more to work with.
  • Stay current with patches. See more below.
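As an added illustration of the checklist items above (this is not a script from the article or from Microsoft's toolkit), the following batch file applies several of them from an administrative command prompt on a Windows 2000 machine. The data folder D:\Data is a placeholder, and sc.exe is assumed to be present from the Windows 2000 Resource Kit; every other command is part of a standard Windows 2000 installation.

```batch
@echo off
rem Added example, not part of the original article or the Security Toolkit.
rem Applies several checklist items on a Windows 2000 system. Placeholders:
rem D:\Data is a stand-in for your data tree; sc.exe is assumed to come from
rem the Windows 2000 Resource Kit. Review each step before running it.
setlocal

rem 1. Use NTFS: convert the system volume if it is still FAT or FAT32.
rem    The conversion is irreversible; if the volume is in use, convert.exe
rem    asks to schedule it for the next reboot (answer Y).
convert C: /FS:NTFS

rem 2. Disable unnecessary services: stop the IIS web service and keep it
rem    from starting at boot (skip this on a server that must run IIS).
rem    Note the space after "start=", which sc.exe requires.
net stop w3svc
sc config w3svc start= disabled

rem 3. Strong passwords and user management: enforce a minimum length,
rem    maximum age and password history, then disable the Guest account.
net accounts /minpwlen:8 /maxpwage:42 /uniquepw:5
net user guest /active:no

rem 4. Appropriate ACLs: edit (/E) the ACLs on the whole tree (/T), revoke
rem    (/R) the default Everyone entry, and grant (/G) Authenticated Users
rem    Change access instead. Adjust the group and level to your needs.
cacls D:\Data /T /E /R Everyone
cacls D:\Data /T /E /G "Authenticated Users":C

endlocal
```

Run it once per machine and then confirm the result with `cacls D:\Data` and `net accounts`; share-level permissions on any share that exposes D:\Data still need to be reviewed separately in Computer Management, since the file ACLs above do not change them.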

I’m done—now what?
Unfortunately, you’re never done. Going through Microsoft's recommended steps and following the checklists are only the beginning. Providing a secure computing environment for your Windows 2000 machines is an ongoing duty. At a minimum, I suggest doing the following:
  • Visit Windows Update and the Windows Update Corporate Site often to look for new patches.
  • Subscribe to the Microsoft security bulletin, which makes you immediately aware of newly discovered vulnerabilities in your Windows 2000 systems.
  • Install the Critical Update Notification service so that you find out immediately when a new critical update is posted.
  • Periodically run the Hfnetchk.exe tool to make sure that you have not missed any updates. Use Hfnetchk in conjunction with Qchain to install multiple updates without having to reboot more than once.
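The Hfnetchk-plus-Qchain routine in the last item, written out as an added example (not a script from the article or from Microsoft): Hfnetchk records the missing-patch list to a file before and after, the hotfixes are installed without individual reboots, and Qchain.exe is run last so that a single reboot finishes the job. The folder C:\Hotfixes and the Q000001 to Q000003 package names are placeholders for the packages Hfnetchk actually reports; the Hfnetchk switches used here are assumed from the tool's own help, so check them against your copy.

```batch
@echo off
rem Added example, not part of the original article or the Security Toolkit.
rem Installs several Windows 2000 hotfixes with one reboot using Qchain.exe.
rem Placeholders: C:\Hotfixes holds the downloaded packages and qchain.exe;
rem the Q000001..Q000003 file names stand in for the real hotfix packages
rem that Hfnetchk lists as missing.
setlocal
set PATHTOFIXES=C:\Hotfixes

rem Record the current patch state (-v verbose, -f write results to a file)
rem so you have a baseline to compare against after the reboot.
hfnetchk -v -f %PATHTOFIXES%\hfnetchk_before.txt

rem Install each hotfix unattended (-m) and suppress its reboot (-z).
rem Keep the list in the order Hfnetchk recommends; Qchain fixes up the rest.
%PATHTOFIXES%\Q000001_W2K_SP3_x86_EN.exe -z -m
%PATHTOFIXES%\Q000002_W2K_SP3_x86_EN.exe -z -m
%PATHTOFIXES%\Q000003_W2K_SP3_x86_EN.exe -z -m

rem Qchain cleans up the pending file-replacement list so that the newest
rem version of each replaced file is the one kept at reboot, regardless of
rem the order in which the hotfixes ran.
%PATHTOFIXES%\qchain.exe

rem Reboot once now. After logging back in, run the check again and compare:
rem   hfnetchk -v -f %PATHTOFIXES%\hfnetchk_after.txt
endlocal
```

Test the batch file on lab hardware that matches production first, as the article advises, and keep the before and after Hfnetchk output with your change record; any package still listed afterwards either failed to apply or needs a newer rollup than the one you chained.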

Summary
Microsoft is trying to make protecting your systems a little easier with these guidelines, tools, and checklists for securing Windows 2000 machines. Now that Microsoft has gone to the length of providing these resources, it’s up to us to implement its suggestions.

How will the Win2K security toolkit help you?
We look forward to getting your input and hearing about your experiences regarding this topic. Post a comment or a question about this article.
