A recent posting in our Technical Q&A asked for help in covering all of the bases to ensure that Windows 2000 Professional systems remain secure. Members responded with a number of tips, which you can put to work in securing your own systems. And if any of your end users use AOL software to connect to personal e-mail from work, some of these security recommendations will be of particular interest.
Member Robert_Smith posed the following challenge in our Technical Q&A:
“I need ‘best practices’…for Win 2K Pro and security….Leave no stone unturned in your response.”
Smith asked for information on which services should be deactivated and which ones should be allowed to run. He also wanted to know what risks he faced by using an administrator group account while logged into AOL and browsing the Web. One complication is his use of ZoneAlarm Pro: problems with AOL forced Smith to move the AOL security setting to Medium.
In sum, Smith wanted to know what steps he should take to ensure that his Win2K Pro workstation is secure and what specific measures he should consider with regard to Web browsing to prevent security breaches.
Smith provided the following pertinent information about his current system:
- Windows 2000 Professional is patched to version 5.00.2195 with Service Pack 2.
- Internet Explorer is version 5.50.4807.2300 (though Smith uses AOL for Internet access).
- Smith is the only user of the computer.
- Smith rarely uses the Administrator login, and the Guest login is disabled.
He also requested feedback on what to do about files in the Temp folder. The Temp folder in Local settings contained 230 MB of files, including an 80-MB file named simply 00000004, with no extension. Smith wanted to know if he needed to keep any of the files in the folder or if he could safely delete them whenever he wanted to.
Members responded to Smith’s challenges with a number of suggestions on what he could do to improve security on his system. Doug Klippert, an application trainer/consultant, said Smith should upgrade IE to the latest release, 6.0.2600. He also advised Smith to rename the Administrator account, citing it as one of the first things a hacker looks for. In addition, he suggested that Smith stop using AOL and use a program such as Lavasoft's Ad-aware to recognize and remove any spyware from his system.
Network engineer Joseph Moore also recommended changing the Administrator account name and added that passwords should meet high complexity requirements.
Maxwell Edison, a computer systems manager, agreed that AOL poses some security risks. Edison pointed to information suggesting that AOL’s reliance on VPN technology could allow hackers to bypass firewalls. He suggested that if Smith wanted to continue using AOL, he should open a regular browser after connecting, using AOL only for Internet access and avoiding the AOL software.
Edison and Moore both noted that AOL monitors browsing habits and that using it may not serve Smith’s interest in securing his network. “It is all being recorded,” Moore wrote, “and you can bet that AOL has a copy of WebTrends or [another] reporting package.”
What is spyware?
For additional information about spyware and why you should be concerned about it, visit Spychecker.com. It offers a detailed definition as well as links to useful resources on the topic.
Edison noted that although Smith reported running Service Pack 2, he didn’t mention the other necessary security updates that Microsoft has released for Win2K.
“To make sure you have all those security holes addressed, download and install…patches that may be pertinent to your computer.”
He pointed Smith to Microsoft’s Win2K Downloads page to obtain the latest security patches.
Win2K Pro resources
Edison said that Element K Journals published a detailed Windows 2000 article that includes information about security. He also recommended LabMice.net, which offers a security checklist for Win2K. If you’re interested in print or CD Windows 2000 resources, check out the following TechRepublic reference guides:
- Windows 2000 Professional Resource Guide
- Windows NT/2000 Network Administrator’s Resource Guide, Volume 2
Edison noted that Win2K’s system services can be configured to improve system security. But he said that a best practices breakdown for enabling or disabling the services depends on each user’s individual needs.
“By default, Windows 2000 automatically runs many of these services and consumes more memory than it actually may need.…My rule of thumb would be, if you definitely don’t need [a service], turn it off. If you definitely will need it, turn it on. If you might need it, then it’s a judgment call only you can make.”
Both Moore and Edison agreed that the files in the Temp folder should be deleted on a regular basis because they serve no recurring purpose and simply take up hard drive space.
“Windows has a nasty habit of generating tons of garbage files. Cleaning this and other temporary directories out should be part of your regular Windows maintenance,” Edison said.
If Windows reports that a file is in use and can’t be deleted, either skip that file or close all programs and attempt to delete the file again.
As a part of his regular maintenance routine, Edison said that he:
- Deletes all temporary files, including the Temporary Internet files folder and any temp files and folders with filenames beginning with a tilde (~).
- Deletes all history files.
- Deletes the contents of the hidden Recent folder.
- Empties the Recycle Bin.
- Optimizes hard disk utilization with Norton Speed Disk, Microsoft Disk Defragmenter, or a similar utility.
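The temp-file step of this routine, including the advice to skip any file Windows reports as in use, can be scripted. The following is an added example, not code from the article or its members; the function names, the `dry_run` preview flag, and the constructed sample folder (which borrows the 00000004 filename Smith mentioned) are assumptions.

```python
import os
import tempfile


def clean_temp(root, dry_run=True):
    """Delete every file under root; return (removed, skipped, bytes_freed).

    A file that cannot be removed (for example, one a program holds open)
    is skipped and reported instead of aborting the run.
    """
    removed, skipped, freed = [], [], 0
    # Walk bottom-up so emptied subfolders can be removed after their files.
    for folder, _dirs, files in os.walk(root, topdown=False):
        for name in files:
            path = os.path.join(folder, name)
            try:
                size = os.path.getsize(path)
                if not dry_run:
                    os.remove(path)
            except OSError:          # in use, read-only, or already gone
                skipped.append(path)
                continue
            removed.append(path)
            freed += size
        if not dry_run and folder != root:
            try:
                os.rmdir(folder)     # fails harmlessly if a skipped file remains
            except OSError:
                pass
    return removed, skipped, freed


def demo():
    """Run against a constructed sample folder (not a real Temp directory)."""
    root = tempfile.mkdtemp(prefix="sample_temp_")
    os.mkdir(os.path.join(root, "~sub"))
    for rel, size in (("00000004", 4096), ("~doc.tmp", 100),
                      (os.path.join("~sub", "a.tmp"), 10)):
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(b"\0" * size)
    preview = clean_temp(root, dry_run=True)    # reports only, deletes nothing
    result = clean_temp(root, dry_run=False)
    leftover = os.listdir(root)
    os.rmdir(root)
    return preview, result, leftover


if __name__ == "__main__":
    (_, _, would_free), (removed, skipped, freed), _ = demo()
    print(f"preview {would_free} B; removed {len(removed)}, skipped {len(skipped)}, freed {freed} B")
```

Run it with `dry_run=True` first and review the list before deleting; anything returned in the skipped list can be retried after closing all programs.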
Members responding to Smith’s request for a best-practices approach to Win2K security listed a number of online resources to consult on the issue. In addition to those already discussed, members recommended the following sites:
- National Security Agency’s Security Recommendation Guides page
- TechSpot.com’s Windows 2000 Services Tweak Guide
- Microsoft TechNet’s Security Best Practices
General security recommendations
As our members pointed out, security best practices always vary depending on the network configuration and the needs of users. Still, some universal practices can help admins better secure their Win2K Pro systems. Here's a rundown of the general recommendations that members offered:
- Change the Administrator account name to make it more difficult for hackers to locate it.
- Follow password complexity guidelines to make it more difficult for hackers to crack passwords.
- Keep up to date on Windows hot fixes, Service Packs, and security updates.
- Download and install the latest IE updates from Microsoft’s site.
- Avoid using AOL software for Internet browsing because of the security risks it poses.
- Eliminate all spyware from your computer using Lavasoft’s Ad-aware or a similar utility.
If you consult the Win2K Pro security resources mentioned in this article and follow the general recommendations of our members, your Win2K Pro systems should provide a more secure environment in which to do business.