Windows 2000 Professional has been widely adopted as the desktop client of choice for both private-sector organizations and government agencies. In the two years since its release, Win2K Pro has proven to be a viable client platform for even the most demanding environments.

Windows 2000 Professional offers numerous security mechanisms to control and monitor access. It addresses many of the issues related to maintaining the confidentiality, integrity, and availability of data, resources, and network services. However, nearly every useful security feature of Win2K Pro (and Windows 2000 Server, for that matter) is not enabled by default: a system administrator must configure it after the initial install.

There is no shortage of recommended checklists and step-by-step guides for implementing security on Win2K client systems. I've reviewed a number of them and written a few myself. The problem is that most are developed from a single viewpoint and quickly become dated for lack of upkeep.

However, a new benchmark and security scoring utility addresses both those problems. The Center for Internet Security (CIS) has published the “Windows 2000 Professional Operating System Benchmark – Consensus Baseline Security Settings (v1.0).” In this article, I’ll introduce you to the CIS and explain both the Win2K Pro benchmark and the security utility.

The CIS is a not-for-profit consortium of more than 170 security professionals, organizations, and agencies from around the world whose primary mission is to prevent businesses and government agencies from becoming victims of cybercrimes due to inadequate IT security. To that end, the CIS develops, publishes, and maintains security checklists, baselines, and analysis tools for a wide variety of operating systems. OS vendors are consulted, but they are not allowed to be members.

To date, the CIS has developed and published Level 1 security benchmarks for Solaris, HP-UX, Windows NT, Windows 2000, Linux, and Cisco router IOS. Level 1 benchmarks are compilations of security best practices from federal agencies, such as the National Security Agency, the Department of Defense, and the Defense Information Systems Agency, as well as private-sector security organizations, such as SANS. The Level 1 benchmarks were designed for system administrators at any level of IT security experience. Level 1 documents discuss recommended security features rather than giving procedural guidelines on how to implement the controls.

Level 2 benchmarks (of which only one, for Cisco Router IOS, is currently available) are designed for more sophisticated security professionals. Level 2 benchmarks are aimed at rating security policy compliance, identifying configuration errors, and troubleshooting security configuration controls. CIS is currently designing Level 2 benchmarks for other OSs.

The Windows 2000 Professional benchmark and utility
The goal of the Win2K Pro benchmark is to establish a minimal, prudent due-care security baseline for a Win2K Pro system. This minimum-security baseline is proposed as a universal starting point for any environment, from home users to corporate enterprises to government agencies. The document builds on the Level 1 benchmark but provides details on exactly which security features to enable and which configuration settings to make. Any system administrator familiar with Windows 2000's basic security features and control interfaces can follow it. (Note: This document covers Windows 2000 Professional systems only. A Consensus Baseline for Windows 2000 Server is still in development.)

In addition to the Consensus Baseline, the CIS has released an analysis tool for evaluating systems against this prescribed minimum baseline. The scoring tool, shown in Figure A, performs a detailed system analysis for 12 areas of concern.

Figure A
Windows NT/2000 security scoring tool v2.1.1

The utility generates reports that indicate exactly which areas of the system are insecure, incorrectly configured, or vulnerable to intrusion. The reports include benchmark compliance grades for each of the 12 areas, along with recommendations and instructions for improving security for specific items. The scoring utility incorporates the functionality of Microsoft's HFNetChk hotfix checker and therefore stays current with the latest service packs and hot fixes available for the OS and native Microsoft components. The utility is a noninvasive scanning, analyzing, and scoring tool that makes no modifications to the scanned system whatsoever. It is the responsibility of the system administrator to implement the security configuration benchmark, either manually or with automation tools, and then rescan to confirm that the score has improved.

The recommendations made in the Win2K Pro benchmark document, while relatively easy to put into practice, can take a considerable amount of time to implement manually (upwards of two days per system). However, you can greatly reduce the time required by using the Windows 2000 Security Configuration Tool Set (the Security Templates and Security Configuration and Analysis MMC snap-ins, or secedit.exe from the command line) or another automated configuration utility to build a common security template based on the CIS recommendations, analyze each system against it, and then apply it.
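The following security template is an added illustration of that approach; it is not taken from the CIS benchmark or from the article, and the specific values (password length, lockout thresholds, audit categories, registry settings) are placeholders chosen for the example, not the benchmark's consensus values. Substitute the settings the benchmark document actually prescribes before using it. The section names and key names are the ones Windows 2000 security templates (the .inf files under %SystemRoot%\Security\Templates) use.

```ini
; baseline.inf -- example Windows 2000 security template (illustrative values, not CIS consensus settings)
; Save as Unicode text; secedit.exe and the Security Templates snap-in expect the [Unicode] header below.
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

; Account policy: password and lockout settings (values shown are examples only)
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 90
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 24
ClearTextPassword = 0
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
EnableGuestAccount = 0

; Audit policy: 0 = none, 1 = success, 2 = failure, 3 = success and failure
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditObjectAccess = 2
AuditProcessTracking = 0
AuditDSAccess = 0
MaximumSecurityLogSize = 81920
AuditLogRetentionPeriod = 0

; Registry-based security options: path=type,value (4 = REG_DWORD, 1 = REG_SZ)
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=1,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\AutoDisconnect=4,15
```

To see how far a system diverges from the template before changing anything, import it into a database and run an analysis: `secedit /analyze /db baseline.sdb /cfg baseline.inf /log baseline.log`, then review the mismatches in the Security Configuration and Analysis snap-in or the log file. Once you are satisfied, apply it with `secedit /configure /db baseline.sdb /cfg baseline.inf /log baseline.log`. Test the template on a non-production machine first, since settings such as RestrictAnonymous and the lockout thresholds can break applications and user workflows that were relying on the permissive defaults, and rerun the CIS scoring tool afterward to confirm the new score.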

The purpose of benchmarking
Many federal agencies are required to comply with the new benchmark for Windows 2000 Professional immediately, and many will adopt it as a minimum requirement for the purchase of new systems. Computer vendors will therefore begin to establish grades of security compliance within their product lines to meet government and business purchasing needs.

The CIS benchmarks are not a final security solution for any organization; rather, they are designed to address common attacks and OS failings and to establish a common, minimally secure foundation upon which stronger, environment- or organization-specific security can be built. The ultimate goal of the CIS benchmarking program is to help America improve its defenses against domestic and international cybercrime and other online threats. If everyone, from government agencies to businesses to user communities, patches common vulnerabilities and protects against known attack methodologies, a significant portion of system intrusions and data loss will be eliminated.

Benchmarks are not the final solution to worldwide IT security. Rather, they are a step in the right direction. If there is significant backing of a benchmark standard by federal agencies, businesses, and individuals, then computer manufacturers and software/OS developers will follow suit by developing products that offer a higher level of minimum default, out-of-the-box security.

In the short term, meeting the baseline security requirements will protect your IT infrastructure from common attack methods, setting the stage for higher productivity, consumer confidence, and profits. In the long term, these benefits will encourage the industry to integrate security into the design and development of new products. Ultimately, we will all benefit from a more secure online world.