It's Easy to Secure Windows 2000 Servers: Part 1
By Laura Taylor
January 4, 2005
Configuring servers for security is an important part of mitigating risks to enterprise networks. Although Windows 2000 servers have a reputation for being notoriously insecure, if you take the time it is actually possible to lock them down so tightly that leading scanners will not even recognize that they are Windows servers. The best way to do this is to automate the security on your servers by using security templates, sometimes referred to as .inf files.
Let's Get Started
By using Microsoft's Management Console (MMC), Windows 2000 servers can be set up to automatically configure and enforce the following types of security policies:
The MMC allows you to apply security settings to files, directories, groups, and users enterprise-wide from one location. Since you likely have various types of Windows 2000 servers on your network, the best way to automate security for all of them is to set up a specialized security template for each type of Windows 2000 server. For example, some of the possible types of Windows 2000 servers you may have on your network are:
In Part 1 of this article, I'll tell you how to set up a basic Windows 2000 server security template. In each subsequent article of this series, I'll teach you how to set up a new Windows 2000 server template until you have a library of security templates that you can apply to your enterprise servers.
Load the Snap-In Console
Add/Remove the snap-in console.
A Console1 box should appear. In the top menu bar under Console1, click Console and then select Add/Remove Snap-in. The Add/Remove Snap-in box should then appear as illustrated below. Next, click the Add button. The Add Standalone Snap-in box will then prompt you to select which snap-in you would like to add. Select the Security Templates snap-in as illustrated below.
Select security templates in add standalone snap-in box.
Click Security Templates and then click the Add button. Click the Close button and then click OK. The Security Template snap-in is now loaded. To see the modules within Security Templates, click + to expand the view as illustrated below.
Expand the security template.
To further expand the templates, click the + next to C:\WINNT\security\templates. If you installed Windows 2000 in a different location, the path will display your custom location instead of C:\WINNT\security\templates.
Configure the Security Policies to Meet Your Requirements
Expand the security template categories.
In each category, Account Policies will be listed at the top. You will see the following categories:
Select the basicsv category.
Next, open the particular policy setting that you would like to view or change by clicking on the top-level category in the left pane, and then clicking the particular policy in the right pane of the template window. For example, if you click on Password Policy in the left pane, and then click on Minimum password age, a Template Security Policy Setting box will appear as illustrated below, and you can type in how many days you would like passwords to last before they expire.
Select the security policy that you would like to configure.
To configure the account lockout policies, click on Account Lockout Policies in the left pane, and the policy that you would like to stipulate in the right pane as shown in Figure 7. Select a Template Security Policy Setting box to define a setting, and then stipulate the setting parameter.
Configure the account lockout policies.
You should now continue through all of the Password Policy and Account Lockout Policy settings and configure each one to meet your organization's security requirements.
On a Windows 2000 network, network authentication can be set up to use either Windows NT LAN Manager (NTLM) or Kerberos. It is best to set NTLM or Kerberos settings for the entire domain, and not for individual servers. Therefore, for now, we are going to leave the Kerberos policies undefined. We will discuss how to define Kerberos policies when we set up the policies for a Domain Controller later on in this series. For now, you will not want to either enable or disable the Kerberos policies. Just leave these settings alone. For your basic Windows 2000 server, I recommend that you don't enable "Reversible Encryption" in your password policy. Reversible encryption is used primarily with Internet Information Services (IIS) and Challenge Handshake Authentication Protocol (CHAP). (CHAP is an authentication protocol for dial-in users.)
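An added example, not from the original article: a Python check of a template's .inf text against this section's guidance for a basic server (every password and lockout setting defined, reversible encryption off, Kerberos policies left undefined). The key names are the ones security templates use under [System Access] and [Kerberos Policy]; the function names, the sample template and its values are constructed for illustration.

```python
# Keys written under [System Access] by the Password Policy and Account Lockout nodes.
PASSWORD_KEYS = ["MinimumPasswordAge", "MaximumPasswordAge", "MinimumPasswordLength",
                 "PasswordComplexity", "PasswordHistorySize", "ClearTextPassword"]
LOCKOUT_KEYS = ["LockoutBadCount", "ResetLockoutCount", "LockoutDuration"]

def parse_inf(text):
    """Return {section: {key: value}} for a security template (.inf) file."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1].strip(), {})
        elif current is not None and "=" in line:
            key, value = line.split("=", 1)
            current[key.strip()] = value.strip()
    return sections

def audit(text):
    """List findings for a basic (non-domain-controller) server template."""
    sections = parse_inf(text)
    access = sections.get("System Access", {})
    required = PASSWORD_KEYS + LOCKOUT_KEYS[:1]
    # Reset counter and duration only apply once a lockout threshold is set.
    if access.get("LockoutBadCount", "0") != "0":
        required += LOCKOUT_KEYS[1:]
    findings = [f"{key}: not defined" for key in required if key not in access]
    if access.get("ClearTextPassword", "0") != "0":
        findings.append("ClearTextPassword: reversible encryption enabled")
    for key in sections.get("Kerberos Policy", {}):
        findings.append(f"Kerberos Policy/{key}: defined, expected undefined")
    return findings

# Constructed sample template; the values are illustrative, not recommendations.
SAMPLE = """\
[System Access]
MinimumPasswordAge = 1
MaximumPasswordAge = 60
MinimumPasswordLength = 8
PasswordComplexity = 1
ClearTextPassword = 1
LockoutBadCount = 5
[Kerberos Policy]
MaxClockSkew = 5
"""

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE)))
```

Running the check before a template goes to change control catches settings that were skipped in the snap-in, since an undefined setting simply has no line in the file.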
Recommendations and Requirements
Though you will want to select settings that meet your own unique business requirements, I have put together some default recommendations that could be applied to create a baseline Windows 2000 security template for all your Windows 2000 production servers. Default Windows 2000 Account Policy security setting recommendations are listed in the table below. Keep in mind that all of these recommendations may not be appropriate for your organization and that you should review them carefully before implementing.
You have now learned how to apply security to the Account Policies for your basic Windows 2000 server. Before you put these policies into production, you should be sure to test them and have them reviewed by your Change Control review process. You should remember that what you are trying to do is preserve the integrity, confidentiality, and availability of your data. Oftentimes, not enough emphasis is put on availability. Tightening up your policies too much may prevent your data from being available to the right people. Not tightening up your policies enough may result in security intrusions. Therefore, you'll want to think through the possible settings carefully before making any decisions.
Not securing your Windows 2000 production servers poses a big risk to your organization. However, the good news is that, contrary to popular belief, it's easy to do, and you can lock up Windows 2000 tight if you take the time. Whether or not you take the time to strengthen and automate your security policies, you should also take the time to install the latest security patches.
In the next part in this series, we will configure some of the other security policy settings so you can further strengthen the security posture of your Windows 2000 servers.