Print Page      Email Page
Back to Article List

It's Easy to Secure Windows 2000 Servers: Part 3
By Laura Taylor
May 3, 2005

In the first two parts of this series, you learned how to use Microsoft's Management Console (MMC) to automatically configure and enforce security policies by creating security templates. You also learned how to create a security template and assign Account Policies, Local Policies, and Event Log security policies to it for a basic Windows 2000 server. In Part 3, I'll teach you how to configure and assign System Services, Registry Settings, and File System Settings security policies.

Refreshing Our First Two Lessons

Before I show you how to create a different template for specific server types such as a DNS server, a DHCP server, and an Exchange server, we need to finish learning how to configure the remaining policies for a basic Windows 2000 server. By using security templates you can ensure that security policies are automated. Once a template is in place the policies are regenerated and loaded into memory each time a system is re-started.

As you'll recall, to get to the screen where you do the actual policy configuration, you first need to start up the Microsoft Management Console. You can do this from the Start menu by opening up the Run box and typing MMC as shown below.

Starting the MMC.

After you add the Security Template snap-in (explained in Part 1 of this series), you need to select the template called basicsv, and then open the System Services configuration window as illustrated below.

The System Services Configuration Window.

You are now ready to configure and assign System Services settings. The System Services settings allow you to stipulate which services get launched on startup. You can configure the System Services in the same method you configured the Local Policy settings and the Event Log settings.

Configuring and Assigning System Services Security Policies

The System Services settings should be unique to your organization, and should be a topic of discussion among the systems administrators before you configure them. Keeping that in mind, Table 1 shows an example list of System Service settings designed for a typical, client-server enterprise architecture. Your organization may actually have more services installed on its servers than the ones listed in Table 1.

When you install a new server application it usually adds new services to Systems Services list. The applications that you have running on your server will determine what applications show up in the System Services setting list. The list on your server is likely to be slightly different than the list in Table 1. You will also notice that your Windows 2000 services, as well as your application services, are both mixed together in this list and are listed in alphabetical order.

When configure System Settings, you will want to give the Administrators group full control. To configure the System settings on a group-by-group basis, you need to double-click on the Service name, and then click the Edit Security button as shown in below. You will then see the Allow/Deny security settings by group.

Configuring Security Policy Settings.

In most cases, the group known as Authenticated Users should never have Full Control and their settings for most applications should be set to more restrictive settings such as Read access as shown below.

Authenticated Users Have Limited Control.

You will need to step through this process for each and every application and each and every group. It is important that you know what you are doing when you apply these configuration controls. If you are unsure, leave the default settings in place.

Table 1. Example of System Services Setting for Windows 2000
Service Name Startup Permission
Alerter Manual Configured
Application Management Manual Configured
ASP .NET State Service Manual Not defined
Ati HotKey Poller Not Defined Configured
Auotmatic Updates Not Defined Not Defined
Background Intelligent Transfer Service Disabled Configured
ClipBook Manual Configured
COM+ Event System Manual Configured
Computer Browser Automatic Configured
Crypkey License Not Defined Not Defined
DefWatch Automatic Configured
Dfs (distributed file system) Disabled Configured
DHCP Client Automatic Configured
Distributed Link Tracking Server Automatic Configured
Distributed Link Tracking Client Automatic Configured
Distributed Transaction Coordinator Disabled Configured
DNS Client Automatic Configured
Event Log Automatic Configured
Fax Service Disabled Configured
File Replication Disabled Configured
FTP Publishing Service Disabled Configured
IIS Admin Service Disabled Configured
Indexing Service Manual Configured
Infrared Monitor Disabled Configured
Intel File Transfer Manual Configured
Intel PDS Manual Configured
Internet Connection Sharing Disabled Configured
Intersite Messaging Disabled Configured
IPSec Policy Agent Automatic Configured
Kerberos Key Distribution Center Disabled Configured
License Logging Service Disabled Configured
Logical Disk Manager Automatic Configured
Logical Disk Manager Administrative Service Manual Configured
Messenger Automatic Configured
Net Logon Automatic Configured
NetMeeting Remote Desktop Sharing Disabled Configured
Network Connections Manual Configured
Network DDE Manual Configured
Network DDE DSDM Manual Configured
Norton AntiVirus Client Automatic Configured
Norton AntiVirus Server Automatic Configured
Network News Transport Protocol (NNTP) Disabled Configured
NT LM Security Support Provider Manual Configured
Performance Logs and Alerts Manual Configured
Plug and Play Automatic Configured
Portable Media Serial Number Service Manual Configured
Print Spooler Automatic Configured
Protected Storage Automatic Configured
Remote Access Auto Connection Manager Manual Configured
Remote Access Connection Manager Manual Configured
Remote Procedure Call (RPC) Automatic Configured
Remote Procedure Call (RPC Locator) Manual Configured
Remote Registry Service Disabled Configured
Removable Storage Automatic Configured
RIP Listener Manual Configured
Routing and Remote Access Manual Configured
RunAs Service Manual Configured
SAV Roam Not defined Not defined
Security Accounts Manager Automatic Configured
Server Automatic Configured
Simple Mail Transport Protocol (SMTP) Disabled Configured
Simple TCP/IP Services Not defined Not defined
Smart Card Not defined Not defined
Smart Card Helper Not defined Not defined
SNMP Service Automatic Configured
SNMP Trap Service Automatic Configured
Symantec AntiVirus Automatic Configured
Symantec AntiVirus Definition Watcher Automatic Configured
Symantec Event Manager Automatic Configured
Symantec Network Drivers Service Automatic Configured
Symantec Password Validation Automatic Configured
Symantec Settings Manager Automatic Configured
System Event Notification Automatic Configured
Task Scheduler Automatic Configured
TCP/IP NetBIOS Helper Service Automatic Configured
Telephony Manual Configured
Telnet Manual Configured
TrueVector Internet Monitor Not defined Not defined
Uninterruptible Power Supply Automatic Configured
Utility Manager Manual Configured
Windows Installer Manual Configured
Windows Management Instrumetation Automatic Configured
Windows Management Instrumetation Driver Extension Manual Configured
Windows Time Automatic Configured
World Wide Web Publishing Service Automatic Configured
ZipToA Not defined Not defined

To define the access control, ownership, and audit settings on your Windows 2000 server you need to configure the Registry security settings. There are three types of Registry keys you can configure: the CLASSES_ROOT keys, the MACHINE keys, and the USERS keys. To configure the Registry security settings, from the Console window shown in Figure 2, right-click on the Registry folder and select Add Key as shown below.

Adding Registry Keys for Configuration.

You'll then be prompted to select a particular type of key to configure as shown below.

Selecting a Type of Registry Key to Configure.

When you configure the security settings for your server's Registry keys, you should be sure that the box called Allow inheritable permissions from parent to propagate to child is not checked. You will then need to decide whether to Propagate the inheritable permission or Replace the existing permission for each key. In most cases you will want to elect to Replace the existing permission so that the inheritable permission is not propagated. An example of three Registry key settings is shown in Table 2. Note that for the Registry key settings, you will always want to give the Administrator group Full Control and the SYSTEM group Full Control.

Table 2. Example Security Setting of Registry Key
Object Name Permission Audit
MACHINE\SOFTWARE\Microsoft\Cryptography Replace Replace
MACHINE\SOFTWARE\Microsoft\NetDDE Replace Replace
MACHINE\SOFTWARE\Microsoft\Windows Replace Replace
USERS\.DEFAULT Replace Replace
USERS\.DEFAULT\Software\Microsoft\Windows\CurrentVersion\Policies Replace Replace

To determine File System settings, select the File System folder in the Console window as illustrated below.

Configuring Security File System Settings.

You can then double-click on each of the File System Object Names to configure the setting. Like with the Registry keys, you will have the option of selecting Propagate Inheritable Permissions or Replace Existing Permissions. The groups Administrator, SYSTEM, and Creator Owner should always be given Full Control. You will want to be more restrictive to Authenticated Users and other user groups and will need to understand which users need to access what files before you implement these settings. You should either remove the Everyone group, or else Deny all file permissions to this group. You want to know who is using what resources, and requiring all users to be Authenticated will enable you to know that.

Table 3. File System Setting Recommendations for Windows 2000
Object Name Permission Audit
%SystemDrive%\autoexec.bat Administrators Allow Full Control
Authenticated Users Allow Read, Execute
Creator Owner Allow Full Control
SYSTEM Allow Full Control Everyone Deny All
%SystemRoot% Administrators Allow Full Control
Authenticated Users Read, Execute
Creator Owner Allow Full Control
SYSTEM Allow Full Control Everyone Deny All
%SystemRoot%\Cookies Administrators Allow Full Control
Authenticated Users Read, Write, Execute
Creator Owner Full Control
SYSTEM Full Control Everyone Deny All
%SystemRoot%\repair Administrators Full Control
SYSTEM Full Control Everyone Deny All
%SystemRoot%\Temporary Internet Files Administrators Full Control
Authenticated Users Read, Write, Execute
Creator Owner Full Control
SYSTEM Full Control Everyone Deny All

Before Implementation

You should research, write down, and determine all of your security settings in advance before you actually perform the configuration on a production server. Determining the correct settings will involve understanding the applications, the operating system, and user behavior patterns. This is a job for a Senior Systems Administrator.

You should then circulate the documented settings to the Administrators on your staff, and your security team within your organization for review before implementing them. You should test them in a lab before implementing them on a production server. Finally, the IT Director or Security Officer should sign-off on all settings before implementation. By tightening up your security settings, you can greatly reduce the risk of intrusion or unauthorized use.

Read Part 4 of our series on securing Windows 2000 Servers here.

DHTML Menu By Milonic JavaScript