Securing Win2k
This page is a culmination of some of the things I have done to secure my Windows 2000 server.
Most of these are pretty basic.
- Load all service packs and Windows Update fixes initially, when the machine is first installed.
This way if one of them pooches the machine you have not lost much.
- Load only those network protocols you need. If you do not know you need it
do not install it.
- Enable only those protocols on each adapter that you know you need.
Specifically, do not enable Client for Microsoft Networks or
File and Printer Sharing on your internet adapter. Only TCP/IP
should be enabled on the internet connection (and IPX if you need it).
- Do not use VNC. VNC is a massive security hole in that the data stream
(including passwords) is not encrypted, only hashed. If you need VNC then manually
enable it only when you need it. You can do this by going into Services and changing its startup type to manual.
- Do not use Citrix Server; it is a massive security hole in that the data stream
(including passwords) is not encrypted, only hashed. There is a high encryption
pack add-on that fixes this.
- Make limited use of telnet/ftp and use only restricted-access user IDs
for this purpose. The passwords are passed unencrypted. The only exception
is telnet under Windows 2000, for both the client and server, which allows
NTLM password passing, which is mildly encrypted.
- SMTP authentication is also not encrypted.
- Change passwords from time to time.
- Only load those services you know you need. So if you do not need an FTP server, do not
load it. Or perhaps manually enable/disable it when you need it.
- Disable Messenger. This has been used of late as a new way
of spamming you.
- Disable Computer Browser. Only your one main server needs to
have the browser service active. With multiple computers
active as the master browser, they fight over which one is going to
be the master browser on the network.
- Be sure to check whether your network adapter and
hub have connected efficiently. Often they will go into
half duplex by default. Your hub may support full duplex
but your network card may not properly detect it.
The diagnostics provided with the Intel Pro 100 (called Proset) and the diagnostics
provided with the 3Com 905, for example, will identify this setting and allow you to
change it. Additionally, these diagnostics will tell you the number of errors the network card
has seen; this can be used to find bad cables, cards, etc.
that can degrade your network's performance.
- If you load Terminal Services be sure to change the encryption level to high. The default
is not. You can find it in Terminal Services Configuration: right click on RDP-Tcp
and select Properties, General tab, Encryption level: High.
- On servers load only the code you need. Each piece of code you load can add instability
and open holes.
- For IIS delete the samples that are installed by default. These have been used by
hackers. Also stop the admin site if you do not need it.
- Check your IIS log files from time to time. They can show hacking attempts. For
example, the Code Red virus shows up in your log file as an attempt to get
at a file called default.ida.
Log files are located in your c:\winnt\system32\logfiles directory, one log file
per day.
- Use HFCINST and NSHC from Microsoft to keep your server up to date with the latest hotfixes. Hotfixes
are released to address specific instabilities and security holes. Hotfixes are
not installed by Windows Update.
- Run Windows Update frequently to keep the machine up to date. Critical Update does not work
properly on terminal server. Which user ID should Windows use to inform the user
that the OS needs updates, all?
- Enable security logging. This will allow you to see if people are logging onto your
machine, and when they succeed and fail.
You can enable this by going into Administrative Tools, Local Security Policy.
- Consider some form of offline storage for sensitive personal data: Zip/Jaz disks, etc.
- Default file permissions are lame. The default is Everyone full control. I change them
to System read, Admins read/write (only admins log onto my server); the
inetpub directory (used by IIS) needs to have Everyone read, Admins full control.
If you use ASPs you will also need Everyone read on the winnt directory.
Individual CGIs may require write authority to some directories.
- Be sure to set a default screensaver with a timeout and use one that is password protected.
I use the built-in logon screensaver.
- Be sure to consider spyware cleaners/blockers if you intend to surf from your server.
You can read more on spyware on my spyware page.
- There is only one comprehensive user ID manager in Windows. If you create a user ID
to allow someone to ftp into your machine, they can telnet, ftp, terminal serve, etc.
by default. Limit your user IDs and control access through the file permissions.
- If possible put all shares and critical data behind your firewall or router.
- Disable VB and JS scripting using Norton NoScript.
- Consider locking down password policies to lock the account
after some number of tries, to remove the possibility of a brute
force attack. You can find this under Start, Control Panel, Administrative
Tools, Local Security Policy, Account Policies, Account Lockout Policy,
Account lockout threshold.
- Also be sure to change the security settings to remove the
ability to have a blank password. You can find this under Start, Control Panel, Administrative
Tools, Local Security Policy, Account Policies, Password Policy,
Minimum password length.
When done be sure to run Microsoft Personal Security Advisor.
You can also probe your machine by running Shields Up to test your server's vulnerability.
Here is another document: Securing your server
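As an added example (not from the original page), here is a small Python script that does the IIS log check described in the list above: it reads log lines in the W3C extended format IIS writes and counts requests for default.ida per client address, which is the pattern Code Red leaves behind. The log lines are constructed, and the W3SVC1 subdirectory name is an assumption about where IIS puts the files.

```python
from collections import Counter
from typing import Iterable, Iterator

# Constructed sample, modelled on the W3C extended format IIS 5 writes
# (one file per day under c:\winnt\system32\logfiles\W3SVC1\, assumed).
# The default.ida lines imitate Code Red's probe; the rest are normal hits.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-07-19 00:00:01
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-07-19 00:00:01 10.0.0.5 GET /index.htm - 200
2001-07-19 00:00:07 203.0.113.9 GET /default.ida NNNNNNNNNNNNNNNNNNNN 200
2001-07-19 00:00:09 10.0.0.5 GET /images/logo.gif - 200
2001-07-19 00:01:30 198.51.100.23 GET /default.ida XXXXXXXXXXXXXXXX 404
2001-07-19 00:02:02 203.0.113.9 GET /Default.IDA NNNNNNNN 200
2001-07-19 00:03:11 10.0.0.8 GET /scripts/foo.asp a=1 200
"""

def parse_w3c(lines: Iterable[str]) -> Iterator[dict]:
    """Yield one dict per request, keyed by the names in the #Fields line."""
    fields = None
    for raw in lines:
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):  # IIS can re-emit this mid-file
                fields = line.split()[1:]
            continue
        parts = line.split(" ")
        if fields is None or len(parts) != len(fields):
            continue  # data before a header, or a truncated line: skip it
        yield dict(zip(fields, parts))

def find_ida_probes(lines: Iterable[str]) -> Counter:
    """Count requests for default.ida per client IP (IIS paths are
    case-insensitive, so the comparison is too)."""
    hits: Counter = Counter()
    for rec in parse_w3c(lines):
        if rec.get("cs-uri-stem", "").lower().endswith("/default.ida"):
            hits[rec.get("c-ip", "?")] += 1
    return hits

if __name__ == "__main__":
    for ip, n in find_ida_probes(SAMPLE_LOG.splitlines()).most_common():
        print(f"{ip:16} {n} request(s) for default.ida")
```

Point it at a real day's file with `find_ida_probes(open(path))` to get the same per-address counts.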
Obvious stuff:
- Load an anti-virus program. Have it update automatically at least daily. Automatically
run virus scans as often as you deem necessary.
- Backup critical files frequently.
Increasing Reliability
There are two fairly obvious things you should consider
when building a server on your own. First is temperature.
Most motherboard companies provide some form of monitor
for checking and alerting. This is a good idea especially
if the machine is in a remote area. Check your motherboard
manufacturer's web site.
Motherboard Monitor
Second is SMART. SMART is a pre-failure warning system built
into most new hard drives. The problem is it is not built into
Windows. Some hard drive companies have programs to check
the SMART status of their drives and sometimes even run tests.
The problem is if you have more than one company's drives. Also
the programs from the hard drive companies are pretty basic.
I looked around a bit and found a really good program
to handle SMART. The program is called Active Smart.
The program includes:
- showing you the values of the parameters returned by SMART.
This allows you to see how good or how bad the drive is and
what the problem may be: platter, motor, etc.
- SMART can be checked automatically on a defined interval.
- The program will alert you if it
What's missing:
- ability to run a program on alert (the company says they
are adding this).
- ability to manually run or schedule SMART self tests (the company also
says they are adding this).
There is a demo version of the program available but you will
need to buy it to keep it working. I think it is worth it.
Want to read some more about SMART?
Even more about SMART?
A couple of other thoughts
There are a couple of other items that can help in the setup of a server.
Time Synchronization
I set up a machine on my network to sync with internet time servers. Then
I sync to the server from all other machines on my network.
I use a freeware program called Time Sync
and point it at the following internet time servers:
- tick.ucla.edu
- timelord.uregina.ca
- clepsydra.dec.com
From there, syncing the clients can be done in many ways. I use a simple
net command:
net time \\server /set /y
You can also use a service that is part of either the NT Resource Kit or the Win2k Resource
Kit called TIMESERV.
A list of time servers on the internet.
Certificate errors
Tired of seeing certificate errors in the event viewer?
Read how to get rid of them.
SSL encryption for your web server
You can encrypt parts of your web server by creating a certificate for your web server.
Here's how.
Reboots
Servers, when they get unstable or are being hacked, can sometimes
reboot unexpectedly. To watch for these I use a DOS program called
Mailto to email myself whenever the server reboots.
Remote desktop connection over the web
In Windows XP, IIS can be used to pass remote desktop to the client, which then requires no client
code be installed. This same feature can be added to Windows 2000 server. You simply need to
install the link between IIS and remote desktop support.