Lockdown W2K (in progress)
Author: jason
Date: 2003-05-16
Category: Technical

The reason I like Windows 2000 Server for my home is that I use it at work. The time I spend learning about it at work can be applied at home. It makes things easier.

Locking down W2K isn't all that hard. I can think of 3 distinct areas that sum up security in W2K: Permissions, Rights, Patches. Most of the vulnerabilities I see day to day are buffer overflows with IIS, unpatched programs, and default permissions/rights (everyone full control).

With some fairly simple steps you can decrease the likelihood of an easy hack. Please note, I am not claiming the below steps will make your system invulnerable! In fact most of the stuff I will mention is fairly common sense. I am only indicating that with some simple steps your machine will be *less likely* to be successfully hacked.

What is your server's purpose? Web Server? FTP server? LAN File Server? Game Server? By acquiring a copy of Windows 2000 Server you can quickly setup a server performing the mentioned services. Whee!

Let's talk about a File/Game Server first, which will lead into a Web/FTP server.

I would recommend using all the defaults for Windows 2000 during the install, except... Do NOT install Internet Information Service (IIS)!! Uncheck that option when prompted in setup. At a later time you can install IIS if you wish. More machines get hacked through IIS right after a new W2K install is brought online because the admin doesn't even have time to lock it down before a scan and slam!

Load Service Pack 3 after installing!!! Go on now... Load it up... You can do it... It's only a 129MB download... I'll wait... Now run out to WindowsUpdate and do all the other Critical Updates. Don't worry, I won't go anywhere. And don't be so paranoid, M$ isn't tracking your porn collection... Just Product Key and IP address.

By default W2K puts Everyone - Full Control over the partitions created/formatted in setup. Typically just C: drive, unless you actually formatted more. So all of C: is set for Everyone - Full Control! Hooray!! Microsoft just made it extremely easy for all the legacy products to install/run on W2K Server. Only... Ah... It just screams "hack me". If you are a File/Game Server you can safely change the C: Security permissions to another setting.

Double-click My Computer, right-click C:, select Properties. Right off the bat I would uncheck "Allow Indexing..." I think it's a waste of resources. I would also check the box to modify the sub-folders and files. After that finishes go into the Security tab. Click Add, Select Administrators (the group, not the user), System, and Users (if you want to add Users...). The function of a File/Game Server should not require network users to need permissions to the C:. And in that sense, do not share/store your files on the C:! Now after those 2 (or 3) are added, change Administrators and System to Full Control by clicking the Allow Full Control box for each one. You can set Users to Modify, if you added them. After that you can safely remove the Everyone group. Then go into Advanced and select "Replace permissions on..." This will take a few seconds. When it finishes go ahead and close the window(s).

Now right-click the My Computer icon on the desktop and choose "Manage". Go into Event Viewer. There are 3 types of events: Application, Security, System. Right-click Application, select Properties. I would recommend setting the Maximum log size to: 10048 (10MB). And setting the events to overwrite as needed. Please note!! If you are good at checking/clearing your logs then set this to "Do not overwrite". For home use I wouldn't recommend "Overwrite events after..." unless you were to bump it to like 20-30 days, its just too easy to not check the logs for a month and have important stuff overwritten because it's been so long. 10MB is a good size for a maximum log file. If you're checking it once a week on a not-so-busy server it should be fine. If you have the room set the log file to 100MB. Please note!! Choosing "Do not overwrite" will not overwrite your logs when the maximum log size is reached. W2K will stop logging at that time! Whatever you do, just make sure you're paying attention to the logs and clearing them every now and then. You can also setup a batch file program with a resource kit utility (can't remember the name right now) to auto-schedule your logs to save and clear themselves. Now do the same as you did for App to Sec and Sys.

Moving on into Shares. NT, W2K, and XP create default admin shares. They are: C$, Admin$, IPC$, and other partition you've got $... like E$, D$, but not for the CDROM... These are hidden shares for admins to access the root the drives. Admin$ is linked to %systemroot% which is typically Windows or Winnt. The IPC$ is used for other people establishing network connections to your machine, it is tied to the Server service. Things you need the IPC$ for is normal file sharing, remote registry browsing, remote computer management, etc... You do not need it if you have separate services announcing on their own ports (like web 80, ftp 21, telnet 22/23, smtp 25, etc...). You can delete these admin shares, but when you reboot they will recreate! What's really fun on a LAN is to delete your IPC$ and challenge your buddy to null scan you... It takes a good scanner (or clever hacker) to illicit the valuable responses you want. To permanently remove the default shares you need to modify the registry: Hive: HKEY_LOCAL_MACHINE Key: SYSTEM\CurrentControlSet\Services\LanManServer\Parameters Name: AutoShareServer for servers Name: AutoShareWks for workstations Type: REG_DWORD Value: 0 MS Article: Q156365.

Go into Local Users and Groups. This is where you can change the default name of your admin and guest accounts. Just right-click them and select Rename. I recommend logging off and logging back in if you change the admin name. Makes it difficult to do admin things when you're logged in as a non-existent admin account... Pretty funny though. At this point, if you want, you can create local users.

The Performance Logs and Alerts section is where you can track the server usage... Nothing to secure here. Move along. Move along now...

Jump down to Services and Applications. Expand it and select Services. There are quite a few services you do not need. Some can help secure the system, others will just remove overhead from the processor and memory. Here's a list of unnecessary services for a file/game server: Alerter, Automatic Updates, Background Intelligent Transfer, Indexing, Messenger, blah blah blah. If you really really want to lock down go out and read about the function of each service and set those you don't want to Disabled. Go on now. Read a book!! Just kidding here are some basics: Alerter, ClipBook, Computer Browser, DHCP Client, DHCP Server, Fax Service, File Replication, INfrared Monitor, Internet Connection Sharing, Messenger, NetMeeting Remote Desktop Sharing, Network DDE, Network DDE DSDM, NWLink NetBIOS, NWLink IPX/SPX, Print Spooler, TCP/IP NetBIOS Helper Service, Telephony, Telnet, Uninterruptible Power Supply. For the most part running a File Server requires things like the Server Service and RPC, which can give out valuable information about your machine. So it's a trade-off.

Close out of Computer Management. Click Start, Programs, Admin Tools, Local Security Policy. That's right baby... Moving on from Permissions to Rights... This is where you can tinker with some pretty tight security settings. Go into Account Policies. Set the Password Policy!! Come one. You know you need good passwords. Then set the Account Lockout. Gotta keep the kiddies out...

Then into Local Policies, Audit Policies. If you've set your Audit logs fairly high then go ahead and set the Success and Failure of all activities. If not maybe just select the failure of Logon Events, System Events, Account Logon events. And the success of Account Management, Policy Changes, Privilege Use, and Object Access. But I would really select the Success and Failure of EVERYTHING!

Now onto User Rights Assignments. This can get tricky!! By default Everyone is in several places. Removing it won't stay permanent. Microsoft will just add it back after reboot. There's a registry setting to keep Everyone out... But I haven't looked into that too hard... Hmmm... Might have to stay up late tonight...

More to come!!



jason @ jasonthomasfrance.com - www.masterstationlog.com - copyright 2009