Here are some tips I have gleaned from articles about hardening W2K systems for protection against Internet attacks and loss of information while on the Internet.

These are steps to take in addition to shutting down the services which I mentioned in my last email. These steps would apply particularly to DTAP machines.

 

Note: It is not mandatory that we do any of these steps, it depends on how secure we want to get.

 

Shut down unnecessary ports

Phil Cox covers this well in his document “Hardening Windows 2000” http://www.systemexperts.com/win2k/HardenWin2K.html

Set TCP/IP filtering on all adapters and permit only TCP ports 80 (HTTP) and 443 (HTTPS), and IP protocol 6 (TCP).

For many of our machines port 1443 should also be open for SQL communication, as well as the streaming media ports (I’m not sure what ports they are).

Automation: none

 

There is also IPSec filtering.

Phil Cox points out that you can use IPSec filtering without actually implementing IPSec.

Automation: none

 

Remove unnecessary programs

Phil Cox has tips on removing

Fax

COM

DTC

Imagevue

Games

Accessory Utilities

Communication Applications

PinBall

Accessibility Options

Automation: none

Set System Policies

This might be accomplished by applying the Security Templates – I have to look into this more in order to understand it. This work is done using the secpol.msc /s snap-in.

 

Apply the HISECWEB security template http://rr.sans.org/win200/win2000_sec.php

Automation: There may be some automation for this, I have some tools in my next email.

 

Remove unnecessary ODBC connections

Automation: None

 

Create Alternate IIS user accounts to communicate between IIS and SQL Servers (pp. 12 – 17 of http://rr.sans.org/web/sec_IIS.php )

Automation: None

 

Secure Sockets Layer (SSL) encryption or another authentication method between DTAP machines and WMCSCDTAP (see http://rr.sans.org/win200/win2000_sec.php )

Automation: None

Disable IIS from using unnecessary file types (p. 18 of http://rr.sans.org/web/sec_IIS.php )

Automation: None

Move/Rename Executables

Xcopy

cmd.exe

regini.exe

telnet.exe

ftp.exe

at.exe

etc.

Clearest Article on this: http://rr.sans.org/win200/win2000_sec.php

Automation: None

 

Change ACLs on command line tools such as arp, at, cmd and ftp so that only a special group, e.g. Toolsadmin, has access to them. See Phil Cox.

Automation: There might be some ways to automate this

 

Delete Sample IIS Pages and Scripts (p. 19 of http://rr.sans.org/web/sec_IIS.php)

Automation: None

 

Disable Web-based management of Internet Services

Automation: None

 

Disable Internet Printing

Automation: None

 

Harden the admin password

- DTAP should have a password other than the one we use in the lab.

- The password policy most likely needs to be set on those machines.

- Create a dummy administrator account; the real administrator account is named something other than Administrator.

Automation: ChangePW.cmd

Enable auditing to see if anyone is trying to log on as administrator or another user

If the admin username is changed as above, logging would show people trying to log on as administrator.

Automation: None
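Once the real administrator account has been renamed and a dummy "administrator" exists, nobody has a legitimate reason to log on with the decoy name, so any attempt against it is worth a look. The following added example (not from the email or any of the articles it cites) scans a Security-log export for such attempts; the five-column tab-separated layout and the sample lines are constructed for this example, and a real Event Viewer export would have to be mapped onto those columns first.

```python
# Added example, not from the original email: flag logon attempts that name the
# decoy "administrator" account.  The five-column tab-separated layout below is
# constructed for this example; a real Event Viewer export must be mapped to it.
import csv
from collections import defaultdict
from io import StringIO

LOGON_SUCCESS = "528"   # Windows 2000 Security log: successful logon
LOGON_FAILURE = "529"   # unknown user name or bad password
DECOY_ACCOUNT = "administrator"

# Constructed sample: date, time, event id, target user name, workstation
SAMPLE_LOG = """\
2001-11-02\t09:12:03\t529\tAdministrator\tDTAP01
2001-11-02\t09:12:07\t529\tadministrator\tDTAP01
2001-11-02\t09:12:10\t529\tadministrator\tDTAP01
2001-11-02\t09:30:41\t528\twebops\tDTAP01
2001-11-02\t10:05:55\t529\tjsmith\tDTAP02
2001-11-03\t02:17:19\t528\tadministrator\tDTAP02
"""

def parse_events(text):
    """Return (event_id, user, host) tuples; malformed rows are skipped."""
    events = []
    for row in csv.reader(StringIO(text), delimiter="\t"):
        if len(row) == 5:
            events.append((row[2].strip(), row[3].strip().lower(), row[4].strip()))
    return events

def decoy_activity(events):
    """Per host, count failed and successful logons that named the decoy."""
    per_host = defaultdict(lambda: {"failed": 0, "success": 0})
    for event_id, user, host in events:
        if user == DECOY_ACCOUNT and event_id == LOGON_FAILURE:
            per_host[host]["failed"] += 1
        elif user == DECOY_ACCOUNT and event_id == LOGON_SUCCESS:
            per_host[host]["success"] += 1
    return dict(per_host)

def alerts(per_host, failure_threshold=3):
    """Hosts to look at: any success on the decoy (nobody should use it, so its
    password is known to someone), or repeated failures against it."""
    flagged = []
    for host, c in sorted(per_host.items()):
        if c["success"] > 0:
            flagged.append((host, "decoy account logged on successfully"))
        elif c["failed"] >= failure_threshold:
            flagged.append((host, "%d failed logons as decoy" % c["failed"]))
    return flagged

if __name__ == "__main__":
    for host, reason in alerts(decoy_activity(parse_events(SAMPLE_LOG))):
        print("%s: %s" % (host, reason))
```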

 

Install a Firewall on each server

I think there are some genuinely free firewalls

Some other Steps

There are many more steps that can be taken to harden a W2K system. It depends on how much we want to look into it.

 

Install the 128-bit Encryption Pack http://www.microsoft.com/windows2000/downloads/recommended/encryption/

Automation: None

 

Use syskey.exe to change the storage location of the SAM database password

Automation: None


Recap on Shutting down Services

 

As a minimum these are SMTP, NNTP, FTP, Telnet and Index Server.

Automation: ChangePW.cmd

 

Phil Cox’s article says these are the only services necessary.

Needed according to Phil Cox’s article:

DNS Client

Eventlog

Logical Disk Manager

Network Connections Manager

Plug and Play

Protected Storage

RPC

Remote Registry Service

RunAs service

Security Accounts Manager

SANS says these are also needed:

WMI

WMI Extensions

Logical Disk Manager Administrative Service – set to manual

IIS Admin Service

WWW Pub Service

Not needed according to http://rr.sans.org/win200/win2000_sec.php:

Alerter

Clipbook Server

Computer Browser

DHCP Client

Messenger

Netlogon (if stand-alone system)

Network DDE

Network DDE DSDM

Network Monitor Agent

Simple TCP/IP Services

Spooler

NetBIOS Interface

TCP/IP NetBIOS Helper

NWLink NetBIOS

Server
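To check a box against the two lists above, the running services can be compared with them. The following is an added example (not from the email or the articles it cites): it parses constructed `net start` output and reports what should be stopped, what needed service is not running, and what is on neither list. The list entries are the names as written in this recap; on a real host they must be replaced with the display names net start actually prints.

```python
# Added example, not from the original email: check a host's running services
# (constructed `net start` output below) against the needed / not-needed lists
# in this recap.  Entries are the names as written above, not verified display names.
NEEDED = {
    "DNS Client", "Eventlog", "Logical Disk Manager", "Network Connections Manager",
    "Plug and Play", "Protected Storage", "RPC", "Remote Registry Service",
    "RunAs service", "Security Accounts Manager", "WMI", "WMI Extensions",
    "IIS Admin Service", "WWW Pub Service",
}
NOT_NEEDED = {
    "Alerter", "Clipbook Server", "Computer Browser", "DHCP Client", "Messenger",
    "Netlogon", "Network DDE", "Network DDE DSDM", "Network Monitor Agent",
    "Simple TCP/IP Services", "Spooler", "NetBIOS Interface",
    "TCP/IP NetBIOS Helper", "NWLink NetBIOS", "Server",
}

# Constructed sample of `net start` output from a DTAP box (indented names)
SAMPLE_NET_START = """\
These Windows 2000 services are started:

   Alerter
   DNS Client
   Eventlog
   IIS Admin Service
   Messenger
   RPC
   Server
   Task Scheduler
   WWW Pub Service

The command completed successfully.
"""

def parse_net_start(text):
    """Service display names from net start output: the indented lines only."""
    return {line.strip() for line in text.splitlines()
            if line.startswith(" ") and line.strip()}

def audit_services(running, needed=NEEDED, not_needed=NOT_NEEDED):
    """Return (running services to stop, needed services not running,
    running services on neither list); matching is case-insensitive."""
    run = {n.lower() for n in running}
    need = {n.lower(): n for n in needed}
    drop = {n.lower() for n in not_needed}
    to_stop = sorted(n for n in running if n.lower() in drop)
    missing = sorted(name for key, name in need.items() if key not in run)
    unknown = sorted(n for n in running if n.lower() not in need and n.lower() not in drop)
    return to_stop, missing, unknown
if __name__ == "__main__":
    stop, missing, unknown = audit_services(parse_net_start(SAMPLE_NET_START))
    print("stop:", stop); print("missing:", missing); print("unknown:", unknown)
```

Services in the "unknown" bucket (Task Scheduler in the sample) are not covered by either article and have to be decided case by case.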

Further Resources

 

A Step-by-Step Guide to Securing Windows 2000 for Use as an Internet Server
David S. Courington
March 29, 2001

http://rr.sans.org/win2000/win2000_sec.php  (This article has a good bibliography.)

 

Securing Microsoft IIS

Barbara Chung

Sr. Technology Specialist

National Technology Team

Microsoft Corporation

http://www.techmd.state.md.us/chungpresent.pdf

 

17 Steps for a Secure IIS Server

Article on DeveloperIQ.com

http://www.developeriq.com/Magazinestories/01dec12iis.php3

 

Securing Microsoft’s Internet Information Server 5.0
Ben White
August 31, 2001

http://rr.sans.org/web/sec_IIS.php

 

Securing a Windows 2000 IIS Web Server – Lessons Learned
Harpal Parmar
October 8, 2001

http://rr.sans.org/web/IIS_server.php

 

Comprehensive Review of Windows 2000 Security Policy Templates and Security Configuration Tool
David B. Koconis
SD453373
March 6, 2001

http://www.ists.dartmouth.edu/IRIA/knowledge_base/sectemplates/sectemplates_full.htm

 

Windows 2000 Security Checklist

http://www.labmice.net/articles/securingwin2000.htm

 
Microsoft Security Check Lists

W2K Pro

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2kprocl.asp  

 

W2K Server:

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/w2ksvrcl.asp  

 

IIS 5.0

http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/iis5cl.asp

 
Securing IIS 5.0 Using Batch-Oriented Command Files

http://www.microsoft.com/technet/treeview/default.asp?url=/TechNet/prodtechnol/iis/deploy/confeat/seciis50.asp

The batch Files for this article are installed on DWSLAB admin

 
Systems and Network Attack Center (SNAC) Guide to the Secure Configuration and Administration of Microsoft Internet Information Services 5.0

This is a 128 page Adobe Acrobat Document. They have several guides out. I have downloaded them all and placed them on \\dwslabadmin

 
Mentioned Above:

Hardening Windows 2000, by Phil Cox http://www.systemexperts.com/win2k/HardenWin2K.html

 
Books we might get

Windows 2000 Security Handbook by Phil Cox

http://www.windows2000securityhandbook.com

 
Free Web sites to check security

 

http://www.pedestalsoftware.com/secexp/webscan/scan.htm

 

http://www.microsoft.com/technet/mpsa/start.asp - Microsoft Personal Security advisor website – add to other email that I sent

 

http://windowsupdate.microsoft.com/default.htm - Windows Critical Update (must click another link here)