Windows 2000 Server Security Checklist

The following checklist is a summary of the security points which should be checked prior to bringing a Windows 2000 server online. In cases where these points are not followed, the administrator may want to securely document the known security issues for referral should a security break-in occur. More detail about specific settings and the impact they can have are available on Microsoft's website.

General Assumptions

Server is physically secured.
Only system administrators are local administrators.
Every administrator (each person) has a separate account, i.e. no shared administrator accounts.
Installation and patching is done OFF the network, so server isn't exploited prior to patching.
All drives are formatted NTFS.
Email will not be read on the server by anyone.
Remote access software will not be installed. Windows Terminal Services in application mode can be employed if remote console access is required by non-administrators.
No account will be logged in at the console continuously. Most processes can be configured to run as a service. Processes which must be run from the console and not as a service require a locked console.

Again, if these assumptions are not true, you probably want to document the exceptions and discuss the implications with appropriate personnel.

Design Guidelines

Applications should not be installed on the system drive.
User or application data should not be stored on the system drive.
Only administrators should have access to the system drive.
Replace Everyone ACLs with Authenticated Users, Domain Users, or a more restrictive group.
Web browsing from a server is a security risk due to browser security issues. If browsing is required, server-based browsers should be vigilantly patched, and if possible restrictions on use should be employed.
Any service which requires a service account which is a domain user should be documented as a known security issue. Should the server be compromised these accounts can easily be used to further compromise other domain systems. Pre-built code which will grab the password for service accounts (given a system level compromise) is easy to obtain on the internet.
Consider implementing IPSec if all clients are Windows 2000 or higher.
Consider implementing SMB signing and secure channel encryption if all clients have an AD client.

Installation Configuration

Install Norton Anti-Virus or another virus scan solution, with a daily virus definition update setting.
Consider disabling unneeded services. Unneeded services increase the risk profile of the server. http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp lists the default services, and the implications of disabling them. Some infrequently used services to strongly consider are: Alerter, Distributed Link Tracking, Distributed Transaction Coordinator, Fax Service, Indexing Service, Internet Connection Sharing, Messenger, NetMeeting Remote Desktop Sharing, QoS RSVP, Remote Access Auto Connection Manager, Remote Access Connection Manager, Remote Registry Service, Routing and Remote Access, Smart Card, Smart Card Helper, Telnet, Uninterruptible Power Supply.
OS2 and Posix Subsystem removed: delete os2.exe and posix.exe.

Patch Level

Apply Service Packs and hotfixes with UpdateExpert or HFCheck.
Make sure high encryption pack is installed (Windows 2000 SP2 does this).

Authentication Changes

Guest account is disabled.
IIS accounts removed from Guests group.
Administrator account renamed.
Restrict authentication methods. NTLMv2 or Kerberos are the only acceptable forms of authentication.

Restricting the authentication methods can be doen via the registry key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\LMCompatibilityLevel (reg_dword)

Or via a GPO:

Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\LAN Manager Authentication Level

The values are:

Send LM and NTLM, never use NTLMv2 session security
Use NTLMv2 session security if negotiated
Send NTLM only
Send NTLMv2 only
DC refuses LM responses (accepts only NTLM & NTLMv2)
DC refuses LM and NTLM responses (accepts only NTLMv2)

The value 5 should be set, and 3 should be used if there is any problem.

Authorization Changes

Non-system drives should have the default root NTFS permissions changed from Everyone:Full to something more appropriate. At the very least, Authenticated Users:Change should be set. At best, restrict permissions at the root to the specific client group which will need access to the application/data there.
Share permissions should likewise be restricted from Everyone:Full as noted above. At the least, Authenticated Users: Change & Adminstrators:Full should replace this setting. Not doing this can also leave your system open to CAL stealing by unauthorized users.
If this server will support a service which has regularly has security problems, consider changing the ACLs on all executables in \winnt\system32 from Administrators & System: FULL to something more specific like listing all the specific domain admin accounts individually. System doesn't need access to those executables.

Rights

The following user rights should be set and reviewed closely:
Access this computer from the network - only those who require network access, so Everyone is not appropriate. Authenticated Users would be the least acceptable option, and a more restrictive group would be preferred.
Bypass Traverse Checking - Remove Everyone and replace with Authenticated Users.
Change System Time - Remove Power Users. Administrators only.
Create permanent shared objects - Administrators only
Force Remote Shutdown - Remove Server Operators. Administrators only.
Logon locally - only those who require local console access, so Administrators and service accounts only. Remove Everyone, Server Operators, Backup Operators, Power Users, Guests, Users.
Logon as a service - Review this closely.
Manage auditing and security log - Administrators only
Take ownership of files or other objects - Administrators only
Shutdown system - Administrators only

Auditing

The local audit settings must be enabled. These settings can be enabled at:

Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Audit Policy

The following settings should be set:

Event	Success	Failure
Account logon events	X	X
Account management	X	X
Directory service access	X	X
Logon Events	X	X
Object access		X
Policy change	X	X
Privilege use	X	X
Restart, Shutdown, and System	X	X
Process Tracking

Setting auditing policy isn't complete, until you have also set the file auditing ACL, known as a SACL. You will probably want to set the following SACL at the root of the system's drives:

Event	Success	Failure
Traverse Folder / Execute File		X
List Folder/Read Data		X
Create Files / Write Data		X
Create Folders / Append Data		X
Delete		X
Set Value (Registry Key)		X
Print (Printers)		X
Change Permissions (Dirs and Printers)	X	X
Take Ownership (Dirs and Printers)	X	X

Make sure server is added to event log dump process so that auditing is actively summarized and watched.

Denial of Service Settings

The following settings should be set to limit the exposure to denial of service attacks. These setting are especially important since UW has no firewall. All the following settings are registry keys in the hive:

HKLM/SYSTEM/CurrentControlSet/Services/Tcpip/Parameters

SynAttackProtect: REG_DWORD=2
Determines how a SYN flood is handled, where the third packet of the handshake is never received in an attempt to exhaust the available TCP session handles.
EnablePMTUDiscovery: REG_DWORD = 0 (i.e. False)
Restricts an attempt to use a non-standard Path Maximum Transmission Unit size for all connections external to the local subnet.
Netbt\Parameters\NoNameReleaseOnDemand: REG_DWORD = 1 (i.e.True)
Prevents an external host request to release the local host's netbios name.
EnableDeadGWDetect: REG_DWORD = 0 (i.e. False)
Prevents the server from switching to a different gateway when problems are encountered. Attackers cause problems then hijack the session via their fake gateway.
KeepAliveTime: REG_DWORD = 300,000 Decimal (milliseconds)
Idle TCP connections are actively verified with a keep-alive packet.
Tcpip\Parameters\Interfaces\PerformRouterDiscovery: REG_DWORD = 0
Uses RFC 1256 router discovery.
EnableICMPRedirects: REG_DWORD = 0 (i.e. False)
Determines whether an external party can use ICMP packets to modify the local host's routing table.

Other Security Policies

Restrict anonymous users from accessing the registry.

This can be done via the registry key:

HKLM\System\CurrentControlSet\Control\LSA\RestrictAnonymous=1 or 2

OR via a GPO:

Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Additional restrictions for anonymous connections

The values are:

1. Do not allow enumeration of SAM accounts and shares

2. No access without explicit anonymous permissions

The value 2 is preferred, but 1 may be needed by some poorly written applications.

The following security policies should be reviewed closely. They are located at:

Group Policy\Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\

Disable CTRL+ALT+DEL requirement for logon - Disabled
Do not display last user name in logon screen - Enabled
Acceptable Use message on user logon.

Additional steps that can be taken

The following settings may additionally limit the exposure to denial of service attacks.

HKLM\System\CurrentControlSet\Services\Tcpip\Parameters\

TcpMaxHalfOpen: REG_DWORD=100 (500 on Advanced Server)
Determines the number of half-open (i.e. only 2 of the 3 packets in the handshake) TCP sessions available. This should be used in conjuction with the SynAttackProtection key.
TcpMaxHalfOpenRetried: REG_DWORD=80 (400 on Advanced Server)
Determines the number of half-open TCP sessions (that have been retried once) before the SynAttackProtection key kicks in.
TcpMaxPortsExhausted: REG_DWORD=1
TcpMaxConnectResponseRetransmissions: REG_DWORD=2
EnableSecurityFilters: REG_DWORD=1
DisableIPSourceRouting: REG_DWORD=1
Determines whether the client can determine the routing path of its packets should follow to this server.
TcpMaxDataRetransmissions: REG_DWORD=3
DisableDynamicUpdate: REG_DWORD=1
Determines if DDNS updates are set across ALL interfaces on the local server. A different setting might be desired on AD domain controllers.

HKLM\System\CurrentControlSet\Services\AFD\Parameters\

EnableDynamicBacklog: REG_DWORD=1
MinimumDynamicBacklog: REG_DWORD=20
MaximumDynamicBacklog: REG_DWORD=20000
DynamicBacklogGrowthDelta: REG_DWORD=10

Re-used with permission from Stanford University for which I originally wrote this documentation, http://windows.stanford.edu/docs/w2kservsecchecklist.htm

UW Windows Domains Menu