Securing Windows 2000 Server
Archived content. No warranty is made as to technical accuracy. Content may contain URLs that were valid when originally published, but now link to sites or pages that no longer exist.
Chapter 1: Introduction to Securing Windows 2000 Server
Welcome to the Securing Windows 2000 Server solution guide. This guide is designed to inform you of the best information and analysis tools available to assess security risks specific to Microsoft® Windows® 2000 servers in your environment. The guide then provides detailed guidance on building in enhanced security settings and features wherever possible in your Windows 2000 servers to mitigate the risks that you have identified. Finally, detailed instructions to help keep your servers secure are provided. If you are a consultant, designer, or systems engineer involved in a Windows 2000 Server environment, this guide was designed with you in mind.
The guidance was reviewed and approved by Microsoft engineering teams, consultants, and support engineers, and by customers and partners. It is:
Proven – Based on field experience
Authoritative – Offers the best advice available
Accurate – Technically validated and tested
Actionable – Provides the steps to success
Relevant – Addresses a real-world problem
Rather than discuss every approach that you could use to secure the Windows 2000 servers in your organization, this guide follows a fictitious company through a very real technical scenario, one that represents a significant percentage of Windows 2000 Server deployments. The latest best practices for securing these servers were established by working with consultants and systems engineers who have implemented Windows 2000 Server in a variety of environments. Chapters 2 through 10 include step-by-step security procedures that give you a list of tasks to perform to move your Windows 2000 servers from where they are to where you want them to be. If you want a more in-depth discussion of the concepts behind this material, refer to resources such as the Microsoft Windows 2000 Resource Kit and Security Resource Kit, or Microsoft TechNet.
Whatever your environment, you are strongly advised to take security seriously. Many organizations make the mistake of underestimating the value of their information technology (IT) environment, generally because they exclude substantial indirect costs. If an attack on the servers in your environment is severe enough, it could greatly damage the entire organization. For example, an attack in which your organization's Web site is disabled that causes a major loss of revenue or customer confidence might lead to the collapse of your organization's profitability. When evaluating security costs, you should include the indirect costs associated with any attack, as well as the costs of lost IT functionality.
Vulnerability, risk, and exposure analysis with regard to security informs you of the tradeoffs between security and usability that all computer systems are subject to in a networked environment. This guide will show you how to identify the risks inherent in a networked environment, help you to determine the level of security appropriate for your environment, and provide you with the steps necessary to achieve that level of security. Although targeted at the enterprise customer, much of this guide is appropriate for organizations of any size.
The fictional customer and technical implementation may not mirror your own, but by using the Security Risk Management Discipline (SRMD), you will identify the common vulnerabilities and risks, as well as the ones unique to your environment. These risks can then be assessed and the mitigation steps applied so that you succeed in securing your servers.
To get the most value out of this material, you will need to read the entire guide. The team that produced this guide hopes that you will find the material covered in it useful, informative, and interesting.
The Securing Windows 2000 Server solution guide consists of 11 chapters. Each chapter builds on the end-to-end solution process required to secure Windows 2000 servers in your environment.
The chapters in the solution guide align with the IT life cycle, which contains industry-standard proven practices, as shown in the following figure.
Chapter 1: Introduction to Securing Windows 2000 Server
This chapter introduces the Securing Windows 2000 Server guide. It includes a brief overview of each chapter.
Chapter 2: Defining the Security Landscape
This chapter focuses on defining security components that need to be understood to perform a security analysis of your organization. General guidance about how to perform a preliminary asset analysis for your organization is offered. The relationship between threats, exposures, vulnerabilities, and countermeasures is also explained.
Chapter 3: Understanding the Security Risk Management Discipline
This chapter draws on proven practices from the security analysis methodologies in use today that make the most of the Microsoft Solutions Framework (MSF) and Microsoft Operations Framework (MOF). MSF offers guidance in the planning, building, stabilizing, and deploying phases of the project life cycle in the areas of enterprise architecture and infrastructure deployment. MOF provides advice on how to develop or improve management systems for IT operations. The SRMD is also defined in detail in this chapter, providing learning that you can apply to assess and determine the level of risk in your own environment.
Chapter 4: Applying the Security Risk Management Discipline
The SRMD is put into practice throughout this chapter to determine which threats and vulnerabilities have the most potential impact on a particular organization. Because every company has different business requirements, it is impossible to create one list of vulnerabilities that will have the same impact on every environment. However, this chapter applies the process to a generic scenario, using a fictitious company to illustrate how a set of common implementation decisions, and therefore a significant number of real-world vulnerabilities, can be identified. At the conclusion of this chapter, the specific risks addressed are fully defined, described, and analyzed.
Chapter 5: Securing the Domain Infrastructure
Determining the criteria on which to base decisions that affect the organization at a domain level is the focus of this chapter. A high-level overview of the Active Directory® directory service design, the organizational unit (OU) design, and domain policy is provided. In addition, specific domain policies that are implemented at Contoso, the fictional customer scenario used in this guide, are discussed in detail.
Chapter 6: Hardening the Base Windows 2000 Server
The base settings applied to the member servers at Contoso are explained in this chapter. Group Policy was used to apply as many of the changes to the default Windows 2000 Server configuration as possible. For the member servers in this scenario, the policy settings described are stored in the security template, MSS Baseline.inf. This template was imported into the Member Server Baseline Policy Group Policy, which is linked to the Member Server OU.
Chapter 7: Hardening Specific Server Roles
The domain controllers, file servers, network infrastructure servers, and Web servers in any organization require different settings to maximize their security. This chapter focuses on the domain controllers and the other primary member server roles to show the steps that you should take to ensure that each of these roles is as secure as possible.
Note This guide assumes that servers perform specific defined roles. If your servers do not match these roles, or if you have multipurpose servers, you should use the settings defined here as a guideline for creating your own security templates to provide you the functionality that you require. However, remember that the more functions that each of your individual servers performs, the more vulnerable your servers are to attack.
Chapter 8: Patch Management
One of the main ways to guard against attack is to ensure that your environment is kept up to date with all the necessary security patches. Patches may be required at the server and client levels. This chapter shows you how to ensure that you find out about new patches in a timely manner, implement them quickly and reliably throughout your organization, and monitor to ensure that they are deployed everywhere.
Chapter 9: Auditing and Intrusion Detection
In any secure environment, you should actively monitor for intrusion and attack. It would be counterproductive to implement security measures and then not perform any auditing, based on the assumption that you will not be attacked. Additionally, not all attacks are obvious. Sometimes the more subtle attacks are more dangerous, because they go unnoticed, and it is difficult to tell what changes have been made. This chapter shows how to audit your environment to give you the best chances of spotting attacks, and it looks at intrusion detection systems—software specifically designed to detect behavior that indicates an attack is occurring.
Chapter 10: Responding to Incidents
No matter how secure your environment, the risk of being attacked remains. Any sensible security strategy must include details about how your organization would respond to different types of attack. This chapter will describe the best ways to respond to different types of attack and includes the steps that you should take to report the incidents effectively. It also includes a case study to illustrate a typical response to an incident.
Chapter 11: Conclusion
Chapter 11 completes the solution guide by providing a brief overview of everything that has been discussed.
Appendix A: Purpose of Microsoft Windows 2000 Services
This appendix lists all available services in the Windows 2000 operating system and briefly explains the purpose of each.
Appendix B: Registry Access Control Changes
This appendix provides information about additional registry settings that can be applied to computers that run Windows 2000 Server to make them more secure.
Appendix C: Disabling NetBIOS on Servers in Untrusted Networks
This appendix discusses the recommendation that NetBIOS be disabled on servers in untrusted networks, and provides instructions for doing so.
Appendix D: Configuring Digital Certificates on Domain Controllers
This appendix provides information about installing and configuring a certification authority, and also how to install and configure digital certificates on domain controllers in a Windows 2000 Server environment.
Tools and Templates
A collection of security templates, scripts, and additional tools is included with this guide to make it easier for your organization to evaluate, test, and implement the countermeasures recommended in this guide. The security templates are text files that can be imported into domain-based Group Policies, or applied locally using the Security Configuration and Analysis snap-in. These procedures are detailed in Chapter 6, "Hardening the Base Windows 2000 Server." The scripts included with this guide implement IPsec packet filters using the IPSecPol.exe command-line tool; the test scripts used to test the recommended countermeasures are also included. These tools and templates are included in the self-extracting WinZip archive that contains this guide. When you extract the files from this archive, the following folder structure is created in the location you specified:
\Securing Windows 2000 Server—contains the Word document that you are currently reading
\Securing Windows 2000 Server\Tools and Templates—contains subdirectories for any items that may accompany this guide
\Securing Windows 2000 Server\Tools and Templates\Security Templates—contains the security templates and other tools discussed in the guide
\Securing Windows 2000 Server\Tools and Templates\Sample Scripts—contains sample IPsec filter scripts and patch management scripts
WARNING The security templates in this guide are designed to increase security in your environment. It is quite possible that by installing the templates included with this guide, some functionality in the environment of your organization may be lost. This lost functionality could include the failure of mission-critical applications.
It is therefore essential to thoroughly test these templates before deploying them in a production environment. Back up each domain controller and server in your environment prior to applying any new security settings. Ensure that the system state is included in the backup so that registry settings or Active Directory objects can be restored.
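The test-first workflow behind the warning above, applied to the local template procedure mentioned under Tools and Templates, as an added example that is not part of the guide or its sample scripts: a cmd script for a single Windows 2000 member server that backs up System State, runs secedit.exe in analyze-only mode against MSS Baseline.inf so that every setting the template would change is logged before anything is touched, and configures the server only after an explicit confirmation. The extraction path, the C:\SecTest working folder, and the backup file name are assumptions.

```batch
@echo off
rem Added example, not part of the guide. Paths are assumptions: adjust
rem TEMPLATE to wherever the guide's "Security Templates" folder was extracted.
setlocal
set TEMPLATE=C:\Securing Windows 2000 Server\Tools and Templates\Security Templates\MSS Baseline.inf
set WORKDIR=C:\SecTest
set DB=%WORKDIR%\baseline.sdb

if not exist "%WORKDIR%" mkdir "%WORKDIR%"
if not exist "%TEMPLATE%" (
    echo Template not found: "%TEMPLATE%"
    exit /b 1
)

rem 1. Back up System State first (registry, SAM and boot files; Active
rem    Directory as well on a domain controller) so the change can be rolled back.
ntbackup backup systemstate /J "Pre-baseline System State" /F "%WORKDIR%\systemstate.bkf"
if errorlevel 1 (
    echo System State backup failed; the template was not applied.
    exit /b 1
)

rem 2. Analyze only: import the template into a fresh database and compare it
rem    with the server's current configuration. Nothing on the server changes.
if exist "%DB%" del "%DB%"
secedit /analyze /DB "%DB%" /CFG "%TEMPLATE%" /log "%WORKDIR%\analyze.log" /verbose
echo Review "%WORKDIR%\analyze.log": each setting reported as a mismatch is one
echo the template would change. Confirm none of them breaks a required application.

rem 3. Apply only after the mismatches have been reviewed and the server has been
rem    tested in a lab. /overwrite replaces whatever the database already held, so
rem    exactly the template's settings are applied.
set /p APPLY=Apply "%TEMPLATE%" to this server now? (Y/N): 
if /i not "%APPLY%"=="Y" (
    echo Template not applied.
    exit /b 0
)
secedit /configure /DB "%DB%" /CFG "%TEMPLATE%" /overwrite /log "%WORKDIR%\configure.log" /verbose
echo Done. Check "%WORKDIR%\configure.log" for errors, then re-test mission-critical applications.
endlocal
```

The Security Configuration and Analysis snap-in performs the same analyze and configure steps interactively; the script form makes the analyze log a reviewable artifact before any production change.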
This guide is primarily intended for consultants, security specialists, systems architects, and IT professionals who are responsible for the planning stages of application or infrastructure development and deployment across multiple projects. These roles include the following common job descriptions:
Architects and planners who are responsible for driving the architecture efforts for their organizations
IT security specialists who are focused purely on providing security across platforms within an organization
Business analysts and business decision-makers (BDMs) who have critical business objectives and requirements that need IT support
Consultants, both Microsoft Services and partners, who need knowledge transfer tools for enterprise customers and partners
Of course, other readers involved in planning, designing, and implementing an infrastructure project will find that this guide contains relevant and useful information. There are many roles in infrastructure development, and each person involved in the project requires different types and levels of information.
For information about the roles involved in a software development project within the MSF Team Model, see the Microsoft Solutions Framework Web site at www.microsoft.com/technet/itsolutions/msf/default.mspx.
The Securing Windows 2000 Server Solution Scenario
To provide prescriptive guidance for securing Windows 2000 Server, this solution uses a fictitious organization to provide the context in which the solution is implemented. A fictitious company makes it possible to present security tradeoffs in light of the business requirements and technical possibilities of the scenario.
The Securing Windows 2000 Server solution revolves around a fictitious marketing research company named Contoso, Ltd. Contoso has two offices: a headquarters located in Atlanta, Georgia, and a second office located in Boston, Massachusetts. Contoso is a fairly large enterprise, with several thousand employees who use computing resources. Contoso reported revenue of $829 million last year.
The company's server platform has been completely upgraded to Windows 2000 Server, but its client deployment remains in a mixed state. The company currently has a combination of Microsoft Windows 98 SP2, Microsoft Windows NT® Workstation 4.0, Microsoft Windows 2000 Professional, and Microsoft Windows XP Professional.
Contoso has two data centers connected with two T1 lines. Each office has a portion of the engineering and operations staff providing network infrastructure services. All Web servers are located at the main data center in Atlanta.
Each location has 100-megabit per second (Mbps) connections to all servers and 10-Mbps connections to all client workstations. The servers are segmented on their own subnet. Client computers are on a separate subnet. All computers have access to the Internet through a connection in Atlanta.
Active Directory Design
Contoso has deployed a single Windows 2000 Server forest with an empty root and a single child domain. An empty root domain is a separate domain that houses only the computer accounts for the domain controllers in that domain and the default user accounts.
Contoso has also divided its network into two Active Directory sites—Atlanta and Boston. The flexible single master operations (FSMO) roles are divided between these sites.
Each site has domain controllers that run Active Directory with integrated DNS, as well as DHCP and file and print servers. Atlanta hosts the WINS servers for the entire organization. Most of the organization's server computers that run Internet Information Services (IIS) reside in Atlanta; however, some smaller department Web servers are located in Boston.
This figure shows the server-based distribution of services within Contoso, but it does not accurately represent the total number of servers within the organization.
As mentioned, Contoso is a marketing research company. Marketing research is an industry that focuses on planning and controlling the sum of activities involved in directing a flow of goods and services from producers to consumers, including such activities as packaging, pricing, promotion, and physical distribution to meet the needs of a particular market.
To find out what the market's needs are, market researchers must learn as much as they can about their customers. To help facilitate this learning, Contoso provides market researchers with detailed information about their target markets.
The majority of Contoso's marketing information is housed in IIS servers located within the organization. Contoso's marketing research personnel use the internal marketing research Web servers when gathering detailed information for their customers. Some of this information is also located on file shares, but the information on these file shares is only a subset of the information available on the intranet servers.
Contoso wants to ensure that its internal data is secure and stays secure. Marketing research is a very competitive field, and the company's research data is its primary competitive advantage over other companies in the same field. Therefore, maintaining a high level of security for the company's marketing research data is the top priority of the organization.
A separate project has been started to address the security of Contoso's external connectivity and its perimeter network. These concerns are out of scope for this project.
This guide uses the following style conventions and terminology.
Bold – Characters that are typed exactly as shown, including commands and switches. User interface elements in prescriptive text are also bold.
Italic – Placeholder for variables where specific values are supplied. For example, Filename.ext could refer to any valid file name for the case in question.
%SystemRoot% – The folder in which the Windows 2000 operating system is installed.
Note – Alerts the reader to supplementary information.
Important – Alerts the reader to supplementary information that is essential to the completion of the task.
This chapter provided an overview of the primary factors involved in securing Windows 2000 Server, which are considered in greater depth in the remaining chapters of the guide. It also introduced a typical enterprise organization that is referred to throughout the chapter series to illustrate the best practices and procedures used to secure Windows 2000 servers. Now that you understand how this guide is organized, you can decide whether to read it from beginning to end, or to select only those sections of most interest to you. However, it is important to remember that effective, successful security operations require making improvements in all of the areas covered in this guide, not just a few. For this reason, it is highly recommended that you read the entire guide to take advantage of all of the information it offers on securing the Windows 2000 servers in your organization.