Securing Windows 2000 Professional Clients in a Windows Server Environment


Introduction

The threat of intruders and malicious code such as viruses and worms continues to grow. This makes it critical for organizations of all sizes to take immediate action to increase the security of their desktop and laptop computers. A virus is an intrusive program that infects computer files by inserting in those files copies of self-replicating code, while a worm is a program that runs independently, traveling from computer to computer across network connections. This document explains how to implement the security measures recommended in the Microsoft Windows 2000 Security Hardening Guide in a small- or medium-size business environment with Microsoft Active Directory directory service.

The goal of this document is to provide you with clear and concise instructions for you to download the Windows 2000 Security Templates, configure the Active Directory domain infrastructure on the domain controllers in your network, and then create new Group Policy objects (GPOs) in order to import the security templates which should enhance the security of the computers on your network. Information is also provided on verifying the new settings, installing distributed firewall and antivirus software, maintaining a current patch level, and converting the file systems on your computers to NTFS.

The following list provides an overview of the topics and tasks this document covers:

  • Downloading preconfigured security templates to automatically make changes to your system to help make your computers more secure.

  • Configuring the Active Directory domain infrastructure to manage the security level across all of the Microsoft Windows 2000 Professional computers on your network.

  • Applying the policies to your desktop and laptop computers.

  • Verifying the new settings.

  • Installing distributed firewall software.

  • Installing antivirus software.

  • Converting the file system on your computers to the NTFS file system, which provides a higher level of security than the FAT file systems.

  • Keeping your system up-to-date with security patches.

These recommendations will help to ensure that the desktop and laptop systems running Windows 2000 Professional Service Pack 4 in your environment are more secure from the majority of current security threats, while ensuring that users can continue to be efficient and productive on their computers. In addition to the detailed step-by-step guidance in this document, you will find information about the top security recommendations that Microsoft offers to all of the company's customers, from the home user to the enterprise.

Note: Implementing the recommendations in this guidance will help to enable your Windows 2000 Professional desktops and laptops to communicate more securely with other computers running Microsoft Windows XP, Windows 2000, and Windows Server 2003. However, Windows 2000 desktops and laptops may have difficulty sharing files, folders, or printers with other computers running Microsoft Windows 98 or Microsoft Windows NT 4.0. Windows 98 and Windows NT 4.0 are older operating systems that are more difficult to secure against today's security threats.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Before You Begin

As with any security recommendations, this guidance strives to find the right balance between enhanced security and usability. The recommendations provided here will work successfully for Windows 2000 Professional deployments in a wide variety of environments. However, there are several key points that you should note before implementing these recommendations.

This document does not address the wide variety of needs and configurations that may be required in a large corporation. In addition, the guidance may not fully address the specific security needs of some organizations.

Meeting the Service Pack Requirement

The recommendations in this document apply only to computers running Windows 2000 Professional Service Pack 4 that are members of an Active Directory-based domain. If Service Pack 4 is not installed on a particular computer or if you do not know whether it is installed, you can go to the Windows Update page on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkID=22630, and have Windows Update scan your computer for available updates. If Service Pack 4 shows up as an available update, install it before proceeding with the procedures in this document.

Avoid Using Accounts With Administrative Privileges

A common issue in many organizations is the prevalence of users that run their laptop or desktop with administrative credentials. It is a best practice for all user accounts to be members of the Users group. Users should not be allowed to log in routinely using accounts that are members of the Administrators group. By enforcing this change, users will not be able to install unapproved software that may contain viruses or other types of potentially dangerous code.

Implementing this requirement may be challenging, but using Windows 2000 Professional with logo certified applications makes this easier. Applications that are not logo certified may not run correctly for users without administrative privileges. To find a list of logo certified applications, look for software labeled "Designed for Windows 2000" on the Windows Catalog page of the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=22382.

An administrator must implement the recommendations in this document, but the settings provide functionality that will allow someone who is not a member of the Administrators group to run the laptop or desktop on a day-to-day basis. Once the security settings recommended in this document are implemented, they will apply to all users who log on to the desktop or laptop, including the Local Administrator.

Downloading the Windows 2000 Security Templates

A security template is a file that represents a recommended security configuration. Security templates are applied to a system by importing them to the desktop or laptop. The following procedure shows you how to download the preconfigured security templates to secure your desktop and laptop systems.

The procedure explains where you can obtain the Windows 2000 security templates, and then how to install them on a domain controller in your computer network. Ensuring the templates are correctly installed will enable you to effectively use related procedures in this document to strengthen the security of your computers.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged on to both a domain controller and a member computer as a member of the Domain Admins group.

  • Tools: a Web browser, Windows Explorer.

  • To download the security templates

    1. From the member computer, open a Web browser and navigate to the Windows 2000 Security Hardening Guide page of the Microsoft Download Center Web site at https://go.microsoft.com/fwlink/?LinkId=22380.

    2. On the right side of the page, in the grey box called Windows 2000 Security Hardening Guide, click Download.

    3. In the File Download dialog box, click Save.

    4. When prompted for a location, expand the Save in: drop-down list box, click Desktop, and then click Save.

    5. In the Download complete dialog box, click Close.

    6. Copy the file you downloaded, W2KHG.exe, to the My Documents folder on the domain controller.

      Note: The step-by-step instructions for copying the file from your computer to the domain controller will vary depending on how your network is configured. You may need to open a new Explorer window that points to the C$ share on your domain controller by clicking Start and then Run, and then typing \\Your_Domain_Controller_Name\c$.

    7. From the domain controller, click Start, select All Programs, select Accessories, and then click Windows Explorer.

    8. Use Windows Explorer to navigate to your My Documents folder and double-click the W2KHG.exe file.

    9. In the WinZip Self-Extractor dialog box, click Browse.

    10. Click My Documents and then click OK.

    11. In the WinZip Self-Extractor dialog box, click Unzip.

    12. After all the files have finished extracting, click OK.

    13. In the WinZip Self-Extractor window, click Close.

Configuring the Active Directory Domain Infrastructure

Group Policy is a feature of Active Directory that facilitates change and configuration management in Windows Server 2003 and Windows 2000 Server domains. However, you need to perform certain preliminary steps in your domain prior to applying Group Policy to the Windows 2000 Professional clients in your environment.

Use the following procedure to set up the Active Directory infrastructure for your computer network. Creating this structure will enable you to use related procedures in this document to help strengthen the security of your computers.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged on to a domain controller as a member of the Domain Admins group.

  • Tools: The Active Directory Users and Computers snap-in.

  • To configure the Active Directory domain infrastructure
    Use the snap-in to create the following new branch of organizational units (OUs) in your domain:

    • Secured Computers OU: This OU will contain the child OUs for each operating system running in your environment.

    • Windows 2000 OU: This OU will contain child OUs for each type of Windows 2000 client in your environment. Guidance is included here for desktop and laptop clients.

      Note: Even though identical security settings are applied to both desktop and laptop computers when you follow the instructions in this document, it includes instructions to create separate OUs for each to make it easier for you to configure additional security settings that may be specific to only one class of client computer in your environment.

    • Desktop OU: This OU contains desktop computers that remain connected constantly to your corporate network.

    • Laptop OU: This OU contains laptop computers for mobile users that are not always connected to your corporate network.

The OU structure you will create is summarized in the image below.

OU structure

  1. Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Active Directory Users and Computers.

  2. Right-click the root container for the domain, hold your pointer over New, and then select Organizational Unit.

    Active Directory Users and Computers

    Note: Screen shots in this document reflect a test environment and the information might differ from the information displayed on your screen.

  3. Type Secured Computers OU to name the new OU and click OK.

  4. Right-click the Secured Computers OU, hold your pointer over New, and then select Organizational Unit.

  5. Type Windows 2000 OU to name the new OU and click OK.

  6. Right-click the Windows 2000 OU, hold your pointer over New, and then select Organizational Unit.

  7. Type Desktop OU to name the new OU and click OK.

  8. Right-click the Windows 2000 OU, hold your pointer over New, and then select Organizational Unit.

  9. Type Laptop OU to name the new OU and click OK.

  10. Move all of the desktop computers that are running Windows 2000 from their current location to the Desktop OU by dragging them from their current OU to the new one.

  11. Move all of the laptop computers that are running Windows 2000 from their current location to the Laptop OU by dragging them from their current OU to the new one.

    Note: The default location for new computer objects in Active Directory is the Computers container.

The new OU structure should look like what you see in the following image.

Active Directory Users and Computers

Creating New Group Policy Objects and Importing the Security Templates

The next step to helping to secure your computers is to configure many of the built-in security settings. While this may seem like a daunting task, step-by-step instructions for using the W2KHG-baseline.inf and W2KHG-MemberWKS.inf files that are included with the Windows 2000 Security Hardening Guide are provided below to perform this task.

These policies will configure settings to ensure that only valid users can connect to the computer, only administrators can back up and restore files on the computer, and that only administrators can add new drivers to the system.

Use the following procedure to create new GPOs to use while configuring security measures for the desktop computers on your network. The GPOs will enable you to use related procedures in this document to help strengthen the security of your computers.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged on to the domain controller as a member of the Domain Admins group.

  • Tools: Active Directory Users and Computers and the command prompt.

  • To create the GPO for desktop computers

    1. Reopen the Active Directory Users and Computers snap-in if needed by clicking Start, clicking Settings, clicking Control Panel, double-clicking Administrative Tools, and then double-clicking Active Directory Users and Computers.

      • Navigate to the Desktop OU.

    2. Right-click Desktop OU and select Properties.

      Active Directory Users and Computers

    3. In the Desktop OU Properties dialog box, click the Group Policy tab, and then click New.

    4. Type 2000 Desktop Policy to name the GPO, and then click Edit.

      Desktop OU Properties

    5. The Group Policy Object Editor tool will open and display the GPO that you just created in the Group Policy Object Links dialog box.

    6. Under Computer Configuration, expand the Windows Settings folder, right-click Security Settings, and then select Import Policy.

      Group Policy Object Editor

    7. In the Import Policy From dialog box, expand the Templates folder in the drop-down list box, and then navigate to \My Documents\Templates\.

    8. Select the W2KHG-baseline.inf security template and click Open.

      Note: If you do not see the W2KHG-baseline.inf file, you may have saved it to a different location. Extract the files from the W2KHG.exe self-extracting file again if this is the case.

      Import Policy From

    9. Repeat step 6 above by right-clicking Security Settings and then selecting Import Policy.

    10. Select the W2KHG-MemberWKS.inf security template and click Open.

      Import Policy From

    11. Close the Group Policy Object Editor tool.

    12. Close the Desktop OU Properties dialog box.

Use the following procedure to create new GPOs to use while configuring security measures for the laptop computers on your network. The GPOs will enable you to use related procedures in this document effectively to help strengthen the security of your computers.

  • To create the GPO for laptop computers

    1. Reopen the Active Directory Users and Computers snap-in if needed by clicking Start, clicking Settings, clicking Control Panel, double-clicking Administrative Tools, and then double-clicking Active Directory Users and Computers.

    2. Right-click the Laptop OU and then select Properties.

    3. In the Laptop OU Properties dialog box, click the Group Policy tab, and then click New.

    4. Type 2000 Laptop Policy to name the GPO, and then click Edit.

    5. The Group Policy Object Editor tool will open and display the GPO that you just created in the Group Policy Object Links box.

    6. Under Computer Configuration, expand the Windows Settings folder, right-click Security Settings, and then select Import Policy.

    7. In the Import Policy From dialog box, expand the Templates folder in the drop-down list box, and then navigate to \My Documents\Templates\.

    8. Select the W2KHG-baseline.inf security template and click Open.

      Note: If you do not see the W2KHG-baseline.inf file, you may have saved it to a different location. Extract the files from the W2KHG.exe self-extracting file again if this is the case.

    9. Repeat step 6 by right-clicking Security Settings and selecting Import Policy.

    10. Select the W2KHG-MemberWKS.inf security template and click Open.

    11. Close the Group Policy Object Editor tool.

    12. Close the Laptop OU Properties dialog box.

    13. Wait for replication to complete between all of your domain controllers so that the new group policy will be available to the client computers regardless of which domain controller is used for logon.

Ensuring Policies Apply to Your Desktop and Laptop Computers

You are now ready to apply the security settings to your desktop or laptop. To ensure the settings are applied, use the secedit.exe command. You can use the following procedure to force a refresh of Group Policy. Completing this procedure and restarting your system will ensure that you have successfully applied the security policies.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged onto the desktop or laptop computer as a member of the Domain Admins group.

  • Tools: Command prompt, secedit.exe.

  • To force a refresh of Group Policy

    1. Click Start, click Run, type cmd, and then click OK.

    2. At the command prompt, type secedit /refreshpolicy machine_policy /enforce, and press ENTER.

      Command Prompt

    3. Next, verify in the Application event log that the policy downloaded successfully. Click Start, click Settings, and then click Control Panel.

    4. In Control Panel, double-click Administrative Tools.

    5. In Administrative Tools, double-click Event Viewer.

    6. In Event Viewer, click Application Log and then look for the most recent event that is defined with the following:

      • The Type called Information.

      • The Source called SceCli.

      • The Event ID number 704.

    7. If you double-click this event you will see an Event Properties dialog box similar to the following:

      Event Properties

    8. Restart the computer.
      Once the system restarts, the security policies have been successfully applied. In the image above, the information in the Description: box on the Event tab also indicates that the GPOs have been applied successfully.

Verifying New Settings

The following procedures and information are provided to enable you to verify that the appropriate security settings have been applied to the local computers in your environment. Use the following procedure to view the local computer settings on your machine. Verifying the settings will ensure that the correct ones are in effect on your computer.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged on as a member of the Domain Admins group.

  • Tools: The Local Security Policy snap-in, Control Panel.

  • To verify the security policy on your computer

    1. Click Start, click Settings, and then click Control Panel.

    2. In Control Panel, double-click Administrative Tools.

    3. In Administrative Tools, double-click Local Security Policy.

    4. In the Local Security Settings console tree, expand the Local Policies folder, and then click the Security Options folder.

      Local Security Settings

    5. On the right in the details pane of the Security Options folder, review the applied Security Options policy settings.

    6. You only need to verify that a few settings have been changed from their original values to the new, more secure ones. To do this, review the following settings carefully:

      1. Verify that the policy called Additional restrictions for anonymous connections is configured to No access without explicit anonymous permissions.

      2. Verify that the policy called Digitally sign server communications (always) is configured to Enabled.

      3. Verify that the policy called Prevent system maintenance of computer account password is configured to Disabled.
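As an added check that is not part of this guide or of the Hardening Guide download, the following Python script parses a security template in the same .inf format as W2KHG-baseline.inf and W2KHG-MemberWKS.inf and reports whether the three settings listed above carry the expected values. The mapping from the Local Security Policy display names to the registry paths used inside templates, and the embedded sample template, are assumptions constructed for this example; point the script at a real template file, or at a file exported with secedit /export /cfg, to check an actual policy.

```python
"""Check a Windows 2000 security template (.inf) for the three Security Options
settings this guide asks you to verify after the GPO has been applied.

Security templates are INI-style files. The [Registry Values] section lists
entries of the form  MACHINE\\<path>=<type>,<value>  where type 4 is REG_DWORD.
The display-name-to-registry-path mapping below is an assumption based on the
Windows 2000 policy-to-registry correspondence; it is not taken from the guide.
"""
import configparser
import sys
from pathlib import Path

# Local Security Policy display name -> (registry path in template, expected DWORD)
# 2 = "No access without explicit anonymous permissions"; 1 = Enabled; 0 = Disabled.
EXPECTED = {
    "Additional restrictions for anonymous connections":
        (r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous", "2"),
    "Digitally sign server communications (always)":
        (r"MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature", "1"),
    "Prevent system maintenance of computer account password":
        (r"MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange", "0"),
}

# Constructed sample in the security-template format. It is NOT the content of
# W2KHG-baseline.inf or W2KHG-MemberWKS.inf; the last entry is deliberately wrong.
SAMPLE_TEMPLATE = r"""
; constructed sample template
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters\DisablePasswordChange=4,1
"""


def load_template(text):
    """Parse template text into {section: {key: value}}.

    Interpolation is off (values may contain '$'), key case is preserved
    (registry paths are compared literally), '=' is the only delimiter
    (keys contain backslashes but never ':'), and duplicate keys are tolerated.
    """
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",),
                                   allow_no_value=True, strict=False)
    cp.optionxform = str
    cp.read_string(text)
    return {section: dict(cp.items(section)) for section in cp.sections()}


def read_template(path):
    """Read a template file. Shipped templates are usually UTF-16 with a BOM;
    anything else is treated as single-byte ANSI text."""
    data = Path(path).read_bytes()
    if data[:2] in (b"\xff\xfe", b"\xfe\xff"):
        return load_template(data.decode("utf-16"))
    return load_template(data.decode("latin-1"))


def check_settings(template):
    """Return {display name: (status, value)} for each expected setting.

    status is OK, MISMATCH (present with another value), WRONG_TYPE
    (not a REG_DWORD entry) or MISSING (template does not set it at all).
    """
    registry = template.get("Registry Values", {})
    results = {}
    for name, (reg_path, want) in EXPECTED.items():
        raw = registry.get(reg_path)
        if raw is None:
            results[name] = ("MISSING", None)
            continue
        reg_type, _, value = raw.partition(",")
        value = value.strip()
        if reg_type.strip() != "4":
            results[name] = ("WRONG_TYPE", raw)
        elif value == want:
            results[name] = ("OK", value)
        else:
            results[name] = ("MISMATCH", value)
    return results


def main(argv):
    """Check the file named on the command line, or the embedded sample."""
    template = read_template(argv[1]) if len(argv) > 1 else load_template(SAMPLE_TEMPLATE)
    failures = 0
    for name, (status, value) in check_settings(template).items():
        print(f"{status:10} {name}: {value}")
        failures += status != "OK"
    return 1 if failures else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```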

Installing Distributed Firewall Software

Distributed firewall software, often referred to as host-based firewalls or personal firewalls, can help prevent attackers and worms on the network from compromising your computer systems. The use of this technology is critical in preventing remote or mobile users from unknowingly transmitting malicious programs. Distributed firewalls are software firewalls installed on each individual system, but they use a centralized access policy. Depending on the software you choose, a host-based firewall can offer features beyond those of network firewalls, such as protecting computers from spyware and Trojan horses. A Trojan horse is a malicious software application designed to look like a legitimate one; for example, a Trojan horse program may mimic the logon dialog box for financial software so that the attacker can collect the user's password.

Windows XP includes a built-in firewall called the Internet Connection Firewall (ICF) that provides this functionality. Microsoft originally designed ICF for home users instead of businesses, but for many organizations ICF can provide an additional layer of protection against network-based attacks, such as worms and denial-of-service attacks. If you are not prepared to upgrade your Windows 2000 Professional computers to Windows XP then it is very important that you purchase and deploy distributed firewalls on those computers.

Most third-party firewalls protect computers from software that could violate your users' privacy or allow an attacker to misuse their computers. To find out more about popular distributed firewall products that are available from many software vendors, you can go to any of the following Web sites:

Installing Antivirus Software

Computer viruses are programs that are loaded on to your system without your knowledge or approval. Viruses and other forms of malicious software have been around for years. Today's viruses can replicate themselves and use the Internet and e-mail applications to spread across the world within hours.

Antivirus software continually scans your computer for viruses and helps detect and remove them. Installing antivirus software only solves part of the problem; keeping the antivirus signature files up to date is also critical to maintaining secure desktops and laptops.

User education regarding safe e-mail practices is another critical step in preventing virus attacks. Users should not open e-mail or an e-mail attachment unless they are expecting the file and can verify its source. Ensure that all e-mail attachments are scanned with antivirus software prior to executing them.

To find out more information about software vendors providing antivirus software that is compatible with Windows 2000, see the List of Antivirus Software Vendors page Knowledge Base resource on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkId=22381.

Maintaining a Current Patch Level

To ensure that your laptops and desktops remain secure, Microsoft strongly recommends that you keep your computers up to date with all released security patches for Windows 2000. With Windows 2000, this is easy to do if your computers are connected to the Internet. Simply configure your computers to automatically download and install the latest updates from Microsoft using the following procedure.

The following procedure will set your machine up to receive automatic updates. Enabling your computer to receive automatic updates helps to protect it against new viruses and worms that could attempt to spread through the Internet to computers on your network.

Requirements

The following is required to complete this task:

  • Credentials: You must be logged onto the desktop or client computer as a member of the Domain Admins group.

  • Tools: Control Panel.

  • To configure your machine for automatic updates

    1. Click the Start menu, and then click Control Panel.

    2. Double-click Automatic Updates.

    3. Select the check box labeled: Keep my computer up to date. With this setting enabled, Windows Update software may be automatically updated prior to applying any other updates.

    4. Select the option to Automatically download the updates, and install them on the schedule that I specify.

    5. Select a day and time for the updates to occur, and then click OK to close the Automatic Updates window.

      Automatic Updates

Once you enable Automatic Updates, the new updates will automatically be applied to the computer according to the schedule you defined. You can set the automatic download time for any time, day or night. Just be sure your computer is on at that time. (To avoid slow-downs, Microsoft recommends that you choose a time when you will not be using the computer yourself. The computer will need to be turned on, however.) If you set up Automatic Updates to notify you, or if you forget to leave your computer on, you will see a notification balloon. Click the notification balloon to review and install the updates.

Converting Your File Systems to NTFS

A file system is the way that directories and files are organized on the computer. During the Windows 2000 setup process, computers could be configured to use either the FAT32 or the NTFS file system.

FAT32 is an older technology that previous versions of Windows use. The NTFS file system is faster and more secure than previous file systems. For optimal performance and security of the operating system, use NTFS to protect all of the file system partitions on your machine. Use the following two procedures to first verify the type of file system on your computer, and then, if needed, convert the file system to NTFS.

  • To check the file system type on your machine

    1. Click the Start menu, and then click My Computer.

    2. Right-click the drive letter you want to check, and then click Properties.

    3. The file system type should be NTFS. If it is not, you can use the convert.exe utility to convert from FAT16 or FAT32 to NTFS.

      Local Disk (C:)

Repeat this process for all partitions located on hard disks on the computer. Even if the file system was configured as FAT32 when the operating system was installed, you can easily convert it to NTFS to provide additional security.

To convert the file system to NTFS, take note of the name of the disk otherwise known as the volume label (Drive C in the previous image) and complete the following steps.

The following procedure will convert your file system to NTFS. Converting your file system to NTFS provides your computer with a higher level of security.

  • To convert the file system to NTFS

    1. Click the Start menu, click Run, type cmd, and then click OK.

    2. At the command prompt, type the following, where drive letter is the drive you want to convert:

      convert drive letter: /fs:ntfs

    3. You will be prompted to enter the current volume label for the drive. Enter the volume label that was identified earlier, and then press ENTER.

    4. When the conversion is complete, type EXIT, and then press ENTER to close the command prompt.

      Note: If you are attempting to convert the drive where the operating system is installed, you may be prompted to schedule the conversion to occur the next time the system is restarted. If this occurs, type Y and restart the computer.

Related Information

For more information about related topics on securing Windows 2000, see the following:

  • The Threats and Countermeasures Guide page on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkID=15159.

  • The "Develop Password Policy Guidelines" section in the "Selecting Secure Passwords" document in the Security Guidance Kit.

  • The "Enforce a Strong Password Policy on All Machines" section in the "Enforcing Strong Password Usage Throughout Your Organization" document in the Security Guidance Kit.