Chapter 1 - Introduction

Introduction

Welcome to the Microsoft Windows 2000 Security Hardening Guide. This document provides administrator guidance for how to set up and configure secure Windows 2000 systems in several scenarios. This document is a baseline for other hardening guides published by Microsoft, such as the Microsoft Solutions for Security.

This document is not meant as a replacement for the Windows 2000 Common Criteria Security Configuration Guide, but rather as a more generally applicable hardening guide, which applies to a much broader range of specific systems which may include or exclude services specified in the Windows 2000 Common Criteria evaluated configuration. The Common Criteria guide is designed for general purpose systems that specifically need to be compliant with the Common Criteria evaluation requirements and sacrifices some usability to do so. The document you are currently reading is designed to provide more generic guidance for a wider range of specific system classes, without necessarily trading off basic operating system functionality. The recommendations in this guide were generally chosen to safely allow Microsoft customers to deploy the recommended settings on existing Windows 2000 systems, not just on newly-built systems. We have also reviewed the default permissions on Windows Server 2003 and recommended those permissions here where they did not break existing Windows 2000 Server services.

Document Overview

This document has the following chapters:

Chapter 1, "Introduction", introduces the purpose and structure of the document and the assumptions of the audience.

Chapter 2, "System Configurations", identifies Windows 2000 configurations for which the document provides guidance.

Chapter 3, "Operating System Installation", describes how to install Windows 2000.

Chapter 4, "Secure Configuration", describes how to make security changes on Windows 2000.

Chapter 5, "Security Configuration", describes recommended configuration changes and how to automate them using the included templates.

Chapter 6, "Security Configuration Templates", provides the references used to develop this document.

Chapter 7, "References"

Appendix A, "Windows 2000 Default Security Policy Settings", identifies the Windows 2000 default security policy settings.

Appendix B, "User Rights and Privileges", identifies the default user rights assignments on Windows 2000, and summarizes recommended changes.

Appendix C, "Windows 2000 Security Configuration Checklist", presents a configuration checklist to ensure all necessary installation and configuration steps are taken.

Terminology, Conventions, and Assumptions

Throughout the document, the following terminology and conventions are followed:

  • Boot partition – The disk partition that contains the operating system files. The operating system files are normally stored in C:\winnt, making C: the boot partition. The operating system files are often referenced with the %SystemRoot% environment variable, while the %SystemDrive% variable references the boot partition itself.

  • System partition – The disk partition that contains the boot files. The boot files are NTLDR, boot.ini, and ntdetect.com. On systems using certain SCSI controllers you will also find a file called ntbootdd.sys, which contains a copy of the SCSI driver. Most modern SCSI controllers, however, do not require this file. On systems which are dual-booted with a DOS-based operating system (such as Windows 98) you will also find a file called bootsect.dos. By default, all of these files will be stored in the C:\ directory, making C: the system partition as well. However, it is by no means required that the boot and system partitions be the same partition.

  • NTFS – One of the file system formats supported by Windows 2000. NTFS is the only Windows 2000 file system format that supports security. It also supports much larger drives, and is faster than FAT on all but the very smallest partitions. We recommend the use of NTFS on all hard disk partitions. Systems formatted with FAT cannot apply many of the security settings discussed in this guide.

In addition, it is important to note that this document does not require any settings. This document provides security guidance only, and is therefore not in a position to make requirements. By its very nature, all settings are therefore recommended, although there are a few that are "highly recommended." Typically, those settings are ones that have minimal functionality impact and/or a large security impact.

Note also that in some cases we do not discuss settings whose default value is acceptable for the purpose of this guide. This is done primarily to make the guide shorter and easier to read. Therefore, if a setting is shown in one of the security interfaces but is not discussed in this guide, the recommendation is to leave this setting at its default value.

It is impossible to secure a computer that is not physically secure. An attacker that has physical access to a computer will eventually be able to break into it. Neither Windows 2000 nor any other operating system can change that. Therefore, the recommendations in this guide are designed with the assumption that the computer is physically secure against unauthorized attackers. The immutable laws of security state that if "a bad guy has unrestricted physical access to your computer; it is not your computer any more" (https://www.microsoft.com/technet/archive/community/columns/security/essays/10imlaws.mspx). Please also note that we highly discourage applying these configuration settings to a computer that was not physically secured from the beginning. Such a computer should be considered compromised and should be rebuilt from scratch.

The settings in this guide are primarily designed for systems that are on a network protected by at least a minimal firewall or filtering router. For the purpose of this guide a minimal firewall is one that blocks at least TCP ports 135, 139, and 445, and UDP ports 135, 137, and 445. A bastion host system (one that is directly connected to the Internet) without any kind of firewall protection has higher security requirements than this guide is designed to provide. On such systems, significant functionality may need to be traded off against security. Although the configuration measures in this guide can be used to secure such systems, the specific settings may need to be revisited. In some cases, additional changes recommended for a bastion host are highlighted.
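As an added illustration (not part of the original guide), the following Python example audits an ordered inbound rule list against the minimal-firewall port list given above and reports any listed port that is still reachable. The Rule format, the first-match evaluation model and the sample rules are assumptions constructed for this example; adapt them to the rule export of the firewall or filtering router actually in use.

```python
# Added example: audit an ordered inbound rule list against the guide's
# "minimal firewall" definition. The rule format is an assumption.
from typing import NamedTuple

# Destination ports the guide says a minimal firewall must block.
REQUIRED_BLOCKED = {
    "tcp": (135, 139, 445),
    "udp": (135, 137, 445),
}

class Rule(NamedTuple):
    action: str   # "allow" or "deny"
    proto: str    # "tcp", "udp" or "any"
    low: int      # first destination port in range (inclusive)
    high: int     # last destination port in range (inclusive)

def verdict(rules, proto, port, default="deny"):
    """First matching rule wins; otherwise the default policy applies."""
    for r in rules:
        if r.proto in (proto, "any") and r.low <= port <= r.high:
            return r.action
    return default

def unblocked_ports(rules, default="deny"):
    """Return the (proto, port) pairs from the baseline that are not denied."""
    return [
        (proto, port)
        for proto, ports in REQUIRED_BLOCKED.items()
        for port in ports
        if verdict(rules, proto, port, default) != "deny"
    ]

# Constructed sample: a broad allow placed before the TCP 445 deny shadows it,
# and UDP 445 is never mentioned, so it falls through to the default policy.
SAMPLE_RULES = [
    Rule("deny", "tcp", 135, 139),
    Rule("allow", "tcp", 400, 500),
    Rule("deny", "tcp", 445, 445),
    Rule("deny", "udp", 135, 137),
]

if __name__ == "__main__":
    for proto, port in unblocked_ports(SAMPLE_RULES, default="allow"):
        print(f"NOT BLOCKED: {proto.upper()} {port}")
```

The sample shows two common ways a rule set misses the baseline: a deny rule shadowed by an earlier, broader allow, and a port left to a permissive default policy.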

Many of the settings recommended in this guide will not work with service pack revisions prior to Service Pack 3 – the settings were not tested with any earlier revisions of Windows 2000. Service Pack 3 may be downloaded from https://www.microsoft.com/windows2000/downloads/servicepacks/sp3/default.mspx.

This guide is not intended to be an authoritative document on how to secure systems running Microsoft Internet Information Services (IIS). Although IIS is installed by default on Windows 2000 server products, securing a web server is beyond the scope of this document. If IIS is not used, it should be uninstalled. The interested reader is referred to the online resources on Microsoft's TechNet/Security web site on securing IIS: https://www.microsoft.com/technet/archive/security/chklist/iis50srg.mspx. Specifically, it is highly recommended that, in addition to installing all the latest patches, the IIS Lockdown tool and URLScan be used on the server. Those tools are available at:

This guide assumes that the reader is familiar with basic system administration concepts, such as installing the operating system and promoting a server to a domain controller. For readers who are not familiar with these concepts, we recommend taking one of the Windows 2000 administration courses. These are detailed on the Microsoft Training and Certification web site, at https://www.microsoft.com/learning/.

1.3 Revision History

Version    Date    Differences

1.0    3/19/2003    Original Release

1.1    4/10/2003

  • Fixed a typo in the DC template that allowed Authenticated Users to log on interactively

  • Fixed typos in the sceregvl.new file that prevented a few settings from showing up correctly in the secedit UI

  • Included two missing settings in the server templates

  • Fixed a typo regarding the number of configurations supported in the introduction

  • Moved LDAP Server signing requirement to DC template

  • Added LMCompatibilityLevel 2 (Require NTLM or higher and enable NTLM v. 2) to the baseline template

  • Removed LM hashes in the baseline template. Note that this will break compatibility with some Windows 9x systems. If compatibility with those systems is desirable, see the section "Disable LMHash creation" in Chapter 5 for information on how to turn this setting off.

  • Fixed references to Windows Server 2003 to use the correct product name

  • Removed some references to RISC-only settings (no RISC platforms are supported on Windows 2000)

  • Improved registration procedure for the sceregvl.inf file in the batch file

  • Removed W32Time settings from the sceregvl.inf file. This setting cannot be configured via the UI.

  • Added the Revision History table

1.2

  • Fixed broken links

  • Inserted missing section on installing Windows 2000 Service Packs and Hotfixes

  • Improved the description for the LM Compatibility Level setting

  • Configured LM Compatibility Level to require NTLM v.2 in the baseline template.

  • Fixed the name on the download package to be compatible with downlevel browsers.

1.3

  • Corrected the title for Chapter 4

  • Added a missing registry key ACL (winlogon) to the DC template

  • Fixed one misspelling and two broken links