Securing Windows 2000 Professional in a Peer-to-Peer Networking Environment

Introduction

Peer-to-peer networking can increase productivity by making it easy to share information and resources on your network. However, the ability of computer users to control access to their computer can leave them vulnerable to information theft, loss, or inadvertent sharing of information. That is why, in addition to enforcing a corporate computing policy, you should make sure you and your employees understand the basics of Windows peer-to-peer networking and security. Some basic best practices include:

  • Staying current with Windows security updates

  • Using antivirus software

  • Using Internet Connection Firewall

  • Using strong passwords

  • Not sharing files or folders with hosts on the Internet

  • Restricting permissions on shared folders to the minimum required

  • Sharing only the minimum folders required

  • Disabling sharing wherever it is not required

With the increasing threat of malicious code, such as worms, viruses, and hacker threats, it is critical that all customers take immediate action to help lock down their desktop and portable computers. This document explains how to implement the security measures for a small or medium business environment where peer-to-peer networking is used. These recommendations help ensure that your computers running Microsoft Windows 2000 Professional are more secure from many current security threats, while ensuring that users can continue to be efficient and productive on their computers.

The following tasks are included in this document:

  • Securing the file system

  • Securing user accounts

  • Securing access from the network

  • Checking security with the Microsoft Baseline Security Analyzer

In addition to the advanced step-by-step guidance in this document, you will also find information about the top security recommendations that Microsoft is making to all customers, from home customers to enterprise customers.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps may differ slightly.

Before You Begin

As with any security recommendations, this guidance strives to find the right balance between enhanced security and usability. The recommendations provided here will work successfully for Windows 2000 Professional deployments in a wide variety of environments. However, before implementing these recommendations, you should note that this document does not address the wide variety of needs and configurations that may be required in a large corporation. In addition, the guidance may not fully address the specific security needs of some organizations.

Meeting the Service Pack Requirement

The recommendations in this document apply only to computers running Windows 2000 Professional Service Pack 4 that are members of a WORKGROUP. If Service Pack 4 is not installed on a particular computer or if you do not know whether it is installed, you can go to the Windows Update page on the Microsoft Web site at https://go.microsoft.com/fwlink/?LinkID=22630, and have Windows Update scan your computer for available updates. If Service Pack 4 shows up as an available update, install it before proceeding with the procedures in this document.

Administrative Requirements

You must be logged on as an administrator or a member of the Administrators group in order to complete the following procedures. If your computer is connected to a network, network policy settings might also prevent you from completing these procedures.

Securing the File System

A file system is the way that directories and files are organized on a computer. There are several ways to protect your file system from unauthorized access, alteration or deletion. This section provides the following step-by-step instructions for securing the file system:

  • Converting file systems to NTFS

  • Using antivirus software

  • Protecting file shares

  • Securing shared folders

  • Disabling or deleting unnecessary accounts

Converting File Systems to NTFS

During the Windows 2000 setup process, computers are configured to use either the FAT32 or NTFS file system. FAT32 is an older technology used by previous versions of Windows. The NTFS file system is faster and more secure than FAT32. For optimal performance and security of the operating system, use NTFS on all file system partitions on your computer.

Checking the File System Type on Your Computer

Before converting the file system on your computer, you need to verify that you are not using NTFS already. Use the following steps to check the file system type on your computer. If these steps help you confirm that you are already using NTFS, you can skip Converting the File System to NTFS below.

  • To check the file system type on your computer:

    1. On the desktop, double-click My Computer.

    2. Right-click the drive letter you want to check, and then click Properties.

    3. Verify that the file system type is NTFS. If it is not, you can use the convert.exe utility described below to convert from FAT16 or FAT32 to NTFS.

      [Figure: Local Disk (C:)]

Check the file system type for all disks on the computer. Even if the file system was configured as FAT32 when the operating system was installed, it can be easily converted to NTFS to provide additional security.

Converting the File System to NTFS

To convert the file system to NTFS, take note of the name of the disk, otherwise known as the volume label (C Drive in the preceding example), and complete the following steps.

  • To convert the file system to NTFS

    1. On the Start menu, click Run, type cmd, and then click OK.

    2. At the command prompt, type the following, where drive letter is the drive you want to convert:
      convert drive letter: /fs:ntfs
      You will be prompted to enter the current volume label for the drive.

    3. Type the volume label for the drive, and then press ENTER.

    4. When the conversion is complete, close the command prompt by typing EXIT.

Note: If you are attempting to convert the drive where the operating system is installed, you might be prompted to schedule the conversion to occur the next time the system is restarted. If this occurs, type Y, and then restart the computer.

Using Antivirus Software

Computer viruses are programs that are loaded onto your system without your knowledge or approval. Viruses and other forms of malicious software have been around for years. Today's viruses can replicate themselves and use the Internet and e-mail applications to spread across the world within hours.

An antivirus software program will help protect your computer against many known viruses, worms, Trojan horses, and other malicious code. Antivirus software continually scans your computer for viruses and helps detect and remove them. Installing antivirus software solves only part of the problem; keeping the antivirus signature files up to date is critical to maintaining a secure desktop or portable computer.

Many new computers come with antivirus software already installed. However, antivirus software requires a subscription to stay up-to-date. If you don't have a current subscription for these updates, your computer is likely to be vulnerable to new threats.

User education regarding safe e-mail practices is another critical step in preventing virus attacks. Users should not open an e-mail or take action on an e-mail attachment unless they are expecting the file. All e-mail attachments should be scanned with the antivirus software before they are executed.

For a list of the software vendors that provide antivirus software compatible with Windows, see https://go.microsoft.com/fwlink/?LinkId=22712.

Protecting File Shares

Peer-to-peer networking allows you to create file shares so that network users can be limited to read-only access or so that network users can read, create, change, and delete files. If you are connected to the Internet, and are not operating behind a firewall, remember that any file shares you create might be accessible to any user on the Internet.

By default, Windows 2000 Professional grants Full Control, Change and Read permissions to everyone who can access your shared folders. You should use the procedure below to remove the Everyone group from share permissions on your shared folders, or at least change the permissions to deny Full Control and Change permissions where appropriate. If you do remove the Everyone group from the share permissions, grant share permissions to specific users, because deleting Everyone means you are not allowing anyone access to the shared folder.

Securing Shared Folders

Windows peer-to-peer networking allows you to share the contents of your file system with other computers on the network. The following set of steps assumes that you have already shared one or more folders in your file system. By changing some of the default file system settings, you can make unauthorized access to your shared folders more difficult.

  • To secure a shared folder

    1. On the desktop, click My Computer, and then locate the file or folder you want to secure.

    2. Right-click the shared folder you want to secure, and then click Sharing.

    3. On the Sharing tab, click Permissions.

      [Figure: Documents Properties]

    4. Remove the Everyone group to prevent unauthorized access. Click the Everyone group, and then click Remove.

      [Figure: Permission for Documents]

    5. Click the user or group you want to add from the Name list, and then click Add. Repeat to add more users or groups. After the users are selected, click OK.

    6. Each user in the permissions list needs to be granted the correct type of access. Double-click a user, and then clear the Allow check box next to Full Control. Then choose whether the user should have Change and Read or just Read access.

    7. Click OK after the permissions have been set.

      Notes:

      • You can set permissions only on drives formatted to use the NTFS file system.

      • If the check boxes on the Permissions dialog box are not available, the permissions are inherited from the parent folder.

      • To change permissions, you must be the user who created the shared folder or have permission from the user who created it.

      • Groups or users who have Full Control permissions for a folder can delete files and subfolders in that folder, regardless of the permissions that otherwise protect the files and subfolders.

Disabling or Deleting Unnecessary Accounts

After installing Windows 2000 Professional, disable or delete any user accounts that you do not require.

  • To disable an account

    1. Click Start, click Settings, and then click Control Panel.

    2. Double-click Administrative Tools, and then double-click Computer Management.

    3. In the console tree, double-click Local Users and Groups, and then click Users.

    4. Right-click the user account you want to change, and then click Properties.

    5. On the General tab, select the Account is disabled check box.

      [Figure: Guest Properties]

Notes:

  • A disabled account still exists, but the user is not permitted to log on. It appears in the Users details pane, but the icon has an X in it.

  • When a user account is not disabled, the user is permitted to log on normally.

  • The built-in Administrator account cannot be disabled.

  • To delete an account

    1. Click Start, click Settings, and then click Control Panel.

    2. Double-click Administrative Tools, and then double-click Computer Management.

    3. In the console tree, click Local Users and Groups, and then click Users.

    4. Right-click the user account you want to delete, and then click Delete.

    Notes:

    • Before you remove user accounts, disable the accounts first. After you are certain that disabling the account has not caused a problem, you can safely delete it.

    • A deleted user account cannot be restored.

    • The built-in Administrator and Guest accounts cannot be deleted.

Securing User Accounts

By using passwords, disabling or deleting unnecessary accounts, and setting account lockout, you can reduce the chances of unauthorized access to your computer.

Using Passwords

It is important to set passwords for all user accounts created on a Windows-based computer for two reasons. Firstly, leaving a password blank allows anyone to access the computer by using that user account.

Secondly, by default, local user accounts without a password can only log directly on to a computer at the console logon screen and cannot log on remotely. This restriction does not apply to domain accounts or to the local Guest account. If the Guest account is enabled and has a blank password, it can be used to log on and access any resource on a peer-to-peer network authorized for access by the Guest account.

  • To set or reset a password for an existing user account

    1. Click Start, click Settings, and then click Control Panel.

    2. Double-click Users and Passwords.

    3. Click the user account you want.
      If clicking the user account has no effect, and the Users for this computer box is unavailable, it means that the computer is set to log on the default user, in which case no logon screen is displayed. Upon initial installation of the operating system, you can choose to use passwords for access to the operating system, or have the computer assume that the default user (created at installation) is always the user logging on. In the latter case, the computer doesn't display a logon screen when the operating system is started. Always select the Users must enter a user name and password to use this computer check box.

    4. Click Set Password.

    5. In the New password field, type a new password of at least eight characters in length. Retype the same password again in the Confirm new password field.

    6. Click OK.
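
Added example (not part of the original guide): a Python audit that reads captured `net user <name>` output and applies the account rules from this section and from Disabling or Deleting Unnecessary Accounts. The sample output is constructed, and the account names and the keep-list passed as `required` are hypothetical.

```python
import re

# Constructed sample (not from a real machine): `net user <name>` output for
# four local accounts, concatenated and trimmed to the fields the audit reads.
SAMPLE = """\
User name                    Guest
Full Name
Account active               Yes
Password required            No
The command completed successfully.
User name                    Administrator
Account active               Yes
Password required            Yes
The command completed successfully.
User name                    oldtemp
Account active               No
Password required            Yes
The command completed successfully.
User name                    kiosk
Account active               Yes
Password required            Yes
The command completed successfully.
"""

# "Key<2+ spaces>Value"; lines with no value or no column gap are skipped.
FIELD = re.compile(r"^(\S.*?)\s{2,}(\S.*)$")

def parse_net_user(text):
    """Return one dict of fields per account in concatenated output."""
    accounts = []
    for line in text.splitlines():
        m = FIELD.match(line.rstrip())
        if not m:
            continue
        key, value = m.groups()
        if key == "User name":          # each account's block starts here
            accounts.append({})
        if accounts:
            accounts[-1][key] = value
    return accounts

def audit(accounts, required):
    """Apply the guide's account rules; `required` is the keep-list (lowercase)."""
    findings = []
    for acct in accounts:
        name = acct["User name"]
        if acct.get("Account active", "").lower() != "yes":
            continue                    # disabled accounts cannot log on
        if acct.get("Password required", "").lower() != "yes":
            findings.append((name, "password not required, may be blank"))
        if name.lower() == "guest":
            findings.append((name, "Guest enabled"))
        elif name.lower() not in required:
            findings.append((name, "not required: disable, later delete"))
    return findings

if __name__ == "__main__":
    for name, issue in audit(parse_net_user(SAMPLE), {"administrator"}):
        print(f"{name}: {issue}")
```

Disabled accounts are skipped because, as noted earlier, a disabled account still exists but cannot log on.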

Using a Firewall

A firewall is software or hardware that creates a protective barrier between your computer and potentially harmful content on the Internet. It helps guard against hackers and many computer viruses and worms. If your computer is running Windows 2000 Professional, Microsoft recommends that you get and install either a hardware or software firewall before connecting to the Internet.

Microsoft does not manufacture stand-alone software firewalls or hardware that includes a firewall. The following resources provide more information about some firewall options.

Hardware Firewalls

Hardware firewalls are a good choice for versions of the Windows operating system prior to Windows XP. Some home-networking hardware, like wireless access points and broadband routers, comes with built-in hardware firewalls. These help protect most home networks. The Microsoft Broadband Networking Wireless Base Station is one example of a wireless access point with a built-in hardware firewall and other home networking features.

Software Firewalls

Software firewalls are available from several vendors, including BlackICE PC Protection, Computer Associates, McAfee Security, Symantec, Tiny Software, and ZoneAlarm.

To learn more about software firewalls made by other companies, hardware firewalls, and network routers, and for information about selecting a firewall for your computer, read Install a Firewall at https://go.microsoft.com/fwlink/?LinkId=22496.

If you have a different configuration, a small network, or want to learn more about firewalls, read Frequently Asked Questions about Firewalls at https://go.microsoft.com/fwlink/?LinkId=19713.

Updating Security Patches

A good way to keep up to date on security patches is to subscribe to Microsoft Security bulletins, which will arrive in your e-mail at about the same time as Automatic Update notifies you of available updates. Sign up to receive the security bulletins in e-mail at https://go.microsoft.com/fwlink/?LinkId=22339. In addition to staying informed through bulletins, there are a number of technologies that can help automate security patching.

Automatic Update

The Automatic Update feature in Windows 2000 Service Pack 4 can automatically detect and download the latest security fixes from Microsoft. Automatic Update can be configured to automatically download fixes in the background and then prompt the user to install them after the download is complete.

  • To configure your computer for automatic updates

    1. On the Start menu, click Settings, click Control Panel, and then double-click Automatic Updates.

    2. Select the Keep my computer up to date check box. With this setting enabled, Automatic Update software might be automatically updated prior to applying any other updates.

    3. Select the option for Automatically download the updates, and install them on the schedule that I specify.

      [Figure: Automatic Updates]

    4. Select the day and time for the updates to occur.

    5. Click OK to close the System Properties dialog box.

      Note: Additionally, Microsoft issues security bulletins through its Security Notification Service. These bulletins are issued for any Microsoft product that is found to have a security issue. When these bulletins recommend installation of a security patch, you should immediately download and install the patch on your computers.

Check Security with the Microsoft Baseline Security Analyzer

As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA).

In Windows 2000, Windows XP, and Windows Server 2003, the Microsoft Baseline Security Analyzer will report configurations that are not secure and patches that can be used to help fix the problem. The tests can be run locally or on remote computers.

Scanning for Updates and Patches

  • To use the MBSA to scan for updates and patches

    1. Click Start, click Programs, and then click Microsoft Baseline Security Analyzer.

    2. Click Pick a computer to scan.

    3. Make sure that the following options are not selected, and then click Start scan:

      • Check for Windows vulnerabilities

      • Check for weak passwords

      • Check for IIS vulnerabilities

      • Check for SQL vulnerabilities

        [Figure: Microsoft Baseline Security Analyzer]

Scanning for Secure Configuration

  • To scan for secure configuration

    1. Clear the Check for security updates check box, make sure that the following options are selected, and then click Start scan:

      • Check for Windows vulnerabilities

      • Check for weak passwords

      • Check for IIS vulnerabilities

      • Check for SQL vulnerabilities

    2. Analyze the scan. The resulting report will appear similar to the patch scan you performed earlier. The only difference is that the How to correct this link will be available when issues are found. When you click the link, a page will appear with the details of the issue found, the solution to the issue, and instructions to correct the issue.

    3. Correct any issues that you find by choosing the link How to correct this. In the resulting page, the solution and instructions explain the steps that you need to take to correct the issue.

Related Information

For more information about securing Windows 2000, see the following:

For more information about related topics on securing Windows 2000, see the following: