Chapter 2 - System Configurations

This guide covers hardening in three different configurations each of Windows 2000 Professional and the Windows 2000 Server family. The configurations are designed to be very generic to enhance applicability. For more specific hardening advice with more detail on particular server environments, please refer to the Securing Windows 2000 Server Security Solution at:

The specific configurations covered in this guide are detailed in Table 1.

Table 1 Covered configurations

Microsoft Windows 2000 Professional

  • Domain member workstation

  • Domain member laptop

  • Stand-alone workstation

Microsoft Windows 2000 Server Family (includes Server, Advanced Server, and Datacenter Server)

  • Domain Controller

  • Domain Member Server

  • Stand-alone Server

Definitions of these configurations are as follows:

  • Domain. A collection of computers that share a common user accounts database. A domain has a unique name and provides access to the centralized user accounts and groups. A domain may also specify security and software policies, as well as relationships with other domains, and represents a single security boundary of a Windows 2000 computer network. Windows 2000 domains can be either mixed mode or native mode. Mixed mode domains can contain Windows NT 4.0 domain controllers, whereas all domain controllers in a Windows 2000 native mode domain must be running Windows 2000 or higher. A native mode domain has additional functionality, such as enterprise groups and the ability for global groups to contain other global groups. Regardless of the domain type, Windows 2000 clients in the domain will use Kerberos for authentication to Windows 2000 domain controllers. For complete details on the differences between native and mixed-mode domains, see the Windows 2000 Server Resource Kit.

  • Stand-alone. A computer that is not a member of a domain. All such machines, by definition, are members of a workgroup, which in turn may contain zero or more additional computers. A stand-alone system is entirely self-sufficient with respect to security and user accounts, although it can share resources, such as printers, with other computers. However, user accounts are only defined locally, and any user accessing resources on a stand-alone computer must have a local account. A workgroup is simply a logical group of computers that share a list of resources available within the workgroup.

  • Domain Controller. For a Windows 2000 Server domain, a server that can authenticate domain logons and maintain the security policy and the security accounts master database for a domain. Domain controllers manage user access to a network, which includes logging on, authentication, and access to the directory and shared resources. Any time a user attempts to access a network resource, the system managing that resource will authenticate the user against the domain controller.

  • Domain Member. A Windows 2000 computer that is a member of a Windows 2000 domain.

Built-in Groups

Windows 2000 comes with many built-in groups, several of which deserve special mention: the Power Users group (on workstations, stand-alone, and member servers), and Server Operators, Print Operators, and Backup Operators (on servers). The purpose of these groups is to enhance the abilities of a user without having to make that user an Administrator. However, due to the powers granted to these groups, any user that is a member of one can become an Administrator. The operators groups are designed primarily to prevent administrators from accidentally destroying the system. They do not prevent a malicious member from becoming an administrator.

The Power Users group is designed for scenarios where older applications that will not run properly as a normal User are in use. For that reason, this group is necessary in certain environments where the only decision is whether to make users Power Users or Administrators. Clearly, faced with that choice, Power Users is preferable. Therefore, this guide does not do what many other similar guides do, which is to attempt as far as possible to render the Power Users group unusable. This group serves a very important purpose in some environments, and leaving it usable was felt to be the best course of action to enhance the applicability of the guide. However, in environments where Power Users are not required, the Power Users group should be controlled, and administrators should ensure no users are members of that group.
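
One way to check the membership of the groups discussed above, as an added example that is not part of the original guide: the script parses saved output of the `net localgroup "<group>"` command and reports every group that is not empty. It assumes English-locale command output; the sample output and account names are constructed.

```python
import re

# Groups the guide singles out: any member can become an Administrator.
ADMIN_EQUIVALENT_GROUPS = ["Power Users", "Server Operators",
                           "Print Operators", "Backup Operators"]

def parse_members(net_output):
    """Return member names from English-locale `net localgroup <group>` output."""
    members, in_list = [], False
    for line in net_output.splitlines():
        line = line.strip()
        if re.fullmatch(r"-{10,}", line):       # dashed rule opens the member list
            in_list = True
        elif line.startswith("The command completed"):
            break                               # trailer closes the member list
        elif in_list and line:
            members.append(line)
    return members

def audit(outputs):
    """Map group name -> members, only for groups that are not empty."""
    findings = {}
    for group in ADMIN_EQUIVALENT_GROUPS:
        # A group that does not exist on this machine has no saved output.
        members = parse_members(outputs.get(group, ""))
        if members:
            findings[group] = members
    return findings

# Constructed sample output (not taken from a real system).
SAMPLE = {
    "Power Users": """Alias name     Power Users
Comment        Power Users possess most administrative powers with some restrictions

Members

-------------------------------------------------------------------------------
jsmith
CORP\\legacyapp-users
The command completed successfully.
""",
    "Backup Operators": """Alias name     Backup Operators
Comment        Backup Operators can override security restrictions

Members

-------------------------------------------------------------------------------
The command completed successfully.
""",
}

if __name__ == "__main__":
    for group, members in audit(SAMPLE).items():
        print(f"{group}: review as Administrator-equivalent -> {members}")
```

Where Power Users are not required, the expected result for that group is an empty list; any member reported for the operators groups should be reviewed with the same care as an Administrator account.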