Microsoft Security Tool Kit: Securing an Existing Windows 2000 System

For the purposes of this guide, we are assuming that the existing installation has not been compromised. For the case in which a system has been compromised, you need to follow the recommendations for fixing that system before you can begin the following baseline steps. For more information about how to find out if your system or network has been compromised, click here. This guide references additional documents and updates that can be found in the contents section of the Microsoft Security Tool Kit.

The information in this guide applies to:

  • Microsoft Windows 2000 Advanced Server

  • Microsoft Windows 2000 Professional

  • Microsoft Windows 2000 Server

Microsoft Windows 2000 Datacenter Server customers should contact their Solution Providers for guidelines on securing their systems.

On This Page

Step 1: Applying Updates
Step 2: Securing the System
Step 3: Securing Internet Information Server (IIS)
Step 4: Ongoing Maintenance Program

Step 1: Applying Updates

From time to time, Microsoft releases critical updates to resolve newly discovered security vulnerabilities in components included with Windows 2000. The Windows Update site is a tool for identifying critical updates not specifically identified in this document. To access the Windows Update site, connect to the Internet and select Windows Update from the Start menu. If prompted to install a control, verify that the control was issued by Microsoft Corporation, then click Yes to install it. Follow the prompts to scan for and install all critical updates and service packs.

Windows Update may not be able to apply all critical updates at one time. If necessary, return to the site after rebooting the system and repeat the above process until all critical updates and service packs have been applied.

If you are unable to use Windows Update, perform the following tasks.

Step 2: Securing the System

Microsoft Windows 2000 Server Security Checklist

Step 3: Securing Internet Information Server (IIS)

You now have a good baseline of security patches installed. Web servers are particularly susceptible to security attacks, and Microsoft has provided this tool to help you. Please follow this step if IIS will be running on this system.

  • Run the IIS Lockdown Wizard :

    This tool lets you instantly configure an IIS 4.0 or 5.0 Web server for secure operation. It provides two modes: an express mode that is appropriate for most basic Web servers and an advanced mode that allows the administrator to pick and choose the technologies that the server will support. The tool provides an Undo feature that allows the effects of the most recent lockdown to be reversed. It also screens all incoming requests to an IIS Web server and allows only those that comply with a ruleset created by the administrator to pass. This significantly improves the security of the server by helping ensure that it responds only to valid requests. The tool allows the administrator to filter requests based on length, character set, content, and other factors. A default ruleset is provided, which can be customized to meet the needs of a particular server.

  • Refine UrlScan configuration:

    The IIS Lockdown Tool installs UrlScan. UrlScan is an ISAPI filter that screens and analyzes requests IIS when receives them. When properly configured, UrlScan is effective at reducing the exposure to potential Internet attacks. The default configuration of UrlScan offers significant improvement over the default configuration of IIS; however, Microsoft recommends further refining the UrlScan configuration to more closely restrict Web requests while still allowing your application to function. Ideally, only requests for file extensions used by your application will be allowed. You should thoroughly test any changes before implementing them in a production environment.

  • Follow the Microsoft Internet Information Services 5 Security Checklist.

Step 4: Ongoing Maintenance Program

Your system has now been installed with a good security baseline, but without ongoing maintenance, your system can become vulnerable to new forms of attacks.

  • Use Automatic Updates to automatically notify you of the availability of new security fixes. If possible, configure Automatic Updates to automatically download updates and install them without manual intervention. To configure, open Control Panel and select Automatic Updates.

Subscribe to the Microsoft Security Notification Service. This is a free e-mail notification service that Microsoft uses to send information to subscribers about the security of Microsoft products.

  • The Baseline Security Analyzer (BSA) evaluates your system's configurations and provides a report with specific recommendations to improve the security. BSA will recommend missing hotfixes and configuration changes related to both the core operating system and optional services such as IIS, SQL Server, and Internet Explorer. Use BSA to identify vulnerabilities in your system's initial configuration, and run it regularly to find new vulnerabilities.

    When you run the BSA after installing the security baseline described above, the BSA results will show many security fixes are not installed. This is true and expected. The document provides only a baseline from which to start. It is recommended you take the necessary steps to ensure all the critical security patches are installed.

    You should run this tool against all the computers that you are securing on a daily basis until you are confident that all the recommended fixes have been applied. You can lower the frequency but should continue to check regularly to detect fixes that have been uninstalled or overwritten. As you deploy new security fixes, you should continue to run the tool to verify and detect missing security patches.

  • If deploying fixes to multiple systems, use the Qchain tool to chain hotfixes together in order for only one reboot to be required when installing several fixes.

Once completed, Sysprep can be run on this installation, and it can be stored as a secure baseline image for future servers using non-Microsoft imaging tools. This image can then be applied to machines when needed using the imaging vendor's process. If this image is a Windows 2000 Professional installation, you can make this image available from a Windows 2000 RIS Server.