Microsoft Security Tool Kit: Installing and Securing a New Windows 2000 System

This is a brief guide intended to help you understand the basic steps necessary to safely install a new copy of Windows 2000.

The information in this guide applies to:

  • Microsoft Windows 2000 Advanced Server

  • Microsoft Windows 2000 Professional

  • Microsoft Windows 2000 Server

Microsoft Windows 2000 Datacenter Server customers should contact their Solution Providers for guidelines about securing their systems.

On This Page

Step 1: Performing a Base Installation
Step 2: Securing the Base Installation
Step 3: Securing the System
Step 4: Securing Internet Information Server
Step 5: Identifying Critical Updates
Step 6: Ongoing Maintenance Program

Step 1: Performing a Base Installation

During the installation process, a system will be vulnerable to exploits of known vulnerabilities until the installation has completed and all applicable service packs and hot fixes have been applied. To prevent a system being compromised during the setup process, disconnect the system from all networks if possible. If network connectivity is required for the setup process, ensure the network has not been compromised by security attacks, is not reachable from the public Internet, and is not reachable by systems infected with worms or viruses.

Choose one of these two installation methods, listed in order of preference:

  • Install Windows 2000 while not connected to a network. Typically this is done by using a CD. It is recommended to integrate the service pack to create a Windows 2000 Service Pack 3 installation CD. Follow the Service Pack Installation and Deployment Guide to create an integrated installation and burn the installation share to a CD.

    Ensure all current roll-up packages and hotfixes are available for install while disconnected from the network. Follow the Hotfix Installation and Deployment Guide for detailed information about how to install hotfixes. The base install of Windows 2000 is vulnerable to security attacks and should remain disabled or disconnected from the network until all current service packs and patches are applied.

  • Install Windows 2000 while connected to a network that has not been compromised and is not reachable from the public Internet. An integrated Service Pack installation share is recommended for this method.

The base configuration of Internet Information Server (IIS) includes many of the most widely exploited vulnerabilities. To limit the risk of compromise, install Windows 2000 using an unattend.txt file with entries to disable IIS. For more information about how to use an unattend.txt file while installing Windows 2000, read Chapter 13 of the Deployment Planning Guide. An integrated Service Pack installation share is recommended for this method.
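As an added illustration of the unattend.txt approach described above (not taken from the original guide), the fragment below uses the `[Components]` section of a Windows 2000 answer file to keep the IIS components from being installed. The rest of the answer file is omitted, and the component list is an assumption to check against the deployment documentation for your build.

```ini
; unattend.txt fragment (added example, not from the original guide).
; Only the [Components] section is shown; a usable answer file also needs
; the sections that drive the rest of Setup.

[Components]
iis_common   = Off   ; files shared by the IIS services
iis_inetmgr  = Off   ; Internet Services Manager snap-in
iis_www      = Off   ; World Wide Web service
iis_ftp      = Off   ; FTP service
iis_htmla    = Off   ; HTML-based administration site
iis_doc      = Off   ; IIS documentation
```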

Step 2: Securing the Base Installation

Now that the operating system is up and running, it is time to make it more secure. Depending on how your initial setup was completed in Step 1, you might be able to skip some of the following steps.

Step 3: Securing the System

To continue securing your system, you must follow the checklists below that apply to your installation.

Microsoft Windows 2000 Professional Security Checklist

Microsoft Windows 2000 Server Security Checklist

Step 4: Securing Internet Information Server

You now have a good baseline of security patches installed. Web servers are particularly susceptible to security attacks, and Microsoft has provided this tool to help you. Please follow this step if IIS will be running on this system.

  • Run the IIS Lockdown Wizard:

    This tool lets you instantly configure an IIS 4.0 or 5.0 Web server for secure operation. It provides two modes: an express mode that is appropriate for most basic Web servers and an advanced mode that allows the administrator to pick and choose the technologies that the server will support. The tool provides an Undo feature that allows the effects of the most recent lockdown to be reversed. It also screens all incoming requests to an IIS Web server and allows only those that comply with a ruleset created by the administrator to pass. This significantly improves the security of the server by helping ensure that it responds only to valid requests. The tool allows the administrator to filter requests based on length, character set, content, and other factors. A default ruleset is provided, which can be customized to meet the needs of a particular server.

  • Refine UrlScan configuration:

    The IIS Lockdown Tool installs UrlScan. UrlScan is an ISAPI filter that screens and analyzes requests when IIS receives them. When properly configured, UrlScan is effective at reducing the exposure to potential Internet attacks. The default configuration of UrlScan offers significant improvement over the default configuration of IIS; however, Microsoft recommends further refining the UrlScan configuration to more closely restrict Web requests while still allowing your application to function. Ideally, only requests for file extensions used by your application will be allowed. You should thoroughly test any changes before implementing them in a production environment.

  • Follow the Microsoft Internet Information Services 5 Security Checklist.
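For the "Refine UrlScan configuration" item above, the following UrlScan.ini fragment is an added example (not part of the original guide) that switches extension filtering from a deny list to an allow list. The verbs and extensions shown are assumptions for a hypothetical site serving static pages and ASP; replace them with what your application actually uses.

```ini
; UrlScan.ini fragment (added example, not from the original guide).
; The [AllowVerbs] and [AllowExtensions] entries are assumptions for a
; hypothetical site; list only what your own application requires.

[options]
UseAllowExtensions=1      ; 1 = only extensions in [AllowExtensions] pass;
                          ; 0 = everything passes except [DenyExtensions]
UseAllowVerbs=1           ; 1 = only verbs in [AllowVerbs] pass
NormalizeUrlBeforeScan=1  ; canonicalize the URL before applying the rules
VerifyNormalization=1     ; reject URLs that change when canonicalized twice
AllowHighBitCharacters=0  ; reject non-ASCII characters in the URL
AllowDotInPath=0          ; reject dots in the path other than the extension
EnableLogging=1           ; record rejected requests in the UrlScan log

[AllowVerbs]
GET
HEAD
POST

[AllowExtensions]
.htm
.html
.asp
.gif
.jpg
```

With an allow list in place, a legitimate request that is blocked during testing shows up in the UrlScan log, which identifies the extension or verb that still needs to be added.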

Step 5: Identifying Critical Updates

If your system is currently disconnected from the Internet, it should be connected in order to access the Windows Update tool to verify that all critical updates have been applied. From time to time, Microsoft releases critical updates to resolve newly discovered security vulnerabilities in components included with Windows 2000. The Windows Update site is a tool for identifying critical updates not specifically identified in this document.

To access the Windows Update site, connect to the Internet and select Windows Update from the Start menu. If prompted to install a control, verify that the control was issued by Microsoft Corporation, then click Yes to install it. Follow the prompts to scan for and install all critical updates and service packs.

Windows Update may not be able to apply all critical updates at one time. If necessary, return to the site after rebooting the system and repeat the above process until all critical updates and service packs have been applied.

Step 6: Ongoing Maintenance Program

Your system has now been installed with a good security baseline, but without ongoing maintenance, your system can become vulnerable to new forms of attacks.

  • Use Automatic Updates to automatically notify you of the availability of new security fixes. If possible, configure Automatic Updates to automatically download updates and install them without manual intervention. To configure, open Control Panel and select Automatic Updates.

  • Subscribe to the Microsoft Security Notification Service. This is a free e-mail notification service that Microsoft uses to send information to subscribers about the security of Microsoft products.

  • The Baseline Security Analyzer (BSA) evaluates your system's configurations and provides a report with specific recommendations to improve the security. BSA will recommend missing hotfixes and configuration changes related to both the core operating system and optional services such as IIS, SQL Server, and Internet Explorer. Use BSA to identify vulnerabilities in your system's initial configuration, and run it regularly to find new vulnerabilities.

    When you run BSA after installing the security baseline described above, the BSA results will show many security fixes are not installed. This is true and expected. The document provides only a baseline from which to start. It is recommended you take the necessary steps to ensure all the critical security patches are installed.

    You should run this tool against all the computers that you are securing on a daily basis until you are confident that all the recommended fixes have been applied. You can lower the frequency but should continue to check regularly to detect fixes that have been uninstalled or overwritten. As you deploy new security fixes, you should continue to run the tool to verify and detect missing security patches.

  • If deploying fixes to multiple systems, use the Qchain tool to chain hotfixes together so that only one reboot is required when installing several fixes.

Once completed, Sysprep can be run on this installation, and it can be stored as a secure baseline image for future servers using non-Microsoft imaging tools. This image can then be applied to machines when needed using the imaging vendor's process. If this image is a Windows 2000 Professional installation, you can make this image available from a Windows 2000 RIS Server.