
Windows 2000 Security

   

I was asked recently to go to a car dealership and do a security analysis on their Windows Server 2000 machine.

This is what I recommend doing to any Windows 2000 machine where applicable.

Make sure that the guest account is disabled. It comes disabled by default.

A problem I notice a lot when I go to companies is that lots of accounts are still active for employees who no longer work there. They should be removed when the employee is terminated or leaves of their own accord. Disgruntled employees have been known to wreak havoc.

Group policies can and should be implemented in a Windows 2000 environment and audited to make sure there are no extra accounts or accounts with weak passwords.

Password security is also important; if your password is weak it will be cracked. I have been in companies where your password is your initials. That is too simple. Implement password policies and account lockouts after multiple failed login attempts. WARNING: account lockouts can themselves be used for a denial-of-service attack, because repeated failed logins lock out legitimate users. Create multiple admin accounts and give them different rights. Use a strong password policy for administrative tasks.
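
One way to check the password length and lockout settings recommended above is to parse the output of net accounts on the server. This is an added example, not code from the original article; the sample output is constructed, and the baseline values (8 characters, 5 to 50 failed attempts) are assumptions to adjust to your own policy.

```python
import re

# Constructed sample of `net accounts` output (a server left at its defaults).
SAMPLE = """\
Force user logoff how long after time expires?:       Never
Minimum password age (days):                          0
Maximum password age (days):                          42
Minimum password length:                              0
Length of password history maintained:                None
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
Lockout observation window (minutes):                 30
Computer role:                                        SERVER
The command completed successfully.
"""

# Assumed baseline for this example; adjust to your own policy.
MIN_LENGTH = 8
LOCKOUT_MIN, LOCKOUT_MAX = 5, 50


def parse_net_accounts(text):
    """Map each setting name to an int, or None for Never/None/text values."""
    settings = {}
    for line in text.splitlines():
        m = re.match(r"^(.+?)\??:\s+(\S.*?)\s*$", line)
        if not m:
            continue  # e.g. "The command completed successfully."
        name = re.sub(r"\s*\(.*?\)$", "", m.group(1).strip())  # drop "(days)"
        value = m.group(2)
        settings[name] = int(value) if value.isdigit() else None
    return settings


def audit(settings):
    """Return findings for weak password length and lockout settings."""
    findings = []
    length = settings.get("Minimum password length")
    if length is None or length < MIN_LENGTH:
        findings.append("minimum password length is below %d" % MIN_LENGTH)
    threshold = settings.get("Lockout threshold")
    if threshold is None:
        findings.append("account lockout is disabled")
    elif threshold < LOCKOUT_MIN:
        # A very low threshold lets anyone lock out users with a few bad logins.
        findings.append("lockout threshold is low enough to ease denial of service")
    elif threshold > LOCKOUT_MAX:
        findings.append("lockout threshold is too high to slow password guessing")
    return findings
```

Calling audit(parse_net_accounts(SAMPLE)) on the constructed defaults reports both the zero-length password minimum and the disabled lockout.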

Run net share from the command line to view open shares on your network, and shut those down unless needed.

Go into the BIOS and set a user password and disable the ability to boot from a floppy, USB, or CD. People can easily grab the SAM file, which stores the password hashes on your system, using a Linux boot CD or other tools, and then attempt to crack the hashes.

Change the administrator account to a different name. That name is usually a cracker's first attempt. Rename it to something other than root as well.

Use NTFS on all partitions; this gives you more control and security than using the FAT file system.

Make sure that the "Everyone" permission is not allowed on your resources, directories, etc.

Turn off the display of the last logged-on user name. Displaying it makes it easier for an attacker to guess passwords: they are already halfway there once they have the username.

Apply appropriate access control lists.

Don't forget about the people around you, and either lock your workstation when you leave or have a screensaver enabled with a strong password. Insider threats are a reality.

You can enable EFS (Encrypting File System); you can encrypt whole directories as well. I suggest, if you're really paranoid or smart, looking into a utility that allows you to choose different encryption algorithms. I do not like encryption standards that are closed, meaning we can't see the source code. I prefer open source; it's easier to look for holes and attacks.

Make backups of all your important files. This is the most important thing I learned in System Administration. Backup, Backup, Backup to something that cannot be overwritten such as a CD-R.

To configure security policies, use the Security Configuration Toolset; you can make your job a lot simpler by using snap-ins.

I visited Microsoft's site to see everything they had; I have to say there is plenty of information.

Shut down services that are not needed. The more ports that are open and the more applications running the more avenues of attack.

Restrict access to the Local Security Authority to admin only.

Change the logon warning to something like: "Authorized personnel only. All activities are logged and monitored. Violators will be prosecuted to the fullest extent of the law."

Shut down individual ports that are not used.

I personally like smartcards for two-factor authentication. I recommend RSA SecurID for machines that need more security.

Enable auditing to track what users and possible intruders are doing on your system.

Everything from login attempts to access of objects can be audited in Windows 2000.

Protect the registry from anonymous access.

Make sure the audit logs are locked down so they cannot be erased, or tampered with. Only the admin should have rights to these files.

Install service packs.

Make sure that your antivirus is up to date with the latest signatures.

Run an anti-spyware utility.

You can also run an online vulnerability checker such as ShieldsUP! by Gibson Research.

Get automated patch software.

Remember that security is not something that can be finished. Keep up to date.

Author: Benjamin Hargis
 
Author Bio:

Benjamin Hargis

Benjamin Hargis is a computer consultant. He publishes many articles on security and computers and provides IT services through his company Phuture Networks.

During the day he creates ad-copy for Google and Yahoo.

His interests are computing, UNIX, Linux, firewalls, web design, information retrieval, GIS, programming, embedded systems programming, hardware, satellites, algorithms, AI, technology, electronics, learning, reading any of Tom Clancy's novels, playing chess and being on the net.

You can reach him at phuturegenius@yahoo.com

Copyright © 2006-2008 www.starcrusaders.com - All Rights Reserved.