STANFORD UNIVERSITY

SECURE COMPUTING

Secure Computing: Best Practices for Windows 2000 Professional

Securing a Windows 2000 Desktop

This document provides instructions for building a secure Windows 2000 desktop computer for the Stanford environment.

No matter what operating system you're using, the basic steps for securing it are the same:

  • Install all operating system patches.
  • Verify user account security.
  • Eliminate unnecessary applications and network services.
  • Install and configure necessary applications and network services.
  • Configure system logging to record significant events.
  • Keep applications and operating system patches up to date.

Install the latest patches.

It's imperative that you connect to the network and immediately download and install the necessary patches for your operating system. Many security exploits prey on systems which are not kept up to date. Unpatched machines are frequently exploited within minutes of being attached to an open network like Stanford's.

Once you've booted your Win2000 box onto the Stanford network, select the Start button in the lower left hand corner of the screen. Select the Windows Update menu item, and follow the instructions. Install at least the critical updates that Windows Update discovers. Be sure you've installed all the updates for Internet Explorer, too. IE is an integral part of the Windows operating system, and must be patched at the same time other security fixes are applied.

Verify user account security

Disable Guest Account if necessary. Windows operating systems include a Guest account designed for temporary users. Leaving it enabled is usually not a good idea, and in the vast majority of cases the Guest account should be disabled. For Win2000 Professional, confirm that the Guest account is disabled, or disable it, as follows:

  1. Select the Start button on the lower left-hand corner of the screen.
  2. Select Settings --> Control Panel.
  3. Select Users and Passwords.
  4. Select the Advanced tab.
  5. In the Advanced User Management section, click Advanced.
  6. Select the Users folder. All users on the system will be listed.
  7. Right-click the Guest account and select Properties.
  8. Select the Account is Disabled checkbox.
  9. Click the Apply button.

Make sure all accounts have passwords set. Many Windows systems still have administrator or other accounts without any passwords set, or have very simple passwords. Check all accounts in the User Accounts screen as noted above and make sure passwords have been set. Make sure that all accounts have good passwords that are not based on dictionary words.

Guidelines for choosing good passwords

Be sure all users are required to enter a username and password. Windows 2000 allows you to enforce the use of usernames and passwords for access to your system. Here's what you do:

  1. Select the Start button on the lower left-hand corner of the screen.
  2. Select Settings --> Control Panel.
  3. Select Users and Passwords.
  4. Be sure that Users must enter a user name and password... is checked.

[Image: Auto Logon]

Limit Administrative Privileges. It is very common either to log in to one's system as administrator for everything, or to create user accounts and assign them administrative privileges. Most email and web-clickable trojans and viruses rely upon this fact. Instead, make a new user for anyone accessing the system, and limit them to Power User or Standard User privilege levels. Any user can use the Run As feature (hold Shift while right-clicking an application to see the Run As option) to temporarily become the Administrator when necessary to install software. To create new users, follow the guest account access procedures above, but click Add from the Users and Passwords option.

Eliminate unnecessary applications and network services

Many services should be disabled by default, including file sharing. What follows are instructions for checking and disabling services, which has to be done one service at a time. Make sure you disable Alerter; ClipBook; HP Web Jetadmin; Internet Connection Sharing; Messenger; NetMeeting Remote Desktop Sharing; Network DDE; Network DDE DSDM; Remote Registry Service; Routing and Remote Access; and Telnet, if they are enabled.

  1. Select the Start button on the lower, left-hand corner of the screen.
  2. Select Settings --> Control Panel.
  3. Double-click the Administrative Tools icon.
  4. Double-click the Services icon.
  5. Scroll down to the service in question and double-click it.
  6. Change the Startup type to Disabled instead of either Manual or Automatic.
  7. Reboot your computer after all desired service changes are made.

But note! Members of Stanford Windows domains (including but not limited to the WIN, IT, SU, SU-GSB, FAC, GSB, LAWSU, and STANFORD-NT domains) may need to turn on several of the "riskier" remote management tools, in order to allow their systems to be managed effectively. This risk is reduced by the fact that the domain controllers themselves can secure the individual workstations, making this a reasonable action for domain members. If you're in one of those groups (or smaller domains not specifically mentioned here), ask your administrator about whether or not remote management tools are required. If they are, you'll want to leave the services they require enabled. These are probably Remote Registry Service and Application Management, but may include others.

Install necessary applications: PC-Leland

PC-Leland is a Stanford-specific application that allows Windows users to authenticate using Kerberos, and enables access to the AFS file system and authenticated parts of the Stanford Web space. With PC-Leland, you can login once to your PC desktop, and have that login shared across multiple applications and services running on SUNet (the Stanford University Network). All Windows users are strongly encouraged to install PC-Leland.

Install necessary services: file sharing.

Stanford provides the AFS file system as the primary mechanism for sharing files between members of the SUNet community. AFS support is included in PC-Leland on Win2000. But if for some reason you need to enable PC-based file sharing -- that is, network-based access to the documents on your local system's hard drive -- here's how to do it as securely as possible:

Allowing Anonymous connections to your shared folders lets everyone on the Stanford network browse your system without having a local user account, which is undesirable in most cases. Limiting users on each share to Authenticated Users makes this more difficult. On a Win2000 system, replace the Everyone group with Authenticated Users on all file shares:

  1. Click on My Computer.
  2. For each drive icon, right-click it and select Sharing And Security.
  3. Click on the Security tab.
  4. Click Add and in the window type Authenticated Users.
  5. Click OK to get back to the user list screen.
  6. Select Everyone and click the Remove button.
  7. Click Apply and then click OK when it finishes.

For additional protection, you can make a change in the system Local Security Policy that further restricts the ability of unauthenticated users to see the file shares on your system. From the Start button, select Control Panel, then Administrative Tools (Common), then Local Security Policy. Open the Local Policies folder, then the Security Options folder, to find the entry for Additional restrictions for anonymous connections. Be sure it's set to "Do not allow enumeration of SAM..."

Far more information on disabling null session enumeration
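
An added example, not part of the original guide or any Stanford tool: a Python check that reads a registry export in .reg text form and reports which of the services listed earlier are not disabled, and whether anonymous connections are restricted. The registry key names, the RestrictAnonymous value name and the sample export are supplied here as assumptions; the guide itself gives only display names.

```python
import re
# Constructed sample in .reg export form; not taken from a real host.
SAMPLE_REG = r"""
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Alerter]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"""
ROOT = "hkey_local_machine\\system\\currentcontrolset\\"
# Assumed key names for the guide's services (HP Web Jetadmin's is not known here).
RISKY = {"alerter": "Alerter", "clipsrv": "ClipBook", "messenger": "Messenger",
         "sharedaccess": "Internet Connection Sharing", "netdde": "Network DDE",
         "mnmsrvc": "NetMeeting Remote Desktop Sharing", "tlntsvr": "Telnet",
         "netddedsdm": "Network DDE DSDM", "remoteaccess": "Routing and Remote Access",
         "remoteregistry": "Remote Registry Service"}
START = {2: "Automatic", 3: "Manual", 4: "Disabled"}  # service Start values

def parse_reg(text):
    """Return {lower-cased key path: {lower-cased value name: int}} for DWORDs."""
    keys, current = {}, None
    for line in map(str.strip, text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            m = re.fullmatch(r'"([^"]+)"=dword:([0-9a-fA-F]{8})', line)
            if m:
                current[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(text, keep_enabled=()):
    """Return findings; keep_enabled holds key names a domain admin requires."""
    keys, findings = parse_reg(text), []
    keep = {name.lower() for name in keep_enabled}
    for short, display in RISKY.items():
        start = keys.get(ROOT + "services\\" + short, {}).get("start")
        if start is not None and start != 4 and short not in keep:
            findings.append(f"{display}: startup type is "
                            f"{START.get(start, start)}, expected Disabled")
    # 0 = no restriction; 1 matches "Do not allow enumeration of SAM..."
    if keys.get(ROOT + "control\\lsa", {}).get("restrictanonymous", 0) < 1:
        findings.append("RestrictAnonymous: anonymous enumeration not restricted")
    return findings

if __name__ == "__main__":
    print("\n".join(audit(SAMPLE_REG, keep_enabled=["RemoteRegistry"])))
```

The keep_enabled argument covers the domain-member case described earlier, where an administrator requires a service such as Remote Registry Service to stay enabled.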

Install anti-virus software

Stanford licenses Norton Anti-Virus for desktop protection. All users are strongly encouraged to install it and to run LiveUpdate regularly (this is Norton's mechanism for updating virus signatures). This software can be downloaded from http://ess.stanford.edu.

Configure system logging

Although Stanford makes no attempt to collect system logs from every desktop computer on its network, those logs are invaluable when administrators need to troubleshoot a problem or recover a system that's been hacked. By default, Windows leaves all logging disabled, but you can set it yourself. Click on the Start button, then Settings, then Control Panel. Double click on Administrative Tools. Double click on Local Security Settings, and select Local Policies --> Audit Policy. Here's the audit policy configuration we recommend for stand-alone Win2000 desktops:

[Image: audit policy]

To change the setting on an individual policy, highlight it, then right-click. Under the Properties item, you'll be able to select for success and/or failure audits. Note that if your machine is a member of a domain, its audit policy may be controlled by the Domain Controller.

Microsoft allows a whopping 512 KB of storage space for Event Log records, and overwrites old records when that limit is reached. In most cases, that's a reasonable configuration (it should allow your machine to retain at least a few days of activity). But you can increase the amount of storage space available. From the Control Panel, double-click on Administrative Tools, and then double-click on Event Viewer. You'll see the three subsets of the Event Log: the Application, Security and System Logs. Access the properties of these logs by selecting one, right-clicking on it, and bringing up the Properties. Log size is controlled here. We recommend leaving the default configuration of When maximum log size is reached to avoid inadvertently disabling your desktop system should you run out of log space.

Keep application and operating system patches up to date

Use Windows Update. Default configurations of Windows 2000 rely on the Windows Update mechanism to notify users of new critical patches, and to manage the download and installation of those patches. To be sure you've got it running:

  1. Click on the Start button in the lower left hand corner of your screen.
  2. Select the Control Panel.
  3. Double-click on Automatic Updates.
  4. Be sure that Keep my computer up to date is selected, and pick the notification and install option that best suits your needs (Notify me before installing updates, Install updates automatically, Install updates at the time I've selected).

You can confirm that your system is up to date by visiting http://windowsupdate.microsoft.com.

Install and use the Security Self-Test. Install the Security Self-Test to make sure your system meets a good standard for security. This tool checks for many of the above conditions, as well as what software you have installed. Passing this test confirms that the changes you've made have been successful, and that your computer is ready for the Stanford network.

Other Resources and Links

Windows Security at Stanford

Stanford's Windows News page

Windows 2000 Security Checklist

Windows 2000 Professional Benchmark from the Center for Internet Security

Securing Your PC - Windows 2000

Windows PC Security (on campus)

Last modified Wednesday, 06-Apr-2011 10:06:50 AM
