
Learn the Essentials for Securing Windows 2000 Operating Systems

Systematic approach to system administration pays off

John Kemp
kemp@ns.uoregon.edu

Because Microsoft Windows 2000 is such a large and complex operating system, securing Win2K machines may initially appear to be a daunting task. If basic standard practices of system administration are followed, however, securing a Win2K machine can be fairly manageable.

Below I've outlined the basic security measures necessary for setting up any Win2K machine. Some of these recommendations may look familiar, since the most common computer security practices generally apply to all types of machines.

Perform Regular Backups
The most important thing you can do to protect your data is to implement a full backup regimen. This makes your job easier in case of a break-in and also helps in the event of a hardware failure.

Commercial backup programs. Win2K comes with a built-in backup program called "Microsoft Windows Backup" that should be adequate for most backup tasks. The full commercial version of the program, Veritas Backup EXEC, has additional features for users with larger installations. Another commercial program that is popular for backups is Symantec's GHOST. GHOST can be used to perform full image dumps and restores.

Using a second hard disk for backup. Now that hard disks have become more affordable, it is becoming more popular to use a second hard disk as a fast, near-line backup storage device. For example, by GHOSTing a copy of the entire system disk to a second hard disk on a regular basis and then unmounting the disk from the running system, you have a poor man's mirroring system that can be extremely helpful in recovering from a problem on the primary disk.

A larger disk with multiple partitions can also be used to add multiple copies of the image, or to store incremental backups. Reports from incremental backup runs can also prove to be valuable in providing a list of all filesystem modifications that occur on a system from one day to the next.

Monitor System Integrity
The only way to know with any degree of certainty whether your system has been compromised is through careful system monitoring. This can be done using built-in checking mechanisms, add-on commercial system integrity checking tools, or by monitoring system event logs.

Win2K includes a system file checker called "SFC." This command can be run from the command prompt to verify the signatures of some of the default system files against signatures on the install CD-ROM. Insert the original install CD and run the command "sfc /scannow," and the program will check the integrity of critical system files. Win2K also includes, by default, a Windows File Protection feature which prevents anyone but the Administrator from replacing critical system files.

Tripwire is a commercial tool that can provide a more complete set of tests for system modification (for more information about Tripwire, see "Concerned About File System Integrity? Try Some of These Useful Tools" on page 6 of the Spring 2001 Computing News; the online version of this article is available at http://cc.uoregon.edu/cnews/spring2001/tools.html#tripwire).

With Tripwire, you can customize the set of files that are checked to include files other than the small set of system files Win2K normally monitors. A typical set of Tripwire commands is listed below for reference:


C:\> rem Export the default policy so the list of watched files can be edited
C:\> twadmin --print-polfile > policy.txt
C:\> rem Compile the edited policy, then build the baseline database
C:\> twadmin --create-polfile policy.txt
C:\> tripwire --init --verbose
C:\> rem Compare the current file system against the baseline
C:\> tripwire --check --verbose
C:\> rem Schedule a daily 03:00 check whose report is mailed out
C:\> at 03:00 /every:M,T,W,Th,F,S,Su "cmd.exe /c tripwire\bin\tripwire.exe --check --email-report"
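
The baseline-then-check workflow behind the commands above, as an added Python example (not code from the article or from Tripwire): it fingerprints every regular file under a set of watched directories, stores the baseline as JSON, and on a later run reports files that were added, removed or modified. The watched directory, the file names and the baseline location are constructed in temporary directories so it runs offline; keys are paths relative to their root.

```python
import hashlib
import json
import os
import pathlib
import stat
import tempfile

def _sha256(path):
    with open(path, "rb") as f:
        return hashlib.sha256(f.read()).hexdigest()

def snapshot(roots):
    """Fingerprint (digest, size, mode bits) of each regular file under roots."""
    entries = {}
    for root in roots:
        for dirpath, _dirs, files in os.walk(root):
            for name in files:
                path = os.path.join(dirpath, name)
                st = os.lstat(path)
                if stat.S_ISREG(st.st_mode):  # skip symlinks, devices, pipes
                    entries[os.path.relpath(path, root)] = {
                        "sha256": _sha256(path),
                        "size": st.st_size,
                        "mode": stat.S_IMODE(st.st_mode)}
    return entries

def init_baseline(roots, db_path):
    """Like 'tripwire --init': record the trusted state of the watched files."""
    with open(db_path, "w") as f:
        json.dump(snapshot(roots), f, indent=1, sort_keys=True)

def check(roots, db_path):
    """Like 'tripwire --check': compare the current state with the baseline."""
    with open(db_path) as f:
        baseline = json.load(f)
    current = snapshot(roots)
    return {"added": sorted(set(current) - set(baseline)),
            "removed": sorted(set(baseline) - set(current)),
            "modified": sorted(p for p in set(current) & set(baseline)
                               if current[p] != baseline[p])}

def demo():
    """Constructed scenario: baseline two files, then alter one and drop in another."""
    root = tempfile.mkdtemp()
    db = os.path.join(tempfile.mkdtemp(), "baseline.json")  # keep the db outside root
    for name, data in (("kernel32.dll", b"original"), ("ntoskrnl.exe", b"kernel")):
        pathlib.Path(root, name).write_bytes(data)
    init_baseline([root], db)
    pathlib.Path(root, "kernel32.dll").write_bytes(b"trojaned")  # simulated replacement
    pathlib.Path(root, "evil.dll").write_bytes(b"dropped")       # simulated new file
    return check([root], db)
```

Like Tripwire's own database, the baseline file must live somewhere an intruder cannot rewrite (read-only media or a separate machine), or the check proves nothing.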

Win2K also includes very fine-grained access auditing mechanisms. The local control interface for these settings on a Win2K Professional machine is in Administrative Tools // Local Security Policy // Security Settings // Local Policies // Audit Policies. Here you can enable auditing of logins, file accesses, and so on. To view the logged information, go to the Administrative Tools // Event Viewer and select the appropriate log to see the events.

Block Selected Attacks with Packet Filters
Monitoring system integrity is the necessary approach for determining whether or not a machine has been compromised. But it is clearly much better if the machine is never compromised in the first place. Packet filtering is one method to actively block selected attacks from being successful.

Packet filters are derived by understanding the TCP/IP services your computer offers, as well as the range of IP addresses that will have access to those services. For example, the IP addresses on UOnet are almost all within the range 128.223.0.0 - 128.223.255.255. By restricting access to that specific range of addresses, the number of possible attackers is reduced from "every machine on the Internet" to "just UOnet machines." For services that necessitate only local access, this can be a good approach.

BlackICE Defender is a commercial product that implements a coarse set of filtering rules. Using BlackICE, a system can be configured to refuse connections from remote sites by selecting one of the pre-configured settings: "Paranoid," "Nervous," "Cautious," or "Trusting." Custom rules can be added to allow specific hosts or specific types of traffic to get through. BlackICE has additional features for logging that can be helpful in back-tracing connections when attempted intrusions do occur.

Microsoft added IPSEC support when it released Win2K. As part of the IPSEC engine, Microsoft included a new IP Filter Lists component that can be employed whether or not the more complex IPSEC associations are being used.

This new feature provides very precise construction of rulesets for performing packet filtering. The controls for this functionality are located under Administrative Tools // Local Security Policy // IP Security Policies on Local Machine. Select and right-click to select "Manage IP Filter Lists." Once a list is created, it can be added as part of an "IP Security Policy" for the machine.

IP Filter Lists allow you to specify addresses, protocols, ports, interface, and direction. Because these rule sets can be complex, it's best to understand which network traffic is going to be blocked or permitted by your rules before you begin putting them in place.
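
A way to do that "understand before you deploy" step, as an added Python example that is not part of the article and does not model Win2K's own filter ordering: rules carry the same attributes the article lists (remote address range, protocol, local port, direction), a constructed ruleset permits file sharing only from the UOnet range and web traffic from anywhere, and a dry run evaluates sample packets against it. The first matching rule wins and the default is "block"; both are assumptions of this example.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class Rule:
    action: str                     # "permit" or "block"
    direction: str                  # "inbound", "outbound" or "any"
    protocol: str                   # "tcp", "udp", "icmp" or "any"
    remote: ipaddress.IPv4Network   # remote address range the rule applies to
    port: Optional[int] = None      # local port, None means any port

@dataclass
class Packet:
    direction: str
    protocol: str
    remote_ip: ipaddress.IPv4Address
    local_port: Optional[int]

def matches(rule, pkt):
    return (rule.direction in ("any", pkt.direction)
            and rule.protocol in ("any", pkt.protocol)
            and pkt.remote_ip in rule.remote
            and (rule.port is None or rule.port == pkt.local_port))

def decide(rules, pkt, default="block"):
    """First matching rule wins; unmatched traffic gets the default (assumption)."""
    for rule in rules:
        if matches(rule, pkt):
            return rule.action
    return default

def dry_run(rules, samples):
    """Evaluate a list of (label, Packet) pairs and return {label: decision}."""
    return {label: decide(rules, pkt) for label, pkt in samples}

# Constructed ruleset: SMB (TCP 139/445) only from UOnet, HTTP from anywhere, else block.
UONET = ipaddress.ip_network("128.223.0.0/16")      # 128.223.0.0 - 128.223.255.255
ANYWHERE = ipaddress.ip_network("0.0.0.0/0")
RULES = [Rule("permit", "inbound", "tcp", UONET, 139),
         Rule("permit", "inbound", "tcp", UONET, 445),
         Rule("permit", "inbound", "tcp", ANYWHERE, 80),
         Rule("block", "inbound", "any", ANYWHERE)]

# Constructed sample traffic; 203.0.113.0/24 is a documentation range, not a real host.
SAMPLES = [("smb from UOnet", Packet("inbound", "tcp", ipaddress.ip_address("128.223.10.5"), 445)),
           ("smb from Internet", Packet("inbound", "tcp", ipaddress.ip_address("203.0.113.7"), 445)),
           ("web from Internet", Packet("inbound", "tcp", ipaddress.ip_address("203.0.113.7"), 80)),
           ("outbound reply", Packet("outbound", "tcp", ipaddress.ip_address("203.0.113.7"), None))]
```

The dry run shows the ruleset also blocks the outbound sample, because nothing permits outbound traffic before the default applies; that is exactly the kind of surprise worth catching before the rules go live.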

The Win2K Resource kit also provides a command-line utility called "ipsecpol" for performing these same functions. A good article describing the process of activating a filter list can be found on the Microsoft website at http://www.microsoft.com/ISN/columnists/using_ipsec.asp

Virus Prevention
Computer viruses are one of the most serious threats to a system based on a Microsoft OS. With all the outbreaks that have occurred recently, no one should doubt the need to install anti-virus software on their machine. The UO has a site license for Norton AntiVirus 2001, and you can download the software from ftp://public/software/AntiVirus/NAV2001/

"Safe computing" practices go a long way toward preventing infection. Simple common sense can prevent most virus infections. For example, do not:

Exposed file shares are a frequent source of abuse. If you are not using File Sharing, disable it (open Settings -> Control Panel -> Network -> File and Print Settings, and make sure the file sharing options are unchecked). You might also want to review the information on Steve Gibson's "Shields Up!" site at http://www.grc.com/su-rebinding9x.htm

Stay Up To Date
As new vulnerabilities are discovered in Win2K, they need to be addressed. Microsoft releases security updates on a regular basis and you should periodically check the following site to see if any of those updates apply to your environment: http://www.microsoft.com/technet/security/current.asp

Microsoft periodically bundles updates into "Service Packs." As of this writing, Microsoft has released "Windows 2000 Service Pack 2." To check for updates, visit the Microsoft Windows Update Homepage at http://windowsupdate.microsoft.com/

Summary
Here are six essential points to remember when securing your Win2K environment:
  1. Some work is required if you want to improve the security of your machine.
  2. Good backups are a must.
  3. System integrity monitoring is critical in order to know if there has been a break-in.
  4. Packet filtering is an excellent tool for preventing break-ins.
  5. Anti-virus software is essential for preventing the destructive effects of common computer viruses.
  6. System updates are necessary to make sure that your machine stays secure over time.

Used in combination, these practices can help ensure that you have a safe computing experience.

Other Useful Resources
Additional information on Win2K security is available from the following websites and publications:
http://www.microsoft.com/technet/security/

http://www.sans.org/infosecFAQ/win2000/win2000_list.htm

http://www.cert.org/

http://www.securityfocus.com/

http://www.securityportal.com/

http://www.windowsitsecurity.com/

"Windows 2000 Security: Step by Step" http://www.sansstore.org/

"Securing Windows NT/2000 Servers for the Internet" Stefan Norberg and Deborah Russell. ISBN: 1-56592-768


Summer 2001 Computing News | Computing Center Home Page