Hardening Your Windows 2000 Server


The following seven simple steps are ones you can take to easily enhance the overall security of your Windows 2000 Server. These are quick and dirty steps to enhance your security and can be used in addition to any third-party security tools and firewalls you may have already implemented.

1. Implement TCP/IP filtering policies. Use these as a basic firewall for your machine. You can set up TCP/IP filtering by right-clicking 'My Network Places' -> right-clicking 'Local Area Connection' and selecting Properties -> highlighting TCP/IP and clicking 'Properties' -> clicking 'Advanced' -> selecting the 'Options' tab -> selecting TCP/IP filtering. You can use IP filtering to deny foreign hosts access to, say, your SQL Server port, or even your Windows shares. This is a quick and dirty method to prevent foreign machines from accessing local services while still allowing local access (so you can block out your SQL Server port, yet still allow your .asp pages to retrieve database data). TCP/IP filtering is very primitive: you can't restrict access based on the IP address of a host; it's an all-or-nothing port blockage.

2. Delete virtual mappings to all the useless directories in your wwwroot folder. Many of these present potential security vulnerabilities and aren't necessary. You can check which directories are virtual directories in your 'Computer Manager': Start -> Programs -> Administrative Tools -> Computer Manager. Expand the 'Services and Applications' tree, select Internet Information Services, then click on 'Default Web Site'. All of the folders listed there are virtual directories. Remove the unnecessary ones by right-clicking the folder and selecting Delete. Note that this does not delete the folder; the process simply removes the mapping from the web server. At this point it is also a good idea to highlight any services you are not using and click the stop button (the black box) on the toolbar. This should stop these services (Default SMTP Virtual Server and Administration Web Site are two good candidates for stoppage). You should make these changes permanent by going to Start -> Programs -> Administrative Tools -> Services and changing the startup option to 'Manual'. At this point also look for unnecessary services, stop those, and set them to 'Manual' as well.

3. Enable security logging in the 'Event Viewer'. For some strange reason this type of logging isn't enabled on a default install, and it's tough to find where you have to go to turn it on. Go to Start -> Programs -> Administrative Tools -> Local Security Policy. Expand the 'Security Settings' tree and select 'Local Policies'. From here you want to expand the 'Local Policies' tree and select 'Audit Policy'. Double-click on any of the policy entries and select logging for that policy. These logs will appear in the Event Viewer under Security and allow much finer-grained logging than is normally used on an NT server.

4. Expand your web server logs. To do this you must re-enter the Computer Manager as described above. Select the web site you wish to augment (usually 'Default Web Site') and right click the site and select 'Properties'. In the bottom of the first form there is an area for logging. Make sure the 'Enable Logging' checkbox is checked. Then click the 'Properties' button. In the General Properties you can select how often you want the server to write new log files and specify the location of the log files. It may be a good idea to change the default location of the log files from %WinDir%\System32\Logfiles so they are more difficult to find and damage. Select the 'Extended Properties' tab and check off all of the material you wish to be logged with each hit to the site. I choose to log all information possible, but this may not be feasible if you get too many hits. Remember, log files are stored in simple text so they aren't usually very big and can always be zipped up later if you wish.
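Once extended logging is on, the W3C-format files IIS writes are plain text and easy to check with a short script. The following Python is an added example, not code from the original article: it parses the '#Fields:' directive to read whichever fields you checked off, then counts 4xx responses per client address so that probing of the site stands out. The log excerpt inside it is constructed sample data, not a real server log.

```python
from collections import Counter

# Constructed sample IIS 5.0 W3C extended log excerpt (not a real server log).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-14 08:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-05-14 08:00:01 10.0.0.5 - 80 GET /default.asp - 200 Mozilla/4.0
2001-05-14 08:00:02 10.0.0.5 - 80 GET /images/logo.gif - 200 Mozilla/4.0
2001-05-14 08:00:03 10.0.0.9 - 80 GET /scripts/test.asp - 404 probe/1.0
2001-05-14 08:00:03 10.0.0.9 - 80 GET /cgi-bin/ - 404 probe/1.0
2001-05-14 08:00:04 10.0.0.9 - 80 GET /admin/ - 401 probe/1.0
2001-05-14 08:00:04 10.0.0.9 - 80 GET /printers/ - 404 probe/1.0
2001-05-14 08:00:05 10.0.0.7 - 80 POST /login.asp - 401 Mozilla/4.0
"""

def parse_w3c(text):
    """Return one dict per request line, keyed by the names in the most recent
    '#Fields:' directive. IIS writes that directive at the top of each log file
    and again whenever the selected fields change, so it is tracked as we go."""
    fields = None
    rows = []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue  # #Software, #Version, #Date carry no request data
        if fields is None:
            raise ValueError("request line before any #Fields directive")
        values = line.split(" ")  # spaces inside a field are written as '+'
        if len(values) != len(fields):
            raise ValueError("field count mismatch: %r" % line)
        rows.append(dict(zip(fields, values)))
    return rows

def error_counts(rows):
    """Count 4xx responses per client IP (requires c-ip and sc-status enabled)."""
    counts = Counter()
    for row in rows:
        if 400 <= int(row["sc-status"]) < 500:
            counts[row["c-ip"]] += 1
    return counts

def noisy_clients(rows, threshold=3):
    """Client IPs with at least `threshold` 4xx responses, sorted."""
    return sorted(ip for ip, n in error_counts(rows).items() if n >= threshold)

if __name__ == "__main__":
    print(noisy_clients(parse_w3c(SAMPLE_LOG)))  # prints ['10.0.0.9']
```

Point it at a real file with `parse_w3c(open(path).read())`; the threshold is per log file, so lower it for hourly files and raise it for monthly ones.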

5. Install Snort so you can do some traffic analysis. Now, how you use Snort is beyond the scope of this article, but it's not hard, trust me. Snort uses a nice, user-friendly format for writing rules, so don't be scared off by the seeming complexity of the program. The official site of Snort is Snort.org.

6. If you're running an FTP server, unless you absolutely need to, be SURE to disable anonymous access. You can do this by going through the Computer Manager, under Internet Information Services and right clicking 'Default FTP Server' and selecting Properties. If you don't see the FTP listing under the Internet Information Services then it isn't installed. Anonymous connections are controlled under the 'Security Accounts' tab on the Properties form. Simply uncheck 'Allow Anonymous Connections' and you're good to go. You may also want to select the logging properties under the 'FTP Site' tab and expand the FTP logging and possibly change the log locations.

7. Unless you need it, disable the 'Guest' account. You can do this in the Computer Manager by selecting 'Local Users and Groups' -> Users, then right-clicking the 'Guest' account, selecting Properties, and simply checking the 'Account Disabled' checkbox. That is pretty much the only extraneous account that is put on a default Win2k machine.

These are all simple steps, but if you take them you may be able to prevent a security incident down the road. These steps should be taken in addition to any firewalling or network topology considerations that your organization may have. If you know of any other quick and easy steps Admins can take to secure their machines please post them in the comments below.