|
Todd Anderson from SANS.org - March 21, 2001
The first consideration in a Windows 2000 installation is
to define the purpose of the installation. One would set up a home
machine very differently from one set up as a web server. Generally,
it is a good idea to limit the roles any given machine will play,
especially when connecting a machine directly to the internet, where
every port you open or service you enable creates a potential
security hole.
Installation
of Windows 2000
There are a few security options that can be addressed
while installing the operating system.
If you are not using a script
or performing an unattended installation, and have no need of a
network connection, disconnect the machine until a strong
administrator password has been set, service packs have been
installed and necessary hot fixes applied.
File System
Security
Be sure to format all partitions as NTFS, including the
system partition. Windows 2000 runs best on an NTFS partition. Many
of the features of Windows 2000 - resistance to fragmentation, file
and folder level access rights, encrypted file systems, distributed
file systems - can only be leveraged using the NTFS file system.
NTFS includes the use of encrypted file systems (EFS).1 EFS
is a capability, integrated into Windows 2000, which allows users to
transparently encrypt files. Those needing to store sensitive data
on a Windows 2000 machine should consider using EFS to add an extra
layer of defense to protect their data.
The decision to implement EFS, however, should not be taken
lightly, especially on a standalone machine. When encrypting files
it is important to use a strong password and even more important not
to forget it. If a user encrypts a folder and that user’s account is
deleted, the folder cannot be unencrypted because the user’s key
will no longer exist. Normally, the administrator could reset the
user’s password and then login to recover the encrypted files. This
will not work if the account has been deleted2.
More information can be found on EFS can be found at
http://www.infosecuritymag.com/articles/february01/features_applied_crypto.shtmland
http://www.microsoft.com/windows2000/library/planning/security/efssteps.asp
Protocol
Configuration
The next option during setup is the configuration of
protocols. Use only what you need to get the job done. If you don’t
need Client for Microsoft Networks or File and Print Sharing for
Microsoft Networks, it is best not to install them. If you need to
have the Microsoft client installed or file and print sharing
enabled, you will need more than a hardened workstation to protect
you data, you will need a secure network infrastructure, including a
firewall.
Configure the advanced TCP/IP options3. On the WINS tab,
uncheck "Enable LMHOSTS lookup" and check Disable NetBIOS over
TCP/IP.
On the TCP/IP options tab, select TCP/IP filtering. By
enabling filtering you can prevent many incoming connections while,
at the same time, allowing outgoing and established connections to
work normally. If your machine is a single purpose machine,
configure the protocols you want to allow in. In the example below
TCP is IP protocol4 as defined in the IP protocol header and TCP
port 80 is http. This configuration would allow incoming connections
to a web server. These settings will prevent remote administration
capabilities if not configured correctly, creating a Denial of
Service on yourself.
This should not be the only line of defense. Defense in
Depth is the goal. Make your box more work than it is worth to break
into.
Whether you are configuring a home machine or a web server,
a virus scanner and some type of firewall are essential tools. It is
important to regularly update virus definition files. Keep your OS
patches current. Many patches fix known exploits and
vulnerabilities.
Post Windows
2000 Installation
After Windows reboots, there is plenty more to configure.
As with Windows NT, in order to properly configure or harden your
system, you must at some point edit the registry (obligatory note to
back up registry first). However, many of the registry changes that
need to be made can be done with security policies.
Security
Configuration Tools
Many services can be configured using the System Security
Toolbox5. These security snap-ins can assist configuring and
hardening your Windows 2000 machine. On a local or standalone
machine the group policy snap-in or gpedit.msc allows you to view or
edit the policy on the machine.
Using the Security Configuration and Analysis tool and the
Security Template tool, which are snap-ins in the Microsoft
Management Console (MMC), you can centrally manage the local
computer policy and avoid making many of the direct registry
modification that were required when hardening Windows NT.
As described in other GSEC papers6, 7, the templates allow
you to configure make templates for many of the Windows settings.
The settings allow you to manage account and local policies,
restrict groups, control registry and file system access, and manage
system services. Security templates are stored as text based .inf
files in SystemRoot\Security\Templates by default. The template
files can either be edited manually using a text editor such as
notepad or using the Security Template tool. You must be an
administrator to create save or implement security policies.
With the system policy you can create a template for the
security policy of the machine. Creating a template is beneficial.
First, it creates a file that can be easily transferred to another
machine where the same configuration is desirable. Second, by
creating a security template, you create an auditing tool. By
analyzing the current configurations against the configuration of
the template, you can determine if the computer policy has been
altered.
Many of the settings in these policies are undefined, even
in the high security policies. Taking the time to go through these
and create a good template is worth the time and effort. Each
section of the policy template has settings that are important.
There are too many to go over here in detail, but a good resource is
the Windows 2000 Security Handbook3
To use the security configuration tools, create a custom
Microsoft Management Console (mmc from the command line). Add the
Security Configuration and Analysis tool, and the Security Template
tool. Follow these steps:
- Create a template or use a pre-configured template from
one of the Security Templates.
- Create a new database
Right click on the Security Configuration and Analysis
snap-in and select Open Database…. Type in the name of the database
you are going to create. Next you need to choose the template file
(*.inf).
At this point you have two options you can either analyze
or apply the policy file.
If you choose to analyze the computer you can then view and
edit the results. Discrepancies between the system and the template
are highlighted with a red flag. Consistencies are highlighted with
a green check mark. The security setting is not specified in the
database if there is no flag or check mark.
Once the configuration is defined as you like it you can
apply the policy using the Configure Computer Now… option of
Security Configuration and Analysis tool.
It may seem easier to just edit the local security settings
in the Administrative Tools section of the Control Panel or by using
gpedit.msc. While this is true for a single machine, if you have to
edit multiple machines and desire to check them occasionally to make
sure that settings have not been modified, use a policy.
These tasks can be automated even further through the use
of the secedit.exe command. Secedit.exe is a command line version of
the security configuration and analysis snap-in.
secedit
/configure [/DB filename ] [/CFG filename ] [/overwrite][/areas
area1 area2...] [/log logpath] [/verbose] [/quiet]
Configure the machine with the least amount of privilege to
serve its function. This includes logons, services, and protocols.
Audit the machine, using event logging to monitor the system. It may
be worth using Tripwire to check file integrity for critical
machines.
There are many tools in Windows 2000 (at least relative to
Windows NT) that make the job of securing the operating system
easier. It is important to learn these tools. New exploits will
require responses; these tools will help you respond.
Security
Configuration Tool Set
1 "Step by step guide to Encrypting File System (EFS)" 7
March, 2000
URL:
http://www.microsoft.com/windows2000/library/planning/security/efssteps.asp
2 Bragg, Roberta "Applied Cryptography, Hardening EFS"
February 20001 Information Security Magazine
URL:
http://www.infosecuritymag.com/articles/february01/features_applied_crypto.shtml
3 Cox, Philip. Windows 2000 Security Handbook. Berkeley:
Osborne / McGraw Hill, 2001. Chapter 10
4 Stevens, W. Richard. TCP/IP Illustrated Volume 1.
Reading: Addison Wesley, 1994. 10
5 "Step-by-Step Guide to Using the Security Configuration
Tool Set" 16 February, 2000
http://www.microsoft.com/windows2000/library/planning/security/secconfsteps.asp
GSEC Papers
6 Brill, Jeffrey "Windows 2000 Template Security
Implications" May 2, 2000
URL:http://www.sans.org/infosecFAQ/win2000/template.htm
7 Scannella, Carlo "Implementing Password Controls and
Account Policies Using Windows 2000" February 15, 2000
URL:
http://www.sans.org/infosecFAQ/win2000/group_policy.htm
Credits
Todd Anderson from SANS.org
|