UGN Security Forums
#15212 - 08/10/02 11:04 PM Securing 2k
pergesu Offline
UGN Elite Poster

Registered: 03/14/02
Posts: 1136
Loc: Pimpin the Colorizzle
For some strange reason, I'd like to have a secure box. I'm kinda new to the windows gig, so I'm pretty ignorant when it comes to its security. I'd like to make my box as secure as possible, both remotely and locally. What are some things I need to do? I know to install the service packs and hotfixes, as well as get any patches that come out for my software. But I always hear how windows can be broken into really easily, and so I'd like to minimize my vulnerability.

#15213 - 08/11/02 06:35 PM Re: Securing 2k
Mornse Offline

Registered: 03/03/02
Posts: 185
Loc: Vancouver
A firewall is good, especially a hardware one, such as a router. You want to check the access each user has to different files. I'm assuming you're using NTFS, right? So you can set permissions on files. Make sure important files, such as regedit and stuff, have tight permissions set. Get rid of Null sessions (search on Google for the registry key for null sessions cause I forget it off the top of my head). You'll also want to log on as a normal user for the most part, something I'm guilty of not doing. For pure laziness reasons I always log in as administrator and it's a dumb idea, but I'm not too worried. Hmm, what else. That's all I can think of for the basics off the top of my head. If I think up anything else I'll post it. unreal might have things to add, he has mad skillz in securing windows.
Cha want some w***up?

#15214 - 08/13/02 11:46 AM Re: Securing 2k
sinetific Offline

Registered: 03/02/02
Posts: 815
Loc: Ann Arbor
Remove NetBIOS and Client for Microsoft Networks unless you need it to connect to other computers on your LAN if you have one; if you don't, remove it without thinking twice. That goes for ME and 9x also, but I think MS got smart and didn't have it in the default install for XP.

#15215 - 10/12/02 09:12 PM Re: Securing 2k
Satori Offline
Junior Member

Registered: 10/12/02
Posts: 10
Loc: San Antonio, Texas
You can turn off null sessions without a regedit in 2k. Start -> Programs -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options

additional restrictions for anonymous connections should be set to "do not allow without explicit anonymous permissions."

This will kill anybody using any exploit that does a net view as <> to enumerate shares and users, which takes away the single easiest thing about cracking a windows box over the network - already having half of the username/password combination.

Any apps that you install that need service accounts, especially stuff like SQL or backup software that require high level user rights on SA, should have 14 character complex passwords, and should have non standard names.

Disable the guest account. Rename the Administrator account to something else, rename Guest to Administrator.

Load up Microsoft's Baseline Security Analyzer and hfnetchk.exe to scan for patches that you might have missed. Windows Update is NOT to be relied upon for staying up to date on security patches, as it only gets OS patches and not patches for services like MSSQL.

Turning off NetBIOS is a good idea, but a lot of people like to be able to map network drives over SMB. If you leave this on, you've GOT to turn off null sessions as described above, and you should definitely configure account lockout and auditing. Strong password complexity is a must too - 7 character length pwds are more resistant to l0phtcrack than 8, 9, 10, 11, 12, or 13 char length pwds. 14 characters are substantially harder to crack. By strong passwords, I mean random character generations that utilize upper and lower case alphanumerics plus some standard ASCII like !, @, #, $, %, etc...

NTFS permissions are a must. If you insist on running FTP services, don't allow anonymous access. Don't EVER ftp to your server using admin credentials, as these are sent in clear text and can be sniffed very easily. If you have to have an upload directory, create ONE user account with write permissions to that directory. Make sure that that user has NO rights to absolutely anything else on the server, period. If you want to know why, lemme know and I'll explain FTP vulnerabilities to malicious code execution exploits more thoroughly.

If you run IIS, disable default and admin web sites. Delete the admin scripts directory, or move it to a different drive with tight permissions. Don't keep your site scripts in your Inetpub directory. If you have SMTP enabled, make sure to lock down relay restrictions tightly. Patches, patches, patches!

Either load a software firewall to permit access only to the ports that you want, or get fancy with an IPSEC policy. A hardware firewall is ALWAYS a better way to go, but I'm assuming that you don't have the cash to invest in one.

Check the service control manager and change the startup options on all services that you don't need. No reason whatsoever to run the remote registry service, for instance, and that is turned on by default on Win2k. Big hole there, too. If you don't know what a service does, ask - I probably do, and 100 other people who also know will likely answer before I do ;)

Do a netstat -an and check to see what ports you are listening on. If there's anything showing up that you don't recognize, spend some time looking it up and find out what's listening. Once you've got it down to the minimum listeners that can serve the data you want, put the firewall up and drop yourself online.

Be sure to take a screen shot of your listening ports and your running processes before doing so, and periodically check them and compare to your clean list to make sure that you haven't been owned.

Anyway, that's basic Windows 2k hardening 101 for ya. It's by NO MEANS a complete guide, and if you don't eat, sleep, live and breathe security for a while, you'll never get up to speed enough to really lock a Windows box down. The minute you stop keeping up to date, too, a new exploit will emerge and you will probably get owned.

It's so much easier in Unix! IPChains are your friend...


Satori, who maintains security for over 3,000 Windows 2000 webservers, among other things.
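The "screen shot your listening ports and compare later" step above can be scripted so the comparison is mechanical rather than eyeballed. This is an added example, not code from the thread: it parses `netstat -an` output in the layout Windows 2000 prints, keeps only sockets that accept input (TCP rows in LISTENING state plus every UDP binding), and diffs a saved clean baseline against a later run. Both netstat dumps below are constructed, and the surprise listener on port 5555 is a made-up value used only to show what a change looks like.

```python
import re

# Constructed sample of a clean Win2k `netstat -an` run, saved as the baseline.
BASELINE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# Constructed later run: an unexpected TCP listener on 5555 appeared and 139 went away.
# The ESTABLISHED row is a live connection, not a listener, and must be ignored.
LATER_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:5555           0.0.0.0:0              LISTENING
  TCP    192.168.1.10:445       192.168.1.20:1045      ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
"""

# One netstat row: proto, local ip:port, foreign addr, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")

def listeners(netstat_output):
    """Return the set of (proto, local_ip, port) sockets that accept input."""
    found = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, blank line, or a row we do not understand
        proto, ip, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT rows are not new attack surface
        found.add((proto, ip, int(port)))
    return found

def compare(baseline_output, current_output):
    """Diff current listeners against the clean baseline: what is new, what vanished."""
    base, now = listeners(baseline_output), listeners(current_output)
    return {"new": sorted(now - base), "missing": sorted(base - now)}

if __name__ == "__main__":
    for kind, socks in compare(BASELINE_NETSTAT, LATER_NETSTAT).items():
        for proto, ip, port in socks:
            print(f"{kind:8s} {proto} {ip}:{port}")
```

In practice you would save the real `netstat -an` output to a file right after hardening and feed that file in as the baseline on each later check; anything under "new" deserves the same look-up Satori describes.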

#15216 - 10/12/02 09:52 PM Re: Securing 2k
pergesu Offline
UGN Elite Poster

Registered: 03/14/02
Posts: 1136
Loc: Pimpin the Colorizzle
Thanks so much
