Posted by: pergesu
Securing 2k - 08/11/02 02:04 AM
For some strange reason, I'd like to have a secure box. I'm kinda new to the windows gig, so I'm pretty ignorant when it comes to its security. I'd like to make my box as secure as possible, both remotely and locally. What are some things I need to do? I know to install the service packs and hotfixes, as well as get any patches that come out for my software. But I always hear how windows can be broken into really easily, and so I'd like to minimize my vulnerability.
Posted by: Mornse
Re: Securing 2k - 08/11/02 09:35 PM
A firewall is good, espically a hardware one, such as a router. You want to check the access each user has to different files. I'm assuming you're using NTFS, right? So you can set permissions on files. Make sure improtant files, such as regedit and stuff, have tight permissions set. Get rid of Null sessions (search on google for the registry key for null sessions cause I forget it off the top of my head). You'll also want to log on as a normal user for the most part, something I'm guilty of not doing. For pure laziness reasons I always log in as administrator and it's a dumb idea, but I'm not too worried. Hmm, what else. That's all I can think of for the basics off the top of my head. If I think up anything else I'll post it. unreal might have things to add, he has mad skillz in securing windows.
Posted by: sinetific
Re: Securing 2k - 08/13/02 02:46 PM
remove netbios, client for microsoft networks unless you need it to connect to other computer on your LAN if you have one, if you don't remove it without thinking twice. That goes for ME and 9x also but i think MS got smart and didn't have it in the default install for XP I think.
Posted by: Satori
Re: Securing 2k - 10/13/02 12:12 AM
You can turn off null sessions without a regedit in 2k. Start -> Programs -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Opetions
additional restrictions for anonymous connections should be set to "do not allow without explicit anonymous permissions."
This will kill anybody using any exploit that does a net view as <> to enumerate shares and users, which takes away the single easiest thing about cracking a windows box over the network - already having half of the username/password combination.
Any apps that you install that need service accounts, especially stuff like SQL or backup software that require high level user rights on SA, should have 14 character complex passwords, and should have non standard names.
Disable the guest account. Rename the Administrator account to something else, rename Guest to Administrator.
Load up Microsoft's Baseline Security Analyzer and hfnetchk.exe to scan for patches that you might have missed. Windows Update is NOT to be relied upon for staying up to date on security patches, as it only gets OS patches and not patches for services like MSSQL.
Turning off NetBIOS is a good idea, but alot of people like to be able to map network drives over SMB. If you leave this on, you've GOT to turn off null sessions as described above, and you should definitely configure account lockout and auditing. Strong password complexity is a must too - 7 character length pwds are more resistant to l0phtcrack than 8, 9, 10, 11, 12, or 13 char length pwds. 14 characters are substantially harder to crack. By strong passwords, I mean random character generations that utilize upper and lower case alpha numerics plus some standard ASCII like !, @, #, $, %, etc...
NTFS permissions are must. If you insist on running FTP services, don't allow anonymous access. Don't EVER ftp to your server using admin credentials, as these are sent in clear text and can be sniffed very easily. If you have to have an upload directory, create ONE user account with write permissions to that directory. Make sure that that user has NO rights to absolutely anything else on the server, period. If you want to know why, lemme know and I'll explain FTP vulnerabilities to malicious code execution exploits more thoroughly.
If you run IIS, disable default and admin web sites. Delete the admin scripts directory, or move it to a different drive with tight permissions. Don't keep your site scripts in your Inetpub directory. If you have SMTP enabled, make sure to lock down relay restrictions tightly. Patches, patches, patches!
Either load a software firewall to permit access only to the ports that you want, or get fancy with an IPSEC policy. A hardware firewall is ALWAYS a better way to go, but I'm assuming that you dont' have the cash to invest in one.
Check the service control manager and change the startup options on all services that you don't need. No reason whatsoever to run remote registry service, for instance, and that is turned on by default on Win2k. Big hole there, too. If you don't know what a service does, ask - I probably do, and 100 other people who also know will likely answer before I do ;.)
Do a netstat -an and check to see what ports you are listening on. If there's anything showing up that you don't recognize, spend some time looking it up and find out what's listening. Once you've got it down to the minimum listeners that can serve the data you want, put the firewall up and drop yourself online.
Be sure to take a screen shot of your listening ports and your running processes before doing so, and periodically check them and compare to your clean list to make sure that you haven't been owned.
Anyway, that's basic Windows 2k hardening 101 for ya. It's by NO MEANS a complete guide, and if you don't eat, sleep, live and breathe security for a while, you'll never get up to speed enough to really lock a Windows box down. The minute you stop keeping up to date, too, a new exploit will emerge and you will probably get owned.
It's so much easier in Unix! IPChains are your friend...
Satori, who maintains security for over 3,000 Windows 2000 webservers, among other things.