#15212 - 08/11/02 06:04 AM Securing 2k  
Joined: Mar 2002
Posts: 1,136
pergesu Offline
UGN Elite Poster
Pimpin the Colorizzle
For some strange reason, I'd like to have a secure box. I'm kinda new to the Windows gig, so I'm pretty ignorant when it comes to its security. I'd like to make my box as secure as possible, both remotely and locally. What are some things I need to do? I know to install the service packs and hotfixes, as well as get any patches that come out for my software. But I always hear how Windows can be broken into really easily, and so I'd like to minimize my vulnerability.

#15213 - 08/12/02 01:35 AM Re: Securing 2k  
Joined: Mar 2002
Posts: 185
Mornse Offline
Member
Vancouver
A firewall is good, especially a hardware one, such as a router. You want to check the access each user has to different files. I'm assuming you're using NTFS, right? So you can set permissions on files. Make sure important files, such as regedit and stuff, have tight permissions set. Get rid of null sessions (search on Google for the registry key for null sessions 'cause I forget it off the top of my head). You'll also want to log on as a normal user for the most part, something I'm guilty of not doing. For pure laziness reasons I always log in as administrator and it's a dumb idea, but I'm not too worried. Hmm, what else. That's all I can think of for the basics off the top of my head. If I think up anything else I'll post it. unreal might have things to add, he has mad skillz in securing Windows.


Cha want some w***up?

http://www.dopeskill.com
#15214 - 08/13/02 06:46 PM Re: Securing 2k  
Joined: Mar 2002
Posts: 815
sinetific Offline
nobody
Ann Arbor
Remove NetBIOS, Client for Microsoft Networks, unless you need it to connect to other computers on your LAN, if you have one; if you don't, remove it without thinking twice. That goes for ME and 9x also, but I think MS got smart and didn't have it in the default install for XP, I think.

#15215 - 10/13/02 04:12 AM Re: Securing 2k  
Joined: Oct 2002
Posts: 10
Satori Offline
Junior Member
San Antonio, Texas
You can turn off null sessions without a regedit in 2k. Start -> Programs -> Administrative Tools -> Local Security Policy -> Local Policies -> Security Options

additional restrictions for anonymous connections should be set to "do not allow without explicit anonymous permissions."

This will kill anybody using any exploit that does a net view as <> to enumerate shares and users, which takes away the single easiest thing about cracking a windows box over the network - already having half of the username/password combination.

Any apps that you install that need service accounts, especially stuff like SQL or backup software that require high level user rights on SA, should have 14 character complex passwords, and should have non standard names.

Disable the guest account. Rename the Administrator account to something else, rename Guest to Administrator.

Load up Microsoft's Baseline Security Analyzer and hfnetchk.exe to scan for patches that you might have missed. Windows Update is NOT to be relied upon for staying up to date on security patches, as it only gets OS patches and not patches for services like MSSQL.

Turning off NetBIOS is a good idea, but a lot of people like to be able to map network drives over SMB. If you leave this on, you've GOT to turn off null sessions as described above, and you should definitely configure account lockout and auditing. Strong password complexity is a must too - 7 character length pwds are more resistant to l0phtcrack than 8, 9, 10, 11, 12, or 13 char length pwds. 14 characters are substantially harder to crack. By strong passwords, I mean random character generations that utilize upper and lower case alpha numerics plus some standard ASCII like !, @, #, $, %, etc...

NTFS permissions are a must. If you insist on running FTP services, don't allow anonymous access. Don't EVER ftp to your server using admin credentials, as these are sent in clear text and can be sniffed very easily. If you have to have an upload directory, create ONE user account with write permissions to that directory. Make sure that that user has NO rights to absolutely anything else on the server, period. If you want to know why, lemme know and I'll explain FTP vulnerabilities to malicious code execution exploits more thoroughly.

If you run IIS, disable default and admin web sites. Delete the admin scripts directory, or move it to a different drive with tight permissions. Don't keep your site scripts in your Inetpub directory. If you have SMTP enabled, make sure to lock down relay restrictions tightly. Patches, patches, patches!

Either load a software firewall to permit access only to the ports that you want, or get fancy with an IPSEC policy. A hardware firewall is ALWAYS a better way to go, but I'm assuming that you don't have the cash to invest in one.

Check the service control manager and change the startup options on all services that you don't need. No reason whatsoever to run remote registry service, for instance, and that is turned on by default on Win2k. Big hole there, too. If you don't know what a service does, ask - I probably do, and 100 other people who also know will likely answer before I do ;.)

Do a netstat -an and check to see what ports you are listening on. If there's anything showing up that you don't recognize, spend some time looking it up and find out what's listening. Once you've got it down to the minimum listeners that can serve the data you want, put the firewall up and drop yourself online.

Be sure to take a screen shot of your listening ports and your running processes before doing so, and periodically check them and compare to your clean list to make sure that you haven't been owned.

Anyway, that's basic Windows 2k hardening 101 for ya. It's by NO MEANS a complete guide, and if you don't eat, sleep, live and breathe security for a while, you'll never get up to speed enough to really lock a Windows box down. The minute you stop keeping up to date, too, a new exploit will emerge and you will probably get owned.

It's so much easier in Unix! IPChains are your friend...

Regards,

Satori, who maintains security for over 3,000 Windows 2000 webservers, among other things.

#15216 - 10/13/02 04:52 AM Re: Securing 2k  
Joined: Mar 2002
Posts: 1,136
pergesu Offline
UGN Elite Poster
Pimpin the Colorizzle
Thanks so much
