Securing Windows 2000 - By ShaolinTiger - http://www.darknet.org.uk - Version [5] 05/01/2004

---------------------------------------------------------

.: Intro :.

I have always been suspicious of Windows security so I decided to make my machine harder than a brass monkey's testicle. My machine was previously behind a Linux gateway/router/firewall so I never really bothered about my machine's security as it really didn't matter. As it's now exposed to all and sundry on the Internet I suddenly got a lot more interested...

Most of this info is available in the public domain in some form or another; the rest is a result of my own tweaking/investigating etc. Plus I've never really seen a -conclusive- guide to securing Win2k apart from the massive books.

Once I managed to disable *one* too many services and turn my computer into a very expensive but pretty paperweight. This was whilst trying to 'secure' my Windows 2000 machine and perhaps getting a little carried away, hence the birth of this document.

Also my machine is running a very high resolution so if this document looks stupid, sorry! ;p

The newest version of this document can always be found at: http://www.darknet.org.uk/content/files/securewin2k.html

---------------------------------------------------------

.: My Config :.
I am currently using:

Windows 2000 Pro SP4 ( http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/ )
with the SRP Security Rollup ( http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp )
and the IE 6 Cumulative Update ( http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp )
Plus all current updates from ( http://v4.windowsupdate.microsoft.com/en/default.asp )
IIS Cumulative Update ( http://www.microsoft.com/Windows2000/downloads/critical/q301625/download.asp ) and another at: ( http://www.microsoft.com/technet/security/bulletin/MS02-018.asp )
IIS Lockdown Tool ( http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp )
Sygate Personal Firewall Pro ( http://smb.sygate.com/products/spf_pro.htm )

My favourite ever Windows firewall was probably Conseal as it works a lot like IPchains.

Most of the stuff below could also be used with Windows XP Pro, but as I haven't tried it, I don't know, so don't hold me to it.

---------------------------------------------------------

.: Useful Software and Various Info :.

Nmap your machine if you have Linux and see what ports are open: http://www.insecure.org

Fast Scan for Windows (All), which you can get here: http://www.shaolin-tiger.com/content/files/fastscan.zip
Scan yourself and see what is open.

Also use (from a command prompt) netstat -an or netstat -an 3 (to refresh every 3 seconds) and see what your machine thinks is open.

Kerio Personal Firewall (was known as Tiny PF): An excellent piece of software for Windows, configurable, simple and effective. Good enough for most people's needs. You can get it here: http://www.kerio.com ( http://www.kerio.com/us/kpf_download.html )

There is a discussion on the best Windows firewalls here: http://www.security-forums.com/forum/viewtopic.php?t=186

If you have the resources try Microsoft's ISA. Or just put a real firewall between you and the rest of the world, e.g. (Checkpoint/Sonicwall/PIX/Watchguard etc.) or, second best, a *nix machine ;) Read about the options here: http://www.security-forums.com/forum/viewtopic.php?t=31

If you end up with any ports you simply can't close, just firewall them. This will be adequate. (There is a conclusive list of firewall reviews/info/downloads at the bottom.)

---------------------------------------------------------

.: Various Info :.

Make sure nothing is running when you are testing; even things like Norton Ghost Enterprise Edition open ports.

If you find a port and you don't know what it is, go to http://www.google.com and type port+[portnumber]. There will be plenty of info about what it is/does.

There is an invaluable article on hardening the Win2k TCP/IP stack against DoS attacks here: http://support.microsoft.com/default.aspx?scid=kb;en-us;q315669
Xteq can help you set these values and can be found here: http://www.xteq.com

It is also good to check at: http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp , http://www.pcflank.com/scanner1s.htm , http://hackerwhacker.com/ and http://www.blackcode.com/scan/index.php

There is a full list of online security scanners here: http://www.security-forums.com/forum/viewtopic.php?t=10541

Here are some recommended configs for XP; as I don't use it I don't know if it's good or not, but it sure looks ok: http://www.blkviper.com/WinXP/servicecfg.htm

---------------------------------------------------------

.: General Tips :.

Set strong passwords, make sure the Guest account is disabled, and don't use the machine as Administrator unless you have to. If you are really security conscious, rename the Administrator account and make a new "Administrator" account with no rights to anything (the original Admin account's SID will still end in 500 but hey, it's better than nothing). Make sure everything is NTFS.

Click Start>Programs>Administrative Tools>Local Security Policy. Under Security Settings expand Account Policy and click Password Policy.
Double click Minimum password length (right pane) and set the minimum password length to greater than 15 characters (you may have to change your password prior to this step).

Click Account Lockout Policy and change Account lockout duration to 30 min., Reset account lockout counter after to 30 min, and Account lockout threshold to 5 invalid logon attempts, or whatever you feel secure with.

Expand Local Policies and click Audit Policy. Enable Success & Failure for everything listed.

Click User Rights Assignment. Double click "Deny access to this computer from the network". Click Add. Double click "Everyone", click OK and then OK again.

Click Security Options. Double click Additional restrictions for anonymous connections and choose No access without explicit anonymous permissions.

---------------------------------------------------------

.: Others :.

As far as networking goes, if you look under TCP/IP advanced, then the Options tab for networking settings, you can configure IPSEC and IP filtering here. Most people don't know about these options and they can be used very effectively to secure a machine.

Restrict access to public Local Security Authority (LSA) information

You need to be able to identify all users on your system, so you should restrict anonymous users so that the amount of public information they can obtain about the LSA component of the Windows NT Security Subsystem is reduced. The LSA handles aspects of security administration on the local computer, including access and permissions. To implement this restriction, create and set the following registry entry:

Key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value Name: RestrictAnonymous
Type: REG_DWORD
Value: 1

The default value for this is 0, so generally you just need to change it to 1.

---------------------------------------------------------

.: Specific Ports :.

Port 135

Run C:\WinNT\System32\Dcomcnfg.exe and turn it off.
This can also be done with the registry key: HKEY_LOCAL_MACHINE\Software\Microsoft\OLE - the value "EnableDCOM" may be set to Y; change this value to N to disable DCOM.

Many programs "support" Distributed COM (DCOM) but hardly ever use it. This includes such programs as Windows Media and Wordpad, which are designed to be used across a network. As you scan this tab, look for third-party applications that might actually require network support, as opposed to those that simply support it. To determine if these programs really require DCOM, you must disable it, run those programs, and see what happens. Note that it is probably only necessary to look at third-party programs here; Microsoft programs designed to run on a non-networked, stand-alone computer (Office, etc.) are usually written to support but not require DCOM.

To disable DCOM, go to the Default Properties tab and uncheck the box labeled Enable Distributed COM on this computer. Reboot, and try running the third-party programs noted above. Chances are good that everything will still run correctly. If not, go back and enable DCOM again. As you re-enable it, also go to the Default Protocols tab and remove all protocols except Connection-oriented TCP/IP. This won't make your system much safer, but it will reduce the number of connection methods you have to keep an eye on.

If you do not have to re-enable DCOM again, then on the Default Protocols tab remove all protocols. You won't need them, and that should stop the OS from listening on port 135 (unless you have other programs that are forcing it open, for example Task Scheduler). If your port 135 is still open, try opening Services, stopping Task Scheduler and disabling it. Also go to your Ethernet connection's protocols and untick File and Printer Sharing for Microsoft Networks.
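To check that the registry-side tweaks actually took, the following Python script (an example added here, not the author's code) parses a `regedit /e` export and reports which values are still at their insecure defaults. It covers RestrictAnonymous and EnableDCOM from above and also the NetBT TransportBindName tweak from the Port 445 section below; the export text is a constructed sample, and the key paths are the ones this guide names.

```python
"""Check a Windows 2000 registry export for the hardening values this guide
sets.  Example added to the guide (not the author's code); the export text
below is a constructed sample of what `regedit /e out.reg <key>` produces."""
import re

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole]
"EnableDCOM"="Y"
"EnableRemoteConnect"="N"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"TransportBindName"="\\Device\\"
"EnableLMHOSTS"=dword:00000001
"""

# One check per registry value: (key path, value name, is_hardened(value), what to do).
# A value that is missing from the export is passed to is_hardened as None.
CHECKS = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous",
     lambda v: v == 1,                                   # default 0: anonymous LSA enumeration allowed
     "create REG_DWORD RestrictAnonymous = 1"),
    (r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Ole", "EnableDCOM",
     lambda v: isinstance(v, str) and v.upper() == "N",  # default Y: DCOM on, port 135 open
     "set EnableDCOM to N (or untick it in Dcomcnfg.exe)"),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters", "TransportBindName",
     lambda v: v is None or v.lower() != "\\device\\",   # \device\ data: NetBT binds port 445
     "rename TransportBindName or delete its \\device\\ data (see Port 445)"),
]


def parse_reg_export(text):
    """Return {key path (lower-case): {value name (lower-case): value}}.
    REG_DWORD becomes an int and REG_SZ a str with .reg escaping undone;
    any other type is kept as the raw text after '='."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1].lower()
            keys.setdefault(current, {})
            continue
        m = re.match(r'^"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if current is None or not m:
            continue
        name, data = m.group(1).lower(), m.group(2)
        if data.startswith("dword:"):
            value = int(data[len("dword:"):], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            value = re.sub(r"\\(.)", r"\1", data[1:-1])  # undo \\ and \" escapes
        else:
            value = data
        keys[current][name] = value
    return keys


def audit(keys):
    """Return [(value name, hardened?, advice)] for every entry in CHECKS."""
    report = []
    for path, name, is_hardened, advice in CHECKS:
        value = keys.get(path.lower(), {}).get(name.lower())
        report.append((name, bool(is_hardened(value)), advice))
    return report


if __name__ == "__main__":
    for name, ok, advice in audit(parse_reg_export(SAMPLE_EXPORT)):
        print(f"{'OK      ' if ok else 'INSECURE'} {name:<18} {'' if ok else advice}")
```

Export the three keys named above from your own machine, point the script at that file instead of the sample string, and anything reported INSECURE is a tweak from this guide that has not been applied (or was reverted by a reboot or an installer).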
Port 445

This is a highly debated area by Microsoft themselves and many others. Its uses are discussed here: http://ntsecurity.nu/papers/port445/

Method 1: Steps in Windows 2000 Professional, SP2
(Please read the others below before proceeding as this one may prevent DHCP from functioning correctly, which most cable ISPs require and some other ISPs too.)

1. Open Computer Management
2. Click on Device Manager
3. Select View: Show Hidden Devices
4. Click on Non-Plug and Play Drivers
5. Open Properties for NetBIOS over TCPIP
6. Click on Disable
7. Reboot per prompt

If you do not disable the TCP/IP NetBIOS Helper Service at the same time an error will be logged to the system event log. You can disable this service in Administrative Tools - Services if desired, as detailed below.

Alternate Procedure: The following information was developed, tested, and supplied by T-1 (t1@san.rr.com)

Go to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\
Value Name: TransportBindName
Data: \device\

Either rename TransportBindName to something like TransportBindNameX (easier to change back later) or delete \device\, then reboot.

The registry tweak is more flexible because the NetBT driver is allowed to run (and therefore allows the dependent services to run), but it never opens port 445 (either TCP or UDP).

Port 137 & 139

You can use the following steps to disable NetBIOS over TCP/IP. Take care in implementing this setting because it causes the Windows-based computer to be unable to communicate with earlier operating systems using SMB traffic:

1. Click Start, point to Settings, and then click Network and Dial-up Connections.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced.
5. Click the WINS tab, and then click Disable NetBIOS over TCP/IP. Also un-check Enable LMHOSTS Lookup.

---------------------------------------------------------

.: Services :.
Click Start>Programs>Administrative Tools>Services and set the following services to Manual or Disabled if they aren't already:

Alerter
Application Management
ClipBook
Computer Browser
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client (NOTE: Required if using IPSEC)
Fax Service
Indexing Service
Internet Connection Sharing
IPSEC Policy Agent
Logical Disk Manager Administrative Service
Messenger
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Task Scheduler
Uninterruptible Power Supply (unless needed)
Utility Manager
Windows Installer
Windows Time

The following services should be disabled:

Net Logon
NetMeeting Remote Desktop Sharing
Remote Registry Service (MAKE SURE YOU DISABLE THIS ONE)
Routing and Remote Access Server
TCP/IP NetBIOS Helper Service
Telnet

Optional:

Workstation (I personally leave this one on Automatic. Test and test again, see what you think ;)

Info on each service and some dependencies is shown here: http://www.blackviper.com/WIN2K/servicecfg.htm

---------------------------------------------------------

.: Other :.
Some info about the most common Windows ports here: http://www.netice.com/Advice/Exploits/Ports/groups/Microsoft/default.htm

A comprehensive port list can be found here: http://www.iana.org/assignments/port-numbers

You can see some reviews and info about various Windows firewalls here:
http://www.free-firewall.org/
http://grc.com/lt/scoreboard.htm (Some good info written by a raving lunatic IMO)
http://thedslzone.com/Software.html
http://www.firewallguide.com/software.htm
http://www.security-forums.com/forum/viewforum.php?f=19

Most can be got from here: http://www.tucows.com/firewall95.html
and here: http://download.cnet.com/downloads/1,10150,0-10001-103-0-1-7,00.html?tag=srch&qt=firewall&cn=Utilities&ca=10001

---------------------------------------------------------

.: Conclusion :.

The huge amount of things to be done to Windows 2000 after a default install shows how dreadfully insecure it really is. I by no means claim this is a comprehensive guide and I haven't delved into half of the detailed and really technical stuff. In saying that, all things here should be done with utmost care; these are mostly quite serious changes and should be done one at a time and tested. Test to see if your machine still works and test to see if it's achieved what you wanted.

If you follow everything here, hopefully by the end your machine should still work as you want it to, but you will have no open ports and be fairly much secure. Remember to keep hotfixing (public beta testing) and keep up to date with security patches.

I have tried to keep this document as simple to follow as possible but with enough technical detail to enable all but the computer illiterate to secure their machines.
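One way to do that testing is from the two command outputs this guide leans on, `netstat -an` (what the box still listens on) and `net start` (what is still running). The script below is an example added here, not the author's code: both captures are constructed samples, the port list is the set of ports the Specific Ports section sets out to close, and the service list is the guide's "should be disabled" list written as the display names `net start` is assumed to print.

```python
"""Check the result of this guide's hardening from two captures: `netstat -an`
(listening ports) and `net start` (running services).  Example added to the
guide, not the author's code; both captures below are constructed samples
standing in for files saved with `netstat -an > ports.txt` etc."""

# Ports the guide works to close, keyed by (protocol, port), with the step that closes them.
GUIDE_PORTS = {
    ("TCP", 135): "DCOM / RPC endpoint mapper (Dcomcnfg.exe, EnableDCOM=N)",
    ("UDP", 137): "NetBIOS name service (disable NetBIOS over TCP/IP)",
    ("UDP", 138): "NetBIOS datagram service (disable NetBIOS over TCP/IP)",
    ("TCP", 139): "NetBIOS session service (disable NetBIOS over TCP/IP)",
    ("TCP", 445): "SMB over TCP (NetBT TransportBindName tweak)",
    ("UDP", 445): "SMB over UDP (NetBT TransportBindName tweak)",
}

# The guide's "should be disabled" list as `net start` display names (assumed; the
# guide's "Routing and Remote Access Server" is the "Routing and Remote Access" service).
MUST_BE_STOPPED = {
    "Net Logon", "NetMeeting Remote Desktop Sharing", "Remote Registry Service",
    "Routing and Remote Access", "TCP/IP NetBIOS Helper Service", "Telnet",
}

SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1026         0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:3456      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

SAMPLE_NET_START = """\
These Windows 2000 services are started:

   COM+ Event System
   DHCP Client
   Event Log
   Remote Procedure Call (RPC)
   Remote Registry Service
   Server
   TCP/IP NetBIOS Helper Service
   Workstation

The command completed successfully.
"""


def parse_netstat(text):
    """Return [(proto, ip, port, state)] for the TCP/UDP lines of `netstat -an`.
    UDP lines carry no state column, so bound UDP sockets are recorded as BOUND."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        ip, _, port = parts[1].rpartition(":")
        state = parts[3] if parts[0] == "TCP" and len(parts) > 3 else "BOUND"
        entries.append((parts[0], ip, int(port), state))
    return entries


def exposed_ports(entries):
    """Sockets reachable from the network: listening TCP or bound UDP, minus
    loopback binds, which only programs on the machine itself can reach."""
    return {(proto, port) for proto, ip, port, state in entries
            if state in ("LISTENING", "BOUND") and not ip.startswith("127.")}


def check_ports(netstat_text):
    """Split exposed ports into (guide ports still open, ports the guide does not cover)."""
    exposed = exposed_ports(parse_netstat(netstat_text))
    still_open = sorted((p, n, GUIDE_PORTS[(p, n)]) for p, n in exposed if (p, n) in GUIDE_PORTS)
    unrecognised = sorted(x for x in exposed if x not in GUIDE_PORTS)
    return still_open, unrecognised


def parse_net_start(text):
    """Service display names are the indented lines of `net start` output."""
    return [line.strip() for line in text.splitlines() if line.startswith(" ") and line.strip()]


def check_services(net_start_text):
    """Services from the guide's disable list that are still running."""
    return sorted(set(parse_net_start(net_start_text)) & MUST_BE_STOPPED)


if __name__ == "__main__":
    still_open, unrecognised = check_ports(SAMPLE_NETSTAT)
    for proto, port, why in still_open:
        print(f"STILL OPEN  {proto} {port:<5} {why}")
    for proto, port in unrecognised:
        print(f"UNKNOWN     {proto} {port:<5} not covered by this guide; look up port {port}")
    for svc in check_services(SAMPLE_NET_START):
        print(f"RUNNING     {svc} (the guide says disable this)")
```

Anything reported UNKNOWN is a port this guide does not cover, which is where the "search for port+[portnumber]" advice from the Various Info section comes in; a loopback-only listener (127.0.0.1) is deliberately ignored because nothing off the machine can reach it.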
If this isn't enough, check out the SANS Win2k reading room at http://rr.sans.org/win2000/win2000_list.php and the NSA security guidelines: http://nsa2.www.conxion.com/win2k/download.htm

There are also some good tips in this book http://www.security-forums.com/forum/viewtopic.php?t=9717 on the subject.

---------------------------------------------------------

.: Sources :.

(In no particular order)

http://accs-net.com/smallfish/dcom.htm
http://www.blkviper.com/
http://www.gpick.com/tq/
http://www.securiteam.com/windowsntfocus/3E5PUR5QAY.html
http://www.microsoft.com/technet/security/tools/w2kprocl.asp
http://www.systemexperts.com/tutors/HardenW2K101.pdf
http://www.novogate.com/board/719/30500-1.html