Increasing Windows 2000 and XP Security (cont.)

 

Local Security Policy Tips:

If you are a network administrator, you should be very familiar with this area. To edit the Local Security Policy in Windows 2000 or XP, follow this path: Start > Administrative Tools > Local Security Policy. The Local Security Policy editor has the same feel as the registry editor.

Always set a password for the Administrator account
Set the password to 6 or more characters: Account Policies > Password Policy > Minimum Password Length.

Ensure passwords use a combination of letters and numbers
This protects passwords against easy discovery by brute-force methods, such as a program that enters passwords from a dictionary. To turn it on, enable Account Policies > Password Policy > Password Must Meet Complexity Requirements.

Must Meet Complexity Requirements follows these rules:

Does not contain all or part of the user's account name
Is at least six characters in length
Contains characters from three of the following: English uppercase characters (A through Z), English lowercase characters (a through z), Base 10 digits (0 through 9), Non-alphabetic characters (for example, !, $, #, %)

Complexity requirements are enforced when passwords are changed or created.
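
The three rules above, written out as a checker. This is an added example, not code from the original article or from Microsoft. Reading "part of the account name" as any run of three or more consecutive characters, compared without regard to case, is an assumption, as are the function names.

```python
import string

# Assumption: "part of" the account name means MIN_NAME_FRAGMENT or more
# consecutive characters of it, compared case-insensitively.
MIN_NAME_FRAGMENT = 3

def character_classes(password):
    """Return which of the four listed character categories are present."""
    classes = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            classes.add("upper")
        elif ch in string.ascii_lowercase:
            classes.add("lower")
        elif ch in string.digits:
            classes.add("digit")
        elif not ch.isalnum():
            classes.add("symbol")
    return classes

def contains_name_fragment(password, account_name):
    """True if the password holds the account name or a fragment of it."""
    pw, name = password.lower(), account_name.lower()
    if len(name) < MIN_NAME_FRAGMENT:
        return name != "" and name in pw  # short names: whole name only
    return any(name[i:i + MIN_NAME_FRAGMENT] in pw
               for i in range(len(name) - MIN_NAME_FRAGMENT + 1))

def complexity_failures(password, account_name):
    """Return the rules the password breaks; an empty list means accepted."""
    failures = []
    if contains_name_fragment(password, account_name):
        failures.append("contains account name")
    if len(password) < 6:
        failures.append("shorter than six characters")
    if len(character_classes(password)) < 3:
        failures.append("fewer than three character categories")
    return failures

if __name__ == "__main__":
    # Constructed sample passwords for a hypothetical account "jsmith".
    for candidate in ("Password1", "Jsmith2024!", "Ab1!", "password"):
        print(candidate, "->", complexity_failures(candidate, "jsmith") or "accepted")
```
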

Enable Account Lockout Period
With this feature enabled, brute-force methods (automated guessing) cannot be used to guess the password, because after a set number of tries the system locks the user out for a specific period of time. The settings are under Account Policies > Account Lockout Policy.

Account Lockout Duration - is the amount of time you wish the computer to disallow access to an account that has been locked out. 15 minutes is a time that I like, although the longer the time set the longer you will not have access to the account if an attack has been launched. A side effect is that an attacker can deny logins just by entering invalid passwords.

Require users to change their passwords - Account Policies > Password Policy > Maximum Password Age.

Account Lockout Threshold - is the number of failed logins before Windows disables access to the account.

Reset Account Lockout Counter After - is the amount of time before Windows resets the Account Lockout Threshold counter to 0.
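
An added example, not part of the original article: a Python check of the password and lockout settings in this section against a policy file written by `secedit /export /cfg`. The sample export text is constructed and the function names are hypothetical.

```python
# Constructed sample: the relevant part of a file written by
#   secedit /export /cfg policy.inf
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 0
LockoutBadCount = 0
NewAdministratorName = "Administrator"
[Version]
signature="$CHICAGO$"
"""

def parse_system_access(text):
    """Return the integer settings from the [System Access] section."""
    settings, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "System Access" and "=" in line:
            key, value = (part.strip() for part in line.split("=", 1))
            try:
                settings[key] = int(value)
            except ValueError:
                pass  # quoted strings such as NewAdministratorName
    return settings

def audit(settings):
    """Compare the settings with the tips in this section; return findings."""
    findings = []
    if settings.get("MinimumPasswordLength", 0) < 6:
        findings.append("Minimum Password Length is below 6")
    if settings.get("PasswordComplexity", 0) != 1:
        findings.append("Password Must Meet Complexity Requirements is off")
    if settings.get("MaximumPasswordAge", -1) <= 0:  # -1: never expires
        findings.append("Maximum Password Age is not set")
    if settings.get("LockoutBadCount", 0) == 0:  # 0: lockout disabled
        findings.append("Account Lockout Threshold is 0")
    return findings

def audit_file(path):
    # secedit writes the export as UTF-16 with a byte-order mark.
    with open(path, encoding="utf-16") as handle:
        return audit(parse_system_access(handle.read()))

if __name__ == "__main__":
    for finding in audit(parse_system_access(SAMPLE_EXPORT)):
        print("FINDING:", finding)
```
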

Account Tips:

The more accounts on a computer the more entry points attackers can try. Default accounts will always get you into trouble because the attacker does not have to guess a user name. To edit an account go to Start > Programs > Administrative Tools > Computer Management > Local Users and Groups > Users.

Disable the guest account if it is not needed. There are tools that will allow an attacker to create accounts with Administrative privileges on an unpatched Windows 2000 system.

Do not log in as administrator if you do not need to. Viruses or malicious scripts will try to run programs or modify registry settings. If the user does not have access to perform these tasks, then the malicious script cannot either.

Remove or disable the Windows remote help account. Is anyone really going to use this account? Another great idea from Microsoft that opens a hole in our computers and only applies for users that are inexperienced and open up other security flaws.

Network Management Security Tips:

Make sure not to put password information or account information in the User Description field. This sounds stupid, but many times administrators will put "Backup Administration account" in the description field.

Set a screen saver password. This way, when users leave their computers on or walk away from them, other users will be deterred from using their computer.

Terminal Services - Use 128-bit encryption to avoid packet sniffers. Change Terminal Services to log users off. If a session is left open, a hacker might enter that person's session. Another safety measure with Terminal Services is to change the port from the default port of 3389. If you want to learn how to perform this edit, go here. This method will not really stop attacks; it just avoids attackers doing a quick scan or targeting port 3389.

Disable DNS Transfers - If using Active Directory, limit DNS zone transfers. Otherwise, attackers are able to scan the network and gain information about IP addresses and ports. While these transfers do no damage to your system, attackers can learn a lot about your network. To disable them, go to Start > Programs > Administrative Tools > Computer Management > Services and Applications > DNS > [server] > Forward Lookup Zones > [zone_name] > Properties. Add the IP addresses that are on your network. The best option is to disable zone transfers by unchecking Allow Zone Transfers.

Software Helpers:

To aid security there are software solutions for users. The first important thing to do is stay up to date on Windows updates and software patches.

Virus scanner - ensures trojans and other viruses do not destroy data and leave security holes open. On a larger network, a virus scanner that updates all users is a good idea because normal users will never update their virus definitions.

Software firewall - is a good solution for preventing attackers from getting into your computer. I prefer Zone Alarm. If you are on a network you will have a hardware firewall or router. Both are as useful as the users. If you leave ports open or allow every piece of software installed on your system to open a port, then there is no point to having either of these.

Port Scanner - a great tool for finding ports open on your system or network. Here are a couple you might try, SuperScan, NetScanTools Pro, GFI, and NMap.

Conclusion:

Windows is a strong operating system that could be quite useful for web servers and networks. Microsoft does assume that most users will want its advanced features and less security. This is why it is very important to read up on the version of Windows and components that are being used. Applications will also be a threat; therefore, research them.

A firewall solution is very important. Make sure these are maintained and the logs are checked. Enabling Windows security features behind firewalls only doubles your security effort.

For books, I would recommend any of the Hacking Exposed Series or for Windows 2000 security, Microsoft Windows Security Inside Out for Windows XP and Windows 2000.
