Securing Windows 2000 - By ShaolinTiger - http://www.darknet.org.uk - Version [5] 05/01/2004 - webmaster darknet org uk

.: Intro :.

I have always been suspicious of Windows security so I decided to make my machine harder than a brass monkey's testicle.
My machine was previously behind a Linux gateway/router/firewall so I never really bothered about my machine's security as it
really didn't matter. As it's now exposed to all and sundry on the Internet I suddenly got a lot more interested...

Most of this info is available in the public domain in some form or another, the rest is a result of my own
tweaking/investigating etc. Plus I've never really seen a -conclusive- guide to securing Win2k apart from the massive books.

Once I managed to disable *one* too many services and make my computer into a very expensive but pretty paperweight. This was
whilst trying to 'secure' my Windows 2000 machine and perhaps getting a little carried away, hence the birth of this document.

Also my machine is running a very high resolution so if this document looks stupid, sorry! ;p

The newest version of this document can always be found at: http://www.darknet.org.uk/content/files/securewin2k.txt

---------------------------------------------------------------------------------------------------------------------------------

.: My Config :.
I am currently using:

Windows 2000 Pro SP4 (http://www.microsoft.com/windows2000/downloads/servicepacks/sp2/)
with the SRP Security Rollup (http://www.microsoft.com/windows2000/downloads/critical/q311401/default.asp)
and the IE 6 Cumulative Update (http://www.microsoft.com/windows/ie/downloads/critical/q316059/default.asp)
Plus all current updates from (http://v4.windowsupdate.microsoft.com/en/default.asp)
IIS Cumulative Update (http://www.microsoft.com/Windows2000/downloads/critical/q301625/download.asp) and another at:
(http://www.microsoft.com/technet/security/bulletin/MS02-018.asp)
IIS Lockdown Tool (http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/locktool.asp)
Sygate Personal Firewall Pro (http://smb.sygate.com/products/spf_pro.htm)

My favourite ever Windows firewall was probably Conseal as it works a lot like IPchains.

Most of the stuff below could also be used with Windows XP Pro, but as I haven't tried it, I don't know, so don't hold me to it.

---------------------------------------------------------------------------------------------------------------------------------

.: Useful Software and Various Info :.

Nmap your machine if you have Linux, see what ports are open. http://www.insecure.org
Fast Scan for Windows (All) which you can get here :- http://www.shaolin-tiger.com/content/files/fastscan.zip
Scan yourself and see what is open.

Also use (from a command prompt) netstat -an or netstat -an 3 (to refresh every 3 seconds) and see what your
machine thinks is open.

Kerio Personal Firewall (was known as Tiny PF): An excellent piece of software for Windows, configurable, simple and effective.
Good enough for most people's needs.
You can get it here: http://www.kerio.com (http://www.kerio.com/us/kpf_download.html)

There is a discussion on the best Windows firewalls here: http://www.security-forums.com/forum/viewtopic.php?t=186

If you have the resources try Microsoft's ISA.
Or just put a real firewall between you and the rest of the world e.g. (Checkpoint/Sonicwall/PIX/Watchguard etc.)
Or second best a *nux machine ;) Read about the options here: http://www.security-forums.com/forum/viewtopic.php?t=31

If you end up with any ports you simply can't close, just firewall them. This will be adequate.
(There is a conclusive list of firewall reviews/info/downloads at the bottom.)

---------------------------------------------------------------------------------------------------------------------------------

.: Various Info :.

Make sure nothing is running when you are testing; even things like Norton Ghost Enterprise Edition open ports.

If you find a port and you don't know what it is go to http://www.google.com and type port+[portnumber]
There will be plenty of info about what it is/does.
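Added example (not part of the original guide): a small Python script that reads netstat -an output, keeps only the sockets that are actually accepting input (TCP in LISTENING state, and every UDP socket), and maps each one to the port sections of this guide or flags it as unknown. The netstat text inside it is constructed, and the names KNOWN_PORTS, parse_netstat and report are my own.

```python
import re

# Ports this guide explains how to close, keyed to the section that covers them.
KNOWN_PORTS = {
    135: "DCOM/RPC endpoint mapper - see 'Port 135' (dcomcnfg / EnableDCOM=N)",
    137: "NetBIOS name service - see 'Port 137 & 139' (disable NetBIOS over TCP/IP)",
    139: "NetBIOS session service - see 'Port 137 & 139' (disable NetBIOS over TCP/IP)",
    445: "SMB direct over TCP - see 'Port 445' (NetBT TransportBindName)",
}

# One 'netstat -an' row: Proto, Local Address, Foreign Address and (TCP only) State.
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$", re.I)

def parse_netstat(text):
    """Return (proto, local_ip, port, state) for every socket that accepts input:
    TCP sockets in LISTENING state and all UDP sockets (UDP rows carry no state)."""
    exposed = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # 'Active Connections', the column header, blank lines
        proto, addr, port, _foreign, state = m.groups()
        proto = proto.upper()
        if proto == "TCP" and (state or "").upper() != "LISTENING":
            continue  # ESTABLISHED / TIME_WAIT etc. are not listeners
        exposed.append((proto, addr, int(port), state or ""))
    return exposed

def report(text):
    """Map each exposed socket to the guide's advice; anything else is flagged
    'unknown', which is the guide's cue to look the port number up first."""
    findings = []
    for proto, addr, port, _state in parse_netstat(text):
        note = KNOWN_PORTS.get(port, "unknown - look up port %d before closing it" % port)
        findings.append("%s %s:%d  %s" % (proto, addr, port, note))
    return findings

# Constructed sample in the Windows 2000 'netstat -an' layout (not a real capture).
SAMPLE = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:1045      10.0.0.5:80            ESTABLISHED
  UDP    192.168.1.10:137       *:*
  UDP    0.0.0.0:500            *:*
"""

if __name__ == "__main__":
    for finding in report(SAMPLE):
        print(finding)
```

Pipe real output in with netstat -an > ports.txt and feed the file contents to report(); the ESTABLISHED row in the sample shows why outbound connections must be filtered out before you start closing things.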
There is an invaluable article on hardening the Win2k TCP/IP stack against DoS attacks here:
http://support.microsoft.com/default.aspx?scid=kb;en-us;q315669
Xteq can help you set these values and can be found here: http://www.xteq.com

It is also good to check at:
http://www.microsoft.com/technet/security/tools/Tools/mbsahome.asp, http://www.pcflank.com/scanner1s.htm,
http://hackerwhacker.com/ and http://www.blackcode.com/scan/index.php

There is a full list of online security scanners here: http://www.security-forums.com/forum/viewtopic.php?t=10541

Here are some recommended configs for XP, as I don't use it I don't know if it's good or not but it sure looks ok:
http://www.blkviper.com/WinXP/servicecfg.htm

---------------------------------------------------------------------------------------------------------------------------------

.: General Tips :.

Set strong passwords, make sure the Guest account is disabled, don't use the machine as Administrator unless you have to.
If you are really security conscious rename the Administrator account and make a new Administrator account with no
rights to anything (the original Admin account will still have a SID of 500 but hey, it's better than nothing).

Make sure everything is NTFS.

Click Start>Programs>Administrative Tools>Local Security Policy.
Under Security Settings expand Account Policy and click Password Policy.
Double click Minimum password length (right pane) and set the minimum password length to greater than 15 characters
(you may have to change your password prior to this step).
Click Account Lockout Policy and change Account lockout duration to 30 min., Reset account lockout counter after to 30 min.,
and Account lockout threshold to 5 invalid logon attempts or whatever you feel secure with.
Expand Local Policies and click Audit Policy.
Enable Success & Failure for everything listed.
Click User Rights Assignment. Double click "Deny access to this computer from the network". Click Add.
Double click "Everyone", click OK and then OK again.
Click Security Options. Double click Additional restrictions for anonymous connections and choose
No access without explicit anonymous permissions.

---------------------------------------------------------------------------------------------------------------------------------

.: Others :.

As far as networking goes, if you look under TCP/IP advanced then the Options tab for networking settings you can configure
IPSEC and IP filtering here.
Most people don't know about these options and they can be used very effectively to secure a machine.

Restrict access to public Local Security Authority (LSA) information

You need to be able to identify all users on your system, so you should restrict anonymous users so that the amount of
public information they can obtain about the LSA component of the Windows NT Security Subsystem is reduced.
The LSA handles aspects of security administration on the local computer, including access and permissions.
To implement this restriction, create and set the following registry entry:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA
Value Name  RestrictAnonymous
Type        REG_DWORD
Value       1

Default value for this is 0, so generally you just need to change it to 1.

---------------------------------------------------------------------------------------------------------------------------------

.: Specific Ports :.

Port 135

Run C:\WinNT\System32\Dcomcnfg.exe and turn it off.
This can also be done with the registry key:
HKEY_LOCAL_MACHINE\Software\Microsoft\OLE - the value "EnableDCOM" may be set to Y; change this value to N to disable DCOM.
Many programs "support" Distributed COM (DCOM) but hardly ever use it. This includes such programs as Windows Media
and Wordpad, which are designed to be used across a network. As you scan this tab, look for third-party applications that might
actually require network support, as opposed to those that simply support it. To determine if these programs really require
DCOM, you must disable it, run those programs, and see what happens. Note that it is probably only necessary to look at
third-party programs here; Microsoft programs designed to run on a non-networked, stand-alone computer (Office, etc.)
are usually written to support but not require DCOM. To disable DCOM, go to the Default Properties tab and uncheck the box
labeled Enable Distributed COM on this computer.

Reboot, and try running the third-party programs noted above. Chances are good that everything will still run correctly.
If not, go back and enable DCOM again. As you re-enable it, also go to the Default Protocols tab and remove all protocols except
Connection-oriented TCP/IP. This won't make your system much safer, but it will reduce the number of connection methods
you have to keep an eye on.

If you do not have to re-enable DCOM again, then on the Default Protocols tab remove all protocols. You won't need them,
and that should stop the OS from listening on port 135 (unless you have other programs that are forcing it open;
for example Task Scheduler).

If your port 135 is still open try opening Services, stopping Task Scheduler and disabling it.
Also go to your Ethernet Connection Protocols and untick File and Printer Sharing for Microsoft Networks.
Port 445 - This is a highly debated area by Microsoft themselves and many others
Its uses are discussed here: http://ntsecurity.nu/papers/port445/

Method 1: Steps in Windows 2000 Professional, SP2: (Please read the others below before proceeding as this one may prevent
DHCP from functioning correctly, which most cable ISPs require and some other ISPs too)

1. Open Computer Management
2. Click on Device Manager
3. Select View: Show Hidden Devices
4. Click on Non-Plug and Play Drivers
5. Open Properties for NetBIOS over TCPIP
6. Click on Disable
7. Reboot per prompt

If you do not disable the TCP/IP NetBIOS Helper Service at the same time an error will be logged to the system event log.
You can disable this service in Administrative Tools - Services if desired as detailed below.

Alternate Procedure: The following information was developed, tested, and supplied by T-1 (t1@san.rr.com)

Go to:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\
Value Name: TransportBindName
Data: \device\

Either rename TransportBindName to something like TransportBindNameX (easier to change back later)
or delete \device\
Then reboot.

The registry tweak is more flexible because the NetBT driver is allowed to run
(and therefore allows the dependent services to run), but it never opens port 445 (either TCP or UDP).

Port 137 & 139

You can use the following steps to disable NetBIOS over TCP/IP.
Take care in implementing this setting because it causes the Windows-based computer to be unable to
communicate with earlier operating systems using SMB traffic:

1. Click Start, point to Settings, and then click Network and Dial-up Connection.
2. Right-click Local Area Connection, and then click Properties.
3. Click Internet Protocol (TCP/IP), and then click Properties.
4. Click Advanced.
5. Click the WINS tab, and then click Disable NetBIOS over TCP/IP.

Also un-check Enable LMHOSTS Lookup.

---------------------------------------------------------------------------------------------------------------------------------

.: Services :.

Click Start>Programs>Administrative Tools>Services and set the following services to manual or disabled if they aren't already.

Alerter
Application Management
ClipBook
Computer Browser
Distributed Link Tracking Client
Distributed Transaction Coordinator
DNS Client (NOTE: Required if using IPSEC)
Fax Service
Indexing Service
Internet Connection Sharing
IPSEC Policy Agent
Logical Disk Manager Administrative Service
Messenger
Network DDE
Network DDE DSDM
NT LM Security Support Provider
Performance Logs and Alerts
QoS RSVP
Remote Access Auto Connection Manager
Remote Procedure Call (RPC) Locator
Smart Card
Smart Card Helper
Task Scheduler
Uninterruptible Power Supply (unless needed)
Utility Manager
Windows Installer
Windows Time

The following services should be disabled.

Net Logon
NetMeeting Remote Desktop Sharing
Remote Registry Service (MAKE SURE YOU DISABLE THIS ONE)
Routing and Remote Access
Server
TCP/IP NetBIOS Helper Service
Telnet

Optional

Workstation (I personally leave this one on automatic. Test and test again, see what you think ;)

Info on each service and some dependencies are shown here: http://www.blackviper.com/WIN2K/servicecfg.htm

---------------------------------------------------------------------------------------------------------------------------------

.: Other :.
Some info about the most common Windows ports here: http://www.netice.com/Advice/Exploits/Ports/groups/Microsoft/default.htm
A comprehensive port list can be found here: http://www.iana.org/assignments/port-numbers

You can see some reviews and info about various Windows firewalls here:
http://www.free-firewall.org/
http://grc.com/lt/scoreboard.htm (Some good info written by a raving lunatic IMO)
http://thedslzone.com/Software.html
http://www.firewallguide.com/software.htm
http://www.security-forums.com/forum/viewforum.php?f=19

Most can be downloaded from here: http://www.tucows.com/firewall95.html
and here: http://download.cnet.com/downloads/1,10150,0-10001-103-0-1-7,00.html?tag=srch&qt=firewall&cn=Utilities&ca=10001

---------------------------------------------------------------------------------------------------------------------------------

.: Conclusion :.

The huge amount of things to be done to Windows 2000 after a default install shows how dreadfully insecure it really is.
I by no means claim this is a comprehensive guide and I haven't delved into half of the detailed and really technical stuff.

In saying that, all things here should be done with the utmost care; these are mostly quite serious changes and should be done one
at a time and tested. Test to see if your machine still works and test to see if it's achieved what you wanted.

If you follow everything here, hopefully by the end your machine should still work as you want it to but you will have no
open ports and be pretty much secure.

Remember to keep hotfixing (public beta testing) and keep up to date with security patches.

I have tried to keep this document as simple to follow as possible but with enough technical detail to enable all but the
computer illiterate to secure their machines.
If this isn't enough check out the SANS Win2k reading room at http://rr.sans.org/win2000/win2000_list.php and the NSA
security guidelines: http://nsa2.www.conxion.com/win2k/download.htm

There are also some good tips in this book http://www.security-forums.com/forum/viewtopic.php?t=9717 on the subject

Any comments or amendments you feel necessary are welcomed at webmaster darknet org uk

Greets to everyone who knows me on EFnet as ^Shaolin^ and DALnet as ShaolinTiger. This is dedicated to the one I love, Ashley.

---------------------------------------------------------------------------------------------------------------------------------

.: Sources :. (In no particular order)

http://accs-net.com/smallfish/dcom.htm
http://www.blkviper.com/
http://www.gpick.com/tq/
http://www.securiteam.com/windowsntfocus/3E5PUR5QAY.html
http://www.microsoft.com/technet/security/tools/w2kprocl.asp
http://www.systemexperts.com/tutors/HardenW2K101.pdf
http://www.novogate.com/board/719/30500-1.html