The Internet Encyclopedia (Volume 3)

WL040C-63 WL040/Bidgoli-Vol III-Ch-64 June 23, 2003 16:45 Char Count= 0


HOW SECURE IS W2K? 801

files and folders; set up user shares to D: as needed. In domain controllers use D: to hold Active Directory files and folders; do not set up user shares to this partition. Set up the E: drive in domain controllers to hold user files and folders, and set up on this drive the user shares needed to give users access to the resources they require.

Format Each Partition as an NTFS Partition
If any volume is FAT-formatted, enter the following (note the space before the /fs switch):

convert <partition letter>: /fs:ntfs

For example, to make the d: partition into an NTFS partition, enter

convert d: /fs:ntfs

then reboot the system.

Ensure that W2K Systems Are Part of a Domain
As mentioned earlier, workgroups provide few barriers to attackers. To check whether your system is part of a domain or workgroup, right click on My Computer to Properties, and then click on Network Identification. If your W2K system has been upgraded from Windows NT 4.0, that is, it is not a native installation, use secedit to bring the default level of security to the level that is present in a native installation. secedit allows W2K security templates to be used in analyze and configure modes. In workstations and member servers, change your current directory to c:\%systemroot%\security\templates, then enter a command such as the following (each switch is separated from its argument by a space):

secedit /analyze /cfg securews.inf /db %TEMP%\secedit.adb /verbose /log %TEMP%\scelog.txt
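The analyze-then-configure sequence the chapter describes, as an added batch example that is not part of the encyclopedia text: it compares the live settings with the securews.inf template first, so the differences can be reviewed before anything is changed, and only then applies the template. It uses %SystemRoot% directly (the variable already contains the drive letter, so no c:\ prefix is needed), and the database and log file names are arbitrary choices. The "Mismatch" wording searched for in the log is an assumption about the analysis log format; check your own log if nothing is found.

```batch
@echo off
rem Added example, not from the chapter: analyze a W2K workstation or
rem member server against securews.inf, review the result, then apply it.
rem Run from an Administrator command prompt. On a domain controller the
rem matching template is securedc.inf.

set TEMPLATE=%SystemRoot%\security\templates\securews.inf
set DB=%TEMP%\secedit.sdb
set LOG=%TEMP%\scelog.txt

if not exist "%TEMPLATE%" (
    echo Template %TEMPLATE% not found.
    goto :EOF
)

rem Step 1: analyze only; nothing on the system is changed yet.
rem A fresh database avoids stale entries from an earlier run.
if exist "%DB%" del "%DB%"
secedit /analyze /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /verbose

rem Step 2: list the settings that differ from the template (assumed log
rem wording: lines containing "Mismatch").
echo.
echo Settings that differ from %TEMPLATE%:
findstr /i "mismatch" "%LOG%"

rem Step 3: apply the template once the differences have been reviewed.
rem Remove the pause when running unattended.
echo.
echo Press Ctrl+C to stop without configuring, or
pause
secedit /configure /db "%DB%" /cfg "%TEMPLATE%" /log "%LOG%" /verbose
echo Done. Review %LOG% for any settings that could not be applied.
```

Keeping the analysis step separate matters on an upgraded NT 4.0 box: the template tightens registry and file ACLs that older applications may depend on, and the log tells you which ones before the change is made.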

Install the Latest Service Pack (SP) and Hot Fixes
On W2K workstations and servers, SP3 is the most recent one. You can obtain this SP from http://www.microsoft.com/windows2000/downloads/servicepacks/sp3/
The following related steps should also be taken:

Install the latest hot fixes, many of which fix the most recently discovered security-related vulnerabilities. Download post-SP3 hot fixes from http://www.microsoft.com/download/
Download and run HfNetChk. This free Microsoft-provided tool enables system administrators to determine whether all W2K hot fixes have been installed. This tool works in connection with NT, W2K, SQL Server 7.0 and 2000, IIS, and IE 5.1. This tool is run from a command line. HfNetChk can be obtained from http://www.microsoft.com/downloads/details.aspx?displaylang=en&FamilyID=34935A76-0B20-4F91-A0DE-BAAF969CED2B

Lock Down Access to the System Drive (and, in the Case of Domain Controllers, the Drive on Which Active Directory Resides)
In general, do not assign anything more than Read-Execute permissions to Everyone, but always assign Full Control to Creator Owner and Administrators.

Assign Authenticated Users Read-Execute access to c:\%systemroot% (which normally is c:\winnt or c:\w2ksrv) and c:\%systemroot%\system32.
Assign Everyone Read-Execute access to the sysvol, sysvol\sysvol, and ntds folders (wherever they may reside in the file system). Remove all access (but do not assign any Deny access) to c:\%systemroot%\repair for the Everyone group.

Avoid Sharing Folders Whenever Possible
Allow Creator Owner and Administrator to have Full Control over each share. Remove Everyone's access (but do not assign any Deny access), then assign Authenticated Users the Change level of share access. Change, which allows users to add files and subfolders, modify data, and delete files and subfolders, will not necessarily be the level of access Authenticated Users actually get, however. If the NTFS permissions on the files and folders reachable through the share are more restrictive (e.g., they may allow only Read and Execute), the NTFS permissions determine the actual level of user access to these resources.
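The two preceding sections (system-drive lock-down, and NTFS permissions bounding what a Change-level share actually allows) carried out with cacls.exe, the ACL editor that ships with W2K, as an added batch example that is not part of the chapter. In cacls, R grants Read (shown as Read & Execute in the Properties dialog) and F grants Full Control; /E edits the existing ACL rather than replacing it, /G grants, /R revokes an entry without adding a Deny entry, and /T recurses. The sysvol and ntds locations and the E:\Users\Public share folder are constructed placeholders; W2K's net share has no switch for share-level permissions, so the Change permission for Authenticated Users is set in the share's Properties as the chapter describes.

```batch
@echo off
rem Added example, not from the chapter: apply the NTFS lock-down rules with
rem cacls.exe. Run from an Administrator prompt. Directory grants made with
rem cacls inherit to new subfolders and files; /T is used only on the share
rem folder, never on the whole system folder.

set SYS=%SystemRoot%

rem --- System folder: Administrators and CREATOR OWNER get Full Control,
rem --- Authenticated Users get Read-Execute on %SystemRoot% and system32.
cacls "%SYS%" /E /G Administrators:F "CREATOR OWNER":F "Authenticated Users":R
cacls "%SYS%\system32" /E /G Administrators:F "CREATOR OWNER":F "Authenticated Users":R

rem --- Everyone loses all access to the repair folder (revoke, not Deny).
cacls "%SYS%\repair" /E /R Everyone

rem --- Domain controllers only: Everyone may read sysvol, sysvol\sysvol and
rem --- ntds. Placeholder paths; adjust if Active Directory lives elsewhere.
if exist "%SYS%\sysvol" (
    cacls "%SYS%\sysvol" /E /G Everyone:R
    cacls "%SYS%\sysvol\sysvol" /E /G Everyone:R
)
if exist "%SYS%\ntds" cacls "%SYS%\ntds" /E /G Everyone:R

rem --- A shared user folder (constructed path). The share itself will carry
rem --- Change for Authenticated Users, but the NTFS ACL set here limits them
rem --- to Read-Execute, and the more restrictive of the two is what applies.
set SHAREDIR=E:\Users\Public
if exist "%SHAREDIR%" (
    cacls "%SHAREDIR%" /T /E /R Everyone
    cacls "%SHAREDIR%" /T /E /G Administrators:F "CREATOR OWNER":F "Authenticated Users":R
    net share Public="%SHAREDIR%" /remark:"User files"
    echo Now set the share permission for Authenticated Users to Change in the
    echo Properties of the Public share.
)

rem --- Show the resulting ACLs for review.
cacls "%SYS%"
cacls "%SYS%\repair"
if exist "%SHAREDIR%" cacls "%SHAREDIR%"
```

Review the final listings rather than trusting the script: an entry granting Everyone more than R on the system folder, or any Deny entry, means an earlier step left something behind that the chapter says should not be there.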
To check or change permissions for domain shares or to delete shares, go from Administrative Tools to DFS to the DFS root. Open up the tree under DFS root until you get to the share you want, then right click to Properties. Go to Administrative Tools, then either Computer Management and Local Users and Groups or to Domain Security Policy, then Active Directory Users and Groups (depending on the particular version of W2K):

Rename the default Administrator account to an innocuous name, change the account description to "User account," enter a ridiculously long (up to 104 characters) and as difficult to guess a password as possible. Write the password down on a piece of paper that you keep in your personal possession (e.g., in your wallet or purse whenever you are at work). Never share this password with others and do not leave the slip of paper on which this password is written anywhere where others might see it. Use the default Administrator account, which in W2K does not lock after excessive bad logon attempts, only for emergency access.
Create one additional account that is a member of the Administrators group for yourself and another for each person who needs to administer your system. Create an unprivileged account for each Administrator also. Use the unprivileged account when you are engaged in normal activities such as Web surfing, obtaining ftp access, and downloading mail. Use the superuser account only when you are involved in system administration duties.
Create a new, unprivileged account named "Administrator." Ensure that this account is in only the Guest group.
Look at your logs frequently to determine whether
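The account layout the three items above describe, as an added batch example using net.exe that is not part of the chapter. The renaming of the real built-in account cannot be done with net.exe, so it is left to Local Security Policy or Local Users and Groups as the chapter indicates; the account names are constructed placeholders, and the asterisk makes net.exe prompt for each password instead of taking it on the command line.

```batch
@echo off
rem Added example, not from the chapter: one privileged and one unprivileged
rem account per administrator, plus a decoy "Administrator" that sits in
rem Guests only. Run from an Administrator prompt on the local machine
rem (add /domain to act on domain accounts from a domain controller).

rem 1. The real built-in Administrator has already been renamed in Local
rem    Security Policy (Security Options, "Rename administrator account") or in
rem    Local Users and Groups. Placeholder for the name chosen:
set REALADMIN=svc_backup_ops

rem 2. Privileged and unprivileged accounts for one administrator (placeholder
rem    names). "*" prompts for the password rather than echoing it here.
net user jdoe-adm * /add /comment:"Jane Doe - administration only"
net localgroup Administrators jdoe-adm /add
net user jdoe * /add /comment:"Jane Doe - daily use"

rem 3. Decoy account named Administrator with the innocuous description.
rem    New accounts are placed in Users by default, so that membership is
rem    removed, leaving Guests as the only group.
net user Administrator * /add /comment:"User account"
net localgroup Guests Administrator /add
net localgroup Users Administrator /delete

rem 4. Verification: the decoy should list Guests only, and the Administrators
rem    group should contain the renamed real account and jdoe-adm.
echo.
echo Group memberships of the decoy account:
net user Administrator | findstr /i "group"
echo.
echo Members of Administrators:
net localgroup Administrators
```

The decoy only helps if it is watched: failed logons against it are a useful signal in the Security log, which is the reason the chapter pairs this step with regular log review.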