How to secure windows server? What are best security practices?

This is a guide to increase security for Windows 2000, and is mainly intended for ISP, Web Hosting companies running a server on the network, and not using Active Directory.

If you can, do a clean install of Win2000. An upgrade will leave all sorts of files behind that could potentially be exploited. For purposes of this document, it is assumed you will be performing these steps with an Administrator account.

We don't take any responsibility for anything that happens to your system as a result of this guide.

In this guide, we will try to tell you the simplest but most important things to do.

ACCOUNTS

The default Win2000 installation will come with two accounts: 'Administrator', and 'Guest'. You should disable 'Guest', rename 'Administrator', and create at least one account that you will use as your main account. The Guest account should be disabled by default (it wasn't under some versions of NT), but it's good to check anyway. Start -> Settings -> Control Panel -> Users and Passwords -> Advanced Tab -> Advanced Button -> click on 'Users' group. The Guest Account should have a little red circle with a white 'x' over it. If it doesn't, right-click on 'Guest', go to Properties, go to General Tab, and click on the box 'Account is disabled'. While you are in 'Users and Passwords' we can change a few other things. Rename the Administrator account by right-clicking on it and going to 'Rename'. Make it something you can remember, but avoid having 'Administrator' or 'Admin' as part of the name. Right-click on the new name, go to Properties, and clear out the 'Full Name' and 'Description' boxes. (A lot of people argue this step is like 'putting tape on a safe', in that it does not increase security all that much. In a regular network system this is probably true. In fact NSA guidelines for hardening an NT workstation even leave this step out. There are so many ways to get a list of user names that it isn't worth it, and could be counter-productive in that it gives you a false sense of security. However, on a non-networked workstation, there are just a few ways you can get user names off the net, and we will be patching the known ones up for the most part, so this step is still useful for this type of setup). Make a dummy Administrator account going to 'Action' and selecting 'New User'. Name it Administrator. Right-click on it, go to Properties, and go to the 'Member Of' tab. Make sure it is not a member of anything. If it is, highlight them and hit 'Remove'. Right-click on the dummy Administrator account, select 'Set Password', and give it a (very) strong password.

Create an account you will use every day. Click on 'Add' in the 'Users' tab. Put in the name and password when prompted (ALWAYS use a strong password, see below). At this point, you need to select what type of account this is. The standard advice is for your main account to be a 'Standard User (Power Users Group)'. This setting will allow you to add/remove programs, but restricts a lot of system settings. This setting is necessary for many programs written for Windows NT. Note that Power Users cannot install many programs written for NT, as they change system registry settings which Power Users do not have access to. For more security (but bigger headaches) you can also try the 'Restricted User (User Group)' setting for more security. This type of user can't even install or remove programs, and so are very safe from trojans. They should be able to run any program that was written to be compatible with Win2000. If you need administrative rights to access a program (such as Regedit), you can use the 'Run As' feature in Win2000. Just right click the program you want to run, and select 'Run As'. You can then type in the name and password of your renamed Administrator account. Log in with Administrator access as rarely as possible. A trojan that is run by mistake, or a malicious ActiveX or Java component run by a webpage, will have access to anything the account has access to. Many bugs that let hostile web pages damage your system have already been found, more are most likely out there. If a dangerous program runs as an Administrator, it will have access to your system files, such as the registry. Running as a Restricted User can mean the difference between having your individual User profile wiped out, versus having your entire system wiped out as an Administrator. Note that running a trojan as a Standard User can affect some system-wide settings, but not all.

PASSWORDS

Always put in passwords, strong passwords. Meaning a combination of lower-case, upper-case, numerals, and special characters like !@#$%. You should NOT use real words or any word that is in the dictionary in your password, as password-breaking programs will exploit this. For example, instead of 'RIOTGIRL' as a password, use 'R10tG1rl' instead. How many characters should you use? In Win2000, you can have up to 127 characters, which is obviously not going to be used that often. The method in which passwords are stored means that a 7-character password is probably the best for most people.

CONVERT YOUR DRIVES TO NTFS

Windows 2000 supports three different file systems (the overall structure in which files are named, stored, and organized): FAT, FAT32, and NTFS. Windows 9x systems were in FAT and FAT32. Windows NT and 2000 have the option to use NTFS. NTFS is by far the most secure. If you didn't set up your disks as 'NTFS' during installation, you need to do that now. Go into Windows Explorer, expand 'My Computer', right-click on your hard drive(s), and select 'Properties'. It should say somewhere in there 'File System: NTFS'. If it says 'File System: FAT' or 'File System: FAT32', you need to change it.

IMPORTANT NOTE: You NEED to have your disks in FAT if you have a dual-boot system with Win95, Win98 or WinME installed, as Win9x systems can not read files on NTFS disks. If you convert the disk/partition that your older Windows is on, the older Windows won't even start. One option is to convert only the hard drive/partition on which you have Win2000 to NTFS, but remember your older Windows will not be able to read any files on it. If you need to change to NTFS, go to Start -> Run (or just type the Windows key + 'r'). At the command line, type in: convert c: /fs:ntfs Replace 'c:' with every drive you wish to convert. Follow instructions, which will probably include restarting your computer. Make sure you do this at a time the power will not go out. It will take a few seconds to a few minutes, depending on how much stuff is on the drive. After converting, you should run Disk Defragger (Start -> Programs -> Accessories -> System Tools).

DRIVE PERMISSIONS

HC sets up and manages security permissions on your behalf, so you don't have to worry about assigning proper user permissions on proper folders, but still, there are few things for you to do.

First, we need to replace the default permission for 'Everyone' or anonymous users to access your drives (including anonymous users/guests). Go into Windows Explorer, expand 'My Computer', right-click on your hard drive(s), and select 'Properties'. Go into the 'Security' tab. Select 'Everyone', Hit Remove. Click Add button, select 'Administrators' and 'SYSTEM', Hit Add, Hit Ok. Select 'Administrators' and 'System' ony-by-one and enable check box labeled 'Full Control', and click OK.

Next, we need to deny access to our dummy Administrator account, in case someone actually manages to log on with it. If you have not created a dummy Administrator account, don't follow the rest of these instructions or you may lock yourself out of your computer. Hit the 'Add' button, and select 'Administrator'.

IMPORTANT: Do NOT hit 'Administrators', as this is the entire GROUP of (real) Administrators. You want the USER 'Administrator' . It will have an entry in the 'In Folder' section next to the name; the 'Administrators' GROUP will NOT. Hit 'OK'. Back in the main Security Tab, hit Advanced. Select Administrator. Hit View/Edit. For 'Apply Onto:', make sure 'This folder, subfolder and files' is selected. Then click all boxes under 'Deny'. Hit OK three times. (If you have any other Names in the top box besides 'Administrator' and 'Authenticated Users', remove them unless you know they belong for some reason. There should not be anything else in a clean install.) You have to repeat this for every drive / partition.

AUDITING

If someone does break in, you may not know it unless you have auditing enabled and actually check your logs. Start -> Programs -> Administrative Tools -> Local Security Policies -> Local Policies -> Audit Policy Under “Audit account logon events records logons” select “Audit success” (to see if someone stole a password) and failure (for random password hacks). “Audit policy changes tracks security policy changes” - “Audit success and failure”. “Audit privilege use can identify when a user tries to use a right not assigned to them” - “Audit failure”. “Audit system events can monitor if someone clears the event log” - “Audit success and failure”. Learn how to use Event Viewer, which lets you examine the logs. Info is shown at http://www.microsoft.com/windows2000/en/server/help/default.asp?url=/windows2000/en/server/help/event_overview_01.htm but the best way is to just run it and look. Note that under default conditions, you can only view the security logs from an administrator account. To run Event Viewer, go to Start -> Run and type in eventvwr and go to the 'security log' tab. You should make a shortcut to keep Event Viewer on your adminstrative account desktop for easy access (and to remind you to look at it). Do it as shown in the section above for creating a shortcut to the Backup program, but the path this time is: %SystemRoot%/system32/eventvwr.exe It is a good idea to put Event Viewer into your adminstrator account startup folder so it automatically starts when you boot up: Start -> Settings -> Task Bar & Start Menu -> Advanced -> Add -> type in %SystemRoot%/system32/eventvwr.exe and hit 'Next', find the 'Startup' folder (under Start Menu -> Programs) and double-click on it, hit 'Finish.' It only takes a second to check the log and exit the program. Otherwise (take it from me) you will probably never bother.

SERVICES

Services are background programs your computer uses to run correctly. Many services are unnecessary, and some are actually dangerous. A secure system needs to disable certain services. Many services are included by default as Microsoft expects your system to be operated in a network. This includes allowing remote users to access your registry, view your clipbook, browse your directory, or connect to it via Telnet. These can open large holes in your system, and should be removed. This also has the advantage of improving system performance, as each service can take up megabytes of RAM. Rather than repeating basic info on services, as well as lengthy descriptions of what each service does, this guide recommends you read the following. The 'Windows 2000 Services tweak guide' is a good introduction to services, and also describes what to do if you accidentally disable a service that you actually need to run your computer: http://www.3dspotlight.com/tweaks/win2k_services/index.shtml. The following article (broken into parts) is more focused on the security aspect of services: http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16301 http://www.windowsitsecurity.com/Articles/Index.cfm?ArticleID=16363.  

Services that we have disabled include: Clipbook Computer Browser DHCP Client (Warning: some internet connections need this service) Fax Service Internet Connection Sharing IPSEC Policy Agent Net Logon Netmeeting Remote Desktop Sharing Remote Registry ServiceRouting and Remote Access SNMP Service SNMP Trap Service TCP/IP NETBIOS Helper Service Telnet (Many Routers/DSL modems need this to communicate with your computer, however you should know if one does as it is usually manual -- if you have never done it you probably don't need it) If you are running an IIS server, see the following on what services are required/not required: http://support.microsoft.com/support/kb/articles/q189/2/71.asp (Also see the following article on securing an IIS 5 server: http://www.microsoft.com/technet/security/iis5chk.asp )

UPDATE WINDOWS

Go to Start -> Windows Update. If you don't have a Windows Update icon in your start menu (some installs don't do this, I don't know why), you can make one. Do it as shown in the section above for creating a shortcut to the Backup program, but the path this time is: %SystemRoot%/system32/wupdmgr.exe Under the name, type in 'Windows Update', or whatever. Drag it to the Start button, when it shows the menu release. It will be put into the upper menu. Make sure you get the latest Service Pack (SP2 is out at time of this writing), as well as any critical updates. To find out other security patches that may affect you (that are not listed in Windows Update), go to http://www.microsoft.com/technet/mpsa/start.asp and scan your machine. Look at the 'view details' section under 'Hotfixes' to see what patches you might need, and where to download them. Note that many of the recommended patches will not affect your particular system (you can read the description of the patches to see if they do). Note that Windows Update does not show all the updates available. It also takes a few weeks from the time that updates are created until they are posted on Windows Update. For details on how to receive email updates when new patches are available, see: http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/bulletin/notify.asp Note that other email notification services are also available, a list of which can be seen at http://www.infosyssec.com/infosyssec/index.html. Make sure your programs are updated as well. One service that scans your system for updates is at http://catchup.cnet.com/ (but be careful with this site -- it sometimes doesn't recognize some software (particularly new or beta versions video card drivers), and may want you to 'update' them to an older version.)

UPDATE HOSTING CONTROLLER

Make sure your Hosting Controller is updated as well. Keep visiting http://hostingcontroller.com for latest security and software updates.

ENABLE TCP/IP FILTERING

I'll add this in for completeness sake, but enabling TCP/IP filtering is often a pain if you don't know what you are doing (and even when you are). Basically, you are instructing Windows to let some connections in based on what ports they are accessing, and denying the rest. (Outgoing connections are not affected; neither are most incoming connections that are responding to a connection you have already established). Let's repeat this as it's important -- you are telling Win2000 what ports you are NOT blocking, not those ports you want to block. Big difference. If you turn filtering on and you don't tell it want you want to let through, it blocks everything. This is part of what a firewall does, and what the free firewalls mentioned above already do. This is just another layer of protection (in case, for example, a malicious program shuts down your primary firewall). The problem here is that if you don't know what ports are necessary, your computer might stop responding. For example, if you filter out tcp port 80, you won't be able to access web pages (http protocol). Filtering is usually best when the computer is used for a specific purpose and you know it will only access certain ports (i.e. web or ftp server), and is much harder to accomplish when the computer is used for a variety of purposes (i.e. a general-purpose home computer) as the number and types of ports you need to access are much more numerous and varied. If you do want to play around with this, go to: Start -> Settings -> Control Panel -> Network and Dial-up Connections You need to go into all the connections listed here ('Local Area Connection' if you use DSL/Cable for example), then hit 'Properties', double-click 'Internet Protocol (TCP/IP)' -> Advanced -> Options, double-click 'TCP/IP Filtering'. To enable filtering, click the 'Enable TCP/IP Filtering (all adapters)' button. By default, 'Permit All' is selected. To filter, select the box called 'Permit Only'. Ports used by MS services (if you are using a network) are described in part here: http://support.microsoft.com/support/kb/articles/q150/5/43.asp Third-party applications could use different ports, which you might need to find out. A partial list is at: http://www.iana.org/assignments/port-numbers

Ports used by HC DCOM services, which runs when you have both HC Primary and Secondary setup installed, ranges between 135-5000 (Dynamically assigned by MS DCOM Manager).For a list of ports you computer is using now, go to: Start -> Programs -> Accessories -> Dos Command Line and type in netstat -a at the command line. Two freeware tools that are useful to find open ports on you computer are: 'Active Ports' program at: http://www.ntutility.com/freeware.html and “TCPView” at http://www.sysinternals.com/ntw2k/source/tcpview.shtml

  • 44 Korisnici koji smatraju članak korisnim
Je li Vam ovaj odgovor pomogao?

Vezani članci

My server is behind firewall. What ports do I need to keep open?

If your servers are behind firewall, the following common ports need remain open. IMail...

How To Enable SSL on Windows Server?

This article demonstrates how to quickly set up Secure Sockets Layer (SSL) in a Windows 2000...

HC Hangs - Script Time Out

  Question : HC was working fine, but suddenly it has stopped working. When I try to add...

How to protect a directory with login and password with the help of Hosting Controller?

This article guides through the steps needed to create password protected web directories....

I forgot my HC user password, how do I reset the password?

There are two method of resetting password. 1. The password can be refreshed using the...

Powered by WHMCompleteSolution