Friday, October 26, 2007

Security for Microsoft Windows NT, 2000 and Applications

Getting Started

Windows NT and 2000 security is an enormous area and for those new to it, the problem is generally where to start.

Start by assessing the sensitivity and importance of the data stored, the required ease of access to this data by users, and the time and budget available to implement security. This will determine the level of security that you can implement. Lock down the highest-risk areas and patch against the most popular exploits first, then implement additional measures as resources allow.

The list below gives some suggestions for security measures that should generally be implemented on all servers, whether new or existing. Further measures may be implemented as resources allow. This list only gives information on what to do, not how to do it. Refer to the next section, Guides and Checklists, for information on how to implement measures that you are not sure of, and for details of further security measures.

  1. Never install IIS unless you definitely need it; note that Windows 2000 server (but not Professional) installs IIS as part of a default installation, so always do a custom installation and remove IIS.
  2. If you do require IIS, install it later while not connected to the network, and configure and patch before reconnecting.
  3. Use the NTFS file system.
  4. Keep operating system security hotfixes up to date (but take care and back up before applying them.)
  5. Apply security patches to other major software e.g. IIS, SQL Server, Exchange.
  6. Password security is one of your best defences. Use strong Administrator passwords — i.e. mix upper and lower case, numbers and special characters, and make them fourteen characters long.
  7. Default password and account policies are practically non-existent. Implement better user password and lockout policies — consider using passfilt for password complexity, set a minimum password length of seven characters and educate your users.
  8. Never make ordinary users members of Administrator groups.
  9. Check for copies of the SAM that everyone can read and secure them (e.g. created by backup software.)
  10. Turn on auditing and review your logs regularly.
  11. If possible, implement the following registry key changes —
    • Restrictions for Anonymous Users
    • LAN Manager Authentication Level
    • Send Unencrypted Password to SMB Servers
  12. Where time permits, review NTFS permissions and tighten security (particularly on NT.)
  13. Review Share permissions regularly.

Guides and Checklists

Microsoft has produced a number of checklists for NT servers and for IIS which can be helpful as a starting point with security. In addition there are a number of security sites that provide guides to securing Windows NT. While the guides are generally aimed at NT, much of the information is equally applicable to Windows 2000, since without Active Directory Windows 2000 is similar in architecture to Windows NT. To date there is less information available on securing Active Directory.

OUCS NT/2000 Security Workshop - This four hour workshop was originally run as part of the OUCS Security Week in 2001. The slides are available from the link above, and the workshop can be repeated on demand. If you would be interested, please email.
Windows NT 4.0 Server Baseline Security Checklist - This checklist outlines the steps you should take to configure a baseline level of security on computers running Windows NT 4.0 Server, either on their own or as part of a Windows NT or Windows 2000 domain.
Windows NT 4.0 Workstation Baseline Security Checklist - This checklist outlines the steps you should take to configure a baseline level of security on computers running Windows NT 4.0 Workstation, either on their own or as part of a Windows NT domain.
Microsoft Domain Controller checklist - Short, clear guide from Microsoft covering securing an NT 4.0 server running as a domain controller
Windows NT 4.0 Member Server Configuration Checklist - Steps to take to secure an NT 4.0 member server, whether standalone or part of an NT or 2000 domain
Windows NT 4.0 Workstation Configuration Checklist - Steps to take to secure an NT 4.0 workstation, whether standalone or part of an NT or 2000 domain
Windows 2000 Server Baseline Security Checklist - This checklist outlines the steps you should take to configure a baseline level of security on computers running Windows 2000 Server or Advanced Server, either on their own or as part of a Windows NT or Windows 2000 domain.
Windows 2000 Professional Baseline Security Checklist - This checklist outlines the steps you should take to configure a baseline level of security on computers running Windows 2000 Professional, either on their own or as part of a Windows NT or Windows 2000 domain.
SecurityFocus - Click on Microsoft tab at the top, then NT. Good, clear guide to locking down NT
NSA Windows NT Security Guidelines - Trusted Systems Services’ definitive guide to NT Security, but at over 100 pages, it's not for the fainthearted.
NSA Windows 2000 Security Guidelines - NSA have released a number of documents giving guidelines for securing Windows 2000 and Active Directory.

Detection and Recovery

CERT Windows NT Intruder Detection Checklist - This is CERT’s checklist suggesting steps to help determine whether a system may have been compromised. Although specific to NT, much of the information will be equally relevant to 2000. It includes details of some batch files to assist in the checking process.
CERT Steps for Recovering from a UNIX or NT System Compromise - This is CERT’s checklist suggesting steps for recovering from the compromise of a UNIX or NT system. Again much of the information will also apply to Windows 2000.

The Windows Update site can also be useful. It automatically detects the operating system and patches that you have installed on your PC and tailors available patches accordingly. It also allows you to install a number of patches simultaneously. It divides patches into categories, and in particular will group together "Critical" patches.

For vital systems, especially servers, you will probably want to install some patches that are not included in the "Critical patches" package. However, this site is relatively simple to use and can be a good way to install the most important patches quickly. In addition, it is relatively easy for end users to use and may therefore be a good way of updating workstations.

Another place to point end users at is the Microsoft Personal Security Advisor, a web application intended to present a summary of potential and actual security risks together with explanations. It is aimed at end users and should not be used on servers. It does not scan for IIS and personal web services patches.


Guidelines for Installation

When installing patches, if possible read the bulletins to determine whether you actually need to install the patch. You may not need to install every patch (for example if you have not installed the vulnerable component) and on a production system it is generally recommended to install only necessary patches. In addition, some bulletins, especially regarding IIS, contain information on configuration changes required, rather than a simple patch. It is also worth keeping Internet Explorer patched, since on occasion it can introduce vulnerabilities.

When installing service packs and hotfixes onto the Windows NT platform, in general the service pack must be installed, followed by the individual patches or hotfixes. For operating systems, only one service pack is required — it is not necessary to install previous service packs first. Originally it was necessary to reboot between each patch, but Microsoft have now released a tool called QChain which allows you to install multiple hotfixes with a single reboot.

If you install any extra Windows NT components that prompt for the original Windows NT CD, you must reinstall the service pack followed by the hotfixes. In general you should reinstall the service pack before rebooting the PC. In the case of the Security Rollup Package the order is likely to be Service Pack, Security Rollup Package, followed by any later hotfixes. As the list of hotfixes grows, it is a good idea to create a batch file to install them using QChain to avoid multiple reboots. Reinstalling hotfixes then becomes relatively simple. Hotfixes should generally be installed in the order that they are released.

With more recent software such as Windows 2000, Microsoft has been including the service pack on the installation media, so your CD may have a slightly different version of the operating system depending upon when you bought it. It is also possible to merge the service pack files into the main installation files before installation. Therefore with Windows 2000 you may not need to install the earlier service pack at all. Windows 2000 is also more intelligent about service packs than Windows NT, and it should not be necessary to reinstall the service pack so often. The position with hotfixes is less clear and it is probably safest to reinstall these if new Windows 2000 components are installed that request the operating system CD. QChain can also be used with Windows 2000.

With some other software (such as SMS) it is necessary to install each service pack in turn, but again Microsoft tend to update the release CD to include the latest, or last-but-one service pack.


Managing Service Packs and Hotfixes for Windows NT 4.0 and 2000

A service pack is a periodic update to the operating system that contains fixes to vulnerabilities and bugs. To date, Microsoft has released six service packs for Windows NT 4.0 and two service packs for Windows 2000. Updates addressing specific vulnerabilities and bugs introduced between Service Packs are called hotfixes. Service packs are cumulative, meaning they include all hotfixes from previous service packs, as well as new fixes.

In addition to installing the latest service packs, it is important to install new hotfixes, as these patches will often address current attacks that are proliferating throughout networks. Although Microsoft recommends applying a hotfix only if a system experiences the specific problem, it is recommended that all security-related hotfixes be installed immediately after installation of the latest service pack. If a service pack is reapplied at any time, the hotfixes must also be re-installed.

Checking System Patch Status

A major challenge for network administrators is keeping up to date on the latest patches.

Microsoft now provides a Network Security Hotfix Checker (Hfnetchk.exe) tool that lets administrators scan their servers -- including remote ones -- to ensure that they are up to date on all security patches for Windows NT 4.0, Windows 2000, IIS 4.0, IIS 5.0, IE and SQL Server. Detailed information on Hfnetchk, including download location, is available in Knowledge Base article Q303215 at http://www.microsoft.com/technet/treeview/default.asp?url=/technet/security/tools/hfnetchk.asp.

The HFNetChk tool allows administrators to scan local and remote systems to check service pack and patch level. It uses a database automatically downloaded from Microsoft and reports on the patch level of IIS 4.0, IIS 5.0, Internet Explorer and SQL Server as well as the operating system itself. It is most useful in a domain environment, but you can in general scan any PC to which you can connect as an administrator, or of course, access locally.

To make the output from HFNetChk look prettier, you can download the free Hotfix Reporter tool from Maximized Software, which will run HFNetChk and format the output into html for you. Another free tool is the Windows Hotfix Checker (WHC), a GUI front-end for HFNetChk, available from Michael Dunn at The Code Project. It will give you a GUI for scanning local and remote computers using HFNetChk, and will even help you install hotfixes on your local PC.


Windows NT 4.0 Patches

To achieve the highest level of Windows NT security, install Service Pack 6a and the post Service Pack 6a hotfixes. For a complete list of available service packs and hotfixes go to http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/.

Microsoft has provided the Security Rollup Package (SRP) as a mechanism for managing the rollout of security related fixes. The SRP includes the functionality from many security patches released for Windows NT 4.0 since the release of Service Pack 6a. The SRP includes post-Service Pack 6a fixes that were delivered via Microsoft security bulletins as well as a small number of fixes that were not addressed through this forum. For a complete listing of all fixes in the SRP, refer to Microsoft Knowledge Base Article (Q299444), "Post-Windows NT 4.0 Service Pack 6a Security Rollup Package (SRP)," at http://support.microsoft.com/support/kb/articles/q299/4/44.asp.

Fixes not included in the SRP: Fixes for newer vulnerabilities may not be included in the SRP. These must be applied separately and may be downloaded from http://www.microsoft.com/ntserver/nts/downloads/recommended/SP6/. In addition, the following vulnerability affecting Windows NT 4.0 systems is not included in the SRP:

Enhanced Security Level Hotfix - When changing the domain password with the C2 security registry entry enabled, a "Stop 0x1E" error message may occur. The problem occurs if the administrator has Service Pack 6a (SP6a) installed and the following registry entry is set:

Hive: HKEY_LOCAL_MACHINE

Key: SYSTEM\CurrentControlSet\Control\Session Manager

Value: EnhancedSecurityLevel

Type: REG_DWORD

Data: 1

This key ensures that Object Manager can change the attributes of a kernel object in the Object table for the current process if the previous mode of the caller is kernel mode. When attempting to change the password after setting this registry value, the following error message will be received: Stop 0x0000001e (0xc0000005, 0x8019bb12, 0x00000000, 0x0000022c)

A supported fix that corrects this problem is now available from Microsoft, but it is not available for public download. To resolve this problem immediately, contact Microsoft Product Support Services to obtain the fix. This hotfix is also available from NSA. For a complete list of Microsoft Product Support Services phone numbers and information on support costs, please go to the following address on the World Wide Web: http://support.microsoft.com/directory/overview.asp.


Windows 2000 Patches

To achieve the highest level of Windows 2000 security, install Service Pack 2 and the post Service Pack 2 hotfixes. For a complete list of available service packs and hotfixes, refer to

http://www.microsoft.com/windows2000/downloads/default.asp

List of NT/Windows 2000 Security Measures

This list of NT/Windows 2000 security measures is by no means exhaustive. There are approximately 400 known vulnerabilities with Windows NT/2000 and associated applications. This list addresses less than 10 percent of those vulnerabilities. It should also be understood that alleviating one's network of these vulnerabilities does not render the network "secure".

Ensure that the file system is NTFS versus FAT. NTFS allows file access control to be set; FAT does not.

Limit the information available from a null connection. Null connections (anonymous users) are included in the built-in Everyone security group; thus, anonymous users have access to any resources that the Everyone group has access to. Windows NT Service Pack 6a limits much of what an anonymous user can do. Prevent anonymous users from being able to enumerate account names and shares by setting the following registry key:

Hive: HKEY_LOCAL_MACHINE

Key: System\CurrentControlSet\Control\Lsa

Name: RestrictAnonymous

Type: REG_DWORD

Value: 1

Remove the Everyone group from the "Access this Computer from the Network" user right. Replace it with the Authenticated Users group. In Windows NT 4.0, this can be accomplished under User Manager -> Policies -> User Rights. In Windows 2000, this can be done via the Security Configuration Toolset and Group Policy.

Do not allow remote registry access. There are many registry keys that allow the Everyone group, and therefore anonymous users, read and/or set value permissions. If an unauthorized user was able to remotely edit the registry, he could modify registry keys in an attempt to gain elevated privileges. Restricting remote registry access is accomplished by setting security permissions on the HKLM\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg key. It is highly recommended that only Administrators and System have remote access to the registry.

Ensure that the Guest Account is disabled.

Ensure that all accounts (service and user) have passwords regardless of whether the account is enabled or disabled.

Disable LanMan authentication. LanMan passwords are used for backwards compatibility with older Windows operating systems (e.g., Windows 9x) and are simply the NT/2000 password converted to all uppercase and encrypted in a different way. LanMan passwords are easier to crack than NTLM hashes because they are treated as two 7-character passwords. It is recommended that LanMan passwords be disabled. If Windows 9x boxes reside on the network, Directory Client Services (available on the Windows 2000 CD) must be installed on these systems in order to allow NTLM version 2 authentications. To disable LanMan authentication, set the following registry key:

Hive: HKEY_LOCAL_MACHINE

Key: System\CurrentControlSet\Control\Lsa

Name: LMCompatibilityLevel

Type: REG_DWORD

Value: 5
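
The two Lsa settings above (RestrictAnonymous and LMCompatibilityLevel) can be checked offline against a registry export saved from regedit. The following Python script is an added example, not part of the original guidance; the sample export is constructed, and treating a missing value as a failure and a higher value as meeting the baseline are assumptions.

```python
import re

# Baseline taken from the registry settings listed on this page:
# (key under HKEY_LOCAL_MACHINE, value name) -> minimum DWORD data.
# Assumption: a value above the minimum also meets the baseline.
BASELINE = {
    (r"system\currentcontrolset\control\lsa", "restrictanonymous"): 1,
    (r"system\currentcontrolset\control\lsa", "lmcompatibilitylevel"): 5,
}

HKLM = "hkey_local_machine\\"
KEY_RE = re.compile(r"^\[(.+)\]$")
DWORD_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=dword:([0-9a-fA-F]{1,8})$')

# Constructed sample export (not taken from a real system).
SAMPLE_EXPORT = r"""REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"Authentication Packages"=hex(7):6d,73,76,31,5f,30,00,00
"LMCompatibilityLevel"=dword:00000002
"""


def parse_reg_dwords(text):
    """Return {(key, name): int} for every DWORD under HKLM in a .reg export.

    Key paths and value names are lower-cased because the registry is
    case-insensitive. Values of any other type are skipped.
    """
    values, key = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        m = KEY_RE.match(line)
        if m:
            path = m.group(1).lower()
            # Ignore other hives and "[-...]" key-deletion entries.
            key = path[len(HKLM):] if path.startswith(HKLM) else None
            continue
        m = DWORD_RE.match(line)
        if m and key is not None:
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values


def audit(text):
    """Compare an export with BASELINE.

    Returns a list of (value name, actual data or "missing", required
    minimum) tuples, one per setting that does not meet the baseline.
    """
    found = parse_reg_dwords(text)
    findings = []
    for (key, name), minimum in sorted(BASELINE.items()):
        actual = found.get((key, name))
        if actual is None:
            # Assumption: an absent value is reported, since the setting
            # has not been applied.
            findings.append((name, "missing", minimum))
        elif actual < minimum:
            findings.append((name, actual, minimum))
    return findings


if __name__ == "__main__":
    for name, actual, minimum in audit(SAMPLE_EXPORT):
        print(f"{name}: found {actual}, baseline requires at least {minimum}")
```
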

Close ports 135, 137, 138, and 139 either at the premise router or firewall. For networks containing Windows 2000 systems, also block port 445. These ports are needed in an internal network, but not externally. Blocking these ports will stop many attacks against Windows NT and Windows 2000. Also, remove unneeded protocols (e.g. NetBeui, IPX).

Out-of-the-box permissions on Windows NT system files and registry keys are overly permissive. Replace the Everyone group with the Authenticated Users group on critical system folders and files (e.g. WINNT, system32) and registry keys (e.g., HKLM\Software\Microsoft\Windows\Run and HKLM\Software\Microsoft\Windows NT\CurrentVersion\AEDebug).

Restrict permissions on network shares. When a share is created, the default access control is Everyone having Full Control. Restrict the share permissions to only those groups that need access.

Remove all services that are not required (e.g., Telnet, FTP, Web).

Ensure proper placement of services on the network (e.g. RAS or Web service should not be on a Domain Controller).

Enable auditing. At a minimum, audit logons and logoffs, failed attempts at exercising user privileges, and system events such as shutdowns.

Review Trust Relationships between domains. Remove unnecessary trusts.

Service Pack Management Software

There are currently a few packages that help you to manage the installation of service packs and hotfixes remotely if you don't wish to use SMS. There may be more available in the future — for example, Maximized Software are currently developing Hotfix Reporter Pro which looks as if it may offer some or all of the features found in the products given below. We have no recommendations about any of these products, but if you are interested, check the references given.

Microsoft Download Pages

Windows Security Web Resources

The following is a list of some of the best web resources for gathering security information about Windows 2000, Windows NT, and the Internet.

  • Microsoft TechNet—For information about Win2K and NT corporate security, Microsoft's security site is the place to start. You'll find links to the latest service packs and security articles, as well as a link to subscribe to the company's E-Mail Notification service.
  • Security Administrator—The Security Administrator site (formerly WindowsITsecurity.com) is part of the Windows 2000 Magazine Network. The site offers Win2K and NT security news, weekly security columns, and discussion forums that let you find quick answers to specific security questions.
  • NTBugtraq—The NTBugtraq site and its sister Web site, NTSecurity, provide the best way to obtain up-to-date notifications about Win2K and NT security bugs and exploits. To put yourself on the NTBugtraq mailing list, send an email message to listserv@listserv.ntbugtraq.com. In the body of the message, type the text "subscribe ntbugtraq firstname lastname" or "subscribe ntbugtraq anonymous."


More Pointers to information about the most recent security patches, updates, and information.


Microsoft has a wealth of security-oriented content on its enormous Web site, although the information is spread across various areas of the site. One of the better Microsoft security resources is the company's Security site.

Microsoft Security Toolkit
If you're looking for information specifically about securing your Windows environment, Microsoft has finally released its Security Toolkit, which the company promised last fall. The Microsoft Security Toolkit applies to Win2K Server, Win2K Advanced Server, Win2K Professional, NT 4.0 Server, NT 4.0 Workstation, and NT Server Terminal Server Edition. The toolkit includes best-practices data about securing Internet-connected Windows machines, high-severity security patches, and other tools and information. You can order the toolkit free of charge from the Microsoft Web site.

Microsoft Baseline Security Analyzer
A slightly more recent free security download is the MBSA, which provides an easy-to-use, XP-influenced UI. The MBSA checks your XP, Win2K, or NT machine for common security misconfigurations, such as weak or missing passwords, and can scan for security problems in Microsoft IIS 4.0 or greater and SQL Server 7.0 or greater. You can run the MBSA only on XP and Win2K machines, although you can check NT 4.0 machines remotely over a network.

Microsoft Windows 2000 Security Operations Guide
The Win2K Security Operations Guide is a 192-page document that provides a comprehensive, step-by-step approach to locking down Win2K systems while minimizing vulnerabilities and providing best practices for managing system patches, auditing, and intrusion detection. This must-read guide is available for free from the Microsoft Web site.

IIS Lockdown Wizard
Microsoft IIS administrators will want to look at the IIS Lockdown Wizard, which lets you secure IIS. Microsoft has updated this tool several times since its initial release, so make sure you have the most recent version, 2.1. This version adds server-role templates for IIS-dependent products such as Microsoft Exchange Server, Commerce Server, BizTalk Server, Small Business Server (SBS) 2000 and 4.5, SharePoint Portal Server, SharePoint Team Services, and FrontPage Server Extensions. The tool is integrated with the previously separate URLScan tool.


Microsoft Applications

Vulnerabilities in applications such as Outlook, Microsoft Exchange, SQL Server, and IIS may open a network to attack. Therefore, it is important that applications be kept current with the latest patches and service packs. Microsoft provides several tools for improving application security. Some of these tools are listed below, along with a web reference to follow for more information.

URL Scan Security Tool – Allows web server administrators to restrict servers to ensure that they only respond to legitimate requests. http://www.microsoft.com/technet/security/URLScan.asp

IIS Lockdown Tool - A Microsoft tool for securing IIS 4.0 or 5.0 web server. http://www.microsoft.com/technet/security/tools/locktool.asp

Improved Outlook E-mail Security Update - A new version of the Outlook E-mail Security Update is available that provides protection against additional types of e-mail-based attacks.
http://office.microsoft.com/downloads/2000/Out2ksec.aspx

HFNetChk Security Tool – In addition to operating system patches, checks security patches for IIS 4.0, IIS 5.0, IE, and SQL Server. http://www.microsoft.com/technet/security/tools/hfnetchk.asp

Microsoft Personal Security Advisor - A Microsoft tool for checking that workstations are current with all security patches and configured for secure operation.
