Hardening Windows W2K Server

This document is intended as a starting checklist to harden Windows 2000 Server and IIS against security vulnerabilities. This checklist is designed for those who are extremely familiar with Windows and IIS, as explanations for the checklist actions are not included. It is strongly recommended that you visit the Microsoft Security and Privacy page, at http://www.microsoft.com/security/default.asp, for specific information about each step and the reason behind each action.

Install Windows 2000 Server operating system
- Install only the options required
- Specify that the machine is part of a Workgroup and not a domain
- Install the latest OS service patches as recommended at http://v4.windowsupdate.microsoft.com/en/default.asp
  - Install all needed "critical updates"
  - Install all needed "Windows 2000 updates"
- Install the latest Office updates as recommended at http://office.microsoft.com/productupdates/
- Run Microsoft Baseline Security Analyzer (MBSA), which can be found at http://www.microsoft.com/technet/treeview/?url=/technet/security/tools/Tools/MBSAhome.asp. Select the applicable type of server configuration.
  Note: This product will automatically set some of the settings below.
- Rename the "Everyone" group to a different name
- Rename the "Administrator" account to a different name (do not use "admin")
- Run syskey.exe, select Encryption Enabled, then select OK

Registry Changes
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeCaption: change the value to include your company name or site owner
- HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\LegalNoticeText: change the value to "Unauthorized Use Prohibited by 18, U.S.C."
- Run drwtsn32 and uncheck all options except "Append to Existing Log File"
- Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\OS2
- Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Posix
- Delete HKLM\System\CurrentControlSet\Control\Session Manager\SubSystems\Optional
- Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
- Delete HKLM\Software\Microsoft\RPC\ClientProtocols\ncadg_ip_udp

Control Panel Changes
- Control Panel\System\Advanced\Startup and Recovery
  - Set the display list to 10 seconds
  - Check "Automatic Reboot"
  - Set Write Debugging Information to "none"
- Control Panel\Administrative Tools\Local Security Policy\Account Policies\Password Policy
  - Enforce password history: 8
  - Minimum password length: 8
  - Maximum password age: 30
- Control Panel\Administrative Tools\Local Security Policy\Account Policies\Account Lockout Policy
  - Account lockout duration: 10 minutes
  - Account lockout threshold: 5
  - Reset account lockout counter after: 10 minutes
- Control Panel\Administrative Tools\Local Security Policy\Local Policies\Audit Policy
  - Audit account logon events: Success, Failure
  - Audit account management: Success, Failure
  - Audit directory service access: Success, Failure
  - Audit logon events: Success, Failure
  - Audit policy change: Success, Failure
  - Audit privilege use: Success, Failure
  - Audit process tracking: Success, Failure
  - Audit system events: Success, Failure
- Control Panel\Administrative Tools\Local Security Policy\Local Policies\Security Options
  - Allow System to Be Shut Down Without Having to Log On: Disabled
  - Audit Use of Backup and Restore Privilege: Enabled
  - Clear Virtual Memory Pagefile When System Shuts Down: Enabled
  - Disable CTRL-ALT-DEL Requirement for Logon: Disabled
  - Do Not Display Last User Name in Logon Screen: Enabled
  - Message Text for Users Attempting to Log On: "Unauthorized use prohibited by 18, U.S.C."
  - Message Title for Users Attempting to Log On: company or site owner's name
  - Prevent Users from Installing Printer Drivers: Enabled
  - Recovery Console: Allow Automatic Administrative Logon: Disabled
  - Restrict CD-ROM Access to Locally Logged-On User Only: Enabled
  - Restrict Floppy Access to Locally Logged-On User Only: Enabled
  - Unsigned Driver Installation Behavior: Do not allow (NOTE: May prevent software installs)
  - Unsigned Non-Driver Installation Behavior: Do not allow (NOTE: May prevent software installs)
  - Additional restrictions for anonymous connections: No access without explicit anonymous permissions
- Control Panel\Network and Dial-up Connections\applicable connections\Properties\General
  - Deselect all components except "Internet Protocol (TCP/IP)"
- Control Panel\Network and Dial-up Connections\applicable connections\Properties\General, select Internet Protocol (TCP/IP), select Properties, select Advanced\WINS
  - Disable NetBIOS over TCP/IP
  - Disable LMHOSTS lookup
- Control Panel\Network and Dial-up Connections\applicable connections\Properties\General, select Internet Protocol (TCP/IP), select Properties, select Advanced\Options\TCP/IP filtering
  - Disable or filter all TCP, UDP, and IP ports as needed
- Control Panel\Administrative Tools\Computer Management\Local Users and Groups\Users
  - Guest account\General Tab: Cannot change password
  - Guest account\General Tab: Password never expires
  - Guest account\General Tab: Account disabled
  - Guest account\Dial-in Tab\Remote Access Permission: Deny access

Services
- Configure the following Windows Services to start automatically:
  DNS Client, Event Log, Logical Disk Manager, IPSec Policy Agent, Plug and Play, Protected Storage, Remote Registry Service, RunAs, Security Accounts Manager, Task Scheduler
- Configure the following Windows Services to start manually:
  Application Management, ClipBook, COM+ Event System, Logical Disk Manager Administrative Service, Distributed Link Tracking Server, Fax Service, File Replication, Indexing Service, Internet Connection Sharing, Net Logon, NetMeeting Remote Desktop, Network Connections, Network DDE, Network DDE DSDM, NT LM Security Support Provider, Performance Logs and Alerts, QoS RSVP, Remote Access Auto Connection Manager, Remote Access Connection Manager, Remote Procedure Call (RPC) Locator, Smart Card, Smart Card Helper, Uninterruptible Power Supply, Utility Manager, Windows Installer, Windows Management Instrumentation Driver Extensions
- Disable the following Windows Services:
  DHCP Client, Intersite Messaging, Kerberos Key Distribution Center, Messenger, Print Spooler, Routing and Remote Access, Simple Mail Transport Protocol (SMTP), Telephony, Telnet, Terminal Services, Windows Time

General Changes
- For the Everyone group that was renamed:
  - C drive, Documents and Settings folder rights: Read & Execute, List Folder Contents, Read
  - C drive, WinNT folder rights: none
  - Web folder: Read & Execute, List Folder Contents, Read
- Remove all rights for the Everyone group (that was renamed) from the following c:\winnt\system32 files:
  arp.exe, at.exe, cacls.exe, cmd.exe, command.exe, debug.exe, edit.com, edlin.exe, finger.exe, ftp.exe, ipconfig.exe, nbtstat.exe, net.exe, netstat.exe, nslookup.exe, ping.exe, posix.exe, rdisk.exe, rcp.exe, rexec.exe, regedit.exe, regedt32.exe, route.exe, rsh.exe, runone.exe, syskey.exe, tracert.exe, telnet.exe, xcopy.exe (and any others not needed)

IIS
- Stop the Administrative Web Site
- Stop the Default SMTP Virtual Server
- Stop the FTP Site if installed
- Delete "iisstart.asp" in the WWWRoot directory
- Delete the "iissamples" folder under the "inetpub" directory
- Delete the "iisadmin" folder under the "inetpub" directory
- Delete the "iishelp", "iisadmin" and "iissamples" virtual directories for all current webs. NOTE: These directories should be deleted on any future webs also.
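As an added example (not part of this checklist or of SiteRecon's tools), the following Python script audits a "secedit /export" security template against the Password Policy, Account Lockout Policy, Audit Policy and several Security Options values listed above. It assumes the standard secedit .inf layout ([System Access], [Event Audit], [Registry Values]) and the registry paths behind those options (RestrictAnonymous, ClearPageFileAtShutdown, DontDisplayLastUserName), and the export it parses is a constructed sample.

```python
# Added example: audit a "secedit /export" template against the checklist above (not the page's own code).
import configparser

# Checklist targets. Audit values: 3 = Success and Failure. Registry Values are "<type>,<value>", 4 = REG_DWORD.
EXPECTED = {
    "System Access": {"PasswordHistorySize": "8", "MinimumPasswordLength": "8",
                      "MaximumPasswordAge": "30", "LockoutBadCount": "5",
                      "LockoutDuration": "10", "ResetLockoutCount": "10"},
    "Event Audit": {k: "3" for k in ("AuditAccountLogon", "AuditAccountManage",
                    "AuditDSAccess", "AuditLogonEvents", "AuditPolicyChange",
                    "AuditPrivilegeUse", "AuditProcessTracking", "AuditSystemEvents")},
    "Registry Values": {  # assumed paths for three of the Security Options
        r"MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous": "4,2",
        r"MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown": "4,1",
        r"MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName": "4,1"},
}

# Constructed sample export (real exports are UTF-16 text; decode before parsing).
SAMPLE_EXPORT = r"""[System Access]
MaximumPasswordAge = 42
MinimumPasswordLength = 8
PasswordHistorySize = 8
LockoutBadCount = 5
ResetLockoutCount = 10
LockoutDuration = 10
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditPrivilegeUse = 3
AuditPolicyChange = 3
AuditAccountManage = 3
AuditProcessTracking = 0
AuditDSAccess = 3
AuditAccountLogon = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
"""

def audit(inf_text):
    """Return (section, setting, current, expected) for each deviation; an absent setting is 'missing'."""
    cfg = configparser.ConfigParser(interpolation=None)
    cfg.optionxform = str  # keep the case of setting names and registry paths
    cfg.read_string(inf_text)
    findings = []
    for section, wanted in EXPECTED.items():
        for key, want in wanted.items():
            have = cfg.get(section, key, fallback=None)
            if have is None or have.strip() != want:
                findings.append((section, key, "missing" if have is None else have.strip(), want))
    return findings
```

Run against the sample it reports the default 42-day password age, process tracking auditing switched off, and the missing anonymous-connection restriction; against a real export, decode the UTF-16 file first and pass the text to audit().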
Display Properties
- Set the screen saver to "Logon Screen Saver"
- Set the screen saver wait time to 5 minutes
- Check "Password protected"

Install remote control program if desired
- Disable the Guest account
- Uncheck Internet Locator services if an option

Install Firewall software
- Disable or close all unnecessary ports
- Be sure to grant IP access to any machine that will be used to administer the server remotely

Install AntiVirus program
- Enable the "start program on Windows startup" option
- Turn on all activity logs (detection, quarantine, etc.)
- Disable the "audible alert" option
- Check that "how to respond when a virus is found" is set to an automatic action. (Norton, for example, uses a default of "ask me what to do".)
- Enable scan of "master boot records"
- Enable scan of "boot records"
- Scan all inbound file types

Web Content
- Create a directory for web content (do not use the default web directory)
- Load content
- Set directory permissions, and .NET permissions if applicable
- Use SiteRecon's URL Comments page (http://www.siterecon.com/URLComments.aspx) to verify that no inappropriate comments are embedded in your pages.

Vulnerability Scan
- Use a vulnerability scanner or scanning service to verify that your site is secure and no vulnerabilities exist. A web search for the term "vulnerability scanner" will yield numerous companies to select from.

NOTE: Other security steps may be required based on your system, architecture, and specific needs! Site and server security requires daily procedures to ensure a proper defense. Security patches must be applied upon release, and the system and firewall logs need to be reviewed daily to track activity and intrusion attempts.

About the Author
Lew Newlin is CTO of Information Solutions, Inc., which operates SiteRecon.com. SiteRecon specializes in security, email monitoring, and web site monitoring for Internet service providers and businesses.