
Windows NT/2000/XP Hardening Information Systems and Technology University of Waterloo

This paper is a brief security note to advise users of Windows NT, 2000 and XP workstations on how to apply patches and configure their systems to better protect them from compromise. It is emphatically not a comprehensive guide to Windows security but it is a first step in that direction. This list is not comprehensive but if you follow the recommendations you will reduce your risk of compromise substantially.

Uploaded by

Mihaela

Synopsis

It's a fundamental security practice that you keep your system patched and up to date (see the CERT Security Improvement Modules). Weaknesses are continually discovered in all computer systems and Microsoft Windows is no exception. If you don't protect your system and apply vendor updates the consequences are all too predictable -- systems are regularly compromised because they're not patched to address well known vulnerabilities and not configured to prevent access to vulnerable services.

This paper is a brief security note to advise users of Windows NT, 2000 and XP workstations on how to apply patches and configure their systems to better protect them from compromise. This is emphatically not a comprehensive guide to Windows security but it is a first step in that direction.
(by) Reg Quinton, Information Systems and Technology 2002/03/15 - 2006/05/03

Recommendations
To maintain your Windows NT, 2000 or XP system you will need to have access to the "Administrator" account -- unlike Windows 95, 98 and ME where all users have complete access to the entire system. Here are a few simple recommendations which will help to secure your system:

1. Secure the Administrator Account
2. Install and Maintain Anti-Virus Protection
3. Patching with the Microsoft Update Center
4. Personal Firewalls

And once you've looked at those you may want to investigate these more advanced issues for servers:

1. Microsoft's Baseline Security Advisor
2. Microsoft's IIS Web Server
3. Microsoft's MS/SQL Server

This list is not comprehensive but if you follow the recommendations you will reduce your risk of compromise substantially. Microsoft has a similar checklist; see their 7 Steps to Personal Computing Security and their 3 step program to Protect Your PC.

Recommendation 1: Secure the Administrator Account.
The "Administrator" has the authority to do anything to your system and that does not require access to the console! The bad guys will search out network attached systems where the administrator account has no password, or a trivial password, and will take complete control of your system. Therefore, make sure the administrator has a non-trivial password that's difficult to guess (at least 8 characters, at least 3 different character types, avoid variations on dictionary entries -- random passwords are the best).

[NB] Any user can change their password by pressing the "control-alt-del" sequence and selecting the "Change Password ..." button. The administrator can change anyone's password: from the "Settings" menu find the "Control Panel" and then select "Users and Password".

A well maintained system is trivial to compromise if the administrator account is not well protected. We see this far too often.
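
The password rule above (at least 8 characters, at least 3 character types, no variations on dictionary entries) can be checked mechanically. The following is an added example, not part of the original paper; the word list, the substitution table and the function names are assumptions made for illustration.

```python
import re

# Constructed sample wordlist (assumption); load a real dictionary file in practice.
SAMPLE_WORDS = {"password", "administrator", "admin", "windows",
                "waterloo", "welcome", "letmein"}

# Common look-alike substitutions, undone before the dictionary comparison.
LEET = str.maketrans({"0": "o", "1": "l", "3": "e", "4": "a", "5": "s",
                      "7": "t", "@": "a", "$": "s", "!": "i"})


def character_types(password):
    """Return which of lower/upper/digit/other appear in the password."""
    types = set()
    for ch in password:
        if ch.islower():
            types.add("lower")
        elif ch.isupper():
            types.add("upper")
        elif ch.isdigit():
            types.add("digit")
        else:
            types.add("other")
    return types


def dictionary_base(password, words=SAMPLE_WORDS):
    """Return the dictionary word this password is a variation of, or None."""
    forms = {password.lower()}
    for _ in range(2):  # apply both normalisations, in either order
        stripped = {re.sub(r"^[^a-z]+|[^a-z]+$", "", f) for f in forms}
        unleeted = {f.translate(LEET) for f in forms}
        forms |= stripped | unleeted
    forms |= {f[::-1] for f in forms}  # a reversed word is still a variation
    for form in sorted(forms):
        if form in words:
            return form
    return None


def audit_password(password, words=SAMPLE_WORDS):
    """List the ways a password misses the rule; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than 8 characters")
    if len(character_types(password)) < 3:
        problems.append("fewer than 3 character types")
    base = dictionary_base(password, words)
    if base:
        problems.append("variation on dictionary entry '%s'" % base)
    return problems


if __name__ == "__main__":
    for candidate in ["", "waterloo", "P@ssw0rd1", "nimda2002", "tR7#qv9LxZ"]:
        print(repr(candidate), audit_password(candidate) or "ok")
```

A password such as "P@ssw0rd1" satisfies the length and character-type counts and is still rejected, which is why the dictionary check matters as much as the other two.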

Recommendation 2: Install and Maintain Anti-Virus Protection.
You need to assure yourself that your system is clean, that no files have been compromised and that no new files you introduce to your system will do any damage. A tool like Norton Anti-Virus is highly recommended -- but make sure you have the most recent virus definitions. To maintain your anti-virus protection, virus definitions should be refreshed on a weekly basis as new viruses are unleashed almost daily.

We have a campus wide licence for Norton Anti-Virus (NAV) and everyone covered by the licence ought to install it on their systems -- see University of Waterloo Site Licensed Software: Norton Anti-Virus License. Students wishing to use this software can obtain a licensed copy by purchasing the UW/IST Home CD. The CD includes several licensed packages including Norton Anti-Virus -- the price is very modest.

We also have a NAV Update service and you can configure your system to use that service so you always have current virus definitions and don't have to do any manual updates. See:

Anti-Virus Service for Windows users in the UW Community -- a description of the service.
Symantec AntiVirus - Windows Installation Notes -- instructions.

Anti-Virus protection is a first line of defence for Windows systems. We see far too many systems with no protection.

Recommendation 3: Patching with the Microsoft Update Center.
Microsoft makes patch management on Windows systems very easy -- as "Administrator" use Internet Explorer and go to the Microsoft Update Center, click on the link for "Product Updates" and follow the instructions to update your system. If you have Microsoft Office applications installed (like Word, Excel, Outlook, etc.) you must also visit the Office Update Center.

[NB] If there are any "CRITICAL UPDATES AND SERVICES PACKS" outstanding you would be well advised to apply those right away. Select them and click the Download icon.

[NB] Installing hot fixes and service packs involves several button clicks and often a reboot. The first time through the process it is a little daunting. But lots of people are doing it and it works well enough for them.

[NB] There's always a risk that a patch may muck up your system. But it's a certainty that failing to apply a critical patch will leave you open to compromise!

[NB] Patches that have been out for a while have a very low risk of failure -- they've been tested by others.

If you have been applying patches for a while you will find the routine tedious and ask for automation. Windows 2000, XP and 2003 machines can be configured to automatically retrieve and apply patches from a "Software Update Server" (SUS) -- that's what the Windows Update site is. IST offers a campus wide Software Update Service and it's not hard to configure a system to take advantage of it. Alternatively you can configure your machine to retrieve and install patches from Microsoft -- see HOW TO: Configure and Use Automatic Updates in Windows XP and HOW TO: Configure and Use Automatic Updates in Windows 2000.

The Microsoft Baseline Security Advisor (MBSA) discussed below will identify the same patches that ought to be applied. At this writing MBSA will not track updates to Office products.

We see Windows compromises on a regular basis where the bad guys exploit outstanding problems where patches are available. Patching your system is a very important line of defence.

Recommendation 4: Personal Firewall
These days every Windows station is a "server" that can be abused. But most Windows machines are client only systems that should provide no services to others. A "firewall" is a technology to restrict access to services. Here's how you can lock your machine down so it's client only.

On Windows XP you should use the Internet Connection Firewall (ICF) to control access to services -- it takes a very few button clicks to configure. ICF locks down all services to the machine itself -- that provides good security and is highly recommended. I use it on my workstation and it works very well. For detailed instructions see our article on Windows Internet Connection Firewall.

Windows 2000 does not support ICF. However, it does support TCP/IP filtering sufficient for a client-only configuration. See the Microsoft TechNet article on How to configure TCP/IP filtering in Windows 2000.

We have some rough (very rough) notes on IPSec for Windows 2000 and XP. We've made it a practice to limit access to the Microsoft services to on-campus only, but our recent experiences with Welchia and Blaster lead us to believe we need more restrictive rules, more like ICF. Nevertheless, for Windows 2000 IPSec is the most effective tool set for limiting access to services. Windows NT4 does not support IPSec filtering.

Various vendors sell firewall software. One of the most popular is ZoneAlarm by Zone Labs. I have used ZoneAlarm on Windows 2000 Professional and it works well -- albeit after an awkward tuning period. There are other firewall products that work as well. I cannot comment on using ZoneAlarm on a server and on Windows XP I much prefer ICF.

NT4 is at end of life: users should plan an upgrade to Windows XP or 2003. Users of Windows 2000 desktop should consider an upgrade to Windows XP if only for the ICF filtering provided.

If you have a home network connected to a high speed network (like Sympatico or Rogers Wave) you probably are already familiar with personal firewall devices -- the "network routers" by vendors LINKSYS, NETGEAR, D-LINK and others sold at computer stores like FutureShop and RadioShack are firewall devices. They are supposed to be very easy to use and configure.

On managed workstations we recommend a combination of IPSec and ICF -- ICF to lock down the machine with very few exceptions and IPSec to control access to those exceptions.
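
One way to see how far a workstation is from the "client only" goal described above is to list the services it is listening with. This is an added example, not part of the original paper: it parses `netstat -an` output and reports listeners bound to non-loopback addresses. The sample output, the port-to-service table and the function names are constructed for illustration.

```python
# Constructed `netstat -an` output from a hypothetical Windows workstation.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1433         0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1045      192.0.2.10:80          ESTABLISHED
  UDP    0.0.0.0:1434           *:*
"""

# Well-known ports for the kinds of service this paper discusses.
KNOWN_SERVICES = {
    ("TCP", 80): "web server (IIS)",
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 139): "NetBIOS session service",
    ("TCP", 445): "SMB file sharing",
    ("TCP", 1433): "SQL Server",
    ("UDP", 1434): "SQL Server resolution service",
}


def exposed_listeners(netstat_output):
    """Return sorted (port, proto, address, service) for non-loopback listeners."""
    findings = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # banner, column header or blank line
        proto, local = fields[0], fields[1]
        if proto == "TCP" and fields[-1] != "LISTENING":
            continue  # an outbound or established connection, not a service
        address, _, port = local.rpartition(":")
        if not port.isdigit():
            continue
        if address.startswith("127.") or address == "[::1]":
            continue  # loopback only: not reachable from the network
        service = KNOWN_SERVICES.get((proto, int(port)), "unknown service")
        findings.append((int(port), proto, address, service))
    return sorted(findings)


def is_client_only(netstat_output):
    """True when nothing is listening on a network-reachable address."""
    return not exposed_listeners(netstat_output)


if __name__ == "__main__":
    for port, proto, address, service in exposed_listeners(SAMPLE_NETSTAT):
        print("%s %s:%d  %s" % (proto, address, port, service))
```

A listener reported here may still be blocked by ICF or an IPSec filter; the list shows what those filters have to cover, and which services could simply be shut down instead.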

Recommendation 5: Microsoft's Baseline Security Advisor
Microsoft's Baseline Security Advisor (MBSA) is a very good tool to evaluate the security of your Windows NT, Windows 2000 or Windows XP system. It will determine the patches (also known as "service packs" and "hot fixes") that ought to be applied as well as make recommendations about several important security settings. We use this on our systems and follow the recommendations it makes. It works very well for us and has been an invaluable aid for securing our systems.

[NB] MBSA comes as a standard install kit -- an earlier tool was web based. You need access to an Administrator account to install the package and you need to be an Administrator to scan a computer for problems. When you conduct a scan the tool will download and run content retrieved from Microsoft -- the latest best advice configuration.

[NB] We are fairly aggressive about patches. If the vendor recommends that patches be applied you'd need very good reasons for ignoring that advice. Our practice is to try the patches on a few systems before pushing them out to other systems. On occasion Microsoft has published a patch that fails or otherwise causes some problem -- however any patch which has been out for several weeks is, or should be, fairly safe to apply.

[NB] We also follow their recommendations about security settings and have yet to see any adverse impact on a workstation. The recommendations can be a little fussy to apply but are all well worth the effort. Our experience is these are the same recommendations that are made by other security organisations.

Microsoft's Baseline Security Advisor (MBSA) was released in April/2002 and replaces an earlier web based tool, Microsoft's Personal Security Advisor (MPSA), which was targeted at workstations. MBSA is very good at securing workstations as well as servers and each release covers more important issues.

Recommendation 6: Microsoft's IIS Web Server
Many Windows NT, 2000 and XP systems are configured with a web server -- the "Internet Information Server" or IIS. This has been the source of far too many exploits -- the most famous being the "CodeRed" worm which persists to this day searching out IIS servers that aren't patched or are otherwise poorly configured. If your system is running an IIS web server here's what you should do.

1. Shutdown your web server (if you don't need it)
First and foremost, if you have no need of an IIS web server then you are far safer if you don't run the server at all -- nobody has ever broken into a web server that's shutdown! It then becomes one less thing to worry about. You could remove the entire IIS subsystem from your computer but you're probably better off to just shut it down.

2. Patching your IIS Web server
Patches and hot fixes for IIS are found by the MBSA tool discussed earlier. The earlier web based tool (which is no longer available) was notable in that it didn't track hot fixes for IIS. They used to recommend a "hot fix checker" especially for IIS -- that's no longer required for Windows 2000 and XP.

[NB] For Windows NT systems see Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool Is Available (Q303215) of 13-Aug-2001. See also the Frequently Asked Questions about the Microsoft Network Security Hotfix Checker (Hfnetchk.exe) Tool (Q305385) of 13-Aug-2001. The referenced patches are all available from their respective Microsoft Security Bulletins on the following Microsoft Technet Web site: http://www.microsoft.com/technet/security/current.asp

3. Locking down your web server.
On 23-Aug-2001 Microsoft published a tool to lock down your web server and close many of the common exploits. See the IIS Lockdown Tool. You would be well advised to lock your web server down too.

Recommendation 7: Microsoft's SQL Server
Some Windows NT, 2000 and XP systems are configured with an SQL server (a "database server"). This has been the source of several exploits -- the most famous being the "Slapper" worm (see our Vulnerability Notes for more information). If you believe you need an SQL server here's what you should do:

1. Shutdown your SQL server (if you don't need it)
First and foremost, if you have no need of a SQL server then you are by far the safest if you don't run the server at all. Next, if you need an SQL server you're better off using an existing server on some other machine -- use it instead. Database applications need not be running on the same machine as the database. Finally, if you're installing the SQL server make sure you immediately disable it until such time as all patches and hardening have been completed.

2. Patching and Lock Down
Patches and hot fixes for the SQL server are found by the MBSA tool discussed earlier. All outstanding patches must be applied as soon as possible and no SQL server should be made available until all patches have been applied. The MBSA tool will detect several security problems you might overlook -- be especially aware that a good password should be applied to the "sa" account. That's a well known problem; it is covered in the Microsoft installation instructions but many ignore the issue. The MBSA tool notes several security settings that you should investigate.

3. Constrain who can reach the server
If you require an SQL server you really ought to consider implementing an IPSec filter to constrain who may access the server. Usually you only need to access the server from the same machine, or perhaps from a few machines on the local network, or perhaps from a few systems around the Internet. Seldom, if ever, do you need to expose your SQL server to the entire world. Our IPsec Notes will help get you started with this important technology.

With a little effort the Microsoft SQL server can be secured. If it's not secured it will be compromised.

Penetration Tests
Many security vendors provide free tools to evaluate your system (and encourage you to buy their product). They test how well you've hardened your system with a "penetration test".

1. At Symantec Security Check you'll find some very good free services. The free services provided include a "Scan for Security Risks" (that does a penetration test), a "Scan for Viruses" (that's like the Norton Anti-Virus tool we've recommended elsewhere) and a tool to "Trace a Potential Attacker" (given an IP number). They're all very good.

If you have hardened your system the "Scan for Security Risks" is a welcome method to check your work. It will also determine if your system has nasty services installed by some of the more common Trojan horses. If you haven't installed Norton Anti-Virus the "Scan for Viruses" will scan your filing system searching for infected files -- but you should install Norton Anti-Virus (or some other popular virus detection system).

The Symantec tools download Active X content to your system. That's an area where one should, in general, be very cautious. However, Symantec is a trustworthy organisation and I have used these tools. They work well for me and I have no problem recommending them to others.

Unfortunately even Symantec makes mistakes. See "Symantec Security Check ActiveX Buffer Overflow" of 2003/06/25 -- a security problem was discovered (and has been resolved) in the Active X component used to implement the security check!!

2. Other security vendors provide similar tools -- try the popular ShieldsUp! test at Gibson Research Corporation. It's another very good penetration test.

The information provided here is not an endorsement of, or advertisement for, Symantec or Gibson Research.

See Also
A short reading list for the brave and/or curious.

1. Microsoft Security (by) Microsoft -- primary vendor site for security related issues. See also: A 3 step program to Protect Your PC; 7 Steps to Personal Computing Security; Security Tools and Checklists.
2. Windows NT Security and Configuration Resources (by) CERT Coordination Center. See also: Windows NT Configuration Guidelines; Home Network Security; Computer Virus Resources.
3. Information Security Reading Room (at) SANS Institute. See also: Windows 2000 Issues and Windows Issues.

This is intentionally a short list -- there's lots on the web for you to find. These are good starting points. You should review our Computer and Network Security site -- you'll find useful "How to" articles like this one, information on vulnerabilities we're tracking and much more.