_________ SWAT MAGAZINE ISSUE TWENTY SEVEN MARCH 2000 __________
                      Securing Windows 2000
                           By TempesT
-----------------------------------------------------------------------

This article is for those people that are going to be using Windows 2000, for whatever reason. I will start by presuming that you are about to do a clean install of Win2k. This is a list type thing, so if it is not a new install then just skip to the part that interests you.

1. First, when you are installing Win2k, select NTFS as the file system. This is much more secure than FAT / FAT32, as you can allow or deny users and groups access to certain disks and directories, even down to securing individual files. This means that if someone does get a service running on your computer, they are restricted in what on your hard drive they can access.

2. Choose a GOOD (read: very strong) password. Your password should be about 12 chars long with numbers, letters and ASCII. It is best not to use ASCII found on your keyboard but instead choose a char that is not on your keyboard, like '¿' (ASCII code 168). You can type these chars by pressing ALT and then the number code on the keypad, i.e. '¿' = ALT + 168. This makes brute forcing incredibly hard, as it will take AGES even on a really fast computer.

3. Now you have finished installing Win2k and you are sitting at a blank desktop. First things first, you want to sort out the user accounts on your computer. Go into CP (Control Panel) and start 'Users and Passwords', then make a new account with a really strange user name like BOBandJIM10, give it a secure password (step 2) and add it to either the Administrators group or Power Users.
I have this account as Administrator because I will run from an account like this one and I like having the power over my computer, whereas some people say it is safer to run as a normal user (Power User).

4. OK, now you have done this, open up the 'Administrative Tools' section and then 'Computer Management'. Under the System Tools subdirectory go to Local Users and Groups and open up the Guest account. Select the following boxes: 'User cannot change password', 'Password never expires' and the important one, 'Account is disabled'. Now no one can use the Guest account. Remove it from the Guests group in the 'Member Of' tab as well, so it doesn't belong to any groups. Set the Guest password to something really obscure and VERY long, like 30 chars.

5. If you created the account in step 3 to be in the Power Users / Users group, then skip this step. Open up the Administrator account and select the boxes 'User cannot change password' and 'Password never expires'. Then in the 'Member Of' tab remove it from the Administrators group. Then change the password to something really long. This is now your dummy account: if anyone tries to brute force an account they will first try the Administrator account, and when / IF they eventually get it they will have an account that does absolutely nothing. But by giving it a really good password you can be sure that they will give up long before they get in.

OK, now that the accounts are set up, on to sorting out programs (services).

6. Right, there are lots of services that should not be running with Windows 2000. For starters you should stop all the messenger type services, called 'Messenger', 'Alerter' and 'System Event Notification'. These should all be changed so they start up manually, and then stop them. These services are for network communication and so you don't need them. Another one to stop is 'RunAs', as this lets people who do not have administrator rights run things as administrator.
Also make sure that Telnet is disabled, as this just lets people connect to your computer (and if you don't know what Telnet is you should really start to worry). Also kill the Server service, as this gets rid of all your shares and closes a lot of ports. Also disable any other services that you a) don't like the look of, or b) are using a LOT of memory and you are not sure what they do.

7. Viruses are a real bitch. These little critters can f*ck up your computer big time if you don't stop them. So get a virus scanner; well, in actual fact get about 2 or 3, but don't have them all running at once, just have one running. Then when you have got a bit of spare time there are 2 things to do: the first, more important one is start writing for SWAT, and in the background have the virus scanner running. First of all get the virus definitions from somewhere like Tucows or from the manufacturer's web site, then run each program in turn. This is because when you read reviews of virus scanners you find that each scanner misses about 40% of viruses, and by running 3 different scanners you should hopefully get all the viruses that might be on your computer.

8. I cannot stress this point enough: IF YOU ARE RUNNING A Microsoft OS THEN USE A FIREWALL. At the moment the only firewall that runs under Windows 2000 is @guard, but by the time this is released that might have changed. First make a rule to block all incoming ICMP, TCP and UDP connections, and block all outgoing TCP and UDP connections. The reason for this is that you can then at least ping people without your firewall getting annoyed. Then put on the active learning mode, so that you can add rules to let your programs work. Add another rule which blocks all incoming connections on ports 134 - 140; these are the default Windows ports and need to be shut, as there are quite a few exploits that use these ports. Also put a password on your firewall settings so a friend can't come round and remove some firewall rules or add some.
Now on to your hard disk(s).

9. First you want to compress / encrypt all your NTFS drives, as this stops people using NTFS4DOS on your hard drive. Also you want to change the user controls: first add the user that you will be using, with full access to the hard drive, and the SYSTEM user, to the root 'c:\', to Documents and Settings 'c:\documents and settings' and to the Windows directory 'c:\winnt'. Then get rid of all other users from the Security tab, and under no circumstance ever should you use the 'Everyone' group, as this lets everyone access it. Also make sure that you are the owner of all objects, because that way no one else apart from you can modify any of these objects.

9.5. However, if you lose access to a hard drive / partition or any file that is on NTFS and NOT encrypted, then you can get access back very easily. First right click on the drive that you wish to get access to, then go to Properties, then Security. Now check that you are the owner of that object (objects will be explained in another text) by going to Advanced, then Owner. If you are not the owner, just select your user name and then take ownership of the object. Once you have done this you are the owner of that object and can modify ALL of its security settings. Then go back to the main Security page, press Add, select the user you will be using and give it Full Control over that object (I think that you must be a member of the Administrators group for this to work). Heh, no more problem.

10. Shares (uck!). I hate these things. Never ever use them under Windows; they are just bad news. Do not have anything to do with them. If you stopped the 'Server' service then you don't have to worry about them, as they no longer exist on your computer, not even hidden shares and IPC$ and that lot.
If however you do want to use shares, then for God's sake hide them. You can do this by putting a '$' after the share name; this means that the person that wants to use that share has to know its name, and someone just scanning your computer can't find it.

11. Try and keep your programs on separate partitions from your winnt files. This is just a small tip: also change your Windows install directory to something like 'winnt1' and 'program files' to 'program f1les'. This will stop the simpler viruses from affecting you, as they have been written to access files in these specific directories, but it won't stop any good virus. This will also reduce defrag and scandisk times. This is more of a tip than a security problem, but it might make your computer a little bit faster, and I don't know anyone that wants their computer not to run fast.

12. Keep Windows up to date. This is very important, as people are always finding holes in Windows and then Microsoft releases a patch for it, and so you should really keep up to date with all the latest security patches and just general stability fixes. Although I must say that this is a good product, it is almost like Microsoft did not make it, but apparently there are 64,368 or something like that possible bugs in it. Most of the time they are fairly small updates, which only take about 2 minutes to download, and are generally worth it.

System Policies (Local Security Policy)

You can find this little program by going to 'Control Panel' > 'Administrative Tools' > 'Local Security Policy'. This is quite a handy little utility that lets you make all those nice little registry security tweaks without having to plow through the massive registry. I am going to work down this from the top, with 'Account Policies', to eventually 'IP Security Policies'.

'Account Policies' > 'Password Policy'

This is so you can set up password options like how many characters long a password MUST be, password age and other stuff.
Enforce password history - This is so you cannot keep on switching between 2 passwords. You can set the computer to remember the last 10 (you set this number) passwords you use, and it will not let you use a password again until you have used another 10 passwords. This could be useful if you are not very creative with your passwords, so you just use the same one all the time. The higher this number the better :-)

Maximum password age - This is the number of days that a password is valid for, so that you must change your password after this amount of time. This stops people sticking with the same password for years. I set this to about 90 days, which is fairly long, but I just can't be bothered to change it every month. You might want to adjust this to about 60 days to be safer.

Minimum password age - If you set this option to about 3 days, that means that you cannot change your password more than once every 3 days. Use this if you think someone has access to your computer, has seen what you type for your password and then tries to change it. I think that you should set this to about 2 days so that it is not too long.

Minimum password length - I like this the most. It's so you're forced to use a password that long, and you can't just put a password like '1234' because you can't be bothered to make a proper password. I suggest you put this to about 10 or 11 for best effect.

Password must meet complexity requirements - This is so that you have to use letters and numbers; I don't think it makes you use ASCII (if you know how, please email me). This, when used with minimum password length, can make some very strong passwords, and the stronger your password the harder it is to brute force and the harder it is to try and watch it getting typed in. Always put this on.

Store passwords using reversible encryption for all users in the domain - I have no damn idea what this is used for, but I don't like the sound of reversible encryption.
Experiment with this if you want, but I have left it disabled.

'Account Policies' > 'Account Lockout Policy'

You can use this to set things up if you don't want anyone brute forcing your computer directly.

Account lockout duration - the amount of time that you get locked out of your account, for whatever reason, most probably an incorrect password. I have this set to 10 minutes; that way if I lock myself out it gives me time to go and get some food, whereas someone brute forcing directly or just trying certain passwords at the console (in front of the computer) will get locked out and stop.

Account lockout threshold - the number of times that you can get a failed login without it locking the account. I set this to about 5, so that if I am tired / it is very dark I can still make a couple of mistakes, whereas someone trying to get in only has 5 tries, and no one is going to get your 10 / 11 character password in 5 tries.

Reset account lockout counter after - the number of minutes you must go without trying a password before the failed-attempt count is reset; I have it at 5 (you can change this number). Use this sensibly: on your 4th failed login attempt you know that you are going to be locked out for 10 minutes, so you wait 5 minutes instead, without trying to log in. Set this to whatever you want, the longer the better, but remember not too long.

Local Policies > Audit Policy

This is where you can set up logging. Say if you have a little sister, little brother, wife, or girlfriend that you don't want using your computer but they have to anyway, you can log everything they do. This also has a bad side, that people who have access to your computer might be able to look at the logs and see what you're doing. A bit like big brother getting watched by parents, if you see what I mean.
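Before going into the audit settings, here is an added check (my own example, not TempesT's) that exports the effective local policy with secedit and compares the [System Access] values against the password and lockout numbers suggested above, plus the disabled Guest account from step 4. It assumes secedit.exe is on the path and that the INF key names (the ones Windows security templates use) are present on your version of Windows.

```powershell
# Added example: audit the local password/lockout policy against the
# article's recommendations. Run from an elevated PowerShell prompt.

$cfg = Join-Path $env:TEMP 'secpol-export.inf'
# secedit writes the effective local policy as an INF file; the
# [System Access] section holds the password, lockout and account settings.
& secedit.exe /export /cfg $cfg /quiet | Out-Null
if (-not (Test-Path $cfg)) { throw "secedit export failed" }

# INF keys and the article's suggested values, in the article's units
# (days for password ages, minutes for the lockout timers).
$wanted = @{
    PasswordHistorySize   = @{ Min = 10; Note = 'Enforce password history' }
    MaximumPasswordAge    = @{ Max = 90; Note = 'Maximum password age (days)' }
    MinimumPasswordAge    = @{ Min = 2;  Note = 'Minimum password age (days)' }
    MinimumPasswordLength = @{ Min = 10; Note = 'Minimum password length' }
    PasswordComplexity    = @{ Eq  = 1;  Note = 'Complexity requirements on' }
    ClearTextPassword     = @{ Eq  = 0;  Note = 'No reversible encryption' }
    LockoutBadCount       = @{ Min = 1;  Max = 5; Note = 'Lockout threshold' }
    LockoutDuration       = @{ Min = 10; Note = 'Lockout duration (minutes)' }
    ResetLockoutCount     = @{ Min = 5;  Note = 'Reset lockout counter (minutes)' }
    EnableGuestAccount    = @{ Eq  = 0;  Note = 'Guest account disabled' }
}

# Parse "Key = Value" lines from the [System Access] section only.
$policy = @{}
$inSection = $false
foreach ($line in Get-Content $cfg) {
    if ($line -match '^\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
    if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)') {
        $policy[$Matches[1]] = [int]$Matches[2]
    }
}
Remove-Item $cfg -ErrorAction SilentlyContinue

foreach ($key in ($wanted.Keys | Sort-Object)) {
    $rule = $wanted[$key]
    if (-not $policy.ContainsKey($key)) { "{0,-24} MISSING  {1}" -f $key, $rule.Note; continue }
    $v = $policy[$key]
    # secedit uses -1 for "unlimited"/"never", which must fail any maximum.
    $ok = $true
    if ($rule.ContainsKey('Min') -and $v -lt $rule.Min) { $ok = $false }
    if ($rule.ContainsKey('Max') -and ($v -gt $rule.Max -or $v -lt 0)) { $ok = $false }
    if ($rule.ContainsKey('Eq')  -and $v -ne $rule.Eq)  { $ok = $false }
    "{0,-24} {1,-4} {2,-5} {3}" -f $key, $v, $(if ($ok) { 'ok' } else { 'FIX' }), $rule.Note
}
```

Any line marked FIX is a setting the Local Security Policy snap-in described above still needs changing; a MISSING line means that key is not part of the local policy on that version of Windows.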
OK, I started going through this and it became very repetitive, so now I am just going to put a small selection of it. Also I recommend that you enable all of these settings and check your logs on a regular basis.

Audit account logon events - this little thing logs when someone does log in successfully and when someone just tries to get in. Useful if you think someone is using your computer while you are away. You can set this to just log successful logons or unsuccessful logins, but I use both.

Audit account management - this little thing logs account changes and so is very useful. Have this on all the time.

Audit process tracking - I am not sure what this does; if you know, please get in contact with me.

Audit system events - I think this is stuff like user rights assignments.

User Rights Assignment

This is where you can restrict a lot of stuff according to what a user is called and what groups they belong to.

Take ownership of objects - this lets you decide who can take control of objects (files, folders, drives) that use NTFS. If you are the owner of an object then you can assign rights to it even if you have no rights. Assign this to the account that has administrator privileges.

Log on locally - this specifies the users that are allowed to log on locally. Specify the account with admin rights.

Increase scheduling priority - scheduling is NASTY. It is mean, as anything that is scheduled to run runs with SYSTEM privileges, which is handy for an attacker but sucks if you are trying to secure your box. Make sure only the admin type account has access to scheduling.

Force shutdown from a remote system - you should disable this, as if someone manages to get into your box then they just add a copy of NetBus / BO2K or another RAT tool to your start menu or in your registry, then force you to reboot. Once you start up again you have just run a copy of the server, and so that gives them a RAT tool on your system.
Access this computer from the network - OK, this is a good one to remove all the users from, as then no one can log in remotely. This means that even if someone has local access to your box and adds a new user, goes home and tries to log in as it, they still can't, as they do not have remote access to your system.

Change the system time - If you need help with this, then I really wonder how clever you are and if you can read at all. Anyway, make sure it is members of the Administrators group that can change the system time.

Shut down the system - remove all other users / groups than the ones you have access to, so that no one can come into your room and turn off your computer; however, that doesn't stop them pulling the plug :-(

Deny access to this computer from the network - this specifies users that cannot log in remotely even if somewhere else it says they can. Something to remember about NT / 2k: deny permissions ALWAYS take priority over allows.

Add workstations to domain - someone specifies that you log on to one of their predefined domains so that they have a valid user/pass to get onto that box and have a nose around.

Security Options

These are other non-user / group specific security settings.

Prompt user to change password before expiration - set this to something like 3 days, so that you know that you are going to be changing your password soon and so you get some time to think about a GOOD password.

Restrict CD-ROM access to locally logged-on user only - use this so that remote people can't get access to your CD-ROM drive. I am not sure if it is that much of a security risk if they get access to your Pure Garage CD, but some people might think so.

Restrict floppy access to locally logged-on user only - as above. However, the floppy can be swapped, and if you have set up your computer so it boots from the hard disk then you, being the person you are, don't check what your m8 was doing while sitting at your box. He slipped in a disk with a RAT on.
Do not display last user name in logon screen - As Rhino9 said, there are 2 halves to a correct login: the user and the password. Each is useless without the other, and so by people not knowing which users are on your system they can't even start to try and brute force it. This protects from local users that, well ... don't like you any more.

That is pretty much it for the moment, as 1) I can't be bothered to write any more, 2) it is l8 and I have to think up an excuse why I have not done my homework for tomorrow, and 3) it leaves you to use these ideas and work upon them yourself.

Always remember: security is how you implement it, and security is only a deterrent. If people want to get in then they WILL get in; it is just a question of how long. Your box will never be 100% secure; the only time that it is, is when it is switched off. And who the fuck is going to spend so much time trying to break into your box anyway? If the police are going to, they will nick it and take it out of your way so that they can have other hackers (good hackers?) break in and get what they want.

Email me at TempesT@888.nu
ICQ 66884347

----==== E . O . F ====---