Configuring servers for security is an important part of mitigating risks to enterprise networks. Although Windows 2000 servers have a reputation for being notoriously insecure, if you take the time it is actually possible to lock them down so tightly that leading scanners will not even recognize that they are Windows servers. The best way to do this is to automate the security on your servers by using security templates, sometimes referred to as .inf files.

Let's Get Started

By using Microsoft's Management Console (MMC), Windows 2000 servers can be set up to automatically configure and enforce the following types of security policies:

• Account policies
• Local policies
• Event log policies
• Restricted groups
• System services
• Registry policies
• File system policies

The MMC allows you to apply security settings to files, directories, groups, and users enterprise-wide from one location. Since you likely have various types of Windows 2000 servers on your network, the best way to automate security for all of them is to set up a specialized security template for each type of Windows 2000 server. For example, some of the possible types of Windows 2000 servers you may have on your network are:

• Windows 2000 file & print servers
• Windows 2000 DNS servers
• Windows 2000 DHCP server
• Windows 2000 Exchange server
• Windows 2000 SQL server
• Windows 2000 Sharepoint servers

In Part 1 of this article, I'll tell you how to setup a basic Windows 2000 server security template. In each subsequent article of this series, I'll teach you how to set up a new Windows 2000 server template until you have a library of security templates that you can apply to your enterprise servers.

Load the Snap-In Console
To use the MMC to configure security, you'll first need to load the "snap-in" console on your Windows 2000 server. To do this, Click Start --> Run and type MMC in the text box, and then click OK.

Add/Remove the snap-in console.

A Console1 box should appear. In the top menu bar under Console1, click Console and then select Add/Remove Snap-in. The Add/Remove Snap-in Box should then appear as illustrated below. Next, click the Add button. You will then be prompted to select which Add Standalone Snap-in you would like to add. You will want to select the Security Templates Snap-in as illustrated below.

Select security templates in add standalone snap-in box.

Click Security Templates and then click the Add button. Click the Close button and then click OK. The Security Template snap-in is now loaded. To see the modules within Security Templates, click + to expand the view as illustrated below.

Expand the security template.

To further expand the templates, click the + next to C:\WINNT\security\templates. If you installed Windows 2000 in a different location, the path will display your custom location instead of C:\WINNT\security\templates.

Configure the Security Policies to Meet Your Requirements
Now it's time to modify the security settings to meet your unique requirements. Expand the template view by continuing to click the + underneath each category in the template name as illustrated below.

Expand the security template categories.

In each category, Account Policies will be listed at the top. You will see the following categories:

• BASICDC
• basicsv
• basicwk
• COMPATWS
• HISECDC
• MITREWS
• OCFILESS
• OCFILESW
• SECUREDC
• SECUREDNS
• SECUREWS
• setup security

Select the basicsv category.

Next, you open the particular policy setting that you would like to view or change by clicking on the top level category in the left pane, and then by clicking the particular policy in the right pane of the template window. For example, if you click on Password Policy in the left pane, and then click on Minimum password age a Template Security Policy Setting box will appear as illustrated below and you can type in how many days you would like passwords to last before they expire.

Select the security policy that you would like to configure.

To configure the account lockout policies, click on Account Lockout Policies in the left pane, and the policy that you would like to stipulate in the right pane as shown in Figure 7. Select a Template Security Policy Setting box to define a setting, and then stipulate the setting parameter.

Configure the account lockout policies.

You should now continue through all of the Password Policy and Account Lockout Policy settings and configure each one to meet your organization's security requirements.

On a Windows 2000 network, network authentication can be setup to use either Windows NT LAN Manager (NTLM) or Kerberos. It is best to set NTLM or Kerberos settings for the entire domain, and not for individual servers. Therefore, for now, we are going to leave the Kerberos policies undefined. We will discuss how to define Kerberos policies when we set up the policies for a Domain Controller later on in the this series. For now, you will not want to either enable or disable the Kerberos policies. Just leave these settings alone. For your basic Windows 2000 server, I recommend that you don't enable "Reversible Encryption" in your password policy. Reversible encryption is used primarily with Internet Information Services (IIS) and Challenge Handshake Authentication Protocol (CHAP). (CHAP is an authentication protocol for dial-in users.)

Recommendations and Requirements

Though you will want to select settings that meet your own unique business requirements, I have put together some default recommendations that could be applied to create a baseline Windows 2000 security template for all your Windows 2000 production servers. Default Windows 2000 Account Policy security setting recommendations are listed in the table below. Keep in mind that all of these recommendations may not be appropriate for your organization and that you should review them carefully before implementing.

Account Policy Setting Recommendations for Windows 2000
Policy Name	Policy Feature	Setting
Password policy	Enforce password history	3 passwords remembered
	Maximum password age	120 days
	Minimum password age	0 days
	Minimum password length	8 characters
	Passwords must meet complexity requirements	Enabled
	Store password using reversible encryption for all users in the domain	Disabled
Account lockout policy	Account lockout duration	0 (minutes -- forever)
	Account lockout threshold	3 invalid logon attempts
	Reset account lockout counter after	60 minutes
Kerberos policy (only if you are using Kerberos)	Enforce user logon restrictions	Disabled
	Maximum lifetime for service ticket	Not defined
	Maximum lifetime for user ticket	Not defined
	Maximum lifetime for user ticket renewal	Not defined
	Maximum tolerance for computer clock synchronization	Not defined

You have now learned how to apply security to the Account Policies for your basic Windows 2000 server. Before you put these policies into production, you should be sure to test them and have them reviewed by your Change Control review process. You should remember that what you are trying to do is preserve the integrity, confidentiality, and availability of your data. Often times, not enough emphasis is put on availability. Tightening up your policies too much may prevent your data from being available to the right people. Not tightening up your policies enough may result in security intrusions. Therefore, you'll want to think through the possible settings carefully before making any decisions.

Upshot

Not securing your Windows 2000 production servers poses a big risk to your organization. However, the good news is that contrary to popular belief it's easy to do and you can lock up Windows 2000 tight if you take the time. Regardless of whether you take any time or not to strengthen and automate your security policies, something you should also do is take the time to install the latest security patches.

In the next part in this series, we will configure some of the other security policy settings so you can further strengthen the security posture of your Windows 2000 servers.