Article: vtkb1932.htm
Difficulty: Medium
Time to Complete (minutes): 60+
Last Updated: Feb 16, 2007


Question:

How do I secure my Windows 2000 Professional computer from computer hacks?

Answer:

Security Lockdown Procedures for Windows 2000 Professional

This document is a guide/checklist of steps to perform when securing a computer running Windows 2000 Professional from potential hackers. We recommend that you perform all security and critical updates before applying the security template to your computer. The remaining steps can be performed in any order. We also recommend that you rename the Administrator account on your computer. Pick a name that you can remember. Also, set the Administrator's password to meet the complexity requirements of a Hokies password.

Important: You must log on to Windows with an account with computer administrator privileges to complete the following steps.

Note: If you have any questions regarding any of the procedures listed below, contact 4Help by using the Help Request Form (http://4help.vt.edu/) or by calling (540) 231-HELP (4357).

Configuring the Administrator Account

We recommend that you change the Administrator account password and remove all open folder shares to significantly reduce your vulnerability to hackers. We also recommend you rename the Administrator account and delete its description.


Verifying Backup of All Data Files

If you use the Tivoli Storage Manager (TSM):

  1. Start Tivoli Storage Manager.
  2. Click the Restore button.
  3. Double-click File.
  4. Double-click the C: drive.
  5. Select the files you want to restore.
  6. Click the Restore button.
  7. Select the restore location. You may restore to Original Location or Following Location.
  8. Click the Restore button.
  9. Click OK.

If you do not use TSM, save your files to a Zip disk, floppy disk, or CD.


Verifying Latest Service Pack and Critical Updates Are Installed

For instructions, refer to Verifying Latest Service Pack and Critical Updates Are Installed in Windows 2000 (http://www.answers.vt.edu/ask4help/desktop/vtkb2393.htm).


Installing the Security Template

  1. Go to the Security Template page (http://filebox.vt.edu/ais/software/pc/security/Security%20Template.inf).
  2. In the User Name text box, type your PID.
  3. In the Password text box, type your PID password.
  4. Click OK.
  5. Click the Save button.
  6. Save the file to your desktop.
  7. From the File menu, select Close.
  8. On your computer's desktop, right-click the My Computer icon, and select Explore.
  9. From the Folders list, select Desktop.
  10. Right-click Security Template.inf, and select Copy.
  11. From the File menu, select Close.
  12. On your computer's desktop, double-click the My Computer icon.
  13. Go to C:\WINNT\security\templates.
  14. In the Templates folder, right-click in the white space, and select Paste.
  15. From the File menu, select Close.
  16. From the Start menu, select Run.
  17. In the Open text box, type: mmc
  18. Click OK.
  19. From the Console menu, select Add/Remove Snap-in.
  20. Click the Add button.
  21. From the Available Standalone Snap-ins list, select Security Configuration and Analysis.
  22. Click the Add button.
  23. Click the Close button.
  24. Click OK.
  25. Under the Console Root folder, right-click Security Configuration and Analysis.
  26. Select Open Database.
  27. In the File Name text box, type your computer's name. To find your computer's name:
    1. Right-click the My Computer icon on your computer's desktop, and select Properties.
    2. Select the Network Identification tab.
    3. Your computer's name is listed beside "Full Computer Name".
    4. Click OK.
  28. Click the Open button.
  29. Select the Security Template.inf file.
  30. Click the Open button.
  31. Right-click Security Configuration and Analysis, and select Configure Computer Now.
  32. Click OK.
  33. From the Console menu, select Exit.
  34. If prompted to save console settings to Console1, click the No button.
  35. Restart your computer.
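
The same analyze-then-configure sequence as steps 16-33, run from a command prompt with secedit. This is an added example, not part of the original article; the database and log locations are assumptions, since the article only says to name the database after the computer.

```bat
@echo off
rem Added example, not from the original article.
rem Run from an account with computer administrator privileges, after the
rem template has been copied into place (steps 1-15).
setlocal

rem Template location from steps 10-14 (%SystemRoot% is C:\WINNT here).
set TEMPLATE=%SystemRoot%\security\templates\Security Template.inf
rem Assumption: database and log paths below are illustrative choices.
set DB=%SystemRoot%\security\Database\%COMPUTERNAME%.sdb
set ANALYZE_LOG=%SystemRoot%\security\logs\%COMPUTERNAME%-analyze.log
set CONFIG_LOG=%SystemRoot%\security\logs\%COMPUTERNAME%-configure.log

if not exist "%TEMPLATE%" goto :missing

rem 1. Compare the current settings with the template. Nothing is changed
rem    on the computer; differences are written to the log.
secedit /analyze /DB "%DB%" /CFG "%TEMPLATE%" /log "%ANALYZE_LOG%" /verbose

echo.
echo Review "%ANALYZE_LOG%" before continuing.
echo Press Ctrl+C to stop here, or any other key to apply the template.
pause > nul

rem 2. Apply the template (the "Configure Computer Now" step).
secedit /configure /DB "%DB%" /CFG "%TEMPLATE%" /log "%CONFIG_LOG%" /verbose
echo secedit exit code: %ERRORLEVEL%
echo Check "%CONFIG_LOG%" for any settings that were not applied.
echo Restart the computer to finish (step 35).
goto :end

:missing
echo Template not found: "%TEMPLATE%"
echo Copy Security Template.inf into the templates folder first.

:end
endlocal
```

Keeping both logs gives you a record of what the template changed on this computer.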

Installing the Virginia Tech IPsec Firewall

For instructions, refer to Configuring the Virginia Tech IPSec Firewall in Windows 2000 (http://www.answers.vt.edu/ask4help/desktop/vtkb2490.htm).


Configuring LiveUpdate Schedule for Symantec AntiVirus 8/9/10 Corporate

For instructions, refer to Scheduling Symantec AntiVirus 7/8/9/10 Corporate Edition for Windows 2000/XP to Run LiveUpdate Automatically (http://www.answers.vt.edu/ask4help/thirdparty/vtkb1426.htm).


Changing Schedule for Automatic Updates (Windows Update)

  1. Click the Start button, select Settings, then select Control Panel.
  2. Double-click the Automatic Updates icon.
  3. Select either the Download the Updates Automatically and Notify Me when They are Ready to be Installed option or the Automatically Download the Updates, and Install Them on the Schedule that I Specify option.
    Note: If you select the automatic installation option, you will need to schedule a day and time for the updates to run.
  4. Click OK.
  5. Close the Automatic Updates window.

Stopping Windows Messenger Service (Net Send) Messages from Popping Up

Follow the instructions in Starting or Stopping Messenger Service (Net Send) in Windows 2000/XP (http://answers.vt.edu/ask4help/desktop/vtkb1950.htm).


Setting Specific Drive Permissions

  1. On your computer's desktop, double-click the My Computer icon.
  2. Right-click the C: drive, and select Properties.
  3. Select the Security tab.
  4. From the Name list, select Everyone.
  5. Click the Remove button.
  6. Click the Add button.
  7. Press and hold the Ctrl key and click Administrators, SYSTEM, Users and Power Users.
    Note: If you renamed the Administrators account, select that account.
  8. Verify that all the selections are highlighted.
  9. Click the Add button.
  10. Click OK.
  11. In the Name section, select the Administrator account.
  12. Next to Full Control, place a check in the Allow check box.
  13. In the Name section, select the SYSTEM account.
  14. Next to Full Control, place a check in the Allow check box.
  15. In the Name section, select the Users account.
  16. Next to Read & Execute, place a check in the Allow check box.
  17. In the Name section, select the Power Users account.
  18. Next to Modify, place a check in the Allow check box.
  19. Click OK to apply these settings.
  20. Restart your computer.
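
The permissions from steps 4-18 can also be set from a command prompt with cacls. This is an added example, not part of the original article; the backup file location is an assumption, and C: is assumed to be an NTFS volume.

```bat
@echo off
rem Added example, not from the original article.
rem Run from an account with computer administrator privileges.
setlocal

rem Assumption: C:\ is NTFS; FAT and FAT32 volumes carry no permissions.
set TARGET=C:\
rem Assumption: illustrative location for a copy of the original ACL.
set BACKUP=%TEMP%\c-root-acl-before.txt

rem Record the current ACL so the change can be reviewed or undone by hand.
cacls %TARGET% > "%BACKUP%"

rem Grant the four entries first, so the drive is never left without an
rem administrative entry while Everyone is being removed.
rem /E edits the existing ACL instead of replacing it.
rem F = Full Control, C = Change (Modify), R = Read (Read and Execute).
cacls %TARGET% /E /G Administrators:F
cacls %TARGET% /E /G SYSTEM:F
cacls %TARGET% /E /G Users:R
cacls %TARGET% /E /G "Power Users":C

rem Only now remove the Everyone entry (steps 4-5).
cacls %TARGET% /E /R Everyone

rem Show the resulting ACL for comparison with the saved copy.
echo.
echo ACL before the change was saved to "%BACKUP%".
echo ACL now:
cacls %TARGET%

endlocal
```

Without /T, cacls edits only the entry on C:\ itself, so check a few existing folders in the Security tab afterwards.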