Securing Your Windows 2000 System
Overview
Windows 2000 needs a few customizations to help keep your computer safe.
Essentials
- Keep your system up to date:
This is one of the easiest, most effective things you can do to keep your computer secure. To update manually, visit Windows Update. This will take you to the Microsoft Update web page. Select Express for easy access to all critical updates, then click Download and Install.
If you would rather not have to remember to run Windows Update manually each week, you can configure your computer to check for patches and download them automatically. When new patches have been released, your computer will prompt you with a Microsoft butterfly in the task bar and a pop-up window on your desktop. To enable automatic updates, double-click on Automatic Updates in the Control Panel (found at Start -> Settings -> Control Panel). Follow the wizard's prompts to choose the options you want.
- Install antivirus software:
The vast majority of viruses are designed to affect Windows systems. The University of Illinois at Urbana-Champaign provides free site-licensed antivirus software that is configured to automatically update itself and protect your system.
If your computer has not been connected to the Internet for a while, then the antivirus software may not have had the opportunity to perform its automatic updates. Make sure that you run a manual update as soon as you reconnect. To run a manual update, right-click on the VirusScan logo and select Update Now.
- Install a personal firewall:
A properly configured personal firewall can be very effective in reducing the amount of network traffic that is allowed to reach your computer. Windows 2000 users can choose from a wide variety of personal firewalls, several of which are available for free. For more information, see Personal Firewalls.
- Choose a good password:
Any computer that will have multiple users or be attached to a network needs to have good password protection for each user. Password tips and advice can be found in the CITES Guide to Passwords.
In many versions of Windows, a user name can have a blank password, which allows anyone to log in to the computer simply by clicking. Make sure that all user accounts on the machine have passwords to protect access to your computer.
- Install anti-spyware software:
Many of the nuisance-level problems afflicting Windows computers are caused by spyware rather than viruses. Spyware can cause effects ranging from a noticeable slowing of your computer to pop-ups and hijacked web browsers; spyware can also be malicious, reporting personal information, from credit cards to passwords, to unauthorized websites. Fortunately, the campus has site-licensed anti-spyware software for students, faculty, and staff. For more information, see the CITES Anti-spyware pages.
More security
These steps can be done offline to increase basic security before you connect to the Internet. They're presented in order from simplest to most complex; you can start at the top of the list and work toward the bottom.
- Disable the guest account:
If the guest account isn't disabled already, you should turn it off. The guest account allows anonymous access to your system and can be used for dangerous exploits. Right-click on My Computer and select Manage. In the Local Users & Groups view, make sure the Guest account is disabled. (There should be a small red X over the corner of the icon; right-click and make sure the "Account is disabled" box is checked.)
- Disable Windows file sharing if it's not in use:
If you aren't using Windows file sharing to connect to other computers or printers on your local network, it's safer to disable it.
From the Control Panel (Start > Settings > Control Panel), double click the "Network and Dial-Up Connections" icon. Right-click "Local Area Connection" and select Properties. Make sure the "File and Printer Sharing for Microsoft Networks" box is not checked and then click OK.
(Note: This is not the same as disabling client-server or peer-to-peer file sharing; this only affects Windows-native file sharing. For more information about the different types of file sharing and their risks and benefits, see File Sharing.)
- Don't give out too many "administrator" group memberships:
The Administrator account is the most powerful account on a Windows system. Most users shouldn't log in with administrator privileges for everyday work; the administrator privileges should be reserved for actions like installing software and patching the system.
If only the administrator and guest accounts have been created on the computer, you'll want to create an individual user name so that you can have a regular account for daily use without administrator privileges.
Right-click on My Computer and select Manage. In the Local Users & Groups view, open the Users folder, and make sure most of the user names don't belong to the Administrators group.
However, make sure that the administrator account does still have administrator privileges; it's important that at least one user has that ability at all times.
- Verify that all disk partitions are formatted as NTFS:
If necessary, use the Convert utility to nondestructively convert your FAT partitions to NTFS.
- Disable unnecessary services and accounts:
Because each service and account represents a potential entry point to your computer, disabling the features you don't use will greatly reduce your exposure to security risks. Remember, you can always enable a service later if you decide you really do need it.
- Adjust your Internet application settings:
Even if you keep your operating system up to date, you still run the risk of allowing unauthorized access if your Internet applications (most commonly web browsers) are not configured correctly. Important things to check are whether the application will run executables (such as ActiveX) without asking, how the application handles cookies, and whether it connects to the Internet on its own.
- Restrict access to the registry:
Especially if you haven't installed a firewall, follow the instructions on the CITES Security group's Windows Lockdown page to prevent registry access by remote and anonymous users. While this step may seem intimidating, it will help keep attackers from learning your account names and prevent them from locking out your users.
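Several of the items above (Guest account, blank passwords, Administrators membership, NTFS, running services) can also be checked from an administrator command prompt. The batch file below is an added example, not part of the original guide; it only reads settings, and it assumes English-language Windows, the default account name "Guest", and the drive list set in DRIVES.

```bat
@echo off
rem Added example: read-only audit of several checklist items using
rem commands built into Windows 2000. Run it as an administrator.
rem Assumptions: English-language output, the default account name
rem "Guest", and the drive list in DRIVES (edit to match your system).
setlocal
set DRIVES=C:

echo === Guest account: "Account active" should read No ===
net user Guest | find /i "Account active"

echo.
echo === Password policy: a minimum length of 0 permits blank passwords ===
net accounts | find /i "Minimum password length"

echo.
echo === Members of the local Administrators group ===
rem Everyday user accounts should not appear in this list.
net localgroup Administrators

echo.
echo === File system type of each listed drive ===
rem chkntfs reports the volume type, for example NTFS or FAT.
for %%d in (%DRIVES%) do chkntfs %%d | find /i "file system"

echo.
echo === Services currently running ===
rem Review this list for services you do not use.
net start

rem Remediation commands, to be run deliberately rather than by this script:
rem   net user Guest /active:no
rem       disables the Guest account
rem   net localgroup Administrators NAME /delete
rem       removes the account NAME (placeholder) from Administrators
rem   convert D: /FS:NTFS
rem       converts the FAT volume D: to NTFS in place
endlocal
```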


