Securing Your Windows 2000 Server System
Overview
If your server is running Windows 2000 Server Edition, you need to make a few changes to help keep your server and client machines safe. This page is written with the assumption that you're a system administrator running an on-campus server; some of the following resources may not be available from off campus.
Essentials
- Keep your system and software up to date:
This is one of the easiest, most effective things you can do to keep your computer secure. You can either update manually with Windows Update, or configure your systems to download updates automatically from the campus WSUS server, which provides critical Microsoft patches from an on-campus location. You can choose whether the WSUS server prompts you to confirm installations or whether patches are automatically installed.
If you run common applications such as the Microsoft Office suite (Word, Excel, Outlook, etc.), you should also check the Office Update page regularly. Microsoft Office applications frequently need security patches.
- Install antivirus software:
The vast majority of viruses are designed to affect Windows systems. The University of Illinois at Urbana-Champaign provides free site-licensed antivirus software that is configured to automatically update itself and protect your system.
If you are a campus system administrator, you can also use ePolicy Orchestrator to coordinate distributing antivirus updates from your server to the client machines that you supervise. More information about ePolicy Orchestrator is available from the CITES Security Services Archive, which requires Bluestem authentication to identify you as a campus system or network administrator. The list of people authorized for access is maintained through Contact Manager. If you need to be added to that list but aren't listed in Contact Manager, contact securitysupport@uiuc.edu.
- Install anti-spyware software:
Many of the nuisance-level problems afflicting Windows computers are caused by spyware rather than viruses. Spyware can cause effects ranging from a noticeable slowing of your computer to pop-ups and hijacked web browsers; spyware can also be malicious, reporting personal information, from credit cards to passwords, to unauthorized websites. Fortunately, the campus has site-licensed anti-spyware software for students, faculty, and staff. For more information, see the CITES Anti-spyware pages.
- Use a firewall:
A properly configured personal firewall can be very effective in reducing the amount of network traffic that is allowed to reach your server and systems connected to it. You can take advantage of campus firewall protection by joining your server to one of the available firewall groups; see Campus Firewalls for more information.
- Choose a good password:
Any computer that will have multiple users or be attached to a network needs to have good password protection for each user. Password tips and advice can be found in the CITES Guide to Passwords.
In many versions of Windows, a user name can have a blank password, which allows anyone to log in to the computer simply by clicking. Make sure that all user accounts on the machine have passwords to protect access to your computer.
More security
These steps can be done offline to increase basic security before you connect to the network. These are presented in order from simplest to most complex; you can start at the top of the list and work your way down.
- Use the Microsoft Baseline Security Analyzer (MBSA) to detect and correct common security misconfigurations:
Microsoft provides a tool called the Microsoft Baseline Security Analyzer (MBSA) to assist with detecting potential security flaws and correcting them. The MBSA tool checks for issues such as missing patches, user accounts without passwords, available updates to installed Microsoft software, and more.
- Disable the guest account:
Right-click on My Computer and select Manage. In the Local Users & Groups view, make sure the Guest account is disabled. (There should be a small red X over the corner of the icon; right-click and make sure the "Account is disabled" box is checked.)
- Don't give out too many "administrator" group memberships:
The Administrator account is the most powerful account on a Windows system. Most users shouldn't log in with administrator privileges for everyday work; the administrator privileges should be reserved for actions such as installing software and patching the system.
If only the administrator and guest accounts have been created on the computer, you'll want to create an individual user name so that you can have a regular account for daily use without administrator privileges.
Right-click on My Computer and select Manage. In the Local Users & Groups view, open the Users folder, and make sure most of the user names don't belong to the Administrators group.
However, make sure that the administrator account does still have administrator privileges; it's important that at least one user has that ability at all times.
- Verify that all disk partitions are formatted as NTFS:
If necessary, use the Convert utility to nondestructively convert your FAT partitions to NTFS.
- Disable unnecessary services and accounts:
Because each service and account represents a potential entry point to your computer, disabling the features you don't use will greatly diminish your exposure to security risks. Remember, you can always enable a service later if you decide you really do need it.
- Restrict access to the registry:
Especially if you haven't installed a firewall, follow the instructions on the CITES Security group's Windows Lockdown page to prevent registry access by remote and anonymous users. While this step may seem intimidating, it will help keep attackers from learning your account names and prevent them from locking out your users.
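
The Guest account, Administrators group, and NTFS steps in this list can also be checked from a command prompt. The batch file below is an added example, not part of the original page; it assumes English-language output from net and chkntfs, and the drive letters in DRIVES are placeholders to edit for your server.

```bat
@echo off
rem Added example: command-line check of three offline steps from the list above.
rem Run from an account with administrator privileges.
rem Assumes English-language output from net.exe and chkntfs.exe.
setlocal

rem Assumption: drive letters to check. Edit to match this server.
set DRIVES=C D

echo === Guest account ===
rem Disable Guest, then show the resulting state ("Account active   No").
net user Guest /active:no >nul
net user Guest | find "Account active"

echo.
echo === Members of the local Administrators group ===
rem Filter out the header and footer lines so only member names remain.
rem Anything other than the built-in Administrator is flagged for review.
for /f "delims=" %%M in ('net localgroup Administrators ^| findstr /v /b /c:"Alias name" /c:"Comment" /c:"Members" /c:"---" /c:"The command"') do (
    if /i "%%M"=="Administrator" (
        echo   OK      %%M
    ) else (
        echo   REVIEW  %%M
    )
)

echo.
echo === File systems ===
rem chkntfs reports "The type of the file system is NTFS." for NTFS volumes.
for %%D in (%DRIVES%) do (
    chkntfs %%D: | find "NTFS" >nul
    if errorlevel 1 (
        echo   %%D: not reported as NTFS. To convert: convert %%D: /fs:ntfs
    ) else (
        echo   %%D: is NTFS
    )
)

endlocal
```

Entries marked REVIEW are not necessarily wrong; they are the accounts and groups whose administrator membership you should be able to justify.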


