Network System Security, part 48

CHAPTER 17
Windows 2000 Security Issues
Copyright 2001 The McGraw-Hill Companies, Inc.
Network Security: A Beginner’s Guide
Microsoft Windows 2000 is rapidly replacing Windows NT in internal and external
server installations. There is little doubt that Windows 2000 will become one
of the most prevalent (if not the most prevalent) operating systems across the
Internet. It is obvious that Windows 2000 will be found in traditional Windows NT roles
such as file, print, and database servers for internal use and Web and application servers
for Internet use. Additional features, such as a telnet server, may push Windows 2000
into functions that have been reserved for Unix systems. However it may be used, it is
clear that Windows 2000 will store and operate on sensitive information.
As we did in Chapter 15, we will discuss the basic steps to take during system setup
and how to properly manage users within a Windows 2000 domain. Finally, we will discuss
system management issues from a security perspective. The final section of this
chapter will try to identify key indicators that administrators should watch for when
looking for potential intrusions.
SETTING UP THE SYSTEM
Windows 2000 has added some significant security features over those available under
Windows NT. As you will see in the following sections, the capabilities of these
new tools are quite significant. Unfortunately, their use requires a homogeneous Windows
2000 environment. When used in mixed Windows 2000 and Windows NT environments,
the system must default to the weaker Windows NT configurations to allow
interoperability.
Windows 2000 is not secure straight out of the box (although it is better than Windows
NT). Given this, there are some settings that should be made before the system
goes into production that will make the system more secure. The configuration settings
are divided into Local Security Policy Settings and System Configuration Settings.
Local Security Policy Settings
New to Windows 2000 is the local policy editor GUI. You can find this tool by going to
Control Panel | Administrative Tools | Local Security Policy (see Figure 17-1). This tool
allows you to set account policies as well as local security policies. We will talk more
about account configuration later. For now, let’s focus on the local security policies.
The Local Security Policy GUI is actually just a front end for changes to the Registry.
Therefore, the use of regedit or regedt32 is no longer required to make common Registry
setting changes. Generally, for these security changes, it is better to use the tool
than to go into the Registry to make your own changes.
Figure 17-2 shows the policy items that are configurable through the Local Security
Policy GUI. The following sections go into more detail about recommended changes to
the security policy.
NOTE:
Windows 2000 provides a number of security configuration templates that can be used to set
system configurations, local security policy, and user management settings on the system. If you
choose to use one of these templates, make sure you understand the changes that will be made to
your system.
Logon Message
Windows 2000 provides two settings to configure a logon message to be displayed to users:
■ Message Text for Users Attempting to Log On
■ Message Title for Users Attempting to Log On
Set both of these with the appropriate logon message for your organization.
Figure 17-1. Local Security Policy Management GUI
Clear Virtual Memory Pagefile When System Shuts Down
The virtual memory pagefile contains important system information when the system is
running. This system information may include encryption keys or password hashes. To
force Windows 2000 to clear the system pagefile on shutdown, enable the Clear Virtual
Memory Pagefile When System Shuts Down setting.
Allow System to Be Shut Down Without Having to Log On
Individuals should not be able to shut down systems if they cannot log on. Therefore, the
Allow System to be Shut Down Without Having to Log On setting should be disabled.
Figure 17-2. Local Security Policy configurable items
LAN Manager Authentication Level
LAN Manager authentication is an authentication system that allows Windows 2000
servers to work with Windows 95 and Windows 98 clients (as well as Windows for
Workgroups). LAN Manager authentication schemes are significantly weaker than the
NT or Windows 2000 authentication systems (called NTLM v2) and thus may allow an
intruder to perform a brute-force attack on the encrypted passwords using much less
computing power. To force the use of NTLM v2 authentication, use the following settings:
1. Select the LAN Manager Authentication Level policy setting.
2. Select the appropriate level from the pull-down menu.
The value you set depends upon your environment. There are six levels defined as:
■ Send LM and NTLM Responses—This is the default level. Send both
LAN Manager and NTLM responses. The system will never use NTLM
v2 session security.
■ Send LM and NTLM, Use NTLM v2 If Negotiated.
■ Send NTLM Response Only.
■ Send NTLM v2 Response Only.
■ Send NTLM v2 Response Only, Refuse LM.
■ Send NTLM v2 Response Only, Refuse LM and NTLM.
NOTE:
Before making the change to this policy setting, determine the operating requirements for
your network. If you have Windows 95 or Windows 98 clients on your network, you must allow LAN
Manager responses.
Additional Restrictions for Anonymous Connections
This policy setting allows the administrator to define what is allowed via an anonymous
connection. The three choices are

None, Rely On Default Permissions

Do Not Allow Enumeration of SAM Accounts and Shares

No Access Without Explicit Anonymous Permissions
These settings can prevent null user sessions from gaining information about users on
a system.
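Because the Local Security Policy GUI is a front end for Registry values, the four settings above can be checked offline from an exported security template. The following is an added example, not code from the book: it assumes an export in the layout that secedit /export writes, the standard Registry value names behind these policy items, and an assumed floor of level 3 (Send NTLM v2 Response Only) for the LAN Manager check.

```python
import re

# Constructed sample in the layout of a `secedit /export` file (not from a real host).
SAMPLE_INF = r"""
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,0
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\ShutdownWithoutLogon=4,1
[Version]
"""

# The six LAN Manager Authentication Level choices, indexed by registry value 0-5.
LM_LEVELS = [
    "Send LM and NTLM Responses",
    "Send LM and NTLM, Use NTLM v2 If Negotiated",
    "Send NTLM Response Only",
    "Send NTLM v2 Response Only",
    "Send NTLM v2 Response Only, Refuse LM",
    "Send NTLM v2 Response Only, Refuse LM and NTLM",
]

def registry_values(inf_text):
    """Return {value name in lower case: int} for REG_DWORD (type 4) entries."""
    values, in_section = {}, False
    for line in map(str.strip, inf_text.splitlines()):
        if line.startswith("["):
            in_section = line.lower() == "[registry values]"
        elif in_section:
            m = re.match(r"(.+)=\s*4\s*,\s*(\d+)$", line)
            if m:  # key on the value name so the path prefix does not matter
                values[m.group(1).rsplit("\\", 1)[-1].strip().lower()] = int(m.group(2))
    return values

def audit(inf_text, min_lm_level=3):
    """List policy items that miss the settings above (min_lm_level is an assumed floor)."""
    checks = [  # (registry value name, acceptable?, policy item as named in the GUI)
        ("LmCompatibilityLevel", lambda n: n >= min_lm_level, "LAN Manager Authentication Level"),
        ("RestrictAnonymous", lambda n: n >= 1, "Additional Restrictions for Anonymous Connections"),
        ("ClearPageFileAtShutdown", lambda n: n == 1, "Clear Virtual Memory Pagefile When System Shuts Down"),
        ("ShutdownWithoutLogon", lambda n: n == 0, "Allow System to Be Shut Down Without Having to Log On"),
    ]
    values, findings = registry_values(inf_text), []
    for name, ok, item in checks:
        n = values.get(name.lower())
        if n is None:
            findings.append(f"{item}: not defined in export")
        elif not ok(n):
            detail = LM_LEVELS[n] if name == "LmCompatibilityLevel" else n
            findings.append(f"{item}: {detail}")
    return findings
```

Real exports are typically written as UTF-16, so decode the file accordingly before passing its text to audit(). Lower min_lm_level only where Windows 95 or Windows 98 clients still require LAN Manager responses.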
System Configuration
There are several differences between Windows 2000 and Windows NT when it comes to
system configuration. Windows 2000 does introduce new security features but it is helpful
to understand the advantages and disadvantages of each of the new features. In the
following sections, we will discuss four primary areas:
■ File systems
■ Network settings
■ Account settings
■ Service packs and hot-fixes
As a general rule, the specific settings should be governed by the organization’s security
policy and system configuration requirements.
File Systems
All file systems on Windows 2000 systems should be converted to NTFS. Since FAT file systems
do not allow for file permissions, NTFS is better from a security point of view. If any of
your file systems are FAT, you can use the program CONVERT to change them to NTFS. This
program requires a reboot but it can be done with information already on the drive.
It should also be noted that Windows 2000 ships with a new version of NTFS, NTFS-5.
NTFS-5 comes with a new set of individual permissions:
■ Traverse Folder/Execute File
■ List Folder/Read Data
■ Read Attributes
■ Read Extended Attributes
■ Create Files/Write Data
■ Create Folders/Append Data
■ Write Attributes
■ Write Extended Attributes
■ Delete Subfolders and Files
■ Delete
■ Read Permissions
■ Change Permissions
■ Take Ownership
Before putting Windows 2000 into production, administrators and security staff
should understand the new permissions and review the permissions structure on files
and directories.
Encrypting File System
One weakness in the NTFS file system is that it only protects files
when used with Windows NT or Windows 2000. If an intruder can boot a system using
another operating system (such as DOS), he or she could then use a program (such as
NTFSDOS) to read the files and thus go around the NTFS access controls. Windows 2000
adds the Encrypting File System (EFS) to protect sensitive files from this type of attack.
EFS is designed to be transparent to the user. Therefore, the user does not have to initiate
the decryption or encryption of the file (once EFS is invoked for the file or directory).
To invoke EFS, select the file or directory you wish to protect, right-click, and select
Properties. Select the Advanced button on the General screen and select Encrypt Contents to
Secure Data.
When a file is designated to be encrypted, the system chooses a key to be used by a
symmetric key algorithm and encrypts the file. The key is then encrypted with the public
key of one or more users who will have access to the file. It should be noted here that the
EFS has a built-in mechanism to allow for the recovery of encrypted information. By default,
the local Administrator account will always be able to decrypt any EFS files.
Because of the way EFS interfaces with the user and the operating systems, some commands
will cause a file to be decrypted and others will not. For example, the Ntbackup
command will copy an encrypted file as is. However, if the user executes a Copy command,
the file will be decrypted and rewritten to disk. If the destination location for the
file is a non-NTFS 5.0 partition or a floppy disk, the file will not be encrypted when written.
Also, if the file is copied to another computer, it will be re-encrypted with a different
symmetric algorithm key. Thus, the two files will appear different on the two different
computer systems even though the unencrypted contents of the file will be the same.
Shares
As with Windows NT, Windows 2000 creates administrative shares when it
boots. These are the C$, D$, IPC$, ADMIN$, and NETLOGON (only found on domain
controllers) shares. The complete list of current shares can be examined by the Computer
Management tool by selecting Control Panel | Administrative Tools (see Figure 17-3).
While these shares can be used to attempt to brute-force the administrator password, it is
not recommended that you turn any of these off.
Figure 17-3. Computer Management shows existing shares
Network
Networking with Windows 2000 has changed significantly from Windows NT. In addition
to the standard Windows ports (135, 137, and 139), Windows 2000 adds Port 88 for
Kerberos, Port 445 for SMB over IP, Port 464 for Kerberos kpasswd, and Port 500 (UDP
only) for Internet Key Exchange (IKE). What this means is that if you want to remove
NetBIOS from a Windows 2000 system, you actually have to disable File and Print
Sharing for Microsoft Networks on the specific interface. You can do this from the Network
and Dial-up Connections window. Select the Advanced menu and then select Advanced
Settings to see the Adapters and Bindings tab (see Figure 17-4).
Figure 17-4. Removing the bindings for NetBIOS
The network continues to be a key part of Windows 2000. Windows 2000 domains remove
the concept of PDCs and BDCs. There are now only domain controllers (DCs). Windows
2000 domains still maintain the centralized control of the user database. However,
the Active Directory structure now allows for a hierarchical concept. This means that
groups can be created above or below other groups and the domain can be separated into
organizational units with local control.
NOTE:
Before Windows 2000 is deployed within your organization, the domain structure should be
properly planned. Just moving an existing domain structure from Windows NT to Windows 2000 is not
appropriate and can cause future problems.
It should also be noted that Windows 2000 does make a change in the way trust relationships
work within a domain and between domains. In Windows NT, trust had to be explicitly
established for each direction. In a Windows 2000 system, trust relationships are
bi-directional by default. Trust in Windows 2000 is also transitive. This means that if
Domain A has a trust relationship with Domain B and Domain B has a trust relationship with
Domain C, then Domain A also has a trust relationship with Domain C and vice versa.
Account Settings
Windows 2000 comes with two default accounts: Administrator and Guest. Both of these
accounts can be renamed by using the Local Security Settings tool. Select the policy items
Rename Administrator Account and Rename Guest Account to make these changes. The
Guest account should also be disabled. I also change the password on the Guest account
to something very long and very random just in case.
Every Windows 2000 workstation and server in the organization will have an Administrator
account that is local to that machine and thus will require protection. To protect these
accounts, a procedure should be established to define a password that is very strong. The
password should be written down, sealed in an envelope, and stored in a locked cabinet.
Password Policy
The system password policy is defined by using the Local Security Settings
tool (see Figure 17-5). This screen allows you to set password parameters and
strength requirements. As with any computer system, these settings should be made in
accordance with your organization’s security policy.
If you choose to enable the Passwords Must Meet Complexity Requirements setting,
you will be invoking the default password filter (PASSFILT.DLL). This will require all
passwords to be at least six characters long, not contain any component of the user name,
and contain at least three of the following: numbers, symbols, lowercase, or uppercase.
Unless absolutely necessary, you should not enable the Store Passwords Using Reversible
Encryption setting.
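The complexity rules listed above can be expressed as a short check, which also shows what the filter does not catch. This is an added example, not the PASSFILT.DLL code: it follows the rules as this chapter states them, and it assumes a "component" of the user name is any run of three or more letters or digits, compared without regard to case. The user name and passwords are constructed.

```python
import re
import string

def complexity_violations(password, username):
    """Return the rules, as described above, that `password` breaks."""
    problems = []
    if len(password) < 6:
        problems.append("shorter than six characters")
    # Assumption: a component is a run of 3+ letters or digits in the user name.
    for part in re.split(r"[^A-Za-z0-9]+", username):
        if len(part) >= 3 and part.lower() in password.lower():
            problems.append(f"contains name component '{part}'")
    classes = [
        any(c.isdigit() for c in password),              # numbers
        any(c in string.punctuation for c in password),  # symbols
        any(c.islower() for c in password),              # lowercase
        any(c.isupper() for c in password),              # uppercase
    ]
    if sum(classes) < 3:
        problems.append(f"uses {sum(classes)} of 4 character classes, needs 3")
    return problems

# Constructed passwords for a hypothetical user "john.smith".
CASES = ["abc12", "Smith#2001", "summer2001", "Passw0rd", "t7#Kq!vR2m"]

def report(username="john.smith"):
    """Map each constructed password to the rules it breaks (empty list = accepted)."""
    return {pw: complexity_violations(pw, username) for pw in CASES}

if __name__ == "__main__":
    for pw, problems in report().items():
        print(f"{pw:12} {'accepted' if not problems else '; '.join(problems)}")
```

"Passw0rd" is accepted by these rules, so the complexity setting should be treated as a floor alongside the length, history and lockout settings rather than as proof that a password is hard to guess.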
Account Lockout Policy
The account lockout policy is configured using the Local Security
Settings tool as well (see Figure 17-6). These settings should be made according to your
organization’s security policy.
NOTE:
The account lockout policy is used to prevent an attacker from conducting a brute-force
attack to guess passwords. It can also be used to cause a denial-of-service condition to the
entire user community. Therefore, it may be wise to consider the consequences of prolonged
lockouts of the user community when setting this policy.
The lockout will not be enforced against the Administrator account. The Administrator
account will always be able to log in from the system console.
Service Packs and Hot-Fixes
As of this writing, there is one service pack for Windows 2000. Additional hot-fixes and
service packs will come out over time. As with Windows NT updates, service packs and
hot-fixes should be implemented within an organization after appropriate testing.
Figure 17-5. Using the Local Security Settings tool to establish password policy
USER MANAGEMENT
The management of users on a Windows 2000 system is critical to the security of the system
and the organization. Proper procedures should be in place within the organization to
identify the proper permissions each new user should receive. When an employee leaves
the organization, procedures should be in place to make sure that the employee loses access
rights to the organization’s systems.
Adding Users to the System
When adding new users to the system, make sure you follow your User Management
procedures. These procedures should define who may request new accounts and who
may approve these requests. New users are added to a system or domain through the
Figure 17-6. Using the Local Security Settings tool to establish account lockout policy
