This section provides the initial installation procedures for the Windows 2000 family of operating systems.
Preparing for Installation

During installation, the Setup program will ask for information on how to install and configure Windows 2000. Prepare for the Windows 2000 operating system installation by collecting hardware information and establishing configuration decisions prior to initiating the installation process. The following checklist provides some guidelines as to the information that needs to be defined prior to initiating the installation process.

Table 3.1 Windows 2000 Pre-Installation Checklist
Windows 2000 Installation Process

Installation Methods

Windows 2000 can be installed either as an upgrade to an existing Windows operating system or as a new operating system installation. To ensure security, Windows 2000 should be the only operating system on the computer and should be installed on a clean partition. That is, any previous operating system must be wiped clean from all hard disk partitions within the computer prior to installing Windows 2000. There are three methods available to install the Windows 2000 operating system:
Initiating the Installation from a Bootable CD-ROM

Using a bootable CD-ROM is the simplest and fastest method of installing Windows 2000. To ensure that the machine is not compromised during setup, however, it is highly recommended that it be disconnected from the network until setup is complete and the most recent service pack is installed. Start Setup from a bootable CD-ROM as follows:
In the remainder of this chapter, we will point out the most secure way of installing the system. This is not intended as a complete walk-through of the setup process.

Configuring Disk Partitions

During the initial text-mode setup of the system, Setup will ask where to install Windows 2000. Figure 1 shows the dialog presented. If there are multiple partitions or multiple hard disks, they will be identified in the display. The example in Figure 1 shows a 40-gigabyte hard disk that is not partitioned. For security purposes, it is highly recommended that this dialog be used to delete all other operating system partitions from the system.

For workstations, we recommend using all space on a disk for the installation partition. For servers, we recommend using about 4 GB of space on one disk for the operating system. The remaining space in the system should be reserved for data files, services, utilities and so on. We highly discourage storage of user data files on the boot partition on servers, while on workstations this is acceptable practice, which makes it easier for users to locate their data.

The next step after creating the partition is to format it. For all systems where security is a requirement, all partitions must be NTFS formatted. Only on systems using NTFS can any reasonable security be presumed.

Assign an Administrator account password

The Computer Name and Administrator Password dialog box shown in Figure 2 provides a means of setting the password for the default Administrator account. The specific guidance on how to set a good password is provided in section 3.3, "Choosing Good Passwords." It is imperative that a good password is set on the built-in Administrator account during setup.

Choose service components for Windows 2000 Server products

In the Windows 2000 Components dialog box, select the necessary components for the server being installed. This dialog box allows addition or removal of components during installation.
The default configuration of Windows 2000 Professional is acceptable, but Windows 2000 Server needs to be modified during installation.
Note that due to the prevalence of worms exploiting unsecured systems on most networks, it is highly recommended that systems running IIS be installed on an isolated network segment, or with no network cable attached, until Service Pack 3 or higher is installed.

Convert a Windows 2000 Server to a Domain Controller

To build a domain controller, you must first install one of the Windows 2000 Server family of products, and then promote the system to a domain controller. This can be done using the DCPromo.exe tool. During promotion, you will be presented with a dialog labeled Permissions (see Figure 4). On this dialog, the radio button for Pre-Windows 2000 compatible permissions is selected by default. When this option is selected, the Everyone group becomes a member of the Pre-Windows 2000 Compatible Access group. That latter group, in turn, has read access to all attributes of all objects in Active Directory. This presents a serious potential for security leaks.

If you have a system that has already been promoted, you can verify whether this check box was selected by verifying the membership of the Pre-Windows 2000 Compatible Access group. If Everyone is a member of that group, remove it, and then reboot all domain controllers. A reboot is necessary because the access token governing this access is created at boot time.

On new installations, where access by non-Windows 2000 servers and clients is not a requirement, this option should be selected. This is only the first example of an instance where we can tighten the security significantly in the absence of backward compatibility.

Choosing Good Passwords

So much of system security is dependent on choosing good passwords. This topic is covered in detail in this section. In order to understand how to select good passwords on Windows 2000, however, a basic understanding of how the operating system stores passwords is required.
Windows 2000 Password Representations

By default, Windows 2000 will never store a clear-text user password. Rather, passwords are stored using two different password representations, commonly called "hashes." The reason for using two representations is for backward compatibility.

The LMHash

The LMHash, also known as the Lan Manager hash, is technically speaking not a hash at all. It is computed as follows:
As a result of the algorithm used to generate the LMHash, the hash is very easy to crack. First, even a password longer than 8 characters can be attacked in two discrete chunks. Second, the entire lower-case character set can be ignored. This means that most password cracking tools will start by cracking the LMHashes and then simply vary the alpha characters in the cracked password to generate the case-sensitive passwords. Note that in order to log on to a Windows 2000 system, whether remotely or locally, you will need to use the case-preserved password.

The NTHash

The NTHash is also known as the Unicode hash, because it supports the full Unicode character set. The NTHash is calculated by simply taking the plaintext password and generating an MD4 hash of it. The MD4 hash is then stored. The NTHash is much more resistant to brute force attacks than the LMHash. Brute forcing an NTHash takes several orders of magnitude longer than brute forcing the LMHash of the same password.

What constitutes a good password?

There are some general guidelines for what constitutes a reasonable password:
This complexity is enforced via a password filter, and can be optionally required using group policy. Additionally, an administrator can customize the complexity requirements by writing a custom password filter. Such a filter could, for example, enforce that company names are not part of the password, or require additional complexity. For more information on how to write such a filter, refer to the section on Password Filters in the Microsoft Windows Software Development Kit, at http://msdn.microsoft.com/library/en-us/security/Security/password_filters.asp.

However, most passwords like these are still easily cracked. There are several steps that can be taken to make a password harder to crack:
There are many ways to prevent storage of the LMHash. A system-wide method will be discussed later in the section "Disable LMHash creation" in Chapter 5. However, the creation of an LMHash can be controlled on a per-account basis by constructing the password in certain ways. First, if the password is longer than 14 characters, the system is unable to generate an LMHash. In Windows 2000, passwords can be up to 127 characters. Second, if the password contains certain ALT characters, the system will also not be able to generate an LMHash. This latter point is tricky, because while some ALT characters significantly strengthen the password by removing the LMHash, others significantly weaken it since they are converted into a normal upper-case letter prior to storage. There are many characters, however, which will strengthen the password. Table 1 lists all the characters below 1024 which cause the LMHash not to be generated.

Table 1 ALT characters which cause the LMHash to disappear
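To make the difference between the two representations concrete, the following added example (not part of the original guide) models how a candidate password is prepared for the LMHash and compares the worst-case search space against the NTHash. It assumes the standard LM behaviour of padding to 14 characters and splitting into two 7-character halves, and a 95-character printable ASCII alphabet; the function names are illustrative.

```python
import math

LM_MAX_LEN = 14       # page: a password longer than 14 characters gets no LMHash
LM_HALF = 7           # assumption: standard LM split into two 7-character halves
PRINTABLE = 95        # assumed alphabet: printable ASCII
PRINTABLE_UPPER = 69  # the same alphabet once a-z is folded into A-Z


def lm_halves(password):
    """Return the two upper-cased chunks an LMHash would be built from.

    Returns None when no LMHash is stored (more than 14 characters). Raises
    ValueError for non-ASCII input, because whether an ALT character removes
    the LMHash or is folded to a plain letter depends on the character.
    """
    if len(password) > LM_MAX_LEN:
        return None
    if not password.isascii():
        raise ValueError("non-ASCII character: result depends on the character")
    padded = password.upper().ljust(LM_MAX_LEN, "\0")
    return padded[:LM_HALF].rstrip("\0"), padded[LM_HALF:].rstrip("\0")


def search_space(password):
    """Worst-case guesses against each stored representation."""
    nt = PRINTABLE ** len(password)
    halves = lm_halves(password)
    if halves is None:
        return {"lm": None, "nt": nt}
    # Each half is searched independently, so the costs add, not multiply.
    lm = sum(PRINTABLE_UPPER ** len(half) for half in halves)
    return {"lm": lm, "nt": nt}


def audit(password):
    """One-line verdict suitable for an account provisioning check."""
    space = search_space(password)
    if space["lm"] is None:
        return "no LMHash stored"
    gap = math.log10(space["nt"] / space["lm"])
    return "LMHash stored as %r; about 10^%.0f times fewer guesses than the NTHash" % (
        lm_halves(password), gap)


if __name__ == "__main__":
    # Constructed sample passwords, not taken from the page.
    for sample in ("Winter2000", "short", "correct horse battery"):
        print(sample, "->", audit(sample))
```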
In many environments the LMHash cannot be disabled system wide. This could be the case, for example, in environments where the operating system is installed over the network by booting to a DOS disk. DOS does not support the NT hash algorithm and therefore requires the LMHash to be present. DOS also does not support ALT characters in the password.

While we recommend that LMHashes be disabled system wide in all environments where it is feasible, the above techniques can be used to strengthen individual passwords in all environments. We particularly recommend using ALT characters on sensitive accounts such as service accounts and administrative accounts. In general, these accounts need greater protection than ordinary user accounts, and the users using them should be willing to use very complicated passwords. One caveat, however, is that using ALT characters in a password does break the recovery console. This should be kept in mind before setting up passwords with ALT characters.

Windows 2000 Service Pack Considerations

Windows 2000 Service Packs 2 and higher support high encryption (128-bit) as a default, and will automatically upgrade the operating system from standard encryption (56-bit) if it hasn't been upgraded already. It is not possible to disable or uninstall this feature. If the Service Pack is removed after installation, the operating system will continue to use 128-bit encryption; it will not revert back to 56-bit encryption.

There is, however, one exception to this. The Protected Store is a data store introduced with Internet Explorer 4.0. The Protected Store is in the process of being deprecated in favor of the Data Protection API. However, by default, data in the Protected Store, such as IE usernames and passwords, are protected using weak encryption, and this encryption is not upgraded during the service pack installation.
To upgrade the encryption on the Protected Store, you must run the following commands after installing Service Pack 2 or higher:

    Keymigrt.exe
    Keymigrt.exe -m

The keymigrt.exe utility also takes the following switches.
keymigrt [-f] [-v] [-u] [-m] [-s]
CAPI Key upgrade utility
-f - Force key upgrade
-e - Force Encryption Settings upgrade
-v - Verbose
-u - Allow upgrade of UI protected keys
-m - Upgrade machine keys
-s - Show current state, but make no modifications
For more information on keymigrt.exe and to download the tool, consult Microsoft Security Bulletin MS00-032 at http://www.microsoft.com/technet/security/bulletin/ms00-032.mspx.

Recommended Actions Prior to Installing Service Pack and Hotfix Updates

Before installing any Service Pack or Hotfix updates:
Installing Service Pack and Hotfix Updates

Windows 2000 Service Pack 3 can be installed from a Service Pack CD, from a network drive, or from the Windows 2000 Service Pack Web site at: http://www.microsoft.com/windows2000/downloads/servicepacks/

Detailed procedures for each installation method can be found in the Service Pack readme file. During the installation process, the Service Pack program installs its files on the computer and automatically creates a backup of the files and settings that the service pack installer changes. The backup files are saved in a $NTServicepackUninstall$ folder within the %systemroot% folder.