TechNet Home > Home > Products & Technologies

Securing Windows 2000 Domain Controllers

Introduction

The loss of data or revenue that can result from a malicious attack on a computer system can be devastating to an organization. To protect your company's computer systems and data from the ever present threat of malicious code used in worms, viruses, and malicious attacks, it is critical that you implement security measures to help reduce the exposure to your company's assets.

The domain controllers in your network are the centerpiece of your Active Directory directory service. They contain all of your user account information, without which, users cannot log on to your network and access the resources that they need to perform their jobs.

Because of the information that domain controllers contain and their critical role in any environment, they are obvious targets of malicious attacks. For this reason, you should place your domain controllers in the most secure location possible; you should keep your domain controllers up-to-date with the latest security updates; and you should disable unnecessary services to minimize their exposure to worm, virus, and malicious attacks.

This guide provides step-by-step guidance to help you implement security measures that will help lock down the configuration of your domain controllers.

To improve the security of your environment, you will apply Group Policy, which is the change and configuration management technology included with Active Directory. This guide leads you through the following tasks:

•	Securing your domain controllers by using Group Policy.
•	Configuring Group Policy to provide for additional domain controller functionality.
•	Keeping your domain controllers up-to-date with the latest security updates.

Note: Configuring Group Policy on your domain controllers is only the first step toward enhancing the security of your domain controllers and your entire environment.

Review and complete the tasks in "Securing Windows 2000 Professional Clients in a Windows Server Environment" and "Securing Windows XP Professional Clients in a Windows Server Environment" of the Security Guidance Kit. Completing the tasks in these guides will greatly contribute to enhancing the security of your domain controllers.

After you complete these tasks, your domain controllers will contain a base level of security that can help protect your environment from a large number of security threats. Completing these tasks ensures that domain controllers run only the services they need to provide for your environment. Furthermore, configuring Automatic Updates helps you keep your domain controllers up-to-date by automatically downloading and installing the latest security updates as Microsoft releases them.

IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps might differ slightly.

Top of page

Before You Begin

To complete the tasks in this guide, you must be logged on to your domain controller as a member of the Domain Admins account. Keep in mind that some steps require you to restart your domain controller; so make sure you complete these steps during non-business hours to minimize the impact to your users.

This guide assumes that your client environment consists of computers running Microsoft Windows 2000 Service Pack 2 (SP2) or later, and Windows XP SP1. Several of the tasks and recommendations detailed in this guide are not compatible with older versions of Windows.

If your computers do not have these service packs installed or if you are unsure whether they are installed, go to the Windows Update page on the Microsoft Web site http://go.microsoft.com/fwlink/?LinkID=22630 and have it scan your systems for updates. If service packs show up as an available update, you should install them before proceeding with the tasks in this document. More information about using Windows Update is provided later in this document.

Top of page

Securing Your Domain Controllers

You can improve security on your domain controllers by using Group Policy. The following steps show you how to configure Group Policy to disable unnecessary or unused services on your domain controllers that might otherwise create unwanted exposure if left enabled. To configure Group Policy for your domain controllers, complete the following tasks:

•	Create a new Group Policy object (GPO), and link it to the Domain Controllers organizational unit (OU).
•	Import baseline security settings into the new GPO by using the security template that is included with this guide.
•	Verify your new settings by reviewing the Application log on your domain controllers.

Implementing the Domain Controllers Baseline Policy

You need to complete the following steps just one time. The security of all of your domain controllers is enhanced simultaneously after you configure the Domain Controllers Baseline Policy.

IMPORTANT: You must restart all your domain controllers for the Domain Controllers Baseline Policy to take effect. Make sure to complete these steps during non-business hours to minimize the impact to your users.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Tools: Active Directory Users and Computers. To access this tool, click Start, click Settings, click Control Panel; double-click Administrative Tools, and then double-click Active Directory Users and Computers.
•	Files: You need to download the MSS DCBaseline Role.inf file included with the Securing Windows 2000 Server Guide. After downloading this file, copy it to the systemroot\Security\Templates folder of the domain controller on which you are performing these steps. (For example, in a typical configuration, you would copy the .inf file to the C:\Windows\Security\Templates folder.)

•

To download the MSS DCBaseline Role.inf file

On the domain controller, open a Web browser and go to the Securing Windows 2000 Server page of the Microsoft Download Center Web site at http://go.microsoft.com/fwlink/?LinkId=22720.

At the bottom of the page, under Files in This Download, click Securing_Windows_2000_Server.exe.

In the File Download dialog box, click Save.

When prompted for a location, expand the Save in list box, select Desktop, and then create a new folder in which to save the file by doing the following:

1.	Right-click the white space within the Save As dialog box, point to New, and then click Folder.
2.	Type a descriptive name for the folder (replace the highlighted text, New Folder, with your descriptive name), double-click the new folder so that it is selected in the Save in list box, and then click Save.

After the download is complete, in the Download complete box, click Close.

In the new folder on your desktop, double-click the Securing_Windows_2000_Server.exe file to open the WinZip Self-Extractor.

In the WinZip Self-Extractor dialog box:

1.	Click Browse, select the folder you created for the download, click the folder to open it, and then click OK.
2.	In the WinZip Self-Extractor dialog box, click Unzip. You will receive a confirmation message that the files unzipped successfully.

In the set of extracted files and folders, double-click the Tools and Templates folder to open it, open the Security Guide folder, and then open the Security Templates folder.

In the Security Templates folder, right-click the MSS DCBaseline Role.inf file, and copy this file to the systemroot\Security\Templates folder of the domain controller on which you are performing these steps.

•

To create a new GPO in the Domain Controllers OU

1.	Click Start, click Settings, click Control Panel; double-click Administrative Tools, double-click Active Directory Users and Computers, and then click your domain to expand the domain tree.
2.	Right-click the Domain Controllers OU, and then click Properties. Note: Screenshots in this document reflect a test environment. The domain and server names in your environment might differ slightly from the ones shown in these screenshots.
3.	In the Domain Controllers Properties dialog box, click the Group Policy tab, and then click New to create a new GPO.
4.	Name the policy Domain Controllers Baseline Policy, and then click Close.

•

To import the baseline security settings into the Domain Controllers Baseline Policy

1.	Right-click the Domain Controllers OU, and then click Properties.
2.	In the Domain Controllers Properties dialog box, click the Group Policy tab, and then select the Domain Controllers Baseline Policy.
3.	Click Up to move the new GPO to the top of the list, and then click Edit. IMPORTANT: Be sure you are editing the newly created Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.
4.	Under Computer Configuration, double-click the Windows Settings folder, right-click Security Settings, and then select Import Policy.
5.	In the Import Policy From dialog box, select the MSS DCBaseline Role.inf file, and then click Open.
6.	Close Group Policy, click OK to close the Domain Controllers Properties dialog box, and then exit Active Directory Users and Computers.
7.	Restart your domain controllers one at a time. Do not reboot all of your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After configuring the Group Policy security settings, be sure to verify that the policies have been applied successfully.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Tools: Event Viewer and Services.

Verify that the Application log on each of your domain controllers contains an Event ID 1704.

•

To check the Application event log

Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Event Viewer.

In Event Viewer, click Application Log and then look for the most recent event of:

•	Type: Information
•	Source: SceCli
•	Event ID: 704

If you double-click this event, you see an Event Properties window similar to the following:

Event Properties

Click OK, and then close Event Viewer.

Next, verify that unnecessary services are disabled on your domain controllers.

•

To check for disabled services

Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Services.

Verify that the Alerter, Messenger, and Task Scheduler services are not running, and that their Startup Type is set to Disabled.

Note: The three services listed in step 2 are enabled by default in Windows 2000. These are not the only services disabled by the Domain Controllers Baseline Policy, but checking their configuration is a good indication that your new Group Policy settings have taken effect.

Close the Services tool.

Top of page

Enabling Additional Services on Domain Controllers

The Domain Controllers Baseline Policy that you implemented in the previous section disables several services that are not used to provide base domain controller functionality. Making this configuration change greatly enhances the security of your domain controllers; however, the change prevents certain services, which domain controllers typically provide in small and medium businesses, from operating properly.

The following steps show you how to modify your Group Policy in order to re-enable these additional services. Review the following tasks, and complete them on your domain controllers only if your network requires the additional functionality that is provided by these services:

•	Enabling DHCP services
•	Enabling WINS services
•	Enabling Print services
•	Enabling Certificate services
•	Enabling IAS services
•	Enabling and securing the Task Scheduler service

Enabling DHCP Services

If your domain controller is configured as a Dynamic Host Configuration Protocol (DHCP) server, you need to modify Group Policy settings for the domain controller to provide DHCP services to your environment. This section provides step-by-step instructions for configuring Group Policy in order to re-enable the DHCP service.

Configuring Group Policy to Enable DHCP Services

You must edit the Domain Controllers Baseline Policy to re-enable the DHCP Server service on your domain controllers. Following these steps enables the DHCP Server service on all domain controllers that provide DHCP services.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

•

To configure Group Policy to enable DHCP services

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then click your domain to expand the domain tree.
2.	Right-click the Domain Controllers OU, and then click Properties.
3.	In the Domain Controllers Properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit. IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.
4.	Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.
5.	In the details pane (right pane), double-click DHCP Server, click Automatic, and then click OK.
6.	Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.
7.	Restart any domain controllers that provide DHCP services, being sure to restart them one at a time. IMPORTANT: Do not reboot all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable the DHCP Server service, verify that the service is running.

•

To verify that the DHCP Server service is running

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Services.
2.	Verify that the DHCP Server service is started and configured to run automatically.

IMPORTANT: Also verify that client computers are obtaining DHCP server IP addresses from your domain controller.

Enabling WINS Services

If your domain controller is configured as a Windows Internet Name Service (WINS) server, you need to modify Group Policy settings for your domain controller to provide WINS services to your environment. This section provides step-by-step instructions for configuring Group Policy to re-enable the WINS service.

Configuring Group Policy to Allow WINS Services

You must edit the Domain Controllers Baseline Policy Group Policy object to enable the WINS service on your domain controllers. Following these steps enables the WINS service on all of your domain controllers.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

•

To edit Group Policy to enable the WINS service

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then click your domain to expand the domain tree.
2.	Right-click the Domain Controllers OU, and then click Properties.
3.	In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit. IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.
4.	Under Computer Configuration, expand the Windows Settings folder, click Security Settings, and then click System Services.
5.	In the details pane, double-click WINS, click Automatic, and then click OK.
6.	Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.
7.	Restart any domain controllers that provide WINS services, being sure to restart them one at a time. IMPORTANT: Do not reboot all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable the WINS service, verify that the service is running.

•

To verify that WINS is running

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Services.
2.	Verify that the Windows Internet Name Service (WINS) is started and configured to run automatically.

Enabling File and Print Services

Access to file shares on your domain controller is not affected by the Domain Controllers Baseline Policy that you implemented in the previous sections. No modifications are necessary for your domain controllers to provide secure file-sharing services.

However, if your domain controller is configured as a Print server, you need to configure Group Policy to enable the Print Spooler service for your domain controller to provide Print services to your environment.

Configuring Group Policy to Enable Print Services

You must edit the Domain Controllers Baseline Policy Group Policy object to enable the Print Spooler service on your domain controllers. Following these steps enables the Print Spooler service on all of your domain controllers.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

•

To configure Group Policy to enable print services on your domain controller

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then click your domain to expand the domain tree.
2.	Right-click the Domain Controllers OU, and then click Properties.
3.	In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit. IMPORTANT: Be sure you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.
4.	Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.
5.	In the details pane, double-click Print Spooler, click Automatic, and then click OK.
6.	Close Group Policy, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.
7.	Restart any domain controllers that provide Print services, being sure to restart them one at a time. IMPORTANT: Do not reboot all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable the Print Spooler service, verify that the service is running.

•

To verify that the Print Spooler service is running

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Services.
2.	Verify the Print Spooler service is started and configured to run automatically.

IMPORTANT: Also verify that client computers can print to the printer shares on your domain controllers.

Enabling IAS Services

If any of your domain controllers is configured as an Internet Authentication Service (IAS) server, you need to modify Group Policy settings for the domain controller to provide IAS services to your environment. This section provides step-by-step instructions for configuring Group Policy to re-enable IAS services.

Configuring Group Policy to Enable IAS Services

You must edit the Domain Controllers Baseline Policy to re-enable IAS services on your domain controllers. Following these steps enables Certificate Services on all domain controllers that provide IAS services.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

•

To configure Group Policy to enable IAS services

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.
2.	Right-click the Domain Controllers OU, and then click Properties.
3.	In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit. Important: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.
4.	Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.
5.	In the details pane (right pane), double-click IAS, click Automatic, and then click OK.
6.	Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.
7.	Restart any domain controllers that use ISA, being sure to restart them one at a time. IMPORTANT: Do not restart all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable IAS services, verify that the service is running.

•

To verify the IAS service is running

1.	Click Start, click Control Panel, click Settings, double-click Administrative Tools, and then double-click Services.
2.	Verify that the IAS service is running and configured to start automatically.

Enabling Certificate Services

If any of your domain controllers is configured as a certification authority (CA) server, you need to modify Group Policy settings for the domain controller to provide Certificate Services to your environment. This section provides step-by-step instructions for configuring Group Policy to re-enable Certificate Services.

Configuring Group Policy to Enable Certificate Services

You must edit the Domain Controllers Baseline Policy to re-enable Certificate Services on your domain controllers. Following these steps enables Certificate Services on all domain controllers that provide Certificate Services.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Consider impact to users: You will need to restart your domain controllers to complete these steps. You should complete these steps during non-business hours to minimize the impact to your users.

•

To configure Group Policy to enable Certificate Services

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.
2.	Right-click the Domain Controllers OU, and then click Properties.
3.	In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit. IMPORTANT: Be sure that you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.
4.	Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.
5.	In the details pane, double-click CertSvc, click Automatic, and then click OK.
6.	Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.
7.	Restart your domain controllers one at a time. IMPORTANT: Do not restart all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable Certificate Services, verify that the service is running.

•

To verify that Certificate Services is running

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Services.
2.	Verify that Certificate Services is running and configured to start automatically.

Enabling and Securing the Task Scheduler Service

If any of your domain controllers use scheduled tasks to automatically run scripts or programs, you need to modify Group Policy settings for the domain controller to run the Task Scheduler service.

To help improve the security of your domain controllers, after you re-enable the Task Scheduler service, restrict any tasks that are scheduled using AT commands from using the Local System account. If you maintain the default account configuration, your domain controllers are open to attacks by malicious users.

This section provides the following step-by-step instructions:

•	Configuring Group Policy to enable Task Scheduler.
•	Securing the Task Scheduler service by modifying the AT Service Account.

Configuring Group Policy to Enable Task Scheduler

You must edit the Domain Controllers Baseline Policy GPO to enable the Task Scheduler service on your domain controllers. Following these steps enables the Task Scheduler service on all of your domain controllers.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Consider impact to users: You will need to restart your domain controllers to complete these steps. Rebooting all your domain controllers simultaneously might temporarily prevent users from logging on to the network or accessing network resources. To minimize the impact on your users, you should complete these steps during non-business hours.

•

To configure Group Policy to enable Task Scheduler on your domain controllers

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, double-click Active Directory Users and Computers, and then double-click your domain to expand the domain tree.
2.	Right-click the Domain Controllers OU, and then click Properties.
3.	In the properties dialog box, click the Group Policy tab, click the Domain Controllers Baseline Policy, and then click Edit. IMPORTANT: Be sure you are editing the Domain Controllers Baseline Policy and not the Default Domain Controllers Policy. Incorrect modifications to the Default Domain Controllers Policy can adversely affect your environment and can be difficult to troubleshoot.
4.	Under Computer Configuration, double-click the Windows Settings folder, double-click Security Settings, and then click System Services.
5.	In the details pane, double-click Task Scheduler, click Automatic, and then click OK.
6.	Close the Group Policy Object Editor, click OK to close the properties dialog box, and then exit Active Directory Users and Computers.
7.	Restart any domain controllers that use the Task Scheduler, being sure to restart them one at a time. IMPORTANT: Do not reboot all your domain controllers simultaneously because users might have difficulty logging on to the network or accessing network resources if no domain controller is available.

Verifying New Settings

After you modify your Group Policy settings to enable the Task Scheduler service, verify that the service is running.

•

To verify that the Task Scheduler service is running

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Services.
2.	Verify that the Task Scheduler service is running and is configured to start automatically.

Securing Task Scheduler by Modifying the AT Service Account

You can also use AT commands to schedule tasks in Task Scheduler. By default, tasks that you schedule by using AT commands run under the Local System account and run regardless of which user is logged on to the computer. Often, these tasks run in the background and are unnoticed by administrators.

The Local System account is a special, predefined account that is used to start and run many services on your domain controllers. This account allows full access to your domain controllers and also has access to network resources. Hence, many security-related attacks try to exploit services that run by using the Local System account.

To help improve the security of your domain controllers, you can limit a malicious user's ability to run programs that use the Local System account. This guide recommends that you modify the configuration of Task Scheduler so that any tasks that are scheduled using AT commands do not run using the Local System account.

After you complete the following steps, any tasks that are scheduled by using AT commands only run using the account that you specify.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Repeat these steps: You must complete these steps on each one of your domain controllers.

•

To modify the AT Service Account configuration

Click Start, click Settings, click Control Panel, and then double-click Scheduled Tasks.

From the Advanced menu, select AT Service Account.

Click the This Account option, type the name and password for an account that does not provide administrative privileges to your domain controller, and then click OK.

AT Service Account configuration

IMPORTANT: Be sure that the account you use does not belong to any of the administrative groups (for example, Enterprise Admins, Domain Admins, or Administrators). It is recommended that you create a specific service account for this purpose and periodically monitor the account's group membership.

If you need to run a task that uses administrator credentials, you must schedule the task by using the Add Scheduled Tasks wizard in Task Scheduler.

Top of page

Keeping Your Domain Controllers Secure

To keep your domain controllers up-to-date, you must routinely download and install the latest Microsoft security updates. These updates are provided to help resolve known issues and to help protect your computer from known security vulnerabilities.

The following steps provide you with automatic and manual methods for keeping your domain controllers up-to-date with available security updates. You will complete the following tasks:

•	Configure Automatic Updates to automatically download and install security updates on the schedule you specify.
•	Review how to use Windows Update to manually download and install security updates.

IMPORTANT: You should keep all computers on your network up-to-date with the latest security updates. Configuring Automatic Updates and using Windows Update on your domain controllers will keep only your domain controllers up-to-date. Make sure that Automatic Updates and Windows Update are configured and used with all the computers on your network that are running Windows 2000, Microsoft Windows Server 2003, and Windows XP.

Configuring Automatic Updates

You can configure your Windows 2000 domain controllers to automatically download and install the latest Microsoft security updates while your computer is turned on and connected to the Internet.

Requirements

•	Credentials: You must be logged on as a member of the Domain Admins group.
•	Repeat these steps: You must complete these steps on each of your domain controllers.

•

To configure your domain controllers to automatically download and install security updates

1.	Click Start, click Settings, click Control Panel, double-click Administrative Tools, and then double-click Automatic Updates.
2.	Select the check box labeled Keep my Computer up-to-date. With this setting enabled, Windows Update software may be automatically updated prior to applying any other updates.
3.	Select the option Automatically download the updates, and install them on the schedule that I specify.
4.	Select the day and time for the updates to occur, and then click OK to close the Automatic Updates window. IMPORTANT: Security updates often require that your domain controllers be restarted. Choose a day and time that minimizes the impact to your users.

Using Windows Update

Windows Update is the online extension of Windows that helps you keep computers connected to the Internet up-to-date. You can run Windows Update to ensure that Automatic Updates has installed all the latest security updates. Windows Update is useful if Microsoft notifies you of a new security issue and you want to immediately ensure that your computers are up-to-date.

Requirements

•	Credentials: You must be logged on as a member of the Server Operators group or Domain Admins group.
•	Repeat these steps: You must complete these steps on each of your domain controllers.

•

To run Windows Update to manually download and install security updates

1.	Click Start, click Programs, and then click Windows Update.
2.	In Internet Explorer, click Scan for Updates, and then wait until the scan is 100% complete.
3.	Windows Update will automatically select any necessary critical security updates missing from your domain controller. If any updates are available, click Review and Install Updates, click Install Now, and then follow the installation instructions on your screen.
4.	Repeat these steps until no critical updates are available for your domain controller.

Note: Security updates often require that you restart your domain controller. When running Windows Update, be sure to consider the impact that restarting your domain controllers can have on your users.

Top of page

Related Information

For more information about securing Windows 2000, see the following:

•	Microsoft Security Web site on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=102.
•	Authoritative Security Guidance for the Enterprise on the TechNet Web site at http://go.microsoft.com/fwlink/?LinkId=22698.
•	Microsoft Guide to Security Patch Management on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=16286.

For more information about Windows 2000, see the following:

•	Windows 2000 Home page on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=4297.
•	Windows 2000 Group Policy white paper on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkId=203.

Top of page

Securing Windows 2000 Domain Controllers

On This Page

Introduction

Before You Begin

Securing Your Domain Controllers

Implementing the Domain Controllers Baseline Policy

Verifying New Settings

Enabling Additional Services on Domain Controllers

Enabling DHCP Services

Configuring Group Policy to Enable DHCP Services

Verifying New Settings

Enabling WINS Services

Configuring Group Policy to Allow WINS Services

Verifying New Settings

Enabling File and Print Services

Configuring Group Policy to Enable Print Services

Verifying New Settings

Enabling IAS Services

Configuring Group Policy to Enable IAS Services

Verifying New Settings

Enabling Certificate Services

Configuring Group Policy to Enable Certificate Services

Verifying New Settings

Enabling and Securing the Task Scheduler Service

Configuring Group Policy to Enable Task Scheduler

Verifying New Settings

Securing Task Scheduler by Modifying the AT Service Account

Keeping Your Domain Controllers Secure

Configuring Automatic Updates

Using Windows Update

Related Information