• Introduction
• Before You Begin
• Securing the File System
• Securing User Accounts
• Using a Firewall
• Updating Security Patches
• Check Security with the Microsoft Baseline Security Analyzer
• Related Information
Introduction

Peer-to-peer networking can increase productivity by making it easy to share information and resources on your network. However, the ability of computer users to control access to their computer can leave them vulnerable to information theft, loss, or inadvertent sharing of information. That is why, in addition to enforcing a corporate computing policy, you should make sure you and your employees understand the basics of Windows peer-to-peer networking and security. Some basic best practices include:
• Staying current with Windows security updates
• Using antivirus software
• Using Internet Connection Firewall
• Using strong passwords
• Not sharing files or folders with hosts on the Internet
• Restricting permissions on shared folders to the minimum required
• Sharing only the minimum folders required
• Disabling sharing wherever it is not required
With the increasing threat of malicious code, such as worms, viruses, and hacker attacks, it is critical that all customers take immediate action to help lock down their desktop and portable computers. This document explains how to implement the security measures for a small or medium business environment where peer-to-peer networking is used. These recommendations help ensure that your computers running Microsoft Windows 2000 Professional are more secure from many current security threats, while ensuring that users can continue to be efficient and productive on their computers.
The following tasks are included in this document:
• Securing the file system
• Securing user accounts
• Securing access from the network
• Checking security with the Microsoft Baseline Security Analyzer
In addition to the advanced step-by-step guidance in this document, you will also find information about the top security recommendations that Microsoft is making to all customers, from home customers to enterprise customers.
IMPORTANT: All the step-by-step instructions included in this document were developed by using the Start menu that appears by default when you install your operating system. If you have modified your Start menu, the steps may differ slightly.
Before You Begin

As with any security recommendations, this guidance strives to find the right balance between enhanced security and usability. The recommendations provided here will work successfully for Windows 2000 Professional deployments in a wide variety of environments. However, before implementing these recommendations, you should note that this document does not address the wide variety of needs and configurations that may be required in a large corporation. In addition, the guidance may not fully address the specific security needs of some organizations.
The recommendations in this document apply only to computers running Windows 2000 Professional Service Pack 4 that are members of a WORKGROUP. If Service Pack 4 is not installed on a particular computer or if you do not know whether it is installed, you can go to the Windows Update page on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=22630, and have Windows Update scan your computer for available updates. If Service Pack 4 shows up as an available update, install it before proceeding with the procedures in this document.
You must be logged on as an administrator or a member of the Administrators group in order to complete the following procedures. If your computer is connected to a network, network policy settings might also prevent you from completing these procedures.
Securing the File System

A file system is the way that directories and files are organized on a computer. There are several ways to protect your file system from unauthorized access, alteration, or deletion. This section provides the following step-by-step instructions for securing the file system:
• Converting file systems to NTFS
• Using antivirus software
• Protecting file shares
• Securing shared folders
• Disabling or deleting unnecessary accounts
During the Windows 2000 setup process, computers are configured to use either the FAT32 or NTFS file system. FAT32 is an older technology used by previous versions of Windows. The NTFS file system is faster and more secure than FAT32. For optimal performance and security of the operating system, use NTFS on all file system partitions on your computer.
Before converting the file system on your computer, you need to verify that you are not using NTFS already. Use the following steps to check the file system type on your computer. If these steps help you confirm that you are already using NTFS, you can skip Converting the File System to NTFS below.
To check the file system type on your computer:
Check the file system type for all disks on the computer. Even if the file system was configured as FAT32 when the operating system was installed, it can be easily converted to NTFS to provide additional security.
Converting the File System to NTFS

To convert the file system to NTFS, take note of the name of the disk, otherwise known as the volume label (C Drive in the preceding example), and complete the following steps.
To convert the file system to NTFS:
Note: If you are attempting to convert the drive where the operating system is installed, you might be prompted to schedule the conversion to occur the next time the system is restarted. If this occurs, type Y, and then restart the computer.
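The check-then-convert sequence described above can be scripted with the two tools that ship with Windows 2000 for this purpose, CHKNTFS (which reports the file system type without changing anything) and CONVERT. This is an added example, not a script from the Microsoft article; the file name and the drive-letter argument are assumptions.

```batch
@echo off
rem Added example (not from the Microsoft article): report a volume's file system
rem with CHKNTFS, and convert it to NTFS with CONVERT only if it is still FAT/FAT32.
rem Assumed usage: check_and_convert.cmd C:

if "%~1"=="" (
    echo Usage: %~nx0 drive:
    exit /b 1
)
set DRIVE=%~1

rem CHKNTFS only prints the file system type and dirty state; it changes nothing.
echo Current file system on %DRIVE%:
chkntfs %DRIVE%

rem "The type of the file system is NTFS." means there is nothing left to do.
chkntfs %DRIVE% | find /i "NTFS" >nul
if not errorlevel 1 (
    echo %DRIVE% already uses NTFS. No conversion needed.
    exit /b 0
)

rem CONVERT is one-way: going back to FAT32 means reformatting, so back up first.
rem If %DRIVE% holds the running operating system, CONVERT cannot lock it and asks
rem whether to schedule the conversion for the next restart; answer Y and reboot,
rem exactly as the note above describes.
echo Converting %DRIVE% to NTFS...
convert %DRIVE% /FS:NTFS
if errorlevel 1 (
    echo CONVERT reported an error; check the output above.
    exit /b 1
)
echo Conversion finished or scheduled. Run "chkntfs %DRIVE%" again afterwards to confirm.
```

Run it once per drive letter; the CHKNTFS step is safe to repeat at any time, so it also serves as a quick audit of which volumes on a computer are still FAT32.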
Using Antivirus Software

Computer viruses are programs that are loaded on to your system without your knowledge or approval. Viruses and other forms of malicious software have been around for years. Today's viruses can replicate themselves and use the Internet and e-mail applications to spread across the world within hours.
An antivirus software program will help protect your computer against many known viruses, worms, Trojan horses, and other malicious code. Antivirus software continually scans your computer for viruses and helps detect and remove them. Installing antivirus software only solves part of the problem; keeping the antivirus signature files up to date is critical to maintaining a secure desktop or portable computer.
Many new computers come with antivirus software already installed. However, antivirus software requires a subscription to stay up-to-date. If you don't have a current subscription for these updates, your computer is likely to be vulnerable to new threats.
User education regarding safe e-mail practices is another critical step in preventing virus attacks. Users should not open an e-mail or take action on an e-mail attachment unless they are expecting the file. All e-mail attachments should be scanned with the antivirus software before they are opened or run.
For a list of the software vendors that provide antivirus software compatible with Windows, see http://go.microsoft.com/fwlink/?LinkId=22712.
Protecting File Shares

Peer-to-peer networking allows you to create file shares that give network users either read-only access or the ability to read, create, change, and delete files. If you are connected to the Internet, and are not operating behind a firewall, remember that any file shares you create might be accessible to any user on the Internet.
By default, Windows 2000 Professional grants Full Control, Change, and Read permissions to everyone who can access your shared folders. You should use the procedure below to remove the Everyone group from share permissions on your shared folders, or at least change the permissions to deny Full Control and Change permissions where appropriate. If you do remove the Everyone group from the share permissions, grant share permissions to specific users, because deleting Everyone means you are not allowing anyone access to the shared folder.
Securing Shared Folders

Windows peer-to-peer networking allows you to share the contents of your file system with other computers on the network. The following set of steps assumes that you have already shared one or more folders in your file system. By changing some of the default file system settings, you can make unauthorized access to your shared folders more difficult.
To secure a shared folder:
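The two preceding sections can be checked and partly enforced from the command line. The script below is an added example, not part of the Microsoft article: it lists the shares a computer offers with NET SHARE, shows and then tightens the NTFS permissions under a shared folder with CACLS, and removes a share that is no longer needed. Share-level permissions (the Everyone entry the article describes) are set in the folder's Sharing tab; the Windows 2000 command line has no built-in switch for them, so this script hardens the NTFS layer underneath, which applies to both network and local access. The folder path, share name, and user name are placeholders.

```batch
@echo off
rem Added example (not from the Microsoft article): audit shares and restrict the
rem NTFS permissions on a shared folder on Windows 2000 Professional.
rem Placeholders (assumptions): folder, share name and the user who keeps access.
set SHAREPATH=C:\Reports
set SHARENAME=Reports
set ALLOWUSER=jsmith

rem 1. List every share this computer offers, including the default C$ and ADMIN$
rem    administrative shares. Anything you do not recognise deserves a look.
echo Shares currently offered by %COMPUTERNAME%:
net share

rem 2. Show who can reach the folder on disk. On a newly created NTFS folder this
rem    usually includes "Everyone:(OI)(CI)F", i.e. Full Control for anyone who connects.
echo Current NTFS permissions on %SHAREPATH%:
cacls "%SHAREPATH%"

rem 3. Remove Everyone and grant one named user Read only. /E edits the existing ACL
rem    instead of replacing it, /T recurses into subfolders and files, and /C keeps
rem    going if one file cannot be changed. Check the step 2 output first: the
rem    Administrators and SYSTEM entries must remain, or you can lock yourself out.
cacls "%SHAREPATH%" /T /E /C /R Everyone
cacls "%SHAREPATH%" /T /E /C /G %ALLOWUSER%:R

rem 4. Verify the result before telling users the share is ready.
echo NTFS permissions after hardening:
cacls "%SHAREPATH%"

rem 5. If the share itself is no longer needed, stop offering it entirely
rem    (remove the leading "rem" to run it). The folder and its files stay on disk.
rem net share %SHARENAME% /delete
```

Because NTFS permissions are evaluated together with share permissions and the more restrictive result wins, removing Everyone at the NTFS level protects the folder even if someone later re-adds Everyone to the share, and it also covers users who log on at the console.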
Disabling or Deleting Unnecessary Accounts

After installing Windows 2000 Professional, disable or delete any user accounts that you do not require.
To disable an account:
Notes:
• A disabled account still exists, but the user is not permitted to log on. It appears in the Users details pane, but the icon has an X in it.
• When a user account is not disabled, the user is permitted to log on normally.
• The built-in Administrator account cannot be disabled.
To delete an account:
Securing User Accounts

By using passwords, disabling or deleting unnecessary accounts, and setting account lockout, you can reduce the chances of unauthorized access to your computer.
It is important to set passwords for all user accounts created on a Windows-based computer for two reasons. First, leaving a password blank allows anyone to access the computer by using that user account.
Second, by default, local user accounts without a password can only log directly on to a computer at the console logon screen and cannot log on remotely. This restriction does not apply to domain accounts or to the local Guest account. If the Guest account is enabled and has a blank password, it can be used to log on and access any resource on a peer-to-peer network authorized for access by the Guest account.
To set or reset a password for an existing user account:
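The account tasks from the last two sections (disabling or deleting unused accounts, setting a password on an account that has none, and setting account lockout) can all be done with NET USER and NET ACCOUNTS, which ship with Windows 2000. This is an added example, not a script from the Microsoft article. The account names "olduser" and "jsmith" are placeholders, and the lockout switches are assumed to be available on your build; confirm them with "net help accounts".

```batch
@echo off
rem Added example (not from the Microsoft article): local account hygiene on a
rem Windows 2000 Professional workgroup computer. Run from an Administrator
rem command prompt. "olduser" and "jsmith" are placeholder names (assumptions).

rem 1. List the local accounts so you can decide which ones are not needed.
net user

rem 2. Disable the Guest account. The article notes that Guest with a blank password
rem    can log on to a peer-to-peer network; a disabled account still exists and can
rem    be re-enabled later with /active:yes.
net user Guest /active:no

rem 3. Disable an account you are unsure about; delete one you know is not needed
rem    (remove the leading "rem"). Deleting is permanent: a new account with the same
rem    name gets a new security identifier and none of the old permissions.
net user olduser /active:no
rem net user olduser /delete

rem 4. Set a password on an account that has none. The "*" makes NET USER prompt
rem    for the password twice, so it never appears on the command line.
net user jsmith *

rem 5. Require passwords of at least 8 characters, and lock an account for
rem    30 minutes after 5 bad attempts within 30 minutes. The three lockout
rem    switches are an assumption; verify them with "net help accounts".
net accounts /minpwlen:8
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

rem 6. Show the resulting policy and confirm that Guest really is disabled
rem    ("Account active   No" in the NET USER output).
net accounts
net user Guest | find /i "Account active"
```

The built-in Administrator account cannot be disabled, as the article notes, so the password step in this script is the control that matters most for that account.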
Using a Firewall

A firewall is software or hardware that creates a protective barrier between your computer and potentially harmful content on the Internet. It helps guard against hackers and many computer viruses and worms. If your computer is running Windows 2000 Professional, Microsoft recommends that you get and install either a hardware or software firewall before connecting to the Internet.
Microsoft does not manufacture stand-alone software firewalls or hardware that includes a firewall. The following resources provide more information about some firewall options.
Hardware Firewalls
Hardware firewalls are a good choice for versions of the Windows operating system prior to Windows XP. Some home-networking hardware, such as wireless access points and broadband routers, comes with built-in hardware firewalls. These help protect most home networks. The Microsoft Broadband Networking Wireless Base Station is one example of a wireless access point with a built-in hardware firewall and other home networking features.
Software Firewalls
Software firewalls are available from several vendors, including BlackICE PC Protection, Computer Associates, McAfee Security, Symantec, Tiny Software, and ZoneAlarm.
To learn more about software firewalls made by other companies, hardware firewalls, and network routers, and for information about selecting a firewall for your computer, read Install a Firewall at http://go.microsoft.com/fwlink/?LinkId=22496.
If you have a different configuration, a small network, or want to learn more about firewalls, read Frequently Asked Questions about Firewalls at http://go.microsoft.com/fwlink/?LinkId=19713.
Updating Security Patches

A good way to keep up to date on security patches is to subscribe to Microsoft security bulletins, which arrive in your e-mail at about the same time as Automatic Update notifies you of available updates. Sign up to receive the security bulletins in e-mail at http://go.microsoft.com/fwlink/?LinkId=22339. In addition to staying informed through bulletins, there are a number of technologies that can help automate security patching.
The Automatic Update feature in Windows 2000 Service Pack 4 can automatically detect and download the latest security fixes from Microsoft. Automatic Update can be configured to automatically download fixes in the background and then prompt the user to install them after the download is complete.
To configure your computer for automatic updates:
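The "download in the background, then prompt to install" behaviour described above can also be applied with a .reg file instead of the Control Panel dialog, which is useful when the same setting has to be rolled out to several workgroup computers. This is an added example, not from the Microsoft article; the registry key and values are Microsoft's documented Automatic Updates policy settings and are an assumption here rather than something the article states, and REG.EXE used in the final check is assumed to come from the Windows 2000 Support Tools.

```batch
@echo off
rem Added example (not from the Microsoft article): set Windows 2000 SP4 Automatic
rem Updates to download fixes automatically and prompt before installing them.
rem The policy key below is Microsoft's documented Automatic Updates policy location
rem (assumption, not taken from the article). regedit.exe ships with Windows 2000.

set REGFILE=%TEMP%\au_download_then_prompt.reg

rem Build a .reg file. AUOptions: 2 = notify before download, 3 = download, then
rem notify before install (the behaviour the article describes), 4 = download and
rem install on a schedule. NoAutoUpdate 0 keeps Automatic Updates enabled.
> "%REGFILE%" echo Windows Registry Editor Version 5.00
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
>>"%REGFILE%" echo "NoAutoUpdate"=dword:00000000
>>"%REGFILE%" echo "AUOptions"=dword:00000003

rem /s imports silently, without the confirmation prompt. Requires Administrator rights.
regedit /s "%REGFILE%"
del "%REGFILE%"

rem The Automatic Updates service must be running for the setting to take effect.
net start | find /i "Automatic Updates" >nul
if errorlevel 1 echo Automatic Updates service is not running; start it from Services.

rem Read the key back to verify. REG.EXE is in the Windows 2000 Support Tools
rem (assumption); if it is not installed, open regedit and inspect the key by hand.
reg query "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU"
```

Because the values live under the Policies branch, they take precedence over whatever a user later picks in the Automatic Updates dialog, so the setting survives on shared computers where users are local administrators.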
Check Security with the Microsoft Baseline Security Analyzer

As part of Microsoft's Strategic Technology Protection Program, and in response to direct customer need for a streamlined method of identifying common security misconfigurations, Microsoft has developed the Microsoft Baseline Security Analyzer (MBSA).
In Windows 2000, Windows XP, and Windows Server 2003, the Microsoft Baseline Security Analyzer will report configurations that are not secure and patches that can be used to help fix the problem. The tests can be run locally or on remote computers.
To install Microsoft Baseline Security Analyzer:
Scanning for Updates and Patches
To use the MBSA to scan for updates and patches:
Scanning for Secure Configuration
To scan for secure configuration:
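Both MBSA scans described above (missing updates and weak configuration) can also be run from the command line with mbsacli.exe, which MBSA 1.x installs alongside its graphical interface; that is how you would scan the other computers in a workgroup on a schedule. This is an added example, not from the Microsoft article. The install path, the computer name PC02, and the /n, /c and /l switches are assumptions based on MBSA 1.x's own "mbsacli /?" help; check that help on your version before relying on them.

```batch
@echo off
rem Added example (not from the Microsoft article): run MBSA 1.x scans from the
rem command line. Path, computer name and switches are assumptions; see mbsacli /?.

set MBSA=C:\Program Files\Microsoft Baseline Security Analyzer\mbsacli.exe
if not exist "%MBSA%" (
    echo MBSA not found at "%MBSA%"; install it first.
    exit /b 1
)

rem 1. Full scan of this computer: operating system configuration, weak or blank
rem    passwords, and missing security updates. /n skips check groups you do not
rem    need; Windows 2000 Professional normally has neither IIS nor SQL Server, so
rem    skipping them keeps "not installed" noise out of the report.
"%MBSA%" /n IIS+SQL

rem 2. Scan another workgroup computer by name (remove the leading "rem"). This
rem    requires an administrator account on the target and File and Printer Sharing
rem    reachable from this computer, so run it from inside your own network.
rem "%MBSA%" /c WORKGROUP\PC02 /n IIS+SQL

rem 3. List the saved reports. MBSA stores them as XML under
rem    %USERPROFILE%\SecurityScans, so they can be kept as a before/after record.
"%MBSA%" /l
```

Re-running the same scan after applying the fixes in this document, and comparing the two reports, is the quickest way to confirm that the NTFS, share, account and update changes actually took effect on each computer.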
Related Information

For more information about securing Windows 2000, see the following:
• The Windows 2000 Security Hardening Guide page on the Microsoft Web site, where you can download the complete guide, at http://go.microsoft.com/fwlink/?LinkId=22380.
For more information about related topics on securing Windows 2000, see the following:
• The Threats and Countermeasures Guide page on the Microsoft Web site at http://go.microsoft.com/fwlink/?LinkID=15159.
• Microsoft's HotFix & Security Bulletin Service at http://go.microsoft.com/fwlink/?LinkId=22690.