You are previewing Securing Windows NT/2000 Servers for the Internet.
O'Reilly logo
Securing Windows NT/2000 Servers for the Internet

Book Description

In recent years, Windows NT and Windows 2000 systems have emerged as viable platforms for Internet servers. More and more organizations are now entrusting the full spectrum of business activities--including e-commerce--to Windows. Unfortunately, the typical Windows NT/2000 installation makes a Windows server an easy target for attacks, and configuring Windows for secure Internet use is a complex task. Securing Windows NT/2000 Servers for the Internet suggests a two-part strategy to accomplish the task:

  • "Hardening" any Windows server that could potentially be exposed to attacks from the Internet, so the exposed system (known as a "bastion host") is as secure as it can be.

  • Providing extra security protection for exposed systems by installing an additional network (known as a "perimeter network") that separates the Internet from an organization's internal networks.

  • Introduction--Windows NT/2000 security threats, architecture of the Windows NT/2000 operating system and typical perimeter networks.

  • How to build a Windows NT bastion host.

  • Configuring Windows and network services, encrypting the password database, editing the registry, setting system policy characteristics, performing TCP/IP configuration, configuring administrative tools, and setting necessary permissions.

  • Differences between Windows NT and Windows 2000 security including IPSec (IP Security Protocol) configuration.

  • Secure remote administration--SSH, OpenSSH, TCP Wrappers, the Virtual Network Console, and the new Windows 2000 Terminal Services.

  • Windows NT/2000 backup, recovery, auditing, and monitoring--event logs, the audit policy, time synchronization with NTP (Network Time Protocol), remote logging, integrity checking, and intrusion detection.

  • Securing Windows NT/2000 Servers for the Internet is a concise guide that pares down installation and configuration instructions into a series of checklists aimed at Windows administrators. Topics include:

    Administrators who carefully follow the detailed instructions provided in this book will dramatically increase the security of their Windows NT/2000 Internet servers.

    Table of Contents

    1. Securing Windows NT/2000 Servers for the Internet
      1. Dedication
      2. Preface
        1. Contents of This Book
        2. Conventions Used in This Book
        3. Free Software Described in This Book
        4. Comments and Questions
        5. Acknowledgments
      3. 1. Windows NT/2000 Security
        1. Internet Threats
        2. Building a Secure Site on the Internet
          1. Hardening the Bastion Host
          2. Configuring the Perimeter Network
            1. The perimeter network architecture
          3. Components in the Perimeter
            1. A perimeter network example
        3. The Windows NT/2000 Architectures
          1. Windows NT/2000 Subsystems and Services
          2. Windows NT Networking
            1. NetBIOS
            2. Server Message Block (SMB)
            3. NT networking architecture
        4. Windows NT/2000 in the Perimeter Network
          1. Least Privilege
          2. Separate Ports
        5. Cryptography Basics
          1. Public Key Cryptography
          2. Symmetric Key Cryptography
            1. Stream ciphers
            2. Block ciphers
          3. Hash Algorithms
      4. 2. Building a Windows NT Bastion Host
        1. Installation
          1. Installing the Windows NT Operating System
          2. Installing Service Packs
          3. Installing Additional Software
          4. Reapplying the Service Pack
          5. Installing Hotfixes
        2. Using the Security Configuration Editor
        3. Basic Configuration
          1. Configuring Network Services
          2. Disabling NetBIOS
          3. Configuring Windows NT Services
          4. Configuring System Processes
          5. Renaming the Administrator Account
          6. Configuring the Guest Account
        4. Advanced Configuration
          1. Protecting the System Accounts Database
          2. Setting Miscellaneous Registry Values
            1. Setting Winlogon options
            2. Protecting base objects
            3. Disabling 8.3 filename creation
          3. Disabling Dump File Creation
          4. Disabling Unused and Potentially Dangerous Components
            1. Disabling unused subsystems
            2. Protecting unused services and drivers
            3. Protecting unneeded executables
        5. Setting System Policies
          1. Specifying the Account Policy
          2. Setting Privileges and Rights
        6. TCP/IP Configuration
          1. Configuring TCP/IP Security Settings
          2. Protecting Against SYN Flooding
            1. How SYN flooding works
            2. The SYN attack protection feature
            3. TCP SYN/ACK retransmission
            4. Winsock application backlog
          3. Configuring the TCP Keep-Alive Timer
          4. Configuring Path MTU Discovery
          5. Configuring Source Routing
          6. Configuring Dead Gateway Detection
          7. Configuring Router Discovery
          8. Configuring ICMP Redirects
          9. Configuring Open Ports
        7. Configuring Administrative Tools and Utilities
        8. Setting Permissions
          1. Setting File-Level Permissions
          2. Setting Registry Permissions
      5. 3. Building a Windows 2000 Bastion Host
        1. Differences Between the Systems
          1. Installing Windows 2000
          2. Installing Service Packs and Hotfixes
          3. Configuring Windows 2000 Services
          4. Disabling NetBIOS
          5. Configuring System Processes
          6. Protecting the System Accounts Database
          7. Configuring Complex Passwords
          8. Configuring TCP/IP Security Settings
          9. Configuring Router Discovery
          10. Configuring Open Ports
        2. IPSec in Windows 2000
          1. IPSec Features
            1. Message integrity and anti-replay
            2. Confidentiality
            3. Security Associations
            4. IPSec modes of operation
            5. Host authentication
          2. Configuring IPSec
            1. Filters and filter lists
            2. Policies and rules
            3. Verifying your IPSec connection
          3. Using IPSec Network Access Control
      6. 4. Setting Up Secure Remote Administration
        1. Symantec pcAnywhere
          1. Configuring pcAnywhere
          2. Configuring pcAnywhere Registry Settings
        2. Windows 2000 Terminal Services
          1. Configuring Terminal Services for Remote Administration
          2. Copying Files over RDP
        3. Open Source (SSH, Cygwin, TCP Wrappers, and VNC)
          1. Getting Started with the Secure Shell
            1. SSH encryption
            2. SSH example
            3. SSH port forwarding
          2. The Cygwin Library
            1. Using Cygwin
            2. Installing and configuring Cygwin
          3. Configuring the SSH Daemon
            1. Setting up the SSH server
            2. Testing the configuration
            3. Installing the SSH daemon as an NT service
          4. TCP Wrappers
          5. Setting Up the SSH Client
          6. Virtual Network Computing ( VNC)
            1. Dealing with VNC security issues
            2. Connecting to a remote computer with SSH and VNC
      7. 5. Backing Up and Restoring Your Bastion Host
        1. Defining Your Backup Policy
        2. Backup Methods
          1. Local Backups
          2. Backups over the Network
        3. Types of Backups
          1. Making a Golden Image
          2. Performing a Full System Backup
          3. Performing Incremental Backup
          4. Performing Differential Backup
        4. Backup Software
          1. Windows NT Backup
          2. Windows 2000 Backup
      8. 6. Auditing and Monitoring Your Perimeter Network
        1. System Auditing in Windows
          1. The Event Logs
            1. The log files
            2. Security audit failure
            3. Additional registry settings
          2. Configuring Auditing
            1. File and object access auditing
            2. Auditing of the registry
        2. Time Synchronization Using NTP
          1. Installing NTP on Windows
          2. Deploying NTP
        3. Remote Logging and Log Management
          1. Remote Logging Using Syslog
            1. The syslog client—NTsyslog
            2. Windows syslog daemons
          2. Log Management
        4. Integrity Checking
          1. General Problems with Integrity Checking
          2. Windows-Specific Issues
            1. Security descriptors
            2. NTFS alternate data streams
            3. Registry awareness
          3. Tripwire
        5. Network-Based Intrusion Detection Systems
      9. 7. Maintaining Your Perimeter Network
        1. Setting Up Policies and Procedures
        2. Performing Third-Party Audits
          1. The Black-Box Approach
          2. The White-Box Approach
        3. Staying Informed
          1. Mailing Lists
            1. Bugtraq
            2. NTBugtraq
            3. Firewalls
            4. Firewall Wizards
            5. Windows 2000 Security Advice
          2. Vendor-Specific Information
      10. A. Well-Known Ports Used by Windows NT/2000
      11. B. Security-Related Knowledge Base Articles
      12. C. Build Instructions for OpenSSH on Cygwin
      13. Index
      14. Colophon