Preface

Until recently, few system administrators believed that Windows NT was a reasonable platform to use as a web server or as any other type of system exposed to the Internet. Most Internet servers have historically been based on Unix, and most experienced system administrators have regarded Windows NT as unsecure — suitable for use as a file or print server, but not to be trusted for critical business applications.

Unix still tends to be the first choice as a platform for an Internet server, but as Windows NT becomes more secure, and as more administrators gain experience with it, Windows NT (and now Windows 2000) systems are emerging as viable platforms for Internet servers. More and more organizations are now entrusting the full spectrum of business activities to Windows NT. Today, about 20% of all web servers on the Internet are using Windows NT,[1] many of them for e-commerce.

This book assumes that you’ve already made the decision to use Windows NT or Windows 2000. It presents very specific instructions for installing and configuring your software in a way that will make your system as safe as possible, particularly when it’s used as an exposed host on a public network — for example, as a web server on the Internet.

Tip

If you follow the advice given in this book, your Internet server will be quite secure against known Internet threats. Nevertheless, remember that new threats are always coming along. Remember also that for systems requiring extremely tight security you need to consider using additional measures.

This book is not a complete security primer or even an exposition on every aspect of Windows NT/2000 security. I’ve deliberately pared down the text so it presents installation and configuration instructions in a highly concise, checklist-type format. I see this book as one you’ll read through, and then carry around with you to check your work as you secure your Windows NT or 2000 server, step-by-step. I’ve assumed that you’re already familiar with basic Windows NT/2000 operations and that you already know a fair amount about the security of these systems. This is not a book for novices. If you don’t have basic knowledge about Windows NT/2000 and network security already, I strongly recommend that you pick up one or all of the references listed here and that you start following some of the mailing lists mentioned in Chapter 7.

Tip

Email addresses and URLs change. The information in this book was current at the time of publication. I’ll try to keep references and other contact information in the book up-to-date on the O’Reilly web site (http://www.oreilly.com/catalog/securwinserv/).

Building Internet Firewalls, Second Edition by Elizabeth D. Zwicky, Simon Cooper, and D. Brent Chapman, O’Reilly & Associates, 2000 (ISBN 1-56592-871-7). This is a practical and detailed guide that provides step-by-step explanations for designing and installing firewalls, as well as configuring Internet services to work with a firewall.

Inside Microsoft® Windows® 2000, Third Edition by David A. Solomon and Mark E. Russinovich, Microsoft Press, 2000 (ISBN 0-7356-1021-5). If you want to understand Windows NT/Windows 2000 internals, this is the book for you.

TCP/IP Illustrated Volume 1: The Protocols by W. Richard Stevens, Addison-Wesley, 1994 (ISBN 0-201-63346-9). This is the definitive guide to the TCP/IP protocol suite. It’s one of the best books I’ve read and I recommend it to anyone who wants to understand TCP/IP network communication.

MS Windows NT Server from a UNIX Point of View, Microsoft Corporation, 1997 (http://www.microsoft.com/ntserver/nts/techdetails/overview/WpGlobal.asp). This white paper presents some of the core design decisions that were made while building the Windows NT operating system, as well as a very good technical introduction to the operating system.

Windows 2000 Server Resource Kit, Microsoft Corporation, 2000 (ISBN 1-57231-805-8). This resource kit consists of seven books (over 700 pages!) and a CD-ROM that contains useful tools and utilities. The books are very technical and cover most aspects of Windows administration in great detail.

Contents of This Book

Conceptually, this book is divided into three parts. The first chapter serves as an introduction to perimeter network design and discusses Windows-specific issues in such an environment. It provides the background necessary to understand the rest of the book. Chapter 2 and Chapter 3 are practical guides about how to secure Windows NT and Windows 2000 to a very high level. Chapter 4 through Chapter 7 focus on system management topics such as remote administration, backups, and remote logging.

The following list provides a brief overview of each chapter:

Chapter 1 provides an introduction to Internet security issues and the concept of a perimeter network and its components (focusing on the bastion host). It includes an overview of the Windows NT/2000 architecture and the specific security issues related to this architecture.

Chapter 2 recommends a strategy for building a Windows NT bastion host.

Chapter 3 summarizes the differences between Windows NT and Windows 2000 and provides an introduction to the IP security protocol (IPSec) implementation in Windows 2000.

Chapter 4 presents three secure remote management solutions. Two are commercially supported solutions and one is based on platform-independent products and protocols.

Chapter 5 discusses the issues involved in backing up a bastion host and gives a brief overview of the built-in backup software available in Windows.

Chapter 6 explains the Windows auditing and event log system mechanism. It presents a strategy for remote logging and time synchronization, and it introduces intrusion detection.

Chapter 7 describes some methods that will assist in maintaining the security of the perimeter network and its components.

Appendix A lists commonly used TCP/IP ports in Windows NT/2000 and in Microsoft Back Office Applications.

Appendix B lists helpful articles from the Microsoft Support Knowledge Base.

Appendix C contains instructions for building the OpenSSH binaries from scratch. (Note that a precompiled version is available from the O’Reilly web site.)



[1] Netcraft Web Server Survey (http://www.netcraft.com/survey/).
