Learn how to secure key Win2K areas
Whether you're looking for stronger security or greater reliability, you might be considering upgrading your Windows NT 4.0 servers to Windows 2000. The good news is that Win2K is inherently more secure than NT, but that doesn't mean you can simply deploy Win2K and expect to have a completely secure system. Keeping on top of your system security is as important in Win2K as it is in NT. However, in Win2K, you have much less up-front security work to do, and as long as you have a plan, good security is within your reach.
In this multipart series about security considerations for migrating from NT to Win2K, you'll discover the most important concerns to keep in mind during migration. In the first installment, you'll learn about the steps you take to initially configure Win2K: Patch the system, disable services, and enable basic security policies. In future installments, you'll learn about new features, such as Encrypted File System (EFS), Active Directory (AD), and IP Security (IPSec), and you'll learn how to approach and implement security with these new features.
Patch the System
The first task you perform after you install Win2K is to apply service packs and hotfixes. Shortly after Win2K's release, Microsoft released Service Pack 1 (SP1) for Win2K. SP1 fixes many security concerns, and you should install SP1 immediately after you install Win2K, before you do any system configuration. After installing SP1, consider installing the 20 or 30 hotfixes Microsoft has released since SP1. You might not need every hotfix, but reviewing them all to determine whether they apply to your installation is a good idea. The Web-exclusive sidebar "Where to Find Service Pack 1 and Hotfixes" gives you a few good starting points for finding SP1 and the hotfixes Microsoft has released since SP1.
Disable Services
After you patch your system, you need to disable any services you're not using. Disabling unused services is a general rule of securing NT and Win2K systems and, like closing ports, can go a long way toward securing your system. The top three services that you can typically disable with no repercussions are
- Telnet: Attackers can use this service's remote command-line access to run commands.
- Simple TCP/IP service: You typically need this service only when you have UNIX systems on your network.
- Remote Registry service: Attackers can use this service to fingerprint your system.
The top three services that I recommend disabling unless you need them are
- Microsoft IIS: Also disable its related services, such as FTP and Web hosting.
- TCP/IP NetBIOS Helper Service: NetBIOS support has been a concern previously because of several security vulnerabilities. Although the Win2K implementation has few reported problems, if you don't need the TCP/IP NetBIOS Helper Service, don't take the risk of leaving it enabled for intruders to exploit.
- Internet Authentication Service (IAS): Although no known IAS vulnerabilities exist, if you don't have VPN access, enabling this service is pointless.
Many other services are good candidates for disabling. Take the time to review services and disable any that you're not using. For more information about services you can disable, see Randy Franklin Smith's Windows IT Security articles "Dangerous Services, Part 1," InstantDoc ID 16301, "Dangerous Services, Part 2," InstantDoc ID 16363, and "Dangerous Services, Part 3," InstantDoc ID 16476 at http://www.WindowsITsecurity.com. An added benefit of disabling unused services could be a minor increase in performance and faster boot times. Because Win2K includes Win2K Server Terminal Services, which was previously available only in a separate version of NT, you might want to look at this service in detail and decide whether you want to use it. The Web-exclusive sidebar "Terminal Services: Friend and Foe" discusses this service and the security considerations involved in using it.
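To check a server against the two lists above, the following added example (not part of the original article) parses a regedit text export of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and reports every listed service whose Start value is not 4 (disabled). The registry key names for the services and the sample export are assumptions that do not appear in the article; confirm the key names on your own build.

```python
import re

# Registry key names for the services the article lists. The names are not on
# the page (assumption); confirm them under ...\Services on your own server.
DISABLE = {"TlntSvr": "Telnet", "SimpTcp": "Simple TCP/IP Services",
           "RemoteRegistry": "Remote Registry"}
REVIEW = {"W3SVC": "IIS Web", "MSFTPSVC": "IIS FTP",
          "LmHosts": "TCP/IP NetBIOS Helper", "IAS": "Internet Authentication Service"}
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}
KEY_RE = re.compile(
    r"^\[HKEY_LOCAL_MACHINE\\SYSTEM\\CurrentControlSet\\Services\\([^\\\]]+)\]$", re.I)
START_RE = re.compile(r'^"Start"=dword:([0-9a-fA-F]{8})$')

def parse_start_types(reg_text):
    """Map service key name -> Start value from a regedit export of ...\\Services."""
    services, current = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("["):
            m = KEY_RE.match(line)
            current = m.group(1) if m else None  # subkeys such as \Enum are skipped
        elif current:
            m = START_RE.match(line)
            if m:
                services[current] = int(m.group(1), 16)
    return services

def audit(reg_text):
    """Return (tier, service, start type) for each listed service not disabled."""
    found = {k.lower(): v for k, v in parse_start_types(reg_text).items()}
    findings = []
    for tier, table in (("disable", DISABLE), ("review", REVIEW)):
        for key, name in table.items():
            start = found.get(key.lower())  # None means the service is not installed
            if start is not None and start != 4:
                findings.append((tier, name, START_TYPES.get(start, str(start))))
    return findings

# Constructed sample export (not taken from a real server).
SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\TlntSvr]
"Start"=dword:00000003
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W3SVC]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LmHosts\Enum]
"Count"=dword:00000001
"""
```

A service set to manual is still reported, because it can be started on demand; only a Start value of 4 counts as disabled.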
Enable Basic Security Policies
The topic of AD configuration and security is too big for me to cover in this article. (For more information about AD, see "Related Articles." Also, a future installment in this series will cover AD.) Let's look at how you can increase Win2K security when you don't have AD installed. In NT, you enable auditing and security features in User Manager or in the individual user account settings. In Win2K, you use the Microsoft Management Console (MMC) Local Security Settings snap-in to configure auditing and security features. To open the Local Security Settings snap-in, click Start, Programs, Administrative Tools, Local Security Policy. With this tool, you can control many security settings, some for general security, some for Kerberos security, and some for AD security. Let's cover the few general security features you can set up quickly and without AD installed. In the left pane of the Local Security Settings window, which Figure 1 shows, you see four basic groups: Account Policies, Local Policies, Public Key Policies, and IP Security Policies. I discuss only Account Policies and Local Policies here because the other policies are dependent on Kerberos and IPSec, which are beyond the scope of this article and which I plan to cover later in this series.