Keep Score of System Security

By Jim Rapoza  |  Posted 2002-07-22

The consensus baseline security settings for Windows 2000 make it possible for IT administrators to configure Windows 2000 workstations with a high level of security.

The consensus baseline security settings for Windows 2000 make it possible for IT administrators to configure Windows 2000 workstations with a high level of security. Without the use of central group policies (such as those in Active Directory), however, this process could prove to be very time-consuming.

The security settings were announced last week by the Center for Internet Security; the SANS Institute; and several government agencies including the National Security Agency and the National Institute of Standards and Technology. Like many other security benchmarks available at, the Consensus Baseline Security Settings provide detailed steps that administrators can take to make systems more secure. Some of the recommendations go without saying—or at least have been said many times before—but their breadth and depth provide a solid guideline for IT administrators.

Also included is a reporting tool that lets administrators quickly gauge a system's compliance with these guidelines. Using the Security Scoring Tool along with the recommendations, eWeek Labs was able to efficiently boost the security settings of several Windows 2000 Professional workstations.

Administrators should keep in mind, however, that the recommendations are explicitly for Windows 2000 Professional workstation implementations. Systems being used as servers would fail many of the recommended settings, such as disabling Web and SMTP services.

Many of the settings are clearly optional, as they could disable enterprise applications or make it difficult to work with them. These include disabling Remote Registry Service—a security risk, but nonetheless used by many applications and support personnel.

We found the best way to work with these recommendations was to implement them systematically, then run the scoring tool to gauge progress. The settings recommendations included several registry changes for disabling things such as debugging and autoplay.

In addition to providing an overall score, the Security Scoring Tool generates several useful reports that contain links to patches and other related information. The scoring tool also includes Microsoft Corp.'s HFNetChk, which scans Windows systems for missing patches and updates.
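The implement-then-score loop described above, as an added example (not the Security Scoring Tool and not code from the article). The snapshot format, service names and registry values are assumptions for illustration, and treating optional settings such as Remote Registry as reported but not scored is a choice made here.

```python
# Added example, not the CIS Security Scoring Tool. Service names and registry
# values below are assumptions from common Windows hardening guidance; the
# article does not list the benchmark's exact keys.
EXPLORER = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer"
AEDEBUG = r"HKLM\Software\Microsoft\Windows NT\CurrentVersion\AeDebug"
BASELINE = [  # (check, kind, key, expected value, required?)
    ("web service disabled", "svc", "W3SVC", "disabled", True),
    ("smtp service disabled", "svc", "SMTPSVC", "disabled", True),
    ("remote registry disabled", "svc", "RemoteRegistry", "disabled", False),
    ("autoplay off on all drives", "reg", EXPLORER + r"\NoDriveTypeAutoRun", 255, True),
    ("automatic debugger off", "reg", AEDEBUG + r"\Auto", 0, True),
]

def parse_snapshot(text):
    """Parse constructed 'kind|key|value' lines into {(kind, key): value}."""
    rows = (l.split("|", 2) for l in text.splitlines() if l.strip())
    return {(k.strip(), key.strip().lower()): v.strip() for k, key, v in rows}

def matches(actual, expected):
    if actual is None:  # value absent: the OS default applies, so not compliant
        return False
    if isinstance(expected, int):
        try:
            return int(actual, 0) == expected  # accepts 255, 0xff, 0x000000ff
        except ValueError:
            return False
    return actual.lower() == expected

def score(snapshot):
    """Return (percent of required checks passed, failed required, failed optional)."""
    state = parse_snapshot(snapshot)
    failed_req, failed_opt = [], []
    for name, kind, key, expected, required in BASELINE:
        if not matches(state.get((kind, key.lower())), expected):
            (failed_req if required else failed_opt).append(name)
    total = sum(1 for check in BASELINE if check[4])
    return round(100 * (total - len(failed_req)) / total), failed_req, failed_opt

# Constructed snapshots of one workstation before and after hardening.
BEFORE = f"""svc|W3SVC|auto
svc|SMTPSVC|disabled
svc|RemoteRegistry|auto
reg|{AEDEBUG}\\Auto|1"""
AFTER = f"""svc|W3SVC|disabled
svc|SMTPSVC|disabled
svc|RemoteRegistry|auto
reg|{EXPLORER}\\NoDriveTypeAutoRun|0x000000ff
reg|{AEDEBUG}\\Auto|0"""
print(score(BEFORE), score(AFTER))
```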

East Coast Technical Director Jim Rapoza can be reached at

Jim Rapoza, Chief Technology Analyst, eWEEK. For nearly fifteen years, Jim Rapoza has evaluated products and technologies in almost every technology category for eWEEK. Mr. Rapoza's current technology focus is on all categories of emerging information technology, though he continues to focus on core technology areas that include content management systems, portal applications, Web publishing tools and security. Mr. Rapoza has coordinated several evaluations at enterprise organizations, including USA Today and The Prudential, to measure the capability of products and services under real-world conditions and against real-world criteria. Jim Rapoza's award-winning weekly column, Tech Directions, delves into all areas of technologies and the challenges of managing and deploying technology today.
