The consensus baseline security settings for Windows 2000 make it possible for IT administrators to configure Windows 2000 workstations with a high level of security, although without the use of central group policies (such as those in Active Directory), this process could prove to be very time-consuming.
The security settings were announced last week by the Center for Internet Security; the SANS Institute; and several government agencies including the National Security Agency and the National Institute of Standards and Technology. Like many other security benchmarks available at www.cisecurity.org, the Consensus Baseline Security Settings provide detailed steps that administrators can take to make systems more secure. Some of the recommendations go without saying—or at least have been said many times before—but their breadth and depth provide a solid guideline for IT administrators.
Also included is a reporting tool that lets administrators quickly gauge a system's compliance with these guidelines. Using the Security Scoring Tool along with the recommendations, eWeek Labs was able to efficiently boost the security settings of several Windows 2000 Professional workstations.
Administrators should keep in mind, however, that the recommendations are explicitly for Windows 2000 Professional workstation implementations. Systems being used as servers would fail many of the recommended settings, such as disabling Web and SMTP services.
Many of the settings are clearly optional, as they could disable enterprise applications or make it difficult to work with them. These include disabling Remote Registry Service—a security risk, but nonetheless used by many applications and support personnel.
We found the best way to work with these recommendations was to implement them systematically, then run the scoring tool to gauge progress. The settings recommendations included several registry changes for disabling things such as debugging and autoplays.
In addition to providing an overall score, the Security Scoring Tool generates several useful reports that contain links to patches and other related information. The scoring tool also includes Microsoft Corp.'s HFNetChk, which scans Windows systems for missing patches and updates.
East Coast Technical Director Jim Rapoza can be reached at [email protected]