Account Settings
Windows 2000 comes with two default accounts: Administrator and Guest. Both of these accounts can be renamed by using the Local Security Settings tool. Select the policy items Rename Administrator Account and Rename Guest Account to make these changes. The Guest account should also be disabled. I also change the password on the Guest account to something very long and very random just in case.
Every Windows 2000 workstation and server in the organization will have an Administrator account that is local to that machine and thus will require protection. To protect these accounts, a procedure should be established to define a very strong password for each of them. The password should be written down, sealed in an envelope, and stored in a locked cabinet.
Password Policy
The system password policy is defined by using the Local Security Settings tool. This screen allows you to set password parameters and strength requirements. As with any computer system, these settings should be made in accordance with your organization's security policy.
If you choose to enable the Passwords Must Meet Complexity Requirements setting, you will be invoking the default password filter (PASSFILT.DLL). This will require all passwords to be at least six characters long, not contain any component of the user name, and contain at least three of the following: numbers, symbols, lowercase, or uppercase.
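The three rules described above can be expressed as a small checker. The following is an added example written for this page; it is not code from the tutorial and not Microsoft's PASSFILT.DLL. It applies the minimum length, the "no component of the user name" rule and the three-of-four character-class rule to candidate passwords. How a "component" of the user name is delimited (splitting on spaces, dots, commas, hyphens, underscores and '#', ignoring parts shorter than three characters) is an assumption made here, and the user names and candidate passwords are constructed samples.

```python
"""PASSFILT-style complexity check for Windows 2000 passwords.

Added example, not code from the page or from Microsoft's PASSFILT.DLL.
It encodes the three rules the text attributes to the default filter:
at least six characters, no component of the user name, and characters
from at least three of the four classes (numbers, symbols, lowercase,
uppercase). How a "component" of the user name is delimited is an
assumption made here, not something the page specifies.
"""
import re

MIN_LENGTH = 6
MIN_CLASSES = 3
# Assumption: name components are runs of three or more characters
# between common separators (space, dot, comma, hyphen, underscore, '#').
SEPARATORS = re.compile(r"[ .,\-_#\t]+")
MIN_COMPONENT_LEN = 3

TOO_SHORT = "shorter than %d characters" % MIN_LENGTH
CONTAINS_NAME = "contains a component of the user name"
TOO_FEW_CLASSES = "uses fewer than %d character classes" % MIN_CLASSES


def username_components(*names):
    """Lower-cased set of each whole name plus each separator-delimited part."""
    parts = set()
    for name in names:
        name = name.strip().lower()
        if len(name) >= MIN_COMPONENT_LEN:
            parts.add(name)
        for token in SEPARATORS.split(name):
            if len(token) >= MIN_COMPONENT_LEN:
                parts.add(token)
    return parts


def character_classes(password):
    """Which of the four PASSFILT character classes the password draws on."""
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("uppercase")
        elif ch.islower():
            classes.add("lowercase")
        elif ch.isdigit():
            classes.add("number")
        else:
            classes.add("symbol")
    return classes


def check_complexity(password, account_name, full_name=""):
    """Return the list of violated rules; an empty list means the password passes."""
    failures = []
    if len(password) < MIN_LENGTH:
        failures.append(TOO_SHORT)
    lowered = password.lower()
    if any(part in lowered for part in username_components(account_name, full_name)):
        failures.append(CONTAINS_NAME)
    if len(character_classes(password)) < MIN_CLASSES:
        failures.append(TOO_FEW_CLASSES)
    return failures


if __name__ == "__main__":
    # Constructed sample candidates for a user "jsmith" / "John Smith"
    for candidate in ("Tr0ub4dor&", "Smith99!", "password1", "Ab1!"):
        verdict = check_complexity(candidate, "jsmith", "John Smith") or ["ok"]
        print("%-12s %s" % (candidate, "; ".join(verdict)))
```

Note that the checker reports every rule a candidate breaks rather than stopping at the first one, which is more useful when explaining a rejection to a user or when testing a local policy against a list of sample passwords.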
Unless absolutely necessary, you should not enable the Store Passwords Using Reversible Encryption setting.
Account Lockout Policy
The account lockout policy is configured using the Local Security Settings tool as well. These settings should be made according to your organization's security policy.
NOTE: The account lockout policy is used to prevent an attacker from conducting a brute-force attack to guess passwords. It can also be used to cause a denial-of-service condition to the entire user community. Therefore, it may be wise to consider the consequences of prolonged lockouts of the user community when setting this policy.
The lockout will not be enforced against the Administrator account. The Administrator account will always be able to log in from the system console.
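To reason about the trade-off in the note above before committing to values in the Local Security Settings tool, it helps to model how the three lockout parameters interact. The following is an added example written for this page, not code from the tutorial or from Windows itself. It models a lockout threshold, a lockout duration (with 0 meaning locked until an administrator unlocks) and a reset-counter window, and it exempts the built-in Administrator account as the text describes. Times are minutes on a simple counter, and the policy values and user names are constructed.

```python
"""Account lockout policy model.

Added example, not code from the page. It models the three lockout
parameters the Local Security Settings tool exposes (lockout threshold,
lockout duration, reset counter after) and the exemption of the built-in
Administrator account that the text describes. Times are minutes on a
simple counter; the policy values and user names are constructed.
"""
from dataclasses import dataclass
from typing import Dict, Optional


@dataclass
class LockoutPolicy:
    threshold: int = 5          # bad logons before lockout; 0 disables lockout
    duration_minutes: int = 30  # 0 means locked until an administrator unlocks
    reset_minutes: int = 30     # idle time after which the bad-logon counter resets


@dataclass
class AccountState:
    bad_count: int = 0
    last_bad: Optional[float] = None
    locked_until: Optional[float] = None


class LockoutTracker:
    def __init__(self, policy: LockoutPolicy, exempt=("Administrator",)):
        self.policy = policy
        self.exempt = {name.lower() for name in exempt}
        self.accounts: Dict[str, AccountState] = {}

    def _state(self, user):
        return self.accounts.setdefault(user.lower(), AccountState())

    def is_locked(self, user, now):
        st = self._state(user)
        return st.locked_until is not None and now < st.locked_until

    def record_failure(self, user, now):
        """Register a failed logon at time `now`; return True if the account is locked afterwards."""
        if user.lower() in self.exempt:
            return False                      # Administrator is never locked out
        st = self._state(user)
        if self.is_locked(user, now):
            return True
        if st.last_bad is not None and now - st.last_bad >= self.policy.reset_minutes:
            st.bad_count = 0                  # reset window elapsed since the last failure
        st.bad_count += 1
        st.last_bad = now
        if self.policy.threshold and st.bad_count >= self.policy.threshold:
            st.locked_until = (float("inf") if self.policy.duration_minutes == 0
                               else now + self.policy.duration_minutes)
            return True
        return False

    def record_success(self, user, now):
        """A correct password clears the counter, but cannot end an active lockout."""
        if self.is_locked(user, now):
            return False
        st = self._state(user)
        st.bad_count, st.last_bad, st.locked_until = 0, None, None
        return True

    def locked_users(self, now):
        """Accounts currently locked: the figure a help desk sees during a lockout storm."""
        return sorted(u for u in self.accounts if self.is_locked(u, now))


def run_scenario():
    """Constructed scenario: lockout, expiry, counter reset and the Administrator exemption."""
    tracker = LockoutTracker(LockoutPolicy(threshold=5, duration_minutes=30, reset_minutes=30))
    for minute in range(5):                   # five bad logons in a row lock alice
        tracker.record_failure("alice", minute)
    for minute in (0, 1, 2, 40, 41):          # bob: the counter resets before the fifth failure
        tracker.record_failure("bob", minute)
    for minute in range(20):                  # Administrator absorbs 20 failures unlocked
        tracker.record_failure("Administrator", minute)
    return {
        "alice_locked_at_10": tracker.is_locked("alice", 10),
        "alice_locked_at_34": tracker.is_locked("alice", 34),
        "bob_locked_at_41": tracker.is_locked("bob", 41),
        "admin_locked_at_19": tracker.is_locked("Administrator", 19),
        "locked_at_10": tracker.locked_users(10),
    }


if __name__ == "__main__":
    for key, value in run_scenario().items():
        print(key, value)
```

Running the scenario with different policy values shows the tension the note describes: a low threshold with a long or indefinite duration protects against password guessing but lets a burst of bad logons take many ordinary accounts out of service at once, while the Administrator account remains usable from the console throughout.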
Service Packs and Hot-Fixes
As of this writing, there is one service pack for Windows 2000. Additional hot-fixes and service packs will come out over time. As with Windows NT updates, service packs and hot-fixes should be implemented within an organization after appropriate testing.