Special Publication 800-43 Systems Administration Guidance for Securing Microsoft Windows 2000 Professional System Recommendations of the National Institute of Standards and Technology Murugiah Souppaya Anthony Harris Mark McLarnon Nikolaos Selimis This page intentionally left blank NIST Special Publication 800-43 Systems Administration Guidance for Securing Microsoft Windows 2000 Professional System Recommendations of the National Institute of Standards and Technology Send Comments to [email protected] C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 November 2002 U.S. Department of Commerce Donald L. Evans, Secretary Technology Administration Phillip J. Bond, Under Secretary for Technology National Institute of Standards and Technology Arden L. Bement, Jr., Director This page intentionally left blank Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-43 Natl. Inst. Stand. Technol. Spec. Publ. 800 -43, 192 pages (November 2002) CODEN: XXXXX Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply reco mmendation or endorsement by the National Institute of Standards and Techn ology, nor is it intended to imply that the entities, materials, or equipment are necessa rily the best available for the purpose. U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 2001 For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov — Phone: (202) 512-1800 — Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 Acknowledgements The authors Murugiah Souppaya of NIST and Anthony Harris, Nikolaos Selimis, and Mark McLarnon of Booz Allen Hamilton wish to thank Timothy Grance and John Wack, staff at NIST, the National Security Agency, Steve Lipner, Jesper Johansson, and Kirk Soluk from Microsoft, and the entire Security Professional community for providing valuable contributions to the technical content of this guide. Additionally, the authors also thank the Defense Information Systems Agency (DISA), the Center for Internet Security (CIS), and SysAdmin Network Security Institute (SANS) for their valuable contributions to the baseline and their continued efforts to improve security in this and in other similar efforts. Trademark Information Microsoft, MS-DOS, Windows, Windows 2000, Windows NT, SMS, Systems Management Server, Internet Explorer (IE), Microsoft Office, Outlook, and Microsoft Word are either registered trademarks or trademarks of Microsoft Corporation in the United States and other countries. Symantec and Norton AntiVirus are registered trademarks of Symantec Corporation. Netscape and Netscape Communicator are registered trademarks of Netscape Communications Corporation. McAfee, VirusScan, Network Associates, and NAI are registered trademarks of Network Associates Technology, Inc. F-Secure is a registered trademark of F-Secure Corporation. Qualcomm and Eudora are registered trademarks of Qualcomm Incorporated. IBM and LanDesk are registered trademarks of IBM Corporation. All other names are registered trademarks or trademarks of their respective companies. NIST SPECIAL PUBLICATION 800-43 Table of Contents Executive Summary ..............................................................................................................ES-1 1. Introduction...................................................................................................................... 1-1 1.1 Authority .................................................................................................................. 1-1 1.2 Purpose and Scope................................................................................................. 1-1 2. Windows 2000 Security Components Overview........................................................... 2-1 2.1 Kerberos Support .................................................................................................... 2-1 2.2 Smart Card Logon Support ..................................................................................... 2-1 2.3 PKI Support............................................................................................................. 2-2 2.4 IPsec Support.......................................................................................................... 2-2 2.5 PPTP And L2TP Support ........................................................................................ 2-3 2.6 Encrypting File System Support .............................................................................. 2-3 3. Stand-Alone Versus Domain Member ........................................................................... 3-1 3.1 Stand-Alone............................................................................................................. 3-1 3.2 Domain.................................................................................................................... 3-1 4. Security Configuration Tool Set..................................................................................... 4-1 4.1 Windows 2000 Security Templates ......................................................................... 4-1 4.2 Analysis and Configuration...................................................................................... 4-2 4.3 Group Policy Distribution......................................................................................... 4-5 4.4 Secedit .................................................................................................................... 4-6 4.4.1 Secedit Syntax............................................................................................. 4-6 4.4.2 Secedit Advantages..................................................................................... 4-6 4.5 Creating Security Templates ................................................................................... 4-6 4.6 Summary of Recommendations .............................................................................. 4-9 5. Auditing and Event Logging........................................................................................... 5-1 5.1 Systemwide Auditing............................................................................................... 5-1 5.2 Individual File Auditing ............................................................................................ 5-3 5.3 Summary of Recommendations .............................................................................. 5-4 6. Windows 2000 Professional Installation ....................................................................... 6-1 6.1 Why Choose NTFS? ............................................................................................... 6-1 6.2 How to Convert Non-NTFS Partitions ..................................................................... 6-1 6.3 Other settings.......................................................................................................... 6-2 6.4 Creating and Protecting the ERD ............................................................................ 6-2 6.4.1 How to Create an ERD ................................................................................ 6-3 6.4.2 How to Protect ERD..................................................................................... 6-3 6.4.3 How to Protect ERD Backup........................................................................ 6-4 6.5 Summary of Recommendations .............................................................................. 6-5 7. Updating and Patching Guidelines................................................................................ 7-1 7.1 Windows 2000 Professional Updates...................................................................... 7-1 7.2 Windows 2000 Patching Resources........................................................................ 7-3 7.2.1 Internet Security Portals .............................................................................. 7-3 7.2.2 Windows Update Web Site .......................................................................... 7-4 7.3 Summary of Recommendations .............................................................................. 7-5 vii NIST SPECIAL PUBLICATION 800-43 8. Windows 2000 Pro Configuration Guidelines............................................................... 8-1 8.1 Securing the File System Using ACLs .................................................................... 8-1 8.1.1 File
Details
-
File Typepdf
-
Upload Time-
-
Content LanguagesEnglish
-
Upload UserAnonymous/Not logged-in
-
File Pages192 Page
-
File Size-