Special Publication 800-43 System Administration Guidance for Securing Microsoft Windows 2000 Professional System Recommendations of the National Institute of Standards and Technology Murugiah Souppaya Anthony Harris Mark McLarnon Nikolaos Selimis Version 2002.01.28 Send Comments to [email protected] NIST Special Publication 800-43 System Administration Guidance for Securing Microsoft Windows 2000 Professional System Recommendations of the National Institute of Standards and Technology Murugiah Souppaya, Anthony Harris Mark McLarnon , Nikolaos Selimis Send Comments to [email protected] C O M P U T E R S E C U R I T Y Computer Security Division Information Technology Laboratory National Institute of Standards and Technology Gaithersburg, MD 20899-8930 January 2002 U.S. DEPARTMENT OF COMMERCE Donald L. Evans, Secretary TECHNOLOGY ADMINISTRATION Phillip J. Bond, Under Secretary for Technology NATIONAL INSTITUTE OF STANDARDS AND TECHNOLOGY Arden L. Bement, Jr., Director ii Reports on Computer Systems Technology The Information Technology Laboratory (ITL) at the National Institute of Standards and Technology (NIST) promotes the U.S. economy and public welfare by providing technical leadership for the Nation’s measurement and standards infrastructure. ITL develops tests, test methods, reference data, proof of concept implementations, and technical analysis to advance the development and productive use of information technology. ITL’s responsibilities include the development of technical, physical, administrative, and management standards and guidelines for the cost-effective security and privacy of sensitive unclassified information in Federal computer systems. This Special Publication 800-series reports on ITL’s research, guidance, and outreach efforts in computer security, and its collaborative activities with industry, government, and academic organizations. National Institute of Standards and Technology Special Publication 800-43 Natl. Inst. Stand. Technol. Spec. Publ. 800-43, 163 pages (Dec. 2001) Certain commercial entities, equipment, or materials may be identified in this document in order to describe an experimental procedure or concept adequately. Such identification is not intended to imply recommendation or endorsement by the National Institute of Standards and Technology, nor is it intended to imply that the entities, materials, or equipment are necessarily the best available for the purpose. U.S. GOVERNMENT PRINTING OFFICE WASHINGTON: 2001 For sale by the Superintendent of Documents, U.S. Government Printing Office Internet: bookstore.gpo.gov — Phone: (202) 512-1800 — Fax: (202) 512-2250 Mail: Stop SSOP, Washington, DC 20402-0001 iii NIST WIN2K DRAFT FOR PUBLIC COMMENT Disclaimer Certain products are described in this document as examples only. Inclusion or exclusion of any product does not imply endorsement or non-endorsement by NIST or any agency of the U.S. Government. Inclusion of a product name does not imply that the product is the best or only product suitable for the specified purpose. Acknowledgements The authors Murugiah Souppaya of NIST and Anthony Harris, Nikolaos Selimis, and Mark McLarnon of Booz Allen and Hamilton wish to thank Timothy Grance and John Wack, staff at NIST, the National Security Agency, Microsoft, and the Security Professional community for providing valuable contributions to the technical content of this guide. Trademark Information Microsoft, MS-DOS, Windows, Windows 2000, Windows NT, SMS, Systems Management Server, Internet Explorer, IE, Microsoft Office, Outlook, and Microsoft Word are either registered trademarks or trademarks of Microsoft Corporation in the U.S.A. and other countries. Symantec and Norton AntiVirus are registered trademarks of Symantec Corporation. Netscape and Netscape Communicator are registered trademarks of Netscape Communications Corporation. McAfee, VirusScan, Network Associates, and NAI are registered trademarks of Network Associates Technology Incorporated. F-Secure is a registered trademark of F-Secure Incorporated. Qualcomm and Eudora are registered trademarks of Qualcomm Incorporated. IBM and LanDesk are registered trademarks of IBM Corporation. All other names are registered trademarks or trademarks of their respective companies. iv NIST WIN2K DRAFT FOR PUBLIC COMMENT Table of Contents 1. INTRODUCTION................................................................................................................. 1 1.1 AUTHORITY ................................................................................................................. 1 1.2 PURPOSE AND SCOPE....................................................................................................... 2 1.3 OBJECTIVE ....................................................................................................................... 2 1.4 AUDIENCE AND ASSUMPTIONS ........................................................................................ 2 1.5 DOCUMENT STRUCTURE .................................................................................................. 2 2. WINDOWS 2000 SECURITY COMPONENTS OVERVIEW........................................ 4 2.1 KERBEROS SUPPORT ........................................................................................................ 4 2.2 SMART CARD LOGON SUPPORT ....................................................................................... 5 2.3 PKI SUPPORT................................................................................................................... 5 2.4 IPSEC SUPPORT ................................................................................................................ 5 2.5 PPTP AND L2TP SUPPORT.............................................................................................. 6 2.6 ENCRYPTING FILE SYSTEM SUPPORT ............................................................................... 6 3. STANDALONE VS DOMAIN MEMBER ......................................................................... 7 3.1 STANDALONE................................................................................................................... 7 3.2 DOMAIN........................................................................................................................... 7 4. SECURITY CONFIGURATION TOOL SET................................................................... 9 4.1 WINDOWS 2000 SECURITY TEMPLATES........................................................................... 9 4.2 ANALYSIS AND CONFIGURATION ................................................................................... 10 4.3 GROUP POLICY DISTRIBUTION ....................................................................................... 13 4.4 SECEDIT ......................................................................................................................... 14 4.4.1 Secedit Syntax ......................................................................................................................................14 4.4.2 Secedit Advantages ..............................................................................................................................15 4.5 CREATING SECURITY TEMPLATES.................................................................................. 15 4.6 SUMMARY OF RECOMMENDATIONS .................................................................. 18 5. AUDITING AND EVENT LOGGING ............................................................................. 19 5.1 SYSTEM-WIDE AUDITING .............................................................................................. 19 5.2 INDIVIDUAL FILE AUDITING........................................................................................... 21 5.3 SUMMARY OF RECCOMENDATIONS ................................................................................ 22 6. WINDOWS 2000 PROFESSIONAL INSTALLATION................................................. 23 6.1 WHY CHOOSE NTFS?.................................................................................................... 23 6.2 HOW TO CONVERT NON-NTFS PARTITIONS ................................................................. 24 6.3 OTHER SETTINGS............................................................................................................ 24 6.4 CREATING AND PROTECTING THE ERD......................................................................... 24 6.4.1 How to Create an ERD ........................................................................................................................25 6.4.2 How to Protect ERD ............................................................................................................................26 6.4.3 How to Protect ERD Backup ...............................................................................................................26 6.5 SUMMARY OF RECOMMENDATIONS ............................................................................... 27 7. UPDATING AND PATCHING GUIDELINES............................................................... 28 7.1 WINDOWS 2000 PROFESSIONAL UPDATES ..................................................................... 28 7.2 WINDOWS 2000 PATCHING RESOURCES ........................................................................ 29 v NIST WIN2K DRAFT FOR PUBLIC COMMENT 7.2.1 Internet Security Portals......................................................................................................................29 7.2.2 Windows Update Web Site...................................................................................................................30