Guidelines for Securely Installing Windows 2000/XP

Before you begin, you will need the following items:
- The install media
- Windows Security Tool Kit CD
- Isolated network hub/switch
- Latest Service Pack(s) on CD
- Any other patches for ancillary services on CD
- HFNETCHK utility
Steps to follow:
- Disconnect the computer from the network. If the system must be connected to a network in order to install the network drivers, connect it to a hub/switch that has no connection to any other network, so that the system is not exposed to network-based attacks.
- Install Windows as you normally would. Be sure to set a password for the administrator account. Make the password as long as possible and use letters, numbers, and other characters. Do not use any words that can be found in a dictionary. This will help to defeat dictionary-based password attacks.
- Install all of the services you will be using. You will be patching them and stopping them before placing the machine on the active network. However, do not install "Simple TCP/IP Services." You don’t need them and they can be used in denial of service attacks.
- Place the machine in a workgroup at this point since it is not attached to a real network. The final step after it is fully patched is to add it to your local Windows domain.
- For Windows 2000, use the Microsoft Security Tool Kit CD and apply the patches. Since this is a CD it will usually lag behind the latest patches, but it is good for getting most O/S items patched. It can also be used to lock down IIS and cover additional possible security holes. Be sure to set a password on any local accounts you have created.
- Apply the latest Service Pack for the O/S, which is not contained on the Security Tool Kit CD. Also apply any other Service Packs that you have that are related to any additional services you have installed (SQL Server, etc.).
- Stop all services that are not needed in order to access the Windows Update Web Site, such as SNMP, IIS, FTP, SMTP, SQL Server, etc. At this point the computer should be patched well enough to gain access to the network.
- Access the Windows Update Web Site and apply the remaining patches for the O/S.
- Verify the patch level using HFNETCHK. See the instructions that come with HFNETCHK. Be sure you know the difference between a "Note", "Warning", and "Missing Patch" message. You will have to interpret the results from an HFNETCHK scan and determine what other security issues there may be in the context of how the computer will be used.
- Install any remaining patches for the ancillary services and any additional necessary patches found via HFNETCHK.
- Configure Windows Update Services to check daily and download patches. For client systems I highly recommend setting them to automatically apply needed patches and reboot if necessary. If it is a server, you may want to manually manage the reboots, thus you should set it to "download and notify you before install" on a daily basis.
- Install anti-virus software and, at the least, configure it to automatically update itself on a daily schedule. Some packages also allow auto-upgrading the scan engine. This is highly recommended.
- Once the machine meets the security patch level requirements, you can add it to your local Windows domain and turn on all of the necessary services.
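
One way to check the "stop all unnecessary services" step before the machine is moved to the live network. This is an added example, not part of the original guidelines: it reads the text printed by `net start` and flags running services from the checklist. The display-name fragments are assumed default names, and the sample output is constructed.

```python
# Added example: flag services the checklist says must not be running
# when the machine first goes online. Input is the text printed by
# `net start`, which lists the display names of started services.

# Checklist category -> lowercase display-name fragments (assumed default
# display names; adjust them to match the installation being checked).
STOP_BEFORE_ONLINE = {
    "SNMP": ("snmp service", "snmp trap"),
    "IIS": ("iis admin", "world wide web publishing"),
    "FTP": ("ftp publishing",),
    "SMTP": ("simple mail transfer protocol",),
    "SQL Server": ("mssql", "sqlserveragent"),
    # The checklist says not to install this one at all.
    "Simple TCP/IP Services": ("simple tcp/ip services",),
}

def running_services(net_start_output):
    """Return service display names; only indented lines are services."""
    return [line.strip() for line in net_start_output.splitlines()
            if line.startswith(" ") and line.strip()]

def services_to_stop(net_start_output):
    """Map checklist category -> running services that match it."""
    findings = {}
    for name in running_services(net_start_output):
        lowered = name.lower()
        for category, fragments in STOP_BEFORE_ONLINE.items():
            if any(fragment in lowered for fragment in fragments):
                findings.setdefault(category, []).append(name)
    return findings

# Constructed sample of `net start` output, for illustration only.
SAMPLE = """These Windows 2000 services are started:

   Automatic Updates
   FTP Publishing Service
   IIS Admin Service
   MSSQLSERVER
   Simple Mail Transfer Protocol (SMTP)
   Workstation
   World Wide Web Publishing Service

The command completed successfully.
"""

if __name__ == "__main__":
    for category, names in sorted(services_to_stop(SAMPLE).items()):
        print(f"Stop before connecting ({category}): {', '.join(names)}")
```
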
The following should aid you in keeping the machine up-to-date with security patches:
- Subscribe to all security bulletin e-mail services.
- Configure the machine to auto-download and apply security patches.
- Configure the anti-virus software and its signatures to auto-upgrade.
- When new patches are published, verify that the necessary machines received them, even if they are set to auto-update.