- The Windows 2000\XP\.NET Resource Index
Home | About Us | Search

Last Updated December 16, 2003

Windows 2000
Windows XP
Book Reviews
Career Tools
Device Drivers
Hardware Guides
MCSE Toolkit
Service Packs
  Articles & Whitepapers
  Books on Security
  Disaster Recovery
  FAQ's & Tutorials
  Incident Response
  Intrusion Detection
  Legal Resources
  Online Seminars
  Password Security
  Security Links
  Securing Networks










Securing Workstations, Servers, and Networks

Where to Start

Windows 2000 Installation Security Checklist
Our security checklist for locking down Windows 2000 Servers and Workstations. This is a live document that will be updated continuously as new recommendations are posted by Microsoft.

Analyze System Security in Windows 2000
Microsoft Knowledge Base Article: Q313203 - This step-by-step article describes how you can use the Security Configuration and Analysis snap-in to analyze and configure security on a Windows 2000-based computer.

Microsoft Windows 2000 Security Configuration Guide -- Introduction
This document provides guidance to allow for the secure installation and configuration of Windows 2000 in accordance with the Windows 2000 Common Criteria Security Target (ST) which provides a set of security requirements taken from the Common Criteria (CC) for Information Technology Security Evaluation. Source:

Microsoft Solution for Securing Windows 2000 Server
To help customers deploy its products more securely, Microsoft is developing free security solutions that address their business needs. The first solution©Securing Windows? 2000 Server©is aimed at helping customers reduce their security risks while lowering their security management costs. The Securing Windows 2000 Server Solution is delivered in 11 chapters, plus a Test Guide, a Delivery Guide, and a Support Readiness Guide, each with applicable job aids, script files and test cases. Source:

Security Operations Guide for Windows 2000 Server
This guide delivers procedures and best practices for system administrators to lock down their Windows 2000-based servers and maintain secure operations once they're up and running. Through effective use of Group Policy, proper patch management, and auditing and intrusion detection tactics, this guide provides administrators with the key information to manage risk of attack from avoidable malicious code (such as viruses and Trojan horses), unauthorized access, and data theft. Source:

Securing Windows 2000 Network Resources
Administration of a Microsoft Windows 2000 operating system-based network is a important task that has become much simpler. The administration tools and the directory service infrastructure (for user accounts and authentication) provide and control access to network and application resources. This guide focuses on setting up user accounts and using groups to control access to resources such as file share, printers and Web servers. Source: (March 7, 2000)

Securing Windows 2000 Terminal Services
The Terminal Services environment is, by definition, a thin-client architecture where all application processing occurs centrally on the server. Therefore, it is important to protect the integrity of the data stored on the Windows 2000 Server as well as the data in transit among the Terminal Services application and its clients. This paper presents the information necessary to implement strong security within your Windows 2000 Terminal Services environment. Source:

The Definitive Guide to Windows 2000 Security
An online eBook sponsored by BindView Corporation. Free Registration required. Source:

WebCast: Using the Microsoft Security Tool Kit to Get and Stay Secure
Level:200 During this session, we will walk through the three installations of the Security Tool Kit. We will also review the contents of the tool kit, and provide an in-depth discussion of the tools included in the tool kit that will help you stay secure.

WebCast: Microsoft Baseline Security Analyzer Tool
Level:100 This session will discuss the Microsoft Baseline Security Analyzer (MBSA), a tool used to scan Windows computers for security vulnerabilities. It will also review the system requirements to run MBSA, the scenarios in which the tool can be used, the output of the tool, and how that output can be used to enhance network security

Windows 2000 Security Technical Overview
This paper describes the major elements of the Windows 2000 distributed security services that support this model, including Active Directory, authentication, and authorization, and an introduction to the Kerberos authentication protocol. Source:

Additional Resources

Addressing DoS Vulnerabilities
Last month, Microsoft published an article that documents five registry modifications you can use to reduce Windows 2000's TCP vulnerability to a variety of Denial of Service (DoS) attacks. These guidelines are appropriate for Win2K systems connected to a WAN or to the Internet and for sites that operate under strict security controls. Source: Windows & .NET Magazine  

Close the door on hackers--secure your network
An overview of simple procedures you can use to keep your data from falling into the wrong hands. Source: Windows NT Professional Magazine (July 1999)

Common Criteria for Information System Security Evaluation v. 2.0  
Soon to be the new ISO standard

Default Access Control Settings in Windows 2000
Describes the default security settings for numerous components of Windows© 2000, including the registry and file system as well as user rights and group membership. Source: Microsoft TechNet

Defending your Web Server
Article by Rik Farrow that takes a look at how insecure applications and scripts expose Web servers to attack, and explains how to batten down the hatches. Source: Microsoft TechNet

Description of the Windows 2000 Resource Kit Security Tools
Microsoft Knowledge Base Article: 264178 - The Microsoft Windows 2000 Resource Kit contains a set of tools designed to give administrators the ability to modify or enhance the security in Windows 2000.  

Description of Default Security Settings in Windows 2000 
Microsoft Knowledge Base Article: 217050 - This article describes some of the default security settings in Windows 2000.

Determining Windows 2000 Network Security Strategies 
Sample Chapter 17 from the Windows 2000 Server Deployment Planning Guide, Published by Microsoft Press. The strategic use of security technologies to protect your company's network connections to the Internet or other public networks is discussed in this chapter. This chapter does not provide details about how to install and use network security technologies. Network architects involved in network security design and system administrators involved with administering network security need to read this chapter. As a prerequisite to performing the tasks outlined in this chapter, you need to be familiar with network and Internet technologies, such as routing, network protocols, and Web serving

Distributed Denial of Service Defense Tactics
This paper details some practical strategies that can be used by system administrators to help protect themselves from distributed denial of service attacks as well as protect themselves from becoming unwitting attack nodes against other companies. Source: SimpleNomad

Downloading and Using the Security Configuration Manager Tool
Microsoft Knowledge Base Article: 245216 - You can use the Microsoft Security Configuration Tool set to configure security for a Windows NT-based or Windows 2000-based computer, and then perform periodic analysis of the computer to ensure that the configuration remains intact or to make necessary changes over time. This tool set is also integrated with the Microsoft Windows Administration Change and Configuration Management tool to automatically configure policies on a large number of computers in the enterprise. (updated 8/29/2000)

Hardening Windows NT against Attack  
By Paul E. Proctor, Windows NT Systems, January 1999

How to Secure Windows 2000 Professional in a Non-Domain Environment
Microsoft Knowledge Base Article: 269799 - This article describes how to use the local group policy to secure a Windows 2000 Professional workstation in a non-domain environment.

HOW TO: Add an Authorized Page Warning in Windows 2000 
Microsoft Knowledge Base Article: 310115 - This article describes how to create an authorized page warning. By using Windows 2000 Group Policy, you can add a legal notice to users who attempt to gain access to your systems. The legal notice provides information about network policies to users who log on to your systems. The notice also includes information about possible incident handling for unauthorized network usage. You can configure authorized page warnings for site, domain, organization unit, or local group policies. 

HOW TO: Apply Predefined Security Templates  
Microsoft Knowledge Base Article: 309689 - Windows 2000 includes several pre-defined security templates that you can apply to increase the level of security for computers that are running either Windows 2000 Professional or Windows 2000 Server. These security templates are plain text that you manually edit by using text editor such as Notepad. However, it is recommended that you use the Security Templates Microsoft Management Console (MMC) to make changes to these templates. This article describes how to apply predefined security templates. 

HOW TO: Apply Security Patches by Using Task Scheduler 
Microsoft Knowledge Base Article: 314435 - This step-by-step articles describes how to apply security patches by using Task Scheduler. A member of the administrators group will have already identified and downloaded the security patches and created a script to run the patches that are referred to in this article. A member of the administrators group on a computer that is running Windows 2000 Server or Advanced Server will complete all of the following procedures 

How to: Configure a Certificate Authority to Issue Smart Card Certificates in Windows 2000
Microsoft Knowledge Base Article: 313274 - This step-by-step article describes how to configure a Certificate Authority to issue smart card certificates

HOW TO: Configure Network Security for the SNMP Service 
Microsoft Knowledge Base Article: 313381 - This step-by-step article describes how to configure network security for the Simple Network Protocol Service (SNMP).

HOW TO: Configure the Security for Windows 2000 Server That Uses Microsoft NNTP Service
Microsoft Knowledge Base Article: 302566 - This article describes how to configure the security to control who has access to specific newsgroups and who can operate Microsoft Network News Transfer Protocol (NNTP) Service. You can also restrict access on the basis of the client computer. 

HOW TO: Configure Security for Files and Folders on a Network (Domain)
Microsoft Knowledge Base Article: 301195 - This step-by-step guide describes how to configure security for files and folders on a network to protect data from unauthorized access.

HOW TO: Configure the Security for Windows 2000 Server That Uses Microsoft NNTP Service 
Microsoft Knowledge Base Article: 302566 - This article describes how to configure the security to control who has access to specific newsgroups and who can operate Microsoft Network News Transfer Protocol (NNTP - Service. You can also restrict access on the basis of the client computer.

HOW TO: Configure TCP/IP Filtering in Windows 2000
Microsoft Knowledge Base Article: 309798 -
This step-by-step article describes how to configure TCP/IP Filtering on Microsoft Windows 2000-based computers. Windows 2000-based computers support several methods of controlling inbound access. One of the most simple and most powerful methods of controlling inbound access is by using the TCP/IP Filtering feature. TCP/IP Filtering is available on all Windows 2000-based computers that have the TCP/IP stack installed.

HOW TO: Configuring Your Windows 2000 Server-Based Computer for Daily Virus Checks
Microsoft Knowledge Base Article: 298034 - This article describes a step-by-step procedure that you can use to configure your Windows 2000 Server-based computer for daily virus checks.

HOW TO: Define Security Templates in the Security Templates Snap-in 
Microsoft Knowledge Base Article: 313434 - This step-by-step article describes how to define security templates in the Security Templates snap-in.

HOW TO: Enable and Apply Windows Security Auditing
Microsoft Knowledge Base Article: 300549 - This step-by-step instruction guide describes how to enable and apply Windows security auditing.

HOW TO: Enable Local Security Auditing in Windows 2000 
Microsoft Knowledge Base Article: 248260 - This article describes how to enable local security auditing in Windows 2000. Administrators of local computers can use this method to set up local auditing of security access rights on individual Windows 2000-based computers.

HOW TO: Enforce a Remote Access Security Policy 
Microsoft Knowledge Base Article: 313082 - This step-by-step article describes how to enforce a remote access security policy in a Windows 2000-based Native-mode domain. 

How to Gain System Access to a Windows 2000-Based Computer
Microsoft Knowledge Base Article: 238846 - You may need to run commands in the context of the local System account for recovery or other administrative purposes. 

HOW TO: Harden the TCP/IP Stack in Windows 2000 Against Denial of Service Attacks 
Microsoft Knowledge Base Article: 315669 - Denial of service attacks are network attacks that are aimed at making a computer or a particular service on a computer unavailable to network users. Denial of service attacks can be difficult to defend against. To help prevent denial of service attacks, you can use one or both of the following methods 

How to: Install a Smart Card Reader in Windows 2000
Microsoft Knowledge Base Article: 313557 - This article describes how to install a smart card reader

HOW TO: Prevent the Last Logged-On User Name from Being Displayed
Microsoft Knowledge Base Article 310125 - This article describes how to prevent the last logged-on user name from being displayed. After you use this method, a user must type a user name and password to log on to a Windows 2000-based computer.  

HOW TO: Prevent Users from Scheduling Tasks
Microsoft Knowledge Base Article  Q310208 - The Windows 2000 Task Scheduler enables you to configure Windows to automatically open a document, start a program, or run a script at a preconfigured time. This functionality is convenient for administrators, who can force these tasks to occur at specified times on users' computers. The Task Scheduler starts by default when you start Windows 2000 and runs in the background.  In a high-security environment, Task Scheduler can pose a security threat. Users can create new tasks or delete those that are set to run by the administrator. If you are an administrator, you can control this behavior to provide greater security and ensure that only the tasks that you configure run at the proper time. This article describes how you can prevent users from scheduling tasks. 

How to Prevent Windows 2000 Upgrade from Modifying Custom Security
Microsoft Knowledge Base Article: 260242 - The Windows 2000 upgrade process applies Windows 2000 default security settings to registry keys and file system objects. This process overwrites any custom permissions that you previously defined. If the Windows 2000 default security settings. 

How to Protect Windows NT Desktops in Public Areas 
Microsoft Knowledge Base Article: 143164 - In certain environments it is necessary to prevent workstation users from harming the system. For example, you may want to limit the number of applications a user can use.

HOW TO: Restrict Users from Gaining Access to a Domain Controller by Using Telnet 
Microsoft Knowledge Base Article: 292536 - This article explains how to restrict users from gaining access to a Windows 2000-based domain controller when they use the Telnet service.

HOW TO: Secure Communication Between a Client and Server with Terminal Services Microsoft Knowledge Base Article: 306561 - This step-by-step article describes how to secure communications between a client computer and a server by using Windows 2000 Terminal Services. 

HOW TO: Secure Windows in a Non-Domain Environment 
Microsoft Knowledge Base Article: 269799 - You can use a Windows-based computer in a non-domain environment to use local group policies to secure the workstation. This implementation is not designed to secure a Windows-based computer for individual users who log on to the computer. 

How to Troubleshoot SNMP Security Issues 
Microsoft Knowledge Base Article: 200885 - If Simple Network Management Protocol (SNMP) is not responding and you have implemented SNMP security, you can use the steps in this article to help you troubleshoot the issue. 

HOW TO: Use the Secedit.sdb Database to Perform a Security Analysis in Windows 2000 Microsoft Knowledge Base Article: 318711 - This step-by-step article describes how to use the Secedit.sdb database to analyze your security settings. This analysis can identify security holes that may exist in your current configuration, and can also identify changes that will take place if you use a security template to configure your computer.

HOW TO: Use Simple Procedures to Prevent Unauthorized Users from Accessing Your Computer in Windows 2000 
Microsoft Knowledge Base Article: 300957 - This step-by-step article describes how to prevent unauthorized users from accessing either a stand-alone computer, a network computer, or a remote computer. Each of these types of computers has different security requirements and the topic of security is complex. This article describes some simple procedures to secure your computer. For another user to access your computer, they must either be assigned to an administrative group or they must have the appropriate security rights and permissions

Increasing Security on Windows 2000 VPN Server
Microsoft Knowledge Base Article: 255784 - A Windows 2000 virtual private network (VPN) server that is configured by using the Routing and Remote Access Services (RRAS) Setup Wizard is installed with a default set of Input and Output filters. These filters support Point-to-Point Tunneling Protocol (PPTP), Layer 2 Tunneling Protocol (L2TP), and IP Security Protocol (IPSec) connectivity. The filters are generic and can be modified to tighten security on a VPN server. This article describes modifications that you can make to these filters to increase security. All filter configurations mentioned in this article should be tested prior to being deployed in a production environment

MS Security Configuration Tool Set
This paper describes the Microsoft© Security Configuration Tool Set, a set of Microsoft Management Console (MMC) snap-ins designed to reduce costs associated with security configuration and analysis of Windows NT? and Windows? 2000?based operating system networks. The Security Configuration Tool Set allows you to configure security for a Windows NT or Windows 2000©based system, and then perform periodic analysis of the system to ensure that the configuration remains intact or to make necessary changes over time. It is also integrated with Windows Administration Change and Configuration Management to automatically configure policy on a large number of systems in the enterprise.

Protection of the Administrator Account in the Offline SAM
Microsoft Knowledge Base Article: 223301 - This article discusses the security of the offline Security Accounts Manager (SAM) and the accounts in it. 

Protect Administrator Privileges
Gaining administrator access is the ultimate coup for a system intruder, so protecting administrative privileges needs to be high on your security priorities list. Administrator Account Vulnerabilities I discussed NT's administrator vulnerabilities in detail in "NT's Top Security Problems," October 1998. Many systems administrators further disguise the Administrator account by creating a decoy Administrator account. Source: Windows 2000 Magazine (Feb 2000)

Protecting Windows RPC Traffic
In security circles, Remote Procedure Calls (RPCs) are bad news. According to a study by Cisco, "The most vulnerable Internet service, ranked by the percentage of times that the service was visible and found to have a security problem" is RPC, with 93.4 percent of the systems exposing RPC reporting security problems. This article discusses some of the perceptions and the realities of RPC vulnerabilities on the Windows platform, and the use of Microsoft's ISA server to address some of these issues. Source:

SANS Network Security Roadmap
Hacker-proofing, advance planning before they hit you - A Computer Security Roadmap 
Written for UNIX Admins, but plenty of useful information for everyone.

Securing NT Server
The Chicago branch of Network Computing's labs has long been known for its harsh criticism of Microsoft Corp. when it comes to Windows NT security. However, even though lacing into NT is one of our favorite pastimes, securing it is far less humorous. With NT's massive array of services and subsystems, it's difficult--at best--to identify all the problems, much less protect against them. Source: Network Computing (April 2000)

Securing Network Resources
Chapter 9 of MCSE Training Kit © Microsoft Windows 2000 Active Directory Services, reprinted with permission from Microsoft Press. This chapter introduces you to Microsoft Windows 2000 file system (NTFS) folder and file permissions. You will learn how to assign NTFS folder and file permissions to user accounts and groups, and how moving or copying files and folders affects NTFS file and folder permissions. You will also learn how to troubleshoot common resource access problems. Source: Microsoft TechNet CD Online (June 22, 2000)

Securing Windows 2000 Network Resources
Administration of a Microsoft Windows 2000 operating system-based network is a important task that has become much simpler. The administration tools and the directory service infrastructure (for user accounts and authentication) provide and control access to network and application resources. This guide focuses on setting up user accounts and using groups to control access to resources such as file share, printers and Web servers. Source: (March 7, 2000)

Securing Windows NT Server
Security requires more than just firewalls and proxy servers. Your operating systems must be bulletproof as well. Here's how to secure your Windows NT systems. Source: Network Magazine (Feb 1999)

Securing a Windows NT 4.0 installation
Microsoft Whitepaper downloadable in Word document format.

Securing your notebook computer with Windows 2000
Companies that spend many hours and dollars on network security often don't give a second thought to securing the computers that users carry out of the office each day. This article explains why they--and you--should be taking the necessary steps to secure laptops as well as PCs and servers. Source: EarthWeb.

Security Considerations When Implementing Clustered File Shares
Microsoft Knowledge Base Article: 254219 - This article describes how to administer file share security in Windows 2000 clustering, and to a limited extent Windows NT 4.0 Enterprise Server. 

Standard Security Practices for Windows NT
Microsoft Knowledge Base Article: 166992 - Any security breach that requires access to administrative privileges needs to be dealt with using the appropriate security policy. This applies to all commercial operating systems, including Windows NT and UNIX. 

Using IPSec to Lock Down a Server
The Windows 2000 IPSec policy engine provides a very effective means to secure a network interface. If you have a server that isn't protected by a firewall or router with good access control lists, the procedure described here is a must for ensuring that the server remains secure. And even if one or more layers of defense protect your server, this procedure adds an effective additional layer©increasing your network's "defense in depth." Source:

Windows 2000 Certificate Services
Microsoft Windows 2000 Certificate Services offers customers an integrated public key infrastructure (PKI) that enables the secure exchange of information across the Internet, extranets, and intranets. Certificate Services verifies and authenticates the validity of each party involved in an electronic transaction and lets domain users log on to a domain using the additional security provided by smart cards. This paper introduces Windows 2000 Certificate Services and describes PKI deployment in a Windows 2000 network. Source: (March 22, 2000)

Windows 2000 Security in an E-Commerce Environment
This white paper discusses security in a Microsoft© Windows? 2000 e-commerce Windows Distributed internet Applications Architecture (DNA) environment, focusing on the middle tier. First it looks at the differences in security architecture between Microsoft Windows NT© and Windows 2000. Then it discusses Windows 2000 security enhancements such as the Kerberos protocol, Snego, delegation, and cloaking. Finally, it will cover the security enhancements included in COM+, such as role-based security and security contexts. To get the most from this paper, you should have some experience working with Windows NT security. Additionally, you should have at least minimal experience with Windows 2000 COM+ application development. After reading this paper, you will be able to use these security enhancements to provide a greater level of security in your own applications. Source: (Aug 2000)

Windows 2000 Server Security Migration Path
Sample chapter from Tom and Deb Shinder's "Configuring Windows 2000 Server Security" by Syngress. The chapter provides an overview of Windows 2000 security, as well as examining its problems and limitations. It also provides considerations for migrating to Windows 2000 and discusses network security plans.

Working With Windows 2000 Security Templates
An excellent 2 part primer on configuring security templates in Windows 2000. Source:

 Please report broken links

Entire contents
© 1999-2003 and TechTarget
All rights reserved

This site and its contents are Copyright 1999-2003 by Microsoft, NT, BackOffice, MCSE, and Windows are registered trademarks of Microsoft Corporation. Microsoft Corporation in no way endorses or is affiliated with The products referenced in this site are provided by parties other than makes no representations regarding either the products or any information about the products. Any questions, complaints, or claims regarding the products must be directed to the appropriate manufacturer or vendor.