Windows 2000 was designed more as a server operating system than were Windows 95/98/ME. While this may give users a more stable operating system, it also results in more complex options that can be exploited by someone who wishes to do harm to your computer. While there are a few more things you need to do to secure your system, let's see if we can give you some simple tips to protect yourself.
Set good passwords on all accounts (5 minutes)
Almost every hacked Windows 2000 machine we've seen has been hacked because it either had no password or a weak password on the Administrator account. To set a password, log in as the Administrator account, then hit CTRL-ALT-DEL and select the "Change Password" option. Select a good password and remember it.
Install Anti-Virus Software (20 minutes)
Duke provides a site-license for the McAfee anti-virus software which allows all students, faculty and staff to use it for FREE. Of course, anti-virus software is only as good as the information it has, so make certain that you keep your DAT files up to date (the current version from OIT is set to auto-update).
Install the Windows Critical Update Notifier (10 minutes)
The Critical Update Notifier is a tool provided by Microsoft to notify users of new security fixes and to assist in the downloading and installation of the fixes. This is an excellent tool to have on your system and it is available for free from Microsoft.
Disable unnecessary services (10 minutes)
Some versions of Windows 2000 come with services available that really aren't necessary for the average user. These include the IIS webserver, the FTP server and others. Unfortunately, because of the numerous security problems in these services, computers running them are prone to being hacked unless the owner is always patching the system. We strongly recommend disabling these services.
Set an account lockout policy (10 minutes)
To protect against someone attempting to guess your password (through an automated process called a dictionary attack), you should configure an account lockout policy. Such a policy will lock an account until the Administrator can unlock it. Note that the Administrator account can only be locked out for remote access; you can always physically log on to the computer as Administrator.
Disable the Guest Account (5 minutes)
The Guest account on Windows 2000 can be a source of information for hackers and can cause some security problems. We recommend that you disable the account.
Disable the Default Shares (5 minutes)
By default, Windows 2000 will allow for the remote access of your computer's hard drive and other resources. If you've gotten this far in our quick security checklist, you probably think this is a bad idea (good for you +2 pts). Disabling the Server service will prevent Windows 2000 from sharing your drives. Note that this will also disable the Computer Browser, which allows you to view the Network Neighborhood.
Create a user account (5 minutes)
One of the main problems with Windows is that many people run the entire computer as Administrator. The argument is that this is necessary to allow you to install software. This is also dangerous because viruses and trojan horses that are accidentally run will be run as the Administrator account. To solve this, let's create a User account for everyday use. When you need to install new software, use the Run As feature to temporarily become the Administrator. Run As can be used by pressing Shift and holding down the Right Mouse Button, which brings up a menu including "Run As". Selecting "Run As" will prompt you for the Administrator password; now, whatever you just ran will be run as the Administrator.
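As an added example (not part of the original checklist), the lockout-policy, Guest-account, default-share and unnecessary-service steps above can also be applied from a Windows 2000 command prompt with net.exe, and the Run As step with runas.exe; the thresholds and the IIS/FTP service names are my own assumptions, not values from the page.

```batch
@echo off
rem Added example, not from the original checklist: command-line equivalents
rem of the lockout, Guest, default-share and service steps, using net.exe and
rem runas.exe, which ship with Windows 2000. Run from an Administrator prompt.
rem The thresholds and service names below are example choices, not page values.

rem 1. Account lockout policy: lock after 5 bad passwords, keep the account
rem    locked for 30 minutes, and count attempts within a 30-minute window.
rem    A duration of 0 would instead require the Administrator to unlock it.
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30

rem 2. Disable the Guest account.
net user Guest /active:no

rem 3. Stop the IIS web and FTP services if they are installed (assumed
rem    service names W3SVC and MSFTPSVC). Set their startup type to Disabled
rem    afterwards in Control Panel, Administrative Tools, Services so they
rem    do not come back at the next reboot.
net stop W3SVC
net stop MSFTPSVC

rem 4. List the default shares (C$, ADMIN$, IPC$) that will go away, then stop
rem    the Server service. /y also stops the dependent Computer Browser
rem    service without prompting, as the checklist warns.
net share
net stop Server /y

rem 5. Check the result: the lockout values appear in the policy listing,
rem    "net user Guest" reports "Account active  No", and "net start" no
rem    longer lists Server or Computer Browser among the started services.
net accounts
net user Guest
net start

rem 6. Run As from the command line: from the everyday user account, type
rem    "runas /user:Administrator cmd.exe" to get an Administrator prompt
rem    for installing software; it asks for the Administrator password.
```

Stopping the Server service this way lasts until the next reboot; to make it permanent, set its startup type to Disabled in the Services control panel as the checklist describes.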
Consider Installing a Personal Firewall (15 minutes)
Personal Firewalls are a good way to lock down your computer. The firewall will not allow any unauthorized network traffic in or out of your computer. One note: these firewalls do tend to over-react. There is no need to threaten people with legal action if your firewall detects something; just be glad that it is doing its job.
Keep Up To Date with Microsoft Security Fixes (ongoing)
New security vulnerabilities are constantly being discovered in the operating system and in the basic applications Microsoft distributes (e.g. Internet Explorer, Outlook Express, etc). If you did not install the Windows Critical Update Notifier (above), you will need to keep on top of these issues by periodically checking the Windows Update site and obtaining the relevant security fixes.