Operating System Hardening
Operating system hardening is the process of eliminating basic vulnerabilities on the operating system. It is a kind of setup checklist and is one of the first and most important considerations when securing a public access workstation or server. The list of possible steps that can be taken to do this is very long, and the procedure can vary for each installation environment. Furthermore, each operating system requires different steps. This summary outlines the most basic and important steps to harden a Windows 2000 and Windows 98 operating system. Some steps may not be necessary in your environment and may even be counterproductive. Each step should be evaluated for appropriateness in your environment. The issues are similar for Windows NT and Windows XP.
For later OS versions (Windows Vista, Windows Server 2008), see this Microsoft page.
Hardening the operating system for Windows 98 is done differently than in Windows 2000. Where Windows 2000 is hardened mostly after the install, Windows 98 is hardened mostly during the install.
Format the Hard Drive
Make sure that the CDROM is the first boot device, and boot from the Windows 98 CD. It is always best to start with a "clean slate" and format the hard drive first. To do this, choose the "Boot 98 with CDROM support" option. This will mount the CDROM drive and allow you to run the format utility found in the D:\WIN98 directory. "FORMAT C:" is the proper command to start the format utility.
- Reboot the computer and run the Windows 98 setup option after booting from the CDROM.
- When asked for the installation type, choose "custom install." Depending on the type of workstation you are installing, you should install as few components as possible. It is best to go through each component and determine whether or not your system will need it.
- Allow setup to configure the default network services. This will be configure after setup is completed.
Configure Network Services
When prompted to configure network services you will want to use as few services as possible.
TCP/IP should be the only protocol you need to install. If the computer doesn't connect to the Internet, this protocol is probably not needed. It is also possible that a proxy client will eliminate the need for installing any protocols.
The most common services installed on Windows 98/95 workstations are "file and print sharing" services. You should only install this service if you must share files or printers. Most workstations do not need this service. If you do install it, be sure to password protect any folders that are shared.
Sometimes it is possible to configure a Windows 95/98 workstation without any clients. If possible, you should do so. If connecting to any NT/2000 server, you will need to install Client for Microsoft Networks.
Disable Unnecessary Programs from Running at Startup
Any unnecessary programs that run at startup should be disabled. This streamlines the computer by using less memory and making crashes less likely due to memory conflicts. The following are the different places programs can be run from startup. Each startup command should be researched, and any unnecessary commands disabled. It is a good idea to keep a backup list of the commands while testing their necessity, so they can be re-enabled if needed. MSCONFIG.EXE is a more user friendly way to view all startup commands however, some go directly to the source.
Commands are placed here in the format of shortcuts. Look at the properties of each shortcut to view the command lines. The shortcuts are placed in C:\windows\start menu\programs\startup
Registry Commands are placed under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
Commands are also sometimes placed under HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run
WIN.INI and SYSTEM.INI can also contain run commands that are processed at startup. Look for headings labeled "LOAD." Commands are more commonly placed here for 16-bit applications and are less common these days.
To disable Windows Power Management features (which set the monitor and hard drive to standby after a certain length of time)
- Click on the Start button, choose Settings, then Control Panel.
- Double-click on the Power Management icon.
- The "Power Schemes" tab should be selected.
- Set the "Turn off monitor" option to "Never."
- Set the "Turn off hard disks" option to "Never."
- Click on OK to save changes.
To disable the CD-ROM drive's autoplay features (which causes CDs—music or data—to start as soon as it is inserted in the drive):
- Click on the Start button, choose Settings, then Control Panel.
- Double-click on the System icon.
- Click on the "Device Manager" tab.
- Click on the plus sign (+) next to the CDROM item.
- Highlight the CDROM drive you are protecting, and double-click.
- In the drive Properties window, click on the Settings tab.
- Under Options, click on the box next to "Auto insert notification" to deselect this option. It should now be unchecked.
- Click on OK to close the CDROM Properties window.
- Click on OK to close the System Properties window.
- You will be prompted to reboot. Click on Yes to proceed.
- If possible, disable the CD-ROM drive in the BIOS.
To completely disable the CD-ROM drive (or a floppy drive, for that matter):
- Open up the computer's case.
- Locate and remove the CD-ROM drive's power cable from the back of the CD-ROM drive.
- Close the case.
- The CD-ROM drive is now completely disabled.
- Apply all service packs and hot fixes.
- Disable the "guest" account.
- Rename the "administrator" account. This is the first account hackers will try to compromise. If they don't know what the username is it's harder to crack.
- Use complex passwords with at least nine alphanumeric characters.
- Ensure that the hard drives are partitioned with an NTFS file system.
- Disable unnecessary services. By default, Windows installs many unnecessary services that can be disabled. Services allow openings for attacks. Services to consider disabling are: Alerter, Distributed Link Tracking, Distributed Transaction Coordinator, Fax Service, Indexing Service, Internet Connection Sharing, Messenger, NetMeeting Remote Desktop Sharing, QoS RSVP, Remote Access Auto Connection Manager, Remote Access Connection Manager, Remote Registry Service, Routing and Remote Access, Smart Card, Smart Card Helper, Telnet, and Uninterruptible Power Supply.
- Disable NetBIOS.
- Monitor and disable any unnecessary open ports. Even if a workstation is behind a firewall, disabling any unnecessary ports makes the workstation less vulnerable.
- Disable the auto run feature on the CDROM drive.
- Change share permissions and NTFS permissions wherever possible from Everyone/Full to something more restricted. It is important to test applications after doing this.
- Deny user rights such as "log on locally" and "log on as a service" for users and groups who shouldn't have rights to these features.
- Ensure lockout policy is enabled for unsuccessful log on attempts.
- Create a separate partition for system files and data/program files.
- Enable auditing. This will allow you to monitor attempts at compromising security.
- Prevent the last logged-in user from being displayed if appropriate.
- Disable default shares if appropriate. You will need to test applications and functionality to ensure proper function after disabling these shares.
- Set permissions on the event log. Normally, any user can view the logs.
- Encrypt the file system. This prevents a user from mounting the hard drive and accessing files using another computer or boot disk.
- After renaming the "administrator" account, create a "dummy" administrator account with no privileges. This can throw off hackers for awhile.
Next: Operating System Patches