This page gives a basic overview of Windows 2000 security, if you wish to make a more detailed analysis of your system's security you should run the MMC's Security Configuration and Analysis snap-in.
SECURITY UPDATES
From time to time MIcrosoft will release hotfixes for sometimes obscure vulnerabilities in the Operating System. If these are critical they will be available using the Windows Update feature, otherwise minor fixes will eventually be made available through a Service Pack. Details of current critical fixes can be found here.
TCP-IP FILTERING
You can specify which ports you wish to be accessible using this. Together with the NTFS file system this provides very strong protection against inwanted access to your system through a network connection. Right-click the network connection you want to configure, and then click Properties. On the General tab (for a local area connection) or the Networking tab (all other connections), click Internet Protocol (TCP/IP), and then click Properties. Click Advanced. Click Options, click TCP/IP filtering, and then click Properties. You may then configure TCP, UDP and IP ports for the traffic you wish to allow. Note that this filters incoming traffic only, you will need a firewall to monitor outgoing traffic. You may need to install this from the Network and Dial Up Connections folder, by selecting Advanced/Optional Networking Components.
FIREWALLS
A firewall monitors all incoming, and usually outgoing, data on a network to prevent a system from attack by third parties. A firewall is essential if you have a permanent or semi-permanent to the internet for example. To see how open your system is to attack whilst online, have a look at this excellent site. Details on programmes available for Windows 2000 can be found here.
ENCRYPTION
If you are using the NTFS file system you can encrypt files or folders so that they cannot be opened by other users. Open 'Windows Explorer', and then browse to the file or folder to be encrypted. Right-click on the file/folder and click 'Properties'. On the 'General' tab, click 'Advanced'. Select the 'Encrypt contents to secure data' check box. Encrypting a folder automatically encrypts all its subfolders and files. The encryption of a file or folder is transparent to the person who encrypts it; that person can work with the file without restriction. Encryption protects against others opening that file or folder.
WINDOWS FILE PROTECTION
Windows 2000 has a built in defence against programmes which overwrite important system files, you can find out more about Windows File Protection here.
USER ACCOUNTS
Firstly, under Control Panel/Users & Passwords ensure that the "Users must enter a user name and password" box is checked, and under the Advanced tab, that "Require users to press CTR-ALT-DEL before logging on" is also checked.
User Accounts define the access to the system that an individual will be given at login. Details can be found in Control Panel, Administrative Tools, Computer Management, Local Users and Groups, Users. By default Windows 2000 creates two User Accounts: Administrator and Guest, these cannot be removed, but for security purposes it is better to rename them. To simplify the process of assigning permissions to User Accounts, Windows 2000 defines default Groups each with specific permissions. These can be seen in the Control Panel, Administrative Tools, Computer Management, Local Users and Groups, Groups folder. If you right click on a User Account you can see which Group that account is a part of e.g. if you right click on the Administrator User Account, and select Properties, you will see it is a member of the Administrator Group - this is the Group that has complete and unrestricted access to the system. Under NTFS more specific permissions can be set by User or Group for folders or even individual files.
You will need to log on under an Administrator account to set up and install Windows 2000, but once you have done this it is recommended to log in under a User account. The simplest way of doing this is to modify the Guest Account: right click on it and rename it, then in properties delete any Groups that it is currently a member of, and add the User group. If you choose not to modify the Guest account, make sure that this account is disabled as enabling this account would give anonymous users access to your machine.
To create a new user account, go to Control Panel, Administrative Tools, Computer Management, Local Users and Groups, Users and select New User from the Action menu. You will be prompted for a user name for the new account, and a password. Once the account is created you can set the properties by right clicking on the new account, and ensuring that is is a member of the User group. By default the account is set to change the password at login, this is the most secure setting, but you may uncheck this box and keep a permanent password for the account.
The three important groups for setting up users are as follows:
ADMINISTRATOR: Administrators can perform any and all functions supported by the operating system. Any right that the Administrator does not have by default, they can grant to themselves. This account will be required for the following tasks:
USERS: Provided that Windows 2000 is clean-installed onto an NTFS partition, the default security settings are designed to prohibit Users from compromising the integrity of the operating system and installed applications. Users cannot modify machine-wide registry settings, operating system files, or program files. Users cannot install applications that can be run by other Users. Users cannot access other users' private data. They can run applications installed by Administrators, Power Users, or themselves, but not by other users.
POWER USERS: Power Users are between Administrators and Users in terms of system access, they are able to:
A full list of the default user settings for all groups, together with a more detailed discussion of security settings can be found here.
