Andrew Windows Server Guidelines - Andrew.cmu.edu

DRAFT
Getting Started – Setting up a Windows 2000 Member Server in Andrew Windows
Carnegie Mellon University
A Computing Services Publication
June 10, 2002
Introduction
This document provides information on configuring and administering a Windows 2000 Member
Server in Andrew Windows and includes the following sections.
1. Overview: Andrew Windows 2000 and Microsoft Active directory
2. Installation and Configuration
2.1. Windows 2000 Server Licensing
2.2. Installing Windows 2000 Server
2.3. Upgrade to the Latest Windows 2000 Service Pack
2.4. Shutdown Non-Essential Services
2.5. Install the Latest Security Patches and Hot-Fixes
2.6. Network Registration
2.7. NTFS Disk Format
2.8. RAID
2.9. Install Required Applications
2.10. Macintosh Services
2.11. Printing
2.12. Backups/Restorations
2.13. Internet Information Services (IIS)
3. Andrew Domain Configuration
3.1. Creating a Server Organizational Unit (OU)
3.2. Blocking Inheritance
3.3. Custom GPO for the Server
3.4. Joining the Domain
3.5. Local Administration Access for Accounts and Groups
3.6. Local versus Andrew Domain Accounts
3.7. Local Logon Access
3.8. Restricting Server Access
4. Security
4.1. Physical Security
4.2. Registry Security
4.3. File/Share Access Permissions
4.4. Disable Guest Account
4.5. Virus Software
4.6. Auditing
4.7. Vulnerability Scanners
4.8. Other Security Links
5. On-Going Support Activities
5.1. User Privacy/Confidentiality
5.2. Restrict Administrator Privileges
5.3. Keep the Patches Current
5.4. Review Event Logs
5.5. Disk Defragmenting
6. Trouble-shooting
6.1. Resource Kit
6.2. Group Policy Object (GPO) Processing
6.3. Group Memberships
1.0 Overview: Windows Member Server Guide
This document is a guide to assist you in setting up a Windows 2000 Member Server within the
Andrew Windows Service. Readers should have a general knowledge of Windows 2000 and
Active Directory terminology.
This guide is not meant to be a comprehensive resource for configuring a Windows 2000 Server.
In order to become familiar with Windows 2000 Server, Computing Services recommends that
Computing Administrators complete a course similar to MS Course 2154: Implementing and
Administering Microsoft Windows 2000 Directory Services, from a Microsoft Certified
Trainer. In addition, many good books exist on Windows 2000 administration. A book that we
recommend is Mastering Windows 2000 Server, by Mark Minasi.
2.0 Installation and Configuration
2.1 Windows 2000 Server Licensing
The Windows 2000 Server license is not covered under the Microsoft Campus License
Agreement. Departments must purchase Windows 2000 Server licenses in order to run Member
Servers. Windows 2000 Server licenses and media are available from the CMU Computer Store.
Client Access Licenses (CALs) are currently covered under the Microsoft Campus License
Agreement and do not need to be purchased separately.
2.2 Installing Windows 2000 Server
Install Windows 2000 from a Windows 2000 installation CD. The CD media can be purchased
from the CMU Computer Store. It is recommended that the media be stored in a safe place, as it
may be required at a later time.
Until the Windows 2000 Server is patched and secured, it should not be connected to the open
campus network. Disconnect the network cable before starting the installation and leave it
disconnected until the service pack and security patches below have been applied.
2.3 Upgrade to the Latest Windows 2000 Service Pack
Upgrade the Windows 2000 Server to the latest Microsoft Service Pack. The current Service
Pack available is Service Pack 2.
2.4 Shutdown Non-Essential Services
Limit the server to the services it actually needs. WINS and DNS must be removed from servers
installed on the CMU campus network. FTP, WWW (IIS) and SNMP should be removed unless the
server specifically requires them.
Examine the existing services via:
Control Panel->Administrative Tools->Services
OR
Start menu->Run…->type "services.msc"
See the Microsoft website for a detailed description of each Windows 2000 service.
It is good security practice to limit the number of critical services running on any one
machine. Avoid running all of your department's critical services on a single server.
2.5 Install the Latest Security Patches and Hot-Fixes
Install the hot-fixes appropriate to your server while it is still offline. To stay up to date on
Microsoft patches, visit the MS TechNet security site, where you can join an e-mail list that
notifies you of new security fixes. The "Windows Update" function downloads many patches and
updates and reports critical updates, but it does not contain all security patches.
Microsoft provides several tools that help with finding and installing security patches. We
recommend:
MS Network Security HotFix Checker (HFNetChk) checks a system for missing security hot-fixes.
It must first be run on a computer with network access to download the current hot-fix list
(mssecure.xml); the tool and that file can then be copied to unpatched computers that are not
yet on the network. HFNetChk covers the operating system and core components such as
Internet Explorer and IIS. It does not report missing fixes for applications like
Microsoft Office.
Microsoft Baseline Security Analyzer (MBSA) is a graphical tool built on HFNetChk. MBSA keeps
a history of scans and also checks for common configuration weaknesses in the operating system.
QChain allows you to install multiple hot-fixes in sequence with a single reboot at the end
instead of one reboot per hot-fix.
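The following batch script is an added example of carrying out sections 2.4 and 2.5 from the command line while the server is still off the network; it is not part of this guide or of Computing Services' procedures. It assumes Windows 2000's built-in sc.exe and net.exe, that the downloaded hot-fix installers, qchain.exe, hfnetchk.exe and a copied mssecure.xml were placed in C:\Hotfixes (a placeholder path), and it uses the Windows 2000 internal service names for the services the guide lists.

```batch
@echo off
rem Added example for sections 2.4 and 2.5; not from the guide.
rem Run locally, with the network cable still unplugged.

rem --- 2.4: stop and disable the services the guide names ---------------
rem Internal service names on Windows 2000:
rem   WINS = WINS   DNS = DNS   FTP = MSFTPSVC   WWW = W3SVC   SNMP = SNMP
rem "sc query" reports error 1060 for a service that is not installed,
rem which is harmless here.
for %%S in (WINS DNS MSFTPSVC W3SVC SNMP) do (
    sc query %%S | find "RUNNING" >nul && net stop %%S /y
    sc config %%S start= disabled
)
rem WINS and DNS must also be uninstalled afterwards through
rem Control Panel -> Add/Remove Programs -> Add/Remove Windows Components.

rem Review: list every installed service still set to start automatically.
for /f "tokens=2" %%N in ('sc query state= all ^| find "SERVICE_NAME"') do (
    sc qc %%N | find "AUTO_START" >nul && echo AUTO_START: %%N
)

rem --- 2.5: install hot-fixes with QChain, then verify with HFNetChk -----
rem Assumption: hot-fix installers (Qnnnnnn_W2K_..._x86_*.exe), qchain.exe,
rem hfnetchk.exe and a copied mssecure.xml all live in C:\Hotfixes.
cd /d C:\Hotfixes
rem -z = do not reboot, -m = unattended.  QChain corrects the pending
rem file-replacement list so that one reboot installs every hot-fix with
rem the newest version of each shared file.
for %%H in (Q*.exe) do %%H -z -m
qchain.exe
echo Reboot now, then check for anything still missing with:
echo     hfnetchk -v -x mssecure.xml
```

The AUTO_START review loop is the check worth repeating after each application install in section 2.9: anything new in that list should be there on purpose.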
2.6 Network Registration
The Windows 2000 Server must be registered on the campus network via NetReg. After
registration, configure the server's network interface to use DHCP; it will receive its IP
configuration after a reboot.
2.7 NTFS Disk Format
Hard disks should be formatted with the NTFS file system. NTFS supports per-file and per-folder
access control lists and auditing, which FAT/FAT32 do not, and the security settings in section
4 depend on it. Windows 2000 can convert an existing FAT/FAT32 partition to NTFS without
losing data (convert.exe). However, a converted partition starts with the Everyone group
granted Full Control on every file and folder, including the \winnt directory, so the default
permissions must be reapplied after the conversion.
2.8 RAID
RAID (Redundant Array of Independent Disks) technology allows for high availability and
increased performance for disk drives. RAID has become very popular throughout server
technology and it is recommended for critical File Servers. Windows 2000 has built-in software
RAID functionality that should be considered if hardware RAID is not cost-efficient.
2.9 Install Required Applications
It is a good idea to install all of the necessary Application Software to the Member Server prior
to releasing it as a production server. As was mentioned with services, it is recommended that
Application Software be limited to essential programs.
2.10 Macintosh Services
To provide File and/or Print Sharing to Macintosh clients, you will need to install and configure
the bundled Windows 2000 component "Services for Macintosh". Services for Macintosh requires
that the shared volume(s) be on NTFS-formatted disks. Since AppleTalk routing is being
eliminated at CMU, the service will need to run natively over TCP/IP (AFP over TCP/IP). The
latest Microsoft User Authentication Module (UAM) will need to be installed on each Macintosh
client to support the more secure NTLMv2 authentication. Please see the Client Guide for
Andrew Windows for specific instructions.
Microsoft discusses Services for Macintosh on its website.
2.11 Printing
Windows 2000 Server has the native ability to create Print Spools. Although this capability has
been tested and works sufficiently, Computing Services will not support departmental print
spoolers.
2.12 Backups/Restorations
In order to protect against data loss, it is strongly recommended that routine backups be
performed on critical file systems. Computer Operations offers a fee-based backup service.
Perform test restores periodically to verify that the backups are complete and readable; a
backup that has never been restored is not a proven backup.
2.13 Internet Information Services (IIS)
IIS, which is bundled with Windows 2000 Server, provides Web (HTTP), FTP, SMTP and NNTP
services. IIS has had numerous security vulnerabilities. If you decide to run IIS on your
server, install only the components you need, apply the core security patches and stay up to
date on new security advisories.
The National Security Agency has produced a guide for securing IIS. The University of
Colorado at Boulder also has an informative site.
3.0 Andrew Domain Configuration
3.1 Creating a Server Organizational Unit (OU)
In order to control your Server configuration for your Department in the Andrew Windows
environment, we recommend that you have an Organizational Unit (OU) delegated to your
department. If you do not have an OU already, please send email to advisor@andrew.cmu.edu
requesting an OU. Please include the name and Andrew User ID of the primary point of contact
for the OU administration.
After the OU has been created, we recommend that you create a sub-OU for your Member
Server. Please see the Administration Guide for Andrew Windows for specific instructions.
3.2 Blocking Inheritance
In order to ensure that software packages and GPO Settings from parent objects do not propagate
to your Member Server, we recommend that inheritance for the Server OU be blocked. Please
see the Administration Guide for Andrew Windows for instructions on blocking inheritance.
3.3 Custom GPO for Server OU
We recommend that a custom GPO be configured for this Server OU. To request the GPO
creation, send email to advisor@andrew.cmu.edu. This GPO can then be linked to the Server
OU and configured with custom software packages. Custom Security settings can also be
adjusted via this GPO.
The core Andrew software installers are currently available from \\dist.andrew.ad.cmu.edu.
They are distributed as .MSI packages, which use Microsoft's Windows Installer technology.
License permitting, these MSIs can be copied and then assigned through your Server OU GPO. If
you do not have access to a desired MSI, please send email to advisor@andrew.cmu.edu.
We strongly suggest that you do not link GPOs directly to the MSIs on the Dist Server. This
core distribution is maintained for Computing Services Computer Clusters and may change
without notice. As an alternative, copy the MSIs to a local file share and point the GPO there.
In addition, many of the software MSIs were custom built for cluster configurations and may
not work as expected in your environment. We will not support applications installed with these
MSIs. Use them at your own risk. At some point in the future, we hope to be able to offer
stable and supportable MSIs.
3.4 Joining the Domain
At this point, you should have a customized OU for your Member Server and can add the Server
to the Domain with the NETDOM utility. NETDOM is a powerful tool for automating domain
membership activity on client systems. Please see the Administration Guide for Andrew
Windows for specific instructions.
Do not add the machine to the Domain via "My Computer" -> Network Identification. By default,
that method creates the computer account in the Active Directory Computers container rather
than in your Server OU. If the server is mistakenly added to this container, it will
unintentionally pick up the Andrew GPOs on its next reboot instead of your custom GPO.
Microsoft Knowledge Base article Q222525 describes automating the creation of computer
accounts within a domain.
3.5 Local Administration Access from Andrew Accounts and Groups
One of the first server changes you should consider is the addition of your departmental OU
administrators group to the local administrators group on your Member Server. This will enable
you to perform local Server administration tasks without logging in as the local administrator.
Please see the Administration Guide for Andrew Windows for specific instructions.
3.6 Local versus Andrew Domain Accounts
When Member Servers join the Andrew Domain, resources can then be adjusted to give
permissions to Andrew Users. In addition, Member Servers still have the ability to host local
accounts for resource control. Server administrators are responsible for local machine accounts.
For security reasons, it is recommended that these accounts be minimized.
3.7 Local Logon Access
We recommend that departments customize their local logon policies to deny logon access to
non-departmental Administrators. Please see the Administration Guide for Andrew Windows for
specific instructions.
3.8 Restricting Server Access
By default, when a computer is joined to a domain, several domain groups are added to local
machine groups: Domain Users is added to the local Users group, and Domain Admins is added to
the local Administrators group. These domain groups can be removed from the local groups to
increase the security of your server. Directions for customizing local machine access can be
found in the Administration Guide for Andrew Windows.
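The batch script below is an added example covering sections 3.4, 3.5 and 3.8 in sequence (plus disabling the local Guest account, which section 3.6 implies); it is not from the guide or from Computing Services. It assumes NETDOM from the Windows 2000 Support Tools is installed, that the Andrew domain's DNS name is andrew.ad.cmu.edu and its NetBIOS name is ANDREW (inferred from the dist server name, not stated by the guide), and it uses OU=Servers,OU=MyDept,... and a group named MyDept-OU-Admins as placeholders for your own Server OU path and departmental OU administrators group. One caveat worth checking: the local Users group on Windows 2000 also contains NT AUTHORITY\Authenticated Users and NT AUTHORITY\INTERACTIVE by default, so removing Domain Users removes only that explicit entry.

```batch
@echo off
rem Added example for sections 3.4, 3.5 and 3.8; not from the guide.
rem Placeholders (assumptions): domain names, OU path, account and group names.
set DOMAIN_DNS=andrew.ad.cmu.edu
set DOMAIN_NB=ANDREW
set SERVER_OU=OU=Servers,OU=MyDept,DC=andrew,DC=ad,DC=cmu,DC=edu
set OU_ADMINS=%DOMAIN_NB%\MyDept-OU-Admins

if "%1"=="after-reboot" goto :afterreboot

rem --- Step 1 (section 3.4): join the domain straight into the Server OU.
rem /OU creates the computer object in your OU rather than the default
rem Computers container, so the server never picks up the GPOs applied
rem there.  /PasswordD:* prompts for the password instead of storing it
rem in this file.  /REBoot restarts the machine 30 seconds after joining.
netdom join %COMPUTERNAME% /Domain:%DOMAIN_DNS% /OU:"%SERVER_OU%" /UserD:%DOMAIN_NB%\ou-admin-account /PasswordD:* /REBoot:30
echo After the reboot, run:  %~nx0 after-reboot
goto :eof

:afterreboot
rem --- Step 2: confirm the secure channel, then adjust local groups.
netdom verify %COMPUTERNAME% /Domain:%DOMAIN_DNS%
if errorlevel 1 (echo WARNING: secure channel check failed, stopping & goto :eof)

rem Section 3.5: let the departmental OU administrators administer the server.
net localgroup Administrators "%OU_ADMINS%" /add

rem Section 3.8: drop the domain groups that joining added automatically.
rem Only do this after the /add above succeeded, or no domain account will
rem be able to administer the server.
net localgroup Administrators "%DOMAIN_NB%\Domain Admins" /delete
net localgroup Users "%DOMAIN_NB%\Domain Users" /delete

rem Local-account hygiene (sections 3.6 and 4.4): disable the Guest account.
net user Guest /active:no

rem Check the result.  Users will still list NT AUTHORITY\Authenticated Users
rem and NT AUTHORITY\INTERACTIVE; those are default members, not Domain Users.
net localgroup Administrators
net localgroup Users
```

Run the script once before the reboot and once with the after-reboot argument afterwards; the two net localgroup listings at the end are the evidence to keep with the server's build record.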
4.0 Security
4.1 Physical Security
The most basic and important security measure for any operating system is controlling who has
physical access to the machine. NTFS permissions do not protect data from someone who can boot
the machine from other media: the disk can be read by mounting it from another operating system
(for example Linux, or MS-DOS with an NTFS driver), and the built-in Administrator password can
be reset from a boot floppy. Because data and passwords can be extracted from media, Emergency
Repair Disks and backup tapes should also be closely guarded.
A limited-access, climate-controlled, locked room is the ideal environment for the server. A
locked CPU cabinet is another viable option. If neither can be obtained, a locked computer
chassis should be used. The system BIOS should be configured to disable booting from floppy or
CD-ROM drives, and the BIOS password should be enabled.
The server should be protected from power surges and short outages with a UPS device.
4.2 Registry Security
Windows 2000 registry permissions are reasonably secure by default. Normal users can modify only
the keys belonging to their own profile (HKEY_CURRENT_USER); they cannot change machine-wide
settings under HKEY_LOCAL_MACHINE, which are writable only by Administrators, SYSTEM and, for
some keys, Power Users.
4.3 File/Share Access permissions
The default NTFS permissions in Windows 2000 do not allow a standard user to modify system files.
The default share permission, however, is Everyone: Full Control, and in Windows 2000 the
Everyone group includes anonymous connections.
Windows 2000 propagates security changes through inherited permissions rather than by explicitly
changing the Access Control List (ACL) of every directory and file. In the Graphical User
Interface (GUI), an ACL entry inherited from a parent is shown grayed out, and you cannot remove
it without first blocking inheritance on that object. Be especially careful when setting
permissions at a drive root, since everything below inherits them.
When creating a share, you can leave the default share permission of "Everyone" "Full Control"
and control access with the NTFS permissions on the folder: the effective permission over the
network is the more restrictive of the share permission and the NTFS permission. Verify the NTFS
permissions on the folder before publishing the share.
"Authenticated Users" is a built-in identity that includes every account that has logged on
with a valid password. Unlike "Everyone", it does not include anonymous connections. For better
file protection, grant access to "Authenticated Users" instead of "Everyone".
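The following batch script is an added example serving both section 2.7 (repairing the permissions left behind by a FAT-to-NTFS conversion) and section 4.3 (a departmental share granted to Authenticated Users rather than Everyone); it is not from the guide. It assumes the Windows 2000 default server security template basicsv.inf in %SystemRoot%\security\templates, uses cacls.exe and net.exe from the base install, and uses drive D:, the folder DeptShare and the group ANDREW\MyDept-OU-Admins as placeholders.

```batch
@echo off
rem Added example for sections 2.7 and 4.3; not from the guide.

rem --- 2.7: a FAT/FAT32 system drive converted in place ------------------
rem "convert C: /FS:NTFS" schedules the system partition for conversion at
rem the next reboot.  Afterwards every file carries Everyone:Full Control,
rem so re-apply the default server template to restore the stock file and
rem registry ACLs.  Run this block after the post-conversion reboot.
secedit /configure /db %TEMP%\basicsv.sdb /cfg %SystemRoot%\security\templates\basicsv.inf /areas FILESTORE REGKEYS /log %TEMP%\basicsv.log
rem Check: no Everyone entry should remain on the Windows directory.
cacls %SystemRoot% | find /I "Everyone"

rem --- 4.3: a departmental share on a data drive --------------------------
rem Set the ACL at the drive root, where no inherited entries exist, so
rem that folders created below inherit it.  cacls without /E replaces the
rem whole ACL and prompts for confirmation; "echo Y|" answers the prompt.
echo Y| cacls D:\ /P "Authenticated Users":R Administrators:F SYSTEM:F
md D:\DeptShare
rem /E edits the existing ACL instead of replacing it: C = Change, F = Full.
cacls D:\DeptShare /E /G "Authenticated Users":C
cacls D:\DeptShare /E /G "ANDREW\MyDept-OU-Admins":F
rem The share permission stays at its default (Everyone: Full Control);
rem the NTFS ACL above is what limits access over the network.
net share DeptShare=D:\DeptShare /remark:"Department files"
rem Check: Everyone should appear nowhere in the folder ACL.
cacls D:\DeptShare
net share DeptShare
```

Replacing the ACL at a drive root is exactly the step the guide warns about: do it on an empty data drive, before the folders that will inherit from it exist, and never on the system drive, where the template above is the right tool.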
4.4 Disable Guest Account
The local Guest account provides a potential door into your system for attackers, and it
should be disabled.
4.5 Virus Software
A virus scanner should be installed on the Member Server. CMU has a site license for Norton
AntiVirus, which can be downloaded from the MyAndrew website.
Configure the virus definition files to update automatically, and change the scheduled update
time from the product default. Scan the entire file system on a routine basis.
4.6 Auditing
Auditing is an effective security measure because it can help you track what an attacker (or
errant user) is attempting to do and provide insight into how to stop it. To enable auditing,
your file system must be formatted as NTFS (see section 2.7).
Auditing can be configured with:
Group Policy ->Computer Configuration\Windows Settings\Security Settings\Local
Policies\Audit Policy
One suggested auditing configuration is (X = audit that outcome):

Event                            Success   Failure
Account logon events             X         X
Account management               X         X
Directory service access         -         -
Logon events                     X *
Object access                    X *
Policy change                    X *
Privilege use                    X *
Restart, Shutdown, and System    X *
Process tracking                 X         X

* Marked for one outcome only in the original table.
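An added example, not from the guide: a security template written and applied with secedit.exe, which sets the table above as the server's local audit policy (Windows 2000 has no auditpol.exe). Where the table marks only one outcome, the example enables both; change those entries to 1 (Success only) or 2 (Failure only) to match your department's choice. A domain GPO that defines audit settings, such as the custom Server OU GPO from section 3.3, overrides the local policy; if you manage auditing through that GPO, put the same settings there instead. The log size is an assumed value.

```batch
@echo off
rem Added example for section 4.6; not from the guide.
set INF=%TEMP%\audit.inf
rem Security template.  Values: 0 = none, 1 = Success, 2 = Failure, 3 = both.
> "%INF%" echo [Unicode]
>>"%INF%" echo Unicode=yes
>>"%INF%" echo [Version]
>>"%INF%" echo signature="$CHICAGO$"
>>"%INF%" echo Revision=1
>>"%INF%" echo [Event Audit]
>>"%INF%" echo AuditAccountLogon=3
>>"%INF%" echo AuditAccountManage=3
>>"%INF%" echo AuditDSAccess=0
>>"%INF%" echo AuditLogonEvents=3
>>"%INF%" echo AuditObjectAccess=3
>>"%INF%" echo AuditPolicyChange=3
>>"%INF%" echo AuditPrivilegeUse=3
>>"%INF%" echo AuditSystemEvents=3
rem Process tracking logs every process start and exit; it fills the
rem Security log quickly, so the log size below must grow with it.
>>"%INF%" echo AuditProcessTracking=3
rem Log sizing goes with auditing: 20 MB (value in KB), and keep Guest out.
>>"%INF%" echo [Security Log]
>>"%INF%" echo MaximumLogSize=20480
>>"%INF%" echo RestrictGuestAccess=1

rem Apply only the local-policy area of the template.
secedit /configure /db %TEMP%\audit.sdb /cfg "%INF%" /areas SECURITYPOLICY /log %TEMP%\audit.log

rem Check: export the effective (local merged with domain) policy and show
rem the audit and log lines.  A domain GPO value wins over the local one.
secedit /export /mergedPolicy /cfg %TEMP%\effective.inf /areas SECURITYPOLICY
findstr /B /I "Audit Maximum Restrict" %TEMP%\effective.inf
```

Object access auditing produces nothing by itself: events appear only for files, folders and registry keys that carry a system ACL (the Auditing tab in the GUI), so after applying the policy add SACLs to the shares and system directories you want watched.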
The University of Colorado at Boulder also has some information on logging on its website.
4.7 Vulnerability Scanners
After the server has been configured, it should be tested for vulnerabilities with a Network and
Vulnerability Scanner. The Retina scanner is a robust, but pricey tool. Foundstone’s SuperScan
is a free scanning tool. Gibson Research produces the ShieldsUp utility. Microsoft has produced
the MBSA tool that assesses weaknesses and helps guide administrators in securing their
systems.
4.8 Other Good Security Links:
NSA Windows 2000 Security Guides
University of Colorado at Boulder Windows 2000 Security
NIST System Administration Guide for Windows 2000
5.0 On-Going Support Activities:
After the initial server configuration and deployment, it is still essential to conduct periodic
maintenance of the Member Server in order to verify its reliable and secure operations. Several
areas of concern are addressed below.
5.1 User Privacy/Confidentiality
Administrators carry advanced computer privileges. With these privileges, comes the
responsibility to ensure privacy in accordance with the University Computer Code of Ethics and
the University Privacy Policy.
5.2 Restrict Administrator Privileges
Since Administrator access is critical to the security of the Member Server, it is important to
protect this access. Several suggestions for protecting the Administrator Account:
• Use strong passwords as recommended by the Computing Services Guidelines.
• Change your passwords regularly.
• Do NOT share passwords among multiple users.
• Limit the number of people with Administrator access.
• Run as a non-privileged user for daily procedures. Elevate individual tasks with the "Run As"
option when necessary.
5.3 Keep the Patches Current.
Most security compromises exploit vulnerabilities for which a patch was already available but
had not been applied. As mentioned above, there are a number of good tools and resources for
keeping the Member Server patched. Security is an on-going activity: check for and apply
patches weekly, and immediately when a critical vulnerability is announced.
5.4 Review Event Logs
A good administrative practice is to become familiar with the logs by checking them routinely.
The Security log records logon attempts and privilege use and can reveal an attack in progress.
The Application and System logs can point out configuration or hardware issues. Check your
event logs as part of an on-going routine. The event logs can be viewed with the Event Viewer
tool via:
Start Menu->Run…->eventvwr.msc
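The batch script below is an added example of a routine Security-log review, not from the guide. It uses dumpel.exe from the Windows 2000 Resource Kit (section 6.1) to pull the events a member-server administrator cares about most. The event IDs are Windows 2000 Security-log IDs: 529 to 535, 537 and 539 are failed logons (bad password, disabled, expired or locked-out account, and so on); 528 and 540 are successful interactive and network logons; 517 is the Security log being cleared; 612 is an audit policy change; 624 and 630 are user account creation and deletion; 636 and 637 are members added to and removed from a local group. The server name, output folder and the threshold of 20 failures are placeholders.

```batch
@echo off
rem Added example for section 5.4; not from the guide.
rem Requires dumpel.exe (Windows 2000 Resource Kit).  Placeholders: the
rem server name, the C:\Logs folder and the failed-logon threshold.
set SERVER=\\MEMBERSERVER
set OUT=C:\Logs
set THRESHOLD=20
if not exist %OUT% md %OUT%

rem Failed logons in the last day.  -l log, -t tab-separated, -d days back,
rem -e up to ten event IDs, -f output file.
dumpel -s %SERVER% -l security -t -d 1 -e 529 530 531 532 533 534 535 537 539 -f %OUT%\failed-logons.tsv
set FAILED=0
for /f %%C in ('find /c /v "" ^< %OUT%\failed-logons.tsv') do set FAILED=%%C
echo Failed logons, last 24h: %FAILED%
if %FAILED% GEQ %THRESHOLD% echo WARNING: %FAILED% failed logons, check for password guessing
rem Locked-out accounts (539) are the usual sign of guessing against one name.
find /c "539" %OUT%\failed-logons.tsv

rem Account, group and audit-policy changes over the last week, plus anyone
rem clearing the log (517): every line here should match a known change.
dumpel -s %SERVER% -l security -t -d 7 -e 517 612 624 630 636 637 -f %OUT%\account-changes.tsv
echo Account/policy changes, last 7 days:
type %OUT%\account-changes.tsv

rem Successful logons in the last day.  Section 5.2 says daily work should
rem not use the built-in Administrator account, so count its logons.
dumpel -s %SERVER% -l security -t -d 1 -e 528 540 -f %OUT%\logons.tsv
echo Logons by the built-in Administrator account, last 24h:
find /c /I "Administrator" %OUT%\logons.tsv
```

Schedule the script with the AT command or the Task Scheduler and keep the .tsv files with the server's records; the counts are the first-pass check, and the files are what you read when a count looks wrong.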
5.5 Disk Defragmenting
The nature of hard disk storage often leads to data fragmentation because files are frequently
being created and removed from the storage device. Windows 2000 has a built in defragmenting
tool that can reduce the file fragmentation and increase disk performance. It is important to
defragment your Server Disks periodically.
6.0 Trouble-shooting
Windows 2000 and Active Directory together form a powerful environment, and that power can
lead to complicated trouble-shooting problems. This section provides some suggestions and tools
that can help trouble-shoot these problems.
6.1 Resource Kit
The Microsoft Windows 2000 Resource Kit contains a number of utilities that are very important
for computer management in a Windows environment. Some of the Resource Kit tools are
available for free download, but most are bundled with the purchased manuals as available via
Amazon.com.
6.2 Group Policy Object (GPO) Processing
Group Policy Objects are a powerful tool for deploying applications and controlling machine
configuration. However, GPO processing can be complicated and confusing. The Resource Kit
contains a useful tool called GPResult that can help identify how a collection of policies can
affect a user. Yale has an example output from GPResult available at their website. Stanford has
an excellent write-up detailing Loop-Back Processing within Windows 2000.
6.3 Group Memberships
Because groups can be nested, trouble-shooting group membership can be difficult. Several
Resource Kit tools (local.exe, findgrp.exe and showmbrs.exe) are very helpful for enumerating
group memberships.