
WindowsXP & Windows 2000 Security Checklist

This Checklist is for Securing Computers after a System Compromise

Steps Required Before A Computer Can Be Unfiltered:

This page outlines the steps which must be completed before a filter is removed from a compromised (hacked) computer. These directions are only for Windows 2000 and XP.

Warning - Disconnect your system from the network during these procedures. Your system may be compromised during the re-installation of its operating system.

Warning - Backup ALL IMPORTANT DATA. Since a reformatting/erasure of the hard drive is about to occur, please make sure that all data on your hard drive is backed up.

To reformat:

  1. Insert the boot CD for the operating system and delete the existing partition on the hard drive.
  2. Create a new partition.
  3. Install the new operating system.

Once the Operating System has been re-installed, the following Checklist should be followed to secure the machine.


Install the "Security Self-Test Utility".

  1. Run the Security Tests.
  2. Run the Full Password Check. Make sure you highlight all users and select the "over 3,000 passwords" option within the options box, then click Run Password Check. You may get a dialog box stating that this test may take a long time; just click Yes. If any passwords are found to be weak, find out who you can contact about having them changed to better ones.

If the Symantec Anti-Virus program is not installed, install it, then update its Virus Definitions.


Schedule Symantec Anti-Virus Definition Updates

  1. Double click on the Symantec Anti-Virus Gold Shield in the lower right corner of the task bar.
  2. Click on File, then Schedule Updates.
  3. Click on the Schedule button. Set the Virus Definitions Update Schedule to Daily and set the time; 12pm will work.

Schedule Windows Update to Run Automatically

  1. Click on the Start button, go to Settings, go to Control Panel and click on Automatic Updates.
  2. Set Automatic Updates to "Automatically download the updates, and install them on the schedule that I specify".
  3. Set the schedule so it runs every day and set the time accordingly.
BigFix Patch Management System


The Local Security Policies can be configured by clicking Start/Programs/Administrative Tools/Local Security Policy.

WINDOWS 2000 Only

Local Security Settings:
Account Policies/Password Policy
Set "Enforce Password History" to 3
Set "Minimum Password Length" to 6
Set "Passwords must meet complexity requirements" to disable
Set "Store Passwords using reversible encryption for all users in the domain" to disable

Local Policy /Audit Policy:

All should be set to Success, Failure except Audit Process Tracking:
Audit Account Logon Event - Success, Failure
Audit Account Management - Success, Failure
Audit Directory Services Access - Success, Failure
Audit Logon Events - Success, Failure
Audit Object Access - Success, Failure
Audit Policy Change - Success, Failure
Audit Privilege Use -Success, Failure
Audit Process Tracking - No Auditing
Audit System Events - Success, Failure

Local Policies/Security Options:
Additional Restrict Anonymous - set to "No Access without explicit Anonymous Permissions"
Clear Virtual Memory Pagefile when system shuts down - Enabled
Do not Display Last Username in Logon Screen - enabled

Event Viewer Properties:

Increase the log size to 20992 KB on all 3 Event Types (Application, Security & System Log)
Overwrite Events as needed
Under Filter Tab - All Event Types Should be Set

System Properties:

Hardware Profiles
Under the option "when Windows starts, select first profile listed": Set the seconds to 3
Advanced/Startup and Recovery:
Display List of operating systems for - set 3 seconds
Under System failure: Uncheck Send an Administrative Alert and Automatically Reboot
Debugging Info - set to None
no core dump should be made

Check NetDB record:

Is this machine fully patched with Windows Update?
Is this machine fully up-to-date with hotfixes?
Is there a shortcut for Active Ports on the desktop?
Has the CIS Tool been run to confirm the patch level of the system?

Services to disable - WINDOWS 2000 ONLY:

To disable the unneeded Services in this list, click the Start button, then go to Control Panel, Performance and Maintenance, Administrative Tools, then double-click the Services icon.

Alerter
ClipBook
Distributed Transaction Coordinator
Error Reporting Service
HP Web Jetadmin
Internet Information Server (IIS)
Indexing Service
Messenger
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Portable Media Serial Number
QoS RSVP
Remote Registry Service
Routing and Remote Access
Smart Card
Smart Card Helper
Telnet
Terminal Services
Uninterruptible Power Supply
Windows Time
Wireless Configuration - Don't Disable on Laptops

WINDOWS XP ONLY

Local Security Policy Configuration:

To configure the Local Security Policy for your machine, click the Start button, then go to Control Panel, Performance and Maintenance, Administrative Tools, then double-click Local Security Policy.
Local Security Policy:

Account Policies/Password Policy
Set "Enforce Password History" to 3
Leave Maximum Password Age at its current default setting
Leave Minimum Password Age at its current default setting
Set Minimum Password Length to 6
Set Passwords must meet complexity requirements to enable
Set "Store Passwords using reversible encryption for all users in the domain" to disable
NOTE: Account Lockout Policy isn't listed because we use the default setting.

Local Policy /Audit Policy:

Audit Account Logon Event - Success, Failure
Audit Account Management - Success, Failure
Audit Directory Services Access - Success, Failure
Audit Logon Events - Success, Failure
Audit Object Access - Success, Failure
Audit Policy Change - Success, Failure
Audit Privilege Use - Success, Failure
Audit Process Tracking - No Auditing
Audit System Events - Success, Failure

Local Policies/Security Options - Set these options ONLY:

Accounts: Limit Local Account use of Blank Password to console logon only: Enable
Interactive Logon: Do not display last username: Enable
Network Access: Don't allow anonymous enumeration of SAM accounts and shares: Disable
Network Access: Do not allow storage of credentials or .NET passport for network authentication: Disable
Shutdown: Clear virtual memory pagefile: Enable
When finished, click File and then Exit.

Event Viewer Properties
To configure Event Viewer for your machine, click the Start button, then go to Control Panel, Performance and Maintenance, Administrative Tools, then double-click Event Viewer.

Event Viewer Properties
Right mouse click on Application, Security & System to access the Properties for each entry. Make sure you set this for all Event Types.
Log Size Entries:
Maximum Log Size: 20992 KB
Overwrite Events as needed
Filter Tab - All Event Types Should be Set
When finished, click File, then Exit.

System Properties:
Hardware Profiles
Under the option "when Windows starts, select first profile listed": Set the seconds to 3
Advanced/Startup and Recovery:
Display List of operating systems for - set 3 seconds
Under System failure: Uncheck Send an Administrative Alert and Automatically Reboot
Debugging Info - set to None
no core dump should be made

Services to Disable - WinXP ONLY


To disable the unneeded Services in this list, log in as Administrator, click the Start button, then go to Control Panel, Performance and Maintenance, Administrative Tools, then double-click the Services icon.

Alerter
ClipBook
Distributed Transaction Coordinator
Error Reporting Service
Fast User Switching Compatibility
HP Web Jetadmin
Internet Information Server (IIS)
Indexing Service
Messenger
NetMeeting Remote Desktop Sharing
Network DDE
Network DDE DSDM
Portable Media Serial Number
QoS RSVP
Remote Registry Service
Routing and Remote Access
Smart Card
Smart Card Helper
SMTP
SSDP Discovery Service
Telnet
Uninterruptible Power Supply
Web Client
Windows Time
Wireless Configuration - Don't disable if you have a laptop with a wireless adapter.
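The Windows XP Local Security Policy, Event Viewer and Services settings above can also be applied from a command prompt with the built-in secedit and sc tools, which makes the result repeatable across several rebuilt machines. This is an added example, not part of the original checklist; the template file name is an assumption, the service key names are my mapping of the display names listed above (HP Web Jetadmin has no standard key name and is left out), and Wireless Configuration is deliberately not disabled.

```batch
@echo off
rem Added example, not from the original checklist: applies the XP settings
rem above with secedit (policy, audit, event logs) and sc (services). Run from
rem an Administrator prompt on the rebuilt machine while it is off the network.
setlocal
set INF=%TEMP%\irt-harden.inf
rem Security template (assumed name). Audit values: 0 = No Auditing, 3 = Success, Failure.
(
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo [System Access]
echo PasswordHistorySize = 3
echo MinimumPasswordLength = 6
echo PasswordComplexity = 1
echo ClearTextPassword = 0
echo [Event Audit]
echo AuditAccountLogon = 3
echo AuditAccountManage = 3
echo AuditDSAccess = 3
echo AuditLogonEvents = 3
echo AuditObjectAccess = 3
echo AuditPolicyChange = 3
echo AuditPrivilegeUse = 3
echo AuditProcessTracking = 0
echo AuditSystemEvents = 3
echo [Registry Values]
echo MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
echo MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
echo MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,0
echo MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
echo [Application Log]
echo MaximumLogSize = 20992
echo AuditLogRetentionPeriod = 0
echo [Security Log]
echo MaximumLogSize = 20992
echo AuditLogRetentionPeriod = 0
echo [System Log]
echo MaximumLogSize = 20992
echo AuditLogRetentionPeriod = 0
) > "%INF%"
secedit /configure /db "%TEMP%\irt-harden.sdb" /cfg "%INF%" /overwrite /quiet
rem Stop and disable the listed services. Key names are my mapping of the display
rem names (check with "sc query" if one differs); W3SVC/SMTPSVC only exist if IIS is installed.
for %%S in (Alerter ClipSrv MSDTC ERSvc FastUserSwitchingCompatibility cisvc Messenger mnmsrvc NetDDE NetDDEdsdm WmdmPmSN RSVP RemoteRegistry RemoteAccess SCardSvr SCardDrv SMTPSVC SSDPSRV TlntSvr UPS WebClient W32Time W3SVC) do (
  sc stop %%S >nul 2>&1
  sc config %%S start= disabled
)
```

After it runs, open Local Security Policy and Services and confirm the values match the lists above; the script reproduces the page's settings, so it leaves Account Lockout Policy at its default as the note above says.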


When you have completed the above tasks, make sure to reboot the system.