Technical Reference: NT IIS 5.0 and Win2K Hardening Configuration

IIS 5.0 and Windows 2000 Hardening Guide

 

Contents
Overview
Instructions
Table 1: Initial OS Config & Installation
Table 2: Media Configuration
Table 3: Encryption & Patches
Table 4: Services
Table 5: Terminal Service Configuration
Table 6: IIS 5.0 Configuration
Table 7: High Security Webserver App.
Table 8: User Acct & ACL Modification
Table 9: Firewall ACL
Table 10: SSHD for NT Remote Mgmt
Additional Resources
Revision History

Overview

This document applies ONLY to Windows 2000 running IIS 5.0. If any other application runs on the server to support its function (e.g., Cold Fusion), that application must be secured as well. Perform the steps in this guide on new installations only, to avoid unpredictable results. Do NOT use this procedure on general-purpose NT servers on an internal LAN (e.g., file servers): it removes several services that NT relies on for its default functionality.

Instructions

Follow these steps in order; you may want to print them out and check them off as you go. A few steps are marked as Best Practices; those are optional but advisable.

Only install and configure Terminal Services if you have a definite need for them. If you do install TS, do not install the clipboard file-transfer hack unless you have no more secure way of moving files onto the machine (such as SCP). The RDP protocol and Terminal Services have not yet undergone thorough security scrutiny, so if you install them you must ACL access down to a few source IPs. I would not install TS at all unless the server is behind a firewall.

I have included the old SSHD for NT port we used with NT 4.0; we no longer use that port and now install ssh.com's commercial NT server, and I strongly recommend that any commercial installation do the same.

Various files are referenced throughout the document; they can also be downloaded as a single zip file, w2k_hardening_files.zip.

 

Table 1: Initial OS Configuration and Installation

Step
Action
1.

Boot up Windows 2000 CD-ROM, and begin installation and configuration.

The Welcome to Setup screen appears. Press Enter to continue.

Press F8 to accept the End User License Agreement (EULA).

Note: Install only one instance of the operating system. If you need a second instance to get onto a server (e.g., for recovery), install it when needed and delete it afterwards.

2.

Choose your partition to install OS onto, choose NTFS for format.

Reserve a separate minimum 4 GB partition for the OS.

3.

Choose regional settings as appropriate.

Type in name and organization.

Choose Per Seat License.

4.

Choose a name for the server and set an administrator password.

5.

Choose components:

  • Go to Details on Accessories and Utilities; uncheck Accessibility Wizard, Communications, Games and Multimedia
  • Uncheck Indexing Service
  • Go to Details on Internet Information Services (IIS); uncheck Documentation, FrontPage Server Extensions and Internet Services Manager (HTML)
  • Go to Details on Management and Monitoring Tools; check Simple Network Management Protocol (SNMP)
  • Uncheck Script Debugger
  • Check Terminal Services only if you need it (see Instructions); if you leave it out, skip Table 5 and the port 3389 entries in Tables 4 and 9
6.

Set Date, Time and Time Zone

7.

Select Remote Administration Mode for terminal services.

Choose Typical Network Settings.

8.

Workgroup or Computer Domain setup:

Choose No, This Computer Is Not On a Network, or Is On a Network Without a Domain.

Type in a random workgroup name (Alt+255 gives a blank workgroup name).

Note: The file copy starts (takes some time). Log back in after reboot.

9.

When the Windows Configure Your Server screen comes up:

Choose I Will Configure This Server Later.

Click Next, then uncheck Show This Screen at Startup. Close window.

 

Table 2: Media Configuration

Step
Action
10.

Go to Start > Programs > Administrative Tools > Computer Management > Disk Management.

Right click on CD-rom and choose Change Drive Letter, click Edit, choose Z for drive.

Right click on the unallocated space and choose Create Partition. The Create Partition Wizard appears. Click Next, choose Primary Partition, then allocate space as required.

Click Next, choose drive letter, choose NTFS format.

11.

Double click the My Computer icon, then right click your C: drive and choose Properties.

On the Security tab remove the Everyone group, then add the Administrators and SYSTEM groups, giving both Full Control.

IMPORTANT!! Click Advanced and check Reset Permissions on All Child Objects and Enable Propagation of Inheritable Permissions.

12.

Click Advanced > Auditing > Add, choose Administrator, and click OK. Check both Successful and Failed for each of the following:

  • Create Files/Write Data
  • Create Folders/Append Data
  • Delete Subfolders and Files
  • Delete
  • Change Permissions
  • Take Ownership

Click OK > Apply > OK. You will get a message saying that auditing is not turned on: these entries generate no events until Audit Object Access is enabled under Local Security Policy > Local Policies > Audit Policy. Check that it is enabled after applying the template in Table 7, and confirm in the Security log.

13.

Under the General tab, uncheck Allow Indexing Service To Index This Disk For Fast File Searching

Choose Apply Changes to c:\, subfolders and files.

14.

Repeat this procedure for all other hard drives.
 

Table 3: Encryption and Patch Setup

Step
Action
15.

Install the high encryption pack for Windows 2000:
    http://www.microsoft.com/WINDOWS2000/downloads/recommended/encryption/default.asp.

It will ask you to restart your computer: choose No (the reboot happens in step 16).

NOTE: After installing the High Encryption Pack, it is necessary to run the KEYMIGRT.EXE utility to upgrade the encryption of the private keys used by IIS SSL from 40-bit RC4 to 168-bit 3DES (http://www.microsoft.com/technet/security/bulletin/ms00-032.asp). Strictly speaking, the upgraded key is the "Master Key" which encrypts IIS's private keys, as well as all the private keys of all the services which use public/private keys on the server.

16.

Right Mouse click on My Computer icon, choose Properties > Advanced > Performance Options.

Choose Change on Virtual Memory Settings.

Set the page file's Min/Max as Equal. Click OK.

You will now need to reboot.

17.

Install SP1 for Windows 2000:
    http://www.microsoft.com/windows2000/downloads/recommended/sp1/x86Lang.asp.

It will ask you to restart your computer, choose Yes.

18.

Install the current hotfixes on top of SP1, at present the Unicode (Web Server Folder Traversal) patch:
    http://www.microsoft.com/technet/security/bulletin/MS00-078.asp.

For more up to date information refer to:
    http://ntbugtraq.ntadvice.com/default.asp?sid=1&pid=47&aid=65.
 

Table 4: Services

Step
Action
19.

Disable all network protocols except TCP/IP, and give the server a fixed IP address:

Right click My Network Places > Properties, then right click Local Area Connection > Properties. Select File and Printer Sharing for Microsoft Networks and click Uninstall.

Uncheck Client for Microsoft Networks.

Set a fixed IP address (or addresses) for the server.

20.

Go to Advanced Settings for TCP/IP.

Click the DNS tab and uncheck Register This Connection's Addresses in DNS.
21.

Choose Options > TCP/IP Filtering > Properties.

Check Enable TCP/IP Filtering (All Adapters).

Change Permit All to Permit Only and enter the explicitly needed ports:

TCP Ports        UDP Ports        IP Protocols
80   HTTP        161  SNMP        6 (TCP)
443  SSL         162  SNMP        8 (EGP)
22   SSH
3389 RDP

Note: TCP/IP Filtering is inbound only and not stateful. Omit 3389 if you did not install Terminal Services. Protocol 8 is EGP, which a web server has no use for; ICMP is protocol 1 and UDP is 17, so check which number you actually need before entering it. UDP 162 is the trap port on the SNMP manager, not on the agent, so it is only needed if this server itself receives traps.

Restart your computer when prompted.

22.

Disable NetBios over TCP/IP:

Right click on My Computer > Properties > Hardware > Device Manager.

Click on View > Show Hidden Devices.

Click on View > Devices by Connection.

Right click NetBios over Tcpip > Properties.

On the Driver tab set Type to Disabled.

Click OK. (Disabling NetBIOS over TCP/IP on the WINS tab of the connection's Advanced TCP/IP Settings has the same effect for that interface.)

 

23.

Ensure the following services are set to Disabled:

  • Alerter
  • DHCP Client
  • Distributed Link Tracking Client
  • Distributed Link Tracking Server
  • Distributed Transaction Coordinator
  • DNS Client
  • License Logging Service
  • Messenger
  • Print Spooler
  • Remote Registry Service
  • Removable Storage
  • RunAs Service
  • Simple Mail Transport Protocol (SMTP)
  • Task Scheduler
  • TCP/IP NetBIOS Helper Service
  • Telephony
  • Workstation

Set the following Manual services to Disabled:

  • Computer Browser
  • Fax Service
  • File Replication
  • Indexing Service
  • Internet Connection Sharing
  • NetMeeting Remote Desktop Sharing
  • QoS RSVP
  • Remote Access Auto Connection Manager
  • Remote Access Connection Manager
  • Smart Card
  • Smart Card Helper
  • Telnet
  • Uninterruptible Power Supply
  • Network DDE
  • Network DDE DSDM
  • Windows Time

Note: With Windows Time disabled the clock is no longer synchronised, so timestamps in the IIS and Security logs will drift; if you correlate logs across hosts, keep the clock accurate some other way.
24.

IPSec Policy:

Set up an IPSec policy that blocks everything and passes only the ports you need. For example:

Use ipsecpol.exe (Windows 2000 Resource Kit), and make certain these two DLLs are in your path: ipsecutil.dll and text2pol.dll. In the -f filter spec, 0 stands for this host's address(es), * for any address, the number after a colon is a port (omitted = any), and the last field is the protocol; + and = select a mirrored (two-way) or one-way filter, so run ipsecpol with no arguments to read its usage text and confirm which you want, because the example below mixes them for its inbound rules. From a command prompt, enter the following lines:

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "BlockAll" -n BLOCK -f 0=*::*
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowICMP" -n PASS -f 0::=*:*:ICMP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-in" -n PASS -f 0:25=*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-out" -n PASS -f 0:=*:25:TCP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-in" -n PASS -f 0:53+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-out" -n PASS -f 0:=*:53:UDP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTP-in" -n PASS -f 0:80+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTPS-in" -n PASS -f 0:443+*::TCP

ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowPOP3" -n PASS -f 0:110+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowRDP-in" -n PASS -f 0:3389+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSSH-in" -n PASS -f 0:22+*::TCP

Note: this example list is broader than the TCP/IP filter in step 21 and the router ACL in Table 9. It passes inbound SMTP, POP3 and DNS to a server that runs none of those services (SMTP is disabled in step 23), and it passes nothing for SNMP (UDP 161), so SNMP polling would be dropped by IPSec even though the other two layers allow it. Remove the rules for services you do not run and add the ones you do, so that all three layers agree.

.
 

Table 5: Terminal Service Configuration

Step
Action
24.

Configure Terminal Service:

Go to Start > Programs > Administrative Tools > Terminal Services Configuration (TSC).

Right mouse click on RDP-TCP, choose Properties > General > Encryption Level: High.

25.

Under Client Settings:

Uncheck Use Connection Settings From User Settings.

Uncheck Connect Client Printers at Logon and Default to Main Client Printer.

Under Disable the following, check everything except Clipboard Mapping.

26.

Under Sessions:

Check Override User Settings, then set:

End a disconnected session: 3 hours
Active session limit: 1 day
Idle session limit: 30 minutes

Check the second Override User Settings and choose Disconnect From Session.

27.

Under Network Adapter, set Maximum Connections to 5.

28.

Under Server Settings for TSC, change Active Desktop to Disable.

29.

If needed, make the following edits on the server to enable clipboard file transfer (see the caution in Instructions: prefer SCP where you can):

1. Open Regedt32, and then change the value data in the Name value from RDPCLIP to FXRDPCLP in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\AddIns\Clip Redirector

2. Change the value data in the Startup Programs value from RDPCLIP to FXRDPCLP in the following registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd

3. Rename the new rdpclip.exe file included in the Windows 2000 Resource Kit to Fxrdpclp.exe, and then copy the file to the Winnt\System32 folder.

4. Copy the fxfr.dll file to the Winnt\System32 folder.

To the Clients that wish to use the enhanced clipboard facilities:

5. Copy the 32-bit Fxfr.dll file to the "Program Files\Terminal Services Client" folder.

6. Rename the Rdpdr.dll file in the "Program Files\Terminal Services Client" folder to Rdpdr.pss.

7. Copy the 32-bit rdpdr.dll file from the resource kit to the "Program Files\Terminal Services Client" folder.

 

Table 6: IIS 5.0 Configuration

Step
Action
30.

Go into ISM (Internet Services Manager) and stop the Default Web Site.

31.

Right mouse click on the computer name in ISM:

Choose Properties > Edit The Master Properties For The WWW Service.

Choose Web Site > Enable Logging > W3C Extended Log File Format > Properties.

Change New Log Time Period to When File Size Reaches 50 MB; click OK.

Click Properties > Extended Properties and add checks for Cookie and Referer.

32.

Choose Home Directory > Configuration:

Remove any unnecessary application mappings, as listed below.

NOTE: Remove them all and add back in only the ones you need!

Extension              Filetype
.asa                   ASP files that declare objects with session or application scope
.asp                   Active Server Pages
.bat                   Batch files
.cdx                   Scripts to create Channel Definition files
.cer                   Scripts for digital certificates
.htr                   Scripts for web-based (remote) password change
.htw                   Index Server hit highlighting
.ida                   Index Server administration (Internet Data Administration)
.idc                   Internet Database Connector
.idq                   Index Server query definition
.printer               Internet Printing
.shtm, .shtml, .stm    Server Side Includes

33.

At a minimum, remove .htr, .idc and .printer.

Click OK to get out of edit mode.
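Once logging is configured as in step 31 and the mappings are removed as in steps 32 and 33, the log is where probes for the removed extensions and for the Unicode traversal bug patched in step 18 show up. The following Python script is an added example and not part of this guide: it parses W3C extended log lines using the #Fields header, flags overlong UTF-8 escapes (%c0xx / %c1xx, the encoding MS00-078 exploited) and any decoded path that climbs above the web root, and flags requests for extensions whose mappings were removed. The decoder deliberately reproduces the lenient behaviour of the vulnerable code so that the traversal is visible; the sample log lines are constructed.

```python
"""Scan IIS 5.0 W3C extended log lines for the request patterns this guide
defends against: overlong UTF-8 directory traversal (MS00-078) and requests
for script mappings that Table 6 says to remove (.htr, .printer, .ida, ...).
Added example; the sample log text is constructed, not from a real server."""
import os
import re
from urllib.parse import unquote_to_bytes

# Mappings removed in step 32. A hit on one of these after hardening is a
# probe, or a sign the mapping was re-added.
REMOVED_EXTENSIONS = {".asa", ".bat", ".cdx", ".cer", ".htr", ".htw", ".ida",
                      ".idc", ".idq", ".printer", ".shtm", ".shtml", ".stm"}

# A lead byte of C0 or C1 can never start a valid UTF-8 sequence: it is an
# overlong encoding of a 7-bit character, which is how %c0%af ('/') and
# %c1%9c ('\') slipped past the path check that MS00-078 fixes.
OVERLONG = re.compile(r"%c[01]%[0-9a-f]{2}", re.IGNORECASE)


def parse_w3c(lines):
    """Yield one dict per request line, using the #Fields directive for keys."""
    fields = None
    for line in lines:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()
        elif line and not line.startswith("#") and fields:
            yield dict(zip(fields, line.split(" ")))


def lax_decode(stem):
    """Decode percent-escapes the way the vulnerable decoder did: a C0/C1 lead
    byte and the byte after it are folded into the ASCII character they
    encode, without checking that the second byte is a valid continuation
    (the %c1%1c variant of the exploit only works because of that omission)."""
    raw = unquote_to_bytes(stem)
    out = bytearray()
    i = 0
    while i < len(raw):
        if raw[i] in (0xC0, 0xC1) and i + 1 < len(raw):
            out.append(((raw[i] & 0x1F) << 6) | (raw[i + 1] & 0x3F))
            i += 2
        else:
            out.append(raw[i])
            i += 1
    return out.decode("latin-1")


def escapes_web_root(path):
    """True if the path, with backslashes normalised, climbs above its root.
    IIS may log the stem already decoded, so this also catches /../../ forms."""
    depth = 0
    for part in path.replace("\\", "/").split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        elif part and part != ".":
            depth += 1
    return False


def scan(lines):
    """Return (client ip, uri stem, status, [reasons]) for each suspicious request."""
    findings = []
    for rec in parse_w3c(lines):
        stem = rec.get("cs-uri-stem", "-")
        reasons = []
        if OVERLONG.search(stem):
            reasons.append("overlong UTF-8 escape")
        if escapes_web_root(lax_decode(stem)):
            reasons.append("path escapes web root")
        ext = os.path.splitext(stem.lower())[1]
        if ext in REMOVED_EXTENSIONS:
            reasons.append("request for removed mapping " + ext)
        if reasons:
            findings.append((rec.get("c-ip", "-"), stem, rec.get("sc-status", "-"), reasons))
    return findings


# Constructed sample in the format step 31 configures (cookie and referer on).
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) cs(Cookie) cs(Referer)
2001-03-01 00:00:01 192.0.2.10 GET /index.html - 200 Mozilla/4.0+(compatible;+MSIE+5.5) - -
2001-03-01 00:00:02 203.0.113.5 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 404 Mozilla/4.0 - -
2001-03-01 00:00:03 203.0.113.5 GET /msadc/..%c1%1c../winnt/system32/cmd.exe /c+dir 404 Mozilla/4.0 - -
2001-03-01 00:00:04 203.0.113.5 GET /default.ida - 404 - - -
2001-03-01 00:00:05 198.51.100.7 GET /images/logo.gif - 200 Mozilla/4.0 SESSION=abc http://www.example.com/
"""

if __name__ == "__main__":
    for ip, stem, status, why in scan(SAMPLE_LOG.splitlines()):
        print(ip, status, stem, "->", "; ".join(why))
```

Run against the sample, the two cmd.exe requests are reported twice over (overlong escape plus a path that leaves the web root), and the .ida request is reported because its mapping should no longer exist. A 404 on such a request is what a hardened server should return; a 200 on one is the line to investigate first.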

34.

Create your new website base directory:

While still in ISM, highlight your computer name, right mouse click, then choose New, Web Site.

This will start the new Web Site Wizard. Click Next.

35.

Choose a drive that is NOT your system partition for the path to your home directory.

36.

Choose the minimum set of permissions here for your web site.

Click Next to finish.

37.

Disable Parent paths.

Go to Properties on the Web Site > Home Directory > Configuration > App Options.

Uncheck Enable Parent Paths.

38.

Microsoft recommends configuring a separate directory for each file type so that ACLs are easy to set. Best Practice:

This is a good idea if you have the ability to do so. For example, set up your web site as:

  • D:\test_website\static (.html)
  • D:\test_website\include (.inc)
  • D:\test_website\script (.asp)
  • D:\test_website\executable (.dll)
  • D:\test_website\images (.gif, .jpeg)
39.

Change the Application Protection to Low (IIS Process):

Go to Web Site Properties > Home Directory tab > Application Protection.

This stops IIS from using the IWAM_machinename account for this site. Note that Low runs the application inside inetinfo.exe, which runs as LocalSystem, so a flaw in the application is a flaw in the web service itself; Medium (Pooled) keeps it in a separate process under the IWAM account at some cost in performance. Choose Low only if you are also disabling IWAM (step 51).

40.

Disable the Default Web Site. (It is better to leave it disabled rather than remove it, as it may come in handy later.)

Right click the Default Web Site and select Properties > Directory Security > Anonymous Access and Authentication Control > Edit.

Uncheck all the boxes. You will get a warning that you are shutting off all access; click Yes.

A dialog on inheritance will appear. Click Select All > OK.

Note: Do not use the Default Web Site, and disable or delete the Administration Web Site as well.

41.

Remove all IIS sample and administrative directories:

    IIS samples         %webroot%\iissamples
    IIS SDK             %webroot%\iissamples\sdk
    Admin Scripts       %webroot%\AdminScripts
    Data access         c:\Program Files\Common Files\System\msadc\Samples
    IIS Help            %systemroot%\help\iishelp
    IIS admin password  %systemroot%\system32\inetsrv\iisadmpwd

42.

Remove Internet Printing:

Delete the Printers virtual directory and its files under %systemroot%\web\printers.
 

Table 7: High Security Webserver Template Application

Step
Action
43.

Download and install the MS High Security Web Template hisecweb-cisco.inf :

Copy the hisecweb-cisco.inf to the %windir%\security\templates directory. The one linked here is a slightly modified version of the one found at http://download.microsoft.com/download/win2000srv/SCM/1.0/NT5/EN-US/hisecweb.exe.

44.

Open MMC. Choose Console > Add/Remove Snap-In:

Add the Security Configuration and Analysis tool and the Security Templates.

45.

Right click the Security Configuration and Analysis:

Choose Open Database and give a name to the database.

Click Open, then load the hisecweb-cisco.inf template.

46.

Right-click the Security Configuration and Analysis tool:

Choose Analyze Computer Now. You can browse through the changes the template will make.

47.

Right-click the Security Configuration and Analysis tool:

Choose Configure Computer Now from the context menu.

48.

This will make the following changes.
 

Table 8: User Account and ACL Modification

Step
Action
49.

Under Local Users and Groups, rename Internet Guest Account to an obscure name.

Create a strong password.

Ensure Guest Account is disabled.

Remove the renamed Internet Guest Account from the Guest Group.

50.

Rename Administrator Account. Change password to a strong password.

Note: You will need to start the Workstation service to set passwords. Stop and disable the service afterwards.

51.

Disable the IWAM_machinename account.

52.

Under Administrative Tools > Local Security Policy > Local Policies > User Rights Assignment, adjust these rights:

Remove Access This Computer From The Network for all users and groups except Administrators.

Add the renamed IUSR account to Log On Locally (with Allow IIS to Control Password unchecked in step 55, the anonymous account logs on interactively and needs this right).

Remove all accounts from Log On As A Batch Job.

53.

Set File Permissions:

Set permissions for the renamed Internet Guest Account on all volumes to "No Access" (Deny everything):

Right click the volume > Properties > Security > Add > choose the renamed IUSR account. Check all the Deny boxes, and click Yes on the Caution pop-up.

IMPORTANT!! Click Advanced > Check Reset Permissions on all Child Objects.
54.

Change the renamed IUSR account's permission to Read Only for a few directories:

Right click the directory, go to Properties > Security > Advanced:

Default Path           Environment Variable
c:\winnt               %SystemRoot%
d:\InetPub\wwwroot     wherever your IIS root is

Uncheck Allow Inheritable Permissions From Parent Object to Propagate to This Object.

A dialog will ask whether to copy or remove the inherited entries: choose Copy.

You can now edit the permissions. Highlight the Internet Guest Account Deny All line, choose Clear All, then check Allow for:

  • Traverse Folder/Execute File
  • List Folder/Read Data
  • Read Attributes
  • Read Permissions
55.

Go into ISM and right click the web site you created:

Choose Properties > Directory Security > Anonymous Access and Authentication Control > Edit > Edit (for Anonymous Access).

Change the username to the renamed IUSR_MACHINE account and uncheck Allow IIS to Control Password. Enter the strong password you set in step 49 so that the two match.
 

Table 9: Firewall ACL

This hardening alone is not enough to ensure security. The box must be placed behind a firewall or router.

Step
Action
56.

Example ACL for the router to permit only HTTP, SSL, SSH, SNMP and (if installed) RDP to the server; anything not listed is dropped by the implicit deny at the end of the list:

access-list 150 permit tcp any host yourwebserver eq 80

access-list 150 permit tcp any host yourwebserver eq 443

access-list 150 permit tcp SSH-client-networks host yourwebserver eq 22

access-list 150 permit udp SNMP-server-networks host yourwebserver eq 161

access-list 150 permit udp SNMP-server-networks host yourwebserver eq 162

access-list 150 permit tcp RDP-client-networks host yourwebserver eq 3389

Note: replace the placeholders with the real address and wildcard mask (or a host entry) of each network that may reach the server, repeating the SSH, SNMP and RDP lines once per network. UDP 162 is the trap port on the SNMP manager, so the inbound 162 line is only needed if this server itself receives traps.
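The router ACL is the last of three inbound filters this guide configures for the same server (TCP/IP Filtering in step 21, the IPSec policy in step 24, and this ACL), so it is worth checking that the three agree before the box goes live. The following Python script is an added example, not part of the guide: it parses the guide's own port list, ipsecpol lines and ACL lines (placeholder network names kept as written) into the set of (protocol, port) pairs each layer admits to the server, and reports every port that one layer opens while another drops. Address fields and the mirrored/one-way operator in the ipsecpol spec are parsed but not evaluated; ICMP, having no port, is left out of the comparison.

```python
"""Cross-check the three inbound filters this guide sets up on the same
server: the TCP/IP Filtering port lists (step 21), the ipsecpol PASS rules
(step 24) and the router ACL (Table 9). Each is reduced to the set of
(protocol, port) pairs it admits to the server, and any port that one layer
opens while another drops it is reported. Added example; the rule text is
copied from the guide, the parsing and comparison are mine."""
import re

# Step 21: ports entered in the TCP/IP Filtering dialog.
TCPIP_FILTER = {"TCP": {80, 443, 22, 3389}, "UDP": {161, 162}}

# Step 24: the guide's ipsecpol lines, unchanged.
IPSEC_RULES = """\
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "BlockAll" -n BLOCK -f 0=*::*
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowICMP" -n PASS -f 0::=*:*:ICMP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-in" -n PASS -f 0:25=*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSMTP-out" -n PASS -f 0:=*:25:TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-in" -n PASS -f 0:53+*::UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowDNS-out" -n PASS -f 0:=*:53:UDP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTP-in" -n PASS -f 0:80+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowHTTPS-in" -n PASS -f 0:443+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowPOP3" -n PASS -f 0:110+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowRDP-in" -n PASS -f 0:3389+*::TCP
ipsecpol -x -w REG -p "CISCO_WWWSRV" -r "AllowSSH-in" -n PASS -f 0:22+*::TCP
"""

# Table 9: the guide's router ACL, placeholder source networks kept as written.
ROUTER_ACL = """\
access-list 150 permit tcp any host yourwebserver eq 80
access-list 150 permit tcp any host yourwebserver eq 443
access-list 150 permit tcp SSH-client-networks host yourwebserver eq 22
access-list 150 permit udp SNMP-server-networks host yourwebserver eq 161
access-list 150 permit udp SNMP-server-networks host yourwebserver eq 162
access-list 150 permit tcp RDP-client-networks host yourwebserver eq 3389
"""

IPSEC_LINE = re.compile(r'-r\s+"([^"]+)".*?-n\s+(\S+)\s+-f\s+(\S+)')
ACL_LINE = re.compile(r"\bpermit\s+(tcp|udp)\b.*\beq\s+(\d+)\s*$", re.IGNORECASE)


def parse_ipsec_filter(spec):
    """Split an ipsecpol -f spec 'addr[:port](=|+)addr[:port][:proto]' into
    its fields. 0 is this host and * is any address; per ipsecpol's usage
    text one of '=' / '+' makes the filter mirrored, which this check does not
    need, so the operator is only recorded. Extra colons (as in the guide's
    ICMP line) are tolerated."""
    m = re.match(r"^([^=+]*)([=+])(.*)$", spec)
    left, op, right = m.groups()
    lp, rp = left.split(":"), right.split(":")
    return {"src": lp[0], "sport": lp[1] if len(lp) > 1 else "",
            "dst": rp[0], "dport": rp[1] if len(rp) > 1 else "",
            "proto": rp[2].upper() if len(rp) > 2 else "*", "op": op}


def tcpip_inbound(cfg):
    return {(proto, port) for proto, ports in cfg.items() for port in ports}


def ipsec_inbound(text):
    """(proto, port) pairs for which a PASS rule names a port on this host (0)."""
    allowed = set()
    for line in text.splitlines():
        m = IPSEC_LINE.search(line)
        if not m or m.group(2) != "PASS":
            continue
        f = parse_ipsec_filter(m.group(3))
        port = f["sport"] if f["src"] == "0" else f["dport"] if f["dst"] == "0" else ""
        if port.isdigit() and f["proto"] in ("TCP", "UDP"):
            allowed.add((f["proto"], int(port)))
    return allowed


def acl_inbound(text):
    return {(m.group(1).upper(), int(m.group(2)))
            for m in map(ACL_LINE.search, text.splitlines()) if m}


def compare(tcpip, ipsec, acl):
    """Map each (proto, port) that some layer opens to the layers that drop it."""
    layers = {"TCP/IP filter": tcpip, "IPSec policy": ipsec, "router ACL": acl}
    gaps = {}
    for key in sorted(set().union(*layers.values())):
        missing = [name for name, s in layers.items() if key not in s]
        if missing:
            gaps[key] = missing
    return gaps


if __name__ == "__main__":
    report = compare(tcpip_inbound(TCPIP_FILTER), ipsec_inbound(IPSEC_RULES), acl_inbound(ROUTER_ACL))
    for (proto, port), missing in report.items():
        print(f"{proto}/{port}: opened somewhere but dropped by {', '.join(missing)}")
```

Run against the text as printed, it reports TCP 25, TCP 110 and UDP 53 as passed by IPSec alone, and UDP 161 and 162 as allowed by the filter and the router but dropped by IPSec, which has no SNMP rule; only 22, 80, 443 and 3389 are consistent across all three. Edit the three inputs to match what you actually deploy and re-run until the report is empty.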

 

Table 10: SSHD for NT Remote Management

OK. Now you need to be able to access this machine remotely. Here is the port of SSHD for NT that Cisco is currently using.

NOTE: There are issues with the cygwin.dll and separating simultaneous user space. Use with caution!

Step
Action
57.

Download and unzip sshdnt.zip. Use these files to complete the steps below.

58.

Run install.bat

This batch file should do the following:

  1. Create a server key
  2. Install SSHD as a service
  3. Start the sshd service

Note: Check to make sure SSHD is installed as a service and running. If it is not, refer to sshd_install.txt for instructions on how to create a server key and install SSHD as a service.

59.

Edit the passwd file (in c:\etc) to add additional users in this format:

<Username>:x:<User ID>:<Group ID>:<Full Name>:<home directory>:

Example:

  • administrator:x:1:10:Local administrator:/bin:
60.

Using SCP:

SCP use on an NT DMZ host:

  1. Move the file you need to a Unix box running sshd (e.g., host.com)
  2. Use srt or terra to connect to the NT host running sshd
  3. Type scp.exe <username>@<hostname with file>:<filename> <path to place file>

Examples:

  • To move the file "net.txt" from a Unix host (e.g., host.com) to the directory /bin on an NT host running sshd (IP address 10.0.0.20):
    1. Log in to host.com
    2. scp net.txt administrator@10.0.0.20:/bin
  • To pull test.exe from an NT host running sshd (IP address 10.0.0.20) to your user directory on host.com:
    1. Log in to host.com
    2. scp administrator@10.0.0.20:test.exe /home/user
 

Additional Resources

Note: For information/questions, please contact:
Eric Hampshire, ehampshire@ehampshire.com,
Cisco Systems Corporate Information Security