Win2K Security Templates
I’ve been learning about and testing Windows 2000 security templates, the new and improved successor to Windows NT 4.0 system policies, and I’ve come to the conclusion that we should all be using them to define, configure, and enforce standard security controls on workstations, servers, and domain controllers (DCs). If you haven’t yet explored security templates, start the Microsoft Management Console (MMC) and load the Security Templates and Security Configuration and Analysis snap-ins. (The first time you expand the Security Templates snap-in, the utility pauses while it loads 12 built-in templates. Template files are .inf files that contain many OS-specific settings, and the snap-in takes a few seconds or longer to process the contents of these files.)
The built-in template files come in five flavors: basic, secure, hisecure, compatible, and optional components. The files follow a standard naming convention. Templates that end with the letters ws or wk apply to workstations, those that end with sv apply to servers, and those that end in dc apply to DCs. The basic templates document the default security settings for new installations (i.e., not upgrades) of Win2K Server, Win2K Professional, and Win2K DCs. The secure and hisecure versions implement progressively more stringent controls. You can examine a template’s security settings by expanding its keys to the lowest levels, at which point the applicable settings and their statuses or values appear in the right pane.
The Security Configuration and Analysis snap-in audits a system against the settings in a specific template and reports where the current system settings deviate from the template. You can also use this snap-in to apply a specific template to the local system to make it conform to settings in one of the default templates or settings in a custom template that you define.
The basic templates serve two purposes. First, when you upgrade an NT 4.0 system to Win2K, the Win2K setup utility doesn’t apply ACLs to the system root on the upgraded system; instead, the upgraded system maintains the potentially lax ACLs that the previous OS put in place. You can bring a Win2K system that started life as an NT 4.0 system into compliance by applying the basicws template with the Security Configuration and Analysis tool. Likewise, you can apply basicsv to implement default server settings and basicdc to implement default DC security controls.
Second, if you define and apply a custom template that doesn’t work or that results in unpredictable system behavior, you can reset the system to a known state by applying one of the basic templates—which is much easier than remembering and reapplying all the changes individually.
If you haven’t explored these two features, have a look. I bet you’ll find them as valuable as I did!
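To make the template mechanism concrete, here is an added example that is not part of the original column and not one of Microsoft’s built-in templates: a batch script that writes a small custom workstation template as a .inf file, then uses secedit.exe (the command-line counterpart of the Security Configuration and Analysis snap-in) to audit the local system against it and, only when explicitly asked, to apply it. The directory C:\SecTemplates, the specific policy values, and the assumption that the analysis log flags deviations with the word "Mismatch" are mine, not the page’s.

```batch
@echo off
REM Custom Win2K workstation hardening template, written as a security-template
REM .inf and checked/applied with secedit.exe. Run with no argument to audit
REM only; run with the argument "apply" to configure the system.
REM All paths and values are illustrative assumptions (added example).
setlocal
set WORKDIR=C:\SecTemplates
set TPL=%WORKDIR%\custom-ws.inf
set DB=%WORKDIR%\custom-ws.sdb
set LOG=%WORKDIR%\custom-ws.log
if not exist %WORKDIR% mkdir %WORKDIR%

REM Each [section] below mirrors a node of the Security Templates snap-in.
REM [System Access]   = Account Policies (password and lockout policy)
REM [Event Audit]     = Local Policies, Audit Policy (0=none 1=success 2=failure 3=both)
REM [Registry Values] = Local Policies, Security Options, stored as path=type,value
REM                     where type 4 is REG_DWORD.
(
echo [Unicode]
echo Unicode=yes
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo [System Access]
echo MinimumPasswordLength = 8
echo PasswordComplexity = 1
echo MaximumPasswordAge = 42
echo LockoutBadCount = 5
echo ResetLockoutCount = 30
echo LockoutDuration = 30
echo [Event Audit]
echo AuditLogonEvents = 3
echo AuditAccountLogon = 3
echo AuditPolicyChange = 3
echo [Registry Values]
echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
echo MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
) > %TPL%

if /i "%1"=="apply" goto apply

REM Audit mode: import the template into a fresh database, compare the live
REM system with it, and show the settings that deviate (assumed log wording).
if exist %DB% del %DB%
secedit /analyze /db %DB% /cfg %TPL% /log %LOG% /verbose
echo Settings that differ from %TPL%:
findstr /i "Mismatch" %LOG%
goto end

:apply
REM Configure mode: apply the template. If the result misbehaves, reapply a
REM built-in basic template (e.g. %SystemRoot%\security\templates\basicws.inf)
REM with the same /configure command to return to a known state.
secedit /configure /db %DB% /cfg %TPL% /log %LOG% /verbose

:end
endlocal
```

Running the script without arguments is safe to repeat on any machine because it only reads the current configuration; the apply step is kept behind an explicit argument so the analysis can be reviewed first, which is the same audit-then-enforce order the snap-in encourages.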
An IIS 5.0 Security Vulnerability
Microsoft reported a new vulnerability that a malicious user can exploit to take control of a Microsoft IIS 5.0 system by forcing a buffer overflow in the Internet Printing Protocol (IPP) component. According to the security notice Microsoft issued May 1, this loophole lets a remote attacker run code in the Local System security context, which by definition lets the attacker take complete control of the Web server. To manually eliminate the vulnerability, read the directions in the IIS Security Checklist document at the Microsoft Web site.
Alternatively, you can apply the high-security template that Microsoft includes with the Win2K Internet Server Security Tool, which is available at the Microsoft Web site.
The Microsoft Product Lifecycle Page
Someone recently sent me a link to a Microsoft Web site that lists the phase-out plans for Microsoft OS platforms and applications. The page, titled Client Operating Systems Lifecycle Announcement, indicates that Microsoft won’t provide hotfixes for Office 97 after July 31 and for Windows 95 after December 31 of this year. The page also indicates that Microsoft will phase out hotfixes for Windows 98 and NT 4.0 at the end of June 2002.
According to this page, you can sign up for special support contracts that extend the time during which you can obtain hotfixes for each product. To extend support, you must sign up before the end of the service offering dates. To extend support for Office 97 updates, you must sign up for the support contract by October 31; to extend Windows 95 support, you must sign up by December 31. Microsoft also promises online and per-incident support for all OS and application products until their permanent retirements. Personally, I’ll be delighted to see the demise of Windows 9x.
Win2K Server Reboots Continuously
A reader with a sense of humor sent me the following information about the continuous reboot bug that I discussed last week. According to John Quigley, a fix (Q285858_W2K_SP3_x86_en) is available from Microsoft that corrects the Active Directory (AD) entries and stops the Knowledge Consistency Checker (KCC) errors. The only problem, John notes, is that when Microsoft released the original code fix, it inadvertently packaged the executable with the FunLove virus!