Windows 2000 Security Checklist
To immediately secure your Windows 2000 system, take the three steps
below:
- Install anti-virus software
If you don't have anti-virus software installed, you may leave your
system vulnerable to viruses, Trojan horses, spam, and other intrusions.
Students, faculty and staff can download anti-virus software from the
BevoWare site. You should configure your software to scan regularly and
set your virus definition (DAT) files to auto-update.
- Install a personal firewall
A personal firewall protects your machine against Internet attacks and
random network scans. Students, faculty and staff can download personal
firewall software from the BevoWare site.
- Run Windows Update and Enable Automatic Updates
You should run Windows Update on your system or visit the Windows
Update Web site to install all Critical and Recommended updates
for your system. ITS recommends that you also configure
Windows 2000 to automatically update.
For increased security, you should also take the following steps:
Set strong passwords on all accounts
All users on the UT network are expected to choose
strong passwords and guard them well. If someone else obtains your
password, they can access your private data (including e-mail), alter
or destroy your files and perform illegal or inappropriate activities
in your name. To learn more about choosing strong passwords, visit the Password Dos and Don'ts topic.
Create a user account
Your administrator account allows you to install software, but using it
all the time is dangerous because viruses and Trojan horses accidentally
run from the administrator account can cause greater harm to your computer.
Download the Microsoft Baseline Security Analyzer
The Microsoft Baseline Security Analyzer (MBSA) provides an easy and
efficient way to identify common security misconfigurations on your
Windows-based system.
MBSA will scan your operating system and other installed components for
common system misconfigurations and check for missing security updates.
The ITS Web site has a tutorial on running the scan and fixing any problems.
Disable unnecessary services
Your system may be running services such as the IIS Web server and
the FTP server without your knowledge. Running these services can increase
your machine's vulnerability. You should disable
these services unless you have a specific need for them.
Set an account lockout policy
You should configure an account lockout policy that will protect your accounts
when a number of failed logon attempts occur within a specified amount
of time. This prevents someone from cracking your password using an automated
process that tests hundreds of passwords a second.
Disable guest accounts
You should disable any guest accounts on your system as they can provide
information to hackers and increase your security risk.
Disable the default shares
The default settings on your Windows machine may allow remote access to
your hard drive. You should disable the default shares to ensure others
cannot access your drives.
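The four checks above (unnecessary services, lockout policy, guest account, default shares) can be reviewed from a command prompt. The batch file below is an added example, not part of the ITS checklist; it only reports and changes nothing, and it assumes English-language command output, a Guest account that has not been renamed, and the standard IIS service display names.

```bat
@echo off
rem Added example, not part of the ITS checklist. Read-only: changes nothing.
rem Assumes English-language output and a Guest account that has not been renamed.

echo == Services: IIS Web and FTP servers ==
rem "net start" with no arguments lists the services that are currently running.
net start | find /i "World Wide Web Publishing" >nul
if not errorlevel 1 echo WARNING: the IIS Web server is running.
net start | find /i "FTP Publishing" >nul
if not errorlevel 1 echo WARNING: the FTP server is running.

echo == Account lockout policy ==
rem Show threshold, duration and observation window, then flag a missing threshold.
net accounts | find "Lockout"
net accounts | find "Lockout threshold" | find "Never" >nul
if not errorlevel 1 echo WARNING: no lockout threshold is set.

echo == Guest account ==
net user guest | find "Account active" | find "Yes" >nul
if not errorlevel 1 echo WARNING: the Guest account is enabled.

echo == Default shares ==
rem Names ending in $ are hidden shares; C$ and ADMIN$ expose the drive and system folder.
net share | find "$"
```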
Be careful when using peer-to-peer file sharing applications
Although peer-to-peer (P2P) applications such as Napster, Gnutella, iMesh,
Audiogalaxy Satellite, and KaZaA are a good way of sharing information,
if you do not use them appropriately you may degrade the performance of
the University's network, unknowingly share your personal data, inadvertently
violate federal copyright law, or expose your computer to malicious code
or unacceptable use. Read What You Need to Know about Peer-to-Peer
File-Sharing Applications.
Use secure file transfer
When transferring files over the Internet you should always use a secured
connection. SSH and SFTP applications encrypt and protect your passwords
and information. If you use Telnet or a non-secure FTP program,
your information is sent in the clear for anyone to see. SSH and SFTP
clients are available for download on the BevoWare site.