Lock down Win2K Box on a LAN?


Geoff Glave

Hi Everyone,

I'd like to lock down a Windows 2000 Pro box on a LAN. It needs to be on
the LAN to connect to the Internet, but that's it - It doesn't access any
network resources and it doesn't provide any.

I'd like no one else on the LAN to be able to connect to it, or ideally even
see it.

It strikes me that a simple way to do this would be to disable the SERVER
service. Is this a good approach? Are there any other services I could /
should disable? Or is my approach a bad one. The computer itself is
physically secure in a locked office.

Thanks in advance.

Cheers,
Geoff Glave
geoff at glave dot org
Vancouver, Canada
 

Dave Patrick

Just unbind 'File and Printer Sharing' for the network connection.

--
Regards,

Dave Patrick ....Please no email replies - reply in newsgroup.
Microsoft Certified Professional
Microsoft MVP [Windows]
http://www.microsoft.com/protect

| Hi Everyone,
|
| I'd like to lock down a Windows 2000 Pro box on a LAN. It needs to be on
| the LAN to connect to the Internet, but that's it - It doesn't access any
| network resources and it doesn't provide any.
|
| I'd like no one else on the LAN to be able to connect to it, or ideally even
| see it.
|
| It strikes me that a simple way to do this would be to disable the SERVER
| service. Is this a good approach? Are there any other services I could /
| should disable? Or is my approach a bad one. The computer itself is
| physically secure in a locked office.
|
| Thanks in advance.
|
| Cheers,
| Geoff Glave
| geoff at glave dot org
| Vancouver, Canada
|
|
 

Analysis&Solutions

In said:
I'd like to lock down a Windows 2000 Pro box on a LAN. It needs to be on
the LAN to connect to the Internet, but that's it - It doesn't access any
network resources and it doesn't provide any.

http://www.blackviper.com/


Title: Windows 2000 Common Criteria Evaluated Configuration
Administrator's Guide
PDF:
http://www.microsoft.com/downloads/...2e-5738-443a-9832-81de1d228548&DisplayLang=en
HTML:
http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccadm/default.mspx


Title: Windows 2000 Security Configuration Guide
PDF:
http://www.microsoft.com/downloads/...d9-25c0-40f8-9ecc-b3f66179ce75&DisplayLang=en
HTML:
http://www.microsoft.com/technet/security/prodtech/windows2000/w2kccscg/default.mspx

--Dan
 

Steven L Umbach

Disabling unneeded services is always a good thing. Windows 2000 enables
quite a bit of services by default. You could use Microsoft Baseline
Security Analyzer to help determine unneeded services and review information
in the Windows 2000 Security Hardening Guide for more specifics on services.

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
http://www.microsoft.com/downloads/...86-A2C8-4C8F-A9D0-A0201F639A56&DisplayLang=en

Another thing I would do is to create an ipsec filtering policy via Local
Security Policy on that computer or install a software firewall to make sure
that it can access only the internet and the other network computers can not
access it. --- Steve

http://www.securityfocus.com/infocus/1559 --- example of ipsec filtering.
 

Art

Hi Everyone,

I'd like to lock down a Windows 2000 Pro box on a LAN. It needs to be on
the LAN to connect to the Internet, but that's it - It doesn't access any
network resources and it doesn't provide any.

I'd like no one else on the LAN to be able to connect to it, or ideally even
see it.

Follow my detailed instructions here:

http://www.claymania.com/windows2000-hardening.html

They are applicable to a situation where internet sharing only via a
router is desired.

Art

http://home.epix.net/~artnpeg
 

Karl Levinson, mvp

That's one possible step, but there are a lot of other steps I would
recommend as well. See the hardening checklists and Security Guides for
Windows 2000 Server at

www.microsoft.com/technet/security and
www.nsa.gov/snac

Note that disabling the server service would probably prevent you from
accessing Windows file shares like \\servername\c$ from other computers on
your network for administrative purposes, and may have other effects as well.
If that's a problem for you, it's probably as effective to leave the Server
service running but use a firewall, IPSec or some other form of TCP/IP
filtering to control what IP addresses can connect to the Netbios ports on
your server.
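
A way to check the result of the steps suggested in this thread, as an added example that is not part of any poster's message: it parses `netstat -an` output captured on the Windows 2000 machine and lists the Windows networking ports that are still listening on a LAN-facing address. The sample output, the addresses in it and the function name are constructed for illustration.

```python
"""Added example: flag LAN-facing Windows networking listeners in `netstat -an` output."""

# Well-known ports behind the services discussed in the thread.
WATCHED = {
    ("TCP", 135): "RPC endpoint mapper",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("TCP", 139): "NetBIOS session service (file and printer sharing)",
    ("TCP", 445): "microsoft-ds (SMB without NetBIOS)",
    ("UDP", 445): "microsoft-ds",
}

# Constructed sample in the layout Windows netstat prints; not taken from a real host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:1025           0.0.0.0:0              LISTENING
  TCP    192.168.1.20:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.20:1050      203.0.113.5:80         ESTABLISHED
  UDP    0.0.0.0:445            *:*
  UDP    192.168.1.20:137       *:*
  UDP    192.168.1.20:138       *:*
"""


def exposed_listeners(netstat_text):
    """Return (proto, address, port, description) for watched non-loopback listeners."""
    findings = []
    for line in netstat_text.splitlines():
        fields = line.split()
        if len(fields) < 3 or fields[0] not in ("TCP", "UDP"):
            continue  # header, blank line, or unrelated text
        proto, local = fields[0], fields[1]
        # TCP rows count only in LISTENING state; UDP rows have no state column.
        if proto == "TCP" and (len(fields) < 4 or fields[3] != "LISTENING"):
            continue
        addr, _, port = local.rpartition(":")
        if not port.isdigit() or addr.startswith("127."):
            continue  # unparsable row, or bound to loopback only
        key = (proto, int(port))
        if key in WATCHED:
            findings.append((proto, addr, int(port), WATCHED[key]))
    return findings


if __name__ == "__main__":
    for proto, addr, port, what in exposed_listeners(SAMPLE_NETSTAT):
        print(f"{proto} {addr}:{port}  {what}")
```

netstat only reports what the machine itself is listening on; a port blocked by an IPSec filter or a software firewall still appears in this list, so filtering has to be confirmed by trying to connect from another host on the LAN.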
 

Tom Che [MSFT]

Hi Geoff,

Thank you for posting here!

I notice that you have posted the same question in our
microsoft.public.win2000.networking newsgroup, to which I have already
responded. Please check my answer there, and if you need any further
assistance on this particular issue please reply to me in that thread so I
can follow up with you. In the future, please don't cross-post the same
question in multiple newsgroups. This will help our engineers work on your
question more efficiently. Your understanding and cooperation is
appreciated.

For your convenience, I have included my reply as follows:

------------------
Hi Geoff,

Thanks for posting here. Also thanks for all guys' wonderful replies.

Geoff, from your post, my understanding of this issue is: You want to know
how to lock down a computer in a LAN, and it needs to be on the LAN to
connect to the Internet, but it doesn't access any network resources and it
doesn't provide any. If this is not correct, please feel free to let me
know.

If all you need is just what you mentioned, I think both your approach (disable
Server service) and unbinding 'File and Printer Sharing' as Dave mentioned
are simple and acceptable ideas. Of course, other guys' suggestions may
make this machine safer. However, I would remind you to avoid the security
risk from Internet. A set of effective and strong Firewall software or
settings on the server side or the client side may be helpful.

Hope this helps!
------------------

Thank you and have a nice day!

Sincerely,
Tom Che
Microsoft Online Partner Support
Get Secure! - www.microsoft.com/security

=====================================================
When responding to posts, please "Reply to Group" via your newsreader so
that others may learn and benefit from your issue.
=====================================================
This posting is provided "AS IS" with no warranties, and confers no rights.

--------------------
 
