CIS Windows NT/2000 Benchmarks

by Ryan Smith

The Center for Internet Security has compiled an excellent security benchmark
for locking down and testing the security of Windows NT 4.0 and Windows 2000
workstations and servers. The entire benchmark package consists of three primary
benchmarks: a Level I benchmark for Windows NT 4.0 Workstations and Servers,
a second Level I benchmark for Windows 2000 Professional and Servers, and a Level
II consensus baseline for Windows 2000 Professional.

The Level I benchmarks establish the minimum security configuration recommendations,
while the Level II consensus baseline is a compilation of content from the National
Security Agency (NSA), the Defense Information Systems Agency (DISA), the National
Institute of Standards and Technology (NIST), the General Services Administration
(GSA), the SANS Institute, and the staff and members of the Center for Internet Security
(CIS).

Windows NT 4.0/Windows 2000 Level I Benchmark

The Level I benchmarks establish the minimum security configuration for the respective
operating system. The Level I benchmark is designed to be applied to a clean
install of the operating system and to satisfy three primary conditions: 1) any administrator,
regardless of technical skill, can apply them; 2) they typically “do no harm” to any system functionality required by end users; and 3) an associated software tool can score them.

Windows 2000 Professional Level II Consensus Benchmark

The Level II Consensus Benchmark is an extension of the Level I Benchmarks; however, it
is designed specifically for Windows 2000 Professional. The Level II consensus benchmark
has security configurations that affect the overall operation of Windows 2000. Extreme
care must be taken before applying this benchmark as it can cause all shared resources to
be removed and network access to be disabled.

Windows Security Scoring Tool

The CIS Windows Security Benchmarks specify the baseline minimum level of security that
should be applied to a Windows computer. The CIS Windows Security Scoring Tool
allows you to score your computer against the baselines to determine your level
of security. A default installation of Windows will produce an overall score of zero,
while full compliance with all of the recommendations from the CIS Windows Security
tools will produce an overall score of 10.

Scoring the security level of a specific Windows computer allows you to know your specific level of readiness before you are attacked. Of course, as always, Windows security benchmarks only allow you to lock down and be protected from currently known vulnerabilities and problems. This is one of the primary reasons why security is not a “set-it and forget-it” type of environment; it’s a continually changing and updating process that requires administrators to stay on top of the latest information.

Security Templates

The benchmark package includes several security templates. These security templates can be applied to a Windows NT/2000 workstation or server, and the configuration settings from the security template will be applied to the destination operating system. There are two primary methods used to apply a security template to a Windows workstation:

  • Group Policy — Using W2K’s Group Policy, you can specify the security template in
    Group Policy so that either all systems in a domain or a specific subset
    of systems in a domain receive the security template.
  • Local Security Policy — This security policy is applied locally to a specific
    individual machine and is typically overwritten by a Domain-based Group
    Policy when the machine joins a Windows 2000 domain.
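To show what checking a machine against a security template involves, here is an added example (not part of the original article and not the CIS scoring tool) that compares a template with an export of the machine's current settings in the same .inf format, such as one produced with `secedit /export`. The sample settings and the proportional 0-10 scale are assumptions made for illustration.

```python
import configparser

# Constructed sample in security-template (.inf) syntax; not a real CIS template.
TEMPLATE_INF = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
LockoutBadCount = 3
[Event Audit]
AuditLogonEvents = 3
[Version]
signature="$CHICAGO$"
"""

# Constructed sample of a machine's exported settings; LockoutBadCount is absent.
EXPORTED_INF = """\
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 0
"""

SKIP_SECTIONS = {"Unicode", "Version"}  # file metadata, not settings


def parse_inf(text):
    """Return {(section, setting): value} for every setting in the text."""
    cp = configparser.ConfigParser(interpolation=None, delimiters=("=",), strict=False)
    cp.optionxform = str  # keep setting names case-sensitive as written
    cp.read_string(text)
    return {(s, k): v for s in cp.sections() if s not in SKIP_SECTIONS
            for k, v in cp[s].items()}


def compare(template_text, exported_text):
    """List settings that differ from the template and a 0-10 compliance score."""
    wanted, actual = parse_inf(template_text), parse_inf(exported_text)
    findings = [(s, k, want, actual.get((s, k)))  # None: not set on the machine
                for (s, k), want in sorted(wanted.items())
                if actual.get((s, k)) != want]
    passed = len(wanted) - len(findings)
    # Assumed scale: share of template settings matched, times 10.
    score = round(10 * passed / len(wanted), 1) if wanted else 0.0
    return findings, score


if __name__ == "__main__":
    findings, score = compare(TEMPLATE_INF, EXPORTED_INF)
    for section, name, want, have in findings:
        print(f"[{section}] {name}: template={want} machine={have}")
    print(f"score: {score}/10")
```

Template files are typically saved as Unicode (UTF-16), so decode them before passing the text in. The comparison is an exact match, so a value stricter than the template is reported as a difference too.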

Security Templates Included:

Center for Internet Security (CIS)
  • Windows 2000 Level I
  • Windows NT 4.0 Level I
  • Windows 2000 Professional Level II

National Security Agency (NSA)
  • Microsoft ISA Server 2000
  • Windows NT 4.0 Backup Domain Controller
  • Windows NT 4.0 with Exchange Server
  • Windows NT 4.0 Member Server
  • Windows NT 4.0 Primary Domain Controller
  • Windows NT 4.0 Workstation
  • Windows 2000 Domain Controller
  • Windows 2000 Domain Policy
  • Windows 2000 Server
  • Windows 2000 Workstation

National Institute of Standards and Technology (NIST)
  • Windows 2000 Professional Domain Member
  • Windows 2000 Professional Standalone

Microsoft
  • Baseline Windows 2000
  • Baseline Windows 2000 Domain Controller

Summary

The CIS Windows NT/2K Benchmark is an extremely effective tool for administrators
to utilize to ensure that their systems are adequately secured. At a minimum, the
Level I benchmark should be applied to each and every NT/2000 system. In addition,
the Level II consensus benchmark should be reviewed extensively to determine if
it would be effective at securing Windows 2000 Professional workstations without
causing any problems for your particular environment.

Note: The current version of the W2K Benchmark does NOT include support for Windows
2000 Service Pack 3. CIS is currently updating the benchmark and will release a new
version to support SP3 shortly.

To get more information about the Windows NT/2K benchmarks or to download a copy,
visit the Center for Internet Security at http://www.cisecurity.org.
