by Ryan Smith
The Center for Internet Security has compiled an excellent security benchmark
for locking down and testing the security of Windows NT 4.0 and Windows 2000
workstations and servers. The entire benchmark package consists of three primary
benchmarks: a Level I benchmark for Windows NT 4.0 Workstations and Servers,
a second Level I benchmark for Windows 2000 Professional and Servers, and a Level
II consensus baseline for Windows 2000 Professional.
Ryan Smith’s latest article takes a look at the Center for Internet Security’s security benchmark for locking down and testing the security of Windows NT 4.0 and Windows 2000 workstations and servers.
The Level I benchmarks establish the minimum security configuration recommendations,
while the Level II consensus baseline is a compilation of content from the National
Security Agency (NSA), the Defense Information Systems Agency (DISA), The National
Institute of Standards and Technology (NIST), the General Services Administration
(GSA), the SANS Institute, and the staff and members of the Center for Internet Security
Windows NT 4.0/Windows 2000 Level I Benchmark
The Level I benchmarks establish the minimum security configuration for the respective
operating system. The Level I benchmark is designed to be implemented to a clean
install of the operating system and is also designed to satisfy three primary conditions: 1) Any administrator
regardless of technical skill can apply them, 2) they typically “do no harm” to any system functionality required by end users, and 3) an associated software tool can score them.
Windows 2000 Professional Level II Consensus Benchmark
The Level II Consensus Benchmark is an extension of the Level I Benchmarks; however, it
is designed specifically for Windows 2000 Professional. The Level II consensus benchmark
has security configurations that affect the overall operation of Windows 2000. Extreme
care must be taken before applying this benchmark as it can cause all shared resources to
be removed and network access to be disabled.
Windows Security Scoring Tool
The CIS Windows Security Benchmarks specify the baseline minimum level of security that
should be applied to a Windows computer. The CIS Windows Security Scoring Tool
allows you to score your computer against the baselines to determine your level
of security. A default installation of Windows will produce an overall score of zero,
while full compliance with all of the recommendations from the CIS Windows Security
tools will produce an overall score of 10.
Scoring the security level of a specific Windows computer allows you to know your specific level of readiness before you are attacked. Of course, as always, Windows security benchmarks only allow you to lock down and be protected from currently known vulnerabilities and problems. This is one of the primary reasons why security is not a “set-it and forget-it” type of environment; it’s a continually changing and updating process that requires administrators to stay on top of the latest information.
The benchmark package includes several security templates. These security templates can be applied to a Windows NT/2000 workstation or server, and the configuration settings from the security template will be applied to the destination operating system. There are two primary methods used to apply a security template to a Windows workstation:
- Group Policy — Using W2K’s Group Policy, you can specify the security template in
Group Policy so that either all systems in a domain or a specific subset
of systems in a domain receive the security template.
- Local Security Policy — This security policy is applied locally to a specific
individual machine and is typically overwritten by a Domain-based Group
Policy when the machine joins a Windows 2000 domain.
Security Templates Included:
Center for Internet Security (CIS)
Windows 2000 Level I
Windows NT 4.0 Level I
Windows 2000 Professional Level II
National Security Agency (NSA)
Microsoft ISA Server 2000
Windows NT 4.0 Backup Domain Controller
Windows NT 4.0 with Exchange Server
Windows NT 4.0 Member Server
Windows NT 4.0 Primary Domain Controller
Windows NT 4.0 Workstation
Windows 2000 Domain Controller
Windows 2000 Domain Policy
Windows 2000 Server
Windows 2000 Workstation
National Institute of Standards and Technology (NIST)
Windows 2000 Professional Domain Member
Windows 2000 Professional Standalone
Baseline Windows 2000
Baseline Windows 2000 Domain Controller
The CIS Windows NT/2K Benchmark is an extremely effective tool for administrators
to utilize to ensure that their systems are adequately secured. At a minimum, the
Level I benchmark should be applied to each and every NT/2000 system. In addition,
the Level II consensus benchmark should be reviewed extensively to determine if
it would be effective at security Windows 2000 Professional workstations without
causing any problems for your particular environment.
Note: The current version of the W2K Benchmark does NOT include support for Windows
2000 Service Pack 3. CIS is currently updating the benchmark and will release a new
version to support SP3 shortly.
To get more information about the Windows NT/2K benchmarks or to download a copy,
visit the Center for Internet Security at