Securing Windows NT/2000 Servers for the Internet: A Checklist for System Administrators


In recent years, Windows NT and Windows 2000 systems have emerged as viable platforms for Internet servers. More and more organizations are now entrusting the full spectrum of business activities, including e-commerce, to Windows. Unfortunately, the typical Windows NT/2000 installation makes a Windows server an easy target for attacks, and configuring Windows for secure Internet use is a complex task. Securing Windows NT/2000 Servers for the Internet suggests a two-part strategy to accomplish the task:

  • "Hardening" any Windows server that could potentially be exposed to attacks from the Internet, so the exposed system (known as a "bastion host") is as secure as it can be.
  • Providing extra security protection for exposed systems by installing an additional network (known as a "perimeter network") that separates the Internet from an organization's internal networks.
Securing Windows NT/2000 Servers for the Internet is a concise guide that pares down installation and configuration instructions into a series of checklists aimed at Windows administrators. Topics include:
  • Introduction—Windows NT/2000 security threats, architecture of the Windows NT/2000 operating system and typical perimeter networks.
  • How to build a Windows NT bastion host.
  • Configuring Windows and network services, encrypting the password database, editing the registry, setting system policy characteristics, performing TCP/IP configuration, configuring administrative tools, and setting necessary permissions.
  • Differences between Windows NT and Windows 2000 security including IPSec (IP Security Protocol) configuration.
  • Secure remote administration—SSH, OpenSSH, TCP Wrappers, the Virtual Network Console, and the new Windows 2000 Terminal Services.
  • Windows NT/2000 backup, recovery, auditing, and monitoring—event logs, the audit policy, time synchronization with NTP (Network Time Protocol), remote logging, integrity checking, and intrusion detection.
Administrators who carefully follow the detailed instructions provided in this book will dramatically increase the security of their Windows NT/2000 Internet servers.

In recent years, Windows NT and 2000 systems have emerged as viable platforms for Internet servers, but securing Windows for Internet use is a complex task. This concise guide simplifies the task by paring down installation and configuration instructions into a series of security checklists for security administration, including hardening servers for use as "bastion hosts," performing secure remote administration with OpenSSH, TCP Wrappers, VNC, and the new Windows 2000 Terminal Services.


Editorial Reviews

From The Critics
Securing Windows NT/2000 Servers For The Internet, by Stefan Norberg, is designed to assist experienced users of Windows NT/2000 in protecting their computers from Internet intrusion, sabotage, information theft, and other unwanted encroachments. Very highly recommended for systems administrators and for non-specialist general users concerned with security issues, Securing Windows NT/2000 Servers For The Internet comprehensively covers every aspect of building Windows 2000 security systems.

Product Details

  • ISBN-13: 9781565927681
  • Publisher: O'Reilly Media, Incorporated
  • Publication date: 11/28/2000
  • Edition number: 1
  • Pages: 216
  • Product dimensions: 7.03 (w) x 9.19 (h) x 0.58 (d)

Meet the Author

Stefan Norberg is an independent network security consultant based in Stockholm, Sweden. Before becoming an independent contractor, he worked for Hewlett-Packard Consulting, where he built everything from large firewalls to highly available Unix clusters. During the last couple of years, he has spent most of his time designing and implementing Internet firewalls using building blocks like Cisco IOS, HP-UX, Linux, and Windows NT/2000. Every now and then, he enjoys teaching Windows NT/2000 classes. Stefan is an MCSE+Internet and Microsoft Certified Trainer. When he finds spare time, Stefan enjoys spending it with his wife Marianne and daughter Matilda.


Read an Excerpt

Chapter 1: Windows NT/2000 Security

Hardening the Bastion Host

Microsoft's success in the network operating system market is largely because its products are so easy to use. The Windows server version has the familiar user interface that almost all office workers use every day. It's easy to get started, and you don't need in-depth knowledge of the operating system to install a Windows NT/2000 server. Most components are configured and started automatically, just as they are in the consumer Windows 95/Windows 98 operating system. These characteristics are attractive for an internal file and print server that isn't exposed to direct attack. However, you want something quite different for an external web server that serves the organization's customers and partners over the Internet. A system exposed in this way should provide a minimum of services and needs to be properly configured to ensure a higher level of security. As I mentioned earlier in this chapter, a system configured in this manner is referred to as a bastion host.

Basically, a bastion host is a computer system that is a critical component in a network security system, and one that is exposed to attack. Examples of bastion hosts are firewall gateways, web servers, FTP servers, and Domain Name Service (DNS) servers. Because bastion hosts are so important--and so vulnerable--such systems must be highly fortified. You must pay special attention to fortifying (i.e., establishing the maximum possible security for) the bastion host during both initial construction and ongoing operation.

Why are such systems called bastion hosts? The American Heritage Dictionary defines a bastion as:

  1. A projecting part of a rampart or other fortification.
  2. A well-fortified position or area.
  3. Something regarded as a defensive stronghold.

Marcus J. Ranum is generally credited with applying the term bastion to hosts that are exposed to attack, and with the popularization of the term in the firewall community. In "Thinking About Firewalls V2.0: Beyond Perimeter Security"[6] he wrote:

Bastions are the highly fortified parts of a medieval castle; points that overlook critical areas of defense, usually having stronger walls, room for extra troops, and the occasional useful tub of boiling hot oil for discouraging attackers. A bastion host is a system identified by the firewall administrator as a critical strong point in the network's security. Generally, bastion hosts will have some degree of extra attention paid to their security, may undergo regular audits, and may have modified software.

Bastion hosts are not general-purpose computing resources. They differ in both their intent and their specific configuration. The process of configuring or constructing a bastion host is often referred to as hardening.

The effectiveness of a specific bastion host configuration can usually be judged by answering two questions:

  • How does the bastion host protect itself from attack?
  • How does the bastion host protect the network behind it from attack?

Chapter 2, Building a Windows NT Bastion Host, and Chapter 3, Building a Windows 2000 Bastion Host, provide detailed instructions for building a bastion host, using Windows NT and Windows 2000 respectively.

Exercise extreme caution when installing software on bastion hosts. Very few software products have been designed and tested to run safely on these exposed systems. For a thorough treatment of bastion hosts, and on firewalls in general, I recommend reading Building Internet Firewalls, Second Edition.
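As an added example (not code from the book or its author), the following Python script answers the first of the two questions above for a web bastion host: it parses the output of the Windows `netstat -an` command and reports every socket that is reachable from the network but not on the host's published-service allowlist. The netstat text, the allowlist and the port annotations are constructed for illustration; on a real host you would feed it the live `netstat -an` output instead.

```python
"""Audit the listening sockets of a bastion host against a port allowlist.

Input is the text format of Windows `netstat -an` (Windows NT 4.0 and 2000
print Proto / Local Address / Foreign Address / State columns).
"""
from dataclasses import dataclass
import re

# Constructed sample resembling `netstat -an` on a Windows 2000 web server
# with default components still installed. Not captured from a real host.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:443            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING
  TCP    192.168.1.10:80        10.0.0.5:1034          ESTABLISHED
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    192.168.1.10:137       *:*
  UDP    192.168.1.10:138       *:*
"""

# The only services a web bastion host is meant to publish (assumed policy).
WEB_BASTION_ALLOWLIST = {("TCP", 80), ("TCP", 443)}

# Well-known Windows NT/2000 default listeners that a bastion host should not expose.
KNOWN_DEFAULTS = {
    ("TCP", 135): "RPC endpoint mapper",
    ("TCP", 139): "NetBIOS session service (SMB over NetBIOS)",
    ("TCP", 445): "SMB over TCP (Windows 2000)",
    ("UDP", 137): "NetBIOS name service",
    ("UDP", 138): "NetBIOS datagram service",
    ("UDP", 161): "SNMP agent",
}

# Proto, local address:port, foreign address, optional state (absent for UDP).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)(?:\s+(\S+))?\s*$")


@dataclass(frozen=True)
class Listener:
    proto: str
    address: str
    port: int


def parse_listeners(netstat_output):
    """Return the set of sockets that accept unsolicited traffic.

    A TCP socket counts only in LISTENING state (an ESTABLISHED row is a
    connection, not an exposure); every bound UDP socket counts, since UDP
    has no connection state to filter on.
    """
    listeners = set()
    for line in netstat_output.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header lines and blank lines
        proto, addr, port, _foreign, state = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        listeners.add(Listener(proto, addr, int(port)))
    return listeners


def is_loopback(address):
    """Sockets bound only to 127.x.x.x are not reachable from the wire."""
    return address.startswith("127.")


def exposed_services(netstat_output, allowlist):
    """Listeners reachable from the network that are not on the allowlist.

    Returns a list of (proto, port, address, note) tuples sorted by proto and port.
    """
    result = []
    for l in sorted(parse_listeners(netstat_output), key=lambda l: (l.proto, l.port)):
        if is_loopback(l.address):
            continue
        if (l.proto, l.port) in allowlist:
            continue
        note = KNOWN_DEFAULTS.get((l.proto, l.port), "unexpected listener")
        result.append((l.proto, l.port, l.address, note))
    return result


if __name__ == "__main__":
    for proto, port, addr, note in exposed_services(SAMPLE_NETSTAT, WEB_BASTION_ALLOWLIST):
        print(f"{proto:3} {addr}:{port:<5} {note}")
```

On the constructed sample the script flags the RPC endpoint mapper, the NetBIOS and SMB listeners and the SNMP agent, while leaving the published HTTP/HTTPS listeners, the established client connection and the loopback-only socket alone. Binding a service to the loopback address is a legitimate way to keep it off the wire, which is why the check keys on the bound address rather than on the port alone.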

Configuring the Perimeter Network

No matter how carefully you configure your bastion host to withstand direct attacks, you can't be entirely confident about its security. Most software code has bugs in it, and therefore all systems potentially have undiscovered security vulnerabilities. For this reason, it's important to provide extra layers of security for systems that are as exposed and as vulnerable as bastion hosts.

A common way to protect exposed servers on the Internet is to implement some kind of network-based access control mechanism that serves as extra protection for the bastion hosts. One such very effective mechanism is provided by a perimeter network. A perimeter network is a network that connects your private internal network to the public Internet or another untrusted network. This makes the perimeter network very important from a security standpoint. The purpose of this network is to serve as a single point of access control. All components in a perimeter must act in concert to implement a site's firewall policy. In other words, the perimeter network is a firewall system.

The perimeter network is a key part of the architecture of many current Internet sites. The reasons are partly historical. When the Internet took off commercially, many companies wanted to get on the Net to do business. The first step was often simply to publish product information on a web server. These web servers typically contained only static information, and thus didn't need to be connected to the internal network. With the advent of e-commerce, such web servers had to be connected in some way both to the clients on the Internet and to the legacy systems on the internal network -- for example, to process orders and check the availability of products.

Many companies now faced the requirement to connect their internal networks to the Internet--and to the accompanying security risks. Since the Internet could not be trusted for obvious reasons, there was an increasing need for company-controlled networks that could act as secured perimeters...


Table of Contents

Contents of This Book;
Conventions Used in This Book;
Free Software Described in This Book;
Comments and Questions;
Chapter 1: Windows NT/2000 Security;
1.1 Internet Threats;
1.2 Building a Secure Site on the Internet;
1.3 The Windows NT/2000 Architectures;
1.4 Windows NT/2000 in the Perimeter Network;
1.5 Cryptography Basics;
Chapter 2: Building a Windows NT Bastion Host;
2.1 Installation;
2.2 Using the Security Configuration Editor;
2.3 Basic Configuration;
2.4 Advanced Configuration;
2.5 Setting System Policies;
2.6 TCP/IP Configuration;
2.7 Configuring Administrative Tools and Utilities;
2.8 Setting Permissions;
Chapter 3: Building a Windows 2000 Bastion Host;
3.1 Differences Between the Systems;
3.2 IPSec in Windows 2000;
Chapter 4: Setting Up Secure Remote Administration;
4.1 Symantec pcAnywhere;
4.2 Windows 2000 Terminal Services;
4.3 Open Source (SSH, Cygwin, TCP Wrappers, and VNC);
Chapter 5: Backing Up and Restoring Your Bastion Host;
5.1 Defining Your Backup Policy;
5.2 Backup Methods;
5.3 Types of Backups;
5.4 Backup Software;
Chapter 6: Auditing and Monitoring Your Perimeter Network;
6.1 System Auditing in Windows;
6.2 Time Synchronization Using NTP;
6.3 Remote Logging and Log Management;
6.4 Integrity Checking;
6.5 Network-Based Intrusion Detection Systems;
Chapter 7: Maintaining Your Perimeter Network;
7.1 Setting Up Policies and Procedures;
7.2 Performing Third-Party Audits;
7.3 Staying Informed;
Well-Known Ports Used by Windows NT/2000;
Security-Related Knowledge Base Articles;
Build Instructions for OpenSSH on Cygwin;

