Chapter 3 - Operating System Installation
This section provides the initial installation procedures for the Windows 2000 family of operating systems.
On This Page
Preparing for Installation
Windows 2000 Installation Process
Choosing Good Passwords
Windows 2000 Service Pack Considerations
Preparing for Installation
During installation, the Setup program asks for information on how to install and configure Windows 2000. Prepare for the installation by collecting hardware information and making configuration decisions before starting Setup. The following checklist lists the information that should be defined beforehand.
Table 3.1 Windows 2000 Pre-Installation Checklist
Hardware Compatibility: Review all hardware to ensure compatibility with the Windows 2000 operating system. Hardware components include: Motherboard, network adapters, video card, sound card, CD-ROM drives, etc. The Windows 2000 Hardware Compatibility List (HCL) can be found at:
Disk Space: Ensure the system has sufficient disk space. The minimum disk space recommended for installation of Windows 2000 is 2 gigabytes (GB).
Disk Partitions: Determine disk-partitioning requirements, keeping in mind the minimum disk space recommendations for installation of the Windows 2000 operating system.
File System: The file system must be NTFS in order to allow configuration of security; FAT has no access control lists, so file and directory permissions cannot be set at all. A commonly held misconception is that a system running on a FAT partition is easier to recover. This is not true. FAT only makes the system less secure; it does not ease recovery.
Installation Method: Determine whether the Windows 2000 operating system will be installed from Setup boot disks, CD-ROM, or over-the-network.
Procedures provided in this document describe installations from boot disks or from CD-ROM.
Prior to installation, determine the services that will be required for the installed operating system. For server installations, considerations may include Active Directory, DNS, WINS, or DHCP.
Windows 2000 Installation Process
Windows 2000 can be installed as either an upgrade to an existing Windows operating system or as a new operating system installation. To ensure security Windows 2000 should be the only operating system on the computer and be installed on a clean partition. That is, any previous operating system must be wiped clean from all hard disk partitions within the computer prior to installing Windows 2000.
There are three methods available to install the Windows 2000 operating system:
Setup boot disks – This method is designed for legacy computers that cannot boot from CD-ROM. It is not discussed further.
Bootable CD-ROM – The method described in the remainder of this section.
Over-the-network – Discouraged except in environments where the network can be guaranteed to be non-hostile, since both the installation traffic and the partially configured system are exposed to that network.
Initiating the Installation from a Bootable CD-ROM
Using a bootable CD-ROM is the simplest and fastest method of installing Windows 2000. To ensure that the machine is not compromised during setup, however, it is highly recommended that it be disconnected from the network until setup is complete and the most recent service pack is installed.
Start Setup from a bootable CD-ROM as follows:
Insert the CD-ROM in the drive.
Restart the computer and wait for Setup to display a dialog box. On many computers you will be required to press any key during the boot process to boot from a CD-ROM.
Follow the Setup instructions on the screen.
In the remainder of this chapter, we will point out the most secure way of installing the system. This is not intended as a complete walk-through of the setup process.
Configuring Disk Partitions
During the initial text-mode setup of the system, setup will ask where to install Windows 2000. Figure 1 shows the dialog presented. If there are multiple partitions or multiple hard disks they will be identified in the display. The example in Figure 1 below shows a 40 Gigabyte Hard disk that is not partitioned. For security purposes, it is highly recommended that this dialog be used to delete all other operating system partitions from the system. For workstations, we recommend using all space on a disk for the installation partition. For servers, we recommend using about 4 GB of space on one disk for the operating system. The remaining space in the system should be reserved for data files, services, utilities and so on. We highly discourage storage of user data files on the boot partition on servers, while on workstations this is acceptable practice which makes it easier for users to locate their data.
Figure 1: Select a disk partition
The next step after creating the partition is to format it. For all systems where security is a requirement all partitions must be NTFS formatted. Only on systems using NTFS can any reasonable security be presumed.
Assign an Administrator account password
The Computer Name and Administrator Password dialog box shown in Figure 2 sets the password for the built-in Administrator account. Guidance on how to choose a good password is provided in section 3.3, Choosing Good Passwords. It is imperative that a strong password is set on the built-in Administrator account during setup; it is the only account on the system at that point and remains a target afterwards.
Figure 2: Computer Name and Administrator Password Dialog
Choose service components for Windows 2000 Server products
In the Windows 2000 Components dialog box, select the necessary components for the server being installed. This dialog box allows addition or removal of components during installation. The default configuration of Windows 2000 Professional is acceptable, but Windows 2000 Server needs to be modified during installation.
Several components should not be selected as they decrease the security of the system. These include the Simple TCP/IP Services, and the SNMP protocol.
For server installations, Indexing Service, Internet Information Service (IIS), and Script Debugger are selected for installation by default in the Windows 2000 Components dialog box. However, most systems do not need these components. On non-web servers IIS and the Script Debugger should be deselected. On systems that do not need file indexing for searching files, the Indexing Service should be deselected, as shown in Figure 3. Note that systems running Microsoft Exchange 2000 will need certain portions of IIS installed. However, security configuration of Exchange 2000 is beyond the scope of this guide. Please refer to the Security Operations Guide for Exchange 2000 Server for more information on Exchange 2000 Server:
Note that due to the prevalence of worms exploiting unsecured systems on most networks, it is highly recommended that systems running IIS be installed on an isolated network segment, or with no network cable attached, until Service Pack 3 or higher is installed.
Figure 3: Selecting Windows 2000 Components
Convert a Windows 2000 Server to a Domain Controller
To build a domain controller, first install one of the Windows 2000 Server family of products, then promote the system to a domain controller using the DCPromo.exe tool. During promotion, you are presented with a dialog labeled Permissions (see Figure 4). On this dialog, the radio button for pre-Windows 2000 compatible permissions is selected by default. When that option is chosen, the Everyone group becomes a member of the Pre-Windows 2000 Compatible Access group, and that group in turn has read access to the attributes of user and group objects throughout Active Directory. Because Everyone on Windows 2000 includes anonymous connections, this presents a serious potential for information leaks. On a system that has already been promoted, verify which option was chosen by checking the membership of the Pre-Windows 2000 Compatible Access group. If Everyone is a member of that group, remove it and then reboot all domain controllers; a reboot is necessary because the access token governing this access is built at boot time.
On new installations, where access by pre-Windows 2000 servers and clients (Windows NT 4.0 RAS servers, for example) is not a requirement, do not select the pre-Windows 2000 compatible option; choose the permissions compatible only with Windows 2000 servers instead. This is only the first example of an instance where security can be tightened significantly in the absence of backward compatibility.
Figure 4: Active Directory Permissions Dialog
Choosing Good Passwords
So much of system security is dependent on choosing good passwords. This topic is covered in detail in this section. In order to understand how to select good passwords on Windows 2000, however, a basic understanding of how the operating system stores passwords is required.
Windows 2000 Password Representations
By default, Windows 2000 will never store a clear-text user password. Rather, passwords are stored using two different password representations, commonly called "hashes." The reason for using two representations is for backward compatibility.
The LMHash, also known as the Lan Manager hash, is technically speaking not a hash at all. It is computed as follows:
Convert all lower case characters in the password to upper case
Pad the password with NULL characters until it is exactly 14 characters long
Split the password into two 7 character chunks
Use each chunk separately as a DES key to encrypt a specific string
Concatenate the two cipher texts into a 128-bit string and store the result
As a result of this algorithm, the LMHash is very easy to crack. First, a password of up to 14 characters is attacked as two independent 7-character chunks, and for a password of 7 characters or fewer the second chunk is the fixed value produced by the NULL key. Second, the entire lower-case character set can be ignored, because case was removed before hashing. Most password cracking tools therefore start by cracking the LMHash and then simply try every upper/lower-case combination of the alphabetic characters in the cracked password to recover the case-sensitive password. Note that in order to log on to a Windows 2000 system, whether remotely or locally, the case-preserved password is required.
The NTHash is also known as the Unicode hash, because it supports the full Unicode character set. It is calculated by taking the password, encoded as Unicode (UTF-16), and computing its MD4 digest; that 128-bit digest is stored. The NTHash is much more resistant to brute force attacks than the LMHash: it is case sensitive, is not split into chunks and can cover passwords of up to 127 characters, so exhaustive search takes several orders of magnitude longer than for the LMHash of the same password. It is still an unsalted, fast hash, however, so a weak password is recovered quickly by a dictionary attack regardless of representation.
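The two representations described above, as an added illustration in Python (not code from this guide). MD4 is implemented in the block because hashlib on modern OpenSSL builds often has no MD4; the DES step for the LMHash uses pycryptodome if it is installed and is skipped otherwise. The constant 8-byte plaintext "KGS!@#$%" is the string the text refers to as "a specific string". cp437 is assumed as the OEM code page, which in reality is locale dependent. The final function shows the cheap step crackers take after an LMHash falls: expanding the upper-case result into case-sensitive candidates for the NTHash.

```python
"""LM and NT password representations as Windows 2000 stores them (added example)."""
import itertools
import struct

try:
    from Crypto.Cipher import DES          # pycryptodome, optional
    HAVE_DES = True
except ImportError:
    HAVE_DES = False

LM_MAGIC = b"KGS!@#$%"   # the fixed 8-byte plaintext each LM half encrypts


def md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320)."""
    M = 0xFFFFFFFF
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & M
    def F(x, y, z): return (x & y) | (~x & z)
    def G(x, y, z): return (x & y) | (x & z) | (y & z)
    def H(x, y, z): return x ^ y ^ z
    h = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    msg = data + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64) + struct.pack("<Q", 8 * len(data))
    rounds = (
        (F, 0x00000000, (3, 7, 11, 19), range(16)),
        (G, 0x5A827999, (3, 5, 9, 13), (0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15)),
        (H, 0x6ED9EBA1, (3, 9, 11, 15), (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)),
    )
    for off in range(0, len(msg), 64):
        X = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = h
        for fn, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = rotl((a + fn(b, c, d) + X[k] + const) & M, shifts[i % 4])
                a, b, c, d = d, a, b, c
        h = [(x + y) & M for x, y in zip(h, (a, b, c, d))]
    return struct.pack("<4I", *h)


def nt_hash(password: str) -> str:
    """NTHash: MD4 over the UTF-16LE encoding of the password, unsalted."""
    return md4(password.encode("utf-16le")).hex().upper()


def lm_halves(password: str) -> tuple:
    """Steps 1-4 of the LM algorithm: OEM-encode, upper-case, NUL-pad to 14, split.
    cp437 stands in for the locale-dependent OEM code page (assumption)."""
    oem = password.encode("cp437").upper()      # bytes.upper() only touches a-z
    if len(oem) > 14:
        raise ValueError("passwords longer than 14 characters have no LMHash")
    oem = oem.ljust(14, b"\x00")
    return oem[:7], oem[7:]


def des_key_from_7(half: bytes) -> bytes:
    """Spread the 56 key bits over 8 bytes, leaving each byte's low (parity) bit 0."""
    n = int.from_bytes(half, "big")
    return bytes(((n >> (49 - 7 * i)) & 0x7F) << 1 for i in range(8))


def lm_hash(password: str) -> str:
    """Step 5: DES-encrypt LM_MAGIC under each half and concatenate (needs pycryptodome)."""
    if not HAVE_DES:
        raise RuntimeError("pycryptodome is required for the DES step")
    out = b"".join(DES.new(des_key_from_7(h), DES.MODE_ECB).encrypt(LM_MAGIC)
                   for h in lm_halves(password))
    return out.hex().upper()


def case_variants(cracked: str) -> list:
    """Every case-sensitive candidate for an upper-case password recovered from
    the LMHash: the cheap final step that yields the real (NT) password."""
    choices = [(c.upper(), c.lower()) if c.isalpha() else (c,) for c in cracked]
    return ["".join(p) for p in itertools.product(*choices)]


if __name__ == "__main__":
    pw = "Password1"                                   # constructed sample
    print("NT        ", nt_hash(pw))
    print("LM halves ", lm_halves(pw))                 # second half is 'D1' + five NULs
    print("LM halves of a 6-char password", lm_halves("secret"))   # second half all NUL
    if HAVE_DES:
        print("LM        ", lm_hash(pw))
    print(len(case_variants("PASSWORD1")), "case variants to try against the NTHash")
```

For a 7-character or shorter password the second half returned by lm_halves is seven NUL bytes, which is exactly why every such account shares the same second 8 bytes of LMHash; the case_variants count (2 to the power of the number of letters) is the entire remaining work once the LMHash has been cracked.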
What constitutes a good password?
There are some general guidelines for what constitutes a reasonable password:
Longer than 7 characters (otherwise the second half of the LMHash is an encryption using the NULL password)
Contains elements from at least three of the following four character sets:
Upper-case letters
Lower-case letters
Numerals
Non-alphanumeric characters
Does not contain any part of the user's name, user name, or any common word
This complexity is enforced by a password filter and can optionally be required through Group Policy (the Passwords must meet complexity requirements setting). Additionally, an administrator can customize the requirements by writing a custom password filter. Such a filter could, for example, reject passwords that contain the company name, or require additional complexity. For more information on how to write such a filter, refer to the section on Password Filters in the Microsoft Windows Software Development Kit, at https://msdn.microsoft.com/library/en-us/security/Security/password_filters.asp.
However, passwords that merely meet these rules are still often cracked quickly. There are several steps that can be taken to make a password harder to crack:
Use non-alpha numeric characters other than those from the "upper row." Upper row characters are those you type by holding down SHIFT and typing any number key. Most password crackers know that the upper row characters are the most common method to add entropy to a password and therefore start cracking with those.
Use ALT characters. ALT characters are those that you type by holding down the ALT key (the FN+ALT keys on a laptop) and typing a three or four digit number on the numeric keypad (the numeric overlay keypad on a laptop). Most password crackers are not capable of testing the vast majority of ALT characters.
Do not allow storage of the LMHash.
There are many ways to prevent storage of the LMHash. A system wide method will be discussed later in the section "Disable LMHash creation" in Chapter 5. However, the creation of an LMHash can be controlled on a per-account basis by constructing the password in certain ways.
First, if the password is longer than 14 characters, the system is unable to generate an LMHash. In Windows 2000, passwords can be up to 127 characters.
Second, if the password contains certain ALT characters, the system will also not be able to generate an LMHash. This latter point is tricky, because while some ALT characters significantly strengthen the password by removing the LMHash, others significantly weaken it since they are converted into a normal upper-case letter prior to storage. There are many characters, however, which will strengthen the password. Table 1 lists all the characters below 1024 which cause the LMHash not to be generated.
Table 1 ALT characters which cause the LMHash to disappear
In many environments the LMHash cannot be disabled system wide. This could be the case, for example, where the operating system is installed over the network by booting from a DOS disk: the DOS network client authenticates with the LM representation only and therefore requires the LMHash to be present, and DOS does not support ALT characters in passwords. While we recommend that LMHashes be disabled system wide wherever feasible, the techniques above can be used to strengthen individual passwords in all environments.
We particularly recommend using ALT characters on sensitive accounts such as service accounts and administrative accounts. In general, these accounts need greater protection than ordinary user accounts, and the users using them should be willing to use very complicated passwords. One caveat is that using ALT characters in a password does break the recovery console, however. This should be kept in mind before setting up passwords with ALT characters.
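The rules from this section (the complexity guidelines above, the upper-row caveat, and the two per-password ways of suppressing the LMHash) combined into one checker, as an added Python illustration. It is not the Windows password filter DLL the text refers to (a real filter is a DLL exporting PasswordFilter, registered under the Notification Packages value of the Lsa registry key); it only shows the logic such a filter would apply. The UPPER_ROW set assumes a US keyboard, cp437 stands in for the locale-dependent OEM code page, and Windows' best-fit mapping of some ALT characters to plain letters is not modelled, so the LMHash result is an approximation of the table in the guide rather than a reproduction of it. The sample passwords and user names are constructed.

```python
"""Password quality check following this section's guidance (added example)."""
import re

UPPER_ROW = set("!@#$%^&*()")   # SHIFT + number keys on a US keyboard (assumption)


def lm_hash_suppressed(password: str, oem_codepage: str = "cp437") -> bool:
    """True when Windows would store no LMHash for this password: more than 14
    characters, or a character the OEM code page cannot represent.
    cp437 is an assumption; the real OEM code page depends on the locale."""
    if len(password) > 14:
        return True
    try:
        password.encode(oem_codepage)
    except UnicodeEncodeError:
        return True
    return False


def check_password(password: str, username: str, full_name: str = "") -> list:
    """Return the rules the password fails; an empty list means it passes."""
    findings = []
    if len(password) <= 7:
        findings.append("7 or fewer characters: the second LMHash half is the "
                        "constant produced by the NULL key")
    classes = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),
    )
    if sum(classes) < 3:
        findings.append("fewer than three of: upper case, lower case, numerals, "
                        "non-alphanumeric characters")
    low = password.lower()
    # account name plus any token of the full name of 3+ characters, as the
    # built-in filter does; deduplicated while keeping order
    tokens = [t.lower() for t in re.split(r"[\s,.\-_#]+", full_name) if len(t) >= 3]
    for name in dict.fromkeys([username.lower()] + tokens):
        if name and name in low:
            findings.append(f"contains part of the user's name: {name!r}")
    specials = [c for c in password if not c.isalnum()]
    if specials and all(c in UPPER_ROW for c in specials):
        findings.append("all non-alphanumerics are upper-row characters, "
                        "which crackers try first")
    if not lm_hash_suppressed(password):
        findings.append("an LMHash will be stored: use more than 14 characters "
                        "or an ALT character outside the OEM code page")
    return findings


if __name__ == "__main__":
    # constructed samples: weak, policy-compliant but LM-crackable, ALT-character, long
    for pw in ("jdoe2000", "Password1!", "Pa55w\u20acr4d!", "Correct-Horse-Battery-9"):
        print(pw, "->", check_password(pw, "jdoe", "John Doe") or "ok")
```

"Password1!" passes the three-of-four rule yet still gets two findings: its only special character is an upper-row one, and at 10 characters an LMHash is stored. "Pa55w\u20acr4d!" (the \u20ac is ALT+0128, the euro sign) passes because that character has no cp437 mapping, which is the effect the ALT-character advice above relies on.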
Windows 2000 Service Pack Considerations
Windows 2000 Service Pack 2 and later support high encryption (128-bit) by default and automatically upgrade the operating system from standard encryption (56-bit) if it has not been upgraded already. It is not possible to disable or uninstall this feature. If the Service Pack is removed after installation, the operating system continues to use 128-bit encryption; it does not revert to 56-bit encryption.
There is, however, one exception to this. The Protected Store is a data store introduced with Internet Explorer 4.0. The Protected Store is in the process of being deprecated in favor of the Data Protection API. However, by default, data in the Protected Store, such as IE usernames and passwords, are protected using weak encryption, and this encryption is not upgraded during the service pack installation. To upgrade the encryption on the Protected Store, you must run the following command after installing Service Pack 2 or higher:
keymigrt.exe -m
The keymigrt.exe utility takes the following switches; run it with -s first to see the current state without changing anything:
keymigrt [-f] [-e] [-v] [-u] [-m] [-s]
CAPI Key upgrade utility
-f Force key upgrade
-e Force Encryption Settings upgrade
-v Verbose
-u Allow upgrade of UI protected keys
-m Upgrade machine keys
-s Show current state, but make no modifications
For more information on keymigrt.exe and to download the tool, consult Microsoft Security Bulletin MS00-032 at https://www.microsoft.com/technet/security/bulletin/ms00-032.mspx.
Recommended Actions Prior to Installing Service Pack and Hotfix Updates
Before installing any Service Pack or Hotfix updates:
Close all applications.
Update the Emergency Repair Disk (ERD):
Click Start, point to Programs, point to Accessories, point to System Tools, and then select Backup.
On the Welcome tab, click Emergency Repair Disk.
In the Emergency Repair Diskette window, choose Also back up the registry to the repair directory to save the current registry files in a folder called \RegBack within the %systemroot%\Repair folder. This is useful if there is a need to recover the system in the event of a failure.
Click OK to create the ERD.
When the ERD is created, the following files are copied from the %systemroot%\Repair folder to the floppy disk:
A copy of %systemroot%\System32\Autoexec.nt, which is used to initialize the MS-DOS environment.
A copy of the %systemroot%\System32\Config.nt, which is used to initialize the MS-DOS environment.
A log of which files were installed and of Cyclic Redundancy Check (CRC) information for use during the emergency repair process. This file has the read-only, system, and hidden attributes, and it is not visible unless the computer has been configured to show all files.
Perform a full backup of the computer, including the Registry files.
Verify available disk space with update requirements, which are generally found in the corresponding Readme file.
If recent changes were made to the system it may be necessary to restart the computer prior to installing a Service Pack update.
Installing Service Pack and Hotfix Updates
Windows 2000 Service Pack 3 can be installed from a Service Pack CD, from a network drive, or from the Windows 2000 Service Pack Web site at:
Detailed procedures for each installation method can be found in the Service Pack readme file. During installation, the Service Pack program installs its files on the computer and automatically backs up the files and settings it changes, saving them in a $NTServicepackUninstall$ folder within the %systemroot% folder.