One of the most important tasks you can perform after a migration is a security sweep of the migrated environment. In this lesson, you'll examine a tool that analyzes Windows 2000 security vulnerabilities in a post-migration environment.
After this lesson, you will be able to
Estimated lesson time: 25 minutes
Windows 2000 includes many additional components for securing an environment. However, these aren't installed automatically. In earlier chapters, you saw how the actual migration could weaken security; for example, RRAS security could potentially be weakened during an upgrade. An essential post-migration exercise is to run some type of security scanner to ensure that your Windows 2000 network has no obvious loopholes. This scan should be in addition to using ADMT, covered in Lesson 1, because ADMT focuses predominantly on DACLs.
For example, ADMT wouldn't detect that the last user name is displayed on all domain controllers. This can be a security problem because an unauthorized person accessing the network will then have a valid user name as a starting point in attempting to log on. On a domain controller, this name is likely to be part of the Administrators group. The unauthorized person then needs only to successfully guess the password for the account to break into your Windows 2000 network.
NOTE
To correct this security problem, open Domain Controller Security Policy from the Administrative Tools folder. Expand the tree through Security Settings, Local Policies, to Security Options. There, you can enable the Do Not Display Last User Name In Logon Screen setting and many other useful security settings for your domain controllers.
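To confirm the setting on every domain controller rather than one at a time, the following added example (not part of the original lesson) audits security templates exported from each machine, for instance with `secedit /export`. It assumes the setting appears in the template's `[Registry Values]` section as `MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1`; the host names and template contents are constructed samples.

```python
import re

# Assumed location of the "Do Not Display Last User Name" policy in an
# exported template's [Registry Values] section (type 4 = REG_DWORD).
KEY = (r"machine\software\microsoft\windows\currentversion"
       r"\policies\system\dontdisplaylastusername")

def last_user_name_hidden(template_text):
    """Return True/False for the setting, or None if the template omits it."""
    section = None
    for raw in template_text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):      # blank line or comment
            continue
        header = re.fullmatch(r"\[(.+)\]", line)
        if header:
            section = header.group(1).strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().strip('"').lower() != KEY:
            continue
        parts = [p.strip().strip('"') for p in value.split(",")]
        # Expect "<type>,<data>"; anything other than DWORD 1 is not enabled.
        return len(parts) == 2 and parts[0] == "4" and parts[1] == "1"
    return None

def audit(templates):
    """Map each host to 'ok', 'exposed' or 'not defined' (needs a manual check)."""
    labels = {True: "ok", False: "exposed", None: "not defined"}
    return {host: labels[last_user_name_hidden(text)]
            for host, text in templates.items()}

# Constructed sample templates for three hypothetical domain controllers.
_PATH = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
         r"\Policies\System\DontDisplayLastUserName")
SAMPLES = {
    "DC-A": "[Unicode]\nUnicode=yes\n[Registry Values]\n" + _PATH + "=4,1\n",
    "DC-B": "[Registry Values]\n" + _PATH + "=4,0\n",
    "DC-C": "[System Access]\nMinimumPasswordLength = 8\n",
}

if __name__ == "__main__":
    for host, state in sorted(audit(SAMPLES).items()):
        print(f"{host}: {state}")
```

A host reported as "not defined" has no explicit value in its template, so check it by hand in Security Options.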
In this practice, you'll use the Internet Security Systems Scanner to check your Windows 2000 system environment for vulnerabilities. This product should be installed on a Windows 2000 workstation in a real-world environment; however, on the small test network, you'll use TRAINKIT1 (PC1).
You'll see a warning telling you that you should install the scanner on a workstation.
Files will be copied, followed by a warning message about Internet Scanner affecting server performance, as shown in Figure 10.16.
Figure 10.16 Internet Scanner warning message
Finally, the installation will ask if you'd like to view the Readme file.
The ISS Internet Scanner dialog box will appear.
In this lesson, you learned how important it is to scan your Windows 2000 systems after a migration because of potential vulnerabilities opened by the migration. You also learned to use a third-party security scanning utility.