Lesson 6: Ensuring Security

One of the most important post-migration tasks you can perform is a security sweep of the migrated environment. In this lesson, you'll examine a tool that analyzes Windows 2000 security vulnerabilities in a post-migration environment.

After this lesson, you will be able to

  • Understand the need for a post-migration security analysis.
  • Install and use a security scanner.

Estimated lesson time: 25 minutes

Using a Security Scanner

Windows 2000 includes many additional components for securing an environment. However, these aren't installed automatically. In earlier chapters, you saw how the actual migration could weaken security; for example, RRAS security could potentially be weakened during an upgrade. An essential post-migration exercise is to run some type of security scanner to ensure that your Windows 2000 network has no obvious loopholes. This scan should be in addition to using the ADMT tool covered in Lesson 1 because ADMT focuses predominantly on DACLs.

For example, ADMT wouldn't detect that the last user name is displayed on all domain controllers. This can be a security problem because an unauthorized person accessing the network will then have a valid user name as a starting point in attempting to log on. On a domain controller, this name is likely to be part of the Administrators group. The unauthorized person then needs only to successfully guess the password for the account to break into your Windows 2000 network.


To correct this security problem, open Domain Controller Security Policy from the Administrative Tools folder. Expand the tree through Security Settings, Local Policies, to Security Options. There, you can enable the Do Not Display Last User Name In Logon Screen setting and many other useful security settings for your domain controllers.
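The same check can be made across several domain controllers without opening each policy by hand. This is an added example, not part of the original lesson: it reads security-template text in the INF layout (as produced by secedit /export) and reports hosts where the logon-screen setting is missing or disabled; the host names and template contents are constructed sample data.

```python
# Added example: audit security-template text for the
# "Do Not Display Last User Name In Logon Screen" setting.
# Host names and template contents below are constructed sample data.

KEY = (r"machine\software\microsoft\windows\currentversion"
       r"\policies\system\dontdisplaylastusername")

def last_user_name_hidden(template_text):
    """Return True only if the template sets DontDisplayLastUserName to 1."""
    section = None
    for raw in template_text.splitlines():
        line = raw.split(";", 1)[0].strip()      # drop INF comments
        if not line:
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1].strip().lower()
            continue
        if section != "registry values" or "=" not in line:
            continue
        name, _, value = line.partition("=")
        if name.strip().strip('"').lower() != KEY:
            continue
        # Value layout is "<registry type>,<data>", e.g. "4,1" = REG_DWORD 1.
        parts = [p.strip().strip('"') for p in value.split(",")]
        return len(parts) == 2 and parts[1] == "1"
    # Key absent: the template does not enforce the setting, so treat the
    # host as still displaying the last user name.
    return False

def audit(templates):
    """Take {host: template text}; return sorted hosts that need fixing."""
    return sorted(h for h, t in templates.items()
                  if not last_user_name_hidden(t))

def _template(reg_line):
    # Build a small constructed template around one [Registry Values] line.
    return "[Unicode]\nUnicode=yes\n[Registry Values]\n" + reg_line + "\n"

_NAME = (r"MACHINE\Software\Microsoft\Windows\CurrentVersion"
         r"\Policies\System\DontDisplayLastUserName")
SAMPLE = {
    "DC1": _template(_NAME + "=4,1"),             # setting enabled
    "DC2": _template(_NAME + "=4,0"),             # explicitly disabled
    "DC3": _template("; no logon settings defined"),  # not defined
}

if __name__ == "__main__":
    print("Last user name still displayed on:", audit(SAMPLE))
```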

Practice: Installing and Using a Security Scanner

In this practice, you'll use the Internet Security Systems Scanner to check your Windows 2000 system environment for vulnerabilities. This product should be installed on a Windows 2000 workstation in a real-world environment; however, on the small test network, you'll use TRAINKIT1 (PC1).

  1. Log on to TRAINKIT1 as Administrator with the password secret.
  2. Open My Computer, open the Tools\InternetScanner folder, and install Internet Scanner by double-clicking Setup.exe.

    You'll see a warning telling you that you should install the scanner on a workstation.

  3. Click Yes to continue.
  4. Click Next in the Welcome dialog box and then click Yes to accept the license agreement.
  5. Accept the default folder suggested by the program, Program Files\Iss\Scanner6. Click Next.

    Files will be copied followed by a warning message about Internet Scanner affecting server performance, as shown in Figure 10.16.

    Figure 10.16 Internet Scanner warning message

  6. Click Yes and then click OK on the following screens.

    Finally, the installation will ask if you'd like to view the Readme file.

  7. Click Yes and read the documentation.
  8. Restart your machine if prompted.
  9. Log on to TRAINKIT1 as Administrator with the password secret.
  10. From the Programs menu, select ISS, System Scanner 6.0, and then click Internet Scanner 6.0.

    The ISS Internet Scanner dialog box will appear.

  11. Accept the default to create a new session and click OK.
  12. In the Key Select dialog box, click Next.
  13. In the Policy Select dialog box, select L5 NT Server and click Next.
  14. In the Add A Session Comment dialog box, type Trial and click the Finish button.
  15. You'll now see the ISS Scanner screen, which is split into three panes: left, right, and bottom. Select a host from the left pane.
  16. Open the Scan menu and select Scan Now.
  17. Ignore any messages that appear and click the red vulnerabilities button below the right pane (and above the bottom pane).
  18. Scroll through the list of vulnerabilities. Red indicates a critical vulnerability, yellow indicates a medium vulnerability, and blue marks entries that are simply information about different aspects of your security. See if you can locate the yellow warning that there is no password on the guest account.
  19. Click Risk at the top of the Risk column to sort the vulnerabilities in order of high, medium, and low. If the low ones appear at the top, click Risk again, and it will toggle to display the high vulnerabilities at the top of the screen.
  20. When the scan has completed, you might want to explore the rest of the facilities this tool has to offer, such as the Report menu option to generate reports on the vulnerabilities found and the Policy menu to create your own major policy concerns. Note that you can also use the Microsoft Security Configuration Manager snap-in as covered in Chapter 3, Lesson 3, "Security Assessment," to do a similar scan.

Lesson Summary

In this lesson, you learned how important it is to scan your Windows 2000 systems after a migration because of potential vulnerabilities opened by the migration. You also learned to use a third-party security scanning utility.

MCSE Training Kit (Exam 70-222): Migrating from Microsoft Windows NT 4.0 to Microsoft Windows 2000 (MCSE Training Kits)
ISBN: 0735612390
Year: 2001
Pages: 126