skyBuilders Security Policy

Jesse Burkhardt - begun on 2001/09/20, last modified 2001/12/03

Summary:  In the wake of a litany of intrusions, sophisticated virus attacks, and the increasingly Byzantine and ever-changing tangle of MS Windows permission tiers and hidden, so-called services, it has become necessary to define a security policy document as a general guideline for installing MS Windows 2000. The complexity of services and permissions in MS Windows 2000, and the lack of decent documentation on how to deal with them, has brought about the need for this document. This document is meant not only as a guideline for in-house skyBuilders MS Windows 2000 installations, but also as a template for organizations needing to address these same issues.

Categories to be covered are:

  1. Users - who they are and what the scope of their privileges is
  2. File and Folder Permissions - applying nuanced permissions on a per-user basis
  3. Services - detailing which services should run on various types of servers
  4. Miscellaneous - addressing email concerns, removable media, etc.

I. Defining Users:

  1. Administrator: As a matter of policy it is a good idea to rename the built-in Administrator account, or to create an account with a different name that is a member of the Administrators group (or at least has full Administrator privileges), so that no account called "Administrator" exists. Viruses and crackers often try to log on as the user known as Administrator; if no such user exists you minimize your exposure. Note that renaming does not change the account's well-known relative identifier (RID 500), so an attacker who can enumerate accounts by SID will still find it; the rename defeats name guessing only.

  2. Administrators: This refers to the Administrators group.

  3. SYSTEM: Many scheduled or automatically performed operations require certain privileges for the user known as SYSTEM. For instance, the Task Scheduler service cannot even be started unless the SYSTEM user has some sort of execute privilege in the \WINNT\System32 directory.

  4. IUSR_[host machine]: In order to allow the world to browse your web site pages published on the Internet, your Windows 2000 web server needs to allow the IUSR account at least Read permission on the physical folder from which the web site is served. If you want visitors to submit text through forms or other information-gathering interfaces, the IUSR account must also have Write permission, but only on the specific folder where that data is stored, never on the whole web root. If you want to allow your Internet visitor to browse down the site subdirectory structure, the IUSR account will also need List Folder Contents or Traverse Folder/Execute File permission.

  5. IWAM_[host machine]: This account, IWAM (Web Application Manager), is not well explained in much of the documentation I have encountered. IWAM_[host machine] is often mentioned in the same breath as the IUSR_[host machine] account. In the absence of better information I cannot make any recommendations concerning it. Please examine the following web page excerpts on the subject.

    1. From Deja: When IIS is installed, it creates two user accounts, assigns them specific user rights, and places them in specific user groups. These two accounts are IUSR_computername and IWAM_computername. The IUSR_computername account is used by IIS to grant anonymous access to Web resources. IWAM_computername is the account used by Microsoft Transaction Server (MTS) and various IIS entities to provide programmatic and transactional functions.

    2. From Microsoft - Updating IIS after the Computer Name Is Changed (search on ../Q234/1/42.ASP): This may or may not be pertinent. The article claims that potential IWAM "sync" problems do not apply to Windows 2000.

    3. From Microsoft - Server Reliability through Process Isolation (search on ../server112299): The IWAM_machine (IWAM for short) account, seen in Figure 5, can be a common source of problems if you don't know a few tricks. The IWAM account is an important account; it's the default account that's used when you set your Web applications to run out of process from IIS.

      A problem occurs when you change the IWAM account's password through NT USERMGR without informing IIS of the changes. You need to update IIS manually because the IWAM account does not have the same password synchronization option that the IUSR account does. IUSR's password synchronization option automatically synchronizes any changes in USRMGR with the IUSR's password stored in the metabase. If you change the password to the IWAM account in USERMGR, you will also need to make the same change to the MTS packages for out-of-process applications that you have already created for IIS. You also need to make the change to the WAMUserPass property in the metabase, which is where IIS stores the IWAM account information that it will use when it is creating new out-of-process applications in the future.

    4. From Microsoft - Web Hosting with IIS 5.0 (URL not available): The IUSR_computername account is the anonymous access user account; the IWAM_computername account is the account that allows you to run ASPs, CGIs, and so on. IUSR handles anonymous connectivity, and IWAM is used to launch ASP and CGI applications.

  6. Everyone: The Everyone "user" is actually an all-inclusive group (on Windows 2000 it even includes the Anonymous Logon identity) and is typically given many privileges by default. In the Windows 2000 server environment this is asking for trouble. It is good practice to severely limit, or even completely eliminate, the Everyone group's privileges.

  7. Guest: The Guest user may or may not be categorized the same way as the Everyone group. It is possible that the Guest user is the FTP/Telnet equivalent of the IUSR account for web server access (in fact IIS's own FTP service uses the same IUSR_[host machine] account for anonymous logons). Guest is disabled by default on Windows 2000 and should remain so.

  8. Privilege Recommendations: This paragraph is very much related to the following section (II).

    1. SYSTEM - Full Control, probably at the drive level on all drives

    2. ADMINISTRATORS - as with the SYSTEM user, Full Control. (For both of these entries click "Advanced" and check the box "Reset permissions on all child objects and enable propagation of inheritable permissions." You will receive an error while trying to apply permissions to pagefile.sys; press Continue on this and on any similar errors.)

    3. IUSR_[host machine] - Read & Execute, List Folder Contents, Read, leaving "Allow inheritable permissions from parent to propagate to this object" checked, applied to [C:\]Inetpub\wwwroot (or wherever the web root has been relocated; see II.5).

    4. Everyone - Read & Execute, List Folder Contents, Read, leaving "Allow inheritable permissions from parent to propagate to this object" checked, applied to [C:\]Program Files\Common Files.

      Here I shall excerpt from Mark Reynolds, a link to whose document appears at the bottom of this document:

      Why you should use the EVERYONE group instead of the IUSR_[host machine] account:

      The everyone group encompasses the Users group, the IUSR_[host machine] account, and the IWAM_[host machine] account.

      IIS 5.0 uses two separate accounts to execute web pages. When anonymous authentication is used IIS uses the IUSR_[host machine] account to view those pages. However, IWAM_[host machine] is used to start up a separate process called DLLHOST.EXE. All ASP, COM components, or other ISAPI extensions (ASP is considered an ISAPI extension) are run inside this DLLHOST.EXE. This is primarily for stability purposes. If a custom COM component called from an ASP page crashes (Access Violates thus shutting down the process) it will not affect INETINFO.EXE. This means the web service will continue to run.

      There are two protection levels in IIS 4.0:

      Default - IIS 4.0 runs all "Applications" In-Process meaning inside the INETINFO.EXE process, which gets started up by the SYSTEM account. When web pages are viewed the particular thread that is serving the page is run under the context of the IUSR_[host machine] account. HTM, ASP and any other ISAPI extensions are run inside the INETINFO.EXE process.

      Run in Separate Memory Space (Isolated Process) - This is also known as Out-Of-Process. This uses the IWAM_[host machine] account to spawn a separate MTX.EXE process that runs ASP and other ISAPI extensions.

      There are three protection levels in IIS 5.0:

      Low (IIS Process) - This setting is similar to the default setting under IIS 4.0. All web pages whether HTM or ASP are run inside the INETINFO.EXE process.

      Medium (Pooled) - This is the default. As with IIS 4.0 this setting starts a separate process called DLLHOST.EXE where all ASP and COM components are run. This process is started by the IWAM_[host machine] account just as in IIS 4.0. Also, this setting is known as pooled because even if there are 5000 different web sites running in IIS, they will all share this single DLLHOST.EXE for executing ASP pages (Windows 2000 replaces MTX.EXE with DLLHOST.EXE).

      High (Isolated) - This setting starts a dedicated DLLHOST.EXE for that particular web site or application. If you had 5 web sites each set on High protection you would see five DLLHOST.EXE processes plus one additional DLLHOST.EXE that COM+ starts under the "System Application" for a total of six DLLHOST.EXE's.

      To restore default NTFS permissions for Windows 2000 please see:

      Q266118 How to Restore the Default NTFS Permissions for Windows 2000
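The account recommendations in I.1 and I.7 (get rid of an account literally named Administrator, keep Guest disabled, know who is in Administrators) can be applied and checked with the script below. It is an added example, not part of the skyBuilders policy, and it assumes a modern Windows with the Microsoft.PowerShell.LocalAccounts module (Windows 10 / Server 2016 and later); Windows 2000 has no PowerShell, so there the same steps are clicked through in Local Users and Groups. The new name $NewAdminName is a placeholder of my choosing.

```powershell
#Requires -RunAsAdministrator
# Added example, not the skyBuilders page's own script (see lead-in).
# $NewAdminName is an assumed placeholder; pick something non-obvious.
$NewAdminName = 'ops-admin-x7'

# I.1: find the built-in Administrator by its well-known relative ID (500)
# rather than by name, so this also works after an earlier rename.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtin.Name -NewName $NewAdminName
    Write-Host "Renamed '$($builtin.Name)' to '$NewAdminName'"
}
# The SID does not change with the name, so this defeats name guessing only;
# anyone who can enumerate accounts by SID still finds RID 500.
Write-Host "Built-in administrator SID is still $($builtin.SID.Value)"

# I.7: Guest (RID 501) stays disabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($guest.Enabled) {
    Disable-LocalUser -Name $guest.Name
    Write-Host "Disabled '$($guest.Name)'"
}

# Check: who is actually in Administrators?  Anything besides the renamed
# built-in account and the expected administrators is a finding.
Get-LocalGroupMember -Group 'Administrators' |
    Select-Object Name, ObjectClass, PrincipalSource |
    Format-Table -AutoSize
```

Run it once after installation and again after any software install that creates accounts; the final table is the part worth keeping in the build record.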


II. Defining File and Folder Permissions:

As a general matter of policy it is good practice to locate operating system and service program files away from their traditional, and therefore vulnerable, drive locations. We recommend avoiding the C: drive whenever possible, since that is where many viruses begin their search for service programs to hijack. This is obscurity rather than protection: a virus that locates files through environment variables or the registry will still find them, so the permissions below are what actually matters. Please refer to item I.8 above for a discussion of the actual user accounts and their associated privileges for each of the following directories.

  1. Disk Drive Level: It is probably a good idea to give the Administrators group (or whatever account has assumed the Administrator role) and the SYSTEM user some degree of, or even full, privileges at the outermost (drive root) level across all drives.

  2. [C:]\WINNT: Do the following to all folders (or subdirectories) excluding the [C:]\WINNT\inetsrv and [C:]\WINNT\certsrv subdirectories: Open "Properties" for these folders and uncheck "Allow inheritable permissions from parent to propagate to this object." When Windows asks whether to "[Copy] [Remove] [Cancel]" click the Copy button. Click OK to exit the properties display panel.

    Also for [C:]\WINNT add the Everyone user privileges Read and Execute, List Folder Contents, and Read, leaving "Allow inheritable permissions from parent to propagate to this object" checked.

  3. [C:]\WINNT\System32: As with the \WINNT\Temp directory it is probably a good idea to give the Everyone group certain privileges here; this needs study. Minimally, we advise allowing the IUSR account (and possibly the Everyone group) "Read & Execute", "List Folder Contents", and "Read" permissions in order to get some basic web services to function.

  4. [C:]\WINNT\Temp: This directory bears a particular significance. Many things will not operate without privileges on it. For instance, if a web site is backed by an MS Access 2000 database, the IUSR account must have Modify, Read & Execute, List Folder Contents, Read, and Write permissions on it. In fact various applications and services will not function unless the IUSR account, or even the Everyone group, has these privileges in the \WINNT\Temp directory.

    Alternatively to be slightly more inclusive one could give the Everyone user these privileges which would subsume the IUSR into the group. This depends on what level of security granularity you want to apply.

  5. [C:]\Inetpub\wwwroot: Best to move this directory to a location that the world at large does not know about, and ideally off the system drive. Moving it does not change what the IUSR account may do there; the Read & Execute permissions from I.8.3 still apply to the new location.

  6. [C:\]Program Files\Common Files: The Everyone user should have Read and Execute, List Folder Contents, Read, leaving "Allow inheritable permissions from parent to propagate to this object" checked.
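The permission recommendations in I.8 and the directory-by-directory rules in II above can be applied with Get-Acl / Set-Acl instead of clicking through the Security tab. The script below is an added example, not the skyBuilders page's own procedure. It assumes a modern Windows with PowerShell 5 or later (Windows 2000 has no PowerShell; there the equivalent is the GUI or cacls.exe), that the web root has been relocated to the placeholder $WebRoot, and that the anonymous IIS account is still named IUSR_<host> as in IIS 5. Grant-FolderAccess is a helper name of my own. Try it on a test machine first: it touches drive roots and %SystemRoot%.

```powershell
#Requires -RunAsAdministrator
# Added example, not the skyBuilders page's own script (see lead-in).
$WebRoot = 'D:\webroot'                   # assumption: web root moved off C:
$Iusr    = "IUSR_$env:COMPUTERNAME"       # assumption: IIS 5 style account name

$Inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None
$Allow   = [System.Security.AccessControl.AccessControlType]::Allow

function Grant-FolderAccess {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Identity,
        [Parameter(Mandatory)][System.Security.AccessControl.FileSystemRights]$Rights,
        # Same as unchecking "Allow inheritable permissions from parent to
        # propagate to this object" and answering [Copy] (section II.2).
        [switch]$BreakInheritance
    )
    $acl = Get-Acl -Path $Path
    if ($BreakInheritance) { $acl.SetAccessRuleProtection($true, $true) }
    $rule = [System.Security.AccessControl.FileSystemAccessRule]::new(
        $Identity, $Rights, $Inherit, $NoProp, $Allow)
    $acl.AddAccessRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

# I.8.1 and I.8.2: SYSTEM and Administrators get Full Control at every drive
# root, inherited by every child that still allows inheritance.
foreach ($drive in Get-PSDrive -PSProvider FileSystem | Where-Object { Test-Path $_.Root }) {
    Grant-FolderAccess -Path $drive.Root -Identity 'NT AUTHORITY\SYSTEM'    -Rights FullControl
    Grant-FolderAccess -Path $drive.Root -Identity 'BUILTIN\Administrators' -Rights FullControl
}

# II.2: cut %SystemRoot% off from drive-root inheritance (keeping a copy of the
# inherited entries) and let Everyone read and execute there.  "ReadAndExecute"
# is the GUI's "Read & Execute, List Folder Contents, Read".
Grant-FolderAccess -Path $env:SystemRoot -Identity 'Everyone' -Rights ReadAndExecute -BreakInheritance

# I.8.3 / II.5: the anonymous web user may only read and execute under the web root.
Grant-FolderAccess -Path $WebRoot -Identity $Iusr -Rights ReadAndExecute

# II.4: Access/Jet and other components need a writable %SystemRoot%\Temp.
# "Modify" is the GUI's "Modify, Read & Execute, List Folder Contents, Read, Write".
Grant-FolderAccess -Path "$env:SystemRoot\Temp" -Identity $Iusr -Rights Modify

# I.8.4 / II.6: Everyone may read and execute Common Files.
Grant-FolderAccess -Path "$env:ProgramFiles\Common Files" -Identity 'Everyone' -Rights ReadAndExecute

# Check: list the explicit (non-inherited) entries on the web root so a stray
# Write or FullControl for IUSR or Everyone stands out.
(Get-Acl -Path $WebRoot).Access |
    Where-Object { -not $_.IsInherited } |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

AddAccessRule only adds an entry; it does not strip what is already there, so the final listing is the real test. If the anonymous account shows anything beyond ReadAndExecute on the web root, that is where a defaced page or an uploaded script will come from.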


III. Defining Allowable Services and Ports:

Many server services open windows of vulnerability into your server. Services such as Telnet, FTP, SMTP, and even DNS and web browsing can open your server up to hijacking. Standard port numbers can be remapped to confuse invaders about which ports are open on your server, but a port scan still finds a remapped listener, so treat remapping as a nuisance to attackers rather than as protection. You should ask yourself questions such as: should a web server allow the use of a web browser? A great many services may be non-essential to the operation of a specific server machine. Services open communication ports, and open ports are what make a server reachable and therefore vulnerable. For security purposes it is recommended that all non-essential services be disabled. Many services which create vulnerability can operate through a firewall by means of forwarders or proxy methods, but these topics are far beyond the scope of this document.

Some services are installed by third party software. For instance a "good", but non-essential, third party service is the Norton AntiVirus Client service. Such a service should probably not be disabled.

Other times services are installed by viruses: the notorious Funlove virus, for example, writes registry entries so that its own executable runs as a service.

What follows is a comprehensive list of MS Windows 2000 services. It is presently not clear to me what constitutes the minimum set of these services for the MS Windows 2000 OS to function. Suggestions and recommendations are welcome as to how to tailor these services. We will assume that the server you are installing will be primarily a web server, though it may perform other functions such as DNS.

Key: E = Essential, D = Dangerous, O = Reasonable Option to Retain. The key letter, where one has been assigned, follows the service name in brackets. "Depends on" lists the services this one needs running; "Supports" lists the services that need this one (stop those first, or they fail when this one goes down).

Alphabetical Listing of All Windows 2000 Services

1. Alerter | Depends on: Workstation | Supports: nothing
   Notifies selected users and computers of administrative alerts.
2. Application Management | Depends on: nothing | Supports: nothing
   Provides software installation services such as Assign, Publish, and Remove.
3. Boot Information Negotiation Layer | Depends on: Server | Supports: nothing
   Provides the ability to install Windows 2000 Professional on PXE remote boot-enabled client computers.
4. ClipBook | Depends on: Network DDE | Supports: nothing
   Supports ClipBook Viewer, which allows pages to be seen by remote ClipBooks.
5. COM+ Event System [E] | Depends on: Remote Procedure Call (RPC) | Supports: System Event Notification
   Provides automatic distribution of events to subscribing COM components.
6. Computer Browser [O] | Depends on: Server, Workstation | Supports: nothing
   Maintains an up-to-date list of computers on your network and supplies the list to programs that request it.
7. DefWatch [O] | Depends on: nothing | Supports: nothing
   Third party: used by Norton AntiVirus; otherwise no information.
8. DHCP Client [O] | Depends on: nothing | Supports: nothing
   Manages network configuration by registering and updating IP addresses and DNS names.
9. DHCP Server | Depends on: Remote Procedure Call (RPC), Security Accounts Manager | Supports: nothing
   Provides dynamic IP address assignment and network configuration for Dynamic Host Configuration Protocol (DHCP) clients.
10. Distributed File System | Depends on: Server, Workstation | Supports: nothing
   Manages logical volumes distributed across a local or wide area network.
11. Distributed Link Tracking Client | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Sends notifications of files moving between NTFS volumes in a network domain.
12. Distributed Link Tracking Server | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Stores information so that files moved between volumes can be tracked for each volume in the domain.
13. Distributed Transaction Coordinator | Depends on: Remote Procedure Call (RPC), Security Accounts Manager | Supports: nothing
   Coordinates transactions that are distributed across two or more databases, message queues, file systems, or other transaction-protected resource managers.
14. DNS Client | Depends on: nothing | Supports: nothing
   Resolves and caches Domain Name System (DNS) names.
15. DNS Server [O] | Depends on: NT LM Security Support Provider, Remote Procedure Call (RPC) | Supports: nothing
   Answers query and update requests for Domain Name System (DNS) names.
16. Event Log [E] | Depends on: nothing | Supports: File Replication, Remote Storage Engine, Remote Storage File, Remote Storage Media, Remote Storage Notification, SNMP Service, SNMP Trap Service
   Logs event messages issued by programs and Windows. Event Log reports contain information that can be useful in diagnosing problems. Reports are viewed in Event Viewer.
17. Fax Service | Depends on: Plug and Play, Print Spooler, Remote Procedure Call (RPC), Telephony | Supports: nothing
   Helps you send and receive faxes.
18. File Replication | Depends on: Event Log, Remote Procedure Call (RPC) | Supports: nothing
   Maintains file synchronization of file directory contents among multiple servers.
19. File Server for Macintosh | Depends on: Workstation | Supports: nothing
   Enables Macintosh users to store and access files on this Windows server machine.
20. FTP Publishing Service [D] | Depends on: IIS Admin Service | Supports: nothing
   Provides FTP connectivity and administration through the Internet Information Services snap-in.
21. IIS Admin Service [E] | Depends on: Protected Storage, Remote Procedure Call (RPC) | Supports: FTP Publishing Service, Simple Mail Transport Protocol (SMTP), World Wide Web Publishing Service
   Allows administration of Web and FTP services through the Internet Information Services snap-in.
22. Indexing Service [O] | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Makes a web site's documents searchable through a browser interface.
23. Intel Alert Handler | Depends on: Intel PDS | Supports: nothing
24. Intel Alert Originator | Depends on: Intel PDS | Supports: nothing
25. Intel File Transfer | Depends on: Intel PDS | Supports: nothing
26. Intel PDS | Depends on: nothing | Supports: Intel Alert Handler, Intel Alert Originator, Intel File Transfer
27. Internet Authentication Service | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Enables authentication, authorization and accounting of dial-up and VPN users. IAS supports the RADIUS protocol.
28. Internet Connection Sharing | Depends on: Remote Access Connection Manager | Supports: nothing
   Provides network address translation, addressing, and name resolution services for all computers on your home network through a dial-up connection.
29. Intersite Messaging | Depends on: Security Accounts Manager | Supports: nothing
   Allows sending and receiving messages between Windows Advanced Server sites.
30. IPSEC Policy Agent | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Manages IP security policy and starts the ISAKMP/Oakley (IKE) and the IP security driver.
31. Kerberos Key Distribution Center [O] | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Generates session keys and grants service tickets for mutual client/server authentication.
32. License Logging Service | Depends on: nothing | Supports: nothing
33. Logical Disk Manager | Depends on: nothing | Supports: nothing
   Logical Disk Manager Watchdog Service.
34. Logical Disk Manager Administrative Service | Depends on: nothing | Supports: nothing
   Administrative service for disk management requests.
35. Messenger | Depends on: Remote Procedure Call (RPC), Workstation | Supports: nothing
   Sends and receives messages transmitted by administrators or by the Alerter service.
36. Net Logon | Depends on: Workstation | Supports: nothing
   Supports pass-through authentication of account logon events for computers in a domain.
37. NetMeeting Remote Desktop Sharing [D] | Depends on: nothing | Supports: nothing
   Allows authorized people to remotely access your Windows desktop using NetMeeting.
38. Network Connections | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Manages objects in the Network and Dial-Up Connections folder, in which you can view both local area network and remote connections.
39. Network DDE | Depends on: Network DDE DSDM | Supports: ClipBook
   Provides network transport and security for dynamic data exchange (DDE).
40. Network DDE DSDM | Depends on: nothing | Supports: Network DDE
   Manages shared dynamic data exchange and is used by Network DDE.
41. NT LM Security Support Provider | Depends on: nothing | Supports: DNS Server, Windows Internet Name Service (WINS), Windows Media Unicast Service
   Provides security to remote procedure call (RPC) programs that use transports other than named pipes.
42. On-line Presentation Broadcast | Depends on: Remote Procedure Call (RPC) | Supports: nothing
43. Performance Logs and Alerts | Depends on: nothing | Supports: nothing
   Configures performance logs and alerts.
44. Plug and Play | Depends on: nothing | Supports: Fax Service, Smart Card, Telephony
   Manages device installation and configuration and notifies programs of device changes.
45. Print Server for Macintosh | Depends on: Print Spooler | Supports: nothing
   Enables Macintosh users to send print jobs to a spooler on a server running Windows 2000.
46. Print Spooler | Depends on: Remote Procedure Call (RPC) | Supports: Fax Service, Print Server for Macintosh, TCP/IP Print Server
   Loads files to memory for later printing.
47. Protected Storage | Depends on: Remote Procedure Call (RPC) | Supports: IIS Admin Service
   Provides protected storage for sensitive data, such as private keys, to prevent access by unauthorized services, processes, or users.
48. QoS Admission Control (RSVP) | Depends on: nothing | Supports: nothing
   Provides network signaling and local traffic control setup functionality for QoS-aware programs and control applets.
49. Remote Access Auto Connection Manager [D] | Depends on: Remote Access Connection Manager, Telephony | Supports: nothing
   Creates a connection to a remote network whenever a program references a remote DNS or NetBIOS name or address.
50. Remote Access Connection Manager [D] | Depends on: Telephony | Supports: Internet Connection Sharing, Remote Access Auto Connection Manager
   Creates a network connection.
51. Remote Procedure Call (RPC) [E] | Depends on: nothing | Supports: COM+ Event System, DHCP Server, Distributed Link Tracking Client, Distributed Link Tracking Server, Distributed Transaction Coordinator, DNS Server, Fax Service, File Replication, IIS Admin Service, Indexing Service, Internet Authentication Service, IPSEC Policy Agent, Kerberos Key Distribution Center, Messenger, Network Connections, On-line Presentation Broadcast, Print Spooler, Protected Storage, Remote Storage Engine, Remote Storage File, Remote Storage Media, Remote Storage Notification, Removable Storage, Routing and Remote Access, Symantec System Center Discovery Service (third party), Task Scheduler, Telephony, Telnet, Terminal Services Licensing, Windows Internet Name Service (WINS), Windows Management Instrumentation, Windows Media Monitor Service, Windows Media Program Service, Windows Media Station Service, Windows Media Unicast Service
   Provides the endpoint mapper and other miscellaneous RPC services.
52. Remote Procedure Call (RPC) Locator [D] | Depends on: Workstation | Supports: nothing
   Manages the RPC name service database.
53. Remote Registry Service [D] | Depends on: nothing | Supports: nothing
   Allows remote registry manipulation.
54. Remote Storage Engine | Depends on: Event Log, Remote Procedure Call (RPC), Remote Storage File, Remote Storage Media, Task Scheduler | Supports: nothing
   Coordinates the services and administrative tools used for storing infrequently used data.
55. Remote Storage File | Depends on: Event Log, Remote Procedure Call (RPC) | Supports: Remote Storage Engine
   Manages operations on remotely stored files.
56. Remote Storage Media | Depends on: Event Log, Remote Procedure Call (RPC), Removable Storage | Supports: Remote Storage Engine
   Controls the media used to store data remotely.
57. Remote Storage Notification | Depends on: Event Log, Remote Procedure Call (RPC) | Supports: nothing
   Notifies clients about recalled data.
58. Removable Storage | Depends on: Remote Procedure Call (RPC) | Supports: Remote Storage Media
   Manages removable media, drives, and libraries.
59. Routing and Remote Access | Depends on: NetBIOSGroup, Remote Procedure Call (RPC) | Supports: nothing
   Offers routing services to businesses in local area and wide area network environments.
60. RunAs Service [D] | Depends on: nothing | Supports: nothing
   Enables starting processes under alternate credentials.
61. Security Accounts Manager | Depends on: nothing | Supports: DHCP Server, Distributed Transaction Coordinator, Intersite Messaging, Windows Internet Name Service (WINS)
   Stores security information for local user accounts.
62. Server | Depends on: nothing | Supports: Boot Information Negotiation Layer, Computer Browser, Distributed File System
   Provides RPC support and file, print, and named pipe sharing.
63. Simple Mail Transport Protocol (SMTP) [D] | Depends on: IIS Admin Service | Supports: nothing
   Transports electronic mail across the network.
64. Simple TCP/IP Services [D] | Depends on: nothing | Supports: nothing
   Supports the following TCP/IP services: Character Generator, Daytime, Discard, Echo, and Quote of the Day. None of these is needed by a web server, and the echo and chargen listeners can be abused to set up traffic loops between two machines, so this belongs on the disable list rather than among the essentials.
65. Single Instance Storage Groveler | Depends on: nothing | Supports: nothing
   Scans Single Instance Storage (SIS) volumes for duplicate files, and points duplicate files to one data storage point, conserving disk space.
66. Smart Card | Depends on: Plug and Play | Supports: nothing
   Manages and controls access to a smart card inserted into a smart card reader attached to the computer.
67. Smart Card Helper | Depends on: nothing | Supports: nothing
   Provides support for legacy smart card readers attached to the computer.
68. SNMP Service | Depends on: Event Log | Supports: nothing
   Includes agents that monitor the activity in network devices and report to the network console workstation.
69. SNMP Trap Service | Depends on: Event Log | Supports: nothing
   Receives trap messages generated by local or remote SNMP agents and forwards the messages to SNMP management programs running on this computer.
70. System Event Notification | Depends on: COM+ Event System | Supports: nothing
   Tracks system events such as Windows logon, network, and power events. Notifies COM+ Event System subscribers of these events.
71. Task Scheduler | Depends on: Remote Procedure Call (RPC) | Supports: Remote Storage Engine
   Enables a program to run at a designated time.
72. TCP/IP NetBIOS Helper Service | Depends on: nothing | Supports: nothing
   Enables support for NetBIOS over TCP/IP (NetBT) service and NetBIOS name resolution.
73. TCP/IP Print Server [D] | Depends on: Print Spooler | Supports: nothing
   Provides a TCP/IP-based printing service that uses the Line Printer protocol.
74. Telephony | Depends on: Plug and Play, Remote Procedure Call (RPC) | Supports: Fax Service, Remote Access Auto Connection Manager, Remote Access Connection Manager
   Provides Telephony API (TAPI) support for programs that control telephony devices and IP-based voice connections on the local computer and, through the LAN, on servers that are also running the service.
75. Telnet [D] | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Allows a remote user to log on to the system and run console programs using the command line. Named in the introduction to this section among the services that expose a server to hijacking; a web server has no need of it.
76. Terminal Services [D] | Depends on: nothing | Supports: nothing
   Provides a multisession environment that allows client devices to access a virtual Windows 2000 Professional desktop session and Windows-based programs running on the server.
77. Terminal Services Licensing | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Installs a license server and provides registered client licenses when connecting to a Terminal Server.
78. Trivial FTP Daemon [D] | Depends on: nothing | Supports: nothing
   Implements the Trivial FTP Internet standard, which does not require a user name or password. Part of the Remote Installation Services.
79. Uninterruptible Power Supply | Depends on: nothing | Supports: nothing
   Manages an uninterruptible power supply (UPS) connected to the computer.
80. Utility Manager | Depends on: nothing | Supports: nothing
   Starts and configures accessibility tools from one window.
81. Windows Installer | Depends on: nothing | Supports: nothing
   Installs, repairs and removes software according to instructions contained in .MSI files.
82. Windows Internet Name Service (WINS) [O] | Depends on: NT LM Security Support Provider, Remote Procedure Call (RPC), Security Accounts Manager | Supports: nothing
   Provides a NetBIOS name service for TCP/IP clients that have to register and resolve NetBIOS-type names.
   NB: If we remove NetBEUI (recommended) as a LAN protocol we must use WINS to allow for NetBIOS over TCP/IP support; set it in Network Properties > Internet Protocol (TCP/IP) > Properties > Advanced > WINS (tab). There is no added WINS server maintenance overhead, such as having to push LMHOSTS files across the LAN.
83. Windows Management Instrumentation | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Provides system management information.
84. Windows Management Instrumentation Driver Extensions | Depends on: nothing | Supports: nothing
   Provides systems management information to and from drivers.
85. Windows Media Monitor Service | Depends on: Remote Procedure Call (RPC) | Supports: nothing
   Provides services to monitor client and server connections to the Windows Media services.
86. Windows Media Program Service | Depends on: Remote Procedure Call (RPC), Windows Media Station Service | Supports: nothing
   Used to group Windows Media streams into a sequential program for the Windows Media Station Service.
87. Windows Media Station Service | Depends on: Remote Procedure Call (RPC) | Supports: Windows Media Program Service
   Provides multicasting and distribution services for streaming Windows Media content.
88. Windows Media Unicast Service | Depends on: NT LM Security Support Provider, Remote Procedure Call (RPC) | Supports: nothing
   Provides Windows Media streaming content on demand to networked clients.
89. Windows Time [E] | Depends on: nothing | Supports: nothing
   Sets the computer clock.
90. Workstation [E] | Depends on: nothing | Supports: Alerter, Computer Browser, Distributed File System, File Server for Macintosh, Messenger, Net Logon, Remote Procedure Call (RPC) Locator
   Provides network connections and communications.
91. World Wide Web Publishing Service [E] | Depends on: IIS Admin Service | Supports: nothing
   Provides Web connectivity and administration through the Internet Information Services snap-in.
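The "D" entries in the list above are the ones to switch off on a dedicated web server, and the "Supports" column tells you what must stop first. The script below does that and then shows which ports are still open, since open ports are the point of the exercise. It is an added example, not part of the skyBuilders policy. It assumes a modern Windows with PowerShell 5 or later (on Windows 2000 the same is done in services.msc or with sc.exe); the display-name patterns in $Dangerous are my assumptions, because service names drift between Windows versions, so read the output rather than trusting the list.

```powershell
#Requires -RunAsAdministrator
# Added example, not the skyBuilders page's own script (see lead-in).
# Display-name patterns for the services the table marks D.  Assumed names;
# drop 'Terminal Services' / 'Remote Desktop Services' if you administer the
# box over RDP, or you will lock yourself out.
$Dangerous = @(
    'FTP Publishing*',
    'NetMeeting Remote Desktop Sharing',
    'Remote Access Auto Connection Manager',
    'Remote Access Connection Manager',
    'Remote Procedure Call (RPC) Locator',
    'Remote Registry*',
    'RunAs Service', 'Secondary Logon',          # same service, newer display name
    'Simple Mail Transport Protocol*',
    'Simple TCP/IP Services',
    'TCP/IP Print Server',
    'Telnet',
    'Terminal Services', 'Remote Desktop Services',
    'Trivial FTP Daemon'
)

foreach ($pattern in $Dangerous) {
    $found = Get-Service -DisplayName $pattern -ErrorAction SilentlyContinue
    if (-not $found) { continue }                # not installed on this machine
    foreach ($svc in $found) {
        # The table's "Supports" column: stop dependents first so the log shows
        # what else went down (Stop-Service -Force would do it silently).
        foreach ($dep in $svc.DependentServices) {
            if ($dep.Status -ne 'Stopped') {
                Write-Host ("stopping dependent: {0}" -f $dep.DisplayName)
                Stop-Service -Name $dep.Name -Force
            }
        }
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
        Set-Service -Name $svc.Name -StartupType Disabled
        Write-Host ("disabled: {0} ({1})" -f $svc.DisplayName, $svc.Name)
    }
}

# Services are what open ports.  Show what still listens and which process
# owns it (netstat -o exists from Windows XP on; Windows 2000 lacks it).
netstat -ano | Select-String 'LISTENING' | ForEach-Object {
    $f = ($_.Line -split '\s+') | Where-Object { $_ -ne '' }   # proto, local, remote, state, pid
    $proc = Get-Process -Id ([int]$f[4]) -ErrorAction SilentlyContinue
    '{0,-28} {1}' -f $f[1], $proc.ProcessName
}
```

Anything in the final listing that is not inetinfo.exe (or whatever hosts the web server), the RPC endpoint mapper, or a service you can name and justify is the next thing to investigate.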


IV. Miscellaneous Issues:

  1. Email and attachments: As a matter of policy we should not directly open email attachments hereafter. If we must see them, do this:

    1. Save the attachment to a temp directory on disk.
    2. Scan the saved file(s) for viruses.
    3. If a virus is detected, delete the file(s) you saved to disk.
    4. Then empty your Recycle Bin.
    5. Then delete the mail message without opening the attachments.
    6. Empty your email Trash folder as a final step.
    7. You may open and save your attachments if they pass the virus scan.

  2. Removable media: Floppies, zip disks, CDROMs

    Obviously it is advisable to be very strict about scanning any floppy or other writable media before reading its contents. People get lazy about this but should remain vigilant.

    Don't be fooled by CD-ROMs. Being read-only does not make them clean; they may inadvertently be harboring viruses.

  3. Related Links:

    1. Windows NT Configuration Guidelines from the CERT® Coordination Center.
    2. A page cached from Deja at Google on minimum NTFS access permissions. I am heavily indebted to the author of the document at this link, Mark Reynolds.
    3. skyBuilders Installation Manual for creating a Windows 2000 Web Site
    4. A brief document discussing FTP and the Anonymous FTP user
