FireWall-1 FAQ: Securing Windows 2000 for VPN-1/FireWall-1 Installation
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Securing Windows 2000 for VPN-1/FireWall-1 Installation
Note that there are a ton of different opinions on what services need to be enabled or disabled on a server. The truth is this: It depends on how paranoid you are and what you re trying to accomplish. If you follow these steps, you will have a fairly braindead system for much of anything else except running VPN-1/FireWall-1. That s good, because it s what we are trying to accomplish.
Hardening an OS installation begins during the initial installation. The first choice is how to install the server as a standalone server or as a domain controller. A standalone server should be chosen. Your firewall should not be a domain controller, for that goes against the idea that a firewall should be nothing but a firewall. Additionally, the firewall should not be a member of a domain.
When presented with the Windows Components Wizard dialog, ensure that all components except for SNMP are unchecked because none of the other components will be necessary. FireWall-1 does make use of SNMP, however.
When setting up Windows 2000 for FireWall-1, only TCP/IP is needed. Use a static IP address. The non-IP protocols are undesirable (FireWall-1 cannot filter these protocols). Also, the Client for Microsoft Networks service and the File and Print Sharing service are not necessary and may create a potential security risk.
Choose a machine name (firewall seems like a good choice, though do not choose fw, fw-1, firewall-1, or similar), and choose a domain/workgroup that is unreachable.
After installing the operating system, make sure you install any service packs and critical security hotfixes, which are available at http://www.microsoft.com/windows2000/ downloads/default.asp.
After you have installed these fixes, services should be disabled. Windows 2000 has quite a number of services most of them are unnecessary on a firewall. Below I describe the various services you might want to keep enabled. Other services not in this list should be stopped and marked as disabled. For a more complete listing of the services and what they do, review the Glossary of Windows 2000 Services at Microsoft s site, available at http://www.microsoft.com/windows2000/techinfo/howitworks/management/w2kservices.asp.
- COM+ Event System: The main reason to keep this service enabled is to track logons and logoffs by local users.
- DHCP Client: You should leave this enabled only if you plan to get IP addresses via DHCP; otherwise, disable this service.
- _ Event Log_: This service provides the interface for reading/writing the Windows 2000 Event logs.
- Logical Disk Manager: This service allows you to manage locally attached disks. Set this service to manual startup instead of automatic.
- Network Connections: This service allows you to modify your network connection properties.
- Plug and Play: This service provides hardware device installation and configuration.
- Remote Procedure Call: This service allows a program on one system to execute a program on another remote system. Note that we are going to remove the listeners for this service later to ensure this service cannot be used to compromise the platform.
- RunAs Service: If you want to be able to use the RunAs functionality where one user can run commands as a user with elevated privileges like the UNIX su command, keep this service enabled.
- Security Accounts Manager: If you want to be able to manage local user accounts, this service needs to be enabled.
- Task Scheduler: If you want to be able to use the at command to run scheduled jobs, this service needs to be enabled.
- Windows Management Instrumentation: If you want to use the Microsoft Management Console on the platform, leave this service enabled.
- Windows Management Instrumentation Driver Extensions: If you want to use the Microsoft Management Console on the platform, leave this service enabled too.
In order to route packets, IP Routing must be enabled. This requires editing the following registry key using regedit:
Set EnableIPRouter to 1 HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters (REG_DWORD)
The next step is to disable DNS Registration. In the TCP/IP configuration screen for each interface, select Advanced, then the DNS tab. Ensure that the Register this connection s address in DNS checkbox is unchecked. This prevents the firewall from attempting to register with a Windows 2000 DNS server, which is not necessary for a firewall to do.
The next step is to disable NetBIOS over TCP. This is done in the Device Manager, which you can access by right-clicking on My Computer, selecting Properties, then clicking on the Hardware tab and clicking on the Device Manager button. Then from the View menu, select Show Hidden Devices. Under the Non Plug and Play section, you will see "NetBIOS over tcpip." Right-click on this service, and select Disable.
Finally, you will want to prevent the RPC Portmapper from listening on Windows 2000. To do this, remove the following two registry entries:
You will also need to edit the registry key HKLM\Software\Microsoft\RPC\DCOM Protocols so that it no longer includes ncacn_ip_tcp.
After you reboot, you can verify this change took effect by using the netstat command to validate that nothing is listening on TCP port 135.