Guide to Securing Microsoft Windows 2000 Active Directory v1.0 Checklist Details

Target:

Target CPE Name
Microsoft Windows 2000 cpe:/o:microsoft:windows_2000

Checklist Highlights

Checklist Name:
Guide to Securing Microsoft Windows 2000 Active Directory
Checklist ID:
23
Version:
v1.0
Type:
Compliance
Review Status:
Archived
Authority:
Governmental Authority: National Security Agency
Original Publication Date:
11/30/2000

Checklist Summary:

The purpose of this document is to provide Active Directory security configuration guidance and recommendations. It gives the reader an overview of Active Directory in relation to Windows 2000, provides detailed information on the configuration of multiple Active Directory areas, and describes the methods that system administrators can use to implement configuration and security settings within Active Directory. In addition, this guide documents procedures to back up and restore the Active Directory data. This document is meant to be a starting point for Windows 2000 Active Directory security and does not include numerous Windows 2000 functions and applications associated with Active Directory. This document is a companion to the Guide to Securing Microsoft Windows 2000: Security Configuration Tool Set and other documents that comprise the overall NSA Windows 2000 guidance.

Checklist Role:

  • Active Directory Server

Known Issues:

Do not attempt to implement any of the settings in this guide without first testing in a non-operational environment. This document is only a guide containing recommended security configurations. It is not meant to replace well-structured policy or sound judgment. Furthermore, this guide does not address site-specific configuration issues. Care must be taken when implementing this guide while using products such as Microsoft Exchange, IIS, and SMS. The security changes described in this document only apply to Microsoft Windows 2000 Service Pack 1 systems and should not be applied to any other Windows versions or operating systems. You can severely impair or disable a Windows 2000 system with incorrect changes or accidental deletions when using programs (examples: Security Configuration Tool Set, Regedt32.exe, and Regedit.exe) to change the system configuration. Therefore, it is extremely important to test all settings recommended in this guide before installing them on an operational network. Currently, no Undo function exists for deletions made within the Windows 2000 registry. The registry editor (Regedt32.exe or Regedit.exe) prompts you to confirm the deletions if Confirm On Delete is selected from the options menu. When you delete a registry key, the message does not include the name of the key you are deleting. Therefore, check your selection carefully before proceeding with any deletion.

Target Audience:

This checklist has been created for IT professionals. It is intended for readers who are already familiar with Active Directory but need to understand how to make it more secure. The document assumes that the reader has experience administering Windows-based systems in domain or standalone configurations.

Target Operational Environment:

  • Managed

Testing Information:

The security configuration guide has been extensively tested in a lab and operational environment.

Regulatory Compliance:

Not provided.

Comments/Warnings/Miscellaneous:

Prior to loading Windows 2000 Active Directory, it is recommended to verify that the system is running Windows 2000 Service Pack 1. The security changes described in this document should not be applied to any other Windows 2000 or Windows NT versions or operating systems. To use DNS properly, Active Directory requires DNS Service Resource Record (SRV RR) support and BIND 8.1.2 or higher. The Microsoft Management Console is used to customize and apply some of the security settings to Windows systems. A Registry editor (Regedt32.exe or Regedit.exe) can be used for manipulation of registry keys.

Disclaimer:

Do not attempt to implement any of the settings in this guide without first testing them in a non-operational environment. Security configuration guides are provided for the Department of Defense and other government agencies requiring security configuration guidelines. The guides contain recommended security settings. They are not intended to replace well-structured policy or sound judgment. The guides do not address site-specific configuration issues. Care must be taken when implementing the guides to address local operational and policy concerns. All security changes described in the guides are applicable only to specifically identified operating systems or architecture components and should not be applied to any other operating system or architecture components.

Product Support:

Not provided.

Point of Contact:

SNAC.Guides@nsa.gov

Sponsor:

Not provided.

Licensing:

Refer to the legal statement provided in the download package. http://www.nsa.gov/notices/notic00004.cfm?Address=/snac/os/win2k/w2k_active_dir.pdf

Change History:

v1.0, 2000-12
hotfix for incorrect data - 03/13/2017
Updated status to Archive - 10/24/18

NIST checklist record last modified on 10/24/2018