FireWall-1 FAQ: Securing Windows 2000 for VPN-1/FireWall-1 Installation
Please note: This content was from when I was operating my FireWall-1 FAQ site, which I stopped operating in August 2005. For some reason people still have links to this stuff on the Internet that people are still clicking on.
I am making this information available again AS IS. Given how old this information is, it is likely wildly inaccurate. I have no plans to update this information.
If you're still running versions of Check Point VPN-1/FireWall-1 where this information is still relevant to you, do yourself a favor and upgrade to a more recent release. If you happen to be running a current release and the information is useful, it's by happenstance :)
Securing Windows 2000 for VPN-1/FireWall-1 Installation
Note that there are a ton of different opinions on what services need to be enabled or disabled on a server. The truth is this: It depends on how paranoid you are and what you're trying to accomplish. If you follow these steps, you will have a fairly braindead system for much of anything else except running VPN-1/FireWall-1. That's good, because it's what we are trying to accomplish.
Hardening an OS installation begins during the initial installation. The first choice is whether to install the server as a standalone server or as a domain controller. A standalone server should be chosen. Your firewall should not be a domain controller, for that goes against the idea that a firewall should be nothing but a firewall. Additionally, the firewall should not be a member of a domain.
When presented with the Windows Components Wizard dialog, ensure that all components except for SNMP are unchecked because none of the other components will be necessary. FireWall-1 does make use of SNMP, however.
When setting up Windows 2000 for FireWall-1, only TCP/IP is needed. Use a static IP address. The non-IP protocols are undesirable (FireWall-1 cannot filter these protocols). Also, the Client for Microsoft Networks service and the File and Print Sharing service are not necessary and may create a potential security risk.
Choose a machine name (firewall seems like a good choice, though do not choose fw, fw-1, firewall-1, or similar), and choose a domain/workgroup that is unreachable.
- COM+ Event System: The main reason to keep this service enabled is to track logons and logoffs by local users.
- DHCP Client: You should leave this enabled only if you plan to get IP addresses via DHCP; otherwise, disable this service.
- Event Log: This service provides the interface for reading/writing the Windows 2000 Event logs.
- Logical Disk Manager: This service allows you to manage locally attached disks. Set this service to manual startup instead of automatic.
- Network Connections: This service allows you to modify your network connection properties.
- Plug and Play: This service provides hardware device installation and configuration.
- Remote Procedure Call: This service allows a program on one system to execute a program on another remote system. Note that we are going to remove the listeners for this service later to ensure this service cannot be used to compromise the platform.
- RunAs Service: If you want to be able to use the RunAs functionality where one user can run commands as a user with elevated privileges like the UNIX su command, keep this service enabled.
- Security Accounts Manager: If you want to be able to manage local user accounts, this service needs to be enabled.
- Task Scheduler: If you want to be able to use the at command to run scheduled jobs, this service needs to be enabled.
- Windows Management Instrumentation: If you want to use the Microsoft Management Console on the platform, leave this service enabled.
- Windows Management Instrumentation Driver Extensions: If you want to use the Microsoft Management Console on the platform, leave this service enabled too.
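As an added example (not from the original FAQ), the following Python script compares the services actually running on the box against the short allow-list above. It parses the output of the stock `net start` command, which lists started services by display name, and reports anything running outside the baseline as well as anything in the baseline that is not running. Assumptions: the display names in the baseline are taken to match the Windows 2000 Services console (the RPC entry appears there as "Remote Procedure Call (RPC)"), "SNMP Service" is included because the SNMP component is kept installed earlier on this page, and the `net start` output is constructed sample data.

```python
"""Audit running Windows 2000 services against the FAQ's allow-list.

Added example, not code from the original FAQ. Feed it the text of
`net start` (run on the firewall and redirected to a file) and it reports
drift from the baseline in both directions.
"""

# Display names of the services the FAQ says to leave enabled.
# Names are assumed to match the Services console on Windows 2000.
BASELINE = {
    "COM+ Event System",
    "Event Log",
    "Logical Disk Manager",
    "Network Connections",
    "Plug and Play",
    "Remote Procedure Call (RPC)",
    "RunAs Service",
    "Security Accounts Manager",
    "SNMP Service",  # kept because the SNMP component stays installed
    "Task Scheduler",
    "Windows Management Instrumentation",
    "Windows Management Instrumentation Driver Extensions",
}

# Only allowed when the firewall gets its address via DHCP.
CONDITIONAL = {"DHCP Client"}


def parse_net_start(text):
    """Return the set of running service display names from `net start` output.

    `net start` prints a banner line, then one indented line per service,
    then a completion message; only the indented lines carry service names.
    """
    names = set()
    for line in text.splitlines():
        if line.startswith("   ") and line.strip():
            names.add(line.strip())
    return names


def audit_services(running, uses_dhcp=False):
    """Return (unexpected, missing) as sorted lists.

    unexpected: running services that are not in the allow-list.
    missing:    allow-listed services that are not running.
    """
    allowed = BASELINE | (CONDITIONAL if uses_dhcp else set())
    return sorted(running - allowed), sorted(allowed - running)


# Constructed sample of what `net start` might print on a not-yet-hardened box.
SAMPLE_NET_START = """\
These Windows 2000 services are started:

   COM+ Event System
   Computer Browser
   DHCP Client
   Event Log
   Logical Disk Manager
   Network Connections
   Plug and Play
   Remote Procedure Call (RPC)
   Security Accounts Manager
   Server
   SNMP Service
   Task Scheduler
   Windows Management Instrumentation
   Windows Management Instrumentation Driver Extensions
   Workstation

The command completed successfully.
"""

if __name__ == "__main__":
    running = parse_net_start(SAMPLE_NET_START)
    extra, missing = audit_services(running, uses_dhcp=False)
    print("running but not in the allow-list:", extra)
    print("in the allow-list but not running:", missing)
```

On the constructed sample the script flags Computer Browser, DHCP Client, Server and Workstation as unexpected (the latter two are the File and Print Sharing and Client for Microsoft Networks components the page says to leave out) and RunAs Service as not running; pass `uses_dhcp=True` if the firewall really does use DHCP and the DHCP Client entry disappears from the report.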
Set EnableIPRouter to 1 (REG_DWORD) under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\TCPIP\Parameters.
To remove the RPC listeners, delete the following registry entries:
- HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_tcp
- HKLM\Software\Microsoft\RPC\ClientProtocols\ncacn_ip_udp

You will also need to edit the registry key HKLM\Software\Microsoft\RPC\DCOM Protocols so that it no longer includes ncacn_ip_tcp. After you reboot, you can verify that this change took effect by using the netstat command to validate that nothing is listening on TCP port 135.
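As an added example (not code from the original FAQ), the Python below does two things for the RPC step above: it computes the new contents of the DCOM Protocols multi-string with ncacn_ip_tcp removed while keeping every other entry in place, and it parses saved `netstat -an` output to confirm that nothing is listening on TCP port 135 after the reboot. The DCOM Protocols entries and both netstat captures are constructed sample data, and the parser assumes the standard `Proto / Local Address / Foreign Address / State` column layout that `netstat -an` prints on Windows.

```python
"""Helpers for the RPC-listener removal step.

Added example, not from the original FAQ. Pure string handling so it runs
anywhere; on the firewall itself you would paste the DCOM Protocols value
from regedit and redirect `netstat -an > netstat.txt` for the check.
"""

import re


def strip_dcom_protocol(protocols, remove="ncacn_ip_tcp"):
    """Return the DCOM Protocols list without `remove`.

    Comparison is case-insensitive and the order of the remaining entries
    is preserved, so the result can be written straight back to the
    REG_MULTI_SZ value.
    """
    return [p for p in protocols if p.lower() != remove.lower()]


# One `netstat -an` row: proto, local addr:port, foreign addr, optional state.
_NETSTAT_ROW = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+)\s*(\S*)")


def listening_tcp_ports(netstat_output):
    """Return the set of local TCP ports reported as LISTENING."""
    ports = set()
    for line in netstat_output.splitlines():
        m = _NETSTAT_ROW.match(line)
        if not m:
            continue  # banner, column header, blank line
        proto, _local, port, _foreign, state = m.groups()
        if proto == "TCP" and state == "LISTENING":
            ports.add(int(port))
    return ports


def rpc_listener_gone(netstat_output):
    """True when the endpoint mapper is no longer listening on TCP 135."""
    return 135 not in listening_tcp_ports(netstat_output)


# Constructed sample: a plausible DCOM Protocols value before editing.
SAMPLE_DCOM_PROTOCOLS = ["ncacn_ip_tcp", "ncacn_spx", "ncacn_nb_nb", "ncacn_nb_ipx"]

# Constructed `netstat -an` captures before and after the registry change.
NETSTAT_BEFORE = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.0.0.1:139           0.0.0.0:0              LISTENING
  UDP    0.0.0.0:161            *:*
  UDP    10.0.0.1:137           *:*
"""

NETSTAT_AFTER = """\

Active Connections

  Proto  Local Address          Foreign Address        State
  UDP    0.0.0.0:161            *:*
"""

if __name__ == "__main__":
    print("DCOM Protocols after edit:", strip_dcom_protocol(SAMPLE_DCOM_PROTOCOLS))
    print("TCP listeners before:", sorted(listening_tcp_ports(NETSTAT_BEFORE)))
    print("TCP 135 gone before reboot?", rpc_listener_gone(NETSTAT_BEFORE))
    print("TCP 135 gone after reboot?", rpc_listener_gone(NETSTAT_AFTER))
```

Printing the full set from `listening_tcp_ports` rather than only checking 135 is deliberate: on a box that should be nothing but a firewall, every remaining TCP listener deserves an explanation, and the "before" capture shows the NetBIOS and SMB ports that disappear once File and Print Sharing is left uninstalled as the page directs.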