Amateurs, as usual, leave security at the default settings
Rename your Administrator Account
Renaming the Administrator account is the single best practice
you can apply to secure your system. It amazes me that companies
spend thousands on security reports yet do not rename the
Administrator account. Also remember to delete the description,
'Built-in account for administering the computer/domain', when you rename
the account: the default description gives the rename away just as surely as
the default name.
The two points are:-
1) Every hacker knows that Windows Server 2003 has an account called
Administrator, so a rename takes away the one user name an attacker can
count on (though, as SG points out below, the account's SID still ends in
500).
2) By design, the built-in Administrator account cannot be locked out by the
account lockout policy. So hackers can try as many passwords as they like
without tripping the lockout that protects every other account.
Create a Dummy Administrator Account
My mate 'Barking' Eddie renames the original Administrator to
fredb, then creates a new dummy account called Administrator with only
guest rights. This drives hackers mad because they cannot
understand why the Administrator account does not do what they
want! He even adds the description 'Built-in account for
administering the computer/domain' to the dummy account.
Before you copy him, check three things: the decoy must be in no privileged
group (Guests or Users, never Administrators); give it a long random password,
so that a lucky guess buys nothing; and audit failed logons against it, since
nobody legitimate should ever try to use that name.
Guy Recommends: A Free tool from SolarWinds: Config Generator
Config Generator (CG) is a free tool, which puts you in charge of
controlling changes to network routers and other SNMP devices.
Boost your network performance by activating network device features
that you've already paid for.
Guy says that for newbies the biggest benefit of this free tool is that
it will provide the impetus for you to learn more about configuring the SNMP
service with its 'Traps' and 'Communities'.
Notes on Best Practices for the Administrator account
In Windows Server 2003 you CAN disable the Administrator account. Best
practice is to disable the original only after you have created and tested
another account with full administrative rights, that is, a member of the
Administrators group; Account Operator rights alone are not enough to
administer the server. Note that a disabled built-in Administrator account can
still be used to log on in Safe Mode, so give it a strong password even when it
is disabled.
SG wrote to me pointing out more security measures for the Administrator
account:-
Deny access to this computer from the network. SG reminds me
that this account has a SID ending in 500, which cannot be changed. As a
result, hackers using RedButton will always know which account is the original
Administrator and attack it.
You could also set the Security Policy 'Additional restrictions for
anonymous connections' to 'Do not allow enumeration of SAM accounts and shares'
(in Windows Server 2003 the setting is called 'Network access: Do not allow
anonymous enumeration of SAM accounts and shares'). That closes the null
session that tools of this kind use to list accounts; it does not stop an
attacker who already holds valid credentials for the domain.
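The whole Administrator checklist above (renamed, description removed, decoy in place, network logon denied) as one script you can run on the server. This is an added example rather than code from the original page. It assumes a Windows Server 2003 member server with a local SAM, an elevated PowerShell prompt, and that the decoy keeps the name Administrator; the temporary file name for the secedit export is my own choice.

```powershell
# Added example, not code from the original page. Audits the built-in
# Administrator on a Windows Server 2003 member server from an elevated
# PowerShell prompt. Assumes a local SAM (on a domain controller the RID-500
# account lives in Active Directory and Win32_UserAccount must be queried
# with the domain name instead of the computer name).

$computer = $env:COMPUTERNAME

# 1. Find the real Administrator by RID, not by name. The SID of the built-in
#    account always ends in -500, which is exactly how a tool such as
#    RedButton finds it after a rename.
$accounts = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount='True' AND Domain='$computer'"
$builtIn  = $accounts | Where-Object { $_.SID -match '-500$' }

Write-Host "RID-500 account name    : $($builtIn.Name)"
Write-Host "RID-500 account disabled: $($builtIn.Disabled)"
if ($builtIn.Name -eq 'Administrator') {
    Write-Warning 'The built-in Administrator has not been renamed.'
}
if ($builtIn.Description -like 'Built-in account for administering*') {
    Write-Warning 'The default description is still present; it gives the rename away.'
}

# 2. The decoy must carry the old name but none of the rights. Look for a
#    second account called Administrator (assumed decoy name) and confirm it
#    is not in the local Administrators group, read through the ADSI WinNT
#    provider.
$decoy = $accounts | Where-Object { $_.Name -eq 'Administrator' -and $_.SID -notmatch '-500$' }
if ($decoy) {
    $group   = [ADSI]"WinNT://$computer/Administrators,group"
    $members = @($group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    })
    if ($members -contains 'Administrator') {
        Write-Warning 'The decoy Administrator is a member of Administrators; that is not a decoy.'
    } else {
        Write-Host 'Decoy Administrator present and outside the Administrators group.'
    }
} else {
    Write-Host 'No decoy Administrator account found.'
}

# 3. "Deny access to this computer from the network" is a user right. Export
#    the local policy and check whether the RID-500 SID is listed under
#    SeDenyNetworkLogonRight (secedit writes SIDs with a leading asterisk,
#    so a substring match on the SID is enough).
$inf = Join-Path $env:TEMP 'userrights.inf'   # temporary file, name is an assumption
secedit /export /cfg $inf /areas USER_RIGHTS | Out-Null
$deny = Select-String -Path $inf -Pattern '^SeDenyNetworkLogonRight'
if ($deny -and $deny.Line -match [regex]::Escape($builtIn.SID)) {
    Write-Host 'RID-500 account is denied network logon.'
} else {
    Write-Warning 'RID-500 account can still log on over the network, and lockout never applies to it.'
}
Remove-Item $inf -ErrorAction SilentlyContinue

# 4. For contrast, show the lockout policy that protects every other account.
net accounts | Select-String 'Lockout'
```

Step 1 is the part to take to heart: whatever you call the account, the script finds it in one line by its RID, and so does an attacker who can enumerate accounts. The rename only pays off together with steps 2 and 3 and the anonymous-enumeration restriction above.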
Warning about Microsoft:- Windows is configured for ease of
use out of the box. However, with knowledge and skill I believe you can make
Windows Server 2003 and Windows 2000 as secure as Novell or Unix.
Guy's warning: - The more security you have, the more work
there will be for the administrators.
Firstly, decide on an appropriate level of security for your
organisation. Take passwords as an example:- ordinary companies
do not need complex passwords which users have to change every
month, whilst it would be inappropriate for a bank to allow blank passwords
that never expire. See more
on computer security.
Litmus Test: Professionals use account lock out
Account lockout - if an organisation has thought about account policies then
they are probably professionals. However, this is a classic case where there is
no 'right answer'.
Several universities admit to problems with account lockout.
Immature undergraduates deliberately lock out their friends'
accounts by typing in the wrong password. If they can lock out a
lecturer's account they think it's hilarious. (Sad people, but we
have to deal with them.)
Guy's first suggestion was to add the
DontDisplayLastUserName setting to the Winlogon part of the registry.
This prevents users seeing the account that previously used the machine. Secondly I showed the
administrators how to set up auditing of failed logons; then we could see which
workstations the rogue passwords were coming from.
Litmus test: Amateurs' security audit log is empty
Amateurs will almost certainly have a blank audit log.
Professionals will have data on unsuccessful logons and audits
of access to sensitive files.
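Guy's two fixes for the prankster problem, and the 'empty audit log' litmus test that follows them, as one script. This is an added example and not code from the original page. It assumes Windows Server 2003 event IDs (529 unknown user name or bad password, 539 account locked out at logon, 644 user account locked out), that failure auditing of logon events is switched on, an elevated prompt, and a decoy account named Administrator; for domain accounts run it on the domain controller, because that is where their failures are recorded.

```powershell
# Added example, not code from the original page. Reads the Security log the
# way Guy's auditing step does and reports where the failed logons come from.
# Assumptions: Windows Server 2003 event IDs (529 = unknown user name or bad
# password, 539 = account locked out, 644 = user account locked out), failure
# auditing of logon events switched on, an elevated prompt, and a decoy named
# Administrator.

$DecoyName  = 'Administrator'      # assumed decoy name; change to match yours
$FailureIds = 529, 539, 644

function Get-LogonFailureSummary {
    # Pull the account and the source machine out of each event's message
    # text. 529/539 carry 'User Name:' and 'Workstation Name:' lines; 644
    # carries 'Target Account Name:' and 'Caller Machine Name:' instead.
    param([Parameter(Mandatory = $true)] $Entries)
    foreach ($e in $Entries) {
        $user = if ($e.Message -match '(User Name|Target Account Name):\s*(\S+)')        { $matches[2] } else { '?' }
        $ws   = if ($e.Message -match '(Workstation Name|Caller Machine Name):\s*(\S+)') { $matches[2] } else { '?' }
        New-Object PSObject -Property @{
            Time        = $e.TimeGenerated
            EventID     = $e.EventID
            User        = $user
            Workstation = $ws
        }
    }
}

# 1. Amateur litmus test: is there anything in the log at all?
$entries = Get-EventLog -LogName Security -Newest 5000 |
           Where-Object { $FailureIds -contains $_.EventID }
if (-not $entries) {
    Write-Warning 'No logon-failure events in the Security log. Check that "Audit logon events" and "Audit account logon events" are set to audit Failure.'
    return
}

# 2. Which workstations are the bad passwords coming from, and which
#    accounts are being hammered?
$summary = @(Get-LogonFailureSummary -Entries $entries)
Write-Host 'Failed logons per workstation:'
$summary | Group-Object Workstation | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize
Write-Host 'Failed logons per account:'
$summary | Group-Object User | Sort-Object Count -Descending | Format-Table Count, Name -AutoSize

# 3. Nobody legitimate should ever touch the decoy, so any hit is worth a look.
$decoyHits = @($summary | Where-Object { $_.User -eq $DecoyName })
if ($decoyHits.Count -gt 0) {
    $from = ($decoyHits | ForEach-Object { $_.Workstation } | Sort-Object -Unique) -join ', '
    Write-Warning "$($decoyHits.Count) attempt(s) against the decoy '$DecoyName' from: $from"
}

# 4. The other half of the fix: the logon box must not reveal the last user.
#    Windows honours either the legacy Winlogon value or the policy value.
$winlogon = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
$policy   = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System' -ErrorAction SilentlyContinue
if ($winlogon.DontDisplayLastUserName -eq 1 -or $policy.DontDisplayLastUserName -eq 1) {
    Write-Host 'DontDisplayLastUserName is set.'
} else {
    Write-Warning 'DontDisplayLastUserName is not set; the logon box still shows the last user name.'
}
```

The per-workstation table is the one that settles the university problem: a single machine producing dozens of 529 events against other people's accounts is a prankster, not a forgotten password. Keep in mind that 529 is also raised by mistyped passwords, so look at the count and the spread of target accounts, not at a single event.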
Tip: For the Boss. If I were the boss I would have a meeting
with my network manager and ask to see the security log options.
Just asking for this information will jog the network manager's
memory. The hidden message is that even the techies' actions are
accountable. If the network manager is honourable then they will
have nothing to fear. If they are a rogue, then okay, they can
get around it by deleting the log, but that in itself would be
suspicious (clearing the audit log writes its own event, ID 517 on
Windows Server 2003, which is hard to explain away).
Guy's Challenge - Download this free device backup utility (CatTools)
CatTools is a free program for backing up configuration settings on
hardware devices. Here is Guy's challenge. If you
download CatTools, then it will not only take care of backups, but
also it will show you something new about the hardware on your
network. I could give you a money back guarantee - but CatTools is
already free! Thus, I just make a techie to techie challenge: you
will learn more about your network if you:
Over 40 of Guy's litmus tests. Have fun while you learn about aspects
of computing. Stacks of ideas to check your servers, networks and
security.
Your eBook has printer friendly pages and lots more screen shots.
Litmus Tests
Guy's Litmus test is a concept that you can apply anywhere. Each test gives you
an instant answer to the simple question:- 'Are you dealing with a professional,
or are they an amateur? Is this the real deal, or is it a turkey?' The Litmus
Test concept is rather like Best Practice, but it reduces a 27 page report to
one sentence.