Guy's top ten tips for Windows Server 2003 Security
Take as your mantra: 'Prevention is better than cure'. It is more fun
configuring the system to prevent security breaches than implementing disaster
recovery plans.
1) Administrator Account - needs renaming
If hackers do not know the name, then they cannot start guessing the
password. Choose a name which blends in with the other users. You
could even create a dummy Administrator account with no rights. Audit the
account and see what happens.
Master the Security Configuration and Analysis Snap-in
Use the Templates to check the available security settings for different
levels of security e.g. HISECDC - High security settings for a domain
controller.
2) Certificates
Take the time to check out the variety of roles where certificates can
improve security, for example EFS, L2TP and email. Develop a policy and a
strategy for certificates; for example, set up your Active Directory certificate
authority to be a subordinate of VeriSign.
3) Check the Security Logs
It is no use having a marvellous security system if you do not check to see
what is happening. Get to know the significant Security events such as
IDs 675 and 680.
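As an added example (not from the original article), the Python sketch below shows one way to review events 675 (Kerberos pre-authentication failed) and 680 (NTLM credential validation) for password guessing, and for any use of the dummy Administrator account from tip 1. The export layout, the sample records, the threshold of 3 and the function names are assumptions made for illustration.

```python
import csv
import io
import re
from collections import Counter

# Constructed sample export (time,event_id,description); all values illustrative.
SAMPLE = '''\
2004-03-01 09:00:01,675,"Pre-authentication failed: User Name: jsmith Failure Code: 0x18 Client Address: 10.0.0.23"
2004-03-01 09:00:04,680,"Logon account: jsmith Source Workstation: WS23 Error Code: 0xC000006A"
2004-03-01 09:00:09,680,"Logon account: jsmith Source Workstation: WS23 Error Code: 0xC000006A"
2004-03-01 09:01:30,680,"Logon account: jsmith Source Workstation: WS23 Error Code: 0x0"
2004-03-01 11:15:42,680,"Logon account: Administrator Source Workstation: KIOSK7 Error Code: 0xC000006A"
2004-03-01 11:15:50,675,"Pre-authentication failed: User Name: Administrator Failure Code: 0x18 Client Address: 10.0.0.99"
2004-03-01 13:02:11,680,"Logon account: mbrown Source Workstation: WS11 Error Code: 0xC000006A"
2004-03-01 13:05:00,528,"Successful Logon: User Name: mbrown Logon Type: 2"
'''

# Event 675: Kerberos pre-authentication failed (always a failure).
KRB = re.compile(r"User Name:\s*(\S+).*?Client Address:\s*(\S+)")
# Event 680: NTLM credential validation; Error Code 0x0 means success.
NTLM = re.compile(r"Logon account:\s*(\S+).*?Source Workstation:\s*(\S+).*?Error Code:\s*(\S+)")


def failed_logons(export_text):
    """Return (account, source) pairs for failed 675 and 680 events."""
    failures = []
    for row in csv.reader(io.StringIO(export_text)):
        if len(row) != 3:
            continue  # skip blank or malformed lines
        _, event_id, text = row
        if event_id == "675" and (m := KRB.search(text)):
            failures.append((m.group(1), m.group(2)))
        elif event_id == "680" and (m := NTLM.search(text)):
            if int(m.group(3), 16) != 0:
                failures.append((m.group(1), m.group(2)))
    return failures


def review(export_text, decoy="Administrator", threshold=3):
    """Flag accounts at or over the failure threshold and any use of the decoy."""
    failures = failed_logons(export_text)
    counts = Counter(acct.lower() for acct, _ in failures)
    return {
        "guessing": sorted(a for a, n in counts.items() if n >= threshold),
        "decoy_hits": sorted({src for acct, src in failures if acct.lower() == decoy.lower()}),
    }


if __name__ == "__main__":
    print(review(SAMPLE))
```

Any entry under `decoy_hits` deserves attention regardless of the threshold, because no legitimate user should be trying the dummy account.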
4) EFS on Laptops
Equip your laptops with EFS; this will prevent people stealing the files
through a parallel installation. However, it will not provide protection if
the thief can guess the user's password. If you do use EFS, take the time
to practice with the recovery agent. You will find that you have to back up
the data and restore it on the server with the recovery agent's certificate.
5) Make the Run As command your friend
Always log on with your ordinary humble account, and when you want
administrative privileges, instead of logging off - which is a pain - use Run
As. You can even modify shortcuts to Run As another user.
6) L2TP for your VPNs, not PPTP.
It seems that PPTP is a favourite choice for hackers, so configure the
clients to use L2TP. However, the certificates are awkward to set up, so
take care with the instructions.
7) Lock up your Root Servers
Do not neglect physical security, particularly for the servers in your root
domain. Think of the disaster if there was only one root server and it was
stolen.
8) Services that you do not use?
If there are any services that you are not using, then make sure they are
disabled. Do you need IIS, FTP or Telnet on the server? Should
clients run VB or Java scripting engines or macros?
9) User education
User support and acceptance for your security initiatives will be your unseen
friend. Foster goodwill by explaining why account security is so
important. Reinforce the message with horror stories from other companies.
10) Which service packs do you have?
Back to basics, remember to check for the latest security hot-fixes.
Several of these hot-fixes have prevented virus attacks which have crippled
competitors.