Guy's top ten tips for Windows Server 2003 Security
Take as your mantra: 'Prevention is better than cure'. It is more fun
configuring the system to prevent security breaches than implementing disaster
recovery plans.
1) Administrator Account - Needs Renaming
If hackers do not know the name, then they cannot start guessing the
password. Choose a name which blends in with the other users. You
could even create a dummy Administrator account with no rights. Audit the
account and see what happens.
Master the Security Configuration and Analysis Snap-in
Use the Templates to check the available security settings for different
levels of security e.g. HISECDC - High security settings for a domain
controller.
Take the time to check out the variety of roles where certificates can
improve security, for example EFS, L2TP and email. Develop a policy and a
strategy for certificates; for example, set up your Active Directory certificate
authority to be a subordinate of VeriSign.
3) Check the Security Logs
It is no use having a marvellous security system if you do not check to see
what is happening. Get to know the significant Security events such as
IDs 675 and 680.
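An added example (not from the original page) that ties tip 3 to the dummy Administrator account in tip 1: it reviews an exported Security log for events 675 (Kerberos pre-authentication failed) and 680 (NTLM logon attempt), reports every attempt against the decoy account, and lists accounts with repeated failures. The CSV layout, account names, source names and the threshold are assumptions made for this example.

```python
import csv
import io
from collections import Counter

# Constructed sample: a simplified CSV export of the Security log.
# Column names, accounts and sources are assumptions for this example.
SAMPLE_EXPORT = """\
time,event_id,audit_type,account,source
2004-03-01 08:01:10,680,Success,jsmith,WS-014
2004-03-01 08:02:41,675,Failure,Administrator,10.0.0.57
2004-03-01 08:02:43,675,Failure,Administrator,10.0.0.57
2004-03-01 08:02:44,680,Failure,Administrator,WS-099
2004-03-01 08:05:12,675,Failure,mjones,10.0.0.23
2004-03-01 08:05:30,680,Success,mjones,WS-023
2004-03-01 08:09:02,675,Failure,kbrown,10.0.0.57
2004-03-01 08:09:03,675,Failure,kbrown,10.0.0.57
2004-03-01 08:09:05,675,Failure,kbrown,10.0.0.57
"""

WATCHED_IDS = {"675", "680"}     # the event IDs named in tip 3
DECOY_ACCOUNT = "administrator"  # dummy account from tip 1 (no rights, audited)
FAILURE_THRESHOLD = 3            # assumed cut-off; tune to your environment


def review_security_log(export_text, decoy=DECOY_ACCOUNT, threshold=FAILURE_THRESHOLD):
    """Return (decoy_hits, noisy_accounts) from a CSV export of the Security log."""
    failures = Counter()
    decoy_hits = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["event_id"] not in WATCHED_IDS:
            continue
        account = row["account"].strip().lower()
        # Nobody legitimate uses the decoy, so any attempt (even a success) matters.
        if account == decoy:
            decoy_hits.append((row["time"], row["event_id"], row["source"]))
        elif row["audit_type"] == "Failure":
            failures[account] += 1
    noisy = {acct: n for acct, n in failures.items() if n >= threshold}
    return decoy_hits, noisy


if __name__ == "__main__":
    hits, noisy = review_security_log(SAMPLE_EXPORT)
    for when, event_id, source in hits:
        print(f"DECOY  {when} event {event_id} from {source}")
    for acct, count in sorted(noisy.items()):
        print(f"FAILS  {acct}: {count} failed logon events")
```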
4) EFS on Laptops
Equip your laptops with EFS; this will prevent people stealing the files
through a parallel installation. However, it will not provide protection if
the thief can guess the user's password. If you do use EFS, take the time
to practice with the recovery agent. You will find that you have to back up
the data and restore it on the server with the recovery agent's certificate.
5) Make the Run As command your friend
Always log on with your ordinary humble account, and when you want
administrative privileges, instead of logging off - which is a pain - use Run
As. You can even modify shortcuts to Run As another user.
6) L2TP for your VPNs, not PPTP
It seems that PPTP is a favourite choice for hackers, so configure the
clients to use L2TP. However, the certificates are awkward to set up, so
take care with the instructions.
7) Lock up your Root Servers
Do not neglect physical security, particularly for the servers in your root
domain. Think of the disaster if there was only one root server and it was
stolen.
8) Services that you do not use?
If there are any services that you are not using, then make sure they are
disabled. Do you need IIS, FTP or Telnet on the server? Should
clients run VB or Java scripting engines or macros?
9) User education
User support and acceptance for your security initiatives will be your unseen
friend. Foster goodwill by explaining why account security is so
important. Reinforce the message with horror stories from other companies.
10) Which service packs do you have?
Back to basics, remember to check for the latest security hot-fixes.
Several of these hot-fixes have prevented virus attacks which have crippled
competitors.