Guy’s top ten tips for Windows Server 2003 Security
Take as your mantra: ‘Preventions is better than cure’. It is more fun configuring the system to prevent security breaches than implementing disaster recovery plans.
1) Administrators Account – Needs Renaming
If hackers do not know the name, then they cannot start guessing the password. Choose a name which blends in with the other users. You could even create a dummy Administrator account with no rights. Audit the account and see what happens.
Master the Security Configuration and Analysis Snap-in
Use the Templates to check the available security settings for different levels of security e.g. HISECDC – High security settings for a domain controller.
Guy Recommends 3 Free Active Directory Tools
SolarWinds have produced three Active Directory add-ons. These free utilities have been approved by Microsoft, and will help to manage your domain by:
- Seeking and zapping unwanted user accounts.
- Finding inactive computers.
- Bulk-importing new users. Give this AD utility a try, it’s free!
Download your FREE Active Directory administration tools.
2) Certificates
Take the time to check out the variety of roles where certificates can improve security, examples: EFS, L2TP, and email. Develop a policy and a strategy for certificates, for example set up your Active Directory certificate authority to be a subordinate of VeriSign.
3) Check the Security Logs
It is no use having a marvellous security system if you do not check to see what is happening. Get to know the significant Security events such as ID’s 675 and 680.
4) EFS on Laptops
Equip your laptops with EFS, this will prevent people stealing the files through a parallel installation. However it will not provide protection if the thief can guess the user’s password. If you do you EFS take the time to practice with the recovery agent. You will find that you have to backup the data and restore it on the server with the recovery agent’s certificate.
5) Make the Run As command your friend
Always logon with your ordinary humble account, and when you want administrative privileges, instead of logging off – which is a pain – use Run As. You can even modify shortcuts to Run As another user.
6) L2TP for your VPN’s not PPTP
It seems that PPTP is a favourite choice for hackers, so configure the clients to use L2TP. However the certificates are awkward to set up, so take care with the instructions.
7) Lockup your Root Servers
Do not neglect physical security, particularly for the servers in your root domain. Think of the disaster if there was only one root server and it was stolen.
8) Services that you do not use?
If there are any services that you are not using, then make sure they are disabled. Do you need IIS, FTP or Telnet on the server? Should clients run VB or java scripting engines or macros?
9) User education
User support and acceptance for your security initiatives will be your unseen friend. Foster goodwill by explaining why account security is so important. Reinforce the message with horror stories from other companies.
10) Which service packs do you have?
Back to basics, remember to check for the latest security hot-fixes. Several of these hot-fixes have prevented virus attacks which have crippled competitors.
Guy’s Challenge – Download this free device backup utility
(CatTools)
Kiwi CatTools is a free program for backing up configuration settings on hardware devices. Here is Guy’s challenge. If you download CatTools, then it will not only take care of backups, but also it will show you something new about the hardware on you network. I could give you a money back guarantee – but CatTools is already free! Thus, I just make a techie to techie challenge, you will learn more about your network if you:
Download your free Kiwi CatTools configuration backup tools
If you like this page then please share it with your friends
Related topics
• Accounts • Auditing • IPSec • Kerberos Tickets • Windows RIS Server
