Network + AD = Tighten Security

[Guest]

We are trying to tighten up our security here and was wondering what else could be done through AD besides:
1. Workstation lock down after idle for 20 min
2. We changed our password policy to include a lower threshold, lower lockout and password complexity
3. We changed our Administrator passwords
4. We've added all updates and patches.

Is there anything else we can add? We are a small biz with about 55 users.

Thanks all!

 

[Oli Restorick [MVP]]

Are you using Software Update Services? Although you may have applied all
current patches, as time goes on it's very easy to slip into not installing
them. Deploying patches by hand is no fun at all.

http://www.microsoft.com/windowsserversystem/sus/default.mspx

I'll chuck a question back to you now. What do you see as the biggest
threat to the security and smooth-running of your network?

One practice I always recommend is to never log into users' workstations
using a domain administrator level account.

Regards

Oli

 

[Scott Harding - MS MVP]

These are considered the typical lock down procedures.


http://www.cisecurity.org/ - have a look at the benchmark area.

http://www.nsa.gov/snac/downloads_all.cfm?MenuID=scg10.3.1 - more here....
--
Scott Harding
MCSE, MCSA, A+, Network+
Microsoft MVP - Windows NT Server

We are trying to tighten up our security here and was wondering what else

could be done through AD besides:

1. Workstation lock down after idle for 20 min
2. We changed our password policy to include a lower threshold, lower

lockout and password complexity

 

[Steven L Umbach]

Well there is a lot that can be done depending on how you want to balance security
and functionality.

I would be careful about setting your lockout threshold too low. MS recommends
minimum of ten which will protect your network fine with complex passwords. In
addition I would enable auditing of logon events on the domain controller and any
servers being sure to increase the default log size substantially. If at all possible
do not let users be local administrators on their machines nor power users and the
default ntfs permissions on the root/drive folder is too permissive in W2K where you
want the everyone group to have no more than read/list/execute. keep in mind that
newly created shares will give everyone full control which you want to usually
change. Assuming internet access I would also look into configuring the web content
zones of your users to have minimum settings and taking advantage of the trusted web
content zone to place "authorized" sites that are know to be safe. Of course you will
have to prevent users from having access to IE settings to undo what you have done.
There is a setting in IE/advance to disable on demand install of third party addons
which I would disable, though I do not know of a way to do that through GP
unfortunately. If you do not want users to install unauthorized software it will help
to enter setup.exe and install.exe to the list of disallowed Windows applications in
user configuration/administrative templates/system. A firewall with a default block
all outbound rule and then the allowed exceptions can keep users from running
unauthorized internet programs such as chat and file swapping. Also keep in mind that
a malicious user can reset the local administrator password if they are able to boot
their computer from a cdrom, floppy, or other device. Therefore you will want to
configure the computers to boot only from the hard drive and password protect the
cmos settings and have locking computer cases if posible to prevent them from
resetting the cmos via jumper. If you do not need usb [pen drives]then diable that in
cmos and use GP to diable autorun of cdroms. The domain controller must be physically
secured to some degree even it is just a real heavy duty case with access to ports
and drives blocked. You should also run Microsoft Baseline Security Analyzer at least
on your domain controller and other servers. For instance in a default install of any
W2K server IIS is enabled which should be disabled or unistalled if not needed. That
should give you a good start.--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://mvps.org/winhelp2002/unwanted.htm -- tips on securing IE settings.
http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.mspx --- more
advanced security options.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

 

[Tim]

Dear Steve,

The Enter key can be used to break up long sentences into things called
paragraphs.

For us mortals, it improves readability enormously and assists us in
comprehending your valuable contributions.

Regards...
- Tim

Well there is a lot that can be done depending on how you want to balance security
and functionality.

I would be careful about setting your lockout threshold too low. MS recommends
minimum of ten which will protect your network fine with complex passwords. In
addition I would enable auditing of logon events on the domain controller and any
servers being sure to increase the default log size substantially. If at all possible
do not let users be local administrators on their machines nor power users and the
default ntfs permissions on the root/drive folder is too permissive in W2K where you
want the everyone group to have no more than read/list/execute. keep in mind that
newly created shares will give everyone full control which you want to usually
change. Assuming internet access I would also look into configuring the web content
zones of your users to have minimum settings and taking advantage of the trusted web
content zone to place "authorized" sites that are know to be safe. Of course you will
have to prevent users from having access to IE settings to undo what you have done.
There is a setting in IE/advance to disable on demand install of third party addons
which I would disable, though I do not know of a way to do that through GP
unfortunately. If you do not want users to install unauthorized software it will help
to enter setup.exe and install.exe to the list of disallowed Windows applications in
user configuration/administrative templates/system. A firewall with a default block
all outbound rule and then the allowed exceptions can keep users from running
unauthorized internet programs such as chat and file swapping. Also keep in mind that
a malicious user can reset the local administrator password if they are able to boot
their computer from a cdrom, floppy, or other device. Therefore you will want to
configure the computers to boot only from the hard drive and password protect the
cmos settings and have locking computer cases if posible to prevent them from
resetting the cmos via jumper. If you do not need usb [pen drives]then diable that in
cmos and use GP to diable autorun of cdroms. The domain controller must be physically
secured to some degree even it is just a real heavy duty case with access to ports
and drives blocked. You should also run Microsoft Baseline Security Analyzer at least
on your domain controller and other servers. For instance in a default install of any
W2K server IIS is enabled which should be disabled or unistalled if not needed. That
should give you a good start.--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://mvps.org/winhelp2002/unwanted.htm -- tips on securing IE settings.

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.
mspx --- more

 

[Steven L Umbach]

Thanks Tim.

Sometimes I get carried away. Sorry. --- Steve

Dear Steve,

The Enter key can be used to break up long sentences into things called
paragraphs.

For us mortals, it improves readability enormously and assists us in
comprehending your valuable contributions.

Regards...
- Tim

Well there is a lot that can be done depending on how you want to balance security
and functionality.

I would be careful about setting your lockout threshold too low. MS recommends
minimum of ten which will protect your network fine with complex passwords. In
addition I would enable auditing of logon events on the domain controller and any
servers being sure to increase the default log size substantially. If at all possible
do not let users be local administrators on their machines nor power users and the
default ntfs permissions on the root/drive folder is too permissive in W2K where you
want the everyone group to have no more than read/list/execute. keep in mind that
newly created shares will give everyone full control which you want to usually
change. Assuming internet access I would also look into configuring the web content
zones of your users to have minimum settings and taking advantage of the trusted web
content zone to place "authorized" sites that are know to be safe. Of course you will
have to prevent users from having access to IE settings to undo what you have done.
There is a setting in IE/advance to disable on demand install of third party addons
which I would disable, though I do not know of a way to do that through GP
unfortunately. If you do not want users to install unauthorized software it will help
to enter setup.exe and install.exe to the list of disallowed Windows applications in
user configuration/administrative templates/system. A firewall with a default block
all outbound rule and then the allowed exceptions can keep users from running
unauthorized internet programs such as chat and file swapping. Also keep in mind that
a malicious user can reset the local administrator password if they are able to boot
their computer from a cdrom, floppy, or other device. Therefore you will want to
configure the computers to boot only from the hard drive and password protect the
cmos settings and have locking computer cases if posible to prevent them from
resetting the cmos via jumper. If you do not need usb [pen drives]then diable that in
cmos and use GP to diable autorun of cdroms. The domain controller must be physically
secured to some degree even it is just a real heavy duty case with access to ports
and drives blocked. You should also run Microsoft Baseline Security Analyzer at least
on your domain controller and other servers. For instance in a default install of any
W2K server IIS is enabled which should be disabled or unistalled if not needed. That
should give you a good start.--- Steve

http://support.microsoft.com/default.aspx?scid=kb;en-us;323525
http://mvps.org/winhelp2002/unwanted.htm -- tips on securing IE settings.

http://www.microsoft.com/technet/Security/prodtech/win2000/win2khg/05sconfg.
mspx --- more

advanced security options.
http://www.microsoft.com/technet/security/tools/mbsahome.mspx

else could be
done through AD besides: lockout and
password complexity