Basic Security Help



Eddie
07-09-2005, 10:53 PM
I have a Windows 2003 single domain in native mode. All of my workstations
are Windows 2000 Pro or XP Pro. All of my Windows servers are 2003. I want to
lock down security but I am afraid of causing problems. Any articles I can
read? Also any advice would be great.

Alan Edwards
07-09-2005, 10:53 PM
Recommended Minimal Security Settings
http://mvps.org/winhelp2002/restricted.htm#Setting

....Alan

--
Alan Edwards, MS MVP W95/98 Systems
http://dts-l.org/index.html


Steven L Umbach
07-09-2005, 10:53 PM
There are plenty of great articles as shown in the links below. The main
things that you can do to start are the following, many of which are common
sense items that need to be implemented and used. By far the biggest risk to
a network is weak or no passwords followed by a malicious user on your
network.

-- Use password policy to enforce strong passwords in the domain by enabling
password complexity and using passwords no less than seven characters in
length. Be sure to educate users of any pending changes to password policy
and get users to think of pass phrases instead of passwords.

-- Be sure that computers are kept current with critical security updates from
Windows Updates or using a SUS server to authorize and distribute security
updates which can be done automatically with Automatic Updates.

-- Have virus protection on all of your computers that also is kept current
with virus definitions, scans all emails, and does scheduled full system
virus scans.

-- Modify the user rights for access this computer from the network to
restrict which users/groups can access a computer for file and print
sharing. Be careful using the deny access to this computer from the network
as it overrides the allow user right and remember that administrators are
also in the users/everyone group.

-- Have an action plan now for what to do if you discover viruses on your
network including how to isolate and repair infected computers. The free
Antivirus in Depth Guide available at the TechNet Security Center can help
you plan such.

-- Use a firewall at the perimeter to protect your network computers and
periodically scan it from the outside to make sure it is doing its job as
configured. The free self scan sites such as http://scan.sygatetech.com/ can
be of help.

-- Make sure that the number of domain administrators is kept to a minimum
of qualified and trustworthy people and that regular domain users are not
also "local" administrators unless you have a compelling business reason for
such. Never allow any domain user to share user accounts or passwords.

-- Windows 2003 should already have auditing enabled by default in Domain
Controller Security Policy. Be sure to check the security logs periodically
looking for unauthorized account management events and suspicious failed
logon attempts.

-- Never log on to a domain workstation computer that is not a secure admin
workstation as a domain administrator as you risk capture of your
credentials or their exploitation by malware/hacker.

-- Disable non essential services on domain computers. Use the Microsoft
Baseline Security Analyzer to help with such as it can scan your network
computers and also report other vulnerabilities such as missing critical
security updates.

-- Physically protect to some degree your domain controllers and any other
critical domain computers with sensitive information.

-- Don't underestimate the impact of social engineering on network security.
Helpful users often gladly give access or passwords to those that ask for
such nicely posing to be part of the IT staff or a big boss. Training,
strict procedures, and awareness are the best defense against such.

-- Don't tolerate unauthorized computers or Wireless Access Points on your
network that may be poorly secured or even infected with malware. This
mainly can be employee laptops. Have a written computer use policy that the
employee/user signs and understands the consequences.

-- Use Group and security policy to uniformly manage security and
configuration of your domain computers. One good example would be to force
computers to lock their desktop after a period of idle time. The free Group
Policy Management Console can make that task much easier.

-- Backups are a must part of securing a network. For domain controllers be
sure to back up the "System State" on a regular basis as that is where your
Group Policy and other Active Directory objects such as users, groups, and
computers are stored. Have a disaster recovery plan and try it out sometime
on a test network so that you know what to do if the real deal happens.

-- If you want to try and change security policy settings such as security
options it is best to test out the changes on a test computer in a test
Organizational Unit.

That should be a start but maybe it is not what you expected. Securing a
network is much more than some registry tweaks and modifying ntfs
permissions. Be sure to read the Windows 2003 Server Security guide and the
Threats and Countermeasures Guide that are available at TechNet Security
Center. --- Steve

http://www.microsoft.com/technet/security/tools/mbsahome.mspx --- MBSA
http://www.microsoft.com/windowsserver2003/gpmc/default.mspx --- GPMC
http://www.microsoft.com/smallbusiness/support/computer-security.mspx --
Small business security guidance center
http://www.microsoft.com/technet/security/default.mspx --- TechNet Security
Center
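The periodic security-log review recommended in the post above (unauthorized account management events and suspicious failed logon attempts), as an added example that is not part of the original thread. It assumes the Security log has been exported to CSV; the column names, sample rows, approved-operator list and thresholds are constructed for illustration, and the event IDs are the Windows Server 2003-era ones.

```python
import csv
import io
from collections import defaultdict
from datetime import datetime, timedelta

# Windows Server 2003-era Security log event IDs (later Windows versions renumbered them).
FAILED_LOGON_IDS = {529: "bad user name or password",
                    675: "Kerberos pre-authentication failed"}
ACCOUNT_MGMT_IDS = {624: "user account created",
                    628: "user account password set",
                    632: "member added to global group",
                    636: "member added to local group"}

# Constructed sample export (assumed columns): time, event ID, acting account,
# target account, source host.
SAMPLE_LOG = """\
time,event_id,actor,target,source
2005-07-09 02:10:01,529,-,administrator,WS-114
2005-07-09 02:10:04,529,-,administrator,WS-114
2005-07-09 02:10:09,529,-,admin,WS-114
2005-07-09 02:10:15,529,-,administrator,WS-114
2005-07-09 02:10:21,675,-,administrator,WS-114
2005-07-09 08:31:40,529,-,jsmith,WS-020
2005-07-09 08:32:05,528,jsmith,jsmith,WS-020
2005-07-09 09:15:00,624,helpdesk1,newhire1,DC01
2005-07-09 23:47:12,624,jsmith,svc_backup2,DC01
2005-07-09 23:47:30,632,jsmith,svc_backup2,DC01
"""


def parse_events(text):
    """Parse the CSV export into dicts with typed time and event_id, oldest first."""
    events = []
    for row in csv.DictReader(io.StringIO(text)):
        row["time"] = datetime.strptime(row["time"], "%Y-%m-%d %H:%M:%S")
        row["event_id"] = int(row["event_id"])
        events.append(row)
    return sorted(events, key=lambda e: e["time"])


def failed_logon_bursts(events, threshold=5, window=timedelta(minutes=5)):
    """Flag source hosts with at least `threshold` failed logons inside any `window`.

    A single mistyped password (WS-020 in the sample) stays below the threshold.
    """
    by_source = defaultdict(list)
    for e in events:
        if e["event_id"] in FAILED_LOGON_IDS:
            by_source[e["source"]].append(e)
    bursts = []
    for source, fails in by_source.items():
        start = worst = 0
        for end in range(len(fails)):
            # Slide the window start forward until it spans at most `window`.
            while fails[end]["time"] - fails[start]["time"] > window:
                start += 1
            worst = max(worst, end - start + 1)
        if worst >= threshold:
            bursts.append({"source": source, "max_in_window": worst,
                           "targets": sorted({f["target"] for f in fails})})
    return bursts


def unauthorized_account_changes(events, approved_operators):
    """Return account-management events performed by anyone not on the approved list."""
    return [{"time": e["time"], "actor": e["actor"], "target": e["target"],
             "what": ACCOUNT_MGMT_IDS[e["event_id"]]}
            for e in events
            if e["event_id"] in ACCOUNT_MGMT_IDS
            and e["actor"].lower() not in approved_operators]


if __name__ == "__main__":
    log = parse_events(SAMPLE_LOG)
    for b in failed_logon_bursts(log):
        print("failed-logon burst:", b)
    # "helpdesk1" is a hypothetical account allowed to manage users.
    for c in unauthorized_account_changes(log, {"helpdesk1"}):
        print("unapproved account change:", c)
```
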

Sjonia Harper [MSFT]
07-09-2005, 10:53 PM
Not sure of the size of your organization but here are some links to help you
out:
http://www.microsoft.com/smallbusiness/support/computer-security.mspx
http://www.microsoft.com/technet/security/default.mspx

--
This posting is provided "AS IS" with no warranties, and confers no rights.
Please do not send email directly to this alias as it is used for newsgroup
participation only.

Kymberley
07-09-2005, 10:53 PM
The info provided to 'eddie' sounds experienced & educated. I have a
question of my own. I did a dumb thing and I don't know how to "undo" it. I
set up a system password - and promptly forgot it - ; I also changed the
logon screen from "welcome" to the more secure logon screen using a username
and password. I have no idea how to get around it. Please help!!! Can you
help me? Can I reload my windows xp application cd and get around the login
password that way.?

Steven L Umbach
07-09-2005, 10:53 PM
It sounds like you are using XP but I am not sure if you are using XP Pro or
XP Home. I am not very familiar with XP Home but it is my understanding that
for XP Home you "might" be able to access the built in administrator account
by booting into safe mode and entering administrator for logon name and leave
the password blank. This of course assumes that the built in administrator
account has not been configured. Otherwise for XP Home and XP Pro there is a
free utility available on the internet that allows you to create a bootable
floppy or cdrom to reset the built in administrator account to allow you to
logon to your computer. See the link below for details and instructions. If
you reinstall your operating system as an "upgrade" install it will not fix
your problem and a fresh/new install would require you to reinstall all of
your applications and erase your data files that are on the same drive
partition as your operating system IF you format your hard drive during the
installation. If the instructions sound complicated to you try to find a
friend or family member that knows a bit about computers to help you. --
Steve

http://www.petri.co.il/forgot_administrator_password.htm
http://home.eunet.no/~pnordahl/ntpasswd/

Eddie
07-09-2005, 10:53 PM
thanks