A highly recommended best practice in securing Windows Servers is to stop unnecessary services and disable unused functionality. A brief checklist containing high-level definitions of tasks to be performed would help administrators reduce the attack surface of their servers. A typical checklist would include:

- Stopping and disabling all unnecessary services and applications
- Renaming the Administrator account
- Creating a new user account named Administrator with a complex password and disabling this new fake account
- Removing or disabling all unnecessary user accounts
- Delegating remaining user accounts based on the principle of least privilege
- Requiring strong authentication of users
- Performing regular operating system and application updates
- Installing/running protective software with the latest updates
- Documenting and verifying system configurations
- Checking logs on a regular basis (create a routine job)
- Removing nonessential executables
- For highly critical servers, using system integrity tools that monitor the system configuration and files for changes

And the list goes on depending on your environment and threat levels!
The WindowsNetworking team would like to wish all the best to system administrators out there. Have fun, guys!!!
How many caring parents would like to have the appropriate tools to manage their kids' online activities! With MS Windows Live Family Safety 2011, parents can manage which websites their children are allowed to visit, which programs they can run and for how long they can use the computer. The product records the children's online activity and has some cool administrative features, such as enforcing the same settings on several computers and viewing reports online without logging on to the child's PC. Windows Live Family Safety is part of Windows Live Essentials and runs on Windows Vista, Windows 7 and Windows Server 2008 R2. To download and read more about Windows Live Family Safety go here.
Managing outbound traffic has become crucial in detecting computer infections. Malware infects computers and then tries to send stolen data out to the perpetrators. Viruses seek to replicate themselves by sending packets to infect other computers. Users might run unapproved applications, which may result in the transmission of confidential data. It is therefore appropriate to review your Windows Server 2008 firewall rules, as these do not filter outbound traffic by default. This means that Windows Server allows all outbound traffic. On the other hand, Windows Server 2008 includes outbound filters for core networking services, which will give you a hand when enabling outbound filtering. The default outbound rules for basic network functionality cover DHCP traffic, DNS traffic, Group Policy, IGMP and IPv6. But take note that many other built-in Windows features fail when you enable outbound filtering. For instance, Windows Update will no longer be able to retrieve updates, and you need to create a specific outbound rule for it. Third-party applications might also stop communicating with the network, so it is recommended to test the environment before pushing these adjustments to your production machines.
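The sequence described above can be scripted with `netsh advfirewall`, the firewall command-line context in Windows Server 2008. This is an added example, not code from the original post; the backup path, the rule names and the choice of services and ports for the Windows Update rule are assumptions to validate on a test server.

```powershell
# Added example, not from the original post. Run elevated, on a test server first.
# Rule names and the backup path are placeholders chosen for this example.
$backup  = 'C:\fw-backup\pre-outbound-filtering.wfw'
$svchost = "$env:SystemRoot\System32\svchost.exe"

# 1. Export the current policy; roll back with: netsh advfirewall import <file>
New-Item -ItemType Directory -Path (Split-Path $backup) -Force | Out-Null
netsh advfirewall export $backup

# 2. Review what is already allowed outbound (the built-in core networking
#    rules for DHCP, DNS, Group Policy, IGMP and IPv6 show up here).
netsh advfirewall firewall show rule name=all dir=out

# 3. Add allow rules BEFORE changing the default action. Assumption: Windows
#    Update needs the wuauserv and BITS services to reach HTTP/HTTPS.
#    Arguments containing commas are quoted so PowerShell passes them intact.
foreach ($svc in 'wuauserv', 'bits') {
    netsh advfirewall firewall add rule "name=Out-Allow-WU-$svc" dir=out `
        action=allow "program=$svchost" "service=$svc" protocol=TCP `
        "remoteport=80,443"
}

# 4. Log dropped connections so anything else that breaks is visible.
netsh advfirewall set allprofiles logging droppedconnections enable

# 5. Switch the default outbound action to block on every profile
#    (inbound is set to block, which is the Windows default).
netsh advfirewall set allprofiles firewallpolicy "blockinbound,blockoutbound"

# 6. Confirm the policy, then trigger a Windows Update check and read the log.
netsh advfirewall show allprofiles firewallpolicy
```

Dropped connections are written to `%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log` by default; entries with the DROP action and a SEND direction identify applications that still need their own outbound rule.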
The RODC (Read-Only Domain Controller) in AD DS environments is designed specifically for the branch office scenario. The RODC receives authentication requests from branch office users and forwards them to a domain controller in the hub site for authentication. There are two configuration scenarios: one allows caching of branch office users' login credentials, and the other prevents the caching of this sensitive information. Allowing users to authenticate locally through the cache improves authentication time, especially if the connection between the branch office and the hub site is slow; however, this scenario introduces some security risks. If an organization implements an RODC because the trust level at a particular branch office is low, and that RODC is then compromised, the cached users' credentials can be exposed. From a recovery point of view, only the user accounts that had been cached on that RODC must have their passwords changed. The high-level steps to install an RODC are as follows:

1. Ensure that the forest functional level is Windows Server 2003 or higher.
2. If the forest has any DCs running Microsoft Windows Server 2003, run Adprep /rodcprep.
3. Ensure that at least one writable DC is running Windows Server 2008.
4. Install the RODC.

Writable domain controllers maintain a list of all cached credentials on individual RODCs.