TechSpot

How to make Server 2003 and Stations on Network more Secure

By gexamb
May 8, 2008
  1. Hello all.

    I need to prepare some kind of plan or steps in order to make a network more secure.

    Heres the setup: WinServer 2003 and about 20 stations connected through lan as a DNS network. Our internet service is DHCP with an ADSL modem/router but the network is Static. He have a main 16 port switch and a few 4 port switches that branch off the main switch. There are 2 network printers in this network as well.

    The stations are setup through our static domain and every station has the limited user profile and the administrator profile. There are network drives connected to each station, about an average of 6 drives.

    Our server is not connected to the internet. It is a standalone static networked server, but has access to the internet.

    Internet comes to the router/modem > main 16 port switch > one line branches off to the server and the other lines branch off to the stations.

    Now the question is how can I make our network more secure? make it harder for people trying to guess user id's and passwords? make it harder for people on internet to hack into the network? a possible double log in feature?

    BTW our only firewall is Windows Firewall, we don't really need hardware as we are not connected with the net.

    Any and all suggestions will be extremely appreciated. Thanks.
     
  2. jobeard

    jobeard TS Ambassador Posts: 13,446   +324

    (2) would normally allow ALL systems internet access, contradicting (1,3)

    UNLESS you configure a firewall to deny access to specific IP addresses (or address range), (1,3) can not be enforced.

    Please clarify!!
     
  3. gexamb

    gexamb TS Rookie Topic Starter Posts: 129

    1. when i say server not connected to net, i meant to say that the server has not been enabled to use internet services, remote assistance, and is not a web server. It just has internet access through a browser.

    2. is right.

    3. each station is configured the same as the server. it has internet access. and we have Norton AV corporate edition for the server and all stations.

    im sorry for the confusion. It was a LLOONNNGGG day yesterday at the office.
     
  4. jobeard

    jobeard TS Ambassador Posts: 13,446   +324

    it ok, we've all been there -- just needed to make sure we start on the same page! ;)

    Removal of IIS is a good thing as is Remote Assistance.

    Issue can be classified as
    1. Intrusions from unknown locations/users
    2. Undesirable hitch-hikers, like ActiveX or Email downloads
    3. and 'white-collar' breach of privacy or out right theft of data

    A router and even the lowly default windows firewall on all systems will close most cases of (1).
    VPN access is another topic altogether -- can be risky!

    (2) is always an on-going battle;
    a-Security Updates need to be enforced via the GPO policies.
    b-Never use the browser on the server unless absolutely necessary.
    c-Consider loading Firefox on ALL systems and making it the default browser. :)
    d-Get a good set of browser options and ensure they are used everywhere
    (eg Allow Singed ActiveX, deny unsigned).
    e-Get a copy of the hostfile from http://www.mvps.org/winhelp2002/hosts.htm and place it on ALL
    client systems -- make it read-only.
    f-Install an AV product, configure it to scan email, and
    g-schedule a full client HD scan
    every weekend.

    (3) can be an issue for data going out the back door; on someones laptop to visit
    a client, work at home, or even data copied to a USB thumb drive.
    Google for Locking down USB devices if this might be an issue for your company.

    Maybe over supper I'll come up with some more ....
     
  5. gexamb

    gexamb TS Rookie Topic Starter Posts: 129

    Thank you for all your help.

    You have given me a good outline of what I can do for our company. I appreciate it.

    The things you mentioned pretty much cover anyone or anything that might try to access the stations or server from the outside of the network or from the net.

    Now, what about from inside the network? How can I make our network more secure from the actual people using the stations. The user accounts are all set to restricted users except for the administrators of course. Our server is not set up to enforce specified user profiles other than the default WinServer 2003 profile. How can I create a user profile of my liking to be enforced on each station so that each station has the exact same permissions, abilities, and access to windows. I have it setup pretty tight on who has access to certain network drives and who doesn't.

    However, users can still login as an administrator when they logon as administrator on the station account with the same user password, not the domain account. Can I disable the stations from being logged on as admin under the station account? Because this pretty much gives the station admin rights on the computer for installing software, changing certain windows settings, etc as the user account signed on the domain restricts this ability.

    Can I implement a more secure way of logging on the station? One thing i thought of was changing passwords, but that will get too confusing and time consuming for the office employees and for me, I am the server admin BTW. Is there some kind of login feature where a user would have to enter their user id and password, and then have to enter some other specified password, something like an answer to a secret question, or the last four digits of their SS number?

    I dont mean to ask dumb questions, as this sounds like. The problem is my boss is paranoid and does not trust anyone. I dont know how he trusts me, lol. I appreciate the help you have given me. I hope to hear from you or anyone else that has some suggestions. Thanks.
     
  6. k.jacko

    k.jacko TS Rookie Posts: 743

    I assume your'e using active directory?
    If so, and this is what i've done with our win server 2003 domain and 50+ clients:
    Make sure every pc is logged into the 'domain' and no local user accounts are accessible by your users (why should they be?). Simply alter the password on all local 'admin' accounts and disable the local 'user' account so they can only log onto the domain and thus be policed by active directory. This can be done globally from AD, without the need for hopping from pc to pc.
    If they log onto the domain when using their pc, then you can set policy to have them renew their password every so many days, you can change the min. character length required for passwords, making them stronger and more secure.
    Use group policy to do clamp down on their activities on the pc.
    Do your users have software installed on their pc's or do they RDP into Terminal Services?
    Your setup sounds similar to ours, but i'd definitely get a decent hardware firewall. We use a Firebox Edge.
    Also, enable renumeration on each share, so that the users can only see the files/folders that they actually have permission to access.
    Hope this helps a little.
     
  7. jobeard

    jobeard TS Ambassador Posts: 13,446   +324

    Learn to use the DOMAIN Global Policies (hint: modify the Template versions)
    Bad idea.
    1. go around to every station and CHANGE the admin password immediately
    2. create a common DOMAIN user-id and give it Power User privs.
    The station user can still install, but not change the system or security settings.
    Only people who should have ADMIN PW are the admin staff and their manager.
    If others complain, then get it in writing that you can not be responsible for system
    security or operations as the environment would then be totally uncontrolled.
    NEVER USE SSN!!! There is a GPO for password complexity -- it (imo) ought to be used. There's another for password aging (ie after xx days the pw must be changed.
     
  8. gexamb

    gexamb TS Rookie Topic Starter Posts: 129

    Thanks for the replies.

    And yes k.jacko we are using AD and there are multiple programs installed on the stations: ex Photoshop, Acrobat, Dreamweaver, QuickBooks, FileMaker, etc, etc.

    The group policy was what I was trying to refer to, but forgot the name. Thanks.

    All of your suggestions were very helpful. I will make a plan/outline of all these things and present them. Thanks guys for all your help, I appreciate it.
     
Topic Status:
Not open for further replies.


Add New Comment

TechSpot Members
Login or sign up for free,
it takes about 30 seconds.
You may also...


Get complete access to the TechSpot community. Join thousands of technology enthusiasts that contribute and share knowledge in our forum. Get a private inbox, upload your own photo gallery and more.