• Status: Solved
  • Priority: Medium
  • Security: Public

Best Practices

I'm looking for a general list of "Best Practices" for administrating Microsoft networks and Exchange.


- Log settings
- How often logs should be viewed
- Security settings
- Profile settings
- User groups

Does anyone know of such a list? I know there are more detailed "Best Practices" lists for specific servers (IIS, Exchange, etc.), but I'm looking for something more general.

1 Solution
No, I don't know. But IMO the first best practice is to never run more than one MS application on a server, for two reasons. (1) MS OS history is embroidered in failures of applications and failures of handling multiple apps. (2) Security problem, uptime problem, and troubleshooting problem. Namely: if a server fails, is it due to one app failing or another; and if one app fails and causes the server to go down, do we really want to permit that to also break the other application?! IMO not if it can run standalone, so if it can run separately, then design the network to accommodate that. So separate eMail server from database server from internet server from firewall... etc.

One typical EM issue is size. Both size of EMs permitted on network and size of disk storage permitted to users for their EMs. What answer has become is that admins are more tolerant of increasing sizes (FTP anyone? Maybe no need); and of users who never care to delete anything. EM is in fact becoming a solution to some for remote storage solution that they cannot get on local file server.

I suppose much response could be on 3rd party add-ons for things like bad EMs, virus and worm control, but I don't read that into this question. I dunno, maybe you'll like this one:

MS MSC: http://www.microsoft.com/windows2000/technologies/management/mmc/default.asp
Ohhh- that is a spiky question. It will be up to you (or your company) ultimately to decide these things; however, you can read others' groundwork and see what will work for you. My company is rather large, and looking through the logs is not an option, yet someone on high in the company insisted that they be done daily. On our firewall no problem, easy- on NT it became daunting. We used a 3rd party tool from GFI- God I love them. S.E.L.M http://www.gfi.com/lanselm/
I was put in charge of doing much of what you're asking, and more. I don't have a website, but I read everything I could get. I recommend the "hacking exposed" series, not one page is bad in those: www.hackingexposed.com. Also: http://www.oreilly.com/catalog/incidentres/ a great book, boring but good.
My small list for this post is: (in no particular order of importance)
1- daily backups- tapes should be stored OFF-SITE
2- Anti-Virus software- E-mail servers should have one, and all PCs should have one, kept up to date
3- Firewalls- block everything coming in (deny any any), permit only what needs permitted (statically), 80 for these servers, port 21 for this one, port 1234 for these etc...- block outgoing ports as needed, otherwise allow all.
4- set NTFS permissions for sensitive or classified files/folders/shares
5- users are given the poweruser group, maximum; admins can install with "RunAs"
6- periodic password audits, signed off by the CEO, CIO. Passwords will be checked for strength, and then everyone is asked to reset theirs, and follow new guidelines if need be.
7- Review logs daily, both firewall and NT event logs of the DCs
8- use trusted 3rd party encryption on sensitive or classified data, be it on a disk, or over a DS3.

There are too many fine details to go into; that is a general sense of what I did. Security isn't a program, it's a process; this is going to take time to do correctly. In M$ 2k and XP I often go to the run line and type "secpol.msc" and mess with the preconfigured settings in there, real easy GUI to use, and it has some of the more popular settings that admins use to harden systems. I think you'll find it useful, but Google is your bestest friend.
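
One way to check a ruleset against item 3 of the list above (inbound "deny any any" with only static permits). This is an added example, not part of the original post; the rule format, the first-match evaluation order and the addresses are assumptions constructed for illustration.

```python
ANY = "any"

# Constructed sample ruleset; evaluated top-down, first match wins (assumption).
SAMPLE_RULES = [
    {"action": "permit", "dir": "in",  "dst": "192.0.2.10", "port": 80},
    {"action": "permit", "dir": "in",  "dst": "192.0.2.21", "port": 21},
    {"action": "permit", "dir": "in",  "dst": ANY,          "port": 1234},
    {"action": "deny",   "dir": "in",  "dst": ANY,          "port": ANY},
    {"action": "permit", "dir": "in",  "dst": "192.0.2.30", "port": 25},
    {"action": "permit", "dir": "out", "dst": ANY,          "port": ANY},
]


def matches(rule, direction, dst, port):
    return (rule["dir"] == direction
            and rule["dst"] in (ANY, dst)
            and rule["port"] in (ANY, port))


def decide(rules, direction, dst, port):
    """Return the action of the first matching rule, or None if none match."""
    for rule in rules:
        if matches(rule, direction, dst, port):
            return rule["action"]
    return None


def audit_inbound(rules):
    """Return findings for the inbound rules (positions count inbound rules only)."""
    findings = []
    inbound = [r for r in rules if r["dir"] == "in"]
    catch_all = None  # position of the first inbound "deny any any"
    for pos, rule in enumerate(inbound, start=1):
        is_any_any = rule["dst"] == ANY and rule["port"] == ANY
        if catch_all is not None:
            findings.append(f"rule {pos}: unreachable, shadowed by deny any any at rule {catch_all}")
        elif rule["action"] == "deny" and is_any_any:
            catch_all = pos
        elif rule["action"] == "permit" and ANY in (rule["dst"], rule["port"]):
            findings.append(f"rule {pos}: permit is not static (dst={rule['dst']}, port={rule['port']})")
    if catch_all is None:
        findings.append("no inbound deny any any: unmatched traffic is not explicitly blocked")
    return findings


if __name__ == "__main__":
    for finding in audit_inbound(SAMPLE_RULES):
        print(finding)
```

The port 25 permit in the sample sits below the catch-all deny, so `decide` returns `deny` for it even though the rule reads as a permit; the audit reports that rule as unreachable.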
YellowCurb (Author) Commented:
The third party tool GFI was very helpful.
