Best Practices

Posted on 2003-03-05
Medium Priority
Last Modified: 2013-12-04
I'm looking for a general list of "Best Practices" for administrating Microsoft networks and Exchange.


- Log settings
- How often logs should be viewed
- Security settings
- Profile settings
- User groups

Does anyone know of such a list?  I know there are more detailed "Best Practices" lists for specific servers (IIS, Exchange, etc.), but I'm looking for something more general.

Question by:YellowCurb

Expert Comment

ID: 8074491
No, I don't know. But IMO the first best practise is to never run more than one MS application on a server for two reasons. (1) MS OS history is embroidered in failures of applications and failures of handling multiple apps. (2) Security problem, uptime problem, and troubleshooting problem. Namely: If a server fails, is it due to one app failing or another; and - If one app fails and causes server to go down, do we really want to permit that to also break the other application?! IMO not if it can run standalone, so if it can run separately, then design network to accommodate that. So separate eMail server from database server from internet server from firewall... etc.

One typical EM issue is size. Both size of EMs permitted on network and size of disk storage permitted to users for their EMs. What answer has become is that admins are more tolerant of increasing sizes (FTP anyone? Maybe no need); and of users who never care to delete anything. EM is in fact becoming a solution to some for remote storage solution that they cannot get on local file server.

I suppose much response could be on 3rd party add-ons for things like bad EMs, virus and worm control, but I don't read that into this question. I dunno, Maybe you'll like this one:

MS MSC: http://www.microsoft.com/windows2000/technologies/management/mmc/default.asp

Accepted Solution

NEOsporin earned 150 total points
ID: 8077301
Ohhh- that is a spiky question. It will be up to you (or your company) ultimately to decide these things, however you can read others' groundwork, and see what will work for you. My company is rather large, and looking through the logs is not an option, yet, someone on high in the company insisted that they be done daily. On our firewall no problem, easy- on NT it became daunting. We used a 3rd party tool from GFI- God I love them. S.E.L.M http://www.gfi.com/lanselm/
I was put in charge of doing much of what you're asking, and more. I don't have a website, but I read everything I could get. I recommend the "hacking exposed" series, not one page is bad in those: www.hackingexposed.com Also: http://www.oreilly.com/catalog/incidentres/ a great book, boring but good.
My small list for this post is: (in no particular order of importance)
1- daily backups- tapes should be stored OFF-SITE
2- Anti-Virus software- E-mail servers should have one, and all PCs should have one, kept up to date
3- Firewalls- block everything coming in (deny any any), permit only what needs permitted (statically), 80 for these servers, port 21 for this one, port 1234 for these etc...- block outgoing ports as needed, otherwise allow all.
4- set NTFS permissions for sensitive or classified files/folders/shares
5- users are given the poweruser group, maximum, admins can install with "RunAs"
6- periodic password audits, signed off by the CEO, CIO. Passwords will be checked for strength, and then everyone is asked to reset theirs, and follow new guidelines if need be.
7- Review logs daily, both firewall and NT event logs of the DCs
8- use trusted 3rd party encryption on sensitive or classified data, be it on a disk, or over a DS3.

There are too many fine details to go into, that is a general sense of what I did. Security isn't a program, it's a process, this is going to take time to do correctly. In M$ 2k and XP I often go to the run line and type "secpol.msc" and mess with the preconfigured settings in there, real easy GUI to use, and has some of the more popular settings that admins use to harden systems. I think you'll find it useful, but google is your bestest friend.
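
Item 7 of the list above (daily review of the DCs' event logs), as an added example that is not part of the original post: a PowerShell triage pass that reduces a day of Security-log events to counts and repeated logon failures. It assumes a current Windows Server where `Get-WinEvent` and the 4xxx Security event IDs apply; the watched-event selection, the function names and the threshold of 10 are illustrative choices.

```powershell
# Added example, not from the original thread. Run elevated on (or against) a DC.
# Watched IDs are standard Security-log events; which ones to watch is an assumption.
$Watch = @{
    4625 = 'Failed logon'
    4740 = 'Account locked out'
    4720 = 'User account created'
    4728 = 'Member added to global group'
    4732 = 'Member added to local group'
    4756 = 'Member added to universal group'
    1102 = 'Audit log cleared'
}

function Get-EventField {
    param($Record, [string]$Name)
    # Named fields live under Event/EventData/Data in the event XML.
    $xml = [xml]$Record.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

function Get-DailySecuritySummary {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$Hours = 24,
        [int]$FailedLogonThreshold = 10   # assumed value, tune per site
    )
    $filter = @{
        LogName   = 'Security'
        Id        = [int[]]@($Watch.Keys)
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    try {
        $events = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop)
    } catch {
        # An empty result is normal; anything else (access denied, RPC) must surface.
        if ($_.FullyQualifiedErrorId -notlike 'NoMatchingEventsFound*') { throw }
        $events = @()
    }
    # Count of each watched event type in the window.
    $counts = $events | Group-Object Id | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{ EventId = [int]$_.Name; Meaning = $Watch[[int]$_.Name]; Count = $_.Count }
    }
    # Account/source pairs with enough failed logons to deserve a look.
    $noisy = $events | Where-Object { $_.Id -eq 4625 } | ForEach-Object {
        [pscustomobject]@{
            Account = Get-EventField $_ 'TargetUserName'
            Source  = Get-EventField $_ 'IpAddress'
        }
    } | Group-Object Account, Source | Where-Object { $_.Count -ge $FailedLogonThreshold } |
        Select-Object Name, Count
    [pscustomobject]@{ Since = $filter.StartTime; Counts = $counts; RepeatedFailures = $noisy }
}

$summary = Get-DailySecuritySummary
$summary.Counts | Format-Table -AutoSize
$summary.RepeatedFailures | Format-Table -AutoSize
```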

Author Comment

ID: 8113616
The third party tool GFI was very helpful.
