I need your help with brainstorming ideas:
I am considering writing an EE (go-to) article that outlines best practices for locking down WINDOWS domains. I can't think of every point and would certainly like to get feedback from you on what really works for you.
Any replies will be directly quoted, where you will be accredited and referenced from your input. Let's show these folks what EE can do for them.
For this article, I wish to leave out names of packaged software. Instead, I hope the reader researches the best software packages for his/her environment.
So far, these are the points I have brainstormed:
MAIN POINT: don't fall under the false impression that an antivirus package protects the user and administrator from getting infected.
1) You might consider looking for an all-inclusive package that has both Antivirus and Antispyware
2) look for an AV package that is user friendly and easy to configure for administrators
3) look for an AV package where the manufacturer provides good customer support and feedback
4) LOOK AT AN AV PACKAGE AS A BUFFER TO INCORPORATING GOOD IT PRACTICES FOR YOUR DOMAIN USERS AND ADMINISTRATORS.
5) Keep an open mind when administrators tell you that their solution is the best for you and expect IT experts to disagree about the best AV package available out there.
6) ask questions on how to best configure that AV package of your choosing for your domain.
7) look for an antivirus enterprise solution that is centrally managed
8) take some time to test, plan and design an IT security package that best suits your needs
-Consider a WSUS server that downloads and installs all critical security updates and service packs by default
-create group policies to manage your updates and how they install
-create group policies that will:
   1) prevent LM hashes in a Kerberos environment
   2) govern complex passwords
   3) disable autorun on all peripheral devices.
   4) prevent simple file sharing
   5) maybe software restriction policies
   6) control Windows updates
Educate the users and administrators of your LAN:
1) Create a website that explains the different threats and how they come about. You can model after an already existing web site, such as this:
2) consider a mandatory IT security course for users and administrators
   1) the differences between software and hardware/NAT firewalls
Outside access to within the domain: (This is a topic I could use some serious help in since I don't allow outside access to my domains)
1) securing outside access to inside the domain. Example: secure web access to mail services.
   1) preventing open relays
   2) Spam controls
Compliance monitoring and enforcement:
Example: Network Access Controls, Vulnerability scanners, and IT security awareness coursework monitoring.
1) Enterprise Vulnerability auditing tools (Free and commercial)
>>>Examples of these would be helpful<<<
2) MAC filtering for DHCP recipients
>>>More brainstorming can be done on this topic as well<<<
PLS REMEMBER THERE ARE NO WRONG ANSWERS AND YOU WILL BE CITED/ACKNOWLEDGED FOR YOUR INPUT.
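As an added example (not part of the original post or any product it mentions), here is a PowerShell audit that checks one host for the group-policy items in the list above: LM hash handling, complex passwords, autorun, and simple file sharing. It reads the relevant registry values and a secedit export; it assumes an elevated prompt on a Windows machine, and the minimum password length of 8 is an assumed baseline, not a value from the post.

```powershell
# Added example, not from the original post: audit one host for the
# group-policy items listed above. Assumes an elevated PowerShell prompt.

function Get-RegValue([string]$Path, [string]$Name) {
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }   # value absent = policy never applied to this host
}

function Get-SecPolValue([string[]]$Lines, [string]$Key) {
    # Pull "Key = <number>" out of the [System Access] section of a secedit export.
    $m = $Lines | Select-String -Pattern ('^' + $Key + '\s*=\s*(\d+)') | Select-Object -First 1
    if ($m) { [int]$m.Matches[0].Groups[1].Value } else { $null }
}

function Test-DomainHardening {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $exp = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'

    # Export the effective local security policy to an INF so password settings can be read.
    $cfg = Join-Path $env:TEMP 'secpol-audit.inf'
    secedit /export /cfg $cfg | Out-Null
    $pol = Get-Content $cfg
    Remove-Item $cfg -ErrorAction SilentlyContinue

    $checks = @(
        # 1) LM hash: NoLMHash=1 stops the weak LM hash being stored at the next password change;
        #    LmCompatibilityLevel=5 sends NTLMv2 only and refuses LM and NTLM responses.
        @{ Item = 'NoLMHash';              Expected = 1;   Actual = Get-RegValue $lsa 'NoLMHash' }
        @{ Item = 'LmCompatibilityLevel';  Expected = 5;   Actual = Get-RegValue $lsa 'LmCompatibilityLevel' }
        # 2) Complex passwords: complexity on, plus an assumed minimum length of 8.
        @{ Item = 'PasswordComplexity';    Expected = 1;   Actual = Get-SecPolValue $pol 'PasswordComplexity' }
        @{ Item = 'MinimumPasswordLength'; Expected = 8;   Actual = Get-SecPolValue $pol 'MinimumPasswordLength' }
        # 3) Autorun: NoDriveTypeAutoRun=255 (0xFF) disables autorun on every drive type.
        @{ Item = 'NoDriveTypeAutoRun';    Expected = 255; Actual = Get-RegValue $exp 'NoDriveTypeAutoRun' }
        # 4) Simple file sharing: ForceGuest=0 keeps the classic access model. Domain members
        #    already enforce this; the check matters for workgroup/XP-era hosts.
        @{ Item = 'ForceGuest';            Expected = 0;   Actual = Get-RegValue $lsa 'ForceGuest' }
    )

    foreach ($c in $checks) {
        # Minimum length is a floor; every other setting must match exactly. $null never passes.
        $ok = if ($c.Item -eq 'MinimumPasswordLength') { $c.Actual -ge $c.Expected }
              else { $c.Actual -eq $c.Expected }
        [pscustomobject]@{ Item = $c.Item; Expected = $c.Expected; Actual = $c.Actual; Pass = [bool]$ok }
    }
}

Test-DomainHardening | Format-Table -AutoSize
```

Any row with Pass = False is a setting the group policy in the list above has not reached on that host; run it from a logon script or a scheduled task to catch drift across the domain.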