?
Solved

Securing a stand-alone DC and file server

Posted on 2011-03-13
2
Medium Priority
?
476 Views
Last Modified: 2012-08-14
I'm configuring my first Windows Server 2008 R2 Standard.  This will be the one and only DC for this company and the only server.  The server will be used for a file server, it will control the virus protection for the computers (currently 10 computers) in the company.  The computers access to certain resources and drives will be controlled by the server but that is basically all it will be used for.  The computers accessing the server will be Windows XP SP3 and 1 laptop running Windows 7.  The reason for this post, is to find IT personnel that have had experience in this area and give me ideas or best pratices from experience to lock down this server.  For all I know maybe it is locked down pretty much all the way now, so any knowledge from anyone would be helpful.  Any questions will be answered that might help you help give me better insight.

Thanks in advance
0
Comment
Question by:Zantis
[X]
Welcome to Experts Exchange

Add your voice to the tech community where 5M+ people just like you are talking about what matters.

  • Help others & share knowledge
  • Earn cash & points
  • Learn & ask questions
2 Comments
 
LVL 96

Expert Comment

by:Lee W, MVP
ID: 35125419
2008 installs a minimal set of roles and features - you have to add the ones you want.  You then add the roles and features you want (pre-requesites should be noted and automatically installed). In general, if you create user accounts and assign them to the Domain Users group, they should have no access to the server other than for Authentication and file and printer sharing.

If this is the first time you are installing 2008 R2 as a domain controller, I suggest running through it a couple of times at least and playing a bit to learn it.  Then ask more specific questions.  THEN install it in production.  Either that, or hire a consultant to ensure it gets done right from the start.  (Often, setups are among the most complicated - once setup properly, maintenance is fairly easy, but if not setup properly, it can be expensive and a PITA to get it working as it should be).
0
 
LVL 9

Accepted Solution

by:
Chev_PCN earned 2000 total points
ID: 35126594
As this is a fairly limited environment, I would recommend not going too overboard ITO Security (unless your company is a sub-branch of the NSA. . .)
I would recommend putting the user data on a separate drive to the OS.
If you are using IIS for any reason, put the inetpub folder on the data drive as well.
I've attached a CIS benchmark doc that I've found useful. Don't apply everything - you may break stuff, and apply changes in small increments so that you can roll back if something does stop working.
Do you have an adequate backup system in place? With only one server, if there's a crash, then you need to have a way to recover everything.
Do the users access the internet? How does that work? (e.g. router / proxy?) That should be one of your primary focal points for security.
Good luck!


CIS-Windows-Server-2008-Benchmar.pdf
0

Featured Post

Get 15 Days FREE Full-Featured Trial

Benefit from a mission critical IT monitoring with Monitis Premium or get it FREE for your entry level monitoring needs.
-Over 200,000 users
-More than 300,000 websites monitored
-Used in 197 countries
-Recommended by 98% of users

Question has a verified solution.

If you are experiencing a similar issue, please ask a related question

Always backup Domain, SYSVOL etc.using processes according to Microsoft Best Practices. This is meant as a disaster recovery process for small environments that did not implement backup processes and did not run a secondary domain controller that ne…
Recently, Microsoft released a best-practice guide for securing Active Directory. It's a whopping 300+ pages long. Those of us tasked with securing our company’s databases and systems would, ideally, have time to devote to learning the ins and outs…
This tutorial will walk an individual through setting the global and backup job media overwrite and protection periods in Backup Exec 2012. Log onto the Backup Exec Central Administration Server. Examine the services. If all or most of them are stop…
This video shows how to use Hyena, from SystemTools Software, to update 100 user accounts from an external text file. View in 1080p for best video quality.
Suggested Courses
Course of the Month11 days, 10 hours left to enroll

752 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question