Solved

Securing a stand-alone DC and file server

Posted on 2011-03-13
2
455 Views
Last Modified: 2012-08-14
I'm configuring my first Windows Server 2008 R2 Standard.  This will be the one and only DC for this company and the only server.  The server will be used for a file server, it will control the virus protection for the computers (currently 10 computers) in the company.  The computers access to certain resources and drives will be controlled by the server but that is basically all it will be used for.  The computers accessing the server will be Windows XP SP3 and 1 laptop running Windows 7.  The reason for this post, is to find IT personnel that have had experience in this area and give me ideas or best pratices from experience to lock down this server.  For all I know maybe it is locked down pretty much all the way now, so any knowledge from anyone would be helpful.  Any questions will be answered that might help you help give me better insight.

Thanks in advance
0
Comment
Question by:Zantis
2 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
Comment Utility
2008 installs a minimal set of roles and features - you have to add the ones you want.  You then add the roles and features you want (pre-requesites should be noted and automatically installed). In general, if you create user accounts and assign them to the Domain Users group, they should have no access to the server other than for Authentication and file and printer sharing.

If this is the first time you are installing 2008 R2 as a domain controller, I suggest running through it a couple of times at least and playing a bit to learn it.  Then ask more specific questions.  THEN install it in production.  Either that, or hire a consultant to ensure it gets done right from the start.  (Often, setups are among the most complicated - once setup properly, maintenance is fairly easy, but if not setup properly, it can be expensive and a PITA to get it working as it should be).
0
 
LVL 9

Accepted Solution

by:
Chev_PCN earned 500 total points
Comment Utility
As this is a fairly limited environment, I would recommend not going too overboard ITO Security (unless your company is a sub-branch of the NSA. . .)
I would recommend putting the user data on a separate drive to the OS.
If you are using IIS for any reason, put the inetpub folder on the data drive as well.
I've attached a CIS benchmark doc that I've found useful. Don't apply everything - you may break stuff, and apply changes in small increments so that you can roll back if something does stop working.
Do you have an adequate backup system in place? With only one server, if there's a crash, then you need to have a way to recover everything.
Do the users access the internet? How does that work? (e.g. router / proxy?) That should be one of your primary focal points for security.
Good luck!


CIS-Windows-Server-2008-Benchmar.pdf
0

Featured Post

What Should I Do With This Threat Intelligence?

Are you wondering if you actually need threat intelligence? The answer is yes. We explain the basics for creating useful threat intelligence.

Join & Write a Comment

Scenario:  You do full backups to a internal hard drive in either product (SBS or Server 2008).  All goes well for a very long time.  One day, backups begin to fail with a message that the disk is full.  Your disk contains many, many more backups th…
I had a question today where the user wanted to know how to delete an SSL Certificate, so I thought that I would quickly add this How to! Article for your reference. WHY WOULD YOU WANT TO DELETE A CERTIFICATE? 1. If an incorrect certificate was …
This tutorial will walk an individual through configuring a drive on a Windows Server 2008 to perform shadow copies in order to quickly recover deleted files and folders. Click on Start and then select Computer to view the available drives on the se…
This tutorial will walk an individual through the steps necessary to install and configure the Windows Server Backup Utility. Directly connect an external storage device such as a USB drive, or CD\DVD burner: If the device is a USB drive, ensure i…

744 members asked questions and received personalized solutions in the past 7 days.

Join the community of 500,000 technology professionals and ask your questions.

Join & Ask a Question

Need Help in Real-Time?

Connect with top rated Experts

18 Experts available now in Live!

Get 1:1 Help Now