Solved

Securing a stand-alone DC and file server

Posted on 2011-03-13
Last Modified: 2012-08-14
I'm configuring my first Windows Server 2008 R2 Standard. This will be the one and only DC for this company and the only server. The server will be used as a file server, and it will control the virus protection for the computers (currently 10 computers) in the company. The computers' access to certain resources and drives will be controlled by the server, but that is basically all it will be used for. The computers accessing the server will be Windows XP SP3 and 1 laptop running Windows 7. The reason for this post is to find IT personnel who have had experience in this area and can give me ideas or best practices from experience to lock down this server. For all I know, maybe it is locked down pretty much all the way now, so any knowledge from anyone would be helpful. Any questions that might help you give me better insight will be answered.

Thanks in advance
Question by:Zantis
2 Comments
 
LVL 95

Expert Comment

by:Lee W, MVP
ID: 35125419
2008 installs a minimal set of roles and features - you have to add the ones you want. You then add the roles and features you want (prerequisites should be noted and automatically installed). In general, if you create user accounts and assign them to the Domain Users group, they should have no access to the server other than for authentication and file and printer sharing.

If this is the first time you are installing 2008 R2 as a domain controller, I suggest running through it a couple of times at least and playing a bit to learn it. Then ask more specific questions. THEN install it in production. Either that, or hire a consultant to ensure it gets done right from the start. (Often, setups are among the most complicated - once set up properly, maintenance is fairly easy, but if not set up properly, it can be expensive and a PITA to get it working as it should be.)
 
LVL 9

Accepted Solution

by:
Chev_PCN earned 500 total points
ID: 35126594
As this is a fairly limited environment, I would recommend not going too overboard ITO Security (unless your company is a sub-branch of the NSA. . .)
I would recommend putting the user data on a separate drive to the OS.
If you are using IIS for any reason, put the inetpub folder on the data drive as well.
I've attached a CIS benchmark doc that I've found useful. Don't apply everything - you may break stuff, and apply changes in small increments so that you can roll back if something does stop working.
Do you have an adequate backup system in place? With only one server, if there's a crash, then you need to have a way to recover everything.
Do the users access the internet? How does that work? (e.g. router / proxy?) That should be one of your primary focal points for security.
Good luck!


CIS-Windows-Server-2008-Benchmar.pdf
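
One way to follow the accepted answer's advice to apply benchmark settings in small increments with a way back, shown as an added example that is not part of the original thread. The function names, the `D:\PolicySnapshots` folder on the data drive and the snapshot labels are assumptions; it relies on `secedit` and the GroupPolicy module that ships with the GPMC on Windows Server 2008 R2.

```powershell
# Added example. Run from an elevated PowerShell prompt on the DC.
Import-Module GroupPolicy

function New-PolicySnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$Label,   # hypothetical label, e.g. "before-account-policy"
        [string]$Root = 'D:\PolicySnapshots'            # assumed folder on the data drive
    )
    $dir = Join-Path $Root ("{0:yyyyMMdd-HHmmss}_{1}" -f (Get-Date), $Label)
    New-Item -ItemType Directory -Path $dir -Force | Out-Null

    # Current security settings (account policy, user rights, security options).
    & secedit.exe /export /cfg (Join-Path $dir 'secpol.inf') /quiet
    if ($LASTEXITCODE -ne 0) { throw "secedit export failed with exit code $LASTEXITCODE" }

    # Every GPO in the domain, restorable later with Restore-GPO.
    Backup-GPO -All -Path $dir -Comment $Label | Out-Null
    return $dir
}

function Compare-PolicySnapshot {
    param(
        [Parameter(Mandatory = $true)][string]$Before,
        [Parameter(Mandatory = $true)][string]$After
    )
    $a = Get-Content (Join-Path $Before 'secpol.inf')
    $b = Get-Content (Join-Path $After  'secpol.inf')
    # '<=' lines existed only before the change, '=>' lines only after it.
    Compare-Object -ReferenceObject $a -DifferenceObject $b |
        Sort-Object InputObject |
        Format-Table SideIndicator, InputObject -AutoSize -Wrap
}

# One increment: snapshot, change a small group of settings, snapshot, review.
$before = New-PolicySnapshot -Label 'before-account-policy'
# ... apply one small group of benchmark settings, run gpupdate /force, test the clients ...
$after  = New-PolicySnapshot -Label 'after-account-policy'
Compare-PolicySnapshot -Before $before -After $after

# Roll back a single GPO from the 'before' snapshot if something stopped working:
# Restore-GPO -Name 'Default Domain Policy' -Path $before
```

The diff should contain only the settings changed in that increment; anything unexpected is a reason to stop and restore before applying the next group.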