smpvm
Implement Windows server security
Hello Expert,
Our management is bringing in an external security auditor to audit the Domain Controllers and a file server that I am managing now. Please help; I need expert advice to understand the important security best practices or checklist I should follow to pass the security audit successfully.
The domain controllers are running on Windows 2008 with the following:
1) DNS
2) DHCP
3) Global Catalog (GC)
4) FSMO roles
One file server is running on Windows 2012 R2; all share-level and NTFS permissions are properly configured.
So far, what I did is as follows:
Security checklist for Domain Controllers:
1) Installed antivirus: McAfee VirusScan Enterprise + Antispyware Enterprise
2) Windows is updated to latest
3) Firewall is enabled with appropriate port exceptions
4) DNS is configured with Secure Dynamic Updates, and reverse lookups are properly configured
5) DHCP is authorized in Active Directory
6) Unused service accounts are deleted and all the administrator group memberships are properly reassigned
7) Password policies implemented:
   Enforce password history: 10 passwords remembered
   Maximum password age: 30 days
   Minimum password age: 0 days
   Minimum password length: 8 characters
   Password must meet complexity requirements: Enabled
   Store passwords using reversible encryption: Enabled
8) Account lockout policy:
   Account lockout duration: 60 minutes
   Account lockout threshold: 5 invalid logon attempts
   Reset account lockout counter after: 60 minutes
9) Implemented GPO to auto-lock the system after 5 minutes of idle time
10) Implemented GPO to set the default desktop wallpaper for all systems
11) This is where I'm stuck. Expert, can you please advise me what remaining things I have to concentrate on to tighten the AD security?
Security checklist for file server:
1) Installed antivirus: McAfee VirusScan Enterprise + Antispyware Enterprise
2) Windows is updated to latest
3) Firewall is enabled with appropriate port exceptions
4) All shared folders are made hidden
5) All the shared folders are assigned the correct share and NTFS permissions
6) This is where I'm stuck. Expert, can you please advise me what remaining things I have to concentrate on to tighten the file server security?
The goal is to pass the security audit on the Domain Controllers and the file server.
Waiting for your expert support.
Regards,
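An added example, not part of the original post: one way to check the account policy values listed above against a baseline, by parsing the `[System Access]` section that `secedit /export` writes. The function names, the `C:\audit\secpol.inf` path and the baseline thresholds are assumptions made for illustration; the sample input is constructed from the values in the post.

```powershell
# Constructed sample: the [System Access] section as written by
#   secedit /export /areas SECURITYPOLICY /cfg C:\audit\secpol.inf
# ClearTextPassword = 1 is "Store passwords using reversible encryption: Enabled".
$sample = @'
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = 30
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 10
LockoutBadCount = 5
ResetLockoutCount = 60
LockoutDuration = 60
ClearTextPassword = 1
'@

function Read-SystemAccess([string[]]$Lines) {
    # Collect the numeric key/value pairs of the [System Access] section only.
    $policy = @{}; $inSection = $false
    foreach ($line in $Lines) {
        if ($line -match '^\s*\[(.+)\]\s*$') { $inSection = ($Matches[1] -eq 'System Access'); continue }
        if ($inSection -and $line -match '^\s*(\w+)\s*=\s*(-?\d+)\s*$') {
            $policy[$Matches[1]] = [int]$Matches[2]
        }
    }
    return $policy
}

function Test-AccountPolicy([hashtable]$P, [int]$MinLength = 8) {
    # Assumed baseline (hypothetical); replace with the auditor's own thresholds.
    $f = @()
    if ($P['ClearTextPassword'] -ne 0) { $f += 'Reversible encryption is enabled: passwords are stored in recoverable form.' }
    if ($P['PasswordHistorySize'] -gt 0 -and $P['MinimumPasswordAge'] -eq 0) { $f += 'Minimum password age 0 lets users cycle through the password history at once.' }
    if ($P['PasswordComplexity'] -ne 1) { $f += 'Password complexity is not enabled.' }
    if ($P['MinimumPasswordLength'] -lt $MinLength) { $f += "Minimum password length is below $MinLength." }
    if ($P['LockoutBadCount'] -eq 0) { $f += 'Account lockout is disabled (threshold 0).' }
    if ($P['LockoutDuration'] -gt 0 -and $P['ResetLockoutCount'] -gt $P['LockoutDuration']) { $f += 'Lockout counter reset time exceeds lockout duration.' }
    return $f
}

$policy = Read-SystemAccess ($sample -split '\r?\n')
Test-AccountPolicy $policy | ForEach-Object { "FINDING: $_" }
```

To run it against a live server, replace the constructed sample with `Get-Content` on the exported file.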
ASKER
Hello Peter,
The above-mentioned list is completed. Do you know how to harden the security for the following:
1) Hardening of Active Directory
2) Hardening of file server
3) List of very important security GPOs that need to be implemented to secure the Windows domain environment
Regards
ASKER
Windows Server 2008 hardening
1. Check membership of admin groups, e.g. Enterprise Admins, Domain Admins, Schema Admins, Administrators, DHCP Admins.
2. Obsolete accounts are disabled and/or deleted.
3. Windows updates are applied to servers and desktops on a regular basis, especially security updates.
4. Special account passwords are recorded and stored in a secure location e.g. fire safe.
5. All copies of software meet license requirements and media with software stored in a secure location with any serial/product codes for Disaster Recovery (DR).
6. Regular backups of data kept offsite and secure.
7. Documentation of systems kept up to date and is secured (offline copies kept for DR).