Windows Server best practice security and audit purpose

Please share the industry best practice on the following:

AD member PCs local administrator recommended practice. Do we need to rename the user/... etc.?
AD-based auditing
Windows Update for Win 7 and 8 recommended practice: patch deployments
Why the system takes a long time to install the patch, and how we manage this in the 24 x 24 system
Tony GiangrecoCommented:
You should schedule a weekly or monthly maintenance window that allows you to patch and restart the servers and workstations to keep them secure.  Most organizations have this automated using the Windows WSUS services. It allows updates to be downloaded ahead of time to the WSUS server and then pushed to the workstations at a predetermined time. Normally it's 3AM or whatever time is appropriate for your organization.

Here is a link to that service and how to set it up.

https://technet.microsoft.com/en-us/windowsserver/bb332157.aspx

Hope this helps!
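As an added example (not part of Tony's post, and not Microsoft's own tooling beyond the cmdlets and registry values named), the following PowerShell shows the two halves of the WSUS maintenance window he describes: staged approval of Critical and Security updates on the WSUS server (a "Pilot" computer group first, then "Production" after a soak period), and the client-side policy that makes workstations download ahead of time and install at 03:00. The WSUS URL, the group names and the 03:00 slot are assumptions; the Get-WsusUpdate/Approve-WsusUpdate cmdlets need the UpdateServices module on Windows Server 2012 or later, while the client registry keys apply to Windows 7/8 (and are normally delivered by GPO rather than a script).

```powershell
# Added example, not from the original page. Part A runs on the WSUS server, part B on each client.
#Requires -RunAsAdministrator

# ---- Part A (WSUS server): approve by classification into a target group -----------------
function Approve-WsusStage {
    param(
        [Parameter(Mandatory)][string]$TargetGroupName,          # 'Pilot' first, 'Production' later (assumed names)
        [string[]]$Classification = @('Critical', 'Security')     # Get-WsusUpdate accepts All, Critical, Security, WSUS
    )
    Import-Module UpdateServices
    $wsus = Get-WsusServer                                        # local server; add -Name/-PortNumber for a remote one
    foreach ($c in $Classification) {
        Get-WsusUpdate -UpdateServer $wsus -Classification $c -Approval Unapproved |
            Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroupName
    }
}

# ---- Part B (client): point at WSUS, join a targeting group, schedule the install ---------
function Set-WsusClientPolicy {
    param(
        [Parameter(Mandatory)][string]$WsusUrl,       # e.g. 'http://wsus.corp.example:8530' (assumed)
        [Parameter(Mandatory)][string]$TargetGroup,   # client-side targeting group, e.g. 'Pilot'
        [ValidateRange(0,7)][int]$InstallDay = 0,     # 0 = every day, 1 = Sunday ... 7 = Saturday
        [ValidateRange(0,23)][int]$InstallHour = 3    # 03:00 local time, as in the post
    )
    $wu = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $au = "$wu\AU"
    New-Item -Path $au -Force | Out-Null
    Set-ItemProperty -Path $wu -Name WUServer           -Value $WsusUrl    -Type String
    Set-ItemProperty -Path $wu -Name WUStatusServer     -Value $WsusUrl    -Type String
    Set-ItemProperty -Path $wu -Name TargetGroupEnabled -Value 1           -Type DWord
    Set-ItemProperty -Path $wu -Name TargetGroup        -Value $TargetGroup -Type String
    Set-ItemProperty -Path $au -Name UseWUServer        -Value 1           -Type DWord
    Set-ItemProperty -Path $au -Name NoAutoUpdate       -Value 0           -Type DWord
    Set-ItemProperty -Path $au -Name AUOptions          -Value 4           -Type DWord   # 4 = auto download, scheduled install
    Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value $InstallDay  -Type DWord
    Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value $InstallHour -Type DWord
    # 1 here would let a logged-on user defer the restart indefinitely, which silently defeats the window
    Set-ItemProperty -Path $au -Name NoAutoRebootWithLoggedOnUsers -Value 0 -Type DWord
    Restart-Service wuauserv                                 # pick up the policy
    wuauclt.exe /resetauthorization /detectnow               # re-register with WSUS and report in (Win7/8 client)
}

# ---- Check: what a client is actually configured to do, and when it last installed ----------
function Test-WsusClientPolicy {
    $wu = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'    -ErrorAction SilentlyContinue
    $au = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU' -ErrorAction SilentlyContinue
    $last = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\Results\Install' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        WUServer    = $wu.WUServer
        UseWUServer = ($au.UseWUServer -eq 1)
        AUOptions   = $au.AUOptions
        InstallAt   = ('{0:D2}:00, day {1}' -f [int]$au.ScheduledInstallTime, $au.ScheduledInstallDay)
        LastInstall = $last.LastSuccessTime
    }
}

# Usage (assumed names): on the WSUS server, Approve-WsusStage -TargetGroupName 'Pilot'; after the pilot
# soak, Approve-WsusStage -TargetGroupName 'Production'. On a client, Set-WsusClientPolicy -WsusUrl
# 'http://wsus.corp.example:8530' -TargetGroup 'Pilot', then Test-WsusClientPolicy to confirm.
```

Test-WsusClientPolicy is the check worth running across the estate before trusting the window: a machine with UseWUServer missing or AUOptions set to 2 or 3 will never install on its own, and a stale LastInstall is the fastest sign that a client has dropped out of the schedule.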
Will SzymkowskiSenior Solution ArchitectCommented:
Local admin accounts should be renamed to something unique, and it should differ from workstations to servers.

Microsoft does recommend that you disable the admin account completely and create your own admin account. However, it really all depends on what your company standards are.

As for patches, security and critical updates should be installed when available. You should test these first in a lab and then apply them to production in chunks. Most companies have monthly maintenance weekends as well, which I would also recommend; this way the business has an upfront schedule of when business applications might be unavailable, with no surprises.

Will.
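An added example (not from Will's post) for the rename/disable practice above. Whatever the account is called, the built-in local Administrator keeps the well-known relative ID 500 at the end of its SID, so a compliance check should look for that RID rather than for the name "Administrator". The script uses the ADSI WinNT provider, which also works on Windows 7/8 and Server 2008 where the newer LocalAccounts module is absent; the new account name and the remote computer names are assumptions.

```powershell
# Added example, not from the original page. Finds the built-in Administrator by RID 500,
# reports its state, and optionally renames and/or disables it. ADSI so it runs on Win7/8 too.
#Requires -RunAsAdministrator

function Get-BuiltInAdmin {
    param([string]$ComputerName = $env:COMPUTERNAME)
    $computer = [ADSI]"WinNT://$ComputerName,computer"
    foreach ($entry in $computer.Children) {
        if ($entry.SchemaClassName -ne 'User') { continue }
        $sid = New-Object System.Security.Principal.SecurityIdentifier(
                   [byte[]]$entry.InvokeGet('objectSid'), 0)
        if ($sid.Value -notmatch '-500$') { continue }          # well-known RID of the built-in Administrator
        $flags = [int]$entry.InvokeGet('UserFlags')
        return [pscustomobject]@{
            Computer = $ComputerName
            Name     = [string]$entry.Name
            Sid      = $sid.Value
            Renamed  = (([string]$entry.Name) -ne 'Administrator')
            Disabled = [bool]($flags -band 0x2)                  # ADS_UF_ACCOUNTDISABLE
            Entry    = $entry
        }
    }
}

function Set-BuiltInAdmin {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [string]$NewName,        # e.g. 'ws-localadm' on workstations, 'srv-localadm' on servers (assumed)
        [switch]$Disable
    )
    $admin = Get-BuiltInAdmin -ComputerName $ComputerName
    $entry = $admin.Entry
    if ($Disable -and -not $admin.Disabled) {
        $entry.InvokeSet('UserFlags', ([int]$entry.InvokeGet('UserFlags') -bor 0x2))
        $entry.CommitChanges()
    }
    if ($NewName -and $admin.Name -ne $NewName) {
        $entry.psbase.Rename($NewName)                            # rename in place; the SID (and RID 500) is unchanged
    }
    Get-BuiltInAdmin -ComputerName $ComputerName | Select-Object Computer, Name, Renamed, Disabled
}

# Usage: report across domain members (assumed to have Get-ADComputer available and remote ADSI allowed):
#   Get-ADComputer -Filter * | ForEach-Object { Get-BuiltInAdmin -ComputerName $_.Name } |
#       Where-Object { -not $_.Renamed -or -not $_.Disabled } | Format-Table Computer, Name, Renamed, Disabled
# Remediate one host:  Set-BuiltInAdmin -ComputerName PC01 -NewName 'ws-localadm' -Disable
```

Because the check keys on the SID, a decoy account that someone later creates with the name "Administrator" is not mistaken for the built-in one, and a renamed built-in account is still found. Disabling only makes sense once a separate, named admin account (as Will describes) already exists on the box.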
btanExec ConsultantCommented:
Yes, please rename your administrator account, but the built-in one you cannot change. Security by default, and there should be named accounts for the privileged users, in this case those belonging to the Administrators group.

Yes, importantly, audit security events such as authentication and authorization failures. See "Active Directory Objects and Attributes to Monitor" specifically, on the whole listing of practices:
https://technet.microsoft.com/en-us/library/dn487457.aspx
======

This is a good snapshot summary as well, regardless of the OS perspective, applicable to AD itself:
https://www.ultimatewindowssecurity.com/wiki/WindowsSecuritySettings/Recommended-Baseline-Audit-Policy-for-Windows-Server-2008

Other planning ref: Planning and Deploying Advanced Security Audit Policies
https://technet.microsoft.com/en-us/library/ee513968(WS.10).aspx
======

Patching really comes down to priority based on severity and an assessment of the impact of the fixes, as they should go through diligent testing rather than immediate production rollout. US-CERT has an old paper, but it can help direct your strategy as a whole (not just endpoints) in handling patching urgency:
If the urgency determination requires immediate action and a work-around solution is either not available or not the best option, then the following actions should be taken:
1. Where possible, create a backup/archive and verify its integrity by deploying it on a standby system.
2. Create a checklist/procedure for patch activities and deploy the patch on the standby system.
3. Test the patched standby system for operational functionality and compatibility with other resident applications.
4. Swap the patched standby system into production and keep the previous unpatched production system as a standby for emergency patch regression.
5. Closely monitor the patched production system for any issues not identified during testing.
6. Patch the standby system (old production) after confidence is established with the production unit.
7. Update the software configuration management plan and related records.
Ref: https://ics-cert.us-cert.gov/sites/default/files/recommended_practices/PatchManagementRecommendedPractice_Final.pdf

For MS, they also have a recommendation in "Best Practices for Applying Service Packs, Hotfixes and Security Patches", one of the key ones being chartering security patches:
When should one apply Windows security patches
1. Apply only on exact match: apply a security patch only when you are certain that the update will fix the problem you encountered.
2. Apply admin patches to install build areas: the post mentions that admin patches differ from the client patch and are usually located in a different location from the client-side patches.
https://msdn.microsoft.com/en-us/library/cc750077.aspx

=========

The time to patch, as mentioned, is not immediate: you need to verify, back up and be ready for roll-back contingencies if the fixes are not working well, as well as application breaks, if any. So it is not straightforward. To sum up, it really comes down to your risk assessment before action:
1] Install all rollups available since the previous milestone, i.e. from Windows 8 to Windows 8.1, or from Windows Server 2012 to Windows Server 2012 R2.
2] Use Windows Update or Windows Server Update Services. They will evaluate the patches currently installed and what patches are available, examine superseded patches, and offer a list of currently available patches.
3] Critical updates should be tested and installed as soon as possible, with high priority.
4] Important updates should be tested as soon as practical, and installed as soon as practical.
5] Recommended and optional updates may be reviewed, tested, and installed as applicable, according to convenience.

Restarting for completion is a must for some fixes, and indeed a 24-hour server can be tough to shut down, hence there is downtime, and an HA clone or even an HA site to handle it during the downtime. The ref from US-CERT sheds some light, but overall I suggest never adopting the status quo unless really with great repercussions, like critical infrastructure supplying power, energy, water... Some may be thinking with an "if it ain't broke, don't fix it" mindset; that can be a risk-averse stance, but it does have a rationale beyond general understanding.
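An added example (not from btan's post, and not the content of the linked TechNet articles) for the AD auditing part of the answer: it applies a failure-focused subset of an advanced audit policy with auditpol.exe on a domain controller, forces subcategory settings to take precedence over the legacy nine categories, and then pulls the events that the references single out as first priority (failed logons 4625, Kerberos pre-authentication failures 4771, NTLM validation failures 4776 and lockouts 4740) from the Security log, grouped per account. The 24-hour window, the threshold of ten failures and the subcategory list are assumptions; Directory Service Changes events (5136/5137) additionally require SACLs on the objects you care about, which this script does not set.

```powershell
# Added example, not from the original page. Run on a DC as an administrator. Lockout events (4740)
# are recorded on the DC that processed the lockout and on the PDC emulator, so run it there.
#Requires -RunAsAdministrator

# Failure-centric baseline (assumed subset; names are auditpol's English subcategory names).
$subcategories = @(
    @{ Name = 'Credential Validation';           Success = 'enable'; Failure = 'enable' }   # 4776
    @{ Name = 'Kerberos Authentication Service'; Success = 'enable'; Failure = 'enable' }   # 4768/4771
    @{ Name = 'Logon';                           Success = 'enable'; Failure = 'enable' }   # 4624/4625
    @{ Name = 'Account Lockout';                 Success = 'enable'; Failure = 'enable' }   # 4740
    @{ Name = 'Special Logon';                   Success = 'enable'; Failure = 'disable'}   # 4672 admin-equivalent privileges
    @{ Name = 'User Account Management';         Success = 'enable'; Failure = 'enable' }   # 4720/4722/4724/4726
    @{ Name = 'Security Group Management';       Success = 'enable'; Failure = 'enable' }   # 4728/4732/4756
    @{ Name = 'Directory Service Changes';       Success = 'enable'; Failure = 'enable' }   # 5136/5137, needs SACLs
    @{ Name = 'Audit Policy Change';             Success = 'enable'; Failure = 'enable' }   # 4719: someone turning auditing off
)

function Set-AuditBaseline {
    foreach ($s in $subcategories) {
        $args = @('/set', "/subcategory:$($s.Name)", "/success:$($s.Success)", "/failure:$($s.Failure)")
        & auditpol.exe @args | Out-Null
    }
    # "Audit: Force audit policy subcategory settings to override audit policy category settings"
    Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name SCENoApplyLegacyAuditPolicy -Value 1 -Type DWord
    auditpol.exe /get /category:*        # show the effective policy for review
}

# Pulls the failure events and summarises them per target account, so brute-force or spray
# attempts and misconfigured service accounts surface above the noise.
function Get-AuthFailureSummary {
    param([int]$Hours = 24, [int]$Threshold = 10, [string]$ComputerName = $env:COMPUTERNAME)
    $filter = @{ LogName = 'Security'; Id = 4625, 4771, 4776, 4740; StartTime = (Get-Date).AddHours(-$Hours) }
    $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time    = $e.TimeCreated
            Id      = $e.Id
            Account = $d.TargetUserName
            # where the attempt came from: client IP for 4625/4771, workstation name for 4776,
            # "caller computer name" (carried in TargetDomainName) for 4740
            Source  = switch ($e.Id) { 4776 { $d.Workstation } 4740 { $d.TargetDomainName } default { $d.IpAddress } }
            Status  = if ($d.SubStatus) { $d.SubStatus } else { $d.Status }   # 0xC000006A bad password, 0x18 Kerberos bad pw, etc.
        }
    }
    $rows | Group-Object Account | Where-Object Count -ge $Threshold | Sort-Object Count -Descending |
        Select-Object @{n='Account'; e={ $_.Name }}, Count,
                      @{n='EventIds'; e={ ($_.Group.Id | Sort-Object -Unique) -join ',' }},
                      @{n='Sources';  e={ ($_.Group.Source | Sort-Object -Unique) -join ',' }},
                      @{n='Statuses'; e={ ($_.Group.Status | Sort-Object -Unique) -join ',' }}
}

# Usage:  Set-AuditBaseline ; Get-AuthFailureSummary -Hours 24 -Threshold 10 | Format-Table -AutoSize
```

Two practical notes: the SCENoApplyLegacyAuditPolicy value is what stops an old "Audit logon events" category setting from GPO overwriting these subcategories at the next refresh, and the summary deliberately groups on the target account rather than the source, because a password spray shows up as many accounts with few failures each from one source, so it is worth running the same grouping on Sources as a second view.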
Windows Server 2008
Question has a verified solution.