Can a DC harden a private network?

John Crawford, IT Administrator (Author)
Asked:
W2K DC in a small production environment, 20 PCs. About 3 people are able to connect their laptops as "workgroup" machines, and they can access the internet with no problem. Can W2K harden this private network, or do I need W2003 Server Ent, 2008, 2012, etc.?

Yes, there is a domain set up in Active Directory. All workers log in with their own accounts.
Yes, I am in a rush to upgrade.
John, Business Consultant (Owner), Most Valuable Expert 2012, Expert of the Year 2018
Commented:
Windows 2000 and 2003 are security risks and won't protect you against anything. You need at least Server 2012 or higher with the firewall set up.

I prefer to add a hardware VPN to provide secure access and keep all others out
John, Business Consultant (Owner)
Commented:
Also, since you are dealing with these old products, be sure you get rid of SMBv1 and all workstations earlier than Windows 7.
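The SMBv1 clean-up John recommends above, as an added example (not code from the thread or from any expert in it): it audits which clients still negotiate SMB1, disables the protocol on the server service, removes the feature, and optionally checks the other servers in the domain. It assumes Windows Server 2012 R2 or later with the built-in SmbShare and ServerManager modules, and for step 5 the ActiveDirectory RSAT module plus PowerShell remoting; the AD filter string is a constructed placeholder.

```powershell
# Added example, not code from the thread: audit and remove SMBv1 on a Windows Server
# 2012 R2 (or later) domain controller or file server. Cmdlets are from the built-in
# SmbShare and ServerManager modules; run from an elevated PowerShell prompt.

# 1. Current state of the SMB1 protocol on the server service.
$cfg = Get-SmbServerConfiguration
"SMB1 enabled on server service: $($cfg.EnableSMB1Protocol)"

# 2. Before disabling, find any client still negotiating SMB1 (dialect below 2.0).
#    These are the machines that lose access to shares once SMB1 is off, typically
#    the pre-Windows 7 workstations John mentions.
$legacy = Get-SmbSession |
    Where-Object { [double]$_.Dialect -lt 2.0 } |
    Select-Object ClientComputerName, ClientUserName, Dialect
if ($legacy) {
    "Sessions still using SMB1:"
    $legacy | Format-Table -AutoSize
}

# 3. Disable SMB1 on the server side; new sessions must negotiate SMB2 or SMB3.
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force

# 4. Remove the SMB1 feature so a later configuration change cannot re-enable it.
#    The feature name FS-SMB1 exists on Server 2012 R2 and later; a reboot is required.
Remove-WindowsFeature -Name FS-SMB1

# 5. Optional: audit the other servers in the domain over WinRM. Assumes the
#    ActiveDirectory RSAT module and PowerShell remoting; the filter is a placeholder.
$servers = Get-ADComputer -Filter 'OperatingSystem -like "*Windows Server*"' |
    Select-Object -ExpandProperty Name
Invoke-Command -ComputerName $servers -ScriptBlock {
    (Get-SmbServerConfiguration).EnableSMB1Protocol
} | Select-Object PSComputerName, @{ Name = 'SMB1Enabled'; Expression = { $_ } }

# 6. On Windows 8.1 / 10 workstations the equivalent is the SMB1Protocol optional
#    feature (run on each client, not on the DC):
#    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
```

Run step 2 for a few days before steps 3 and 4 if the shop still has old multifunction printers or NAS boxes scanning to shares; those are the usual SMB1-only holdouts, and the session list is the cheapest way to find them.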
Adam Brown, Senior Systems Admin, Top Expert 2010
Commented:
Unless you are adding the computers to a Windows domain, you can't really use any version of Windows to harden a private network. If you do add the computers to the domain, you can use Group Policy to harden all the systems that are part of the domain and limit user privileges. Note, however, that what John says is pretty accurate. You'll want Server 2012 at a minimum because Server 2008 will be falling out of extended support with MS soon and will not receive security updates after that.

The group policy options you have available in Server 2000/2003 are not sufficient to harden anything against modern threats and so many vulnerabilities exist in these versions of Windows Server that they are a complete waste of effort to use in securing anything at all.
John Crawford, IT Administrator (Author)
Commented:
Let me ask the question this way: I am also building from scratch a 2012 R2 domain controller in a private network. Does 2012 have the tools to block internet access for my 2 or 3 users plugging in their own personal laptops (probably Win 10 Home)? Of course they are not logged in to the domain; workgroup machines only.
Commented:
Using a domain controller will reinforce security toward users but not toward outside threats.
From the machine's point of view, the security priorities are: 1: firewall, 2: Windows updates, 3: good antivirus (NOD32, for example).
The rest is human risk (which you can limit with GPOs if a domain controller is enabled), but what a waste of time!
And don't forget to save an image of each workstation and the server with the Veeam free-licence software (world leader in backup).
They have a disaster recovery restore option (creating a boot stick). All this will take less than one hour and save dozens of hours in case of a massive attack (crypto virus, etc.).
John, Business Consultant (Owner)
Commented:
Build a guest network (VLAN) for personal devices. That will be easier than trying to do all this with Server 2012. We have guest networks for personal smart devices as users rarely (never) bring in their own computers. Discourage that (easily done in a small shop).
John Crawford, IT Administrator (Author)
Commented:
Eric or John, it looks like the answer is "no" to my question; please clarify. In other words, an employee can plug in their own laptop, obtain an address from DHCP and start browsing? Even with Server 2012 R2.
John, Business Consultant (Owner)
Commented:
Server 2012 hands out DHCP addresses to all machines. So (to the best of my knowledge) you would have to enable MAC address filtering to prevent a machine connecting by Ethernet. Messy.

https://technet.microsoft.com/en-us/library/ff521761.aspx
John, Business Consultant (Owner)
Commented:
Also, you say this is a tiny shop. Just tell them not to bring computers in. Why? You have no control over the security on their machines.
Commented:
If you don't want unknown machines to connect to the internet, you can put a false gateway IP in the DHCP server for them, and the correct one for known machines based on their MAC address.
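Both DHCP-side controls suggested in this thread, John's MAC address filtering and the false-gateway idea in the comment just above, as an added example (not code from the thread or from any expert in it). It assumes a Windows Server 2012 R2 DHCP server with the built-in DhcpServer module; the scope, gateway and MAC addresses are constructed placeholders, and the separator-free MAC format in the policy condition follows the format used in the Add-DhcpServerv4Policy documentation examples.

```powershell
# Added example, not code from the thread: two server-side DHCP controls on a Windows
# Server 2012 R2 DHCP server (DhcpServer module). All addresses below are made up.

$scope       = '192.168.10.0'
$realGateway = '192.168.10.1'
$sinkGateway = '192.168.10.254'   # nothing listens here; traffic routed to it goes nowhere
$knownMacs   = @('00-15-5D-01-02-03', '00-15-5D-04-05-06')   # company PCs (placeholders)

# What is plugged in right now? The lease table lists every MAC the server has served,
# which is how you build the "known" list in the first place.
function Get-CurrentClients {
    Get-DhcpServerv4Lease -ScopeId $scope |
        Select-Object IPAddress, ClientId, HostName, AddressState
}

# Option A (John's approach): link-layer allow list. MACs not on the list get no lease.
# The filter list is server-wide, not per scope.
function Enable-KnownMacAllowList {
    foreach ($mac in $knownMacs) {
        Add-DhcpServerv4Filter -List Allow -MacAddress $mac -Description 'Company PC'
    }
    Set-DhcpServerv4FilterList -Allow $true -Deny $false
    Get-DhcpServerv4Filter -List Allow
}

# Option B (the false-gateway approach): everyone gets a lease, but only the known MACs
# receive the real router in option 3; everyone else is pointed at the sink address.
function Set-KnownMacGatewayPolicy {
    # Scope-level default router is the sink.
    Set-DhcpServerv4OptionValue -ScopeId $scope -Router $sinkGateway

    # Policy condition: comparison operator first, then the values. The documented
    # examples write MACs without separators (e.g. 00155D*), so dashes are stripped.
    $policyMacs = @('EQ') + ($knownMacs | ForEach-Object { $_ -replace '-', '' })
    Add-DhcpServerv4Policy -Name 'KnownMachines' -ScopeId $scope -Condition OR -MacAddress $policyMacs

    # Policy-level option 3 overrides the scope-level value for matching clients.
    Set-DhcpServerv4OptionValue -ScopeId $scope -PolicyName 'KnownMachines' -Router $realGateway
    Get-DhcpServerv4Policy -ScopeId $scope
}

# Pick one: A refuses unknown machines a lease, B leases to them but sends their
# traffic to a dead gateway. Shown together here only for comparison.
Get-CurrentClients | Format-Table -AutoSize
# Enable-KnownMacAllowList
# Set-KnownMacGatewayPolicy
```

Two caveats a practitioner should weigh before relying on either option: a MAC address is set in software and can be changed by the laptop's owner in seconds, and a laptop configured with a static IP and gateway never talks to the DHCP server at all, so neither control sees it. They raise the effort for a casual user, which may be all a 20-seat shop needs, but enforcement at the network layer (the guest VLAN John describes, or the NAC approach suggested later in the thread) is what actually decides who gets onto the wire.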
Adam Brown, Senior Systems Admin
Commented:
Windows Server is not designed to serve as a network boundary device or firewall on its own. What you want is a web proxy. MS used to provide a solution for this but discontinued it with the release of Server 2012. If you would like recommendations, look at pfSense or Untangle.
Shaun Vermaak, Technical Specialist, Awarded 2017, Distinguished Expert 2018
Commented:
Seems to me you are looking for a NAC solution. Have a look at this OpenSource project.
https://packetfence.org/
John Crawford, IT Administrator (Author)
Commented:
What are companies such as McDonald's and Best Western using to block access? Is that what you call a NAC solution? I know about firewall solutions with the yearly subscription charges.
John, Business Consultant (Owner)
Commented:
To block people out, they would use an edge firewall solution.

"W2K DC in small production environment, 20 pc's" <-- For you, for internal issues, it is more a management observation issue.
John Crawford, IT Administrator (Author)
Commented:
"Windows server is not designed to serve as a network boundary device or firewall on its own." From Adam.
John, Business Consultant (Owner)
Commented:
Thanks and I was happy to help
