Can a DC harden a private network?

W2K DC in small production environment, 20 PCs, about 3 people are able to connect their laptops as "workgroup", they can access internet no problem. Can W2K harden this private network or do I need W2003 Server Ent, 2008, 2012 etc?

Yes there is a domain setup in active directory. All workers login in their own accounts.
Yes I am in rush process to upgrade.
John Crawford, IT Administrator, asked:
John, Business Consultant (Owner), commented:
Windows 2000 and 2003 are security risks and won't protect you against anything. You need at least Server 2012 or higher with the firewall set up.

I prefer to add a hardware VPN to provide secure access and keep all others out
John, Business Consultant (Owner), commented:
Also since you are dealing with these old products, be sure you get rid of SMBv1 and all Workstations earlier than Windows 7.
Adam Brown, Senior Systems Admin, commented:
Unless you are adding the computers to a Windows domain, you can't really use any version of Windows to harden a private network. If you do add the computers to the domain, you can use Group Policy to harden all the systems that are part of the domain and limit user privileges. Note, however, that what John says is pretty accurate. You'll want server 2012 at a minimum because server 2008 will be falling off of extended support with MS soon and will not receive security updates after it falls off extended support.

The group policy options you have available in Server 2000/2003 are not sufficient to harden anything against modern threats and so many vulnerabilities exist in these versions of Windows Server that they are a complete waste of effort to use in securing anything at all.
John Crawford, IT Administrator, Author, commented:
Let me ask the question this way: I am also building from scratch a 2012 R2 domain controller in a private network. Does 2012 have the tools to block access to internet with my 2 or 3 users plugging in their own personal laptops (probably Win 10 Home)? Of course they are not logged in to the domain, workgroup machines only.
Eric BLANC commented:
Using a domain controller will reinforce security toward users but not toward outside threats.
On the machine point of view, security priorities are 1: firewall 2: Windows updates 3: good antivirus (NOD32 for example).
The rest is human risk (that you can limit with GPO if a domain controller is enabled) but what a loss of time!
And don't forget to save an image of each workstation and the server with the Veeam free licence software (world leader in backup).
They have a disaster recovery restore option (creating a boot stick). All this will take less than one hour and save dozens of hours in case of massive attack (crypto virus etc).
John, Business Consultant (Owner), commented:
Build a guest network (VLAN) for personal devices. That will be easier than trying to do all this with Server 2012. We have guest networks for personal smart devices as users rarely (never) bring in their own computers. Discourage that (easily done in a small shop).
John Crawford, IT Administrator, Author, commented:
Eric or John, it looks like the answer is "no" to my question, please clarify? In other words, an employee can plug in their own laptop, obtain from DHCP and start browsing?? Even with Server 2012 R2.
John, Business Consultant (Owner), commented:
Server 2012 hands out DHCP addresses to all machines. So (to the best of my knowledge) you would have to enable MAC address filtering to prevent a machine connecting by Ethernet. Messy
John, Business Consultant (Owner), commented:
Also you say this is a tiny shop. Just tell them not to bring computers in. Why? You have no control over the security on their machines.
Eric BLANC commented:
In case you don't want unknown machines to connect to the @, you can put a false gateway IP in the DHCP server for them... and the good one for familiar machines based on their MAC address.
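As an added example (not code from the thread), here are the two DHCP-side controls John and Eric describe, written for the DhcpServer PowerShell module on a Server 2012 R2 DHCP server; the scope, addresses and MAC values are constructed placeholders. Both only steer cooperative clients: a laptop with a static IP and gateway bypasses them, which is why the later replies point at a guest VLAN, NAC or an edge firewall instead.

```powershell
# Added example, not from the thread. Assumes the DHCP role and the
# DhcpServer module are installed. All scope/IP/MAC values are constructed.
Import-Module DhcpServer

$ScopeId     = '192.168.10.0'
$RealGateway = '192.168.10.1'    # the router that actually reaches the Internet
$BlackHole   = '192.168.10.254'  # unused address: a gateway that leads nowhere

# Known company PCs: MAC -> reserved IP (constructed sample values)
$KnownHosts = @{
    '00-11-22-33-44-55' = '192.168.10.50'
    '00-11-22-33-44-56' = '192.168.10.51'
}

# Eric's approach: the scope default router points at a dead gateway, so an
# unknown laptop still gets a lease and LAN access but has no route out.
Set-DhcpServerv4OptionValue -ScopeId $ScopeId -Router $BlackHole

# Known machines get a reservation keyed on their MAC, and the reservation's
# own router option overrides the scope default with the real gateway.
foreach ($mac in $KnownHosts.Keys) {
    $ip = $KnownHosts[$mac]
    Add-DhcpServerv4Reservation -ScopeId $ScopeId -IPAddress $ip -ClientId $mac -Name "pc-$ip"
    Set-DhcpServerv4OptionValue -ReservedIPAddress $ip -Router $RealGateway
}

# John's stricter approach: a MAC allow-list, so unknown MACs get no lease at
# all. Enable it only once every legitimate MAC is listed, or your own PCs
# will be refused when their leases expire.
foreach ($mac in $KnownHosts.Keys) {
    Add-DhcpServerv4Filter -List Allow -MacAddress $mac -Description 'Company PC'
}
Set-DhcpServerv4FilterList -Allow $true

# Review what the server will now do before trusting it.
Get-DhcpServerv4FilterList
Get-DhcpServerv4Filter -List Allow
Get-DhcpServerv4Reservation -ScopeId $ScopeId
```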
Adam Brown, Senior Systems Admin, commented:
Windows Server is not designed to serve as a network boundary device or firewall on its own. What you want is a web proxy. MS used to provide a solution for this but discontinued it with the release of Server 2012. If you would like recommendations, look at pfSense or Untangle.

Shaun Vermaak, Technical Specialist, commented:
Seems to me you are looking for a NAC solution. Have a look at this OpenSource project.
John Crawford, IT Administrator, Author, commented:
What are companies such as McDonald's and Best Western using to block access? Is that what you call a NAS solution? I know about firewall solutions with the yearly subscription charges.
John, Business Consultant (Owner), commented:
To block people out, they would use an edge firewall solution.

"W2K DC in small production environment, 20 PCs" <-- For you, for internal issues, it is more a management observation issue.
John Crawford, IT Administrator, Author, commented:
"Windows server is not designed to serve as a network boundary device or firewall on its own." From Adam.
John, Business Consultant (Owner), commented:
Thanks and I was happy to help