Posted by: Yasir Irfan
Microsoft Windows, Network Documentation Policy, Network Policies, Networking, Routers, Server Security, Servers, Switches
Now we are proceeding towards the Server Security Policy, which was quite tiresome to draft.
“IS” CONSIDERED THE FOLLOWING:
1. Limit the number of protocols in use throughout the network to the extent possible.
2. Use connection-monitoring software like the performance monitor to alert the network administrator to potential intrusion attempts.
3. Antivirus software must be chosen from a proven leading supplier
4. Remove the keyboard and monitor from servers if possible. They can be reattached when administration is necessary. Certain mouse devices will not reset properly when reattached; they should be left attached.
5. Add trust relationships between domains only when several users need access.
6. Create groups based on natural associations in the Dept. Assign file permissions by groups. Make user accounts members of the groups that need access to certain files.
7. Don’t allow unrestricted file sharing. Use files sharing with user-based authentication or, at the very least, passwords.
8. Limit the rights of Guest and Anonymous accounts.
9. Never enable the Guest account.
10. Try to arrange data so that as few user accounts as possible are required for users to access it.
11. Do not make Internet Information Server user accounts members of the Users or Domain Users groups. A void making these accounts members of groups that would grant these users additional rights or access permissions.
12. Do not make script virtual directories readable, do not make other virtual directories executable.
13. Create a group for Internet users for lIS; apply permissions to that group account.
14. Do not allow users to place scripts in their own WWW service virtual directories.
15. Use the logging facilities of lIS to watch for a high proportion of unauthorized, forbidden, and not found access attempts.
16. Do not allow NetBIOS connections to be made over the Internet.
17. Replace the default Everyone, Full Control permission with a Domain Users, Change permission on all drives except the system and boot volumes.
18. On each Window 2003 server inside the network, establish filters to pass only those protocols that are explicitly served. This prevents software from working in unexpected ways.
19. To make administration easier and leave less possibility for error, use several shares on one workstation rather than scattering them among several workstations, if possible.
20. Use the No Access permission only then necessary to override other permitted access.
21. Grant permissions for a share to a specific group or set of users, rather than using the everyone group and attempting to restrict users at the subdirectory level.
22. Use NTFS volumes for file sharing whenever possible, and use file-level security rather than share-level security when possible.
23. Keep sensitive information out of the shopper table because that information is accessible to a web browser.
24. Use both a secure port (HTTPS) and Secure Socket Layer encryption, and use strong NTFS permissions restrictions on WWW service virtual directories.
25. Require all possible network connections to services outside the network security to go through a proxy server.
26. Configure the DNS server to exchange information with only computers within the network security and with the DNS server “up” the network tree from them.
27. Remove all instances of the Everyone, Full Control permission. Do not set a default permission to replace it so that all subdirectories from the root do not by default inherit permissions. Add permissions only where specifically required.
28. Access to operating systems is to be restricted to those persons who are authorized to perform systems administration/management functions. Even then such access must be operated under dual control requiring the specific approval of senior management.
29. Staff with access to the $ prompt or command line, could succeed in executing system command,which could damage and corrupt your system and data.
30. Operating System commands could be used to disable or circumvent access control and audit log facilities, etc System access must be monitored regularly to prevent attempts at unauthorized access and to confirm that access control standards are effective.
31. Apply intrusion detection sensor for each server you want to protect.
32. Make sure the audit or accounting functions are turned on.
33. Keep try to find the last patches found for both the Operating systems and applications installed on that servers .That will help for closed O.S and Application holes.
34. Have servers in a physically secure location to prevent unauthorized access.
35. On a regular basis, run programs (for example, Crack, Tiger, COPS and Satan) to check for system weaknesses.
36. Make timely system backups.
37. Keep one copy of backup tapes in a secure facility offsite.
38. Use a virus-checker program.
39. Modify registry in windows severs for maximum security issues according to Microsoft security check list.