Three Easy Steps to a More Secure Windows Network
Introduction
Did you know that with minimal effort and minimal to no cost, you can have a vastly more secure Windows network? Let’s touch on three key security-related capabilities that are integrated with every Windows Server. These are Group Policies, Access Based Enumeration (Need to Know) and some nifty DHCP tweaks, including MAC address filtering.
1. Group Policies (GPOs)
With each passing version of Windows, GPOs become more powerful, more numerous and more complicated to administer. While a thorough discussion of GPOs fills volumes, a basic understanding of GPOs can provide you with instant security benefits. GPOs are requirements or restrictions placed upon computers, users or groups. Some simple examples include drive mapping under Windows 2008 R2 and newer, and enforcement of patching delivered through Windows Software Update Server (WSUS). Group Policies can also be used to limit access to objects in Active Directory, to force complex passwords and more. Even more interesting, GPOs can prevent users from installing software or even storing data locally. Learn your GPOs.
2. Access Based Enumeration (Need to Know)
Roughly ten years ago, Microsoft quietly released Access Based Enumeration (ABE) as an add-on to Windows Server 2003 SP1. With Windows Server 2008, this became a standard feature. ABE is the option to turn off the ability for users to see network shares that they have no access to. This basically puts those shares on a “need to know” basis and renders them invisible to those without access to them. This is a particularly powerful option when combined with the desktop lockdowns available with GPOs (see above). Many admins are still surprised to hear about ABE, but those of us who came from a Novell background were equally shocked that it was not available from day one of Active Directory. This one is a no-brainer, so just do it.
3. DHCP Tweaks & MAC Address Filtering
First of all, set up your DHCP scope appropriately. If you have just ten workstations on your network, don’t set up a scope that allows for 100 (this applies to any device that assigns DHCP addresses as well). And use DHCP exclusions and/or reservations sparingly as well. Finally, ever since Windows 2008 R2, the ability to restrict the assignment of IP addresses to “known” MAC addresses has been in the DHCP Server. You can very easily get this going by turning this feature on after the first time everyone has their IP leases (letting DHCP “learn” those existing MAC addresses). This way nobody can add a “rogue” device to your network and it will pay off handsomely the very first time someone brings in an unauthorized, virus-infected device!
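One way to carry out the "learn, then enforce" sequence described above, as an added example that is not part of the original article. It assumes the DhcpServer PowerShell module (Windows Server 2012 or later) and is run on the DHCP server itself; the `-Enforce` switch is a name chosen for this example.

```powershell
#Requires -Modules DhcpServer
# Added example: seed the DHCP allow list from current leases, then enforce it.
param(
    [switch]$Enforce   # hypothetical switch: without it the script only seeds the list
)

# MAC addresses already on the allow list, so re-runs do not add duplicates.
$known = @(Get-DhcpServerv4Filter -List Allow |
    ForEach-Object { $_.MacAddress.ToUpper() })

$added = 0
foreach ($scope in Get-DhcpServerv4Scope) {
    foreach ($lease in Get-DhcpServerv4Lease -ScopeId $scope.ScopeId) {
        # Filters work on 6-byte hardware addresses; skip any other client ID.
        $mac = "$($lease.ClientId)".ToUpper()
        if ($mac -notmatch '^([0-9A-F]{2}-){5}[0-9A-F]{2}$') { continue }
        if ($known -contains $mac) { continue }

        # Record host name and address so each entry can be audited later.
        $note = '{0} ({1}) learned {2:yyyy-MM-dd}' -f `
            $lease.HostName, $lease.IPAddress, (Get-Date)
        Add-DhcpServerv4Filter -List Allow -MacAddress $mac -Description $note
        $known += $mac
        $added++
    }
}
Write-Output "Added $added MAC address(es); allow list now holds $($known.Count)."

if ($Enforce) {
    # Refuse to enforce an empty list: that would deny a lease to every client.
    if ($known.Count -eq 0) {
        throw 'Allow list is empty; not enabling the filter.'
    }
    Set-DhcpServerv4FilterList -Allow $true
}

# Show whether the allow and deny lists are currently enforced.
Get-DhcpServerv4FilterList
```

Run it once without `-Enforce` and review the resulting allow list before enabling it. Any device that held no lease when the list was seeded will not receive an address after enforcement until its MAC address is added.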
4. Summary
Group Policies provide tremendous control over a vast range of user and machine behaviors, and learning to use them lies at the very heart of having a more secure Windows network. Access Based Enumeration belongs in every security toolkit, is easy to implement and should always be used. And even the lowly DHCP Manager can be used to strengthen your Windows security, so learn how.