Three Windows Server Security Tips to Stop Intruders in Their Tracks

There is no end to the powerful, complicated and expensive add-ins designed to improve the
security of your Windows networks. The marketplace is rife with everything from facial recognition
biometric systems to RFID proximity sensors that log you out once you are more than a few meters
from your workstation. In larger and more distributed environments you’ll see single sign-on,
identity management and other impressive solutions. But did you know that with minimal effort
and with minimal to no cost, you can vastly enhance the security of your Windows network? Let’s
touch on three basics integrated with every Windows Server: Group Policies, Access Based
Enumeration (Need to Know) and some nifty DHCP tweaks, including MAC filtering.

Group Policies (GPOs)

With each passing version of Windows, GPOs become more powerful, more numerous and more
complicated to administer. While a thorough discussion of GPOs could (and does) fill an entire
volume, a basic understanding of GPOs can provide you instant security benefits. Group Policies
are requirements or restrictions placed upon computers, users or groups. Some simple examples
include drive mapping under Windows 2008 R2 and newer and enforcement of patching delivered
through Windows Server Update Services (WSUS). Group Policies can also be used to limit access
to objects in Active Directory, to force complex passwords and more. Even more interesting,
GPOs can prevent users from installing software or even storing data locally. Learn about GPOs!

Access Based Enumeration (Need to Know)

Roughly ten years ago, Microsoft quietly slipped Access Based Enumeration (ABE) into Windows
Server 2003 SP1. Eventually, in Server 2008, this became a standard feature of the OS. ABE is the
option to turn off the ability for users to see network shares that they have no access to. This
basically puts those shares on a “need to know basis” and renders them invisible to those without
access to them. This is a particularly powerful option when combined with the desktop lockdowns
available with GPOs (see above). Many admins are still surprised to hear about ABE, but those of
us who came from a Novell background were equally shocked that it was not available way back at
the birth of Active Directory. This is one of those things that just makes sense to enable, so just do it.

DHCP Tweaks; MAC Address Filtering

First of all, set up your DHCP scope appropriately. If you have just ten workstations on your
network, don’t set up a scope that allows for 100 (this applies to any DHCP assigning device as well).
And use DHCP exclusions and/or reservations sparingly as well. Finally, ever since Windows 2008
R2, the ability to restrict the assignment of IP addresses to “known” MAC addresses has been in the
DHCP Server. You can very easily get this going by turning this feature on after the first time
everyone has their IP leases (letting DHCP “learn” those existing MAC addresses). This way
nobody can add a “rogue” device to your network and it will pay off handsomely the very first time
someone brings in an unauthorized, virus-infected device!
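
The learn-then-enforce procedure described above, as an added PowerShell example (not code from the original article). It assumes the DhcpServer module that ships with Windows Server 2012 and later; the script parameters and the review CSV path are hypothetical names.

```powershell
# Added example: seed the DHCP "Allow" MAC filter from the leases the server has
# already handed out, then (optionally) switch allow-list enforcement on.
# Assumes the DhcpServer module and an elevated session with DHCP admin rights.
[CmdletBinding(SupportsShouldProcess)]
param(
    [string]$ComputerName = $env:COMPUTERNAME,          # DHCP server to manage
    [string]$ReviewCsv    = '.\dhcp-allow-review.csv',  # hypothetical review file
    [switch]$Enforce                                    # enable the allow list
)

Import-Module DhcpServer -ErrorAction Stop

# 1. Collect active leases and reservations from every IPv4 scope, keeping only
#    entries whose client ID is a plain 6-byte MAC, one row per MAC.
$leases = Get-DhcpServerv4Scope -ComputerName $ComputerName |
    ForEach-Object { Get-DhcpServerv4Lease -ComputerName $ComputerName -ScopeId $_.ScopeId } |
    Where-Object { $_.AddressState -like 'Active*' -and
                   $_.ClientId -match '^([0-9a-f]{2}-){5}[0-9a-f]{2}$' } |
    Sort-Object -Property ClientId -Unique

# 2. Write the candidates out so a person can check them against the inventory.
$leases | Select-Object ClientId, IPAddress, HostName, ScopeId |
    Export-Csv -Path $ReviewCsv -NoTypeInformation

# 3. Add each learned MAC that is not already on the Allow list.
$known = @(Get-DhcpServerv4Filter -ComputerName $ComputerName -List Allow |
    ForEach-Object { $_.MacAddress.ToUpper() })

foreach ($lease in $leases) {
    $mac = $lease.ClientId.ToUpper()
    if ($known -contains $mac) { continue }
    if ($PSCmdlet.ShouldProcess($mac, 'Add to DHCP allow list')) {
        $note = 'Learned {0} {1}' -f $lease.HostName, (Get-Date -Format 'yyyy-MM-dd')
        Add-DhcpServerv4Filter -ComputerName $ComputerName -List Allow `
            -MacAddress $mac -Description $note
    }
}

# 4. Enforce only when asked: from here on, unknown MACs receive no lease.
if ($Enforce -and $PSCmdlet.ShouldProcess($ComputerName, 'Enable DHCP allow list')) {
    Set-DhcpServerv4FilterList -ComputerName $ComputerName -Allow $true
}

# Show the resulting Allow/Deny enforcement state.
Get-DhcpServerv4FilterList -ComputerName $ComputerName
```

Run it once with `-WhatIf` and read the CSV before using `-Enforce`, because any device that held a lease during the learning period ends up on the allow list.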

But Really . . . Why Do I Need It?

Your job as a network administrator or consultant must start and finish with security in mind, so
taking advantage of these simple and free options to enhance your security profile should always be top
of mind. Some of these options (learning to use and deploy Group Policies) will require some study,
while others, such as Access Based Enumeration and MAC Address Filtering, are simple and fast to
deploy. So, take the time to make these options part of your security toolkit. And remember, we’ve
really just scratched the surface with these suggestions. Windows has a wealth of security options
built in that, if properly exploited, can give you a real leg up in your struggle to stay ahead of the
cretins out there. Learn them, plan it out, and use them!