OK. Well, the link I referred to should be a good start on account policy, but
below are some major points.
-- If not done already, create an account for each user in AD Users and
Computers and, for regular users, leave them in just the default Users group
and make sure they are not in the local Administrators group on their
workstation via individual or group membership unless you have a real need
for them to be in that group.
-- Check the membership of the Domain Admins, Administrators, Schema
Admins, and Enterprise Admins groups [assuming in a domain] to make
sure only authorized members are in those groups, and then have all
administrators in the domain change their passwords and never log on to an
"untrusted" domain machine with an account that has admin credentials in the
domain, as there may be keyboard loggers etc. installed there. Make sure the
Guest account is disabled on the domain controller in AD Users and Computers
and on any domain machine unless you specifically want it enabled. The Guest
account being enabled can let ANYONE access a share without authentication
if the resource has the Everyone group included in effective permissions.
-- Create a password policy suitable for your needs, but consider enabling
"password complexity" and setting a reasonable maximum age for passwords, and
implement a password lockout policy with a threshold of no less than ten
attempts and a lockout period of, say, ten minutes. I do not recommend setting
maximum password length to more than seven in your policy. Inform users of the
impending new password policy, including examples of what new passwords are
acceptable and when the deadline for the change is.
-- Check user account properties in AD Users and Computers to make sure
their account password is NOT set to "password never expires" unless that is
what you want, as they will not be subject to the maximum password age then. Also
consider limiting which domain computers they can log on to in their account
properties if it suits your business needs.
-- In the appropriate security policy (domain/OU/local), configure the user
rights assignments under Security Settings/Local Policies/User Rights Assignment
so that the right users/groups have the user rights "log on locally" and "access
this computer from the network". If normal users have no need to access other
domain workstations, remove the Everyone/Users group from "access this
computer from the network" so that only administrators and other privileged
accounts have access. Do NOT change the "access this computer from the
network" setting on the domain controller or in the DC Security Policy. Keep in
mind that in Local Security Policy the "effective" setting is what applies,
as domain/OU policy can override the same defined setting in local policy.
-- If users need access to shares, check the share permissions to see that
they are not excessive. By default the Everyone group has Full Control on a
newly created share. Usually you want to change that to Users with just Read
or Read/Change. NTFS permissions also work in conjunction with share
permissions for network users.
-- Enable auditing of account logon events on your domain controller, and of
logon events for success and failure on any domain computers offering shares
to domain users, being sure to increase the size of the Security log to at
least 5 MB. You can view the Security log in Event Viewer.
-- Let us know if you need more info, but this should get you off to a good
start. -- Steve
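Steve's checklist above, turned into a read-only audit script. This is an added example and not part of the original post; it assumes a current Windows host (PowerShell 5.1 or later) that is domain-joined, with the RSAT ActiveDirectory module and the built-in SmbShare and LocalAccounts modules available, so it would not run on the W2K workstations in the question, where the same checks are done by hand in AD Users and Computers and Computer Management. The default English group names and the output file name are assumptions. It only reports; it changes nothing.

```powershell
# Added example (not from the original post): report the items in the checklist.
# Assumptions: elevated session, domain-joined host, RSAT ActiveDirectory module
# installed, default English names for the built-in groups.
Import-Module ActiveDirectory

$domain   = Get-ADDomain
$findings = New-Object System.Collections.Generic.List[string]

# 1. Membership of the domain-wide admin groups. -Recursive expands nested groups,
#    which is how an unexpected account usually ends up with admin rights.
#    Schema Admins and Enterprise Admins only exist in the forest root domain,
#    so a lookup failure there is expected in a child domain.
$privGroups = 'Domain Admins', 'Administrators', 'Schema Admins', 'Enterprise Admins'
foreach ($g in $privGroups) {
    $members = Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue
    foreach ($m in $members) {
        $findings.Add("PRIV-MEMBER  $g : $($m.SamAccountName) ($($m.objectClass))")
    }
}

# 2. The built-in Guest account always has RID 501, so look it up by SID rather
#    than by name; a renamed Guest is then still found.
$guest = Get-ADUser -Identity "$($domain.DomainSID)-501"
if ($guest.Enabled) { $findings.Add("GUEST-ENABLED  $($guest.SamAccountName)") }

# 3. Enabled accounts flagged "password never expires" are exempt from the
#    maximum password age in the policy.
Get-ADUser -Filter 'PasswordNeverExpires -eq $true -and Enabled -eq $true' |
    ForEach-Object { $findings.Add("PWD-NEVER-EXPIRES  $($_.SamAccountName)") }

# 4. Default domain password and lockout policy.
$pol = Get-ADDefaultDomainPasswordPolicy
if (-not $pol.ComplexityEnabled) {
    $findings.Add('POLICY  password complexity is disabled')
}
if ($pol.MaxPasswordAge -eq [TimeSpan]::Zero) {
    $findings.Add('POLICY  maximum password age is 0 (passwords never expire)')
}
if ($pol.LockoutThreshold -eq 0) {
    $findings.Add('POLICY  account lockout is disabled (threshold 0)')
}

# 5. Share permissions on this host. A newly created share grants Everyone
#    Full Control; with Guest enabled that is unauthenticated access.
Get-SmbShare -Special $false | ForEach-Object {
    $share = $_.Name
    Get-SmbShareAccess -Name $share |
        Where-Object { $_.AccountName -eq 'Everyone' -and $_.AccessControlType -eq 'Allow' } |
        ForEach-Object { $findings.Add("SHARE  $share : Everyone has $($_.AccessRight)") }
}

# 6. Local Administrators on this machine (direct and via domain group).
#    Run per workstation, or wrap in Invoke-Command for the fleet.
Get-LocalGroupMember -Group 'Administrators' | ForEach-Object {
    $findings.Add("LOCAL-ADMIN  $env:COMPUTERNAME : $($_.Name) ($($_.PrincipalSource))")
}

# 7. Security log size against the 5 MB floor suggested above.
$secLog = Get-WinEvent -ListLog Security
if ($secLog.MaximumSizeInBytes -lt 5MB) {
    $findings.Add("LOG  Security log maximum is $($secLog.MaximumSizeInBytes) bytes")
}

# Output file name is an assumption; change to suit.
$findings | Sort-Object | Out-File -FilePath .\account-audit.txt
$findings
```

Run it once before changing anything to get a baseline, then again after the policy change. Items 1 to 4 need only the AD module and can be run from any admin workstation; items 5 to 7 report on the machine the script runs on, so for a file server run it there.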
wetbehindears said:
Steve,
We have about 55 users with all W2K workstations. We are trying to tighten
up security with logging in. Right now we have absolutely no security
whatsoever, and my responsibility is to change that.