Re: Best Practices for deploying Windows 2000 in Remote Sites
From: Dusko Savatovic (savatovic.removespam_at_hotmail.com)
Date: 06/23/04
- Next message: New Admin: "Help with documentation"
- Previous message: Erik Szewczyk: "RE: DSN and ODBC"
- In reply to: silvy: "Re: Best Practices for deploying Windows 2000 in Remote Sites"
- Messages sorted by: [ date ] [ thread ]
Date: Wed, 23 Jun 2004 09:49:33 +0200
Yes,
other guys are right. Physical security is number 1 requirement in all
scenarios.
Imagine this.
Your server has system disk configured as mirror.
Your server has hot-plug disks to speed up recovery, replacements etc.
A Black Hat (probably an inside employee) comes to remote office on Friday
afternoon and steals one hard disk (half of a mirror).
Since remote office is closed during weekend, you don't have anybody to call
until Monday morning.
On Monday morning, Black Hat returns to work and replaces stolen disk as if
nothing happened.
The chances are that within several hours, the mirror will be resynchronized
and the theft might end up unnoticed.
In the meantime, Black Hat has taken copy of your system disk which
contains complete AD database.
He/she can run password cracking program like l0phtcrack LC4.
If you are interested in security recommendation guides, you can find many on
this web site:
http://nsa2.www.conxion.com/win2k/download.htm
It is also good practice to keep an eye on various security related web
sites and news groups.
Dusko Savatovic
"silvy" <silvy@discussions.microsoft.com> wrote in message
news:9A0902A1-9A23-4976-9EBB-A72AD4ED6F7C@microsoft.com...
> Thanks everyone.
>
> Security is definitely a problem in small sites like ours. Hence was
> worried on the network performance if DC's and other critical servers are
> housed in main/head office.
>
> In the meanwhile, I'll review the suggestions/documentations as suggested
> by Dusko. If you guys are aware of any registry settings changes
> (knowledgebase/technet articles) on the Win2k workstation/member server which
> can improve network performance over the VPN (quick fix if we have
> performance related issues) kindly let me know.
>
> Thank you,
>
> Silvester
>
> "Erik Szewczyk" wrote:
>
> > Agreed. I was sweating reading this thread up until now :)
> >
> > Maintaining good physical security of your DCs should be a very high
> > priority.
> >
> > -Erik
> >
> > "Oli Restorick [MVP]" wrote:
> >
> > > > Just one thing to add to that. If you place a DC in a remote office, you
> > > > have to be sure of its security. If someone nicks a DC, you have a problem
> > > > and it's time to reset all passwords in the domain, at the very least.
> > >
> > > Oli
> > >
> > >
> > >
> > > "Dusko Savatovic" <savatovic.removespam@hotmail.com> wrote in message
> > > news:uHAmjmFVEHA.716@TK2MSFTNGP11.phx.gbl...
> > > > > I would personally install DC, DNS, DHCP, WINS and Terminal Services in
> > > > > Admin mode on the server in remote location. Since you are adding a server
> > > > > anyway, it implies that infrastructure is already in place. And modern
> > > > > servers can handle extra load without problems.
> > > >
> > > > > Anyway, I suggest you read deployment guide in Win2k resource kit.
> > > >
> > > > > Planning, testing, documenting, managing, maintaining are necessary steps
> > > > > in any project like this. Even if it looks small at the beginning and not
> > > > > worth the effort. But you will win in the long run.
> > > >
> > > > I'd personally write a policy:
> > > > > 1. Site policy. Any site with more than n-number of employees should have
> > > > > a DC etc
> > > > > 2. Hardware policy. Each server having DC role should have mirrored system
> > > > > disk etc.
> > > > 3. Antivirus policy
> > > > 4. Backup (disaster recovery) policy
> > > > 5. User policy
> > > > 6. Support routes
> > > > 7. Exchange, e-mail policy
> > > > 8. Communications policy (x Mbps per n employees) etc
> > > >
> > > > And so on.
> > > >
> > > > > When you have all on paper (or spreadsheet), everything will fit in nicely
> > > > > (hopefully).
> > > > > Since you are doing this job professionally, I'd suggest you go for MCSE
> > > > > certificate. You may start by looking for a training kit that addresses
> > > > > design of Windows network infrastructure.
> > > >
> > > > Dusko Savatovic
> > > >
> > > > "silvy" <silvy@discussions.microsoft.com> wrote in message
> > > > news:D6512720-0E0D-42F6-BB98-3DA8ABDB8A63@microsoft.com...
> > > >> Hi,
> > > >>
> > > > >> I've a situation whereby the main office houses all the critical Servers
> > > > >> for the company which includes Windows 2000 DC's, DNS, Exchange 2000
> > > > >> Server and File and Print Services.
> > > >>
> > > > >> We have opened a new remote site (20 users) which is connected by VPN (via
> > > > >> internet) to this main office. The Remote site currently has only desktops
> > > > >> (domain mode) and are authenticated by the DC's in the main office via the
> > > > >> VPN link (email access is also done remotely via VPN). There are no
> > > > >> administrators in the remote site.
> > > >>
> > > > >> We wish to provide file and print services to this remote site by
> > > > >> installing a File & Print Server at that site (to provide better access to
> > > > >> resources) but would like to reduce the overhead of installing DC's, DNS,
> > > > >> Server maintenance and at the same time would like to provide reasonable
> > > > >> performance to these remote users.
> > > >>
> > > > >> What would be the best and most economical way to accomplish this?
> > > > >> Having a dedicated link between the sites is too expensive and business
> > > > >> cannot afford.
> > > >
> > > >
> > >
> > >
> > >
- Next message: New Admin: "Help with documentation"
- Previous message: Erik Szewczyk: "RE: DSN and ODBC"
- In reply to: silvy: "Re: Best Practices for deploying Windows 2000 in Remote Sites"
- Messages sorted by: [ date ] [ thread ]