Re: windows groups and users
- From: "Ace Fekay [MVP]" <PleaseSubstituteMyActualFirstName&LastNameHere@xxxxxxxxxxx>
- Date: Sat, 20 Aug 2005 12:14:33 -0400
In news:BA534F12-3EBA-4BD7-BCB6-FA49529F7449@xxxxxxxxxxxxx,
Joe <Joe@xxxxxxxxxxxxxxxxxxxxxxxxx> made this post, which I then commented
about below:
> Hi,
> Said I would help set up a Win 2003 server for someone, but to be honest
> Windows machines are not my expertise. He wants to make it as
> secure as it can be. There are many different types of user and group
> accounts and he only wants to keep the most essential of accounts, i.e.
> he doesn't want to be locked out of the machine. Other than the admin
> account and group and enterprise group, is there any other user
> accounts or groups he must keep in order to log in to the Win2003
> server so as not to lock himself out?
>
> P.S. He wants to use Terminal Services admin, so does he need the TS
> accounts?
>
> Many thanks
These are default user and group accounts you want to delete. For security,
I would look at other facets to lock down. Keep in mind, it doesn't matter
what accounts exist, including the Admin accounts, since an attacker, if
they can gain any sort of access thru easily available tools (such as
Metasploit), they can enumerate the SIDs and figure out which accounts are
admin by the -500 suffix on the SID.
Your best bet, and best practice, is to make sure you stay up to date with
all security hotfixes and updates to ensure any known exploitable
vulnerabilities are shut down or addressed. Keep a low or non-existent port
profile from the Internet from any internal machine, especially the DCs.
Firewalls, especially ISA or any other security appliance, are advised to be
implemented.
You can run the MBSA as a security scanner. There are many third party tools
available as well, such as eEye's Internet Security Scanner. You can use a
tool such as Fport (www.foundstone.com) that will scan your machine for open
ports and what app is listening on each port. The IIS lockdown tool and URL
scan are important as well.
There are many more security concerns to look at. Visit:
http://www.microsoft.com/security/default.mspx
for more information on what to look for. There are other sites on the
Internet that will actually tell you exactly what tools attackers are using
and how to protect yourself from them.
--
Regards,
Ace
Please direct all replies ONLY to the Microsoft public newsgroups
so all can benefit.
This posting is provided "AS-IS" with no warranties or guarantees
and confers no rights.
Ace Fekay, MCSE 2003 & 2000, MCSA 2003 & 2000, MCSE+I, MCT, MVP
Microsoft Windows MVP - Windows Server - Directory Services
Infinite Diversities in Infinite Combinations.
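
The point above about the -500 suffix, as an added example that is not part of the original post: a defender-side audit that decodes binary SIDs (the form stored in a directory's objectSid attribute) and flags well-known privileged accounts and groups by RID, ignoring display names. The account names, the domain identifier and the `make_sid` helper are constructed for illustration.

```python
import struct

# Well-known relative IDs (RIDs) under a machine or domain SID (S-1-5-21-...).
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest",
                   512: "Domain Admins", 519: "Enterprise Admins"}
# Well-known aliases in the BUILTIN domain (S-1-5-32-...).
BUILTIN_ALIASES = {544: "BUILTIN\\Administrators",
                   555: "BUILTIN\\Remote Desktop Users"}

def sid_to_string(raw: bytes) -> str:
    """Decode a binary SID to its S-1-... string form."""
    if len(raw) < 8:
        raise ValueError("SID too short")
    revision, count = raw[0], raw[1]
    if revision != 1 or count > 15 or len(raw) != 8 + 4 * count:
        raise ValueError("malformed SID")
    authority = int.from_bytes(raw[2:8], "big")    # 48-bit, big-endian
    subs = struct.unpack("<%dI" % count, raw[8:])  # 32-bit, little-endian
    return "-".join(["S", str(revision), str(authority), *map(str, subs)])

def classify(sid: str):
    """Return the well-known role for a SID, or None. Names play no part."""
    parts = sid.split("-")
    subs = [int(p) for p in parts[3:]]
    if parts[2] == "5" and subs[:1] == [21] and len(subs) == 5:
        return WELL_KNOWN_RIDS.get(subs[-1])
    if parts[2] == "5" and subs[:1] == [32] and len(subs) == 2:
        return BUILTIN_ALIASES.get(subs[-1])
    return None

def audit(accounts):
    """accounts: iterable of (display_name, binary_sid); returns flagged rows."""
    return [(name, sid_to_string(raw), role) for name, raw in accounts
            if (role := classify(sid_to_string(raw)))]

def make_sid(*subs):
    """Hypothetical helper: build a constructed sample SID under authority 5."""
    return (bytes([1, len(subs)]) + (5).to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))

DOMAIN = (21, 1004336348, 1177238915, 682003330)  # constructed identifier
SAMPLE = [("svc_backup2", make_sid(*DOMAIN, 500)),  # renamed Administrator
          ("jsmith", make_sid(*DOMAIN, 1104)),      # ordinary user
          ("Tier0-Ops", make_sid(*DOMAIN, 512)),    # renamed Domain Admins
          ("Administrators", make_sid(32, 544))]

if __name__ == "__main__":
    for name, sid, role in audit(SAMPLE):
        print(f"{name:15} {sid:45} {role}")
```

The renamed account `svc_backup2` is still reported as the built-in Administrator, which is why renaming or pruning default accounts is not a substitute for patching and reducing exposed services.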