Advice on Secureing a Windows Server 2003 Network....

[>Dart>]

Alright...sorry I could not post back faster...been having a lot going on. Iv learned a little more about the company...all the employees files are mostly in the My Docs folder on ALL the computers. I talked to the manager about "regulations" and he says he does not know of any. None of the HDs are encrypted I found out...the company seems like it was put together slapdash....but im working with what I can. I made each person a account on the server and assigned them there own share with a users group share for collaboration, like some of you suggested. Works great. Also I dont think they can pay even one person $20,000 a year...the company works hard to save a cent I found out.

I had my first Disaster on Thursday. Well after determining that they did not need AD (I think) I rolled it back to give the server more resources....I got a call back a on Friday saying the server was randomly shutting down....? I went back to the office and looked a the event logs and it said something like "Is not a domain controller thus voiding the EULA, Server shutting down in 30 minutes." What the heck?

Well I solved it by reinstalling AD...well just leave the workstations/laptops as a Workgroup...bad news is the broke Sharepoint and crashed the Embedded SQL thing that it was running off of....By playing with service permissions I got the SQL service to start back up but Sharepoint still threw out errors. I did some MS reserach and found that it was a documented bug...and tried there workaround but as I thought it failed miserably....I had to do a reformat.

A day later were back up and running. Sharepoint gave me a ton load of errors during the install...worked fine the first time and it took most of the time getting that up and going...had to find a hotfix on MS website. I got rid of the shares...I made one backup Share and made a batch file to copy the documents and desktop folders to a corresponding folder for the employee and then a batch script to copy that backup folder to a pen drive for the manager. Thats what they can use for backup. The manager installed a Time Clock program on the server and the only things its used for is Sharepoint, Time Clock, and Backup...and now the server is not rebooting.

I got the manager to sign up for 3 months for Godaddy....He wants to host it himself to save $$$ But im realllly trying to get him to host it somewhere else...but I looked at IIS lockdown, a DMZ support and VMWare and encrypting HDs (Depends how it will impact the backup setup). Also ill make him buy like Norton 360 or something for the web server.

So theres a update...

[lupin]

Is not a domain controller thus voiding the EULA, Server shutting down in 30 minutes.

Have to love Microsoft licensing. It bites paying customers in the ass without causing much of an issue for the pirates.

Well I solved it by reinstalling AD...

If you have to have AD you may as well use it, it will give benefits in terms of easier system management.

I made one backup Share and made a batch file to copy the documents and desktop folders to a corresponding folder for the employee and then a batch script to copy that backup folder to a pen drive for the manager. Thats what they can use for backup.

Do they take the USB off site so it wont burn up in an office fire? Is the USB encrypted so it cant be read when it gets lost or stolen? Do the backups get tested on a regular basis? Backups are the one thing you do NOT want to get wrong.

The manager installed a Time Clock program on the server

Installing random bits of software on your server is not a great move.

I got the manager to sign up for 3 months for Godaddy....He wants to host it himself to save $$$ But im realllly trying to get him to host it somewhere else...

Ask him what the impact of any of the following would be on his business:

• Malware is distributed to clients from the companies website
• Website is defaced, the content deleted or website otherwise make unavailable for extended period
• The website experiences a DOS attack, potentially affecting access to the website, Internet and email access for the company and/or affecting the performance of their file server (because its installed on the same physical machine)
• Data stored on the company file server is stolen and provided to a competitor, leaked or deleted

If any of those will cause a significant impact to the business, the he should host the website at a hosting provider. Judging by the description you've given, these systems are just waiting to get owned, so minimise risk by outsourcing high risk activities like Internet facing websites.

The only time that a website should be hosted under the conditions you have described is when the website doesn't matter and nothing on the server or the machines it can directly access is important.

[imported_chrisso]

Yeah, SBS isnt a fan of having itself demoted from DC to workgroups. Thank GOD I did a little research on that before doing the exact same thing. Usually I just do it, and pay for it later. Glad im moving past that!

If your boss does the Domain deal in house, he can surely start using Exchange which I find has a bunch of cool features for small to Medium Business. Even more so now that everyone and their uncles have a damn iPhone. Though I do agree with Lupin, hosting a site in house under the same Static IP, on the same server as EVERYTHING else, is just begging to have someone kick you to the curb. I wouldnt do it. Besides, there are plenty of places you can find stupid cheap web hosting deals.

As for Norton 360, I personally would stay away from it on a server environment! This is just my personal belief, however Ive seen that program create alllll kinds of havoc, by slowing down resources. And no telling what it would do with a server actively using SQL. I myself would recommend something like AVG business, either network or internet on the server.

Just my 2cents.

-Chrisso

[Thorn]

...

As for Norton 360, I personally would stay away from it on a server environment! This is just my personal belief, however Ive seen that program create alllll kinds of havoc, by slowing down resources. And no telling what it would do with a server actively using SQL. I myself would recommend something like AVG business, either network or internet on the server.

If you want a Symantec product, you really want Symantec Enterprise on an SBS server; not Norton 360.

[Archangel-Amael]

If you want a Symantec product, you really want Symantec Enterprise on an SBS server; not Norton 360.

I ran Norton enterprise 8 for a long time. I never had a problem with it on any of my servers. It was easy to setup and maintain.

[imported_chrisso]

Symantec Enterprise worked great on a sbs server in Dallas I manage. However, the dang thing didnt uninstall very easy when we moved on past it.

But it did infact run great. Used very few resources, and never bothered you unless you managed to really foul up your system. I can say that it had the beset server management console I have seen yet on a server, regarding Antivirus, etc.

-Chrisso

[Thorn]

Symantec Enterprise worked great on a sbs server in Dallas I manage. However, the dang thing didnt uninstall very easy when we moved on past it.

But it did infact run great. Used very few resources, and never bothered you unless you managed to really foul up your system. I can say that it had the beset server management console I have seen yet on a server, regarding Antivirus, etc.

-Chrisso

McAfee's enterprise level AV isn't bad either. I have it running on a client's SBS setup. The management console is pretty easy to use, although I prefer Symantec's.