This document is an initial quick-start guide, intended for beginning system administrators all over the world. Its purpose is to unite and form an alliance against attackers worldwide, so what I ask of you is to submit your comments and ideas for helping out system administrators who are new to the field. The more information we can bring each other, the safer we are in an online world.
Note: this is a one-night write-up; additional information can be added or commented on by you.
The goal is to make it generally usable with leading technologies.
Starter points for a System Administrator to consider
Let’s begin from our start point to eventually your end users.
Your Internet connection / Internal Network
Do a port scan of your company's public address from outside (for example from your home connection) and see if any unusual ports have been left open. Only scan addresses you are responsible for.
- Use the nmap GUI for Windows (Zenmap) and perform an "Intense scan" (the equivalent of nmap -T4 -A -v <address>).
- Do not expose unencrypted services such as HTTP (80) or FTP (21) to the internet. Use HTTPS (443) and SSH/SFTP (22) instead, and close everything that has no business reason to be reachable from outside.
Reconsider your router/firewall/switch environment and the devices attached to it, and decide whether you need VLANs.
Determine your needs based on the following article:
Provide access to the internet and divide your network into several segments.
ISP1 (local subnet 1) 10.0.0.0/23
ISP2 (local subnet 2) 10.0.2.0/23
For ISP1 you set a DHCP scope and route those clients via the ISP1 gateway.
For ISP2 you set a DHCP scope and route those clients via the ISP2 gateway.
- Or you make ISP2 the failover connection for when ISP1 goes down.
Make a primary network for your clients: 10.0.0.0/23
Make a secondary network for your clients: 10.0.2.0/23 (or one 10.0.0.0/22 that covers both)
Make a third network for your printers (no internet): 10.0.4.0/24
Make a fourth network segment for the guest VLAN: 10.0.6.0/23 (internet only, no access to the corporate network)
Make a fifth subnet for mobiles (which should not be on the corporate network): 10.0.8.0/23
- Mind the prefix boundaries: a /23 has to start on an even third octet (10.0.6.0, not 10.0.5.0), otherwise the block silently starts one subnet earlier and overlaps its neighbour.
- If there are developers you can give them access to a specific network segment via firewall rules. In that case make a DHCP reservation and a DNS record for their machines, so the rule matches a fixed address.
Make a sixth network for your IT VLAN (management access to all of the above)
Make a seventh network for your servers: 10.0.10.0/24
Refer to your supplier's documentation (Cisco, HP, Fortinet, etc.) on how to set this up.
Refer to your supplier on how to allow or deny traffic between VLANs.
Refer to your supplier on how to set up VPN access and allow access to company services.
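As an added example (not part of the original guide), a small PowerShell check for an address plan like the one above. It flags prefixes that do not start on a block boundary and subnets that overlap, which is exactly how a mis-typed /23 ends up clashing with the printer subnet. The plan embedded in it is constructed here and deliberately contains a misaligned guest and mobile subnet to show what the warnings look like; the function names are mine, and nothing in it depends on your switches.

```powershell
# Added example (not from the original guide): sanity-check an address plan before it
# goes on the switches. Runs on Windows PowerShell 3 or later, no modules required.
function ConvertFrom-Dotted ([string]$Ip) {
    # dotted quad -> unsigned integer, using plain arithmetic to avoid signed-int surprises
    $n = [uint64]0
    foreach ($b in [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()) { $n = $n * 256 + $b }
    return $n
}
function ConvertTo-Dotted ([uint64]$N) {
    $octets = foreach ($shift in 24, 16, 8, 0) { [int](($N -shr $shift) % 256) }
    return ($octets -join '.')
}
function Get-SubnetInfo ([string]$Cidr) {
    $addr, $prefix = $Cidr -split '/'
    $prefix  = [int]$prefix
    $size    = [uint64]1 -shl (32 - $prefix)      # addresses in the block, e.g. 512 for a /23
    $given   = ConvertFrom-Dotted $addr
    $network = $given - ($given % $size)          # the block a router will actually use
    [pscustomobject]@{
        Cidr    = $Cidr
        Aligned = ($network -eq $given)           # $false for 10.0.5.0/23
        Actual  = '{0}/{1}' -f (ConvertTo-Dotted $network), $prefix
        Start   = $network
        End     = $network + $size - 1
    }
}
function Test-AddressPlan ([hashtable]$Plan) {
    $subnets = foreach ($name in $Plan.Keys) {
        Get-SubnetInfo $Plan[$name] | Add-Member NoteProperty Name $name -PassThru
    }
    foreach ($s in ($subnets | Where-Object { -not $_.Aligned })) {
        Write-Warning ('{0}: {1} is not on a /{2} boundary; devices will treat it as {3}' -f `
            $s.Name, $s.Cidr, ($s.Cidr -split '/')[1], $s.Actual)
    }
    $list = @($subnets)
    for ($i = 0; $i -lt $list.Count; $i++) {
        for ($j = $i + 1; $j -lt $list.Count; $j++) {
            # two ranges overlap when each one starts before the other ends
            if ($list[$i].Start -le $list[$j].End -and $list[$j].Start -le $list[$i].End) {
                Write-Warning ('{0} ({1}) overlaps {2} ({3})' -f `
                    $list[$i].Name, $list[$i].Actual, $list[$j].Name, $list[$j].Actual)
            }
        }
    }
    $list | Select-Object Name, Cidr, Aligned, Actual
}

# Constructed plan (not the guide's): guest and mobiles are deliberately misaligned.
$plan = @{
    'Clients primary'   = '10.0.0.0/23'
    'Clients secondary' = '10.0.2.0/23'
    'Printers'          = '10.0.4.0/24'
    'Guest'             = '10.0.5.0/23'   # really 10.0.4.0/23, collides with the printers
    'Mobiles'           = '10.0.7.0/23'   # really 10.0.6.0/23
    'Servers'           = '10.0.10.0/24'
}
Test-AddressPlan $plan | Format-Table -AutoSize
```

Feed it the plan as you intend to configure it; once it prints no warnings, every block starts where you think it does and no VLAN shares addresses with another one.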
Cool your hardware with regulated air conditioning. A constant temperature matters more than a cold one; keep the intake air at or below about 27-28 degrees Celsius.
A constant temperature prolongs the lifetime of your hardware and prevents condensation.
Uninterruptible Power Supply
Provide a UPS for your hardware. It prolongs the lifetime of the hardware and its components by absorbing regular outages and power spikes, and it gives you time to shut servers down cleanly.
Network - Patching - Connections
Use coloured cables (black/blue) for your clients from patch panel to switch.
Keep the order of patch panel ports and switch ports the same: patch panel port 1-1-1 in switch port GigabitEthernet 0/1, patch panel port 1-1-25 in GigabitEthernet 0/25.
Use a different colour set for your internet connection and yet another colour for your servers. Label your server cables.
Router / Firewall / Switches
- Never use the factory-default subnet with the gateway at 192.168.1.1.
- If a router with its default configuration is connected to your network for testing, it will answer with the same gateway address (and possibly hand out DHCP leases), and your internet will go down.
- The same applies to the 10.0.0.1/24 default range.
Harden the devices themselves:
- Disable Telnet (it sends credentials in clear text) and use SSH for management.
- Set passwords for your devices.
- Set enable (privileged mode) passwords for your devices; on Cisco IOS use enable secret, which stores a hash instead of the plain password.
- Add a disclaimer to the login prompt (banner login / banner motd on Cisco IOS).
General rule: export your settings!!! Before and after!!!
General rule to ensure you can keep things running:
Always export your settings.
Always keep a backup:
- a backup before the change, and
- a backup after the change.
Basic Domain Setup / Active Directory / DHCP / DNS
Always keep your servers up to date. You do not need to buy a licence the day a product is released; wait at least 6 months, by which time most functions have been updated and secured after the initial release.
Get Started with Windows Server 2016
Set up Active Directory following Microsoft's best practices
Step-By-Step: Setting up Active Directory in Windows Server 2016
Group Policy Settings Reference for Windows and Windows Server (Recommendations)
Set up DHCP following Microsoft's best practices
Step-by-Step: Configure DHCP Using Policy-based Assignment
Set up DNS following a best practice
Set up a file share
Do not touch the firewall profiles and predefined rules on your domain controllers! Period. Active Directory depends on its predefined rule groups (Kerberos, LDAP, DNS, RPC) to replicate and authenticate.
Do make a GPO Advanced Firewall policy that allows ICMPv4 and Remote Desktop on the domain profile only, scoped to the IP range of the allowed internal network (this could be the IT VLAN).
Block inbound traffic by default on the public and private profiles, and do not allow those rules there.
On other servers, such as file servers, make sure the File and Printer Sharing rules apply to the domain profile only. Disable or block the public and private rules.
On web servers that do not need to be reached from outside, allow the internal IP range only.
- Filter on IP range (the remote address scope of the rule) whenever possible!
Basic knowledge of Windows Server firewalls.
Most companies are afraid to use the Windows built-in firewall.
My recommendation is to enable it after some investigation.
- Know what services are running and on which ports.
You can list the listening ports and the owning process with netstat -ano in cmd (or Get-NetTCPConnection in PowerShell).
When you have summarised all the ports you know are required, put them in a GPO (local or domain) and publish it to that server. This way the rules cannot be altered, disabled or overwritten by a "Restore Default Policy" or by user interference.
- You could restore the default firewall policy in the Advanced Firewall settings: select the top (root) node > Actions > Restore Default Policy (do not do this just yet).
The best practice is to export the current firewall policy (if you have already enabled it and opened ports) and import it into the Advanced Firewall policy of the GPO.
Delete all the basic Windows built-in rules you do not need and leave the custom ports enabled.
Extra considerations for Windows firewalls
- Standard Windows features and roles that need a port opened get their rules enabled when you restore the default policy (except perhaps WDS, which needs additional ports depending on the setup).
- Remote Desktop and File and Printer Sharing are disabled by default.
- Make a general GPO Advanced Firewall policy for all your servers on the domain profile, not public/private, for the services mentioned.
- When you mix Server 2016 and Server 2008 R2 you will hit an incompatibility: the predefined Remote Desktop rule created on 2016 ("Remote Desktop - User Mode") is tied to the svchost/TermService process, while on 2008 R2 the RDP listener still runs in the kernel, so that rule does not match there.
- In that case open TCP and UDP port 3389 with a custom port rule (not one from the built-in list) so the server is reachable again.
After all considerations have been implemented you can run gpupdate /force on the server to see if it works for you. To be on the safe side, make sure you have physical or out-of-band console access (iLO/iDRAC/KVM) to the servers you plan to do this on, in case you lock yourself out.
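As an added PowerShell example (not from the original guide), the procedure above carried out on one server: inventory what is listening and which process owns it, export the policy, create domain-profile rules for ICMPv4 and RDP scoped to the IT VLAN, lock down the private and public profiles, and export again for import into the GPO. The IT VLAN address 10.0.12.0/24 and the C:\Temp export path are assumptions; the cmdlets and the netsh command exist on Server 2012 and later, and the script must run elevated.

```powershell
# Added example (not from the original guide). Assumptions: the IT VLAN is 10.0.12.0/24
# and rules are created locally first, so they can be tested before going into the GPO.
$ItVlan = '10.0.12.0/24'
New-Item -ItemType Directory -Path 'C:\Temp' -Force | Out-Null

# 1. What is listening, and which process owns it? Replaces guessing at port lists.
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort -Unique |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Port    = $_.LocalPort
                Address = $_.LocalAddress
                Process = $proc.ProcessName
                Pid     = $_.OwningProcess
            }
        }
}
Get-ListeningPorts | Format-Table -AutoSize

# 2. General rule: export before the change.
netsh advfirewall export 'C:\Temp\firewall-before.wfw' | Out-Null

# 3. Allow ping (ICMPv4 echo request, type 8) and RDP only from the IT VLAN, only on the Domain profile.
New-NetFirewallRule -DisplayName 'Mgmt - ICMPv4 from IT VLAN' -Direction Inbound -Protocol ICMPv4 -IcmpType 8 `
    -RemoteAddress $ItVlan -Profile Domain -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Mgmt - RDP TCP from IT VLAN' -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $ItVlan -Profile Domain -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Mgmt - RDP UDP from IT VLAN' -Direction Inbound -Protocol UDP -LocalPort 3389 `
    -RemoteAddress $ItVlan -Profile Domain -Action Allow | Out-Null

# 4. Private and Public: firewall on, block everything inbound, and ignore locally defined rules
#    (when the same setting is delivered by GPO, only the GPO rules count on those profiles).
Set-NetFirewallProfile -Profile Private, Public -Enabled True -DefaultInboundAction Block -AllowLocalFirewallRules False
Set-NetFirewallProfile -Profile Domain -Enabled True -DefaultInboundAction Block

# 5. On a server that does not serve files (a web server, say), switch the predefined group off entirely.
# Disable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# 6. Export after the change. Import the .wfw in the GPO under Computer Configuration > Policies >
#    Windows Settings > Security Settings > Windows Firewall with Advanced Security > Import Policy.
netsh advfirewall export 'C:\Temp\firewall-after.wfw' | Out-Null
Get-NetFirewallRule -DisplayName 'Mgmt - *' | Format-Table DisplayName, Profile, Enabled, Action -AutoSize
```

Run step 1 first and compare its output against what the server is supposed to do; anything listening that you cannot explain is a question for the application owner, not a port to open.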
General Security Rules
Disable the SMBv1 protocol via a domain GPO computer startup script. The batch script below does it; restart the machine afterwards:
:: Description: Script to disable the SMBv1 protocol (the protocol abused by the WannaCry / WannaCrypt ransomware)
:: Remarks: Restart the system after the script has executed successfully
:: Configuration Type - COMPUTER
:: ===================================================================
:: Server side: stop the LanmanServer service from offering SMBv1
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMB1" /t REG_DWORD /d 0 /f
:: Client side: let the workstation service depend on the SMBv2 driver only, then disable the SMBv1 driver
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Disable LM and NTLMv1 and switch to NTLMv2 only: set the GPO "Network security: LAN Manager authentication level" to "Send NTLMv2 response only. Refuse LM & NTLM".
Set UAC to at least the default level (the second notch from the top: "Notify me only when apps try to make changes to my computer"); never "Never notify".
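An added PowerShell example (not from the original guide) that reports and applies the three settings above on one server, so you can see their effect before rolling them out by GPO. It assumes Windows Server 2012 R2 or later (for the Smb cmdlets) and an elevated prompt; the registry values and GPO names are Microsoft's, the function name is mine.

```powershell
# Added example (not from the original guide): SMBv1 off, NTLMv2 only, UAC at least default.
# Run elevated on Server 2012 R2 / Windows 8.1 or later; a restart is needed afterwards.
function Get-HardeningState {
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $uac = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $mrx = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1Server           = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1ClientDriverStart = $mrx.Start                     # 4 = disabled
        LmCompatibilityLevel = $lsa.LmCompatibilityLevel        # 5 = send NTLMv2 only, refuse LM and NTLM (unset = OS default)
        EnableLUA            = $uac.EnableLUA                   # 1 = UAC on
        ConsentPromptAdmin   = $uac.ConsentPromptBehaviorAdmin  # 5 = default level, 2 = always notify, 0 = never notify
    }
}

'Before:'; Get-HardeningState | Format-List

# SMBv1: server side via the SMB cmdlet, client side by unhooking the driver
# (the same sc.exe commands as the guide's batch script).
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
sc.exe config mrxsmb10 start= disabled | Out-Null
# Windows 10 / Server 2016 and later: also remove the optional feature so it cannot come back.
if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart -ErrorAction SilentlyContinue | Out-Null
}

# NTLM: GPO "Network security: LAN Manager authentication level".
# Level 4 already refuses LM; move to 5 once the Security log shows no 4624 logons with
# "Package Name (NTLM only): NTLM V1" from devices you still need.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Type DWord -Value 5

# UAC: on, and never at "never notify" (ConsentPromptBehaviorAdmin 0 elevates without asking).
$uacPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uacPath -Name EnableLUA -Type DWord -Value 1
if ((Get-ItemProperty -Path $uacPath).ConsentPromptBehaviorAdmin -eq 0) {
    Set-ItemProperty -Path $uacPath -Name ConsentPromptBehaviorAdmin -Type DWord -Value 5
}

'After (restart required for the SMBv1 client driver and LmCompatibilityLevel):'; Get-HardeningState | Format-List
```

Keep the "Before" output: if an old printer or NAS stops authenticating after the change, the LmCompatibilityLevel line tells you what to roll back to while you replace the device.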
Use DFS shares (a namespace hides the server name, so you can move or replace a file server without touching the users' mapped drives).
Deploy DFS in Windows Server 2012 R2 (also applies to Server 2016)
DFS Namespaces and DFS Replication Overview
Audit events for GDPR
Scenario: Get Insight into Your Data by Using Classification
Use the Microsoft Data Classification Toolkit
Best Practices Audit Policy Recommendations.
Auditing File Access on File Servers
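To go with the auditing links above, an added PowerShell example (not from the original guide) that switches on file-system auditing for one share, puts a SACL on it for writes and deletes, and then reads the resulting 4663 events back as a table. The share path D:\Shares\Finance, the 24-hour window and the function name are assumptions; the audit subcategory, the SACL rights and the event ID are Windows'. Run it elevated on the file server.

```powershell
# Added example (not from the original guide): audit writes and deletes on one share.
# Assumption: the share root is D:\Shares\Finance. Reads are left out on purpose, because
# auditing ReadData on a busy file server floods the Security log.
$SharePath = 'D:\Shares\Finance'

# 1. Enable the Object Access > File System subcategory (in a GPO: Advanced Audit Policy Configuration).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL on the folder: successful and failed write/delete/permission changes by anyone, inherited downwards.
$ruleArgs = @(
    'Everyone',
    'WriteData, AppendData, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',  # FileSystemRights
    'ContainerInherit, ObjectInherit',   # InheritanceFlags
    'None',                              # PropagationFlags
    'Success, Failure'                   # AuditFlags
)
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule -ArgumentList $ruleArgs
$acl  = Get-Acl -Path $SharePath -Audit
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Who touched what? 4663 = "An attempt was made to access an object".
function Get-FileAccessEvents {
    param([string]$Path, [datetime]$Since = (Get-Date).AddDays(-1))
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = $Since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            if ($d.ObjectName -like "$Path*") {
                [pscustomobject]@{
                    Time    = $_.TimeCreated
                    User    = '{0}\{1}' -f $d.SubjectDomainName, $d.SubjectUserName
                    Object  = $d.ObjectName
                    Access  = $d.AccessMask   # 0x2 = write data, 0x10000 = delete, 0x40000 = change permissions
                    Process = $d.ProcessName
                }
            }
        }
}
Get-FileAccessEvents -Path $SharePath | Sort-Object Time | Format-Table -AutoSize
```

Forward the Security log to a central collector (or your monitoring tool) before relying on this: a local Security log is the first thing an intruder with admin rights clears.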
- Always start out in a test environment!
- Tell users what you are going to do, and whether the tests have succeeded.
- Keep a roadmap on the intranet.
- Tell them what to expect.
- Give a timeframe.
- Ask for feedback.
- Be polite! Rude once, and you will never get another thing done with that user, nor with whoever he or she talks to about it.
- Document IT ALL. "I'll do it later" is a guarantee it will never be done. Count on it.
- Double your work estimates! Always! You will find time is scarce within ICT.
- Do hire an external supplier when you're in over your head. It's no shame! They will help you as long as you pay.
- Training: https://www.cbtnuggets.com/ (example).
- Incident report: https://sysadmincasts.com/episodes/20-how-to-write-an-incident-report-postmortem
Know your network / software / hardware
- Know when licences expire.
- Provide a cost estimate to your responsible team lead in time.
- Know when hardware is due to be replaced.
- Get an e-mail alert when NTFS errors occur.
- Be aware of any storage limits and quotas on your machines.
- Scan your network for shares from a machine outside your domain (for example with SoftPerfect Network Scanner on a Windows machine that is not domain-joined) and find your weaknesses: whatever it can see, an attacker with a foothold on your network can see too.
- Communication is key. Keep it short and readable!
- Make sure notifications are enabled in your endpoint security.
- Inform users about possible attacks via e-mail:
- Phishing mails.
- Responding to e-mails they never requested.
- Hyperlinks (mouse over them to check where they really go).
- Never pay by e-mail.
- Usernames and passwords are never to be requested via e-mail.
- Before replying to an e-mail, check the sender's real address (not just the display name) and use your common sense.
Mandatory software considerations
Implement a WDS/PXE server for deployment of your clients.
(at 3:20 in the video)
When a client is deployed, use UEFI with Secure Boot, enable WOL, and set a BIOS password.
Vendors such as HP, Dell and Lenovo provide tools to adjust BIOS settings from scripts, for example to enable the TPM that BitLocker needs.
Buy proper endpoint security / file server security.
Buy patch management software!!!
Patch, patch, PATCH!
ManageEngine Desktop Central (or only the patch management module)
- Deploy the patches you approve
- Deploy software
- Inventory reports
- Remote support
System Center Configuration Manager
Backup software for your servers / clients / data
Backup, backup, BACKUP!
Veritas Backup Exec
- 2 backup copies on premises,
- 1 in the cloud, or
- 1 portable encrypted / password-protected disk (swapped daily and taken off site, in case of a fire or water incident)
VM backup solution
Want to make changes to a device or server? Back up first! Seriously! And test a restore now and then; a backup you have never restored is only a hope.
Buy an SFTP server for access to your (online) servers: SFTP runs over SSH on port 22, not FTP on port 21, so credentials and files are encrypted in transit.
Recommended (cost vs functionality)
Additional automated SFTP tasks can be set up for about 50 euro.
Use a monitoring tool such as Paessler PRTG
https://www.paessler.com/prtg (the first 100 sensors are free)
Microsoft gallery for submitted scripts by IT Professionals
Apply BitLocker: full-disk encryption protects the data on lost or stolen devices and helps you meet EU laws such as the GDPR.
Top Reasons to Use BitLocker and BitLocker To Go
Set up MDT for BitLocker
Backing Up BitLocker and TPM Recovery Information to AD DS
Active Directory and BitLocker - Part 1: Introduction
MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013
How to make your existing BitLocker encrypted environment FIPS compliant
Best Practices for BitLocker in Windows 7
Here’s why BitLocker encryption is slower on Windows 10 than Windows 7
BitLocker frequently asked questions (FAQ)
How to Check Status of BitLocker Drive Encryption for Drive in Windows 10
Bitlocker and 1511 to 1607 Upgrade via WSUS?
Microsoft Bit-locker Administration & Monitoring (MBAM) - Prerequisites, Deployment Process & Testing - Part 1
Microsoft BitLocker Administration and Monitoring
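An added PowerShell example (not from the original guide or any of the linked articles) that enables BitLocker on the OS drive the way the links above describe: TPM protector, a recovery password, and the recovery information escrowed to AD DS before encryption starts, plus a status summary you can feed to monitoring. It assumes a domain-joined Windows 10 / Server 2016 or later machine, a TPM already enabled in the BIOS, the GPO "Store BitLocker recovery information in Active Directory Domain Services" enabled, and an elevated prompt; the function names are mine.

```powershell
# Added example (not from the original guide): BitLocker with TPM + recovery password,
# recovery key escrowed to AD DS first. Run elevated on the domain-joined client.
function Enable-OsDriveBitLocker {
    param([string]$MountPoint = 'C:')

    $tpm = Get-Tpm
    if (-not ($tpm.TpmPresent -and $tpm.TpmReady)) {
        throw 'TPM not present or not ready: enable it in the BIOS (vendor tool) first'
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint
    if ($vol.ProtectionStatus -eq 'On') { return $vol }   # already protected, nothing to do

    # Recovery password first, and back it up to AD before the drive is sealed to the TPM:
    # if escrow fails you still have an unencrypted disk instead of a locked one.
    $vol = Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector
    $rp  = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword'
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId | Out-Null

    # Seal to the TPM and start encrypting. XTS-AES 256 needs Windows 10 1511 / Server 2016 or later;
    # -UsedSpaceOnly is fine for freshly deployed machines, use full encryption on reused disks.
    Enable-BitLocker -MountPoint $MountPoint -EncryptionMethod XtsAes256 -TpmProtector -UsedSpaceOnly -SkipHardwareTest | Out-Null
    Get-BitLockerVolume -MountPoint $MountPoint
}

# Status check, the scriptable equivalent of manage-bde -status.
function Get-BitLockerSummary {
    Get-BitLockerVolume | Select-Object MountPoint, VolumeStatus, ProtectionStatus, EncryptionPercentage,
        @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType) -join ',' } }
}

Enable-OsDriveBitLocker | Out-Null
Get-BitLockerSummary | Format-Table -AutoSize
```

After the first machine, check the computer object in AD (the msFVE-RecoveryInformation child objects under it) before you touch a second one: a fleet of encrypted laptops with no escrowed keys is the GDPR problem you were trying to avoid.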
Request permission to add additions for above documentation in Google Drive: