Mid Sized Company System Administrators United

This document is an initial fast startup guide, intended for beginning System Administrators all over the world. The purpose of this document is to unite and form an alliance against attackers worldwide. So what I ask of you is to submit your comments and ideas for helping out System Administrators who are new to the field. The more information we can bring each other, the safer we are in an online world.

Note: this is a one-night write-up; additional information can be added or commented by you.

Comment here on this document:

The goal is to make it generally usable with leading technologies.

Starter points for a System Administrator to consider

Let’s begin from our start point to eventually your end users.


Your Internet connection / Internal Network

Do a port scan of your public address from outside (for example from your home connection) and see if any unusual ports have been left open.

  • Use Zenmap (the nmap GUI for Windows) and perform an intense scan.
  • Unencrypted services such as HTTP (80) and FTP (21) should be avoided. Use HTTPS (443) and SSH/SFTP (22) instead.

Reconsider your router/firewall/switch environment and the devices attached to it to decide whether you need VLANs.

Determine your needs based on the following article:



Provide access to the internet and divide your network into several segments:

ISP1 (local subnet 1)

ISP2 (local subnet 2)

For ISP1 you set a DHCP scope and route its clients via the ISP1 gateway.

For ISP2 you set a DHCP scope and route its clients via the ISP2 gateway.

  • Or you make ISP2 the failover network when ISP1 goes down.

  • Make a primary network for your clients
  • Make a secondary network for your clients
  • Make a third network for your printers (no internet)
  • Make a fourth network segment for a guest VLAN (limited: no corporate network, internet only)
  • Make a fifth subnet for mobiles (they should not be on the corporate network)
    • If there are any developers, you can grant them access to a specific network segment via firewall rules. In that case, make a reservation for them in your DHCP scope / DNS.
  • Make a sixth network for your IT VLAN
  • Make a seventh network for your servers

Refer to your supplier (e.g. Cisco, HP, Fortinet, etc.) on how to set this up.

Refer to your supplier on how to allow / deny access between VLANs.

Refer to your supplier on how to set up VPN access / allow access to company services.


Server Room

Cool your hardware with regulated air conditioning. 28 degrees Celsius is sufficient.

A constant temperature prolongs the lifetime of your hardware and prevents condensation.


Uninterruptible Power Supply

Provide a UPS for your hardware. It will prolong the lifetime of your hardware and its components in case of regular outages and spikes.


Network - Patching - Connections

Use colored cables (black/blue) for your clients from the patch panel to your switch.

Prefer to keep the patch panel and switch port order aligned: patch panel port 1-1-1 in switch port GigabitEthernet 0/1, patch panel port 1-1-25 in GigabitEthernet 0/25.

Use a different color set for your internet connection and yet another color for your servers. Label your server cables.


Router / Firewall / Switches

  • Never use a basic first (default) subnet address.
    • If a router connected to your network for testing purposes uses that same default subnet, it will conflict and your internet will go down.
    • The same applies to the rest of the network.


Disable the following protocol and apply basic device protections

  • Disable telnet usage (this is an insecure protocol)
  • Set passwords for your devices
  • Set enable passwords for your devices
  • Add a disclaimer to the login functionality (a login banner).


General Rule: Export your settings!!! Before and After!!!


General rule to ensure you can keep things running:

Always export your settings.

Always keep a backup:

  • a backup before the change, and
  • a backup after the change.


Basic Domain Setup / Active Directory / DHCP / DNS


Preferred method:

Always stay up to date with your servers. You do not need to buy a license right when a product is released. Wait a minimum of 6 months after the initial release, by which time most functions have been updated and secured.


Get Started with Windows Server 2016

Setup Active Directory via the best practices of Microsoft:

Step-By-Step: Setting up Active Directory in Windows Server 2016

Group Policy Settings Reference for Windows and Windows Server (Recommendations)

Setup DHCP via the best practices of Microsoft:

Step-by-Step: Configure DHCP Using Policy-based Assignment

Setup DNS via a best practice

Setup a file share





Active Directory

Do not touch the Active Directory Firewall profiles! Period.


IT Management

Do make a GPO Advanced Firewall Policy that allows ICMPv4 and Remote Desktop on the domain profile only, scoped to the IP range of the allowed internal network (this could be the IT VLAN).

Set a disallow / disabled state for the public and private profiles.


File Servers

On other servers such as file servers, make sure the File and Printer Sharing rules apply to the domain profile only. Disable / block the public and private rules.


Web Servers

On web servers that do not need to be accessed from outside, allow the internal IP scope only.


  • Filter on IP Scope whenever possible!


Basic knowledge of Windows Server Firewalls.


Most companies are afraid to use the Windows built-in firewall.

My recommendation is to enable it after some investigation.


  • Know what services are running and on which ports

You could scan this by executing the following command in cmd
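As an added example (not part of the original write-up), the PowerShell below builds that inventory: every listening TCP port, the process that owns it, and a flag on the plain-text services this guide tells you to avoid (FTP 21, telnet 23, HTTP 80). The port list is constructed for this example; run it from an elevated prompt so system processes resolve.

```powershell
# Added example: inventory of listening TCP ports with owning process.
# Requires Windows 8 / Server 2012 or later (NetTCPIP module) and an elevated prompt.

# Plain-text services called out in this guide; list constructed for this example.
$PlainTextPorts = @{ 21 = 'FTP'; 23 = 'Telnet'; 80 = 'HTTP' }

function Get-ListeningPortInventory {
    Get-NetTCPConnection -State Listen |
        Sort-Object LocalPort, LocalAddress |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            $port = [int]$_.LocalPort   # cast so the hashtable lookup matches the Int32 keys
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $port
                PID          = $_.OwningProcess
                Process      = if ($proc) { $proc.ProcessName } else { 'unknown' }
                Note         = if ($PlainTextPorts.ContainsKey($port)) {
                                   "plain-text $($PlainTextPorts[$port]); prefer an encrypted alternative"
                               } else { '' }
            }
        }
}

$inventory = Get-ListeningPortInventory
$inventory | Format-Table -AutoSize

# Keep the approved list as documentation before the ports go into a GPO rule set.
$inventory | Export-Csv -Path "$env:USERPROFILE\listening-ports.csv" -NoTypeInformation
```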



When you have summarized all the ports you know are required, put them in a GPO (local or domain) and publish it to that server. This way the rules cannot be altered, disabled or overwritten by a restore of the default firewall settings or by user interference.


  • You could restore the default firewall policy in the Advanced settings at the top (root) node > Actions > Restore Default Policy (do not do this just yet).

The best practice is to export the current firewall policy first (if you have already enabled the firewall and ports are open) and import it into the Advanced Firewall Policy of the GPO.

Then delete all basic Windows built-in firewall rules and leave only your custom port rules enabled.


Extra considerations Windows Firewalls


  • Standard Windows features and roles that require a port to be opened get their rules back with a restore default policy (except perhaps WDS, which requires additional ports to be opened depending on the setup).
  • Remote Desktop and File and Printer Sharing are disabled by default.
    • Make a general GPO Advanced Firewall Policy for all your servers on the domain profile, not public/private, for the mentioned services.
  • When you have Server 2016 in place you will run into an incompatibility with Server 2008 R2.
    • In that case you need to open TCP and UDP port 3389 with a custom rule (not from the built-in list) for the server to be reachable again.

After all considerations have been implemented, you can run gpupdate /force to see if this worked for you. To be on the safe side, you must have physical access to the servers you are planning to do this on.
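The domain-profile rules described in the IT Management section and in the list above (ICMPv4, Remote Desktop on TCP and UDP 3389, scoped to the IT VLAN, blocked on public/private), written into a GPO so a local reset cannot undo them. This is an added example, not the author's configuration; the GPO name and the IT VLAN range are placeholders, and it assumes the GPO already exists and RSAT (GroupPolicy and NetSecurity modules) is installed.

```powershell
# Added example: firewall baseline rules stored in a Group Policy Object.
$GpoName = 'example.local\Server-Firewall-Baseline'   # placeholder: "domain\GPO name"
$ItVlan  = '10.10.50.0/24'                            # placeholder: IT VLAN scope

# Open the GPO once and batch every rule change into that session.
$gpo = Open-NetGPO -PolicyStore $GpoName

# ICMPv4 echo request (ping), domain profile only, only from the IT VLAN.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Allow ICMPv4 echo from IT VLAN' `
    -Direction Inbound -Protocol ICMPv4 -IcmpType 8 -RemoteAddress $ItVlan `
    -Profile Domain -Action Allow

# Remote Desktop needs both TCP and UDP 3389; the guide notes the explicit rules are
# what keep Server 2008 R2 hosts reachable once Server 2016 policies are in place.
foreach ($proto in 'TCP', 'UDP') {
    New-NetFirewallRule -GPOSession $gpo -DisplayName "Allow RDP $proto 3389 from IT VLAN" `
        -Direction Inbound -Protocol $proto -LocalPort 3389 -RemoteAddress $ItVlan `
        -Profile Domain -Action Allow
}

# Explicit block on the public and private profiles, so a mis-detected network
# location never exposes Remote Desktop.
New-NetFirewallRule -GPOSession $gpo -DisplayName 'Block RDP on public/private' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 -Profile Private, Public -Action Block

# Commit the batched changes back to the GPO.
Save-NetGPO -GPOSession $gpo

# On a target server, after gpupdate /force, confirm the rules are in the active store:
Get-NetFirewallRule -PolicyStore ActiveStore | Where-Object DisplayName -like '*IT VLAN*'
```

Locally created rules still merge with the GPO rules unless the GPO's profile settings also turn off "Apply local firewall rules"; set that in the same GPO if the goal is that nothing outside the policy applies.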


General Security Rules


Disable SMBv1 Protocol via Domain GPO


::  Description: Script to disable the SMBv1 protocol (WannaCry / WannaCrypt ransomware mitigation)
::  Remarks: Restart the system after the script has executed successfully
::  Configuration Type - COMPUTER
::  ===================================================================
::  Server side: turn off SMBv1 on the LanmanServer service (0 = disabled)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMB1" /t REG_DWORD /d 0 /f
::  Client side: remove the SMBv1 driver (mrxsmb10) from the workstation dependencies
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
::  ... and disable the SMBv1 client driver itself
sc.exe config mrxsmb10 start= disabled
:: END

Disable NTLM > Switch to NTLMv2

Set UAC to at least Level 2

UAC Settings Level 1, 2, 3, 4
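An added audit script (not from the original write-up) that checks a server against the SMBv1 and NTLMv2 rules above: the SMB1 registry value and live SMB server setting, the Start value of the mrxsmb10 client driver, and LmCompatibilityLevel (3 = send NTLMv2 only, 5 = also refuse LM and NTLM from clients). It returns findings as objects so they can be exported for documentation.

```powershell
# Added example: audit SMBv1 and NTLM settings. Windows 8 / Server 2012 or later, elevated prompt.
function Get-LegacyProtocolStatus {
    $findings = @()

    # Server side: the SMB1 value the script above sets (0 = disabled), plus the live setting.
    $srv      = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $smb1Reg  = if ($null -ne $srv.SMB1) { $srv.SMB1 } else { 'not set' }
    $smb1Live = (Get-SmbServerConfiguration).EnableSMB1Protocol
    $findings += [pscustomobject]@{
        Check     = 'SMBv1 server'
        Value     = "registry=$smb1Reg live=$smb1Live"
        Compliant = (-not $smb1Live)
    }

    # Client side: Start value of the mrxsmb10 driver (4 = disabled, as set by sc.exe above).
    # The key is absent on builds where SMBv1 is not installed at all, which also passes.
    $drv = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\mrxsmb10' -ErrorAction SilentlyContinue
    $findings += [pscustomobject]@{
        Check     = 'SMBv1 client (mrxsmb10)'
        Value     = if ($drv) { "Start=$($drv.Start)" } else { 'driver not installed' }
        Compliant = ($null -eq $drv -or $drv.Start -eq 4)
    }

    # NTLM: a missing LmCompatibilityLevel means the OS default, which is 3 on Vista / 2008 and later.
    $lsa = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $lm  = if ($null -ne $lsa.LmCompatibilityLevel) { $lsa.LmCompatibilityLevel } else { 3 }
    $findings += [pscustomobject]@{
        Check     = 'LmCompatibilityLevel (NTLMv2)'
        Value     = $lm
        Compliant = ($lm -ge 3)
    }

    return $findings
}

Get-LegacyProtocolStatus | Format-Table -AutoSize
```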


Use DFS Shares

Deploy DFS in Windows Server 2012 R2 (also goes for Server 2016)

DFS Namespaces and DFS Replication Overview


Audit events for GDPR

Scenario: Get Insight into Your Data by Using Classification

Use the Microsoft Data Classification Toolkit

Best Practices Audit Policy Recommendations

Auditing File Access on File Servers

ICT Training

  • Always start out in a test environment!
  • Tell users what you are going to do and whether tests have succeeded
  • Keep a roadmap on the intranet
  • Tell them what to expect.
  • Give a timeframe
  • Ask for feedback
  • Be polite! Be rude once and you will never get another thing done with that user, or with whomever he/she talks to about it.
  • Document IT ALL. "I'll do it later" is a guarantee it will never be done! Count on it.
  • Double your work estimates! Always! You will find that time is rare within ICT.
  • Do hire an external supplier when you're in over your head. It's no shame! They will help you as long as you pay!
  • Training: https://www.cbtnuggets.com/ (example).
  • Incident Report: https://sysadmincasts.com/episodes/20-how-to-write-an-incident-report-postmortem


Know your network / software / hardware

  • Know when licenses expire
  • Provide a cost estimate to your responsible team lead in time.
  • Know when hardware is due to be replaced
  • Send mail alerts on NTFS errors when they occur
  • Be aware of any storage limits and quotas on your machines.
  • Scan your network for shares outside your domain, e.g. with SoftPerfect Network Scanner from a Windows machine not joined to the domain, and find your weaknesses.


User Training

  • Communication is key. Keep it short and readable!
  • Make sure notifications are enabled in your endpoint security product
  • Inform them about possible attacks via e-mail:
    • Phishing mails
    • Attachments
    • Responding to e-mails they never requested
    • Hyperlinks (mouse over to check the real destination)
    • Never pay by e-mail
    • Knowing that usernames and passwords are never requested via mail
    • Before replying to an e-mail, check the sender's mail address and use common sense


Mandatory Software Considerations


Implement a WDS/PXE Server for deployment of your clients.



(3:20 hour during video)


When a client is deployed, use both UEFI and Secure Boot, enable WOL and set a BIOS password.

Vendor tools (HP, Dell, Lenovo, for example) can adjust BIOS settings from scripts, e.g. when TPM needs to be enabled for BitLocker.

Buy Proper Endpoint Security / File Server Security


  • www.eset.com
  • www.sophos.com
  • www.f-secure.com

Buy patch management software!!!

Patch, Patch, PATCH!

ManageEngine Desktop Central (or a patch-management-only product)

https://www.manageengine.com/products/desktop-central/ (example)

  • Deploy patches you approve
  • Deploy software
  • Inventory report
  • Remote support


System Center Configuration Manager




Backup Software for your Servers / Clients / Data


Backup, backup, BACKUP!

Aomei Backupper

http://www.backup-utility.com/technician.html (example)

Veritas Backup Exec




  • 2 backup locations on premise,
  • 1 in the cloud, or
  • 1 portable encrypted / password-protected disk (with daily swap, in case of a fire/water incident)


VM backup solution




Want to make changes to a device / server? Back up first! Seriously!


Buy an SFTP server to access your (online) servers (port 22, not port 21)




Recommended (cost vs functionality)


https://www.syncplify.me/ (example)

Additional automated SFTP tasks can be set up at a cost of 50 euro.

Use a monitoring tool such as Paessler PRTG


https://www.paessler.com/prtg (the first 100 sensors are free)

Microsoft gallery for submitted scripts by IT Professionals




Apply BitLocker to better protect data as required by EU laws such as GDPR

Top Reasons to Use BitLocker and BitLocker To Go


Set up MDT for BitLocker


Backing Up BitLocker and TPM Recovery Information to AD DS


Active Directory and BitLocker - Part 1: Introduction


MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013


How to make your existing BitLocker encrypted environment FIPS compliant


Best Practices for BitLocker in Windows 7


Here’s why BitLocker encryption is slower on Windows 10 than Windows 7


BitLocker frequently asked questions (FAQ)


How to Check Status of BitLocker Drive Encryption for Drive in Windows 10


Bitlocker and 1511 to 1607 Upgrade via WSUS?


Microsoft Bit-locker Administration & Monitoring (MBAM) - Prerequisites, Deployment Process & Testing - Part 1


Microsoft BitLocker Administration and Monitoring


Request permission to add additions for above documentation in Google Drive:


Kind regards,

Martijn Kamminga


System Administrator