ICT Infrastructure

Mid-Sized Company System Administrators United

This document is an initial quick-start guide, intended for beginning System Administrators all over the world. The purpose of this document is to unite and form an alliance against attackers worldwide. So what I ask of you is to submit your comments and ideas for helping out System Administrators who are new to the field. The more information we can bring each other, the safer we are in an online world.

Note: this is a one-night write-up; additional information can be added or commented on by you.

Comment here on this document:

The goal is to make it generally usable with leading technologies.

Starter points for a System Administrator to consider

Let’s begin from our start point to eventually your end users.

Your Internet connection / Internal Network

Do a port scan from outside your network (for example from your home address) against your public IP and see if any unusual ports have been left open.

  • Use Zenmap (the nmap GUI for Windows) and perform an intense scan, or run nmap from the command line.
  • Services that run in cleartext, such as HTTP on port 80, FTP on port 21 and Telnet on port 23, should not be exposed. Offer the encrypted equivalents instead: HTTPS on 443 and SSH/SFTP on 22.
  • Anything you did not knowingly publish is a finding: close it on the firewall or put it behind the VPN.
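As an added example (not part of the original guide), the same check scripted in PowerShell so it can be repeated after every firewall change: a TCP connect scan of your public address from outside, flagging the cleartext and management ports that should never be reachable from the internet. The target address and the port list are assumptions; only scan addresses you are responsible for.

```powershell
# Added example: quick external exposure check. Run from OUTSIDE your network
# (e.g. a home connection) against the office public IP. Target is an assumption.
function Test-ExposedPorts {
    param(
        [Parameter(Mandatory)] [string] $Target,
        [int[]] $Ports = @(21, 22, 23, 25, 80, 110, 143, 443, 445, 1433, 3389, 8080),
        [int] $TimeoutMs = 1500
    )
    # Protocols that carry credentials or data in cleartext.
    $cleartext   = @{ 21 = 'FTP'; 23 = 'Telnet'; 80 = 'HTTP'; 110 = 'POP3'; 143 = 'IMAP'; 8080 = 'HTTP-alt' }
    # Services that should never face the internet directly; reach them over VPN.
    $neverExpose = @{ 445 = 'SMB'; 1433 = 'MSSQL'; 3389 = 'RDP' }

    foreach ($port in $Ports) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            # Asynchronous connect so a filtered (dropped) port does not hang the scan.
            $handle = $client.BeginConnect($Target, $port, $null, $null)
            $open   = $handle.AsyncWaitHandle.WaitOne($TimeoutMs) -and $client.Connected
        } catch {
            $open = $false
        } finally {
            $client.Close()
        }
        if (-not $open) { continue }

        $verdict = if ($cleartext.ContainsKey($port)) {
            "CLEARTEXT $($cleartext[$port]): replace with HTTPS/443 or SSH-SFTP/22, then close"
        } elseif ($neverExpose.ContainsKey($port)) {
            "DANGEROUS $($neverExpose[$port]): close on the firewall, publish via VPN only"
        } else {
            'open: confirm it is intended and patched'
        }
        [pscustomobject]@{ Port = $port; Verdict = $verdict }
    }
}

# Usage (assumed public address from the documentation range; replace with your own):
Test-ExposedPorts -Target '203.0.113.10' | Format-Table -AutoSize
```

A connect scan only sees TCP ports that answer; a port that the firewall drops silently shows up as closed, which is what you want. Keep the output with your change records so the next scan can be compared against it.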

Review your router/firewall/switch environment and the devices attached to it, and decide whether you need VLANs.

Determine your needs based on the following article:

https://supportforums.cisco.com/t5/lan-switching-and-routing/are-vlans-necessary/td-p/1459985

 

Provide access to the internet and divide your network into several segments, all carved out of one parent block:

10.0.0.0/16 (10.0.0.0/255.255.0.0)

ISP1 (local subnet 1) 10.0.0.0/23

ISP2 (local subnet 2) 10.0.2.0/23

For ISP1 you set a DHCP scope and route those clients via the ISP1 gateway.

For ISP2 you set a DHCP scope and route those clients via the ISP2 gateway.

  • Or you make ISP2 the failover connection for when ISP1 goes down.

A /23 holds 510 hosts and must start on an even third octet (10.0.0.0, 10.0.2.0, 10.0.4.0, and so on); 10.0.5.0/23 or 10.0.7.0/23 is not a valid network address, and a router will either reject it or silently round it down onto the neighbouring segment.

Make a primary network for your clients: 10.0.0.0/23 (or a single 10.0.0.0/22 if you combine both client ranges).

Make a secondary network for your clients: 10.0.2.0/23 (not needed if you use the single /22).

Make a third network for your printers (no internet): 10.0.4.0/24.

Make a fourth network segment for the guest VLAN (internet only, no access to the corporate network): 10.0.6.0/23.

Make a fifth subnet for mobiles (that should not be on the corporate network): 10.0.8.0/23.

-          If there are any developers, you can grant them access to a specific network segment via firewall rules. In that case give their machines a DHCP reservation and a DNS record, so that the firewall rule can refer to a fixed address.

Make a sixth network for your IT VLAN (pick a free block that does not overlap the others).

Make a seventh network for your servers: 10.0.10.0/24.

Refer to your supplier on how to set this up (Cisco / HP / Fortinet, etc.).

Refer to your supplier on how to allow / deny access between VLANs.

Refer to your supplier on how to set up VPN access / allow access to company services.
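To check a plan like the one above before you type it into the firewall, here is an added example (not from the original guide) in PowerShell. It takes the segments as CIDR strings, verifies that each network address is aligned to its prefix length, that each lies inside the 10.0.0.0/16 parent and that no two overlap, and then runs against the plan as it was first drafted (guest on 10.0.5.0/23, mobiles on 10.0.7.0/23) and against the corrected one. Segment names follow the list above; the IT VLAN address 10.0.11.0/24 is an assumption.

```powershell
# Added example: sanity-check a VLAN/subnet plan (alignment, parent fit, overlap).
function ConvertTo-IPNumber ([string] $Ip) {
    $bytes = [System.Net.IPAddress]::Parse($Ip).GetAddressBytes()   # network byte order
    [int64](([int64]$bytes[0] -shl 24) + ([int64]$bytes[1] -shl 16) + ([int64]$bytes[2] -shl 8) + $bytes[3])
}
function ConvertFrom-IPNumber ([int64] $N) {
    '{0}.{1}.{2}.{3}' -f (($N -shr 24) -band 255), (($N -shr 16) -band 255), (($N -shr 8) -band 255), ($N -band 255)
}
function Get-CidrRange ([string] $Name, [string] $Cidr) {
    $addr, $len = $Cidr.Split('/')
    $len   = [int] $len
    $size  = [int64][math]::Pow(2, 32 - $len)
    $ip    = ConvertTo-IPNumber $addr
    $start = $ip - ($ip % $size)              # round down to the prefix boundary
    [pscustomobject]@{
        Name = $Name; Cidr = $Cidr; Start = $start; End = $start + $size - 1
        Aligned = ($ip -eq $start); RealNetwork = (ConvertFrom-IPNumber $start)
    }
}
function Test-SubnetPlan ([hashtable] $Plan, [string] $Parent = '10.0.0.0/16') {
    $p = Get-CidrRange 'parent' $Parent
    $ranges = foreach ($name in $Plan.Keys) { Get-CidrRange $name $Plan[$name] }
    $problems = @()
    foreach ($r in $ranges) {
        if (-not $r.Aligned) {
            $problems += "$($r.Name) $($r.Cidr) is not a valid network address; a /$($r.Cidr.Split('/')[1]) there actually starts at $($r.RealNetwork)"
        }
        if ($r.Start -lt $p.Start -or $r.End -gt $p.End) { $problems += "$($r.Name) $($r.Cidr) falls outside $Parent" }
    }
    # Sorted by start address, every segment must begin after the previous one ends.
    $sorted = @($ranges | Sort-Object Start, End)
    for ($i = 1; $i -lt $sorted.Count; $i++) {
        if ($sorted[$i].Start -le $sorted[$i - 1].End) {
            $problems += "$($sorted[$i - 1].Name) ($($sorted[$i - 1].Cidr)) overlaps $($sorted[$i].Name) ($($sorted[$i].Cidr))"
        }
    }
    if ($problems) { $problems } else { "OK: $($ranges.Count) segments, all aligned, inside $Parent and non-overlapping" }
}

# The plan as first drafted: the two misaligned /23s round down onto their neighbours.
$draft = @{
    'clients-ISP1' = '10.0.0.0/23'; 'clients-ISP2' = '10.0.2.0/23'; 'printers' = '10.0.4.0/24'
    'guest' = '10.0.5.0/23'; 'mobiles' = '10.0.7.0/23'; 'servers' = '10.0.10.0/24'
}
Test-SubnetPlan $draft

# Corrected plan (the IT VLAN address is an assumption, not from the guide).
$fixed = @{
    'clients-ISP1' = '10.0.0.0/23'; 'clients-ISP2' = '10.0.2.0/23'; 'printers' = '10.0.4.0/24'
    'guest' = '10.0.6.0/23'; 'mobiles' = '10.0.8.0/23'; 'servers' = '10.0.10.0/24'; 'IT' = '10.0.11.0/24'
}
Test-SubnetPlan $fixed
```

The draft reports that 10.0.5.0/23 really starts at 10.0.4.0 and therefore overlaps the printer VLAN, and that 10.0.7.0/23 really starts at 10.0.6.0; the corrected plan reports OK. Run the check again every time a segment is added.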

 

Server Room

Cool your hardware with regulated air conditioning. 28 °C intake air is sufficient for most equipment (ASHRAE's recommended envelope for IT equipment tops out at 27 °C, its allowable one higher), but what matters most is that the temperature and humidity stay constant.

A constant temperature prolongs the lifetime of your hardware and prevents condensation.

 

Uninterruptible Power Supply

Provide a UPS for your hardware. It protects against regular outages and spikes, prolonging the lifetime of your hardware and its components, and gives your servers time to shut down cleanly instead of losing data on a power cut.

 

Network - Patching - Connections

Use coloured cables (black/blue) for your clients from patch panel to switch.

Keep the patch panel order aligned with the switch ports: patch panel port 1-1-1 in switch port GigabitEthernet 0/1, patch panel port 1-1-25 in GigabitEthernet 0/25, and so on.

Use a different colour set for your internet connection and yet another colour for your servers. Label your server cables.

 

Router / Firewall / Switches

  • Never use a default first subnet such as 192.168.1.0/24 with the gateway on 192.168.1.1.
    • If a consumer router with factory settings is connected to your network for testing, its DHCP server and its 192.168.1.1 address will conflict with yours and your internet will go down.
    • This also applies to 10.0.0.0/24 with 10.0.0.1 as gateway, the other common factory default. If you keep the client plan above, enable DHCP snooping (or your switch vendor's rogue-DHCP protection) so that an unknown device cannot hand out leases.

 

Harden device management

  • Disable telnet (it sends passwords in cleartext); manage devices over SSH only.
  • Set passwords for your devices, and use a separate account per administrator where the device supports it.
  • Set enable passwords for your devices (on Cisco IOS: enable secret, not the reversible enable password).
  • Add a legal disclaimer to the login screen (on Cisco IOS: banner login / banner motd).

 

General rule to ensure you can keep things running: export your settings!!! Before and after!!!

Always keep a backup of the configuration:

  • a backup before the change, and
  • a backup after the change.

Keep both until the change has run without problems for a while: the before-copy is your rollback, the after-copy is the new known-good state.

 

Basic Domain Setup / Active Directory / DHCP / DNS

 

Preferred method:

Always keep your servers up to date with patches. You do not need to buy a license for a new product version as soon as it is released; wait a minimum of six months, by which time most functions have been fixed and secured after the initial release.

 

Get Started with Windows Server 2016

https://docs.microsoft.com/en-us/windows-server/get-started/server-basics

 

Set up Active Directory following Microsoft's best practices

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/ad-ds-getting-started

 

Step-By-Step: Setting up Active Directory in Windows Server 2016

https://blogs.technet.microsoft.com/canitpro/2017/02/22/step-by-step-setting-up-active-directory-in-windows-server-2016/

 

Group Policy Settings Reference for Windows and Windows Server (Recommendations)

https://www.microsoft.com/en-us/download/details.aspx?id=25250

 

Set up DHCP following Microsoft's best practices

https://technet.microsoft.com/en-us/library/cc958920.aspx

Step-by-Step: Configure DHCP Using Policy-based Assignment

https://technet.microsoft.com/en-us/library/hh831538(v=ws.11).aspx
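Putting the scope design from the network section into practice, as an added example (not from the original guide or the linked articles): the PowerShell DhcpServer module creates one scope per client VLAN with its own gateway, DNS servers and lease time, and a reservation for a developer workstation that a firewall rule can then refer to. Scope ranges follow the corrected plan in this guide; the DNS server, gateway addresses, domain name, MAC address and host name are assumptions. Run it elevated on the DHCP server; printers and servers get no scope on purpose (static addresses).

```powershell
# Added example: DHCP scopes for the client VLANs of the segmentation plan.
Import-Module DhcpServer

$CorpDns  = @('10.0.10.10')            # assumed: AD-integrated DNS in the server VLAN
$GuestDns = @('9.9.9.9', '1.1.1.1')    # guest/mobile get public resolvers, not the corporate DNS
$Domain   = 'corp.example.com'         # assumed

$scopes = @(
    @{ Name = 'Clients ISP1'; ScopeId = '10.0.0.0'; Start = '10.0.0.50'; End = '10.0.1.250'; Mask = '255.255.254.0'; Router = '10.0.0.1'; Dns = $CorpDns;  Lease = (New-TimeSpan -Days 8) }
    @{ Name = 'Clients ISP2'; ScopeId = '10.0.2.0'; Start = '10.0.2.50'; End = '10.0.3.250'; Mask = '255.255.254.0'; Router = '10.0.2.1'; Dns = $CorpDns;  Lease = (New-TimeSpan -Days 8) }
    @{ Name = 'Guest';        ScopeId = '10.0.6.0'; Start = '10.0.6.50'; End = '10.0.7.250'; Mask = '255.255.254.0'; Router = '10.0.6.1'; Dns = $GuestDns; Lease = (New-TimeSpan -Hours 4) }
    @{ Name = 'Mobiles';      ScopeId = '10.0.8.0'; Start = '10.0.8.50'; End = '10.0.9.250'; Mask = '255.255.254.0'; Router = '10.0.8.1'; Dns = $GuestDns; Lease = (New-TimeSpan -Hours 8) }
)

foreach ($s in $scopes) {
    if (-not (Get-DhcpServerv4Scope -ScopeId $s.ScopeId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Scope -Name $s.Name -StartRange $s.Start -EndRange $s.End -SubnetMask $s.Mask `
            -LeaseDuration $s.Lease -State Active
    }
    # Per-scope options: default gateway (option 3) and DNS servers (option 6).
    # -Force skips the check that the DNS servers answer from the DHCP server itself,
    # which public resolvers behind a guest firewall may not.
    Set-DhcpServerv4OptionValue -ScopeId $s.ScopeId -Router $s.Router -DnsServer $s.Dns -Force
}
# DNS domain suffix (option 15) only for the corporate scopes.
Set-DhcpServerv4OptionValue -ScopeId 10.0.0.0 -DnsDomain $Domain -Force
Set-DhcpServerv4OptionValue -ScopeId 10.0.2.0 -DnsDomain $Domain -Force

# Developer workstation: fixed address inside the scope, so a firewall rule can allow
# exactly this host into the server VLAN. MAC address and name are assumptions.
Add-DhcpServerv4Reservation -ScopeId 10.0.0.0 -IPAddress 10.0.0.60 -ClientId '00-1A-2B-3C-4D-5E' `
    -Name 'dev-ws01' -Description 'Developer: firewall rule allows access to 10.0.10.0/24'

Get-DhcpServerv4Scope | Select-Object ScopeId, Name, StartRange, EndRange, LeaseDuration, State
```

Short leases on the guest and mobile scopes keep the address pool from filling up with devices that visit once; the corporate scopes can be longer because those machines are known.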

 

Set up DNS following a best practice

http://firelogic.net/best-practices-for-windows-server-dns-and-how-to-avoid-the-common-pitfalls/

 

Set up a file share

http://www.tomsitpro.com/articles/create-file-share-windows-server-2016,1-3364.html

 

Firewalls

 

Active Directory

Do not touch the firewall rules that the Active Directory Domain Services role installs on your domain controllers. Period. They open exactly the RPC, LDAP, Kerberos and DNS ports that domain members need; hand-editing them is the fastest way to break authentication for everyone.

 

IT Management

Do make a GPO (Windows Firewall with Advanced Security) that allows ICMPv4 and Remote Desktop on the Domain profile only, scoped to the IP range of the network you manage from (this could be the IT VLAN).

Disable or block those same rules for the Public and Private profiles.

 

File Servers

On other servers, such as file servers, make sure the File and Printer Sharing rules are enabled for the Domain profile only. Disable / block the Public and Private rules.

 

Web Servers

On web servers that do not need to be reached from outside, allow only the internal IP range.

 

  • Filter on IP range (the remote address scope of the rule) whenever possible!

 

Basic knowledge of Windows Server firewalls

Most companies are afraid to use the built-in Windows Firewall.

My recommendation is to enable it after some investigation.

 

  • Know which services are running and on which ports.

You can list them by executing the following command in an elevated cmd:

netstat -ano

(-a lists listening ports, -n shows numeric addresses, -o shows the owning process ID; add -b to see the executable name.)

When you have summarized all the ports you know are required, put them in a GPO (local or domain) and publish it to that server. This way the rules cannot be altered, disabled or overwritten by a "restore default policy" or by user interference.

 

  • You could restore the default firewall policy via Windows Firewall with Advanced Security > Action > Restore Default Policy (do not do this just yet).

The best practice is to first export the current firewall policy (if the firewall is already enabled and ports are open) and import it into the firewall policy of your GPO.

Then remove the built-in rules you do not need and leave only your custom port rules enabled.

 

Extra considerations Windows Firewalls

 

  • Standard Windows features and roles that need a port opened get their predefined rules back with a restore of the default policy (maybe except WDS, which needs additional ports opened depending on the setup).
  • Remote Desktop and File and Printer Sharing are disabled by default.
    • Make a general GPO firewall policy for all your servers that enables these services on the Domain profile only, not Public/Private.
  • When you have Server 2016 in place, the predefined Remote Desktop rule group differs from the one on Server 2008 R2, so a GPO that only enables the predefined group may leave 2008 R2 servers unreachable.
    • In that case, add an explicit custom rule for TCP and UDP port 3389 (not from the built-in list) so the server is reachable again.

After all considerations have been implemented, run gpupdate /force and check whether it works for you. To be on the safe side, make sure you have physical or out-of-band console access (iLO/iDRAC/KVM) to the servers you are doing this on, in case you lock yourself out.
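The whole procedure from this section (inventory the listening ports, export a rollback copy, scope management and sharing rules to the Domain profile and the IT VLAN, block everything inbound on Private/Public) as one PowerShell script, added here as an example and not taken from the original guide. The IT VLAN range, the backup path and the GPO name are assumptions; -PolicyStore writes the rules into the GPO so that they cannot be edited on the host, which is the point made above about publishing them via Group Policy. The explicit 3389 rules instead of the predefined Remote Desktop group cover the Server 2008 R2 compatibility point.

```powershell
# Added example: enforce the firewall design from this section on a member server.
$ItVlan      = '10.0.11.0/24'                                   # assumed management VLAN
$BackupPath  = "C:\FirewallBackup\fw-$(Get-Date -Format yyyyMMdd-HHmm).wfw"
$PolicyStore = 'PersistentStore'   # local store; for a GPO use 'corp.example.com\Server Firewall Baseline' (assumed name)

# 1. What is listening, and which process owns it (the netstat -ano step).
function Get-ListeningPorts {
    Get-NetTCPConnection -State Listen | ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{ Port = $_.LocalPort; Address = $_.LocalAddress; Process = $proc.ProcessName; OwningPid = $_.OwningProcess }
    } | Sort-Object Port, Address -Unique
}
Get-ListeningPorts | Format-Table -AutoSize

# 2. Rollback point: before-change backup of the live policy.
New-Item -ItemType Directory -Force -Path (Split-Path $BackupPath) | Out-Null
netsh advfirewall export $BackupPath | Out-Null          # restore with: netsh advfirewall import <file>

# 3. Management access: Domain profile only, from the IT VLAN only.
#    Custom 3389 rules rather than the predefined 'Remote Desktop' group, so the
#    same GPO also reaches Server 2008 R2, where that group differs.
$mgmt = @{ PolicyStore = $PolicyStore; Direction = 'Inbound'; Profile = 'Domain'; RemoteAddress = $ItVlan; Action = 'Allow' }
New-NetFirewallRule @mgmt -DisplayName 'IT-Mgmt RDP (TCP 3389)' -Protocol TCP -LocalPort 3389
New-NetFirewallRule @mgmt -DisplayName 'IT-Mgmt RDP (UDP 3389)' -Protocol UDP -LocalPort 3389
New-NetFirewallRule @mgmt -DisplayName 'IT-Mgmt ICMPv4 echo'    -Protocol ICMPv4 -IcmpType 8

# 4. File and Printer Sharing stays, but only on the Domain profile (built-in group, local store).
Set-NetFirewallRule -DisplayGroup 'File and Printer Sharing' -Profile Domain -Enabled True

# 5. Private/Public: firewall on, inbound blocked, and any local allow rules ignored there.
Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Private, Public -Enabled True `
    -DefaultInboundAction Block -AllowInboundRules False
Set-NetFirewallProfile -PolicyStore $PolicyStore -Profile Domain -Enabled True -DefaultInboundAction Block

# After-change backup, so the known-good state is on file as well.
netsh advfirewall export ($BackupPath -replace '\.wfw$', '-after.wfw') | Out-Null
```

Run it first on a test server while you have console access. If the listening-port inventory shows a port you cannot explain, find out which process owns it before you write a rule for it; an unknown listener is a finding, not a firewall exception.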

 

General Security Rules

 

Disable the SMBv1 protocol via a domain GPO (computer startup script)

DisableSMBv1.bat

::  Description: Script to disable the SMBv1 protocol (the protocol abused by the WannaCry / WannaCrypt ransomware)
::  Remarks: Restart the system after the script has executed successfully
::  Configuration Type - COMPUTER
::  ===================================================================
::  Server side: stop the SMB server from speaking SMBv1 (must be on its own line, not after a :: comment)
reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" /v "SMB1" /t REG_DWORD /d 0 /f
::  Client side: drop the SMBv1 redirector (mrxsmb10) from the workstation dependencies and disable it
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
:: END

Disable LM and NTLM(v1): switch to NTLMv2 only

Via the GPO setting Network security: LAN Manager authentication level, choose "Send NTLMv2 response only. Refuse LM & NTLM" (LmCompatibilityLevel 5). Inventory legacy devices first (old NAS boxes, printers, scanners); they are the ones that still need NTLMv1.

Set UAC to at least level 2

UAC settings levels 1, 2, 3, 4 (counting from the bottom of the slider: 1 = never notify, 2 = notify without dimming the desktop, 3 = the default, notify on the secure desktop, 4 = always notify). Never use level 1; level 3 or higher is what you want for administrator accounts, because the secure desktop stops other programs from clicking the prompt away.
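An added example (not from the original guide) that applies the three settings above on one host and reports their state before and after, so the result can go into the change record. The registry values are the ones the corresponding Group Policy settings write, so the same values belong in your domain GPO; the script itself is for a test machine or a standalone server. Run it elevated; a reboot completes the SMBv1 removal.

```powershell
# Added example: apply and verify SMBv1 off, NTLMv2 only, UAC at the default level.
# Run elevated on a test host first; in production put the same values in a GPO.

function Get-HardeningState {
    $lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
    $uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $smb1Feature = if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        (Get-WindowsFeature FS-SMB1).InstallState                                 # Server 2012 R2 / 2016
    } else {
        (Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol).State      # Windows 8.1 / 10
    }
    [pscustomobject]@{
        Smb1ServerEnabled    = (Get-SmbServerConfiguration).EnableSMB1Protocol
        Smb1Feature          = $smb1Feature
        LmCompatibilityLevel = (Get-ItemProperty $lsa).LmCompatibilityLevel      # empty = OS default (3 on current Windows)
        UacEnabled           = (Get-ItemProperty $uac).EnableLUA
        AdminPrompt          = (Get-ItemProperty $uac).ConsentPromptBehaviorAdmin
        SecureDesktop        = (Get-ItemProperty $uac).PromptOnSecureDesktop
    }
}

'Before:'; Get-HardeningState

# --- SMBv1 ---
Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force         # server side, takes effect immediately
if (Get-Command Uninstall-WindowsFeature -ErrorAction SilentlyContinue) {
    Uninstall-WindowsFeature FS-SMB1 | Out-Null                       # removes client and server binaries (reboot)
} else {
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}
# Server 2008 R2 / Windows 7 have none of these cmdlets; use the batch script above there.

# --- NTLM: GPO "Network security: LAN Manager authentication level" ---
# 5 = send NTLMv2 response only, refuse LM & NTLM. Inventory legacy devices first;
# 3 (send NTLMv2 only, still accept NTLM from others) is the safe intermediate step.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name LmCompatibilityLevel -Type DWord -Value 5

# --- UAC: the three "User Account Control" policy values behind the slider's default level ---
$uac = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $uac -Name EnableLUA                  -Type DWord -Value 1   # UAC on at all
Set-ItemProperty -Path $uac -Name ConsentPromptBehaviorAdmin -Type DWord -Value 5   # prompt for consent for non-Windows binaries
Set-ItemProperty -Path $uac -Name PromptOnSecureDesktop      -Type DWord -Value 1   # dimmed secure desktop (level 3 of 4)

'After (reboot to complete the SMBv1 removal):'; Get-HardeningState
```

Keep the "Before" output: if a legacy device stops authenticating after the NTLM change, the quickest diagnosis is to compare against the state you started from and to look for event 4776 failures on the domain controllers.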

 

Use DFS Shares

 

Deploy DFS in Windows Server 2012 R2 (also goes for Server 2016)

https://mizitechinfo.wordpress.com/2013/08/21/step-by-step-deploy-dfs-in-windows-server-2012-r2/

 

DFS Namespaces and DFS Replication Overview

https://technet.microsoft.com/en-us/library/jj127250(v=ws.11).aspx

Audit events for GDPR

 

Scenario: Get Insight into Your Data by Using Classification

https://docs.microsoft.com/en-us/windows-server/identity/solution-guides/scenario--get-insight-into-your-data-by-using-classification

 

Use the Microsoft Data Classification Toolkit

https://www.microsoft.com/en-us/download/details.aspx?id=27123

 

Best Practices Audit Policy Recommendations.

https://docs.microsoft.com/en-us/windows-server/identity/ad-ds/plan/security-best-practices/audit-policy-recommendations

 

Auditing File Access on File Servers

https://blogs.technet.microsoft.com/mspfe/2013/08/26/auditing-file-access-on-file-servers/
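Added example (not part of the original guide or the linked articles): the three pieces that auditing file access on a file server needs, in PowerShell. It enables the Object Access / File System audit subcategory (locally; in a domain, set it via Advanced Audit Policy Configuration in a GPO), puts a SACL on the share so that changes and deletions by a group are recorded, and reads the resulting 4663 events back for review or for a GDPR access log. Share path, group and time window are assumptions. Audit only what you will read: a SACL for "everyone, every read" floods the Security log within minutes.

```powershell
# Added example: audit who changes or deletes files on a share, then read the events back.
$SharePath = 'D:\Shares\HR'                   # assumed
$Group     = 'CORP\Domain Users'              # assumed

# 1. Audit subcategory (local equivalent of the GPO setting Object Access > Audit File System).
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. SACL on the share root, inherited by all files and folders below it.
$acl  = Get-Acl -Path $SharePath -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    $Group,
    [System.Security.AccessControl.FileSystemRights]'Write, Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership',
    [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit',
    [System.Security.AccessControl.PropagationFlags]::None,
    [System.Security.AccessControl.AuditFlags]'Success, Failure')
$acl.AddAuditRule($rule)
Set-Acl -Path $SharePath -AclObject $acl

# 3. Event 4663 = "An attempt was made to access an object"; the requested access is in AccessMask.
function Get-FileAccessEvents ([string] $PathPrefix, [int] $Hours = 24) {
    Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddHours(-$Hours) } |
        ForEach-Object {
            $xml  = [xml] $_.ToXml()
            $data = @{}
            foreach ($n in $xml.Event.EventData.Data) { $data[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                User    = "$($data.SubjectDomainName)\$($data.SubjectUserName)"
                Object  = $data.ObjectName
                Access  = $data.AccessMask        # e.g. 0x2 write, 0x10000 delete
                Process = $data.ProcessName
            }
        } | Where-Object { $_.Object -like "$PathPrefix*" }
}

Get-FileAccessEvents -PathPrefix $SharePath | Format-Table -AutoSize
```

Forward the Security log to a central collector (or at least raise its maximum size) before enabling this; on a busy file server the default log size wraps within a day and the events you wanted for the GDPR are gone.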

 

ICT Training

  • Always start out in a test environment!
  • Tell users what you are going to do and whether the tests have succeeded.
  • Keep a roadmap on the intranet.
  • Tell them what to expect.
  • Give a timeframe.
  • Ask for feedback.
  • Be polite! Rude once, and you will never get another thing done with that user, or with whomever he/she talks to about it.
  • Document IT ALL. "I’ll do it later" is a guarantee it will never be done! Count on it.
  • Double your work estimates! Always! You will find time is rare within ICT.
  • Do hire an external supplier when you’re in over your head. It’s no shame! They will help you as long as you pay!
  • Training: https://www.cbtnuggets.com/ (example).
  • Incident report: https://sysadmincasts.com/episodes/20-how-to-write-an-incident-report-postmortem

 

Know your network / software / hardware

  • Know when licenses expire.
  • Provide a cost estimate to your responsible team lead in time.
  • Know when hardware is to be replaced.
  • Get an e-mail alert when NTFS errors occur.
  • Be aware of any storage limits and quotas on your machines.
  • Scan your network for shares from outside your domain: run a network scanner such as SoftPerfect Network Scanner from a Windows machine that is not joined to the domain, and find the shares an attacker with a foothold would see.
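For the NTFS-error and storage-limit items above, here is an added example (not from the original guide) of the kind of check a scheduled task can run from a management host: it pulls critical and error events from the Ntfs and disk providers on each server over the last 24 hours, lists fixed volumes below a free-space threshold, and mails the findings. Server names, SMTP settings, addresses and the threshold are assumptions; the servers must accept WinRM/WMI from the management host.

```powershell
# Added example: scheduled storage health check that mails its findings.
$Servers    = @('FS01', 'DC01')                                            # assumed
$MinFreePct = 15                                                           # assumed threshold
$Mail       = @{ SmtpServer = 'smtp.corp.example.com'; From = 'monitor@corp.example.com'; To = 'it@corp.example.com' }  # assumed

function Get-StorageHealth ([string[]] $ComputerName, [int] $Hours = 24, [int] $MinFreePercent = 15) {
    foreach ($c in $ComputerName) {
        # Critical (1) and error (2) events from the NTFS and disk drivers,
        # e.g. Ntfs 55 "The file system structure on the disk is corrupt and unusable".
        $filter = @{ LogName = 'System'; ProviderName = 'Ntfs', 'disk'; Level = 1, 2; StartTime = (Get-Date).AddHours(-$Hours) }
        $events = Get-WinEvent -ComputerName $c -FilterHashtable $filter -ErrorAction SilentlyContinue
        foreach ($e in $events) {
            $firstLine = ($e.Message -split '\r?\n')[0]
            [pscustomobject]@{ Computer = $c; Kind = 'EventLog'; Detail = "$($e.ProviderName) $($e.Id) at $($e.TimeCreated): $firstLine" }
        }
        # Fixed disks (DriveType 3) below the free-space threshold.
        Get-CimInstance -ComputerName $c -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' -ErrorAction SilentlyContinue |
            Where-Object { $_.Size -gt 0 } |
            ForEach-Object {
                $pct = [math]::Round(100 * $_.FreeSpace / $_.Size, 1)
                if ($pct -lt $MinFreePercent) {
                    [pscustomobject]@{ Computer = $c; Kind = 'FreeSpace'; Detail = "$($_.DeviceID) $pct% free ($([math]::Round($_.FreeSpace / 1GB)) GB of $([math]::Round($_.Size / 1GB)) GB)" }
                }
            }
    }
}

$findings = @(Get-StorageHealth -ComputerName $Servers -MinFreePercent $MinFreePct)
if ($findings.Count -gt 0) {
    $body = $findings | Format-Table -AutoSize -Wrap | Out-String
    Send-MailMessage @Mail -Subject "Storage alert: $($findings.Count) finding(s) on $($Servers -join ', ')" -Body $body
}
```

Schedule it hourly under an account that has only Event Log Readers and WMI read rights on the servers; a monitoring account does not need to be a domain admin, and a monitoring host is exactly the kind of machine attackers look for credentials on.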

 

User Training

  • Communication is key. Keep it short and readable!
  • Make sure notifications are enabled in your endpoint security product, so users see when something has been blocked.
  • Inform them about possible attacks via e-mail:
    • Phishing mails
    • Attachments
    • Responding to e-mails they never requested
    • Hyperlinks (mouse-over to check where they really go)
    • Never pay or change bank details on the basis of an e-mail alone; confirm by phone on a number you already know
    • Usernames and passwords are never requested via e-mail
    • Before replying to an e-mail, check the sender’s real address (not just the display name) and use your common sense.

 

Mandatory Software Considerations

 

Implement a WDS/PXE Server for deployment of your clients.

http://www.techrepublic.com/article/how-to-deploy-windows-using-mdt-and-wds/

https://www.youtube.com/watch?v=QOgvECpIsAI

 

(3 h 20 min video)

 

And when a client is deployed, use both UEFI and Secure Boot, enable Wake-on-LAN, and set a BIOS/UEFI setup password so that users cannot switch Secure Boot or the TPM off.

Vendor tools from HP, Dell and Lenovo can adjust BIOS settings from the deployment task sequence, for example to enable the TPM that BitLocker needs.

Buy Proper Endpoint Security / File Server Security

 

  • www.eset.com
  • www.sophos.com
  • www.f-secure.com

Buy Patch management software!!!

 

Patch, Patch, PATCH!

ManageEngine Desktop Central (or only patch management)

https://www.manageengine.com/products/desktop-central/ (example)

 

Overview:

https://www.manageengine.com/products/desktop-central/desktop-administration-overview.html

 

  • Deploy patches you approve
  • Deploy software
  • Inventory Report
  • Remote Support

 

System Center Configuration Manager

https://www.microsoft.com/en-us/cloud-platform/system-center-configuration-manager

Overview:

https://technet.microsoft.com/library/mt627909.aspx

Backup Software for your Servers / Clients / Data

 

Backup, backup, BACKUP!

Aomei Backupper

http://www.backup-utility.com/technician.html (example)

Veritas Backup Exec

https://www.veritas.com/product/backup-and-recovery/backup-exec

 

Keep at least three copies:

  • 2 backup locations on premises,
  • 1 in the cloud, or
  • 1 portable encrypted / password-protected disk (swapped daily and taken off site, in case of a fire/water incident).

A backup you have never restored is not a backup: test a restore regularly.

VM’s Backup solution

 

https://www.veeamshop.nl/producten/

 

Want to make changes to a device / server? Back up first! Seriously!

 

Buy an SFTP server to transfer files to and from your (online) servers (SFTP over SSH on port 22, not FTP on port 21: FTP sends credentials in cleartext).

 

https://www.pcwdld.com/10-best-free-sftp-servers

 

Recommended (cost vs functionality)

 

https://www.syncplify.me/ (example)

Additional automated SFTP tasks can be set up for about 50 euro.

Use a monitoring tool such as Paessler PRTG

 

https://www.paessler.com/prtg (first 100 sensors are free)

Microsoft gallery for submitted scripts by IT Professionals

 

https://gallery.technet.microsoft.com/site/search?f%5B0%5D.Type=SupportedPlatform&f%5B0%5D.Value=Win10&f%5B0%5D.Text=Windows%2010

 

Use BitLocker to protect data at rest and to help meet EU laws such as the GDPR: a lost or stolen laptop with an encrypted disk does not expose the personal data on it.

Top Reasons to Use BitLocker and BitLocker To Go

http://windowsitpro.com/blog/top-reasons-use-bitlocker-and-bitlocker-go

Set up MDT for BitLocker

https://technet.microsoft.com/nl-nl/itpro/windows/deploy/set-up-mdt-for-bitlocker

Backing Up BitLocker and TPM Recovery Information to AD DS

https://technet.microsoft.com/library/dd875529.aspx

Active Directory and BitLocker - Part 1: Introduction

https://4sysops.com/archives/set-up-active-directory-for-bitlocker-part-1-introduction/

MDT 2013 – Configuring your environment for Bitlocker deployments with TPM, Windows 8.1 and MDT 2013

http://renshollanders.nl/2014/01/mdt-2013-configuring-your-environment-for-bitlocker-deployments-with-tpm-windows-8-1-and-mdt-2013/

How to make your existing Bitlocker encrypted environment FIPS complaint

https://blogs.technet.microsoft.com/askcore/2014/12/29/how-to-make-your-existing-bitlocker-encrypted-environment-fips-complaint/

Best Practices for BitLocker in Windows 7

https://technet.microsoft.com/en-us/library/dd875532(WS.10).aspx

Here’s why BitLocker encryption is slower on Windows 10 than Windows 7

https://mspoweruser.com/heres-bitlocker-slower-windows-10-windows-7/

BitLocker frequently asked questions (FAQ)

https://technet.microsoft.com/nl-nl/itpro/windows/keep-secure/bitlocker-frequently-asked-questions

How to Check Status of BitLocker Drive Encryption for Drive in Windows 10

https://www.tenforums.com/tutorials/36901-check-bitlocker-drive-encryption-status-windows-10-a.html

Bitlocker and 1511 to 1607 Upgrade via WSUS?

https://community.spiceworks.com/topic/1787031-bitlocker-and-1511-to-1607-upgrade-via-wsus

Microsoft Bit-locker Administration & Monitoring (MBAM) - Prerequisites, Deployment Process & Testing - Part 1

http://www.mdtechskillssolutions.com/2016/05/microsoft-bit-locker-administration.html

Microsoft BitLocker Administration and Monitoring

http://windowsitpro.com/security/microsoft-bitlocker-administration-and-monitoring
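As an added example (not from the original guide or the linked articles), a PowerShell pre-flight and enablement for a deployed client that ties the firmware requirements from the deployment section (UEFI, Secure Boot, TPM) to the AD DS key escrow the links above describe. It refuses to start encrypting unless the recovery password has been escrowed, which is the failure mode that turns BitLocker into self-inflicted data loss. It assumes a domain-joined Windows 10 client on which the GPO to store BitLocker recovery information in AD DS is already applied, and is run elevated.

```powershell
# Added example: BitLocker readiness check and enablement with AD DS escrow first.
function Test-BitLockerReadiness {
    $tpm = Get-Tpm
    $secureBoot = $false
    try { $secureBoot = Confirm-SecureBootUEFI } catch { }   # throws on legacy BIOS
    [pscustomobject]@{
        Uefi       = ($env:firmware_type -eq 'UEFI')
        SecureBoot = $secureBoot
        TpmPresent = $tpm.TpmPresent
        TpmReady   = $tpm.TpmReady
        OsVolume   = (Get-BitLockerVolume -MountPoint $env:SystemDrive).VolumeStatus
    }
}

function Enable-BitLockerWithEscrow ([string] $MountPoint = $env:SystemDrive) {
    $ready = Test-BitLockerReadiness
    if (-not ($ready.Uefi -and $ready.SecureBoot -and $ready.TpmReady)) {
        throw "Not ready for BitLocker (fix the firmware settings first):`n$($ready | Out-String)"
    }
    $vol = Get-BitLockerVolume -MountPoint $MountPoint

    # 1. Recovery password protector first, while the volume is still in the clear.
    if (-not ($vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword')) {
        Add-BitLockerKeyProtector -MountPoint $MountPoint -RecoveryPasswordProtector | Out-Null
        $vol = Get-BitLockerVolume -MountPoint $MountPoint
    }
    $rp = $vol.KeyProtector | Where-Object KeyProtectorType -eq 'RecoveryPassword' | Select-Object -First 1

    # 2. Escrow it to AD DS; -ErrorAction Stop aborts before anything is encrypted.
    Backup-BitLockerKeyProtector -MountPoint $MountPoint -KeyProtectorId $rp.KeyProtectorId -ErrorAction Stop | Out-Null

    # 3. TPM protector and encryption. -SkipHardwareTest avoids the extra reboot;
    #    -UsedSpaceOnly is fine for a freshly deployed machine.
    if ($vol.VolumeStatus -eq 'FullyDecrypted') {
        Enable-BitLocker -MountPoint $MountPoint -TpmProtector -EncryptionMethod XtsAes256 -UsedSpaceOnly -SkipHardwareTest | Out-Null
    }
    Get-BitLockerVolume -MountPoint $MountPoint |
        Select-Object MountPoint, VolumeStatus, EncryptionPercentage, ProtectionStatus,
            @{ n = 'Protectors'; e = { ($_.KeyProtector.KeyProtectorType | Sort-Object -Unique) -join ', ' } }
}

Test-BitLockerReadiness
Enable-BitLockerWithEscrow
```

Verify the escrow from the AD side as well (the msFVE-RecoveryInformation child object under the computer account) before the laptop leaves the building; a recovery password that exists only on the encrypted disk it protects is worth nothing.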

Request permission to add additions to the above documentation in Google Drive:

 

Kind regards,

Martijn Kamminga

 

System Administrator