Tek-Tips is the largest IT community on the Internet today!

Members share and learn making Tek-Tips Forums the best source of peer-reviewed technical information on the Internet!

  • Congratulations strongm on being selected by the Tek-Tips community for having the most helpful posts in the forums last week. Way to Go!

Securing Sbs 2003 Questions

Status
Not open for further replies.

logicsound

IS-IT--Management
Jul 14, 2009
6
US
Recently been getting hammered with virus's on a lot of clients. All of them have sbs 2003 server. I have been really easy on my users with hardly any restrictions but desperate times...So If you could tell me how you lock down you server from a user stand point I would appreciate it. a couple questions though.

1. Sbs 2003 makes users admins when you add them through the wizards..I am begining to think that this is very bad..Should I make all user's restricted instead? is there a group policy to do this? what are the disadvantages?if any.

2. What other policy's should I use to lock down the clients without causing problems with running legit programs?

3. I use zenith inforsytems and they are a sonicwall partner. Currently I am just using the windows sbs firewall and sunbelt vipre for virus, should I add a sonicwall device and if so what?

4. Limit interent sites? and how?

Sorry for the long post, but google and the technet sbs forum is getting me nowhere.

Thanks
Trev
 
wow, I guess this is not the right forum to get help at, well at least I tried...LAter
 
Sbs 2003 makes users admins when you add them through the wizard
Only if you use the "Adminsitrator" template to set up new user accounts. You should be using the "User" template.

Download and have a read through this Microsoft document for information on how to secure your SBS 2003 network.

Hope this helps.

Please help us help you. Read Tek-Tips posting polices before posting.
 
ok thanks, 1 question. I do choose the user template in setup but it makes them local admins of the machine.

Like for instance if I create a user in the add user wizard it will make it a user template but when I setup a new pc thru (add computer) It asks me for a user that has permission to join domain (administrator) then after that it asks me to assign users to the pc, when I do this step sbs makes them administrators of the machine even though I choose the user template??
 
You're right, everyone is given local admin rights on their workstations, regardless of which template you use, but only if you set up a workstation for them when you create the user. If you don't specify the workstation, the only thing it doesn't do is add them to the local admin group.

What you want to do is use Restricted Groups. Once you put Restricted Groups into play with Group Policy, the local admin group membership is changed to only allow the users that you've specified on a global level.

Here's a link to a basic description of the groups:

Here's a link regarding implementation:

Dave Shackelford
ThirdTier.net
 
We always do the initial setup with the user as a local admin, we make sure all programs they need are installed and then we remove the local admin rights. Any 3rd party programs that want the user as admin can usually be overcome by simply giving the user write rights to the program folder and registry keys for that program.

If you are getting hammered by viruses, you need to investigate why that is. Your AV should be blocking that crap. Perhaps you need to switch AV products.

I think it is fair to say that there is consensus among many SBS shops to use either Trend Micro or AVG on SBS networks. You need to be looking at what the entry point is for the viruses. Is it the clients via the web or is it via email or people bringing in floppies/cds/usb drives?

I hope you find this post helpful.

Regards,

Mark

Check out my scripting solutions at
Work SMARTER not HARDER. The Spider's Parlor's Admin Script Pack is a collection of Administrative scripts designed to make IT Administration easier! Save time, get more work done, get the Admin Script Pack.
 
Hi,

1 - As others have pointed out, SBS gives local admins rightd to users. Once each PC is setup, make users 'Restricted Users'.
2 - None should be required.
3 - Windows Firewall on it's own isn't good enough. Get an Enterprise class firewall or better still, a Unified Threat Management Appliance such as Watchguard. Model depends on how many users at your client's sites. I'd recommend the WG FB Core 550e. This will strip malware from email/internet traffic, allow you to block sites, allow double authentication for remote users etc.
4 - Use the UTM to disallow sites such as P2P, myspace etc. Also, implement OpenDNS as this will block a lot of wesites for you.

You don't say which AV you are using. Get yourself Trend WFBS 6.0 or Sophos Security Suite 2.5 installed.

Regards Colin.
 
Thanks!! We use to use trend but have been very disappointed with it in the last 2 years, It always seemed like it told me there was a virus but never cleaned it??? I tried to deal with there support but long hold times and not very helpful. We switched to Sunbelt Vipre for av because we use Zenith Infosystems for managed services and they support it. Thanks for all the tips.

Trev
 
Status
Not open for further replies.

Part and Inventory Search

Sponsor

Back
Top