Windows Enterprise Domain
IT Administrator Support


Windows System Security


It is critical that any Windows system be updated with the latest service packs and patches and also be running anti-virus software whose virus definitions are updated DAILY. Several proactive measures are implemented at the enterprise level (such as virus scanning of mail passing through enterprise mail servers and the blocking of certain ports at the campus borders). However, given the nature of our open environment and the wide variety of systems that connect by insecure means to off-campus systems (or to on-campus people with dubious spare-time activities), you must assume every system is vulnerable to attack from inside or outside the campus borders. There are several things you should be aware of and are encouraged to do.
  • To reduce off-campus Windows account hacking, selected Windows authentication and remote procedure call (RPC) ports are blocked at the campus borders. These blocks became effective November 18, 2003. A "Virtual Private Connection" (VPN) connection will be necessary to use off-campus Windows authentication for file and print sharing after this date. See Port Blocking at the Campus Border for more information.

  • Hacking attacks from off-campus often occur using the Windows Remote Desktop Protocol (RDP). This can cause your system to be blocked at the campus border since it is the vector for the attacks. See Remote Desktop Protocol Attack Prevention for current recommendations.

  • Anti-virus software for clients and servers is available under a campus-wide site-license for university-owned systems (Microsoft Forefront Endpoint Protection). Non-university-owned systems can select from a number of freeware and commercial anti-virus packages. Microsoft's Security Essentials is one recommendation.

  • It is recommended that any Windows system be at the current Service Pack for the OS. This is available from Microsoft.

  • Use the "Windows Update" feature (on the "Start" menu) to make sure you have all "Critical" updates installed on your system.

  • A local "Windows System Update Server" ("WSUS") is available for the ISU enterprise. This server provides a "local mirror" of Microsoft updates and is available to "on-campus" systems ("*.iastate.edu" and "*.ameslab.gov"). OU administrators in the ISU Enterprise domain can configure Group Policy to apply updates automatically to their managed systems. Systems that are not members of the ISU Enterprise domain can still be configured through local security policy settings to update automatically from this server. A document on using the ISU Enterprise WSUS server is available here.

  • It is important to apply any security hotfixes in addition to the current Service Pack and the critical updates. Use the following site provided by Microsoft to see what is needed for each product you are running:

    Microsoft Security Hotfix List

    Example: Supply "Windows Server 2008" for the "Product:" field and "Windows Server 2008 Service Pack 2" for the "Service Pack:" field and click "Go". You will see all security hotfixes that should be applied to a server at SP2. Be sure to get the hotfix list for each product you are running on your servers (IIS, Exchange, etc.).

    REVIEW the description of each hotfix before you apply it. Some hotfixes have been superseded by others in the list. Always apply hotfixes so they can be backed off as necessary should they create a problem with your server.

    Another good tool to use is the Microsoft Baseline Security Analyzer. This product provides a scan of your system (or a remote system that you have administrative rights on) for many security issues, including missing security hotfixes, poor passwords, open file shares, etc. Make sure you run this tool with "administrative" rights on the system being scanned!

  • An IIS Lockdown Tool is available from Microsoft. IIS admins may want to investigate this.

  • In the event you feel a Windows system may have been compromised (as evidenced by missing security hotfix patches or strange system behavior) you should review the Compromised System Forensics document for tips on how to proceed.
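The checks listed above (WSUS policy in place, required hotfixes installed, and RDP as an attack vector) can be audited from the system itself. The following PowerShell script is an added example written for this page; it is not ISU's code and not from any Microsoft tool. It assumes an elevated PowerShell session, a placeholder WSUS URL (the campus server address is not given here), and a constructed list of KB numbers that you would replace with the entries from the Microsoft hotfix list for your product and service pack. It only reads registry values, installed hotfixes and the Security event log; it changes nothing.

```powershell
# Added example for this page (not ISU's or Microsoft's code). Read-only audit of
# three items an administrator is asked to keep on top of. Run elevated.

# --- 1. Is the system pointed at a WSUS server by policy? --------------------
# These are the registry values that Group Policy or local policy write when
# "Specify intranet Microsoft update service location" is configured.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = "$wuPolicy\AU"
# PLACEHOLDER: substitute the real campus WSUS URL (not stated on this page).
$expectedWsus = 'http://wsus.example.invalid:8530'

function Test-WsusPolicy {
    if (-not (Test-Path $wuPolicy)) {
        return New-Object PSObject -Property @{
            Check = 'WSUS policy'; Status = 'FAIL'
            Detail = 'No WindowsUpdate policy key: updates are not directed to WSUS by policy' }
    }
    $wu = Get-ItemProperty -Path $wuPolicy -ErrorAction SilentlyContinue
    $au = Get-ItemProperty -Path $auPolicy -ErrorAction SilentlyContinue
    $problems = @()
    if ($wu.WUServer -ne $expectedWsus) { $problems += "WUServer is '$($wu.WUServer)'" }
    if ($au.UseWUServer -ne 1)          { $problems += 'UseWUServer is not 1' }
    if ($au.NoAutoUpdate -eq 1)         { $problems += 'NoAutoUpdate disables automatic updates' }
    $status = if ($problems.Count -eq 0) { 'PASS' } else { 'FAIL' }
    New-Object PSObject -Property @{
        Check = 'WSUS policy'; Status = $status; Detail = ($problems -join '; ') }
}

# --- 2. Are the hotfixes from the Microsoft list installed? ------------------
# CONSTRUCTED list: replace with the KB numbers shown by the Microsoft Security
# Hotfix List for each product and service pack you run.
$requiredKBs = @('KB0000001', 'KB0000002')

function Test-RequiredHotfixes {
    $installed = Get-HotFix | ForEach-Object { $_.HotFixID }
    $missing = $requiredKBs | Where-Object { $installed -notcontains $_ }
    $status = if (@($missing).Count -eq 0) { 'PASS' } else { 'FAIL' }
    New-Object PSObject -Property @{
        Check = 'Required hotfixes'; Status = $status
        Detail = if ($missing) { 'Missing: ' + ($missing -join ', ') } else { 'All present' } }
}

# --- 3. Failed RDP logons in the Security log ---------------------------------
# Event 4625 is a failed logon; LogonType 10 is RemoteInteractive (RDP).
# Failures rejected at the Network Level Authentication stage can be logged
# with LogonType 3 instead, so treat this as a lower bound.
function Get-RdpLogonFailures {
    param([int]$Hours = 24)
    $since = (Get-Date).AddHours(-$Hours)
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
              -ErrorAction SilentlyContinue
    $rdp = foreach ($e in $events) {
        $xml = [xml]$e.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        if ($data['LogonType'] -eq '10') {
            New-Object PSObject -Property @{
                Time = $e.TimeCreated; User = $data['TargetUserName']; Source = $data['IpAddress'] }
        }
    }
    # One row per source address, busiest first: a long tail of attempts from
    # a single address is the pattern that gets a host blocked at the border.
    $rdp | Group-Object Source | Sort-Object Count -Descending |
        Select-Object @{ n = 'Source'; e = { $_.Name } }, Count
}

# --- Report -------------------------------------------------------------------
$results = @((Test-WsusPolicy), (Test-RequiredHotfixes))
$results | Format-Table Check, Status, Detail -AutoSize
"Failed RDP logons in the last 24 hours, by source:"
Get-RdpLogonFailures -Hours 24 | Format-Table -AutoSize
```

The script deliberately uses only cmdlets present in PowerShell 2.0 (Get-HotFix, Get-WinEvent with a filter hashtable, Get-ItemProperty), so it runs on the Windows Server 2008 generation discussed above. A FAIL on the WSUS check on a domain-joined machine usually means the OU's Group Policy is not reaching the system; on a non-domain machine it means the local policy described in the WSUS bullet has not been set.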

Last updated September 30, 2011