Re: Inheriting network, first steps?
- From: "Roger Abell [MVP]" <mvpNoSpam@xxxxxxx>
- Date: Wed, 1 Mar 2006 08:44:04 -0700
On day one
1. determine that you can log in with the highest admin rights on each box
Prioritize this. Domain controllers first, critical servers next, etc.
2. interleave with the above, at the earliest possible moment
a. disable known accounts of the individual
b. inventory all accounts with admin rights, and for each either
disable or change password - but be careful of machine local
accounts that might be used for services, for backup access, etc.
If there are obvious excess
You may need to invest some interruption for sake of the time
bought while you move through 1 and 2, then return and make
the temporarily broken whole again.
Look at Schema Admins, Enterprise Admins, Domain Admins,
Administrators, Server Operators, Power Users, etc.
c. after a group has been adjusted per 2 b. revisit it to make sure
the adjustments stuck (at 5 plus minutes if domain group, 90
plus minutes if machine local groups). If a change is noticed
from how you set it you need to seek out restricted group defs
in GPOs linked to the Domain or Domain Controllers OU in
the (5 minute) case of domain groups, else in a GPO linked
potentially anywhere that can impact the machine with the
(90 minute case) local group.
d. again, prioritized by machine kind, examine the user rights
that govern the different login types and make sure these are
reasonable and understood, and that any excessive login
(as service, as batch, local on a domain controller or production
server, etc.) is by a known account for a known reason.
3. check what exists as scheduled tasks
4. check all that controls access via the VPN to make sure only
accounts desired are able to log in.
5. strongly consider reviewing the password policy, adjusting to
strengthen if politically possible, and then expiring all passwords
for user accounts (that you have not been able to change in 2).
This may not be easy to sell, but it would prevent use of other
people's accounts if the password is known by other than the
account holder.
The list continues, quite far actually, such as reviewing all services
to make sure they are known, needed, etc. checking for detectable
root kits, etc.
However, the 1 to 5 is a good set of actions for day one, hour one
and would probably make for a pretty full day.
<mattptodd@xxxxxxxxx> wrote in message
news:1141218545.583181.227280@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
Ok in a month I will be inheriting someone else's network who is
probably not going to be happy he got ousted. I don't even know the
configuration/settings/etc on the network or even how many servers he
has running. At least I do know they are all Windows Servers.
Anyway, just wanting to get a handle on my first steps.
1. Remove Administrator (actually rename it to something else)
2. Remove Guest (if it's there)
3. Somehow view all users and make sure no one is admin on the
servers.
I was thinking I should also contact AT&T and get a new IP address(s)
for the servers and for the VPN. I'm not sure yet if there is anything
IP specific on the server that will cause any problems if I do this,
besides the VPN settings already on the users' laptops.
Am I missing anything to do on day/week one?
Any help would be appreciated.
Thanks.
-Matt
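
Added example, not part of the original thread: one way to carry out steps 2b and 2c for the domain-level groups named in the reply, by saving a membership baseline after the groups have been adjusted and diffing against it once the refresh interval has passed. It assumes the RSAT ActiveDirectory module is available; the function names and the baseline file name are hypothetical, and machine-local groups such as Power Users are not covered.

```powershell
# Added example (not from the thread). Assumes the RSAT ActiveDirectory module.
# Function names and the CSV path are hypothetical.
Import-Module ActiveDirectory

$PrivilegedGroups = 'Schema Admins', 'Enterprise Admins', 'Domain Admins',
                    'Administrators', 'Server Operators'

function Get-PrivilegedSnapshot {
    foreach ($g in $PrivilegedGroups) {
        try {
            # -Recursive flattens nested groups, so indirect admins are listed too
            Get-ADGroupMember -Identity $g -Recursive -ErrorAction Stop |
                ForEach-Object {
                    [pscustomobject]@{
                        Group  = $g
                        Member = $_.SamAccountName
                        Type   = $_.objectClass
                        Key    = "$g|$($_.SID)"   # SID survives account renames
                    }
                }
        } catch {
            # Schema Admins / Enterprise Admins exist only in the forest root domain
            Write-Warning "Could not read '$g': $($_.Exception.Message)"
        }
    }
}

function Compare-PrivilegedSnapshot {
    param([Parameter(Mandatory)][string]$BaselinePath)

    $before     = @(Import-Csv -Path $BaselinePath)
    $after      = @(Get-PrivilegedSnapshot)
    $beforeKeys = @($before | ForEach-Object { $_.Key })
    $afterKeys  = @($after  | ForEach-Object { $_.Key })

    # Members present now but absent from the baseline: something put them back
    # (for example a Restricted Groups definition in a GPO) or added them anew.
    $after  | Where-Object { $beforeKeys -notcontains $_.Key } |
        Select-Object Group, Member, Type, @{ n = 'Change'; e = { 'ADDED' } }
    # Members in the baseline that are gone now.
    $before | Where-Object { $afterKeys -notcontains $_.Key } |
        Select-Object Group, Member, Type, @{ n = 'Change'; e = { 'REMOVED' } }
}

# Step 2b, right after adjusting the groups:
#   Get-PrivilegedSnapshot | Export-Csv .\priv-baseline.csv -NoTypeInformation
# Step 2c, five or more minutes later:
#   Compare-PrivilegedSnapshot -BaselinePath .\priv-baseline.csv | Format-Table
```

Any output from the comparison means membership no longer matches what was set, which is the cue to look for restricted group definitions in the GPOs mentioned in 2c.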