How to tighten up security?

[jimbow]

Hi,

I have inherited an older system that has not been maintained for a number of years, and appears to have been hacked around a bit.

Three servers running Win 2k3
1=AD plus Exchange plus plus plus plus bits
2=AD plus SMS
3=Terminal Server

There are around 75 plus workstations ranging from laptops to desktops and a mixture of student and teacher configurations

The login script is using something called kixstart and is full of errors and registry hacks.

There is very little in teh way of GPO settings

The AD is poorly organised and not making efficient use of OUG's

Where do I start?

I am no expert, just well informed, so I would need a lot of asssistance.

The first thing I want to be able to do is stop students from launching any applications/scripts/batch files from anywhere accept the authorised locations such as C drive etc. How do I do that?

Second, I want to re rationalise policies/profiles and login scripts.

At the moment each logon creates a profile on teh machine which slowly fills the local machines hard drive and kills it. Would Mandatory Profiles stop this or not?

I want to be able to first lock the system down for students and also for some staff who are useless at security to protect the sytsme from hackers and wasteful malicious pranks.

Also would like to expand in the future to add student laptops with a variety of OS's and capablities

Also would like to know how subnetting could work, as we are only using one domain and if that could have subnets as we are running out of IP address!

I appreciate your help in advance

Jim

[Chris_Jones]

From the sounds of it the system could do with a rebuild from the ground up, though this probably isnt practical.

What I would look at is

1. Seperate Server for Exchange
Either buy/build a new server and move exchange over to it, or use a new server as a Domain Controller and dcpromo the Exchange box down to a member server (Disclaimer: I am not an Exchange expert so I dont know how feasable this is, or what problems may occur)

2. Ultimately a seperate server running SMS and all the other bits, so your Domain Cotrollers are just doing AD, DNS and DHCP.

3. Move to Mandatory Profiles for pupils, these can be used to give quicker logins and to control exactly what icons etc the pupils get. Combine with a shutdown script for the PC running DELPROF (ms utility) which will clean up profiles that havent been used recently (I think the default is 2 weeks)

4.Group policy /AD
Have a good look at what policies are set, and how they are applied to OUs. Here we have policys for whole site (things like Proxy server, IE Branding etc) Pupils (locked down everything) Staff (less restrictive) Pupil workstations and Staff workstations. getting the Group policys right will save you a lot of trouble down the line - its probably best to build new policies then remove the old ones, rather than just add on and change existing.

5. Regarding Laptops with a variety of OS's - is there any way you can rationalise these? its a lot simpler from your point of view if you only have a few configurations to manage, than having lots of different combinations. Ultimatly the Hardware isnt as important in this as the software on it.

6. Finally re subnetting, I think your best making a seperate post on this in the network forum, with more details of your current setup. eg if you get your Internet connection Via an ADSL router, and dont connect to any other schools there is nothing stopping you changing to a different subnet, or expanding you existing (ie you could change to 10.0.0.0/255.0.0.0 and have 16.7 million addresses ) but if you are connected to other schools etc this wouldnt be possible. in summary - need more info

I hope my ramblings are of some use to you, if you need any more info on a specific point let me know

[tmcd35]

Here's what I did here, from a similar starting point (I was replacing Winsuite with GPO's).

Firstly build a new OU tree. Don't delete any existing OU's. I created a new OU called 'Summer09change' and designed my new OU structure in there.

Once you have the OU structure you can start working out your GPO's. What policys you want to apply to which OU's. This is a laborous task and the only way to do it is to read through the GPO options one at a time and deside if that setting applys at that level of the OU.

Then you'll need a couple of test machines and test users you can place in your new OU strucute and check the GPO's behave how you expect. Once you've tested the new structure and GPO's you can migrate your existing users and machines into the new structure.

To be on the save side we re-imaged all our machines before adding them to the new structure and deleted all our users existing profiles.

Once everything is moved accross you can delete the old empty OU's and old unused GPO's and move your shiney new OU tree out of the 'summer09change' (or what ever you call it) OU.

Problem is the the job takes a lot of planning and testing. Took me 6 months before I was ready to move everything into the new OU structure. And even now I'm still tweeking the old GPO.

[jimbow]

From the sounds of it the system could do with a rebuild from the ground up, though this probably isnt practical.

4.Group policy /AD
Have a good look at what policies are set, and how they are applied to OUs. Here we have policys for whole site (things like Proxy server, IE Branding etc) Pupils (locked down everything) Staff (less restrictive) Pupil workstations and Staff workstations. getting the Group policys right will save you a lot of trouble down the line - its probably best to build new policies then remove the old ones, rather than just add on and change existing.

How do I lock down everything for the students.. Is there a guide somewhere?
This is the most urgent and important aspect and I will need guidance...

Cheers

Jim

[Edu-IT]

You'll probably want to read up on group policies.