Posted: . At: 11:42 AM. This was 3 years ago. Post ID: 15478


How to best enforce security in a local network situation.


Windows security on a local area network

  1. Windows security on a local area network
  2. Strong passwords
  3. Securing the Windows systems
  4. Physical security
  5. Educating users
  6. Online security

Strong passwords

Enforcing strong passwords with Active Directory is another way to keep the network safe. Users may be tempted to use something like passwordme1 or mypasswordisStrong1, but those passwords are not secure enough anymore. Setting passwords for them is a better approach. In Windows Server 2016 and Windows 10 and later, the passwords are stored encrypted with DES for backwards compatibility and then with CNG BCrypt AES-256 (see CNG BCRYPT_AES_ALGORITHM). Previous Windows versions encrypt NT hashes using two layers of DES + RC4 encryption. This is quite sufficient to provide a lot of security for users. This is why Active Directory is so important these days: it offers so much control over the users on the network.

Securing the Windows systems

Securing Windows systems is very important, especially when Windows servers and desktops are used in a network with file sharing. With NTFS permissions applied and users divided into groups, the security of the network may be preserved. If you have a shared folder that all users in a group may access, give the correct permissions to this directory so that only users within that group can see it. This directory could be mapped to a drive letter and given out with Active Directory. This way, all users would be able to access this directory if they are in the correct group.
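The group-restricted shared folder described above could be set up as follows. This is an added example, not part of the original post; the folder path, group name and share name are assumptions to be replaced with your own values.

```powershell
# Added example. Assumed, hypothetical names: adjust to your environment.
$Path  = 'D:\Shares\Finance'        # folder to share
$Group = 'EXAMPLE\Finance-Users'    # AD security group (NetBIOS domain\name)
$Share = 'Finance'                  # SMB share name

New-Item -Path $Path -ItemType Directory -Force | Out-Null

# Block inheritance and drop inherited entries, then remove any explicit ones,
# so the folder ends up with exactly the entries granted below.
$acl = Get-Acl -Path $Path
$acl.SetAccessRuleProtection($true, $false)
$acl.Access | Where-Object { -not $_.IsInherited } |
    ForEach-Object { [void]$acl.RemoveAccessRule($_) }

# Least privilege: the group gets Modify, only admins and SYSTEM get FullControl.
$grants = @{
    'BUILTIN\Administrators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'    = 'FullControl'
}
$grants[$Group] = 'Modify'

foreach ($identity in $grants.Keys) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $grants[$identity],
        'ContainerInherit, ObjectInherit',   # applies to subfolders and files
        'None', 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $Path -AclObject $acl

# Share-level permissions mirror the NTFS ones. Access-based enumeration hides
# the contents from users who have no NTFS rights to them.
New-SmbShare -Name $Share -Path $Path `
    -FullAccess 'BUILTIN\Administrators' -ChangeAccess $Group `
    -FolderEnumerationMode AccessBased | Out-Null

# Verification: any identity on the folder that was not granted above is a finding.
$unexpected = (Get-Acl -Path $Path).Access |
    Where-Object { $_.IdentityReference.Value -notin $grants.Keys }
if ($unexpected) {
    Write-Warning "Unexpected ACL entries on ${Path}:"
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    Write-Output "ACL on $Path contains only the expected entries."
}
```

Run it from an elevated PowerShell session on the file server. The verification step at the end can be rerun later on its own to detect permission drift.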

Physical security

Physical security is another issue that is very important. Keeping the server machines locked away will prevent someone from physically accessing the server and the data that is held on the machine. Any desktop machines that have access to the server for administration must be secured when not in use.

Educating users

Educating users in proper computer practices is a good way to avoid computer issues. If users are trained not to download strange attachments from email, this can avoid infections from malicious software. Deterring users from downloading unwanted files and from bringing in files on removable media is also important. Software Restriction Policies enforced through Group Policy are the best way to stop unwanted software from being executed on computers. Even if the executable is renamed to *.bin, for example, it still will not run. This is therefore a very powerful tool for network administrators.

There is an example here of how to implement this with Active Directory: https://thesolving.com/server-room/how-to-software-restriction-policy-for-ad-domain-users/.

Online security

When using the Internet to access local network resources remotely, security must be practised. Using a VPN such as OpenVPN and connecting to a VPN server that then provides access to SSH and other features through a secure tunnel is a very good idea. Working from home over a VPN would still allow access to the Active Directory system and allow remote work, but the keys must be very secure and the machine used to connect to the network must be kept safe.

