Public key infrastructure (PKI) is a vital element when designing the overall security policy of a business. The foundation of PKI is the creation and distribution of digital certificates, which can then be used to authenticate users and machines on the network. One option is to buy certificates from organizations that provide professional certification services, but this comes at a relatively high cost. If your server runs Windows 2000 or Windows Server 2003, you already have a certification authority of your own in the Microsoft Certificate Services service, which can certify every computer and user in your network. You can configure Microsoft Certificate Services to work with Active Directory group policy so that digital certificates are deployed automatically to all managed computers in the Active Directory domain.
2. Windows Firewall in Windows XP Service Pack 2
Microsoft's first firewall for personal computers was Internet Connection Firewall (ICF). Although ICF worked well, it lacked flexibility and centralized management. Windows Firewall changes that: it blocks unsolicited inbound connections to Windows-based workstations, and you can configure exceptions by application or by port number. Exceptions can be fine-tuned so that a connection is allowed only from certain network addresses or from specific machine addresses. Windows Firewall can be managed centrally through Active Directory group policy.
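The decision logic described above, as an added example that is not part of the original article or of Microsoft's code: a Python model of Windows Firewall's inbound decision, where the exception names, the program path and the local subnet 192.168.1.0/24 are constructed sample values.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# Constructed model (not Microsoft code) of how Windows Firewall treats an
# unsolicited inbound connection: drop it unless an enabled exception matches
# by port or by program AND the sender lies inside that exception's scope.
LOCAL_SUBNET = ipaddress.ip_network("192.168.1.0/24")  # constructed sample subnet

@dataclass
class FwException:
    name: str
    protocol: Optional[str] = None   # "TCP"/"UDP" for a port exception
    port: Optional[int] = None
    program: Optional[str] = None    # executable path for a program exception
    scope: str = "any"               # "any" | "subnet" | "custom"
    addresses: Tuple[str, ...] = ()  # CIDR blocks used when scope == "custom"
    enabled: bool = True

def in_scope(exc: FwException, src: str) -> bool:
    ip = ipaddress.ip_address(src)
    if exc.scope == "any":
        return True
    if exc.scope == "subnet":
        return ip in LOCAL_SUBNET
    return any(ip in ipaddress.ip_network(a, strict=False) for a in exc.addresses)

def inbound_allowed(exceptions, src, protocol, port, program=None,
                    allow_exceptions=True) -> Tuple[bool, str]:
    """Return (allowed, reason); allow_exceptions=False models the 'Don't allow exceptions' switch."""
    if not allow_exceptions:
        return False, "all exceptions disabled"
    for exc in exceptions:
        if not exc.enabled:
            continue
        by_port = exc.port is not None and (exc.protocol, exc.port) == (protocol, port)
        by_prog = (exc.program is not None and program is not None
                   and exc.program.lower() == program.lower())
        if (by_port or by_prog) and in_scope(exc, src):
            return True, f"matched exception '{exc.name}'"
    return False, "no matching exception"

# Constructed sample policy: RDP only from the local subnet, SMB only from an
# admin network, and one program allowed from anywhere.
POLICY = [
    FwException("Remote Desktop", "TCP", 3389, scope="subnet"),
    FwException("File and Printer Sharing", "TCP", 445, scope="custom",
                addresses=("10.10.0.0/16",)),
    FwException("Backup agent", program=r"C:\Program Files\Backup\agent.exe"),
]
```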
3. Microsoft Baseline Security Analyzer (MBSA)
MBSA is a free tool that scans the client and server systems on your network for potential configuration problems. Its command-line interface lets you run scans on a schedule. The scan results are stored in a database, with fairly complete and clear content.
4. VPN for network segments that require high security
Most administrators and security experts think of VPN merely as a remote access solution. Although VPN is a very good remote access solution, you can also use it to separate areas that require high security from the rest of the corporate network. For example, there is no reason why every employee of the company should be able to reach the servers and workstations on the Human Resources network. Of course, some people need that access, but the majority do not. In that case, you can place a Microsoft VPN server at the edge of the HR department network and require everyone in the company to connect to that network via L2TP/IPSec. L2TP/IPSec requires machines to authenticate with digital certificates, and you can strengthen security further by requiring user authentication as well.
5. Software restriction policy
Microsoft's software restriction policy lets you control which programs can run on your computers. If you are concerned that users will receive messages with viruses attached, you can create a policy that prevents certain types of software from running in the attachment download folder of your e-mail program. On a computer with many users, you can also allow only certain people access to certain types of files.
Software restriction policy also lets you control who can add trusted publishers to managed computers. With it you can prevent specific files from running on a single computer, across your organization, or across your domain. For example, if a known virus is circulating, you can use a software restriction policy to prevent your computers from opening the files that contain it.
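To show how the policy picks a rule when several could apply (the attachment-folder case above is a path rule, the known-virus case a hash rule), here is an added Python model that is not part of the original article or of Windows. The precedence it encodes (hash, then certificate, then path, then Internet zone, with the most specific path winning) is Microsoft's documented order; the sample rules, folder paths, file bytes and the publisher "Contoso Ltd" are constructed.

```python
import hashlib
from dataclasses import dataclass
from typing import List, Optional

# Constructed model (not Microsoft code) of how software restriction policy picks
# the rule that decides whether a file may run: rule types are checked in the
# order hash > certificate > path > Internet zone; among matching path rules the
# most specific (longest) one wins; with no match the default level applies.
UNRESTRICTED, DISALLOWED = "Unrestricted", "Disallowed"
PRECEDENCE = ("hash", "certificate", "path", "zone")

@dataclass
class Rule:
    kind: str    # "hash" | "certificate" | "path" | "zone"
    match: str   # hex digest, publisher name, path prefix, or zone name
    level: str

@dataclass
class Candidate:
    path: str
    content: bytes
    publisher: Optional[str] = None  # signer name, None if unsigned
    zone: Optional[str] = None       # Internet zone the file came from

def rule_matches(rule: Rule, f: Candidate, digest: str) -> bool:
    if rule.kind == "hash":
        return rule.match == digest
    if rule.kind == "certificate":
        return f.publisher is not None and rule.match == f.publisher
    if rule.kind == "path":
        return f.path.lower().startswith(rule.match.lower())
    return f.zone is not None and rule.match == f.zone

def effective_level(rules: List[Rule], f: Candidate, default_level: str = UNRESTRICTED) -> str:
    digest = hashlib.sha256(f.content).hexdigest()  # hash rules key on file content
    for kind in PRECEDENCE:
        hits = [r for r in rules if r.kind == kind and rule_matches(r, f, digest)]
        if hits:  # longest path prefix is the most specific; other kinds take the first hit
            best = max(hits, key=lambda r: len(r.match)) if kind == "path" else hits[0]
            return best.level
    return default_level

# Constructed sample policy: block anything in the mail attachment folder, block one
# known-bad file by hash wherever it sits, and trust a hypothetical publisher.
VIRUS_BYTES = b"constructed stand-in for a known-bad executable"
POLICY = [
    Rule("path", "C:\\Program Files\\", UNRESTRICTED),
    Rule("path", "C:\\Program Files\\Mail\\Attachments\\", DISALLOWED),
    Rule("hash", hashlib.sha256(VIRUS_BYTES).hexdigest(), DISALLOWED),
    Rule("certificate", "Contoso Ltd", UNRESTRICTED),
]
```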
6. IPSec domain isolation
IPSec domain isolation is a method of controlling which computers on your Active Directory network may communicate with each other. Do all client systems really need to connect to every server on your network? Do all servers, even those in the same security zone, need to connect to each other? Of course not. Although most of us think of IPSec only as an encryption method, you can use it purely for authentication: without encryption it consumes far less of the computer's processing power while still doing the job of restricting which machines can talk to each other.
7. Internet Authentication Service
Internet Authentication Service (IAS) is Microsoft's RADIUS implementation; it lets you authenticate users against Active Directory from devices that are not domain members. It is especially useful for LAN access, remote access VPN connections, and Web proxy client authentication. IAS is part of Windows Server 2003 and can be installed or removed easily.
8. TCP/IP filtering
Both Windows 2000 and Windows 2003 include TCP/IP filtering, which lets you control incoming connections by protocol and port number. You will find it in the Advanced TCP/IP Properties dialog box, on the Options tab. You can configure TCP/IP filtering to permit only certain TCP ports, certain UDP ports, or certain IP protocols (specified by protocol number). The filter applies to all interfaces on the computer. One drawback is that it cannot block or control ICMP messages.
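An added Python model (not Microsoft code) of the permit-only lists described above, showing how the "Permit All" entry, an empty list and the ICMP limitation each behave; the web-server filter is a constructed sample, and judging non-TCP/UDP traffic purely by the IP protocol list is an assumption of the model.

```python
from dataclasses import dataclass, field
from typing import List, Tuple

# Constructed model (not Microsoft code) of the TCP/IP filtering decision on
# Windows 2000/2003. Each list is a "Permit Only" list; the single entry 0
# stands for "Permit All" and an empty list permits nothing. Filtering is
# host-wide: the same lists apply to every interface and the source address
# plays no part. Caveat from the text: ICMP cannot be blocked by this feature.
PERMIT_ALL = [0]
ICMP, TCP, UDP = 1, 6, 17

@dataclass
class TcpIpFilter:
    enabled: bool = True
    tcp_ports: List[int] = field(default_factory=lambda: list(PERMIT_ALL))
    udp_ports: List[int] = field(default_factory=lambda: list(PERMIT_ALL))
    ip_protocols: List[int] = field(default_factory=lambda: list(PERMIT_ALL))

def _permitted(value: int, permit_list: List[int]) -> bool:
    return permit_list == PERMIT_ALL or value in permit_list

def packet_allowed(flt: TcpIpFilter, protocol: int, dst_port: int = 0) -> Tuple[bool, str]:
    """Decide on one inbound packet; (protocol, dst_port) is all the filter looks at."""
    if not flt.enabled:
        return True, "filtering disabled"
    if protocol == ICMP:
        return True, "ICMP is never filtered (feature limitation)"
    if protocol == TCP:
        ok = _permitted(dst_port, flt.tcp_ports)
        return ok, f"TCP port {dst_port} {'in' if ok else 'not in'} permit list"
    if protocol == UDP:
        ok = _permitted(dst_port, flt.udp_ports)
        return ok, f"UDP port {dst_port} {'in' if ok else 'not in'} permit list"
    # Modelling assumption: other protocols are judged by the IP protocol list only.
    ok = _permitted(protocol, flt.ip_protocols)
    return ok, f"IP protocol {protocol} {'in' if ok else 'not in'} permit list"

# Constructed sample: a web server that should expose only HTTP/HTTPS and DNS.
WEB_SERVER = TcpIpFilter(tcp_ports=[80, 443], udp_ports=[53], ip_protocols=[TCP, UDP])
```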