Hyper-V Concepts
It's time to get familiar with Hyper-V Virtualization, virtual servers, virtual switches, virtual CPUs, virtual deployment infrastructure (VDI) and more.
In our previous article Protecting Enterprise & SMB Networks From Exploits, Hacking & Attacks By Correctly Patching Systems - Part 1, we analysed the implications of unpatched systems and how hackers use these weaknesses to gain access to data and sensitive financial information. The analysis covered two major companies: eBay and a number of restaurants in the famous P.F. Chang's chain. We then provided some rules IT Departments, Managers and Administrators should follow in order to secure their systems as well as possible.
This article continues with a number of important tips to further enhance the security of your company systems and shows how tools such as GFI's LanGuard can be used to scan, identify, patch and automate the whole process of protecting your systems.
Not all computers in the organization need to be patched at the same time. Some computers are more likely to be attacked because they are interface facing. Systems handling e-commerce, such as point-of-sale machines and servers holding the customer database, are usually more vulnerable to attack. Therefore, prioritize the patching process so that the most critical systems are serviced before the others.
If you use many tools and software programs, you will need to track and install several patches. Standardizing your configuration allows all systems to use the same operating system and tools. That results in easier maintenance and tracking of patches and service pack levels. If possible, lock down the configuration. This can easily be achieved in a Windows environment with the use of Active Directory Group Policies. Enforcing Group Policies ensures users are not able to make any system configuration changes and all security policies are enforced correctly.
Our previous article introduced the Domain Name System (DNS) and explained the importance of the DNS Server role within the network infrastructure, especially when Active Directory is involved. This article covers the installation of the DNS server role in Windows 2012 Server and includes all the information necessary for the successful deployment and configuration of the DNS service. Interested users can also read our DNS articles covering the Linux operating system, or our analysis of the DNS Protocol under our Network Protocols section.
The DNS Server can be installed during the deployment of Active Directory Services or as a stand-alone service on any Windows server. We'll be covering both options in this article.
Administrators who are in the process of deploying Active Directory Services will be prompted to install the DNS server role during the AD installation process, as shown in Figure 1 below:
Figure 1. DNS Installation via Active Directory Services Deployment
Alternatively, administrators can choose to install the DNS server role later on, or even on a different server, as shown next. We decided to install the DNS Server role on the Active Directory Domain Controller Server.
To begin the installation, open Server Manager and click Add Roles and Features. Click Next on the Before you begin page. Now choose Role-based or feature-based installation and click Next:
Protecting Enterprise and Small-Medium Business networks from exploits and hacking attempts is not an easy task.
Each year software giants release new systems that bring new features and functionality to Enterprise and SMB companies aiming to increase collaboration, productivity, and generally make life easier for everyone, except IT Managers, System Engineers and Administrators.
Unfortunately, history has proven many times that new operating systems and applications are often bundled with a generous amount of security issues, which are usually detected only after a security incident.
Almost every company, regardless of its size, has faced data breaches and had important data, personal records and financial information stolen. Sadly, most companies never even know about the data breach until it's too late!
For example, in May 2014, the notorious Syrian Electronic Army attacked and successfully stole credentials from eBay. They managed to steal personal records of over 230 million users, compromising usernames, passwords, phone numbers and physical addresses, leaving eBay users vulnerable to identity theft.
Did you know that the PCI Data Security Standard (PCI DSS) provides a framework for developing a robust data security process - including prevention, detection and appropriate reaction to security incidents?
Last month, a huge data breach at P. F. Chang's, the famous chain restaurant, compromised payment information of their customers. Criminals hacked more than 33 P. F. Chang's restaurants between October 2013 and June 2014 and managed to record the data belonging to an unestimated number of credit and debit cards used at the restaurant's locations. Subsequently, these newly stolen credit and debit cards were put up for sale on the black market. The identity of the attackers is yet to be worked out, and worst of all, P. F. Chang's was alerted in June 2014 by the US Secret Service about the data breach! It seems like they were totally unaware of what was happening for a period of over 9 months!
A majority of the machines had data successfully siphoned off them because they had a common problem – they were not fully patched. It is suspected that software used in the machines had vulnerabilities and attackers used the security holes to enter and steal information. Patches are meant to fix flaws in the software, preventing attackers from gaining access through the flaws. However, applying patches in time is something that most users typically delay. The patching cycle, too, adds to the security problems.
The Domain Name System (DNS) is perhaps one of the most important services for Active Directory. DNS provides name resolution services for Active Directory, resolving hostnames, URLs and Fully Qualified Domain Names (FQDN) into IP addresses. The DNS Service uses UDP port 53 and, in some cases, TCP port 53, when UDP DNS requests fail consistently.
When installed on a Windows Server, DNS uses a database, stored in Active Directory or in a file, that contains lists of domain names and corresponding IP addresses. When a client requests a website by typing a domain (URL) inside the web browser, the very first thing the browser does is to resolve the domain to an IP address.
To resolve the IP address, the browser checks several places. First, it checks the local cache of the computer. If there is no entry for the domain in question, it then checks the local hosts file (C:\windows\system32\drivers\etc\hosts), and if no record is found there either, it finally queries the DNS server.
The DNS server returns the IP address to the client and the browser forms the HTTP request, which is sent to the destination web server.
The above series of events describes a typical HTTP request to a site on the Internet. The same series of events is usually followed when requesting access to resources within the local network and Active Directory, with the only difference that the local DNS server is aware of all internal hosts and domains.
A DNS Server can be configured on any server running the Windows Server 2012 operating system. The DNS server can be Active Directory integrated or not. A few important tasks a DNS server in Windows Server 2012 is used for are:
Our previous article explained what Group Policy Objects (GPO) are and showed how group policies can be configured to help control computers and users within an Active Directory domain. This article takes a look at Group Policy Enforcement, Inheritance and Block Inheritance throughout our Active Directory structure. Users seeking more technical articles on Windows 2012 Server can visit our dedicated Windows 2012 Server section.
Group Policy Enforcement, Inheritance and Block Inheritance give administrators the flexibility needed to deploy Group Policy successfully within Active Directory, especially in large organizations where multiple GPOs are applied at different levels within Active Directory, causing some GPOs to accidentally override others.
Thankfully Active Directory provides a simple way for granular control of GPOs:
GPOs can be linked at Site, Domain, OUs and child OUs. By default, group policy settings that are linked to parent objects are inherited by the child objects in the Active Directory hierarchy. By default, the Default Domain Policy is linked to the domain and is inherited by all the child objects of the domain hierarchy.
GPO inheritance lets administrators set a common set of policies at the domain level or site level and configure more specific policies at the OU level. GPOs inherited from parent objects are processed before GPOs linked to the object itself.
As shown in the figure below, the Default Domain Policy GPO with precedence 2 will be processed first, because the Default Domain Policy is applied at the domain level (firewall.local) whereas the WallPaper GPO is applied at the organizational unit level:
Figure 1. Group Policy Inheritance
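The inheritance order described above, as an added Python model (not code from the original article or from any Microsoft tool). It goes beyond the two-GPO case in the text by also modelling the Enforced and Block Inheritance settings the article names; the OU name `Workstations` is hypothetical, and sites are left out.

```python
from dataclasses import dataclass, field

@dataclass
class Link:
    gpo: str
    enforced: bool = False          # "Enforced" flag set on the GPO link

@dataclass
class Container:
    name: str
    links: list = field(default_factory=list)   # link order 1 first
    block_inheritance: bool = False

def precedence(path):
    """path: containers from the domain down to the target OU.
    Returns GPO names; index 0 is precedence 1 (wins conflicts)."""
    # Block Inheritance drops non-enforced links from every container above it.
    cutoff = max((i for i, c in enumerate(path) if c.block_inheritance),
                 default=0)
    enforced, normal = [], []
    for c in path:                  # enforced links: highest container wins
        enforced += [l.gpo for l in c.links if l.enforced]
    for i in range(len(path) - 1, cutoff - 1, -1):   # others: closest wins
        normal += [l.gpo for l in path[i].links if not l.enforced]
    return enforced + normal

def processing_order(path):
    """Order of application: lowest precedence first, winner last."""
    return list(reversed(precedence(path)))

def sample(block=False, enforce_domain=False):
    """Constructed sample: the article's two GPOs on firewall.local."""
    domain = Container("firewall.local",
                       [Link("Default Domain Policy", enforce_domain)])
    ou = Container("Workstations", [Link("WallPaper")],   # hypothetical OU
                   block_inheritance=block)
    return [domain, ou]

if __name__ == "__main__":
    for kwargs in ({}, {"block": True},
                   {"block": True, "enforce_domain": True}):
        print(kwargs, "->", precedence(sample(**kwargs)))
```

When auditing, the third case is the one to check: an enforced domain-level link still applies to an OU that blocks inheritance, and it takes precedence over the OU's own GPO.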