Plugging Common Mouse Holes
Windows Server 2008 has a handful of common security holes that you need to look for and fill. Fortunately, we crawled around on our hands and knees so you don't have to. Just follow our advice, and you'll be all snug and secure.
Unseen administrative shares
Each time the Server service starts, Windows Server 2008 creates a hidden administrative share for every fixed drive (C$, D$, and so on), plus ADMIN$ for the Windows folder. These shares exist so that administrators and management tools can reach a server's whole file system over the network without anyone creating shares by hand. If you don't administer your servers that way, it's a redundancy you don't need! The administrative shares are disabled by adding a DWORD value named AutoShareServer to the following Registry key:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters
A value of 0 turns administrative shares off, and a value of 1 (or deleting the value) turns them back on. The setting is read when the Server service starts, so restart that service or reboot for it to take effect. IPC$ is not affected: Windows always creates it because remote procedure calls over SMB depend on it. Consult Microsoft TechNet for more info about disabling administrative shares.
A hidden share is just like any other share, except a dollar sign appears as the last character in its name. That suffix tells Windows to leave the share out of network browse lists (the Network folder in Explorer and the output of net view), but it is hiding, not protecting: anyone who knows or guesses the name can still connect, subject to the usual share and NTFS permissions. To see hidden shares on a server, open Computer Management, expand Shared Folders, and click Shares, or run net share at a command prompt. You can create your own hidden share just by adding a dollar sign to the end of the share name.
The problem with administrative shares is that they offer anyone holding administrator credentials unrestricted access to every file on a drive. If the username and password of an administrator account ever get compromised, the attacker can map C$ on any server on the network and read or change whatever he likes. Turning the administrative shares off is a reasonable precaution, but understand what it buys you: an intruder who already has administrator rights can simply set AutoShareServer back to 1 or create a share of his own, and remote-management tools and backup agents that depend on ADMIN$ or C$ stop working. So find out what relies on these shares before you disable them, and treat protecting administrator passwords as the real control.
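Here is the whole procedure as it looks typed into an elevated PowerShell prompt on the server. This is an added example, not code from the book: it uses the Registry key and value name given above, the standard name of the Server service (LanmanServer), and the Win32_Share WMI class to list what is actually shared before and after the change.

```powershell
# Added example: disable the automatic administrative shares and verify.
# Run in an elevated PowerShell prompt on the server itself.
$params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-AutoShareServer {
    # Returns the current AutoShareServer value, or 'absent' when the value
    # does not exist (absent means the default: the shares are created).
    $item = Get-ItemProperty -Path $params -Name AutoShareServer -ErrorAction SilentlyContinue
    if ($item -eq $null) { return 'absent' }
    return $item.AutoShareServer
}

function Get-AdminShares {
    # Lists the shares AutoShareServer controls: drive shares such as C$ and
    # D$, plus ADMIN$. IPC$ is left out on purpose; Windows always creates it
    # because RPC over SMB depends on it, and this setting does not touch it.
    Get-WmiObject Win32_Share |
        Where-Object { $_.Name -match '^[A-Z]\$$' -or $_.Name -eq 'ADMIN$' } |
        Select-Object -ExpandProperty Name
}

Write-Host "AutoShareServer before: $(Get-AutoShareServer)"
Write-Host "Admin shares before:    $(@(Get-AdminShares) -join ', ')"

# 0 = do not create the drive shares and ADMIN$ when the Server service
# starts. Setting the value to 1, or deleting it, restores the default.
Set-ItemProperty -Path $params -Name AutoShareServer -Value 0 -Type DWord

# The value is read only when the Server service starts. Restarting the
# service drops every SMB session on this host (and restarts services that
# depend on it), so do this in a maintenance window. A reboot works too.
Restart-Service -Name LanmanServer -Force

Write-Host "AutoShareServer after:  $(Get-AutoShareServer)"
Write-Host "Admin shares after:     $(@(Get-AdminShares) -join ', ')"
```

After the restart the second share list should be empty. Running net share at a command prompt on the server gives the same picture, because net share lists hidden shares as well as visible ones.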
Decoy accounts
Everyone knows the name of the most important user account on your system. Because Setup creates the Administrator account on every Windows Server 2008 installation, everyone already knows that you have such an account and exactly what its name is. Therefore, you must change it!
Don't just change the name. Go one better and create a new dummy account with absolutely no access or privileges (a member of no groups, with a long random password that nobody uses) and name it Administrator. This dummy account can serve as a decoy to lure hackers away from real access, and because nobody legitimately logs on with it, any failed logon against it is worth a look if you audit logon failures. Bear in mind that the rename is a speed bump, not a wall: the built-in account keeps its well-known security identifier (the one ending in -500), so an attacker who can enumerate accounts can still pick out the real one. Creating decoys for other well-known names, such as the Guest account, is also a good idea. (IIS 7 on Windows Server 2008 no longer creates an IUSR_computername user account, so an IUSR decoy matters only on servers still carrying one from an earlier IIS version.)
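The rename-and-decoy procedure in PowerShell, run elevated on the server. This is an added example rather than the book's own text; the new name SrvAdmin-Real is a placeholder to replace with your own, and the script relies on the Win32_UserAccount WMI class (whose Rename method returns 0 on success) and the ADSI WinNT provider for local account management, both of which are present on Windows Server 2008.

```powershell
# Added example: rename the built-in Administrator account and put a
# privilege-less decoy in its place. Run elevated on the server.
# 'SrvAdmin-Real' is a placeholder name; choose your own.
$newAdminName = 'SrvAdmin-Real'
$computer = [ADSI]"WinNT://$env:COMPUTERNAME"

function Get-BuiltinAdministrator {
    # Locate the real built-in account by SID, never by name: its relative
    # ID is always 500, and renaming the account does not change that.
    Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '-500$' }
}

function New-RandomPassword {
    # 32 bytes from the CSPRNG, base64-encoded. Nobody needs to know this.
    $bytes = New-Object byte[] 32
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    return [Convert]::ToBase64String($bytes)
}

function Get-LocalGroupNames($user) {
    # Names of the local groups an ADSI WinNT user object belongs to.
    $user.Groups() | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Step 1: rename the real account (skipped if it was renamed already).
$builtin = Get-BuiltinAdministrator
if ($builtin.Name -eq 'Administrator') {
    $rc = $builtin.Rename($newAdminName).ReturnValue
    if ($rc -ne 0) { throw "Rename failed, return code $rc" }
}

# Step 2: create the decoy with the name everyone expects.
$decoy = $computer.Create('user', 'Administrator')
$decoy.SetPassword((New-RandomPassword))
$decoy.Put('Description', 'Decoy account - do not use')
$decoy.SetInfo()

# Step 3: strip group membership. Depending on how the account was created,
# Windows may have placed it in the local Users group; remove every
# membership so the decoy holds no group-derived rights at all.
$decoy = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
foreach ($g in @(Get-LocalGroupNames $decoy)) {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$g,group"
    $group.Remove($decoy.Path)
}

# Step 4: show the result, re-reading both accounts from the system.
$real  = Get-BuiltinAdministrator
$decoy = [ADSI]"WinNT://$env:COMPUTERNAME/Administrator,user"
Write-Host "Built-in (RID 500) account is now named: $($real.Name)"
Write-Host "Decoy 'Administrator' group membership:  $(@(Get-LocalGroupNames $decoy) -join ', ')"
```

The script finds the real account by its SID rather than its name for the same reason an attacker would: the -500 suffix survives any rename. That is exactly why the decoy only helps against people who guess names instead of enumerating them.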
Last logged on username
By default, when Ctrl+Alt+Delete is pressed, the logon dialog box displays the username of the last person to log on successfully. That hands an intruder half of a valid credential for free. To keep the name off the screen (the dialog box itself still appears), enable the security option Interactive logon: Do not display last user name. This option appears in the Security Options area of Group Policy (Computer Configuration, Windows Settings, Security Settings, Local Policies, Security Options). (See the "User rights" section for details on finding this area.)
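The same setting applied from an elevated PowerShell prompt, followed by a quick audit of the three items on this page. This is an added example, not from the book. It writes the Registry value that the Group Policy setting itself writes (DontDisplayLastUserName under the Policies\System key); on a domain member, set the option in a GPO instead, because the next policy refresh overwrites a local change.

```powershell
# Added example: hide the last user name on the logon screen and audit the
# hardening items from this section. Run elevated on the server.
$policyKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
$lanman    = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-DwordValue($path, $name) {
    # Returns the DWORD stored at $path\$name, or $null if it is absent.
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

function Set-DoNotDisplayLastUserName {
    # Same effect as enabling "Interactive logon: Do not display last user
    # name" in Local Security Policy; takes effect at the next logon prompt.
    if (-not (Test-Path $policyKey)) { New-Item -Path $policyKey -Force | Out-Null }
    Set-ItemProperty -Path $policyKey -Name DontDisplayLastUserName -Value 1 -Type DWord
}

function Test-Hardening {
    # One entry per item; $true means the advice on this page is in place.
    $results = @{}
    $results['LastUserNameHidden']   = (Get-DwordValue $policyKey 'DontDisplayLastUserName') -eq 1
    $results['AdminSharesOff']       = (Get-DwordValue $lanman 'AutoShareServer') -eq 0
    # The built-in administrator is the local account whose SID ends in -500,
    # whatever it is currently called.
    $rid500 = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
        Where-Object { $_.SID -match '-500$' }
    $results['AdministratorRenamed'] = ($rid500.Name -ne 'Administrator')
    return $results
}

Set-DoNotDisplayLastUserName

$audit = Test-Hardening
foreach ($name in ($audit.Keys | Sort-Object)) {
    $state = if ($audit[$name]) { 'OK' } else { 'NOT SET' }
    Write-Host ("{0,-22} {1}" -f $name, $state)
}
```

Run the audit part on its own from time to time: a policy refresh, a rebuild from an old image, or a colleague "fixing" a broken backup job can quietly undo any of these three.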
When good floppies go bad
A nifty tool called NTFSDOS v3.02 (which you can find by searching your favorite search engine) enables anyone to read NTFS files after booting from a DOS floppy. (The utility was a Winternals product; Microsoft acquired Winternals in 2006, discontinued NTFSDOS, and removed all traces of it from its site.) The NTFSDOS drivers make possible what Microsoft once claimed was impossible: anyone with physical access to your system can reboot with a floppy and copy files right from NTFS-protected drives, because NTFS permissions are enforced by the running Windows kernel and mean nothing to another operating system reading the disk directly. If you value your data (and your job), remove floppy drives from critical systems. Then go further, because a bootable CD, a USB stick, or a network boot does the same job: lock the boot order and set a password in the BIOS, keep servers behind a locked door, and consider BitLocker Drive Encryption, an optional feature of Windows Server 2008, so that data copied offline is unreadable.