Rules to Better Networks

Networks are the lifeblood of any business. This is why we have developed a few rules for better networks.

  1. Do you have a server reboot/restart policy?

    If your servers are down, or have to go down during business hours, notify the users at least 15 minutes beforehand so you do not get 101 people all asking you whether the computer is down.

    For short outages (under 15 minutes) that affect only a few people (under 5), or that fall outside business hours, IM is the best method. If you use Teams or Skype, a quick message will do.

    Note: If they are not online on Teams or Skype, then they can't complain that they were not warned.

    For extended or planned outages, or if you have a larger number of users (50+), email is the suggested method.

    Email

    If you send an email, it is a good idea to tell users a way to monitor the network themselves, e.g. software such as SCOM or WhatsUp Gold.

    Include a "To myself" section. It gives visibility to others who are interested in what needs to be done to fix the problem, and makes it easier to remember to send the 'done' email, e.g. "Done - CRM is alive again".

    Example:

    To: SSWALL

    Hi All,

    Here is the summary of the outage plan:

    Planned/Unplanned: Planned
    Change Description: Install Windows Updates and Restart Server
    Risk (see table below): LOW RISK (LOW Probability and MEDIUM Impact)
    Reason For Change: Windows Server 2016 Windows Updates
    Uptime over last month: 91.361%

    Planned Outage (mins): 150
    Planned Start Time: 26 October 9:00 PM
    Planned Finish Time: 26 October 11:30 PM
    Affected Services: \\Windows Server 2016
    http://sharepoint.ssw.com.au
    http://intranet.ssw.com.au
    http://projects.ssw.com.au


    Risk Lookup Table by Probability and Impact:

    Impact \ Probability   Low           Medium        High          Unknown
    Low                    Low Risk      Low Risk      Low Risk      Medium Risk
    Medium                 Low Risk      Medium Risk   Medium Risk   High Risk
    High                   Medium Risk   High Risk     High Risk     High Risk
    Unknown                Medium Risk   High Risk     High Risk     High Risk

    Figure: Clearly showing the potential risks

    Note: The following servers will be affected

    rule-outage-1.jpg
    http://wug.ssw.com.au/

    rule-outage-2.jpg

    To myself,

    To show others who are interested in what needs to be done to fix the problem:
    Detailed Change Plan:
    1) Lockout users via IIS
    2) Backup server
    3) Install Windows Updates 
    4) Reboot server
    5) Follow test plan
    6) Based on result of test plan, follow backout plan if procedure failed
    7) Procedure completed

    Test Plan:
    1) Check Event log for errors
    2) Check each affected service is running
    3) Call test users to start "Test Please" on the affected services
    4) Get result of user “Test Please” by email by 11:15 PM

    Backout Plan:
    1) Restore server from backup

    Note: This is as per the rule "Do you have a server reboot/restart policy?"

    Immediately before the scheduled downtime, check for logged in users, file access, and database connections.

    Users

    Open 'Windows Task Manager' (Run > taskmgr) and select the 'Users' tab. Check with the users who have active sessions, then have them log off.

    rule-outage-3.gif
    Figure: Connected users can be viewed in Task Manager

    Files

    Open 'Computer Management' (Run > compmgmt.msc), then 'System Tools > Shared Folders'. Check 'Session' and 'Open Files' for user connections.

    rule-outage-4.gif
    Figure: Computer Management 'Open Files' View

    Database

    Open SQL Server Management Studio on the server. Connect to the local SQL Server. Right-click the server node (or expand 'Management') and open 'Activity Monitor' to see who is still connected.

    rule-outage-5.gif
    Figure: SQL Management Studio 'Active Connections' View

    Once these have been checked for active users, and users have logged off, maintenance can be carried out.

    Restarts should only be performed during the following time periods

    1. Between 7am and 7:05am
    2. Between 1pm and 1:05pm
    3. Between 7pm and 7:05pm

    If a scheduled shutdown is required, use the PsShutdown utility from Microsoft's Sysinternals page. It can give users a countdown message and lets them abort the restart if they still need the server.

    Always reply 'Done' when you finish the task.
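    As an added example (not the SSW page's own script), here is the pre-downtime check above done from PowerShell, followed by a warned, cancellable restart. It assumes it runs elevated on the server being restarted, that the SqlServer module (Invoke-Sqlcmd) is installed, that psshutdown.exe is on the PATH, and that the SQL instance is the default one on the host; adjust those for your server.

```powershell
# Added example, not from the SSW rule. Run elevated on the server you intend to restart.
# Assumptions: SqlServer module installed (Invoke-Sqlcmd), psshutdown.exe on the PATH,
# default SQL instance on this host.
param(
    [string]$SqlInstance    = '.',    # assumption: default instance on the local server
    [int]   $WarningSeconds = 900     # 15 minutes, as the rule requires
)

function Get-InteractiveSessions {
    # Same list as Task Manager > Users. quser writes an error (not output) when nobody is logged on.
    @(quser 2>$null | Select-Object -Skip 1) | ForEach-Object { $_.Trim() -replace '^>', '' }
}

function Get-OpenShareFiles {
    # Same list as Computer Management > Shared Folders > Open Files
    Get-SmbOpenFile | Select-Object ClientUserName, ClientComputerName, Path
}

function Get-SqlUserSessions {
    # Same list as SSMS Activity Monitor, minus system sessions and this script's own connection
    $q = 'SELECT session_id, login_name, host_name, program_name ' +
         'FROM sys.dm_exec_sessions WHERE is_user_process = 1 AND session_id <> @@SPID'
    Invoke-Sqlcmd -ServerInstance $SqlInstance -Query $q -ErrorAction Stop
}

# Collect everything that would be cut off by a restart. Pipelines that return nothing add nothing.
$blockers = @(
    Get-InteractiveSessions | ForEach-Object { "logged-on user: $_" }
    Get-OpenShareFiles      | ForEach-Object { "open file: $($_.Path) ($($_.ClientUserName) from $($_.ClientComputerName))" }
    Get-SqlUserSessions     | ForEach-Object { "SQL session $($_.session_id): $($_.login_name) from $($_.host_name) ($($_.program_name))" }
)

if ($blockers.Count -gt 0) {
    Write-Warning 'Not restarting - the server is still in use:'
    $blockers | ForEach-Object { Write-Warning "  $_" }
    exit 1
}

# Nobody is using the box. Warn anyone who can still see the message, then restart.
# -r reboot, -t delay in seconds, -m message, -c lets a logged-on user abort it (psshutdown -a).
$msg = "Planned restart for Windows Updates in $($WarningSeconds / 60) minutes. Save your work."
psshutdown.exe -accepteula -r -t $WarningSeconds -c -m $msg
if ($LASTEXITCODE -ne 0) { throw "psshutdown failed with exit code $LASTEXITCODE" }
```

    Run it from the change plan's step 1 ("Lockout users"): if it exits with code 1, the list it prints is exactly the people you need to call before going further.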

  2. Do you have a strict password security policy?

    We recommend enforcing strict password policies.

    Below is a capture of the settings we use:​​


    ADSecurityPolicy.png

    When passwords have to be changed they must meet the following minimum requirements:

    • Not contain all or part of the user's account name
    • Be at least six characters in length
    • Contain characters from three of the following four categories:
      • English uppercase characters (A through Z)
      • English lowercase characters (a through z)
      • Base 10 digits (0 through 9)
      • Non-alphanumeric characters (e.g., !, $, #, %)
    Remember it is always good to use an even number for password length ;) https://www.troyhunt.com/how-long-is-long-enough-minimum-password-lengths-by-the-worlds-top-sites/

    Complexity requirements are enforced when passwords are changed or created.

    Every 180 days users are required to change their password. They can change it when they:

    • Log in to their computer
    • Terminal Server (Remote Desktop) to another computer
    • Connect via VPN

    This allows remote users to change their password by making a VPN connection to the office.

    We also enforce a lockout policy so if a user gets their password wrong 5 times, their account will be locked out for 15 minutes.​

    If you want to change your password sooner, press [ctrl] [alt] [delete] then click "Change Password" button.
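    The settings in the capture above, applied with the ActiveDirectory module instead of the GUI, followed by a check that mirrors Windows' complexity rule so you can test a candidate password before a user is locked out. This is an added example, not the SSW page's own script; it assumes a domain-joined admin machine with RSAT, and the history count is an assumption the capture does not show.

```powershell
# Added example, not from the SSW rule. Requires RSAT (ActiveDirectory module) and domain admin rights.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DNSRoot

# The policy described in the rule: complexity on, 6 characters, 180-day expiry, 5 tries / 15 minutes.
$policy = @{
    Identity                 = $domain
    ComplexityEnabled        = $true
    MinPasswordLength        = 6                              # the value shown; longer is stronger
    MaxPasswordAge           = [TimeSpan]::FromDays(180)
    PasswordHistoryCount     = 24                             # assumption: not shown in the capture
    LockoutThreshold         = 5
    LockoutDuration          = [TimeSpan]::FromMinutes(15)
    LockoutObservationWindow = [TimeSpan]::FromMinutes(15)    # must not exceed LockoutDuration
}
Set-ADDefaultDomainPasswordPolicy @policy
Get-ADDefaultDomainPasswordPolicy -Identity $domain

function Test-PasswordComplexity {
    # Simplified version of the Windows rule: minimum length, not containing the account name
    # (Windows also checks display-name tokens longer than 2 characters), and 3 of the 4 categories.
    param(
        [Parameter(Mandatory)][string]$Password,
        [Parameter(Mandatory)][string]$AccountName,
        [int]$MinLength = 6
    )
    if ($Password.Length -lt $MinLength) { return $false }
    # -match is case-insensitive, as is the Windows check; names of 1-2 characters are ignored
    if ($AccountName.Length -ge 3 -and $Password -match [regex]::Escape($AccountName)) { return $false }

    $categories = 0
    if ($Password -cmatch '[A-Z]')        { $categories++ }   # uppercase (case-sensitive match)
    if ($Password -cmatch '[a-z]')        { $categories++ }   # lowercase
    if ($Password -match  '[0-9]')        { $categories++ }   # digits
    if ($Password -match  '[^A-Za-z0-9]') { $categories++ }   # anything else: !, $, #, %, space...
    return ($categories -ge 3)
}

Test-PasswordComplexity -Password 'summer2024'        -AccountName 'jsmith'   # False: two categories only
Test-PasswordComplexity -Password 'Jsmith!2024'       -AccountName 'jsmith'   # False: contains the account name
Test-PasswordComplexity -Password 'Wombat-Hurdle-41'  -AccountName 'jsmith'   # True
```

    The lockout observation window is set equal to the lockout duration because AD rejects a window longer than the duration; keep the threshold at 5 or more so that a few typos do not turn into a self-inflicted denial of service.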

  3. Do you have MFA (Multi Factor Authentication) enabled?

    Do you protect your users and administrator accounts with more than one authentication method?​

    What is Multi-Factor Authentication (MFA)?

    MFA is another layer of security for your users and administrators: in addition to the password, it requires a code or an approval from something the user possesses - a phone or a hardware key, for example - which makes it much harder for an attacker to take over an account.
    If they guess, phish or brute-force your password, they still need the second factor to get into your account.

    Generally, every time you log in to a service, it will ask for your normal password and an additional code. This code can come from an authenticator app (or a push notification to it), an SMS, or even a phone call to your mobile. Prefer the authenticator app or a hardware key where you can: SMS and voice codes can be intercepted through SIM-swap attacks, and none of these methods stop a user from approving a prompt they did not start, so tell users to report unexpected prompts.

    It is best practice to apply MFA to your administrators first, as their accounts are the most important in the company and have access to all resources, and then to your users, who still benefit from the added security.

  4. Do you have Password Writeback enabled?

    Do you have Password Writeback enabled in your Azure AD Connect?

    If you want to let your users reset their own, on-premises passwords directly from the cloud, you need to have Password Writeback enabled in Azure AD Connect!

    You can read more about Password Writeback from the Microsoft Documentation: https://docs.microsoft.com/en-us/azure/active-directory/authentication/howto-sspr-writeback

    When setting up Azure AD Connect, you need to set the "Password Writeback" option:

    enablepasswordwriteback.png 

    Good Example: Setting up Password Writeback in Azure AD Connect

  5. Do you have your UPS send an email when it kicks in?

    Of course, all your servers are on a UPS. (If not, they should be!) But how do you know that all the money you paid for the UPS was worth it? How many times has it saved your servers? How long do the batteries last before they go flat? Why was a server off when you came in in the morning?

    If you get your UPS to email you when an event occurs, you will have answers to these questions.
    The problem is that there is no uniform software that works with every UPS, as they all have their own format.
    All UPSs come with management software that can perform these actions. You just need to install it.

    We use an MGE UPS, so we use Personal Solution Pac, which allows you to run script files on events. We just call a script file which sends us an email.

    MGEUPSSettings.gif
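    An added example of the kind of script the UPS software can call (it is not SSW's script and not part of any UPS vendor's software). It assumes the management software passes the event name as the first argument, and the SMTP relay, addresses and log path are placeholders. Besides emailing, it keeps a history so that the questions above - how often the UPS kicked in and how long the batteries lasted - can actually be answered.

```powershell
# Added example, not from the SSW rule. Invoked by the UPS software as, e.g.:
#   powershell.exe -File C:\Scripts\UpsEvent.ps1 OnBattery
# Assumptions: event names OnBattery / OnMains / LowBattery; placeholder mail settings and paths.
param(
    [Parameter(Mandatory)][string]$Event,
    [string]$SmtpServer = 'smtp.example.internal',
    [string]$To         = 'sysadmins@example.com',
    [string]$LogFile    = 'C:\ProgramData\UPS\ups-events.csv'
)

$now = Get-Date
New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
if (-not (Test-Path $LogFile)) { 'Time,Event,Host' | Set-Content $LogFile }

# History first, so "how many times" and "how long" can be answered later
$history = @(Import-Csv $LogFile)
"$($now.ToString('o')),$Event,$env:COMPUTERNAME" | Add-Content $LogFile

$detail = ''
if ($Event -eq 'OnMains') {
    # Battery runtime = time since the most recent switch to battery
    $last = $history | Where-Object Event -eq 'OnBattery' | Select-Object -Last 1
    if ($last) {
        $mins   = [math]::Round(($now - [datetime]$last.Time).TotalMinutes, 1)
        $detail = "Ran on battery for $mins minutes."
    }
}
$onBatteryCount = @($history | Where-Object Event -eq 'OnBattery').Count + [int]($Event -eq 'OnBattery')

# Also record it in the Application log so the monitoring tool (e.g. WhatsUp Gold) and
# anyone reading the event log after an unexplained shutdown can see it.
if (-not [System.Diagnostics.EventLog]::SourceExists('UPS')) {
    New-EventLog -LogName Application -Source 'UPS'
}
Write-EventLog -LogName Application -Source 'UPS' -EventId 1000 -EntryType Warning `
    -Message "UPS event $Event on $env:COMPUTERNAME. $detail"

# Send-MailMessage is marked obsolete but still ships with Windows PowerShell; swap in your
# relay's API if you have one. Use a relay that accepts mail from this host without a stored password.
Send-MailMessage -SmtpServer $SmtpServer -To $To -From "ups@$env:COMPUTERNAME" `
    -Subject "UPS $Event on $env:COMPUTERNAME" `
    -Body ("Event: $Event`nTime: $now`n$detail`nOn-battery events recorded so far: $onBatteryCount")
```

    The CSV is the part worth keeping: a month of it tells you whether the batteries still deliver the runtime the spec sheet promised.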
  6. Do you keep your file servers clean?

    How often do you find files on your network file server that clearly shouldn't be there? Developers are notorious for creating temporary files and littering your file system with them. So how can you identify exactly who created or modified the file, and when?​

    networkauditing_00.gif
    Figure: Who created this file?
    networkauditing_06.gif
    Figure: Terminal into your file server using Terminal Services
    networkauditing_07.gif
    Figure: It was Jatin!

    The easiest way is to configure Windows file auditing.

    Thankfully, Windows XP and Windows Server come with built-in file auditing. Any create, change or delete can be logged to your Security event log. Here's how to set it up.

    How to implement auditing on your file server

    1. Remote Desktop (Terminal Server) into the file server
    2. In Windows Explorer, locate the directory you want to configure logging for (e.g. C:\Inetpub\wwwroot for logging changes to your website files)
    3. Select Security tab | Advanced
      networkauditing_01.gif
      Figure: Select the folder you want to configure auditing for
    4. Click the Auditing tab
    5. Select the users whose usage you want to monitor (usually all users, so select Everyone)
      networkauditing_02.gif
      Figure: Select Everyone so that anyone who modifies any of the files will be logged
    6. Select what you want to monitor. For best performance, we only tick the options shown in the figure below - there's no need to log when someone opens a file.
      networkauditing_03.gif
      Figure: Select these 4 options (only audit the events you need to audit - there's no need to log when someone opens a file)
    7. Click OK and OK again to apply the changes. The process may take some time depending on the number of subfolders and files selected.
      Note: the folder's audit entries only produce events if object access auditing is turned on for the server (Local Security Policy | Audit Policy | Audit object access, or the "File System" subcategory under Advanced Audit Policy Configuration). Check this first if no events appear.
      Now you need to configure the Security event log.
    8. Open Control Panel | Administrative Tools | Event Viewer
    9. Right-click the Security node and select Properties
    10. Make sure "Overwrite events as needed" is checked and set a sensible maximum log size
      networkauditing_04.gif
      Figure: Keep your log file to about 250MB - otherwise, your system performance may suffer

    Checking who created the file

    Now test to see if auditing is working.

    1. On the server, create a file called "test.aspx" somewhere in the path that is being audited
    2. Open Control Panel->Administrative Tools->Event Viewer
    3. Select the Security node, and notice the entries that have been created. They will have a similar format to the figure below.
      networkauditing_05.gif
      Figure: Any creates, deletes and updates now get logged to the Event Log

    That's all! It is also great for finding out who accidentally deleted files from the file system.
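    The same setup done from an elevated PowerShell prompt, including the audit-policy step the GUI walkthrough takes for granted, and the check at the end. This is an added example rather than the page's own procedure; the folder path is the one the steps use and everything runs as a local administrator on the file server.

```powershell
# Added example, not from the SSW rule. Run as a local administrator on the file server.
$Folder = 'C:\Inetpub\wwwroot'   # the folder from the walkthrough; change to suit

# 1. A folder SACL does nothing unless object-access auditing is on. Fresh servers usually have it off.
auditpol /set /subcategory:"File System" /success:enable /failure:enable | Out-Null

# 2. Audit create/modify/delete by Everyone, inherited by subfolders and files.
#    No ReadData, so opening a file is not logged - the same four ticks as in the figure.
$acl  = Get-Acl -Path $Folder -Audit
$rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
    'Everyone',
    'CreateFiles, CreateDirectories, Delete, DeleteSubdirectoriesAndFiles',
    'ContainerInherit, ObjectInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path $Folder -AclObject $acl

# 3. Cap the Security log at about 250 MB and overwrite as needed (/rt:false)
wevtutil sl Security /ms:262144000 /rt:false

# 4. Create the test file, then ask the Security log who touched what
New-Item -Path (Join-Path $Folder 'test.aspx') -ItemType File -Force | Out-Null

function Get-FileChanges {
    # Event 4663 = "an attempt was made to access an object"; one per granted access on a handle
    param([string]$Path, [int]$Minutes = 10)
    $filter = @{ LogName = 'Security'; Id = 4663; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # The useful fields live in the event's XML as <Data Name="...">value</Data>
        $d = @{}
        foreach ($x in ([xml]$_.ToXml()).Event.EventData.Data) { $d[$x.Name] = $x.'#text' }
        [pscustomobject]@{
            Time   = $_.TimeCreated
            User   = "$($d['SubjectDomainName'])\$($d['SubjectUserName'])"
            Object = $d['ObjectName']
            Access = $d['AccessMask']   # 0x2 WriteData, 0x4 AppendData, 0x10000 DELETE
        }
    } | Where-Object { $_.Object -like "$Path*" }
}

Get-FileChanges -Path $Folder | Format-Table -AutoSize
```

    The Access column is the raw mask; filter on 0x10000 when you are chasing who deleted something, and on 0x2 or 0x4 for who changed it.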

    Furthermore, we can dump the event log to an Access or SQL Server database to make it easier to handle. Here is how to do it:

    • Download the scripts: one for Access database and the other for SQL Server.
    • Find and change the strEventDBConn variable to your connection string, also, modify strEventDB and tblEvents variable to your database name and table name.
    • Write down the names of the servers to monitor in EventHosts.txt.

    Done, now you need only double-click to start it.

    EventLogger.gif
    Figure: Caught an action on remote server and logged it to database

    This script is originally from http://pubs.logicalexpressions.com/pub0009/LPMArticle.asp?ID=340.​​

  7. Do you keep your network hardware reliable?

    When purchasing new network hardware you should always choose the most reliable option. ​​

    ​​​​At SSW we have discovered that:​​

    1. Ubiquiti is the best. Its software is best in class and helps our SysAdmins manage the Wi-Fi networks much more easily, even across many sites and countries. Its UniFi access points are easy to install and manage, and can be upgraded and provisioned at the touch of a button.
      ​​UAP-AC-LITE.jpg
    2. Linksys is the second best. ​Google Answers helped in our decision - Linksys is the safer choice based on user ratings. http://answers.google.com/answers/threadview?id=2588
      LinkSys
    3. Netgear is OK. The hardware works, the drivers work, and the support is excellent. 
      However, they tend to be “simple" devices. They generally lack advanced features and are aimed more at the home user market. Netgear

    4. D-Link is NOT recommended. We will never buy this brand again.
      They tend not to last longer than the warranty period
      DLink


  8. Do you know the pros and cons of joining the domain?

    Do you know if your computer should be joined to the domain or not?

    Joining your company's domain is a trade-off. If you join the domain, the company is the one responsible for managing your device, so all company rules and policies will be applied to it (Windows Update frequency, users, password resets, etc) and you will need to go through your SysAdmins if you have troubles with it.

    If you choose to not join the domain, the machine management is all yours, giving you more freedom on the machine, but any automatic scripts would need to be done manually.

    Below are some pros and cons of joining the domain:

    Machine Management
      Pro (+): Client management through GPOs (Group Policy Objects)
      Con (-): Lack of autonomy

    Resource Access
      Pro (+): Direct access to resources (e.g. fileserver)
      Con (-): Needs to sign in first, or be attached to a VPN or the network, to access resources

    Automatic Scripts
      Pro (+): GPOs apply automatic scripts like the Login Script and Backup Scripts
      Con (-): Need to run Login and Backup scripts manually

    Support Level
      Pro (+): More support from your SysAdmins; you have someone to rely on for troubleshooting all computer applications
      Con (-): Less support from SysAdmins; you can run any obscure application on your computer, but it may not be supported by your company




  9. Do you know the right notification for backups?

    You need to log a record on success so you can check for backups that have failed. An email sent on completion only tells you about the backups that ran: a backup that never started sends nothing, and a missing email is easy to overlook. A record in a table can be queried for what is absent.
    backup_notification_bad.jpg
    Figure: Bad example - an email is sent on completion
    backup_notification_good.jpg
    Figure: Good example - a record is logged on completion

    Now you are able to be aware of missing backups. You can generate notifications automatically from that table, e.g. with a SQL Reporting Services data-driven subscription.
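    An added example (not SSW's own table or report) of the logging side and the query side of this rule: a table that backup jobs write to on success only, a function a backup script calls as its last step, and the query that finds the servers with no success record in the last day. It assumes a SQL Server reachable with the SqlServer module; instance, database, mail and server names are placeholders.

```powershell
# Added example, not from the SSW rule. Assumes the SqlServer module (Invoke-Sqlcmd) and
# a monitoring database; every name below is a placeholder.
$Instance = 'sqlmonitor'
$Database = 'SysAdmin'

# One-off: the log table and the list of backups you EXPECT to see
$createTables = @"
IF OBJECT_ID('dbo.BackupLog') IS NULL
CREATE TABLE dbo.BackupLog (
    BackupLogId int IDENTITY PRIMARY KEY,
    ServerName  sysname   NOT NULL,
    JobName     sysname   NOT NULL,
    CompletedAt datetime2 NOT NULL DEFAULT SYSUTCDATETIME(),
    SizeMB      int       NULL
);
IF OBJECT_ID('dbo.BackupServers') IS NULL
CREATE TABLE dbo.BackupServers (ServerName sysname NOT NULL, JobName sysname NOT NULL,
                                PRIMARY KEY (ServerName, JobName));
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $createTables

function Write-BackupSuccess {
    # Called as the LAST step of a backup script, after the backup file has been verified to exist.
    # A record here means "a backup exists", never "the script finished".
    param([Parameter(Mandatory)][string]$Job, [Parameter(Mandatory)][string]$File)
    if (-not (Test-Path $File)) { throw "Backup file $File is missing - not logging success" }
    $mb  = [int]((Get-Item $File).Length / 1MB)
    $job = $Job -replace "'", "''"   # job names come from your own scripts, but quote them anyway
    $q   = "INSERT dbo.BackupLog (ServerName, JobName, SizeMB) VALUES (HOST_NAME(), '$job', $mb)"
    Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $q
}

# The check that email-on-completion cannot do: which expected backups have NOT succeeded?
# 25 hours rather than 24 gives a daily job some slack before it counts as missing.
$missingQuery = @"
SELECT s.ServerName, s.JobName, MAX(l.CompletedAt) AS LastSuccess
FROM dbo.BackupServers s
LEFT JOIN dbo.BackupLog l ON l.ServerName = s.ServerName AND l.JobName = s.JobName
GROUP BY s.ServerName, s.JobName
HAVING MAX(l.CompletedAt) IS NULL OR MAX(l.CompletedAt) < DATEADD(hour, -25, SYSUTCDATETIME());
"@
$late = @(Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $missingQuery)

if ($late.Count -gt 0) {
    # This is the query to put behind a Reporting Services data-driven subscription; mailing it
    # directly from a scheduled task works just as well.
    $body = ($late | ForEach-Object { "$($_.ServerName) / $($_.JobName): last success $($_.LastSuccess)" }) -join "`n"
    Send-MailMessage -SmtpServer 'smtp.example.internal' -From 'backups@example.com' `
        -To 'sysadmins@example.com' -Subject "Missing backups: $($late.Count)" -Body $body
}
```

    Note that the alert is driven by dbo.BackupServers, the list of what should exist, not by what happened to log itself; a server nobody added to that list is also a gap worth reviewing.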

    ​​
  10. Do you monitor the uptimes of all your servers daily?

    It is important that the network administrator can easily find out how reliable their servers are. This can be achieved using tools like WhatsUp Gold to monitor uptime and SQL Reporting Services to create a report showing server uptime.

    Here is a report that we use to monitor our servers on a daily basis:

    ​​​​​NW_Uptime_1.jpg
    Figure: Good example - We can easily see the uptime of all our servers
  11. Do you secure your wireless connection?

    Wireless networks are everywhere now. You can't drive down the street without finding a network which is insecure. However, in an office environment, there is a lot more to lose than a bit of bandwidth. It is vital that wireless is kept secure.​

    WEP, not broadcasting the SSID and MAC address allow-lists are commonly seen, but they are home-grade measures at best: WEP is cryptographically broken and can be cracked in minutes, a hidden SSID is revealed by any client that probes for it, and MAC addresses are trivially sniffed and spoofed.

    Figure: Bad example - the above settings are not suitable for a company's wireless access point

    For the office, you need something a bit more robust and not requiring much management overhead.

    It is recommended to use RADIUS authentication (802.1X / WPA2-Enterprise) that integrates with your Active Directory.

    Figure: Good example - configure your wireless access point to authenticate against AD

    This article explains how to set up your wireless AP to use WPA2-Enterprise. WPA2-Enterprise verifies network users (AD accounts) through a RADIUS server (NPS) backed by your domain controllers.

    The recommended method of authentication is PEAP (Protected Extensible Authentication Protocol), which authenticates wireless LAN clients using only a server-side digital certificate (in our case issued by an AD CA) by creating an encrypted TLS tunnel between the client and the authentication server. The tunnel then protects the subsequent user authentication exchange, which is why the clients must be configured to validate that certificate: a client that skips validation will happily send its credentials to a rogue access point advertising the same SSID.

    Requirements:

    • 802.1X-capable 802.11 wireless access points (APs)
    • Active Directory with group policy
    • Network Policy Server (NPS) servers
    • Active Directory Certificate Services based PKI for Server certificates for NPS computer/s and your wireless PC's

    Assumptions:

    This document assumes you have some knowledge of how to configure your wireless access points and install server roles. It also assumes that you have already configured an Enterprise Certificate Authority on your Active Directory Domain.

    1. Configure your wireless access points

      At SSW we use Cisco (Linksys) EA4500 Series access points. I have configured these access points to:

      Cisco Linksys EA4500 Series
      Figure: EA4500 wireless router
      1. Broadcast the SSID
      2. Use the AES-CCMP cipher for encryption
      3. Use WPA2 (mandatory)
      4. Use the native VLAN
      5. Configure a shared secret that you will use with the NPS RADIUS server

      Recommended: WPA2-Enterprise (EAP) with AES as your encryption cipher.

    2. Install NPS on your server

      On Windows Server 2008 or 2008 R2 open Server Manager and add the "Network Policy and Access Services" role.

      Under role services add:

      • Network Policy Server
      • Routing and Remote Access Services
    3. Configure RADIUS clients on NPS

      Open the NPS console. Right-click "RADIUS Clients", then click "New".

      Fill out the fields for Friendly Name (the name of the wireless access point), Address (IP address) and the shared secret you configured on your access point. Keep the secret safe (we use KeePass as a password repository) and use a different, long, random one per access point: any device that presents the right secret from that address is trusted by NPS as a RADIUS client.

      Radius client settings
      Figure: Radius client settings
    4. Configure 802.1X on the NPS server

      In the NPS server's Server Manager, open "Roles", then "Network Policy and Access Services", then click NPS (Local).

      In the right-hand pane under Standard Configuration choose "RADIUS Server for 802.1X Wireless or Wired Connections", and then click "Configure 802.1X" to start the wizard-based configuration.

      1. Select the top radio button "Secure Wireless Connections" and click Next
      2. On the Specify 802.1X Switches page, check that the APs you configured under RADIUS Clients are in the list, then click Next
      3. Now the authentication method. From the drop-down list select Protected EAP (PEAP)
        NOTE: PEAP requires a computer certificate on the RADIUS (NPS) server, issued by a CA the clients trust. A certificate on the client is only needed if you pick a certificate-based inner method (smart card or other certificate, i.e. EAP-TLS); with PEAP-MSCHAPv2 the clients authenticate with their domain credentials inside the TLS tunnel
      4. Select the groups (e.g. Domain\WirelessAccess) you would like to give wireless access to. You can do this by user, by computer, or both
      5. The next step lets you configure VLANs if you need them; it wasn't required in my case, so I used the defaults
      6. You then need to register the server with Active Directory, so that NPS can read users' dial-in properties and group membership. Right-click NPS (Local) and select "Register server in Active Directory"
      7. How to register NAP server with AD
        Figure: How to register NAP server with AD

      You should now have a Connection Request Policy and a Network Policy. Remove the MS-CHAP v1 authentication method from the Network Policy (on the Constraints tab): MS-CHAP v1 is weak and no current Windows client needs it.

    5. Configure certificate auto-enrolment

      First open Group Policy Management.

      1. Create a new GPO and name it "Cert_Enrollment_Wireless" or whatever name you deem suitable, and link it to the root of the domain or to a specific OU depending on your needs and OU structure
      2. Under Security Filtering (the scope of what the policy gets applied to) remove "Authenticated Users" and add the AD group(s) you created. This ensures that the policy, once configured, is applied only to members of those groups. Since the MS16-072 update, computers read group policy with their own identity, so also give "Domain Computers" (or "Authenticated Users") Read permission - not Apply - on the GPO's Delegation tab, or the policy will silently fail to apply
      3. Edit the settings of the group policy and go to:
        1. Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies
        2. In the details pane, you need to right-click the Certificate Services Client – Auto-enrolment and then select properties.

          In the Properties, dialog box select enabled from the drop down box and then place a tick in all the remaining tick boxes. This makes sure that the computer auto-enrolls for a certificate from AD CA.

        3. Now navigate to Computer Configuration\Policies\Windows Settings\Security Settings\Public Key Policies\Automatic Certificate Request Settings
        4. Right-click in the details pane and select New | Automatic Certificate Request.

          This will open up a wizard and you can select a Computer Certificate.

          Group policy settings
          Figure: Group policy settings
    6. Creating a Vista (or XP) Wireless 802.1X GPO policy (the Vista policy also works with Windows 7 and 8)
      1. Now go to Computer Configuration\Policies\Windows Settings\Security Settings\Wireless Network (IEEE 802.11) Policies
      2. Right-click and create a new policy for Windows Vista and later (if you only have XP machines, do only an XP one). If you have Vista machines you must do a Vista policy, or else Vista will try to use the XP policy (not recommended).

      3. Enter a Policy Name (e.g. Beijing_Wifi_Settings) and description and link to the root of the domain.
      4. GP link and scope settings
        Figure: GP link and scope settings
      5. Click "Add" and then enter a Profile Name and then Add the SSID name from the Wireless Access Point/s. Make sure the tick box "Connect Automatically when this network is in range" is ticked...
      6. Click on the Security Tab
      7. Make sure Authentication is "WPA2-Enterprise" and Encryption is "AES".

        Under "Select a network authentication method", choose "Microsoft: Protected EAP (PEAP)".

        Under Authentication Mode, choose whether you want to authenticate computers and/or users. Then select "Computer Authentication".

      8. Click on the "Properties" button
      9. Tick "Validate server certificate" and then tick "Connect to these servers". Enter the FQDN of the NPS.

        Then under Trusted Root Certification Authorities, tick your root CA certificate. Then click OK. These settings are what stop a client from handing its credentials to an impersonating access point: it will only complete PEAP with a server whose certificate name and issuing CA match what you listed here.

        Connection security settings
        Figure: Connection security settings
      10. Click OK twice.
      11. Optional: Under Network Permission tab you can use the tick boxes to restrict clients to infrastructure networks or only GPO profiled allowed networks if you desire.

      12. Click OK and you have completed your Vista Wireless Policy
      13. Wifi_Settings settings
        Figure: Wifi_Settings settings
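    Step 3 above (registering each access point as a RADIUS client) done from PowerShell on the NPS server, with a generated shared secret instead of a typed one. This is an added example, not part of the original article; the access point name and address and the export path are placeholders, and it assumes the NPS module that ships with the role.

```powershell
# Added example, not from the SSW article. Run on the NPS server as an administrator.
# Assumptions: NPS role installed (NPS module); AP name/address and export path are placeholders.
Import-Module NPS

function New-SharedSecret {
    # 24 random bytes as 48 hex characters. The RADIUS shared secret is the only thing that
    # stops an attacker on the wired network from talking to NPS as if it were an AP, so
    # generate it rather than inventing it, and use a different one per access point.
    # Hex is used rather than base64 because some AP firmware rejects '+' and '/' in the secret.
    param([int]$Bytes = 24)
    $b = New-Object byte[] $Bytes
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($b)
    -join ($b | ForEach-Object { $_.ToString('x2') })
}

$ap     = @{ Name = 'AP-Level3-West'; Address = '10.0.20.11' }   # placeholders
$secret = New-SharedSecret

New-NpsRadiusClient -Name $ap.Name -Address $ap.Address -SharedSecret $secret | Out-Null
Get-NpsRadiusClient | Select-Object Name, Address, Enabled

# Show the secret once so it can be entered on the AP and stored in KeePass; never write it to a log
Write-Host "Shared secret for $($ap.Name) (enter on the AP and save in KeePass): $secret"

# Keep a backup of the NPS configuration after every change. The export contains the shared
# secrets in clear text, so store it as carefully as the KeePass database itself.
Export-NpsConfiguration -Path 'C:\Admin\nps-config.xml'
```

    Re-running the same script for a second access point gives it its own secret; if an AP is ever stolen or replaced, Remove-NpsRadiusClient -Name with its name revokes that secret alone.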
  12. Do you use service accounts?

    Do you use service accounts for recurring tasks and systems, or do you use user and personal accounts?


    As a rule, you should never use a user account for accessing systems, reports, tasks and other long-running applications that do not need human or user interaction to run.

    Service accounts provide a security context in which the application runs, decoupled from any person. If a user changes their password or leaves, nothing breaks, because the application never depended on their credentials. Service account passwords are usually set not to expire so that a routine password change can't take an application down unexpectedly, which is exactly why they must be long and random, kept in your password manager, granted only the rights the task needs, and either rotated on a schedule or, better, handled by a Group Managed Service Account (gMSA) so that Windows rotates them for you.

    Also, if a user account is compromised, the blast radius is smaller: that account was not being used to run any applications, so the attacker does not inherit the service's access.
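    A Group Managed Service Account set up end to end, as an added example (not the SSW page's own procedure): it gives the "service, not a person" separation the rule asks for without a password that anyone knows or that never changes. It assumes domain admin rights, domain controllers running Windows Server 2012 or later, and that SSW is the NetBIOS domain name; the account, group, host and job names are placeholders.

```powershell
# Added example, not from the SSW rule. Run as a Domain Admin; requires 2012+ DCs and RSAT.
# Assumptions: domain ssw.com.au / NetBIOS SSW; svc-reports, REPORTS01 and the job path are placeholders.
Import-Module ActiveDirectory

# One-off per forest: the KDS root key from which gMSA passwords are derived.
# A new key is normally usable 10 hours after creation (replication); back-dating it is for labs only.
if (-not (Get-KdsRootKey)) {
    Add-KdsRootKey -EffectiveTime ((Get-Date).AddHours(-10)) | Out-Null
}

# Only the hosts in this group can ever retrieve the password - that is the whole access control
New-ADGroup -Name 'gMSA-ReportServers' -GroupScope Global -GroupCategory Security -ErrorAction SilentlyContinue
Add-ADGroupMember -Identity 'gMSA-ReportServers' -Members (Get-ADComputer 'REPORTS01')

# The account itself: AES-only Kerberos, password rotated by the DCs every 30 days
New-ADServiceAccount -Name 'svc-reports' `
    -DNSHostName 'svc-reports.ssw.com.au' `
    -PrincipalsAllowedToRetrieveManagedPassword 'gMSA-ReportServers' `
    -ManagedPasswordIntervalInDays 30 `
    -KerberosEncryptionType AES256

# ---- on REPORTS01 (reboot, or 'klist purge -li 0x3e7', so the host's ticket includes the new group) ----
Install-ADServiceAccount -Identity 'svc-reports'
Test-ADServiceAccount    -Identity 'svc-reports'   # True once the host can fetch the password

# Run the recurring job as the gMSA. No password is typed or stored; LogonType Password tells
# the scheduler to obtain it from AD, which is the documented way to run tasks as a gMSA.
$action    = New-ScheduledTaskAction -Execute 'powershell.exe' -Argument '-File C:\Jobs\NightlyReport.ps1'
$trigger   = New-ScheduledTaskTrigger -Daily -At 2am
$principal = New-ScheduledTaskPrincipal -UserId 'SSW\svc-reports$' -LogonType Password
Register-ScheduledTask -TaskName 'Nightly Report' -Action $action -Trigger $trigger -Principal $principal
```

    Grant svc-reports only what the report needs (a database role, a share) and nothing interactive; if an attacker lands on REPORTS01 they can run as the account, but they cannot take its password anywhere else.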

  13. Do you use the Distributed File System for your file shares?

    ​Occasionally, one server and its drives will not have sufficient space to store all related files in a network share. For example, you may have a "SetupFiles" directory that stores all Setup executables on your network e.g. \\bee\SetupFiles. There are problems with this approach.
    1. You will run out of space - which means you will have to copy or move old (but still used) setup files around to other drives (\\bee\d$\SetupOld\ ) or other machines e.g. \\tuna\SetupFiles. This fragmentation of your setup files can cause confusion for your users.
    2. When you retire or rename the old server, links to the old server location will not work

    So how do you get around this problem? The answer is in the Distributed File System (DFS). Instead of having several server-specific file share locations, you can have a domain-wide setup location that offers a seamless experience to your users. DFS will even track a history of when and where file locations were moved.

    Network_DistributedFileSystem.gif
    Figure: The Distributed File System consolidates many separate file shares into one convenient location for your users
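    The SetupFiles scenario above built as a domain-based DFS namespace, as an added example (not SSW's own configuration). The servers bee and tuna are the ones from the text; the namespace name, local paths and the replacement server are placeholders, and it assumes the DFS Namespaces role on bee, the DFSN tools (RSAT) where the script runs, and the domain ssw.com.au.

```powershell
# Added example, not from the SSW rule. Requires the DFS Namespaces role on 'bee' and RSAT's
# DFSN module here. Namespace name, local paths and 'newserver' are placeholders.
Import-Module DFSN

# 1. The namespace root needs an (empty) share on the namespace server. For a domain-based
#    namespace the share name must match the namespace name, so keep the data share separate.
Invoke-Command -ComputerName bee -ScriptBlock {
    New-Item -ItemType Directory -Path 'D:\DFSRoots\Setup' -Force | Out-Null
    New-SmbShare -Name 'Setup' -Path 'D:\DFSRoots\Setup' -ReadAccess 'Everyone' -ErrorAction SilentlyContinue | Out-Null
}
New-DfsnRoot -Path '\\ssw.com.au\Setup' -TargetPath '\\bee\Setup' -Type DomainV2 | Out-Null
# Users only see the folders they have permission to open
Set-DfsnRoot -Path '\\ssw.com.au\Setup' -EnableAccessBasedEnumeration $true

# 2. Folders in the namespace point at wherever the data really lives.
#    Users only ever use \\ssw.com.au\Setup\..., never \\bee or \\tuna.
New-DfsnFolder -Path '\\ssw.com.au\Setup\Current' -TargetPath '\\bee\SetupFiles'  | Out-Null
New-DfsnFolder -Path '\\ssw.com.au\Setup\Archive' -TargetPath '\\tuna\SetupFiles' | Out-Null

# 3. When 'tuna' is retired: add the new server as a second target, copy or replicate the data
#    (DFS Replication or robocopy), then drop the old target. The namespace path never changes,
#    so no shortcut, script or document link breaks.
New-DfsnFolderTarget -Path '\\ssw.com.au\Setup\Archive' -TargetPath '\\newserver\SetupFiles' | Out-Null
# Remove-DfsnFolderTarget -Path '\\ssw.com.au\Setup\Archive' -TargetPath '\\tuna\SetupFiles' -Force

# What the namespace currently resolves to
Get-DfsnFolder -Path '\\ssw.com.au\Setup\*' | Get-DfsnFolderTarget | Select-Object Path, TargetPath, State
```

    The NTFS permissions on the real shares still decide who can read what; DFS only changes the name users see, so tighten the target shares as you would any other.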

  14. Logon - Do you have a company-wide Word template?

    Implement a company-wide template so users get automatic headers and footers, saving time and giving consistent branding.
    word-template-bad.jpg
    Figure: Bad Example - creating an email/document does not have the company templates
    word-template-good.jpg
    Figure: Good Example - creating an email/document with the company templates​

    How to have a company-wide Word template:

    • Modify your Normal.dotm file to have the headings and formatting that you want for Word documents
    • Create standard employee email footer files, e.g. JamesZhou.htm or JamesZhou.txt
    • Put the files on a network location - this is the place that will have the master copies
      e.g. \\ssw\ant\standardsinternal\template\
      Make this location read-only for everyone except the people who maintain the templates. Normal.dotm is a macro-enabled template that Word loads every time it starts, so a writable master copy would let anyone push a macro to every workstation at the next logon.
    • Have a logon script, set up through Group Policy, that copies the files to the user's computer when they log on.

    REM Copy the master Office templates from the share into the user's profile.
    REM SafeCopyNewerFile.bat only overwrites the local copy when the master on the share is newer,
    REM so a user's local edits survive until the master is updated.
    ECHO Copy Office Templates To Workstation >> %LogonLogFile%
    call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\Normal.dot" "%APPDATA%\Microsoft\Templates\Normal.dot" %LogonLogFile%
    call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\Normal.dotm" "%APPDATA%\Microsoft\Templates\Normal.dotm" %LogonLogFile%
    call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\ProposalNormalTemplate.dotx" "%APPDATA%\Microsoft\Templates\ProposalNormalTemplate.dotx" %LogonLogFile%
    call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\NormalEmail.dot" "%APPDATA%\Microsoft\Templates\NormalEmail.dot" %LogonLogFile%
    call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\Microsoft_Normal.dotx" "%APPDATA%\Microsoft\Templates\Microsoft_Normal.dotx" %LogonLogFile%
    call %ScriptFolder%\SSWLogonScript\BatchScript\SafeCopyNewerFile.bat "\\fileserver\DataSSW\DataSSWEmployees\Templates\Blank.potx" "%APPDATA%\Microsoft\Templates\Blank.potx" %LogonLogFile%
    REM The Outlook templates are always overwritten (/Y suppresses the prompt)
    xcopy /Y "\\fileserver\DataSSW\DataSSWEmployees\Templates\NormalEmail.dotm" "%APPDATA%\Microsoft\Templates\" >> %LogonLogFile%
    xcopy /Y "\\fileserver\DataSSW\DataSSWEmployees\Templates\NormalEmail.dotx" "%APPDATA%\Microsoft\QuickStyles\" >> %LogonLogFile%
    ECHO Templates Copied

    Figure: This is a snippet of our login script

    Note: We don't want people using RTF emails, so we include a message to that effect in SSW.rtf.

    For more information on why we need to modify the Normal.dotm, you can access the website http://office.microsoft.com/en-us/word/HA100307561033.aspx.

    Tip: You can automatically have your SSW Word doc template on sign-in via a script. See https://github.com/SSWConsulting/LoginScript.
