9 simple security tricks

I'm using these tricks whenever I can. They are simple and effective. I learned them mostly while working with Microsoft Windows Server 2000 and SQL Server 2000 (blank SA for example), which are a bit insecure by default. You probably know these, but anyhow, here we go:

1. Rename admins
Renaming default privileged accounts like “administrator” is a highly effective method of security protection. Attackers presume that their victims use default account names. By changing your privileged usernames you defeat attackers and malware easily, because they need the right username for a successful password cracking campaign.

2. Disable your admins
This is a hard one, but you can try it. Disable all administrator accounts and groups and give only the permissions that are needed. Since every IT admin is used to administrative rights, this one will be hard to implement on many levels, but it’s worth a try because your network will be almost completely impenetrable.

3. Password policy
Change your password regularly; if every 42 days feels too annoying, make it every few months, half a year… Passwords should be at least 8 characters long and you should be able to remember them. Simply swapping letters and adding numbers and special characters should make a password difficult and effective. For example, setting your password as “password” is not good enough, but if you change it to “P@55w0rD#” that should definitely do the trick.

4. Change default directories
Malware almost always looks in default directories for files. For example, don't use C:\inetpub for your website scripts, move your databases out of the default SQL installation and change your Windows install directory from C:\Windows to something else like C:\Win2008. These steps won't eliminate all the threats but will reduce the risks. It's pretty cool to set up a honeypot, install Windows to C:\MyWin and then watch malware drop its load into the C:\windows\system32 folder.

5. Set up honeypots
A honeypot is set up solely for one purpose – to be attacked. Honeypots have no value in your network; they just sit and wait to be attacked. They are also monitored, so when they are touched, you can see and analyze the attacks that are mounted against your network. It's a great early warning system.

6. Turn on screensavers
It's a simple and effective technique for protecting your network workstations and servers. Turn on screensavers with passwords. If a user is away for some time, the screensaver turns on, and the next time someone touches the computer a password is required.

7. Disable internet browsing on servers
This has to be a habit. Don't use your servers for browsing the internet or, worse, as your everyday computer. The majority of problems are caused by user actions on the internet, so avoid it.

8. Use nondefault ports
This is one of the most effective techniques for preventing attacks, especially when zero-day attacks are in question. Worms and viruses almost always go for default ports, and by changing your ports you'll definitely reduce the risk of attack.

9. Install AV
I was thinking about putting this one onto the list, because I thought that everybody knows this one by now, but still nowadays I can spot a computer without antivirus protection. Install AV and make it a habit. There are many good free AV programs like Microsoft Essentials, Avira, AVG…
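
The honeypot from tip 5, reduced to its core as an added example (not code from the original post): a listener that offers no service, never replies, and records every connection that touches it. The class name `Tripwire`, the event fields and port 2323 are illustrative assumptions.

```python
import socket
from datetime import datetime, timezone


class Tripwire:
    """Low-interaction honeypot: accepts TCP connections, logs them, offers no service."""

    def __init__(self, host="127.0.0.1", port=0, max_bytes=256):
        self.events = []            # one dict per connection that touched the port
        self.max_bytes = max_bytes  # cap on how much of the first payload is kept
        self._sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self._sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self._sock.bind((host, port))   # port=0 lets the OS pick a free port
        self._sock.listen(16)
        self.port = self._sock.getsockname()[1]

    def handle_one(self, timeout=5.0):
        """Wait for one connection, record it, and close it without replying."""
        self._sock.settimeout(timeout)
        conn, (src_ip, src_port) = self._sock.accept()
        with conn:
            conn.settimeout(2.0)
            try:
                first = conn.recv(self.max_bytes)
            except OSError:             # silent scanner, timeout or reset
                first = b""
        event = {
            "time": datetime.now(timezone.utc).isoformat(),
            "src_ip": src_ip,
            "src_port": src_port,
            "dst_port": self.port,
            "first_bytes": first.hex(),  # hex so binary probes log cleanly
        }
        self.events.append(event)
        return event

    def serve_forever(self):
        """Print every touch; in practice, forward these events to your alerting."""
        while True:
            print(self.handle_one(timeout=None))

    def close(self):
        self._sock.close()


if __name__ == "__main__":
    # Assumed deployment: an otherwise unused port on a host nobody should contact.
    Tripwire(host="0.0.0.0", port=2323).serve_forever()
```

Because nothing legitimate ever talks to this port, every recorded event is worth looking at, which is what makes it an early warning.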

 
