The security controls will need to be more strict using smart cards or tokens or even biometric devices as a second layer to the authentication process. Establish a threshold of failed attempts for logon attempts while maintaining auditing logon events. These logs will provide you with a record of traffic and who and when someone entered or exited the system.
The first phase that needs to be addressed is the 7 domains of your infrastructure. We will look at the User Domain this is who has access to an organizations information system. There are roles, tasks and responsibilities and accountability from the employees in the organization to keep sensitive information secure. As we know that human error is the greatest weakness in any IT infrastructure.
The second domain is the workstation this is where your employees actually connect to the network, could be a laptop a desktop computer, smartphone or even remote access. This is where you want to make sure everyone is required to logon to system with strong passwords and that they are required at least every quarter to change their passwords. This is typically where malicious software in found in the system or installed on the workstation. The key here is to check for unauthorized users and make sure the anti-virus protection is up to date and all patches are installed.
Your external firewall stops unauthorized traffic from entering or leaving your network. As packets of data travel the internet you external firewall adds a layer of protection by filtering every packet that arrives at either side of the firewall.
Intrusion Detection System IDS - The IDS is in a location you want it to be in a place that will identify possible points of entry into the network. The IDS must be configured properly but it can add a layer of integrity to the infrastructure and trace user activity, notify you when the system is under attack. It can detect errors in the system configuration. The IDS will also help to mitigate some DoS attacks from occurring.
Exchange Server - This is placed properly behind the firewall and with the DMZ, now we must configure it so that we disable the HTTP and only allow HTTPS this will narrow an attack. We would want to install whitelisting software to add protection from the Remote Administration Tool (RAT) gaining entry.
File Transfer Protocol FTP - uses TCP as a connection oriented data transmission but it is in clear-text. The packets are numbered and acknowledged as being received to increase integrity of the file transfer. However these packets can easily be "eavesdropped" upon and therefore need to be protected. You would want to hide the data with cryptography or encryption.
Third domain is LAN domain this is where computers connect to one another connection like the file servers or printer server. These should be configured with access controls to require logon ID and password authentication for access so only the required people have access to those servers that are supposed to. This domain is where data is usually transmitted unencrypted and the spreading of malicious software takes place. Implement encryption between workstations to maintain confidentiality.
Wireless Access Point allows wireless capable devices and wired networks to connect like a hotspot. So this device needs to be behind the internal firewall and mac address filtering. Change password on settings from the default password. Change the SSID network name name of the device. Set your static IP address for your wireless networks. configure security settings change encryption on wireless settings and change to WPA or WPA2 if available. Server 2008 Domain Controller (DC) This is pretty standard now days and