

Checklist: Lock down PCs, workgroups and AD domains


Roberta Bragg
02.22.2005




Security is often an optional component of a computer implementation. Though we've made good strides in the implementation of default security, it's still not enough. To secure systems from desktops to servers, someone has to decide on what steps to take and make sure they are taken.

Unfortunately, even a sound security policy backed by management is not always applied consistently and regularly. Even worse, it can be undone by a clueless user with administrative privileges, or by administrators who know better but "temporarily" change things during troubleshooting or forget some detail of a specific configuration.

This predicament is resolvable. A modern Windows computer can be configured to automatically apply and even reapply security settings. Some of these are aptly named "Security Options." Today it's time to get the big picture -- the details and how-to information will follow in additional checklists.

To get you started, the following mini-checklists will help you take the "optional" out of security for different Windows assets.

TABLE OF CONTENTS:
   Required security in standalone or workgroup computers
   Required security in an Active Directory domain

  Checklist: Required security in standalone or workgroup computers
Update each computer to the appropriate service pack and patch level
You can do this by visiting Windows Update. Open Internet Explorer and select "Windows Update" from the Tools menu. Once there, follow the instructions. Do review the possible updates. Many of them are not critical security updates but driver and application updates that may or may not be desirable for your environment at this time.
Use Automatic Updates to maintain security
For Windows XP and above, set Automatic Updates to automatically download and install new security updates as they become available. In Windows XP, go to Start/Settings/Control Panel/Automatic Updates applet.
Add the Security Templates snap-in
Add the Security Templates snap-in to a Microsoft Management console and examine the available templates. (For instructions on doing so for Windows Server 2003 see this Microsoft support page). Security templates, as well as a security guide for Windows Server 2003, may be downloaded at Microsoft TechNet. Using those recommendations, create a template that provides the security desired, then use the Security Configuration and Analysis tool (another snap-in) to apply your template. (Instructions for doing so are also available from Microsoft support.)
Keep security settings in place
Periodically reapply your template to ensure that security settings remain in place.
Turn on Windows XP Firewall
Make sure Windows Firewall in XP is turned on, and periodically check to see that it remains so.
Set up defenses
Run antivirus and antispyware tools, and keep them updated.
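To see which settings have moved since the template was last applied (the "Keep security settings in place" item above), the template can be compared with the machine's current policy before it is reapplied. The following is an added example, not part of the original checklist: it assumes the current policy has been exported as INF text with `secedit /export /cfg`, and the template and export shown are constructed sample data.

```python
import configparser
SKIP = {"version", "unicode"}  # file metadata sections, not policy settings

def parse_inf(text):
    """Security-template INF text -> {section: {setting: value}}, names lower-cased."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.read_string(text)  # configparser lower-cases setting names by default
    return {s.lower(): {k: (v or "").strip().strip('"') for k, v in cp.items(s)}
            for s in cp.sections()}

def normalise(section, value):
    if section == "privilege rights":  # comma-separated SID list, order irrelevant
        return frozenset(p.strip().lower() for p in value.split(",") if p.strip())
    return value.lower()

def drift(template_text, current_text):
    """Return [(section, setting, expected, actual)]; actual is None if absent."""
    want, have = parse_inf(template_text), parse_inf(current_text)
    findings = []
    for section, settings in want.items():
        if section in SKIP:
            continue
        for key, expected in settings.items():
            actual = have.get(section, {}).get(key)
            if actual is None or normalise(section, actual) != normalise(section, expected):
                findings.append((section, key, expected, actual))
    return findings

# Constructed sample data: a small template and an export that has drifted from it.
TEMPLATE = r"""[Version]
signature="$CHICAGO$"
[System Access]
MinimumPasswordLength = 8
LockoutBadCount = 5
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
"""
CURRENT = r"""[System Access]
MinimumPasswordLength = 0
LockoutBadCount = 5
[Registry Values]
machine\system\currentcontrolset\control\lsa\limitblankpassworduse=4,1
"""
if __name__ == "__main__":
    print(*drift(TEMPLATE, CURRENT), sep="\n")
```

Only settings the template defines are checked, so a non-empty result means the template needs reapplying. When reading a real export from disk, open it with `encoding="utf-16"`.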
  Checklist: Required security in an Active Directory domain
Update each computer to the appropriate service pack and patch level
Ideally the current service pack and patches are applied before each new computer is added to the network.
Put a patch management process in place
Implement a change and patch management process that includes awareness of new security updates, testing of updates for your systems and the use of Software Update Services (soon to be Windows Update Services), Microsoft Systems Management Server or a third-party alternative product to automatically update systems with approved patches.
Implement appropriate security with GPOs
Develop Group Policy Objects (GPOs) that implement appropriate security based on computer and user roles on the network. The Windows security section of the GPO includes the basic equivalent of the security template, and it is automatically refreshed and applied both when changes are made and at computer startup.
Use network and host-based firewalls
Use network firewalls and a host-based firewall where appropriate. Monitor firewalls and services to make sure controls are in place.
Automatically update network antivirus, antispyware and antispam
Use network-based and managed antivirus, antispyware and antispam controls in addition to host-based controls, and make sure they are automatically updated.

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.



    ABOUT THE AUTHOR:
    Roberta Bragg is author of "Hardening Windows systems" and a SearchWindowsSecurity.com resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.
