Published: December 31, 2003 | Updated: April 26, 2006
Although this guide discusses many security countermeasures and security settings, some of them are especially important. This appendix highlights those settings; refer to the relevant chapter for an explanation of what each setting does and why it matters.
Which settings to include in this list could be the subject of an extensive debate. In fact, this topic was discussed at great length by a group of security experts within Microsoft. You may feel that some settings are missing, or that some of the listed settings do not need to be on the list. Because each organization has a distinct environment with unique business requirements, different opinions about security issues should be expected. Still, this list might help you prioritize tasks that relate to hardening computers that run Microsoft® Windows®.
Important countermeasures that are not security settings include:
Keep computers up-to-date on service packs and hotfixes with automated tools for testing and deployment.
Install and configure distributed firewall software or organizational IPsec policies.
Deploy and maintain antivirus software.
Deploy and maintain antispyware software on computers that are used to browse Web sites.
Use a non-administrative account for day-to-day tasks. You should only use an account with administrator privileges to perform tasks that require elevated privileges.
Key security settings that are available in Microsoft Windows include:
Password policy, which is discussed in Chapter 3, "The Domain Policy."
Enforce Password History
Maximum Password Age
Minimum Password Length
Passwords must meet complexity requirements
Store passwords using reversible encryption for all users in the domain
User rights, which are discussed in Chapter 4, "The Member Server Baseline Policy."
Access this computer from the network
Act as part of the operating system
Allow logon locally
Allow log on through Terminal Services
Security options, which are discussed in Chapter 4, "The Member Server Baseline Policy."
Accounts: Limit local account use of blank passwords to console logon only
Domain member: Digitally encrypt or sign secure channel data (always)
Domain member: Digitally encrypt secure channel data (when possible)
Domain member: Digitally sign secure channel data (when possible)
Domain member: Require strong (Windows 2000 or later) session key
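As an added example that is not part of the guide, the following script audits a security template exported from a server with "secedit /export /cfg" against the password policy, user rights and security options listed above. The INF sample, the thresholds (24 passwords remembered, 42-day maximum age, 8-character minimum) and the registry value paths used for the security options are this example's assumptions; a real export is UTF-16LE text, so decode it before passing it in.

```python
import configparser
# Constructed sample in secedit's INF layout (not a real export); two settings are left weak.
SAMPLE_INF = """\
[System Access]
PasswordHistorySize = 24
MaximumPasswordAge = 42
MinimumPasswordLength = 6
PasswordComplexity = 1
ClearTextPassword = 0
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544,*S-1-5-11
SeTcbPrivilege =
SeInteractiveLogonRight = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireSignOrSeal=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\SealSecureChannel=4,1
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\SignSecureChannel=4,0
MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\RequireStrongKey=4,1
"""
NETLOGON = "MACHINE\\System\\CurrentControlSet\\Services\\Netlogon\\Parameters\\"  # assumed paths
LSA_BLANK = "MACHINE\\System\\CurrentControlSet\\Control\\Lsa\\LimitBlankPasswordUse"
BROAD_SIDS = {"*S-1-1-0", "*S-1-5-7", "*S-1-5-32-546"}  # Everyone, Anonymous Logon, Guests

def audit(inf_text: str) -> list:
    """Return findings for the appendix's key settings; an empty list means all pass."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.optionxform = str  # keep the case of registry paths and right names
    cp.read_string(inf_text)
    sa, pr, rv = cp["System Access"], cp["Privilege Rights"], cp["Registry Values"]
    out = []
    # Password policy (Chapter 3); thresholds are this example's assumptions
    if int(sa["PasswordHistorySize"]) < 24: out.append("password history below 24")
    if not 1 <= int(sa["MaximumPasswordAge"]) <= 42: out.append("maximum password age not 1-42 days")
    if int(sa["MinimumPasswordLength"]) < 8: out.append("minimum password length below 8")
    if sa["PasswordComplexity"] != "1": out.append("password complexity disabled")
    if sa["ClearTextPassword"] != "0": out.append("reversible encryption enabled")
    # User rights (Chapter 4): nobody should act as part of the OS; no broad groups on logon rights
    if pr.get("SeTcbPrivilege", "").strip(): out.append("SeTcbPrivilege granted")
    for right in ("SeNetworkLogonRight", "SeInteractiveLogonRight", "SeRemoteInteractiveLogonRight"):
        if BROAD_SIDS & set(pr.get(right, "").split(",")):
            out.append(right + " granted to a broad group")
    # Security options (Chapter 4): each is a REG_DWORD ("4,<value>") that must be 1
    for path in (LSA_BLANK, NETLOGON + "RequireSignOrSeal", NETLOGON + "SealSecureChannel",
                 NETLOGON + "SignSecureChannel", NETLOGON + "RequireStrongKey"):
        if rv.get(path, "4,0").split(",")[-1] != "1":
            out.append(path.rsplit("\\", 1)[-1] + " not enabled")
    return out
```

Running audit(SAMPLE_INF) reports the short minimum password length and the unsigned secure channel; a missing registry value is treated as not enabled.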