Best practices for Security Settings
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Be cautious when creating new policies
Always test a newly-created policy on a test computer before applying it to your network.
Be aware that more than one policy can be applied to a computer
Because of this, there can be conflicts in security policy settings. The order of precedence from highest precedence to lowest precedence is:
- Organizational unit
You can use Resultant Set of Policy to find out what policies apply to a certain computer. For more information , see Resultant Set of Policy.
Keep in mind that there can only be one account policy in a domain: the Default Domain Policy
For more information, see Account and local policies.
Apply templates appropriately
Do not apply the Compatible template to Domain Controller computers. For example, do not import the Compatible template to Default Domain Policy or Default Domain Controller Policy.
Do not apply the Setup security template through Group Policy.
Use the correct tools for configuring local policy
For local security policy, use the Local Security Policy shortcut for editing and fine-tuning security policy. Use Security Templates to create a local policy and then use Security Configuration and Analysis to apply the policy.