Best practices for security
Updated: January 21, 2005
Applies To: Windows Server 2003, Windows Server 2003 R2, Windows Server 2003 with SP1, Windows Server 2003 with SP2
Restrict physical access to computers, especially domain controllers, to trusted personnel
Physical access to a server is a high security risk. Physical access to a server by an intruder could result in unauthorized data access or modification as well as installation of hardware or software designed to circumvent security. To maintain a secure environment, you must restrict physical access to all servers and network hardware.
For administrative tasks, use the principle of least privilege
Using the principle of least privilege, Administrators should use an account with restrictive permissions to perform routine, nonadministrative tasks and use an account with broader permissions only when performing specific administrative tasks.
To accomplish this without logging off and back on, log on with a regular user account and use the Runas command to run the tools that require the broader permissions.
For more information, see Run a program with administrative credentials and Runas.
Define groups and their membership
When deciding on the default level of computer access that end users will have, the determining factor is the installed base of applications that need to be supported. If your organization uses only applications that belong to the Windows Logo for Software program, then you can make all your end users members of the Users group. If not, you may have to make your end users part of the Power Users group or relax the Users group's permissions security settings. Both are less secure options.
Running legacy programs on Windows 2000 or Windows XP Professional often requires you to modify access to certain system settings. The same default permissions that allow Power Users to run legacy programs also make it possible for a Power User to gain additional privileges on the system, even complete administrative control. Therefore, it is important to deploy Windows 2000 or Windows XP Professional programs in the Windows Logo program for Software in order to achieve maximum security without sacrificing program functionality.
For more information, see the Windows Logo program for Software page at the Microsoft Web site.
All domain administrators (including child domain administrators) who can modify the system software on domain controllers in a forest must be equally trusted.
Domain administrators and enterprise administrators should be the only users allowed to link a Group Policy object to an organizational unit. This is the default setting.
Authenticated users only need Read and Apply Group Policy object permissions.
Secure data on computers
Ensure that the system files and the registry are protected using strong access control lists.
For more information, see Access Control.
Use Syskey to provide additional protection of the security account manager (SAM), especially on your domain controllers.
For more information, see The system key utility.
Use strong passwords throughout your organization
Most authentication methods require the user to provide a password to prove their identity. These passwords are normally chosen by the user, who may want a simple password that is easily remembered. In most cases, these passwords are weak and may be easily guessed or determined by an intruder. Weak passwords can circumvent this security element and become the weak point of an otherwise strong security environment. Strong passwords tend to be more difficult for an intruder to discern and, as a result, help provide an effective defense of your organization’s resources.
For more information, see Strong passwords.
Do not download or run programs that come from untrusted sources
programs can contain instructions to violate security in a number of ways including data theft, denial of service and data destruction. These malicious programs often masquerade as legitimate software and can be difficult to identify. To avoid these programs, you should only download and run software that is guaranteed authentic and obtained from a trusted source. You should also ensure a current virus scanner is installed and functioning in case this type of software does inadvertently wind up on your computer.
Keep virus scanners up to date
Virus scanners frequently identify infected files by scanning for a signature, which is a known component of a previously identified virus. The scanners keep these virus signatures in a signature file, which is usually stored on the local hard disk. Because new viruses are discovered frequently, this file should also be updated frequently for the virus scanner to easily identify all current viruses.
Keep all software patches up to date
Software patches provide solutions to known security issues. Check software provider Web sites periodically to see if there are new patches available for software used in your organization.
For more information and for the latest recommendations on security, see Security.
In order to subscribe to the product Security Notification Service, see "product Security Notification" at the Microsoft Web site
For more information, see:
Best practices for permissions and user rights
Auditing Security Events Best practices
Encrypting File System best practices
Software Restriction Policies Best Practices
Certificate Services Best practices
Certificate Templates Best practices
For more information on creating and maintaining security policy, see: