Administrators should review user accounts on Windows Server across the entire organization and enforce security-minded policies on old and new user accounts.
Ensure every user account password has an expiration date that forces a password change on a regular basis. Rotation limits the window an attacker has to break into an account, and if a password is discovered, the forced change resecures the account.
Review account activity to identify infrequently used accounts. Check for new user accounts that were not updated with a user-specific password after creation.
New user accounts often use a common or easily determined password, which makes them easier to compromise. To harden Windows Server, delete unused or unneeded user accounts, use a random password generator for new user accounts and force new password creation when the user first logs in.
For optimal hardening, don't stop with passwords. Review privileged group memberships, such as enterprise, domain, DNS and other administrators. Assess group membership regularly for application groups as well, such as SQL, SharePoint and Exchange, and for other custom groups that work with vital business applications and data.
Always apply least privilege to all groups, and regularly verify group members. Integrate security procedures with the human resources exit process, for example, so that the IT team immediately removes an administrator's account and credentials when that person leaves the company.
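The review steps above can be run as one report-only audit against Active Directory. This is an added example, not code from the original article; it assumes the RSAT ActiveDirectory module on a domain-joined host, and the inactivity threshold and privileged group list are assumptions to adjust to local policy.

```powershell
# Added example (not from the original article): report-only audit of the
# account controls described above. Assumes the ActiveDirectory module;
# $StaleDays and $PrivilegedGroups are assumptions, adjust them to policy.
Import-Module ActiveDirectory

$StaleDays        = 90                                   # assumption
$PrivilegedGroups = 'Enterprise Admins', 'Domain Admins', 'DnsAdmins',
                    'Schema Admins', 'Account Operators'  # assumption

$users = Get-ADUser -Filter { Enabled -eq $true } -Properties PasswordNeverExpires,
            PasswordLastSet, LastLogonDate, whenCreated

# 1. Passwords flagged to never expire bypass the forced-rotation policy.
$neverExpires = $users | Where-Object PasswordNeverExpires

# 2. Accounts never used, or unused for longer than the threshold.
#    LastLogonDate is replicated only approximately, so treat it as a lead.
$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale  = $users | Where-Object { -not $_.LastLogonDate -or $_.LastLogonDate -lt $cutoff }

# 3. Accounts still on the password set at creation: PasswordLastSet within
#    a minute of whenCreated. Accounts forced to change at next logon have
#    a null PasswordLastSet and are correctly excluded.
$initialPassword = $users | Where-Object {
    $_.PasswordLastSet -and ($_.PasswordLastSet - $_.whenCreated).TotalMinutes -lt 1
}

# 4. Privileged group membership, resolved through nested groups.
$privileged = foreach ($g in $PrivilegedGroups) {
    Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
        Where-Object objectClass -eq 'user' |
        Select-Object @{ n = 'Group'; e = { $g } }, SamAccountName, DistinguishedName
}

[pscustomobject]@{
    PasswordNeverExpires = $neverExpires    | Select-Object -ExpandProperty SamAccountName
    StaleAccounts        = $stale           | Select-Object -ExpandProperty SamAccountName
    InitialPasswordOnly  = $initialPassword | Select-Object -ExpandProperty SamAccountName
    PrivilegedMembers    = $privileged
} | Format-List

# Remediation stays separate from the audit; for example, force a new password
# on accounts still using their creation password (review the -WhatIf output first):
#   $initialPassword | Set-ADUser -ChangePasswordAtLogon $true -WhatIf
```

Export the four result sets per review cycle so that membership changes to the privileged groups can be diffed against the previous run.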
Many security breaches happen because of weak passwords and password policies, as well as careless group administration. Don't let these small account management steps give way to big problems.