
Checklist: Lock down PCs, workgroups and AD domains

Security is often an optional component of a computer implementation. Roberta Bragg explains why good security is a must and what steps to take to enforce sound policies.

Security is often an optional component of a computer implementation. Though we've made good strides in the implementation of default security, it's still not enough. To secure systems from desktops to servers, someone has to decide on what steps to take and make sure they are taken.

Unfortunately, even a sound security policy backed by management is not always applied consistently and regularly. Even worse, it can be undone by a clueless user with administrative privileges, or by administrators who know better but "temporarily" change things during troubleshooting or forget some detail of a specific configuration.

This predicament is resolvable. A modern Windows computer can be configured to automatically apply and even reapply security settings. Some of these are aptly named "Security Options." Today it's time to get the big picture -- the details and how-to information will follow in additional checklists.

To get you started, the following mini-checklists will help you take the "optional" out of security for different Windows assets.

   Required security in standalone or workgroup computers
   Required security in an Active Directory domain


  Checklist: Required security in standalone or workgroup computers
Update each computer to the appropriate service pack and patch level
You can do this by visiting Windows Update. Open Internet Explorer and select "Windows Update" from the Tools menu. Once there, follow the instructions. Do review the possible updates. Many of them are not critical security updates but driver and application updates that may or may not be desirable for your environment at this time.
Use Automatic Updates to maintain security
For Windows XP and above, set Automatic Updates to automatically download and install new security updates as they become available. In Windows XP, go to the Start/Settings/Control Panel/Automatic Updates applet.
Add the Security Templates snap-in
Add the Security Templates snap-in to a Microsoft Management Console and examine the available templates. (For instructions on doing so for Windows Server 2003 see this Microsoft support page). Security templates, as well as a security guide for Windows Server 2003, may be downloaded at Microsoft TechNet. Using those recommendations, create a template that provides the security desired, then use the Security Configuration and Analysis tool (another snap-in) to apply your template. (Instructions for doing so are also available from Microsoft support.)
Keep security settings in place
Periodically reapply your template to ensure that security settings remain in place.
Turn on Windows XP Firewall
Make sure Windows Firewall in XP is turned on, and periodically check to see that it remains so.
Set up defenses
Run antivirus and antispyware tools, and keep them updated.
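To decide when the template from the "Keep security settings in place" step needs reapplying, the current configuration can be exported with `secedit /export /cfg` and compared against the template. The following is an added example, not part of the original checklist; the template contents are constructed samples and the function names `parse_inf` and `drift` are hypothetical.

```python
import configparser

# Constructed sample baseline template (the INF built in the Security Templates snap-in).
BASELINE_INF = r"""
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,4
MACHINE\System\CurrentControlSet\Control\Lsa\NoLMHash=4,1
[Version]
signature="$CHICAGO$"
"""

# Constructed sample of `secedit /export /cfg current.inf` output after settings drifted.
CURRENT_INF = r"""
[System Access]
MinimumPasswordLength = 0
PasswordComplexity = 1
[Event Audit]
AuditLogonEvents = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
"""

SKIP = {"Unicode", "Version"}  # file metadata sections, not settings

def parse_inf(text):
    """Return {(section, key): value}; keys are lower-cased (Windows names are case-insensitive)."""
    cp = configparser.ConfigParser(delimiters=("=",), interpolation=None, strict=False)
    cp.read_string(text)
    return {(s, k): v.strip() for s in cp.sections() if s not in SKIP
            for k, v in cp.items(s)}

def drift(baseline_text, current_text):
    """List (section, key, expected, actual) for every baseline setting that no longer matches."""
    want, have = parse_inf(baseline_text), parse_inf(current_text)
    return [(sec, key, expected, have.get((sec, key), "<missing>"))
            for (sec, key), expected in sorted(want.items())
            if have.get((sec, key)) != expected]

if __name__ == "__main__":
    # Real files are usually UTF-16: open(path, encoding="utf-16").read()
    for row in drift(BASELINE_INF, CURRENT_INF):
        print("DRIFT [%s] %s: expected %s, found %s" % row)
```

Where drift is reported, reapply the template with the Security Configuration and Analysis snap-in or `secedit /configure`.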
  Checklist: Required security in an Active Directory domain
Update each computer to the appropriate service pack and patch level
Ideally the current service pack and patches are applied before each new computer is added to the network.
Put a patch management process in place
Implement a change and patch management process that includes awareness of new security updates, testing of updates for your systems and the use of Software Update Services (soon to be Windows Update Services), Microsoft Systems Management Server or a third-party alternative product to automatically update systems with approved patches.
Implement appropriate security with GPOs
Develop Group Policy Objects (GPOs) that implement appropriate security based on computer and user roles on the network. The Windows security section of the GPO includes the basic equivalent of the security template, and it is automatically refreshed and applied both when changes are made and at computer startup.
Use network and host-based firewalls
Use network firewalls and a host-based firewall where appropriate. Monitor firewalls and services to make sure controls are in place.
Automatically update network antivirus, antispyware and antispam
Use network-based and managed antivirus, antispyware and antispam controls in addition to host-based controls, and make sure they are automatically updated.

Windows Security Checklists offer you step-by-step advice for planning, setting up and hardening your Windows security infrastructure.

ABOUT THE AUTHOR:
Roberta Bragg is author of "Hardening Windows Systems" and a resident expert. She is an MCSE, CISSP and Microsoft MVP, and a well-known information systems security consultant, columnist and speaker.

Copyright 2004
