Best Practices for Microsoft Windows OS Security Administration

Effective Windows security administration ensures your organization has all the technical controls in place to support its security goals. It takes more than just technical controls to meet all security goals, but security administrators mainly focus on deploying and maintaining technical security controls.

Here is a list of Windows security administration best practices that will help you deploy and maintain the controls to support your security policy. Change the list to suit your organization, but pay attention to the suggestions—they can help you avoid wasting time and resources:

  • Clearly state security goals in your security policy.

  • Include all compliance requirements for applicable legislation, regulation, and vendor standards in your security policy.

  • Use the PDCA method for all security administration activities.

  • Communicate with all stakeholders—share as much information as possible.

  • Strive for simplicity in all controls and systems—complexity invites failures.

  • Search for controls that have little impact on users. Users tend to bypass controls that they find intrusive or difficult.

  • Coordinate AUPs with technical controls.

  • Automate as much as possible—use scheduled jobs whenever possible.

  • Use AD GPOs for as many security settings as possible.

  • Coordinate physical controls with technical controls.

  • Never allow a computer that doesn’t have current anti-malware controls in place to connect to your network. This rule applies to all computers—even laptops owned by distinguished guests. Enforce the rule or be prepared to put your malware removal plan into action.

  • Develop a plan to monitor system and network performance and follow it.

  • Ensure the operating system and all software are up to date on all computers.

  • Periodically examine log files for suspicious behavior.

  • Stay current on emerging attacks and trends and update your controls appropriately.

  • Fully test your recovery plans at least annually, or more often, if possible. You’ll never really know how your recovery plan works until you actually execute each of the steps.

  • Define DACLs when necessary and modify or remove them when user account roles change.
