OS and Application Checks and Upkeep

An effective security policy ensures that your organization has all the technical controls in place to support its security goals. It takes more than just technical controls to meet all security goals, but security administrators mainly focus on deploying and maintaining technical security controls.

This list of Windows security administration best practices will help you deploy and maintain controls to support your security policy. Change the list to suit your organization, but pay attention to the suggestions. They can help you avoid wasting time and resources:

  • Clearly state security goals in your security policy.

  • Include all compliance requirements for applicable legislation, regulation, and vendor standards in your security policy.

  • Use the PDCA method for all security administration activities.

  • Communicate with all stakeholders—share as much information as possible.

  • Strive for simplicity in all controls and systems—complexity invites failures.

  • Search for controls that have little impact on users. Users tend to bypass controls that they find intrusive or difficult.

  • Coordinate acceptable use policies (AUPs) with technical controls.

  • Automate as much as possible—use scheduled jobs whenever you can.

  • Use AD GPOs for as many security settings as possible.

  • Coordinate physical controls with technical controls.

  • Never allow a computer or mobile device that doesn’t have current anti-malware controls in place to connect to your network. This rule applies to all computers and mobile devices—even laptops or smartphones owned by distinguished guests. Enforce the rule or be prepared to put your malware removal plan into action.

  • Develop a plan to monitor system and network performance and follow it.

  • Ensure the OS and all software are up to date on all computers.

  • Periodically examine log files for suspicious behavior.

  • Stay current on emerging attacks and trends and update your controls appropriately.

  • Fully test your recovery plans at least annually (more often if possible). You’ll never really know how your recovery plan works until you actually execute each of the steps.

  • Define discretionary access control lists (DACLs) when necessary and modify or remove them when user account roles change.

Hardening your Windows OS removes as many vulnerabilities as possible. The best practices to harden your Windows OS are as follows:

  • Install only the Server Core option when you don’t need extra functionality.

  • Select the minimum number of roles when installing Windows Server.

  • For Windows Server, run the Security Configuration Wizard (SCW) immediately after installing the OS.

  • Update each computer with the latest OS patches.

  • Configure each computer for automatic Windows updates.

  • Install and run MBSA and at least one other Windows security vulnerability scanner.

  • Create one or more user accounts with administrator rights.

  • Disable the Administrator and Guest user accounts.

  • Disable all unneeded services.

  • Close all ports not required by services or applications.

  • Create GPOs for all security settings, including firewall rules.

  • Use AD to distribute all configuration changes using GPOs.

  • Create a backup of each GPO.

  • Scan all computers for open ports.

  • Limit physical access to all critical servers.

  • Create an initial baseline backup.

  • Change the AD Directory Service Repair Mode (DSRM) password periodically, at least every 6 months.

  • Install anti-malware software on each computer.

  • Ensure all anti-malware software and data are current.

  • Use network access control (NAC) software or devices to control remote computer connections.

  • Use remote authentication methods to authorize remote computers and users.

  • Require secure VPNs to access internal network resources.

  • Use Internet Protocol Security (IPSec) with digital certificates to authenticate computer-to-computer connections in the datacenter.

  • Require security awareness training prior to issuing access credentials.

  • Require periodic recurrent security awareness training to retain access credentials.

  • Provide continuing security awareness through different means.
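Several of the hardening items above (disabling the built-in Administrator and Guest accounts, disabling unneeded services, closing unused ports, keeping anti-malware data and OS patches current, backing up each GPO) can be verified from one script. The following PowerShell script is an added example for this page, not code from the textbook; it is a read-only audit that reports deviations rather than changing anything, so an administrator can compare a host against a baseline before applying the corrections through GPOs. The service and port allow-lists and the backup path are constructed placeholders, the 3-day signature-age threshold is an assumption, and the script expects an elevated Windows PowerShell 5.1 or later session with the Defender and GroupPolicy modules available.

```powershell
# Added example (not from the textbook): read-only hardening audit for one Windows host.
# Run from an elevated PowerShell session. Allow-lists below are constructed placeholders;
# replace them with the services and ports your own baseline approves.
$ApprovedServices = @('Dhcp', 'Dnscache', 'EventLog', 'WinDefend',
                      'LanmanServer', 'Schedule', 'W32Time', 'Netlogon')
$ApprovedPorts    = @(135, 139, 445, 3389)

function Test-BuiltInAccounts {
    # Built-in Administrator (RID 500) and Guest (RID 501) should both be disabled.
    Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501)$' } |
        Select-Object Name, Enabled,
            @{ n = 'Finding'; e = { if ($_.Enabled) { 'ENABLED: disable this account' } else { 'OK' } } }
}

function Test-RunningServices {
    # Any running service not on the approved list is a candidate for disabling.
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $_.Name -notin $ApprovedServices } |
        Select-Object Name, DisplayName, StartType
}

function Test-ListeningPorts {
    # Listening TCP ports outside the approved set, with the owning process.
    Get-NetTCPConnection -State Listen |
        Where-Object { $_.LocalPort -notin $ApprovedPorts } |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                LocalAddress = $_.LocalAddress
                LocalPort    = $_.LocalPort
                Process      = $proc.ProcessName
                PID          = $_.OwningProcess
            }
        } | Sort-Object LocalPort -Unique
}

function Test-AntiMalwareStatus {
    # Windows Defender real-time protection and signature age (Defender module).
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        SignatureCurrent   = ($s.AntivirusSignatureAge -le 3)   # constructed threshold: 3 days
    }
}

function Test-PatchRecency {
    # Most recent installed update; a long gap suggests automatic updates are not working.
    $latest = Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 1
    [pscustomobject]@{
        LatestHotFix   = $latest.HotFixID
        InstalledOn    = $latest.InstalledOn
        DaysSincePatch = if ($latest.InstalledOn) { (New-TimeSpan -Start $latest.InstalledOn).Days } else { $null }
    }
}

function Backup-AllGpos {
    # Backs up every GPO in the domain (GroupPolicy RSAT module, domain-joined host).
    param([string]$Path = 'C:\GPOBackups')   # constructed path
    New-Item -ItemType Directory -Path $Path -Force | Out-Null
    Backup-GPO -All -Path $Path -Comment ("Baseline {0:yyyy-MM-dd}" -f (Get-Date))
}

'--- Built-in accounts ---';           Test-BuiltInAccounts   | Format-Table -AutoSize
'--- Unapproved running services ---'; Test-RunningServices   | Format-Table -AutoSize
'--- Unapproved listening ports ---';  Test-ListeningPorts    | Format-Table -AutoSize
'--- Anti-malware ---';                Test-AntiMalwareStatus | Format-List
'--- Patch recency ---';               Test-PatchRecency      | Format-List
```

The audit functions only read state; Backup-AllGpos is defined but not invoked, so that the GPO backup (which writes to disk and needs domain rights) is run deliberately, for example right after the baseline is approved. Keeping the allow-lists in the script, under change control, turns the "disable all unneeded services" and "close all ports not required" items into something that can be checked on every host the same way.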

The process of hardening applications is just as important as hardening your OS. These best practices will help you establish a solid foundation for securing your applications:

  • Harden the OS first.

  • Install only necessary services.

  • Use server roles when possible.

  • Use the Security Compliance Toolkit (SCT) to apply the least privilege principle to applications.

  • Remove or disable unneeded services.

  • Remove or disable unused user accounts.

  • Remove extra application components.

  • Open only the minimum required ports at the firewall.

  • Define unique user accounts.

  • Use strong authentication.

  • Use encrypted connections for all communication.

  • Encrypt files, folders, or volumes that contain private data.

  • Develop and maintain a BCP and disaster recovery plan (DRP).

  • Disable any server features you don’t need.

  • Ensure every computer has up-to-date anti-malware software and data.

  • Never open any content or files from untrusted sources.

  • Validate all input received at the server.

  • Audit failed logon and access attempts.

  • Conduct penetration tests to discover vulnerabilities.
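The "audit failed logon and access attempts" item above, together with the earlier advice to examine log files periodically and to automate with scheduled jobs, is the kind of task that should run unattended every day. The PowerShell script below is an added example written for this page, not code from the textbook: it summarises failed logons (Security event ID 4625) over a window, flags account/source pairs with many failures, and can register itself as a daily scheduled task running as SYSTEM. The report path, task name, 24-hour window and 10-failure threshold are constructed placeholders; the script must run elevated because reading the Security log requires it.

```powershell
# Added example (not from the textbook): daily failed-logon summary from the Security log.
# Usage: .\Get-FailedLogons.ps1                 -> prints the summary
#        .\Get-FailedLogons.ps1 -Report <csv>   -> writes the summary to a CSV
param([string]$Report)   # constructed parameter used by the scheduled task

function Get-FailedLogonSummary {
    param([int]$Hours = 24, [int]$Threshold = 10)   # constructed defaults

    # Event 4625 = "An account failed to log on". SilentlyContinue keeps an empty
    # window from raising the "No events were found" error.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Security'
        Id        = 4625
        StartTime = (Get-Date).AddHours(-$Hours)
    } -ErrorAction SilentlyContinue

    # Read fields from the event XML instead of parsing the localized message text.
    $rows = foreach ($e in $events) {
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
        [pscustomobject]@{
            Time      = $e.TimeCreated
            Account   = $d['TargetUserName']
            Domain    = $d['TargetDomainName']
            SourceIP  = $d['IpAddress']
            LogonType = $d['LogonType']      # 3 = network, 10 = RDP, 2 = interactive
            SubStatus = $d['SubStatus']      # 0xC000006A bad password, 0xC0000064 unknown user
        }
    }

    # Group by account and source; many failures from one source is the case to review.
    $rows | Group-Object Account, SourceIP | ForEach-Object {
        $sorted = $_.Group | Sort-Object Time
        [pscustomobject]@{
            Account  = $sorted[0].Account
            SourceIP = $sorted[0].SourceIP
            Failures = $_.Count
            First    = $sorted[0].Time
            Last     = $sorted[-1].Time
            Flag     = if ($_.Count -ge $Threshold) { 'REVIEW' } else { '' }
        }
    } | Sort-Object Failures -Descending
}

function Register-FailedLogonReport {
    # Registers this script as a daily task that writes the CSV report as SYSTEM.
    param(
        [string]$ScriptPath = $PSCommandPath,
        [string]$ReportPath = 'C:\SecurityReports\failed-logons.csv'   # constructed path
    )
    $action = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`" -Report `"$ReportPath`""
    $trigger   = New-ScheduledTaskTrigger -Daily -At '06:00'
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName 'Daily failed-logon review' `
        -Action $action -Trigger $trigger -Principal $principal -Force
}

if ($Report) {
    New-Item -ItemType Directory -Path (Split-Path $Report) -Force | Out-Null
    Get-FailedLogonSummary | Export-Csv -Path $Report -NoTypeInformation
} else {
    Get-FailedLogonSummary | Format-Table -AutoSize
}
```

Register-FailedLogonReport is called once, interactively, to set the job up; after that the task produces the CSV every morning and the administrator reviews only the rows flagged REVIEW. The grouping by account and source address is what makes the report useful: a single user mistyping a password produces a handful of failures from one workstation, whereas a large count against one account from an unexpected address is worth following up on, and the SubStatus column separates bad passwords from attempts against user names that do not exist.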
