Securing a Windows network is an ongoing endeavor. Although the process never really ends, you can reach a level of assurance that your network is secure from most threats. It is important to continually monitor controls to ensure they are as effective as expected. Here are some best practices that will help you get started securing your network and provide a good set of guidelines for ensuring your network stays secure:

• Identify sensitive data.

• Protect sensitive data at rest using encryption.

• Establish unique domain user accounts for each user.

• Enforce strong passwords for all user accounts.

• Create new user accounts with limited rights and permission for services.

  • Do not allow any services to run as a domain admin user.

• Use Kerberos for secure authentication.

• Install firewalls to create a DMZ.

  • Place all Internet-facing servers—web servers and other publicly accessible servers—in the DMZ.

  • Use encrypted communication for all traffic flowing through the DMZ and the trusted network.

• Use encryption for all communication involving sensitive data.

• Establish firewall rules.

  • Deny all suspicious traffic.

  • Allow only approved traffic for servers.

  • Filter inbound and outbound traffic for servers and workstations for malicious messages.

  • If your firewall supports it, automatically terminate connections with sources generating DoS traffic to mitigate DoS attacks in process.

• Install anti-malware software on all computers and establish frequent update schedules and scans.

  • Update software and signature databases daily.

  • Perform quick scans daily.

  • Perform complete scans at least weekly.

• Use WPA or WPA2 for all secure wireless networks.

• Disable SSID broadcast for secure wireless networks.

• Do not enable wireless or mobile broadband cards while connected to your organization’s internal network. Always disable your wireless adapter before connecting a laptop to the wired network.

• Do not allow visitors to roam around your facilities using wireless LANs. Many access points can be physically reset to insecure factory default settings by pressing a reset switch on the box.

• Avoid connecting to public networks. When you connect to an open wireless network, you should have no expectation of privacy or security.

• If you have to use an open wireless connection, do not visit websites that require usernames, passwords, or account numbers, such as online banking. Use an encrypted connection or a virtual private network (VPN).

• Install a separate wireless access point connected only to the Internet for guests.

• Disable or uninstall any services that you do not need.

These best practices provide a solid foundation for establishing and maintaining a secure Windows network.