Hardening Data Access and Controls

The key to deploying the best Windows access controls is to first develop a clear idea of what you are attempting to control. In general, minimize the number of user accounts on all computers and carefully control access to accounts with Administrator rights. Access to data and resources is based on identity. You have to implement secure identity management before you can trust your access controls. As you’ve already learned, having fewer user accounts and using strong passwords make your systems more secure. But just limiting user account access is only part of the solution.

Once you identify the data and resources you need to control, use Windows Group Policy to establish access control lists (ACLs) that limit access to specifically defined users and groups. The easiest way to implement access control in a large environment is to use AD and global groups for as many ACLs as possible. Avoid allowing anonymous or guest user accounts to access any sensitive data.
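
As an added illustration (not code from the book), the following PowerShell audits a folder tree for ACL entries that allow access to Everyone, Anonymous Logon, the built-in Guests group, or a Guest account. The function name Find-BroadAccess and the scratch folder are assumptions made for this example; Everyone is included because that group contains the Guest account.

```powershell
# Added example: find ACEs that grant access to anonymous, guest, or
# Everyone principals. Well-known SIDs are matched instead of names so the
# check does not depend on the display language of the system.
$BroadSids = @{
    'S-1-1-0'      = 'Everyone'
    'S-1-5-7'      = 'ANONYMOUS LOGON'
    'S-1-5-32-546' = 'BUILTIN\Guests'
}

function Find-BroadAccess {   # hypothetical helper name
    param([Parameter(Mandatory)][string]$Path)

    $items = @(Get-Item -LiteralPath $Path) +
             @(Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue)
    foreach ($item in $items) {
        $acl = Get-Acl -LiteralPath $item.FullName
        # Explicit and inherited ACEs, with identities returned as SIDs.
        $rules = $acl.GetAccessRules($true, $true, [System.Security.Principal.SecurityIdentifier])
        foreach ($ace in $rules) {
            $sid = $ace.IdentityReference.Value
            $isGuestAccount = $sid -match '^S-1-5-21-.*-501$'   # local or domain Guest account
            if ($ace.AccessControlType -eq 'Allow' -and
                ($BroadSids.ContainsKey($sid) -or $isGuestAccount)) {
                [pscustomobject]@{
                    Path      = $item.FullName
                    Principal = if ($isGuestAccount) { 'Guest account' } else { $BroadSids[$sid] }
                    Rights    = $ace.FileSystemRights
                    Inherited = $ace.IsInherited
                }
            }
        }
    }
}

# Constructed sample: a scratch folder given one deliberately broad ACE.
$demo = Join-Path $env:TEMP 'acl-audit-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$acl      = Get-Acl -LiteralPath $demo
$everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$rule     = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $everyone, 'ReadAndExecute', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -LiteralPath $demo -AclObject $acl

Find-BroadAccess -Path $demo | Format-Table -AutoSize
Remove-Item -LiteralPath $demo -Recurse -Force
```

Entries reported with Inherited set to True are fixed on the parent folder where the ACE is defined, not on the item itself.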

To protect data at rest, either use Windows Encrypting File System (EFS) for folders that contain sensitive data or Windows BitLocker to encrypt entire volumes. Regardless of the option you choose, ensure any backups encrypt your data as well.
