Windows Security Basics
Content Leader: Jess Garcia - Last Updated: December 24, 2006
The best and easiest way to harden a system is to follow the industry best practices. The following references provide guidelines that allow you to easily apply those best practices to your system.
One of the most efficient ways to secure your Windows systems is through the use of Windows Security Templates.
These Security Templates can be applied to the system with the Security Configuration and Analysis MMC Snap-In Tool (included in the stock installation of Windows) or through Group Policy (if the system belongs to a Windows Domain). Check this article, Understanding Windows Security Templates for a quick overview.
It is important to tailor the Security Templates to your particular environment. You can do that with the "Security Templates" MMC Snap-In Tool (included in the stock installation of Windows). Check this article, Customizing Windows Security Templates
for a quick overview on how to do it.
These are some sources of Security Templates:
The NIST is probably the best option. They are providing Security Templates for Windows 2000 Professional and Windows XP at the time of writing (more will surely come).
The Center for Internet Security publish Security Templates along with their Benchmarks. They are quite good but be sure to test them first, as they can break some things.
The C:\Windows\security\templates directory of your Windows system. To be honest, these ones are not very good (the NIST does not recommend its use).
Security Evaluation & Auditing
Right after you have hardened a system, and periodically thereafter, you will want to verify how secure it is. You can use the following free tools for that purpose:
The Security Configuration & Analysis tool (mentioned above) can be used to check the compliance status against a particular Security Template.
The Center for Internet Security provides free tools to check the security of many Windows variants.
The Microsoft Baseline Security Analyzer some basic but complementary checks to the above tools.