The default installation of Windows Server 2003 has 39 user rights settings and 70 security options. These settings and options allow broad, sweeping, and powerful changes to how the host will behave under many different situations.
Note: Be very careful here. It is possible to lock yourself out, disable critical internal processes, and limit necessary functionality. It is strongly recommended that you thoroughly test any changes you make here in a test environment, together with any applications that could possibly depend on the settings running on the system.
You'll find the security policies as they affect your system by typing rsop.msc or secpol.msc at the command line. After the GUI opens, select Computer Configuration | Windows Settings | Local Policies. Remember that you can export these settings by right-clicking the folder icon and selecting "Export."
Evaluate the settings you have here against the policies you have for your organization. There are several guides suggesting recommended settings, including Microsoft's website, the built-in security templates, the Center for Information Security guides (http://www.cisecurity.org), and of course, SANS (http://www.sans.org). The bottom line here is that you need to decide what your organization is looking to accomplish and audit against these settings. If your organization isn't using these settings at all, then you should take the initiative to spearhead a project to review them. Here are some common settings for both categories.
Common security options include:
Renaming guest and administrator accounts
Disabling the guest account
Choosing not to display the last logged on user
Prompting the user to change the password before expiration
Refusing enumeration of SAM accounts and shares by anonymous
Refusing to store network credentials (Be careful with this!)
Changing local-area network (LAN) manager responses (Be careful with this!)
Common user rights assignments include:
Changing who can access the computer across the network
Defining who can log on locally
Denying access to the computer from the network
Denying logon through terminal services
Defining who can take ownership of file or other objects
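The audit described above can be scripted. As an added example (not the book's own code), the following exports the local policy with secedit on the host and then checks the resulting .inf against a small baseline built from the common settings just listed; the baseline thresholds, the export path, and the abridged sample export are assumptions for illustration.

```python
# Added example (not the book's code): audit a secedit export against a small baseline.
# Export on the host with  secedit /export /cfg C:\audit\local.inf  (UTF-16; read it with encoding="utf-16").
LSA = r"MACHINE\System\CurrentControlSet\Control\Lsa"
POLSYS = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System"

# (section, key, predicate on the raw value, label): a constructed baseline mirroring the settings listed above.
# [Registry Values] data is written "<type>,<data>"; type 4 is REG_DWORD.
CHECKS = [
    ("System Access", "EnableGuestAccount", lambda v: v == "0", "Guest account disabled"),
    ("System Access", "NewAdministratorName", lambda v: v.strip('"') != "Administrator", "Administrator renamed"),
    ("Registry Values", POLSYS + r"\DontDisplayLastUserName", lambda v: v == "4,1", "Last user not displayed"),
    ("Registry Values", LSA + r"\RestrictAnonymousSAM", lambda v: v == "4,1", "Anonymous SAM enumeration refused"),
    ("Registry Values", LSA + r"\RestrictAnonymous", lambda v: v == "4,1", "Anonymous share enumeration refused"),
    ("Registry Values", LSA + r"\DisableDomainCreds", lambda v: v == "4,1", "Network credential storage refused"),
    ("Registry Values", LSA + r"\LmCompatibilityLevel", lambda v: int(v.partition(",")[2]) >= 3, "NTLMv2 only (level >= 3)"),
    ("Privilege Rights", "SeDenyNetworkLogonRight", lambda v: "*S-1-5-32-546" in v, "Guests denied network access"),
]
def parse_inf(text):  # [Section] / key=value layout of a secedit .inf -> nested dicts
    sections, current = {}, {}
    for line in (s.strip() for s in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and not line.startswith(";"):
            key, _, value = line.partition("=")
            current[key.strip()] = value.strip()
    return sections

def audit(sections, checks=CHECKS):  # (label, observed) per failing check; absent keys -> "NOT SET"
    findings = []
    for section, key, ok, label in checks:
        value = sections.get(section, {}).get(key)
        if value is None or not ok(value):
            findings.append((label, "NOT SET" if value is None else value))
    return findings

# Constructed, abridged export with deliberate deviations (DisableDomainCreds is absent on purpose).
SAMPLE_INF = r"""[System Access]
EnableGuestAccount = 0
NewAdministratorName = "Administrator"
[Privilege Rights]
SeDenyNetworkLogonRight = *S-1-5-32-546
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LmCompatibilityLevel=4,2
"""
if __name__ == "__main__":
    for label, observed in audit(parse_inf(SAMPLE_INF)):
        print(f"FAIL  {label}: {observed}")
```

The script only reports deviations; the two settings the list flags as risky (credential storage and LAN Manager responses) are surfaced for review rather than changed.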