Executive management must define what security policies to put in place, the type of information to be protected, and the level of protection that is required.
Educate employees on the organizational security policies and the corresponding consequences for noncompliance on a periodic basis.
Review the Health Insurance Portability and Accountability Act (HIPAA) for health-care-related security policies at http://www.hipaa.org/.
Review the Gramm Leach Bliley Act (GLBA) for financial institutions at http://www.senate.gov/~banking/conf/.
Enforce security policies to make them effective.
Periodically perform security audits to define and strengthen security policies and practices.
Hire a security expert or firm to perform security audits on your infrastructure.
Create system-level security policies to provide baseline system specifications.
Define the primary authentication mechanism and the ways users are to be identified.
Identify which authentication mechanisms are required for performing certain tasks.
Practice defense-in-depth (DID) when constructing a security framework.
Use NTFS whenever possible.
Remove the Everyone group from permissions.
Use groups instead of individual users when configuring access controls.
Use the least privilege principle so that users can access only the information that they need.
Ensure that administrators have full control on all files, folders, and shares unless the organization specifically dictates otherwise.
Allow only administrators to manage resources.
Establish Windows Server 2003's software restriction policies. This service provides a transparent, policy-driven means to regulate unknown or untrusted applications.
Support only those applications that are approved and that are critical to the business.
Routinely update antivirus definition files to improve resilience against getting a virus.
Practice the least privilege principle to the entire organization.
Use Group Policy Objects (GPOs) to lock down the desktop so that users aren't given full access to the system. For example, disable the Run command or disallow use of the command prompt.
Thoroughly test Windows Server 2003 service packs and updates (especially those that are security-related) in a lab environment before deploying them in production.
Test and review application updates and patches to determine how they may affect application security and reliability.
Limit the number of applications a user has access to use.
Remove the username of the person who logged on last to the client machine. This keeps people from discovering other usernames and passwords.
Require users to change their passwords periodically.
Consider tightening password history, length, and strength requirements.
Mandate keeping documents on the file servers so that they are backed up every night.
Help alleviate concerns that documents aren't being backed up by using folder redirection.
Use the Security Configuration and Analysis tool to compare the current security configuration against a predetermined security requirement.
