Best Practices
By defining baseline security settings in security templates, you ensure that the required security settings can be reproduced on additional computers. Security templates also document the required security settings.
For example, a Microsoft SQL Server security template will contain security settings specific to instances of SQL Server deployed on the network.
By importing the security template into a Group Policy object (GPO), you ensure that the settings are applied consistently to every computer in the scope of the GPO and that they cannot be overridden in the local security policy of a target computer: domain-based Group Policy takes precedence over local policy and is reapplied at every policy refresh, so a local change is reversed rather than left in place.
Periodically, you should use tools such as the Security Configuration and Analysis console or the Secedit.exe utility to verify that the effective security settings on a target computer do not differ from the security template defined for that computer's role. Both tools compare the live configuration with the template stored in a security database and report each setting that does not match.
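The procedure above (define a baseline template, load it into a security database, apply it, and later re-analyze the computer against it) as a single PowerShell script. This is an added example, not code from the original text or from Microsoft; the paths, the handful of settings in the template, the Administrators SID and the log locations are assumptions chosen for illustration, and the script must run in an elevated prompt. For domain-wide enforcement the same .inf file is imported into a GPO under Computer Configuration, Windows Settings, Security Settings (right-click, Import Policy); secedit is used here because it also performs the periodic analysis.

```powershell
# Added example (not from the original text). Build a minimal security
# template, load it into a secedit database, apply it once, and re-analyze
# the computer against it. Paths, values and the SID are assumptions.
$Template = 'C:\Baseline\WebServer.inf'
$Database = 'C:\Baseline\WebServer.sdb'
$LogDir   = 'C:\Baseline\Logs'
New-Item -ItemType Directory -Force -Path (Split-Path $Template), $LogDir | Out-Null

# Minimal template in the .inf format that secedit.exe and the Security
# Templates snap-in read. Only a few settings are shown; a real baseline is
# far larger. Audit values: 1 = success, 2 = failure, 3 = both.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 10
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditPolicyChange = 3
[Privilege Rights]
SeRemoteInteractiveLogonRight = *S-1-5-32-544
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
'@ | Set-Content -Path $Template -Encoding Unicode

# Load the template into a fresh database, then apply it to this computer.
secedit /import    /db $Database /cfg $Template /overwrite /quiet
secedit /configure /db $Database /log "$LogDir\configure.log" /quiet

# Periodic check: compare the live settings with the template stored in the
# database. Settings that have drifted are reported in the log as lines
# containing "Mismatch"; surface them so drift is not silently ignored.
secedit /analyze /db $Database /log "$LogDir\analyze.log" /quiet
$Drift = Select-String -Path "$LogDir\analyze.log" -Pattern 'Mismatch'
if ($Drift) {
    Write-Warning "$($Drift.Count) setting(s) differ from the baseline:"
    $Drift | ForEach-Object { $_.Line.Trim() }
} else {
    'Computer matches the baseline template.'
}
```

Run the analysis part on a schedule (for example, as a scheduled task) and treat any "Mismatch" line as a finding to investigate: either the computer was changed outside the baseline, or the template needs an intentional update followed by a fresh import.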
Security assessments identify common security misconfigurations and missing security patches or updates on the target computer. You can choose from Microsoft-specific tools such as the Microsoft Baseline Security Analyzer (MBSA) or third-party tools such as the eEye Retina Network Security Scanner and the ISS Internet Scanner.
An attacker will typically scan an Internet-exposed computer to identify which ports are open and reachable from the Internet. By performing port scans from both the Internet and the local computer, you can confirm that only the intended ports are exposed: the scan from the local computer shows every port the computer is listening on, and the scan from the Internet shows which of those ports the firewall actually passes. For example, a Web server that serves only HTTP and HTTPS should expose only TCP port 80 and TCP port 443 to the Internet; no other port should be reachable from the Internet.
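The two-sided check described above as a PowerShell script: an external connect scan of a sample of ports compared against an allow list, and a local listing of everything the server is listening on. This is an added example, not code from the original text; the host name, the allow list and the probe list are assumptions, and the local listing uses Get-NetTCPConnection, which exists on Windows 8 / Windows Server 2012 and later (on older systems, netstat -an gives the same information).

```powershell
# Added example (not from the original text). Confirm that only the expected
# TCP ports of a Web server are reachable from outside, and that nothing
# else is listening locally. Host name and port lists are assumptions.
$Target  = 'www.example.com'
$Allowed = 80, 443
# A sample of ports an attacker's scan would probe first; extend as needed.
$Probe   = 21, 22, 23, 25, 80, 110, 135, 139, 443, 445, 1433, 3389, 5985

# Part 1: run from a host on the Internet side of the firewall.
# A TCP connect attempt per port; filtered ports never answer, so a short
# timeout keeps the scan fast.
$Reachable = foreach ($port in $Probe) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $handle = $tcp.BeginConnect($Target, $port, $null, $null)
        if ($handle.AsyncWaitHandle.WaitOne(1500) -and $tcp.Connected) { $port }
    } catch {
        # Connection refused or name resolution failure: treat as not reachable.
    } finally {
        $tcp.Close()
    }
}
$Unexpected = $Reachable | Where-Object { $_ -notin $Allowed }
if ($Unexpected) {
    Write-Warning "Reachable from the Internet but not allowed: $($Unexpected -join ', ')"
} else {
    "Only the allowed ports ($($Allowed -join ', ')) are reachable from the Internet."
}

# Part 2: run on the Web server itself. Every listening port that is not
# 80 or 443 is either a service to disable or a port the firewall must block
# before an external scan finds it.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalAddress -notin '127.0.0.1', '::1' } |
    Select-Object LocalAddress, LocalPort,
        @{ Name = 'Process'; Expression = { (Get-Process -Id $_.OwningProcess).ProcessName } } |
    Sort-Object LocalPort -Unique
```

Compare the two results: a port that is listening locally but not reachable from the Internet is protected only by the firewall, and a port that is reachable but not in the allow list is a finding to close before an attacker's scan reports it.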