Summary

The important thing to realize with the Windows, IIS, and .NET platform is that the system can be made secure, but it’s not secure after the default installation. The reason it’s not secure is because it installs with features enabled, and securing Windows essentially means turning off features.

Should you run these security steps on every computer? The answer depends on the circumstances—the fundamental lockdown principles should be run on every computer in the domain. These are primary best practices: implementing physical security; using Windows NT; installing antivirus software; using service packs, least privilege, strong passwords, and backups; and performing ongoing maintenance. In addition, every server should be locked down using the complete set of steps presented in this chapter, because servers are the most common target for intruders to attack and represent the biggest threat if an attack succeeds. For workstations and notebooks, you have some flexibility of choosing the level of security you implement. Workstations can afford to be less secure than servers because the effect of a successful attack is often isolated to the workstation. How you choose to secure workstations and notebooks will depend on the security requirements of the organization, including the nature of the work, the physical security of the machines, the size of the company, and how much the company is willing to invest in security infrastructure.