Custom network security policy checklist

To perform a security audit:
1. From the start menu, select "run". Type "mmc", then click "ok".
2. Select "file", then "add/remove snap-in".
3. Click "add".
4. Select "security configuration and analysis", then click "add".
5. Click "close", then "ok".
6. Right click on "security configuration and analysis" in the left window.
7. Select "open database".
8. Type the name that you would like the database to be called. The name has no effect on the analysis.
9. Select the template that you would like to compare the system against. This may be a custom template or one of the default Windows templates. The default templates are:

Compatws.inf – This should only be used if older applications need weaker security settings to access the registry and file system.

DC security.inf – This is used to configure security of a computer that was upgraded from Windows NT to Windows 2000/2003.

Hisecdc.inf – This is used to increase security and communications with the domain controllers.

Hisecws.inf – This is used to increase security and communications for the client computers and member servers.

Notssid.inf – Similar to Compatws.inf , this is used to weaken security to allow older applications to run on Windows Terminal Services.

Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.

Securedc.inf – Similar to DC security.inf, but is less restrictive and less secure.

Securews.inf – This is used to increase security and communications for the client computers and member servers.

Setup security.inf – This resets the security policy to defaults. Can be used to restore the security policy if a change causes problems.

To create a custom security template:
1. From the start menu, select "run". Type "mmc" and click "ok".
2. Select "file", then "add/remove snap-in".
3. Select "add".
4. Select "security configuration and analysis", click "add".
5. Click "close".
6. Click "ok" to close the add/remove snap-in window.
7. Right-click on "security configuration and analysis" in the left window.
8. Select "open database" and type the name that you would like the database to be called. The name has no effect on the policy. Click "open".
9. Select any template to modify.
10. Right-click on "security configuration and analysis" in the left window.
11. Select "analyze computer now".
12. Specify the location of the log, click "ok". This may take a few minutes.
13. The left window will display the category, and the right window will display the specific settings. You can modify the settings for the template here.
14. After all the desired settings have been modified, right-click on "security configuration and analysis", then select "save".
15. Right-click on "security configuration and analysis", then select "export template".
16. Name the template as desired, then click "save".
17. Now you may close the console. You do not need to save the console when prompted.
18. The new template will be located in the Windows directory under Security/Templates.

A security policy is only a portion of an effective security solution, but it should still be carefully considered and aggressively implemented. Following these steps will help you, the administrator, to enforce policies on client machines with no cost and minimal effort.

Chris Cox is a network administrator for the United States Army, based in Fort Irwin, California.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Application-specific network intrusion detection systems emerge Anomaly-based intrusion protection configuration and installation Preventing hacker attacks with network behavior analysis IPS Rogue access points: Preventing, detecting and handling best practices The TPM chip: An unexploited resource for network security Shifting defenses and dynamic perimeters challenge network security Compliance in a virtualized world: Server virtualization and NAC security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in USB storage devices: Two ways to stop the threat to network security Network Security Monitoring and Analysis Application-specific network intrusion detection systems emerge Anomaly-based intrusion protection configuration and installation How can I calculate perimeter firewall throughput? How do I find the application on my network that's dropping packets? Integrating NAC with network security tools Where can I find a sample security audit report? How can I run my own? The firewall remains the network traffic cop, but its role is changing Troubleshooting VLANs: How to monitor 802.1q tagged traffic Poor data-loss prevention practices almost cost Intel a billion How can I block my competitor's IP address range from my website? Network Security Best Practices and Products Enterprises demand next-generation firewalls with IPS, app visibility Preventing hacker attacks with network behavior analysis IPS Is there a way to trace my stolen laptop computer? Integrating NAC with network security tools Should organizations separate technical from administrative security? What network equipment is needed to secure a small business LAN? Ethical hacking and countermeasures: Network penetration testing intro Are you on a domain name system (DNS) blacklist database? Rogue access points: Preventing, detecting and handling best practices Network security threats solved by risk management: John Pironti explains RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary deep packet inspection (DPI)  (SearchNetworking.com) FCAPS  (SearchNetworking.com) Nessus  (SearchNetworking.com) netstat  (SearchNetworking.com) port mirroring  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.