Custom network security policy checklist

To perform a security audit:
1. From the start menu, select "run". Type "mmc", then click "ok".
2. Select "file", then "add/remove snap-in".
3. Click "add".
4. Select "security configuration and analysis", then click "add".
5. Click "close", then "ok".
6. Right click on "security configuration and analysis" in the left window.
7. Select "open database".
8. Type the name that you would like the database to be called. The name has no effect on the analysis.
9. Select the template that you would like to compare the system against. This may be a custom template or one of the default Windows templates. The default templates are:

Compatws.inf – This should only be used if older applications need weaker security settings to access the registry and file system.

DC security.inf – This is used to configure security of a computer that was upgraded from Windows NT to Windows 2000/2003.

Hisecdc.inf – This is used to increase security and communications with the domain controllers.

Hisecws.inf – This is used to increase security and communications for the client computers and member servers.

Notssid.inf – Similar to Compatws.inf , this is used to weaken security to allow older applications to run on Windows Terminal Services.

Ocfiless.inf – This is for optional components that are installed after the main operating system is installed. This will support services such as Terminal Services and Certificate Services.

Securedc.inf – Similar to DC security.inf, but is less restrictive and less secure.

Securews.inf – This is used to increase security and communications for the client computers and member servers.

Setup security.inf – This resets the security policy to defaults. Can be used to restore the security policy if a change causes problems.

To create a custom security template:
1. From the start menu, select "run". Type "mmc" and click "ok".
2. Select "file", then "add/remove snap-in".
3. Select "add".
4. Select "security configuration and analysis", click "add".
5. Click "close".
6. Click "ok" to close the add/remove snap-in window.
7. Right-click on "security configuration and analysis" in the left window.
8. Select "open database" and type the name that you would like the database to be called. The name has no effect on the policy. Click "open".
9. Select any template to modify.
10. Right-click on "security configuration and analysis" in the left window.
11. Select "analyze computer now".
12. Specify the location of the log, click "ok". This may take a few minutes.
13. The left window will display the category, and the right window will display the specific settings. You can modify the settings for the template here.
14. After all the desired settings have been modified, right-click on "security configuration and analysis", then select "save".
15. Right-click on "security configuration and analysis", then select "export template".
16. Name the template as desired, then click "save".
17. Now you may close the console. You do not need to save the console when prompted.
18. The new template will be located in the Windows directory under Security/Templates.

A security policy is only a portion of an effective security solution, but it should still be carefully considered and aggressively implemented. Following these steps will help you, the administrator, to enforce policies on client machines with no cost and minimal effort.

Chris Cox is a network administrator for the United States Army, based in Fort Irwin, California.

Rate this Tip To rate tips, you must be a member of SearchNetworking.com. Register now to start rating these tips. Log in if you are already a member. Digg This!     StumbleUpon     Del.icio.us    RELATED CONTENT Network Security Securing the new network architecture: Security for distributed, dynamic networks How to configure Windows Server 2008 advanced firewall MMC snap-in Security across network boundaries with Secure Mobile Architecture USB storage devices: Two ways to stop the threat to network security Network security: Using unified threat management (UTM) Network security: Empower users without endangering IT Network analysis -- Enhancing security assessments VPN security: Hiding in plain sight, using network encryption OSI: Securing the Stack, Layer 8 -- Social engineering and security policy Anti-spam protocols help reduce spam Network Security Products Securing the new network architecture: Security for distributed, dynamic networks What is data loss prevention? -- An introduction to DLP To simulate voice over IPSec VPNs which simulators work? Is my firewall setting preventing wireless network guest access? How to configure Windows Server 2008 advanced firewall MMC snap-in How to retrieve passwords from locked laptops How to interpret test scan results to assess network vulnerability What commands allow network traffic to pass through PIX firewalls? For an SMB firewall, what features should I look at? Creating Remote Access and Site-to-Site VPNs with ISA Firewalls: from 'The Best Damn Firewall Book Period, Second Edition' Network Security Monitoring Network forensics appliance gets storage boost and 10 GbE support Tracking NetFlow over MPLS helps airline with compliance Securing the new network architecture: Security for distributed, dynamic networks When it comes to data loss prevention, networking should be part of the conversation What is data loss prevention? -- An introduction to DLP What are the best methods for handling rogue access points? Internet monitoring vendor adds throttling, filtering, to its appliance How to interpret test scan results to assess network vulnerability Endpoint security locks down law firm's network Can a broadband network installer compromise your network security? RELATED GLOSSARY TERMS Terms from Whatis.com − the technology online dictionary Nessus  (SearchNetworking.com) network analyzer  (SearchNetworking.com) RELATED RESOURCES 2020software.com, trial software downloads for accounting software, ERP software, CRM software and business software systems Search Bitpipe.com for the latest white papers and business webcasts Whatis.com, the online computer dictionary DISCLAIMER: Our Tips Exchange is a forum for you to share technical advice and expertise with your peers and to learn from other enterprise IT professionals. TechTarget provides the infrastructure to facilitate this sharing of information. However, we cannot guarantee the accuracy or validity of the material submitted. You agree that your use of the Ask The Expert services and your reliance on any questions, answers, information or other materials received through this Web site is at your own risk.