
Summary: Implementing secure network administration procedures

You should know that you can use predefined security templates to implement particular levels of security, or as a starting point for creating customised security policies. You can customise a template with the Security Templates snap-in and then use the new template to configure other computers.

You should know how to configure individual computers by using the Security Configuration And Analysis snap-in and the Secedit command-line tool, or by importing a template into Local Security Policy. You should know that you can configure multiple machines by importing a template into the Security Settings extension of Group Policy. You can also use the Security Configuration And Analysis snap-in, or Secedit /analyze, with a security template chosen as a baseline, to analyze a system for potential security vulnerabilities or policy violations.
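The baseline analysis described above can be scripted as follows. This is an added example, not part of the original summary: it runs Secedit /analyze against a template using a scratch database and lists the settings that differ, without applying anything. The template path, the working directory and the "Mismatch - <setting>" log line format are assumptions to check on your own system.

```powershell
# Added example: compare this computer with a baseline template (read-only).
# Run from an elevated prompt (for example via Runas).
param(
    # Assumed template location; substitute the template you are evaluating.
    [string]$Template = "$env:SystemRoot\Security\Templates\securews.inf",
    # Assumed scratch directory for the analysis database and log.
    [string]$WorkDir  = "$env:TEMP\sec-baseline"
)

if (-not (Test-Path $Template)) { throw "Template not found: $Template" }
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null

$db  = Join-Path $WorkDir 'baseline.sdb'
$log = Join-Path $WorkDir 'analyze.log'
Remove-Item $log -ErrorAction SilentlyContinue   # start from an empty log

# /analyze only compares the system with the template held in the database.
# /configure is the switch that would apply it; it is deliberately not used here.
& secedit.exe /analyze /db $db /cfg $Template /overwrite /log $log /quiet
Write-Host "secedit exit code: $LASTEXITCODE"

if (-not (Test-Path $log)) { throw "No analysis log was written to $log" }

# Assumption: the log marks each differing setting as "Mismatch - <setting>."
$mismatches = Get-Content $log |
    Select-String -Pattern 'Mismatch\s+-\s+(.+?)\.?\s*$' |
    ForEach-Object { $_.Matches[0].Groups[1].Value } |
    Sort-Object -Unique

"{0} setting(s) differ from {1}" -f @($mismatches).Count, (Split-Path $Template -Leaf)
$mismatches
```

Review the full log as well as the mismatch list, since settings the template does not define are reported separately from mismatches.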

You should know about the following predefined security template types:

■ Default security (Setup security.inf)

■ Domain controller default security (DC security.inf)

■ Compatible (Compatws.inf)

■ Secure (Secure*.inf)

■ Highly secure (Hisec*.inf)

■ System root security (Rootsec.inf)

■ Auditing of Internet Explorer security (Iesacls.inf)

Templates with an asterisk can be applied to a workstation, a server or a domain controller (DC), with differing results. You may also see different results if you apply the same template, depending on whether the operating system was installed by a clean install or by an upgrade. You should not apply security templates (including predefined templates) to your production network without testing them first. You should never edit the Setup security.inf template, because it gives you the option to reapply the default security settings.

You should be familiar with the principle of least privilege, i.e. no user, including the administrator, should ever be given more rights and privileges than he or she needs to do the job at hand. If you are using Word to write a report, you should be logged on with your ordinary user account rather than your administrator account. If you need to perform a task that requires administrator rights, you can use the Runas utility. If you do have to log on to a server, then you should use an administrator-level account.
