Microsoft Windows Security Resource Kit
Best Practices
- Protect administrative accounts.
Avoid using administrative accounts for routine computing needs, minimize the number of administrators, and avoid giving users administrative access.
- Use multifactor authentication.
Using multifactor authentication, such as smart cards, for administrative accounts and remote access helps verify that a user is who she claims to be, which matters most when security requirements are high or the user's identity cannot be established in person.
- Physically secure computers with sensitive information.
Always physically secure domain controllers and servers that hold sensitive information, and consider using System Key (syskey) Level 2 or Level 3, which require the startup key to be typed as a boot password or read from a floppy disk rather than stored on the local disk, to protect account information and LSA secrets stored on those computers.
- Use security groups.
By using security groups correctly (A-G-G-U-DL-P: accounts go into global groups, global groups can be nested in other global groups, those go into universal groups, which go into domain local groups, and permissions are assigned only to the domain local groups), you can implement a role-based security model for granting permissions.
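The following is an added example, not code from the Resource Kit, that builds one A-G-G-U-DL-P chain for a hypothetical Finance role and assigns the NTFS permission to the domain local group only. It assumes the ActiveDirectory PowerShell module, a domain named CORP (corp.example), an OU named Groups, user accounts alice and bob, and a folder D:\Finance on the server where it runs; all of these names are assumptions.

```powershell
# Added example (not from the Resource Kit): A-G-G-U-DL-P for a Finance role.
# Assumed: ActiveDirectory module, domain CORP (corp.example), OU "Groups",
# accounts alice and bob, and folder D:\Finance on this server.
Import-Module ActiveDirectory

$ou = "OU=Groups,DC=corp,DC=example"   # assumed OU for all role groups

# A -> G: accounts go into a global group that names a job role
New-ADGroup -Name "G-Finance-Analysts" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "G-Finance-Analysts" -Members "alice", "bob"

# G -> G: global groups may be nested in other global groups (domain at Windows 2000 native level or higher)
New-ADGroup -Name "G-Finance-All" -GroupScope Global -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "G-Finance-All" -Members "G-Finance-Analysts"

# G -> U: a universal group collects role groups from every domain in the forest
New-ADGroup -Name "U-Finance" -GroupScope Universal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "U-Finance" -Members "G-Finance-All"

# U -> DL: the domain local group is the only principal the resource ACL will name
New-ADGroup -Name "DL-FinanceShare-Modify" -GroupScope DomainLocal -GroupCategory Security -Path $ou
Add-ADGroupMember -Identity "DL-FinanceShare-Modify" -Members "U-Finance"

# DL -> P: grant Modify on the folder to the domain local group, never to users directly
$path    = "D:\Finance"
$rights  = [System.Security.AccessControl.FileSystemRights]::Modify
$inherit = [System.Security.AccessControl.InheritanceFlags]"ContainerInherit, ObjectInherit"
$prop    = [System.Security.AccessControl.PropagationFlags]::None
$rule    = New-Object System.Security.AccessControl.FileSystemAccessRule(
    "CORP\DL-FinanceShare-Modify", $rights, $inherit, $prop, "Allow")
$acl = Get-Acl -Path $path
$acl.AddAccessRule($rule)
Set-Acl -Path $path -AclObject $acl

# Check: the flattened membership of the DL group shows who actually gets Modify
Get-ADGroupMember -Identity "DL-FinanceShare-Modify" -Recursive | Select-Object SamAccountName
```

With this layout a change of role is a change of global-group membership; the ACL on D:\Finance never has to be edited again, and a permissions review only needs to read the membership of the domain local group.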
- Apply least privilege.
Assign users and administrators the least privilege they need to complete their job tasks.
- Create password policies that reflect organizational culture.
Create policies that enforce passwords with a workable balance of complexity, randomness, and length; a policy users cannot live with is one they will work around.
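As an added example that is not part of the Resource Kit, the following PowerShell reads the default domain password policy and then sets a corrected one. It assumes the ActiveDirectory module and a domain-joined machine; the specific numbers (14 characters, 24 remembered passwords, 90-day maximum age, lockout after 10 failures) are illustrative assumptions, not values the page prescribes.

```powershell
# Added example (not from the Resource Kit): inspect, then set, the default
# domain password policy. Assumes the ActiveDirectory module; the numbers used
# below are illustrative assumptions, not prescribed values.
Import-Module ActiveDirectory

$domain = (Get-ADDomain).DistinguishedName
$policy = Get-ADDefaultDomainPasswordPolicy -Identity $domain

# Report the settings this practice is about, plus the one that must never be on
$policy | Select-Object MinPasswordLength, ComplexityEnabled, PasswordHistoryCount,
    MinPasswordAge, MaxPasswordAge, LockoutThreshold, ReversibleEncryptionEnabled

# A weak policy typically looks like: MinPasswordLength 0-7, ComplexityEnabled False,
# PasswordHistoryCount 0, LockoutThreshold 0 (never lock out).
if ($policy.ReversibleEncryptionEnabled) {
    Write-Warning "Reversible encryption is enabled: passwords are recoverable in cleartext."
}

# Corrected policy: length does more against offline cracking than extra
# character-class rules, so favour a longer minimum over heavier complexity.
Set-ADDefaultDomainPasswordPolicy -Identity $domain `
    -MinPasswordLength 14 `
    -ComplexityEnabled $true `
    -PasswordHistoryCount 24 `
    -MinPasswordAge (New-TimeSpan -Days 1) `
    -MaxPasswordAge (New-TimeSpan -Days 90) `
    -LockoutThreshold 10 `
    -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
    -ReversibleEncryptionEnabled $false
```

MinPasswordAge of one day is what makes PasswordHistoryCount effective: without it a user can cycle through 24 changes in a minute and land back on the old password.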
- Educate users and other administrators on how to create strong passwords.
Even with password policies in place that enforce technically strong passwords, users make many common mistakes when choosing passwords, and those mistakes can undermine a well-planned policy.
- Remove LM hashes.
If LAN Manager authentication is not used on your network, stop storing LM password hashes on all domain controllers and local computers. The setting takes effect only when a password is next changed, so existing LM hashes remain until users change their passwords.
- Configure LM compatibility.
Set the LM compatibility level (LmCompatibilityLevel, 0 through 5) to the highest level that the clients and applications on your network will support, and test before raising it, because the higher levels refuse LM and then NTLM authentication from older clients.
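The following is an added example, not code from the Resource Kit, that audits and hardens the two LSA settings behind the last two practices on the local machine. The registry path and value names (NoLMHash, LmCompatibilityLevel) are the documented ones; the target level of 5 is an assumption for a network with no clients older than NTLMv2 support, and the script must run from an elevated prompt.

```powershell
# Added example (not from the Resource Kit): audit and set NoLMHash and
# LmCompatibilityLevel on the local machine. Run elevated. The target level
# of 5 is an assumption (no clients that lack NTLMv2 support).
$lsa = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

function Get-LsaValue {
    param([string]$Name)
    $props = Get-ItemProperty -Path $lsa
    if ($props.PSObject.Properties.Name -contains $Name) { return [int]$props.$Name }
    return $null   # value absent: the operating system default applies
}

# 1. Remove LM hashes. NoLMHash = 1 is the policy
#    "Network security: Do not store LAN Manager hash value on next password change".
if ((Get-LsaValue "NoLMHash") -ne 1) {
    Write-Warning "NoLMHash is not set; LM hashes are still written at password change."
    Set-ItemProperty -Path $lsa -Name "NoLMHash" -Value 1 -Type DWord
}

# 2. LM compatibility level, as documented for the
#    "Network security: LAN Manager authentication level" policy.
$names = @(
    "Send LM & NTLM responses",
    "Send LM & NTLM, use NTLMv2 session security if negotiated",
    "Send NTLM response only",
    "Send NTLMv2 response only",
    "Send NTLMv2 response only, refuse LM",
    "Send NTLMv2 response only, refuse LM & NTLM"
)
$target  = 5
$current = Get-LsaValue "LmCompatibilityLevel"
if ($null -eq $current) {
    Write-Output "LmCompatibilityLevel is not set; the OS default applies."
} else {
    Write-Output ("Current level {0}: {1}" -f $current, $names[$current])
}
if (($null -eq $current) -or ($current -lt $target)) {
    Set-ItemProperty -Path $lsa -Name "LmCompatibilityLevel" -Value $target -Type DWord
    Write-Output ("Set level {0}: {1}" -f $target, $names[$target])
}
```

Two caveats a practitioner will want. First, NoLMHash only stops new LM hashes from being written; accounts keep their existing LM hash until the next password change, so follow this with a forced password change. Second, if either setting is delivered by Group Policy, a local registry edit is overwritten at the next policy refresh; make the change in the policy object instead and use this script only to verify the result.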