First of all, from a global perspective, please keep in mind the 10 immutable laws in security), and also the 10 immutable laws of security administration.

Now, since security can and should be at different layers, this article aims to put all together best practices to implement IT security, at operational level. You may not want, or can, implement all of those layers of security, thus we highly recommend you to consider security management through risk assessment and management. Please refer to: to know more about our Security Risk Management guide.

In order to identify the current threat landscape, assess the corresponding risks and take appropriate actions, we suggest you to have a look at the SIR (Security Intelligence Report) ; which may also help you in defining priorities in your risk management approach.

Then, let's go into deeper details. The idea here is to list security layers that can be leveraged in a Defense in Depth view (DiD).

General security equipments and architectures


  • Update the network inventory of your park, on a regular basis. SCCM discovery features might help you to do so (see: ). Link assets to their business managers owners, being also responsible for them.
  • Implement network isolation, DMZ / LAN,  make sure there is no direct access to your internal (LAN) machines from Internet, as well as protocol filtering between DMZ and DMZ/LAN. There should always be a flow disruption between flows from untrusted network, to trusted ones. Do not forget Wireless networks, and guests networks (isolated if possible from critical/confidential networks).
  • Enforce Internet security through HTTP proxy filtering. You might want to have a look at the MAPP partners list.
  • Enhance Messaging filtering (MTA/MDA). FOPE, FPE could be examples, or you might want to have a look at the MAPP partners list:
  • Enhance network security thanks to Network Intrusion Detection Systems, and isolation. You might want to have a look at the MAPP partners list:
  • Protect web apps by reverse proxy/Web App Firewall. Forefront UAG could be an example of such a solution.



  •  Make sure antivirus running on ALL connected machines, fully up to date. SCCM could be helpful for such a task (inventory, deployment, policies enforcement...). A enterprise's grade antivirus can , one that has got a global console. Please also read the Virus scanning recommendations for enterprise computers: We also recommend you to mind the network shares: any equipment (even non Windows) that is accessible through SMB protocol (from client side), should be locally secured, ie with an antivirus engine that runs on the server side.
  • deploy a clean-up tool on a regular basis, something such as the Malicious Software Removal tool (deployable through WSUS, see: be aware that MSRT belongs to the "update rollup" classification, to be selected for WSUS sync), or any other third party equivalent tool. This kind of tools aims to clean the machines: no real-time protection, just an exefile to run as local admin. MSRT is said to be compatible with most of third party AV solutions.

Patch management

  • Implement security patch management (deploy all applicable security fixes, not only Microsoft ones) and administrative policies enforcement, on any machine connected to the LAN. SCCM/GPMC may help to lower the burden. Manage which computers can connect by VPN to your LAN. Make them follow the same security assessment. System Center might be a solution, eg with System Center Update Publisher and/or through third party custom catalogs for Configuration Manager 2007 (see:

Identity Management

  • Regarding user accounts management: prefer nominative accounts (not generic ones), try to reduce the use of built-in generic administrator accounts (like "administrator", that is quite commonly hardcoded in attack tools) so at least rename them.
  • Enforce password complexity through AD GPO (see:; CSS Sec recommends the length of password to be 15 characters long at minimum. Keep an eye on service accounts, that have high privileges, locally or on the domain: change their password on a regular basis.
  • Above all, make sure there is a process in place to disable then remove (above desired logs retention time) old/unused user accounts.
  • The best thing would be to implement an IAM solution, such as Forefront Identity Manager ( or any other third party equivalent one, to take care of an automated, codeless user provisioning and deprovisioning.
  • Lower privileges that users have locally: they should not be local admin if they don't really need to be (very dangerous because malwares will spread quite easily and may take complete control of machines)

  • Follow best practices for administration: use Kerberos authentication (type 3 network logon) and solutions like WinRM, or remote powershell, to remotely adminstrate machines, while also protecting data and credentials. Limit the use of domain administrator accounts to open RDP sessions on workstations.

    NB: using PsExec with "-u" parameter will send password in plain text over the wire, as TechNet states.

  • Secure/audit Active Directory: Please keep in mind that AD security model is at forest level, therefore AD security isolation can't only be achieved at forest level. Implement AD isolation through forests (at least, in DMZ, and even for admin workstations): 

  • Don't forget the administration delegation issues:

Device management

Data protection

  • Consider deploying 64 bits systems in priority over those 32 bits, because 64 bits Windows systems embed more security features by default compared to their 32bits equivalent. Note that for instance, ASLR is said to be more efficient on 64bits systems, and DEP is hardware assisted on those platforms (starting with Vista).
  • Encrypt (cypher) system partitions AND data partitions, using EFS or BitLocker for instance. For removable media, BitLocker To Go might be a solution.
  • Use strong authentication protocols: our recommendation is Kerberos. In all cases (not only if have business requirements for NTLMV2), please consider NTLM hardening (Extended Protections):, since Kerberos pre-auth phase may rely on NTLM.  Note that NTLMv1 and LM should be forbidden in any cases.
  • Mind CRL (Certificate Revocations Lists) checking over the wire, you might then want to open the IP addresses within your perimeter firewall rules.  Should you require further information about CRL prerequisites and mechanisms, please refer to the following article: Last but not least, this is about Microsoft's CRL, but third party vendors may also have got URL for CRL checking!

Monitoring & Audit

 Incident response

Appendix and references

Microsoft Security

Availability and integrity

Have a look at the following documents:

Antivirus exclusions policies,

Please have a look at the following articles:


Remote admin:

Security and 64bits versions of Windows systems, and differences of implementations :

Security monitoring:

Should you require further information about security hardening, you should read this article: