How to Secure a Computer: Windows 2003
Introduction
Note: These procedures are designed for system administrators.
As Windows 2003 is a brand new system, we have not yet developed specific guidelines for it. For now, please follow the guidelines applicable to XP and 2000.
Specifics
1. Assign a secure password to all accounts.
Passwords are your first and best line of defense in protecting any computer
system. Select a secure password on all accounts, especially the Administrator
and administrator-class accounts. Memorize these passwords. Do not write
them down.
2. Install Symantec Endpoint Protection.
Temple University provides a site-license for Symantec Endpoint Protection software
which allows all students, faculty and staff to use it free on computers
connected to Temple's network. The software must be set to auto-update
in order to keep the virus definition files current.
3. Consider disabling the new Remote Assistance feature.
Remote Assistance allows someone else to see and control your computer system.
4. Enable the Microsoft Critical Update tool to automatically download AND install new critical patches as they are released.
This will help you keep up with Microsoft security patches. As new vulnerabilities
are discovered, Microsoft may release patches that must be applied to
protect your systems.
5. Disable any unnecessary services.
This might include IIS (web server), FTP and others.
6. Disable the Guest account.
7. Set account lockout policy.
An account lockout policy will prevent a malicious user from repeatedly
trying to guess passwords for your accounts.
8. Disable the Windows Default Shares.
By default, Windows 2003 creates shares that are hidden, but still exist.
One way to disable these is to stop the "Server" service.
If you do go this route, please note that Network Neighborhood functionality
will cease.
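
Items 6 through 8 can be checked from saved output of the built-in "net user guest", "net accounts" and "net share" commands. The script below is an added example, not part of the original guidelines; it assumes English-language command output, and the sample text and function names are constructed for illustration.

```python
import re

# Constructed samples of English-language command output, not from a real host.
NET_USER_GUEST = """\
User name                    Guest
Account active               Yes
"""
NET_ACCOUNTS = """\
Minimum password length:                              0
Lockout threshold:                                    Never
Lockout duration (minutes):                           30
"""
NET_SHARE = """\
Share name   Resource                        Remark
-------------------------------------------------------------------------------
C$           C:\\                             Default share
IPC$                                         Remote IPC
ADMIN$       C:\\WINDOWS                      Remote Admin
Reports      D:\\Reports
"""

def field(text, label):
    """Return the value on a 'Label   value' or 'Label:   value' line, or None."""
    m = re.search(r"^%s:?\s+(.+?)\s*$" % re.escape(label), text, re.M)
    return m.group(1) if m else None

def default_shares(net_share):
    """List the hidden default shares: drive letters (C$), ADMIN$ and IPC$."""
    return re.findall(r"^((?:[A-Z]|ADMIN|IPC)\$)\s", net_share, re.M | re.I)

def audit(net_user_guest, net_accounts, net_share):
    """Return one finding per failed checklist item (6, 7 and 8)."""
    findings = []
    if (field(net_user_guest, "Account active") or "").lower() != "no":
        findings.append("6: Guest account is not disabled")
    threshold = field(net_accounts, "Lockout threshold")
    if threshold is None or not threshold.isdigit() or int(threshold) == 0:
        findings.append("7: no account lockout threshold is set")
    shares = default_shares(net_share)
    if shares:
        findings.append("8: default shares present: " + ", ".join(shares))
    return findings

if __name__ == "__main__":
    for finding in audit(NET_USER_GUEST, NET_ACCOUNTS, NET_SHARE):
        print("FAIL item", finding)
```

An empty result means all three items pass. If the Guest account has been renamed, run "net user" against the new name.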


