Skip to content. | Skip to navigation

Personal tools

How to Secure a Windows Computer

The following are additional minimum steps you should take to secure your sensitive data on a computer (client or server) running Windows 2000/XP if the computer is connected to the Internet or a company or departmental network:
  1. Do NOT install IIS or MS SQL server on the Windows computer that will house sensitive data.
  2. Turn off all unneeded services. (The following list is provided as an example, and may not be a complete list for your environment.)
    • Server Service (on client workstations)
    • IIS
    • Peer Web Services
    • RAS
    • Gopher
    • FTP
    • IP Forwarding
    • Simple TCP/IP Services
    • SNMP
    • Disable unneeded network protocols (e.g., IPX or NetBEUI)
  3. Do not install Windows File and Printer Sharing (client workstations).
  4. Do not enable file sharing on local Windows machines.
  5. Replace the Everyone group with the Authenticated Users group for the Access this Computer from the Network user right. (User Manager-->Policies-->User Rights)
  6. Disable the Guest account.
  7. Replace group Everyone with the appropriate group(s) on critical system folders, files, and registry keys.
  8. Restrict/prevent anonymous access and enumeration of accounts and shares.
  9. Create a new userid for administrative purposes and remove original administrator userid's administrative privileges. ("Dumb it down.")
  10. Install all OS and application (e.g., Internet Explorer) security patches.
  11. Install antivirus software and keep the virus definition files updated.
  12. Secure performance data.
  13. Enable auditing.
    • Audit Login success and failure.
    • Audit failed attempts at exercising user privileges.
    • Audit system events such as shutdowns.
    • Move log files out of the default location and secure with NTFS permissions (%system-root%\system32\config\*.evt).
    • Restrict access to the log files to administrator only.
    • Check your logs often!
  14. Disable or remove Windows Scripting Host.
  15. Use a corporate, hardware, or personal (software) firewall: