The sixth step: Require SMB signing.
Key point: SMB signing is helpful in preventing the attack from man-in-the-middle.
The seventh step: Intensify network strategy
Key point: Those setups such as “Don’t allow the anon. enum of SAM” should be activated, while those setups such as “Allow nameless SID/Name translation” shouldn’t be activated. Those might be considered as the low-grade security, but they are important component parts in strengthening the safety of Windows system.
The eighth step: Make use of Software Update Services (SUS)
Key point: It is suggested that one should always use SUS or other patch management systems to receive, distribute and follow up the latest patches.
The ninth step: Scoping, isolating and eliminating
Key point: It is the most important step. By using Network Access Quarantine Control (NAQC), the clients with specific appraisal information should be restricted or disallowed. The non-isolated clients are considered as the fixed part to check the system property, and at last provide the resource to restore the problems before they are allowed to connect.
The tenth step: Prepare for the worst
Key point: One should be prepared for the disaster by using scripting to create 80% framework, and leaving more time to create the remaining 20% framework manually.
The eleventh step: Use Group Policy Management Console
Key point: Now, it is easier to set up security policy averagely by using the Group Policy, which should be taken full advantage of.
The twelfth step: Use Microsoft Baseline Security Analyzer,MBSA
Key point: It is a very convenient instrument to scan the computer when the Windows system is updating. It is updated constantly by Microsoft, and supports some products as well.
The thirteenth step: One must be familiar with IPsec.
Key point: IP is public without password. The transmission at severs, customer channel and between any points (both are able to read IPsec) should be protected by IPsec.
The fourteenth step: Use IIS(Internet Information Services)6.0
Key point: As there are many latest security improvements, IIS now can be used at prime time eventually.
The fifteenth step: Install Windows Server 2003 SP 1
Key point: SP1 was published in mid 2005. Its improvements include security configuration wizard and remote clients isolating.