This could also be “How to confuse and confound yourself in the name of security.” I am now working on an automated security package that lets users deploy XP Pro and Server 2003 in a standardized baseline. The premise is to:
Now, this has been going on for about 18 months, and the project was missing a strong technical person, particularly on the server portion. Well, enough people confused me for that person that I am now handling this. We have to base the security measures on things like IAVAs (patches and specific settings required by DISA, a government agency) and security templates including settings from STIGs (also by DISA). The goal is to have a very secure platform before the machine ever connects to the network.
The only problem with this is that you break stuff. Lots of stuff. It took another contractor engineer, an MS consultant (Joe, or as I call him “Spaghetti Western”), and myself a couple of days to get enough settings adjusted to get the Management Point installed. Now, we are still having issues with clients reporting their status even though the client is installed.
We had other quirks such as:
So, my question to you is what do you guys do for security standardization? We have security templates and settings all over the place, and it has been fun shaping GPOs to fix these settings for a given role.
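One check that helps when shaping those role GPOs, added here as an example and not part of the original post: parse two `secedit /export /cfg` templates (the hardened baseline and an export from a server after the role was made to work) and emit only the settings that differ, so the role override is the minimal delta rather than a second full template. Both templates below are constructed, and the specific settings and values are illustrative, not the ones the post refers to.

```python
from typing import Dict, Optional, Tuple

Template = Dict[str, Dict[str, str]]

# Constructed sample baseline (not the author's real template); values are illustrative only.
BASELINE_INF = r"""
[System Access]
MinimumPasswordLength = 12
[Registry Values]
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RequireSecuritySignature=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,2
[Privilege Rights]
SeNetworkLogonRight = *S-1-5-32-544
"""
# Constructed export from a server after the role was made to work (two settings relaxed).
WORKING_INF = (BASELINE_INF.replace("RestrictAnonymous=4,2", "RestrictAnonymous=4,1")
               .replace("*S-1-5-32-544", "*S-1-5-32-544,*S-1-5-11"))

def parse_inf(text: str) -> Template:
    """Parse the [Section] / key=value layout written by secedit /export.
    secedit writes UTF-16 files: open them with encoding="utf-16" before calling this."""
    sections: Template = {}
    current: Optional[str] = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):          # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
        elif current is not None and "=" in line:
            key, value = (p.strip() for p in line.split("=", 1))
            sections[current][key] = value
    return sections

def diff_templates(baseline: Template, working: Template) -> Dict[Tuple[str, str], Tuple[Optional[str], Optional[str]]]:
    """Every (section, key) whose value differs; None marks a side that lacks the setting."""
    delta = {}
    for section in sorted(set(baseline) | set(working)):
        b_sec, w_sec = baseline.get(section, {}), working.get(section, {})
        for key in sorted(set(b_sec) | set(w_sec)):
            if b_sec.get(key) != w_sec.get(key):
                delta[(section, key)] = (b_sec.get(key), w_sec.get(key))
    return delta

def role_override_inf(delta) -> str:
    """Render the working-side values as an INF fragment for a role-specific template or GPO."""
    out: Dict[str, list] = {}
    for (section, key), (_, working_value) in delta.items():
        if working_value is not None:                  # settings dropped entirely need manual review
            sep = "=" if section == "Registry Values" else " = "   # mirror secedit's own spacing
            out.setdefault(section, []).append(f"{key}{sep}{working_value}")
    return "\n".join(f"[{s}]\n" + "\n".join(v) for s, v in out.items())
```

Settings identical on both sides (here MinimumPasswordLength and RequireSecuritySignature) never reach the override, which keeps the role GPO small enough to review line by line.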