Each week brings a new report of an obscure security issue in a program or operating system. Quite often, these reports generate a news buzz that causes us to forget about the basics of security. Windows NT has many advanced security features, but if you have a problem, it will probably be something easily preventable. You need to consider internal as well as external security issues.
Security Basics
TUATM: Microsoft Windows Tips and Tweaks
Windows NT Server has powerful security features that protect server files against external attack. However, before setting up Internet Information Server, the Windows NT Server administrator should take these security steps:

Disable floppy disk booting.

Stipulate that users cannot share logons and passwords.

Follow proper password creation guidelines.

Rename the Administrator account and use the account lockout feature.

Keep the Guest account disabled.

Review user permission levels.

Implement a logon screen with a notice prohibiting unauthorized access and use.

You always need to explain to your users that they have security responsibilities. Users must have passwords and renew them at a set interval. You must make it known that users are not permitted to share user IDs and passwords. At the same time, you must also state that your network is meant for your company to conduct its business, and that any other use of its software and hardware is discouraged. Users should then acknowledge their responsibilities, either in a written or an electronic form. By doing this, you clearly demonstrate that your company is protecting its information assets. This acknowledgment helps you protect your company's right to legal recourse against anyone who causes malicious damage to its data resources. Legal notices on logon screens are a way that you can gain this important acknowledgment from external users. You should also post legal notices for Internet users on your Web page.

For more information on displaying legal notices for a user of Windows NT, see the section "Displaying a Legal Notice Before Logon" in Chapter 6, "Windows NT Security," in the Windows NT Workstation Resource Kit: Windows NT Workstation Resource Guide.

Fight FTP Threats
Hackers can execute malicious commands through passive connections to NT's FTP service. To prevent this, edit the Registry key System\CurrentControlSet\Services\MSFTPSVC\Parameters. Add or change the value EnablePortAttack (REG_DWORD) and set it to 0, not 1.
Fortified Floppy
One way to foil a good percentage of intrusions at the console is to make a Windows NT boot floppy and use that exclusively to start the system. Once you have the boot floppy working, you can take your swap partition and make that startable.
Restrict Remote Access
Everyone has remote access to an NT system's Registry by default. To disable this, create the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg
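To check a server against the two Registry tips above (the FTP EnablePortAttack value and the Winreg key), the following added example, which is not part of the original page, parses the text of a Registry export and reports the state of each setting. The sample export is constructed, and the function names are this example's own.

```python
import re

# Constructed sample in REGEDIT4 export format (not taken from a real host).
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters]
"EnablePortAttack"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers]
'''

FTP_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\MSFTPSVC\Parameters"
WINREG_KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurePipeServers\Winreg"


def parse_export(text):
    """Return {key_path_lower: {value_name_lower: data}} from .reg export text."""
    keys, current = {}, None
    for line in text.splitlines():
        line = line.strip()
        m = re.fullmatch(r"\[(.+)\]", line)
        if m:  # a key header such as [HKEY_LOCAL_MACHINE\...]
            current = keys.setdefault(m.group(1).lower(), {})
            continue
        m = re.fullmatch(r'"([^"]+)"=(.*)', line)
        if m and current is not None:
            name, data = m.group(1).lower(), m.group(2)
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)  # REG_DWORD is written as hex
            current[name] = data
    return keys


def audit(text):
    """Check the two Registry settings the tips above describe."""
    keys = parse_export(text)
    findings = {}
    port = keys.get(FTP_KEY.lower(), {}).get("enableportattack")
    if port is None:
        findings["EnablePortAttack"] = "missing"  # the tip says to add it as 0
    else:
        findings["EnablePortAttack"] = "ok" if port == 0 else "fail"
    findings["Winreg"] = "ok" if WINREG_KEY.lower() in keys else "missing"
    return findings


if __name__ == "__main__":
    for name, status in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {status}")
```

A Registry export does not include key permissions, so the Winreg check covers only whether the key exists.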
Shut Off Admin Servers
Many third-party server components are administered through an admin service which often has a Web gateway. Netscape's e-mail and Web servers work this way. To improve security, turn off the admin service when no admin functions are taking place and turn it back on again only to make changes.
12 Things to Ponder

1. Is the administrator password secure? The easiest account to break into is Administrator, because you already know the user name. (NOTE: Please be careful if you rename this account or change the password, since many NT services use the admin account and must be manually updated before they can run.)

2. Who has administrator-level privileges? Do they need it full-time, or would separate IDs for administration cover it? Multiple people multiply the problems of accidental damage and security gaps. Above all, avoid sharing the Administrator password if you have multiple admins.

3. Are your user passwords secret? The only way to identify a user is by the login, so 'borrowing' an identity can hide the trail. You can also lessen the chance of guessing a password with longer passwords, expiring passwords, and/or locking out users through User Manager for Domains. With dial-in users, it becomes even more critical.

4. Are your user accounts current? Should any be disabled or deleted? Are any IDs shared? Again, the purpose of IDs is to manage security by identifying the user at the PC. If invalid or unclear IDs are active, you open that many more holes.

5. Do users protect their PCs while away from their desk? It's easy to send a prank or hostile e-mail message under another user's ID without leaving much of a trail.

6. How accessible is your file server? If it's in the work area, does the admin log out when done? Is a password-protected screen saver running? Obviously, if the server is already running with an administrator logged in, there are no other safeguards when unauthorized people sit down at your server. (Remember, strange things can happen after hours, too!)

7. Have you reviewed your shares and permissions? Do you have shares inside of shares? In NT, once a user connects to a share on a server, all the contents of a share have the same access rights, unless YOU add NTFS file permissions. (Example: a folder called DATA is shared to Everyone with Full Control. A subfolder in DATA called PAYROLL is shared to only one user. If a generic user looks in the DATA share, they can still have full access to PAYROLL, unless you applied NTFS restrictions.)

8. Do you have at least one backup offsite? Have you tested retrieving a file from a backup tape? What if you couldn't ever re-enter the building? Physical damage to the server (fire, water, smoke, vandalism, etc.) can happen. It's critical to get the backup offsite in case the damage also affects the backup.

9. Do your users store critical data on their PCs? If so, is there any backup plan for their data? Picture the company president's hard drive going south, and there are no backups.

10. Do you have a written company policy regarding outside software, downloads, emails, and general PC usage? First, you need to be sure of what's running and affecting the network. Second, you need to protect your company from a legal perspective, since you may have illegal software copies or other HR workplace issues.

11. Do you have an inventory of equipment with serial and model numbers and associated users? After a theft or casualty loss, you first have to identify the equipment. If you don't have a list, it's difficult to reconstruct, especially in the heat of the moment.

It's always less painful to prepare for problems than to explain what happened afterward. Most of the problems will come from less sophisticated threats, so making sure the fundamentals are under control will improve your network (and your job) security.
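The DATA/PAYROLL case from item 7, worked through as an added example that is not part of the original page: access over the network is the more restrictive of the permission on the share the user connected through and the NTFS permission on the target folder. The user names, drive paths and the simplified model (no groups other than Everyone, no explicit No Access entries, Everyone: Full Control where no NTFS permission has been set) are assumptions of this sketch.

```python
import ntpath

LEVELS = ["None", "Read", "Change", "Full Control"]  # least to most access

# Constructed shares: name -> (local path, share permissions by principal).
SHARES = {
    "DATA": (r"D:\DATA", {"Everyone": "Full Control"}),
    "PAYROLL": (r"D:\DATA\PAYROLL", {"paymaster": "Full Control"}),
}


def granted(acl, user):
    """Highest level the ACL gives the user directly or through Everyone."""
    levels = [acl[p] for p in (user, "Everyone") if p in acl]
    return max(levels, key=LEVELS.index, default="None")


def ntfs_acl_for(path, ntfs_acls):
    """Nearest NTFS ACL at or above path (keys of ntfs_acls are lowercase)."""
    path = path.lower()
    while True:
        if path in ntfs_acls:
            return ntfs_acls[path]
        parent = ntpath.dirname(path)
        if parent == path:  # reached the drive root without finding an ACL
            return {"Everyone": "Full Control"}  # assumed when nothing was set
        path = parent


def effective(user, share, subpath, shares, ntfs_acls):
    """Access to share\\subpath: the lower of share and NTFS permission."""
    root, share_acl = shares[share]
    target = ntpath.join(root, subpath) if subpath else root
    share_level = granted(share_acl, user)  # only the share connected to counts
    ntfs_level = granted(ntfs_acl_for(target, ntfs_acls), user)
    return min(share_level, ntfs_level, key=LEVELS.index)


if __name__ == "__main__":
    locked = {r"d:\data\payroll": {"paymaster": "Full Control"}}
    for label, acls in (("no NTFS restrictions", {}), ("NTFS restricted", locked)):
        print(label, "->", effective("clerk", "DATA", "PAYROLL", SHARES, acls))
```

The PAYROLL share's own permission list is never consulted when the user arrives through DATA; only the NTFS entry on the folder changes the result.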