Security Configuration Guidance

Been meaning to blog the following, from my colleague Aaron Margosis. The KB article was actually published in the fall, but if you've considered following the named organizations' recommendations for security configuration and want to know about the potential impacts, you'll want to take a look:

A new KB article, 885409, was published this week pertaining to security configuration guidance published by third parties such as NSA, NIST, CIS, and DISA, as well as by Microsoft.  A number of our customers, especially in the US government and military, have applied or are considering configuration settings recommended by these third parties. 

KB 885409 identifies specific problems that can be caused by applying third-party recommended settings.  Perhaps the biggest problems come from broad file system and registry ACL modifications, which once applied cannot be undone except by reformatting and reinstalling the OS.  These modifications can cause the Recycle Bin not to work, expose user data to unauthorized users, and cause performance and compatibility problems.
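Because broad ACL changes are the hard-to-reverse part, the practical habit is to capture a DACL baseline on a test machine before applying any third-party template, apply it, and diff the two snapshots before the template goes anywhere near production. The script below is an added example for that workflow; it is not from the KB article, from Aaron, or from any of the named guides. The list of roots is an assumption (a handful of locations where permission changes tend to hurt, including the Recycle Bin folder), the snapshot depth of one level is an assumption to keep the run short, and it assumes PowerShell 5.1 or later in an elevated prompt.

```powershell
# Added example, not part of the original post or KB 885409.
# Captures the owner and DACL (as SDDL) of high-impact file system and registry
# locations so the changes a hardening template makes can be reviewed on a test
# machine before wider rollout. Roots and depth are assumptions; adjust them to
# the guide under evaluation. Requires PowerShell 5.1+ (for -Depth) and elevation.

$roots = @(
    'C:\Windows\System32',
    'C:\Program Files',
    'C:\Users',
    'C:\$Recycle.Bin',                            # Recycle Bin breakage is one of the KB's symptoms
    'HKLM:\SOFTWARE',
    'HKLM:\SYSTEM\CurrentControlSet\Services'
)

function Get-AclSnapshot {
    # Emits one record per item: provider-free path, owner, and the DACL as SDDL.
    param([string[]]$Roots, [int]$Depth = 1)
    foreach ($root in $Roots) {
        $items  = @(Get-Item -LiteralPath $root -Force -ErrorAction SilentlyContinue)
        $items += Get-ChildItem -LiteralPath $root -Depth $Depth -Force -ErrorAction SilentlyContinue
        foreach ($item in $items) {
            $path = $item.PSPath -replace '^.*::', ''   # strip "Microsoft.PowerShell.Core\FileSystem::"
            try {
                $acl = $item | Get-Acl -ErrorAction Stop
                [pscustomobject]@{ Path = $path; Owner = $acl.Owner; Sddl = $acl.Sddl }
            } catch {
                # Access denied or an unreadable reparse point: record it so the gap
                # is visible in the diff instead of silently missing.
                [pscustomobject]@{ Path = $path; Owner = '<unreadable>'; Sddl = $_.Exception.Message }
            }
        }
    }
}

function Compare-AclSnapshot {
    # Lists every path whose owner or DACL differs between two snapshot CSVs.
    # Each changed path appears twice: the 'before' row and the 'after' row.
    param([string]$BeforeCsv, [string]$AfterCsv)
    $before = Import-Csv -LiteralPath $BeforeCsv
    $after  = Import-Csv -LiteralPath $AfterCsv
    Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Path, Owner, Sddl -PassThru |
        Sort-Object Path, SideIndicator |
        Select-Object Path, Owner,
            @{ n = 'State'; e = { if ($_.SideIndicator -eq '<=') { 'before' } else { 'after' } } },
            Sddl
}

# Usage on a disposable test machine:
#   Get-AclSnapshot -Roots $roots | Export-Csv -LiteralPath C:\acl-baseline.csv -NoTypeInformation
#   ... apply the security template, reboot ...
#   Get-AclSnapshot -Roots $roots | Export-Csv -LiteralPath C:\acl-after.csv -NoTypeInformation
#   Compare-AclSnapshot -BeforeCsv C:\acl-baseline.csv -AfterCsv C:\acl-after.csv | Out-GridView
```

The diff is for review, not for rollback: it tells you which owners and DACLs a template rewrote (and which locations the snapshot could not even read), which is the evidence you want before deciding whether the template is acceptable, since the KB's point is that once the change is on a production box there is no clean way back.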

The KB article also refers customers to Microsoft’s own security guides for Windows 2000, Windows XP, and Windows Server 2003 as the “highly recommended” starting point for customers who require additional security settings beyond the defaults.  “We fully support our guides because of the extensive testing that we have conducted in our application compatibility laboratories on those guides.” 

The URL is: https://support.microsoft.com/?kbid=885409