Hardening Windows operating system administration involves protecting Administrator user accounts and ensuring computers are up to date. You’ve already learned that disabling the built-in Windows Administrator account is a recommended step. After you create other user accounts with Administrator privileges, disable the default Administrator account and use the new accounts for all administrative tasks. Enable strong passwords and set Administrator passwords to expire on a regular basis. These settings will help keep your Administrator user accounts secure.
Since a common administrative activity is to evaluate and change security settings, it is very helpful to create and maintain baselines. Baselines are copies of files and settings you can use for comparison or to restore if necessary. Create a full backup of each system both before and after hardening. The post-hardening backup will be your initial secure baseline. You can use that backup to compare with future backups to identify changes. Although full backups contain all files and folders, it may be beneficial to create individual backups of policies each time you change them. The Group Policy Management Console (GPMC) gives you the ability to back up and restore GPOs. The GPMC also allows you to manage backups of all GPOs. FIGURE 11-8 shows the Backup GPO option in the GPMC.
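The GPO backup and baseline comparison described above can also be scripted with the GroupPolicy PowerShell module that ships with the GPMC. The following is an added example, not taken from the original text: it backs up every GPO into a dated folder, writes a manifest of each GPO's version numbers, and reports what was added, changed, or removed since the previous run. The backup root `D:\GPOBaselines` and the file name `manifest.csv` are assumptions chosen for illustration.

```powershell
# Added example: dated GPO backup plus a version manifest for baseline comparison.
# Assumes the GroupPolicy module (installed with the GPMC) and domain read access.
Import-Module GroupPolicy

$Root  = 'D:\GPOBaselines'                        # hypothetical backup root
$Stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
$Dest  = Join-Path $Root $Stamp
New-Item -ItemType Directory -Path $Dest -Force | Out-Null

# Locate the most recent earlier manifest before the new one is written.
$Previous = Get-ChildItem -Path $Root -Filter 'manifest.csv' -Recurse -ErrorAction SilentlyContinue |
    Sort-Object LastWriteTime -Descending | Select-Object -First 1

# Back up every GPO in the domain; these backups can be restored from the GPMC.
Backup-GPO -All -Path $Dest -Comment "Baseline $Stamp" | Out-Null

# Record per-GPO version counters. They increase whenever a policy is edited,
# so they identify changed GPOs without comparing backup files byte by byte.
$Current = Get-GPO -All | Sort-Object DisplayName | ForEach-Object {
    [pscustomobject]@{
        Id              = $_.Id.ToString()
        DisplayName     = $_.DisplayName
        ComputerVersion = $_.Computer.DSVersion
        UserVersion     = $_.User.DSVersion
        GpoStatus       = $_.GpoStatus.ToString()
    }
}
$Current | Export-Csv -Path (Join-Path $Dest 'manifest.csv') -NoTypeInformation

if (-not $Previous) {
    "No earlier manifest found; $Dest is the initial baseline."
    return
}

# Compare against the previous baseline, keyed on the GPO GUID.
$Old     = Import-Csv -Path $Previous.FullName
$OldById = @{}
foreach ($o in $Old) { $OldById[$o.Id] = $o }

foreach ($g in $Current) {
    $o = $OldById[$g.Id]
    $new = "$($g.ComputerVersion)|$($g.UserVersion)|$($g.GpoStatus)"
    if (-not $o) { "ADDED    $($g.DisplayName)" }
    elseif ("$($o.ComputerVersion)|$($o.UserVersion)|$($o.GpoStatus)" -ne $new) {
        "CHANGED  $($g.DisplayName)"
    }
}
foreach ($o in $Old) {
    if ($Current.Id -notcontains $o.Id) { "REMOVED  $($o.DisplayName)" }
}
```

Any GPO reported as CHANGED without a matching change record is worth reviewing against the earlier backup before it is accepted into the new baseline.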
Another critical component of hardening operating system administration is ensuring all Windows systems are updated to the latest patch. Ensure that Windows Update is configured to automatically download and install the latest updates from Microsoft.
FIGURE 11-9 shows the Windows Update window.
FIGURE 11-10 shows the Windows Update Advanced options.