Kiss me, I'm secure!
This could also be "How to confuse and confound yourself in the name of security." I am now working on an automated security package that lets users deploy XP Pro and Server 2003 in a standardized baseline. The premise is to:
Patch the system (up to date of package release)
Apply local security templates (you get the option of member server or DC for WS2003 builds)
Install approved and licensed apps for machine via option menu
Now, this has been going on for about 18 months, and the project was missing a strong technical person, particularly on the server portion. Well, enough people confused me for that person that I am now handling this. We have to base the security measures on things like IAVAs (patches and specific settings required by DISA, a government agency) and security templates including settings from STIGs (also by DISA). The goal is to have a very secure platform before you connect to the network.
The only problem with this is that you break stuff. Lots of stuff. It took another contractor engineer, an MS consultant (Joe, or as I call him "Spaghetti Western"), and myself a couple of days to get enough settings adjusted to get the Management Point installed. Now, we are still having issues with clients reporting their status even though the client is installed.
We had other quirks such as:
NTVDM error when installing SQL Server (you need to adjust your temp path to something like "C:\Temp" that doesn't exceed the 8.3 naming convention)
Terminal Services connectivity (didn't realize that the hi-sec recommendation from MS was to specifically deny "Everyone" via local policy)
MP installation issues (hotfix needed from PSS)
SMS Trace is awesome
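As an added example (not code from this post, from DISA, or from Microsoft), here is a small Python auditor that parses a secedit-style security template and flags two of the quirks above before a build goes out the door: "Everyone" sitting in the Terminal Services deny right, and a TEMP path that is not 8.3-safe. The template text below is constructed for the example; the function names are mine, and the right name SeDenyRemoteInteractiveLogonRight and the SID S-1-1-0 are assumed to be the stored identifiers for "Deny log on through Terminal Services" and the Everyone group on XP/2003.

```python
import re

# Assumed mapping (Windows XP/2003): "Deny log on through Terminal Services"
# is stored in templates as SeDenyRemoteInteractiveLogonRight, and the
# Everyone group is the well-known SID S-1-1-0.
TS_DENY_RIGHT = "SeDenyRemoteInteractiveLogonRight"
EVERYONE_SID = "S-1-1-0"

# Constructed sample in the layout that "secedit /export /cfg" writes; not a
# real template from the post or from DISA. The Everyone deny below is the
# setting that broke Terminal Services connectivity.
SAMPLE_TEMPLATE = """\
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 12
LockoutBadCount = 3
[Privilege Rights]
SeDenyRemoteInteractiveLogonRight = *S-1-1-0
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
SeDenyNetworkLogonRight = *S-1-5-7
"""


def parse_template(text):
    """Parse an INF-style template into {section: {key: value}}.

    secedit writes the file as UTF-16 with a BOM; decode it before calling
    this (open(path, encoding="utf-16")). Comment lines start with ';'.
    """
    sections = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            sections.setdefault(current, {})
            continue
        if current is None or "=" not in line:
            continue
        key, _, value = line.partition("=")
        sections[current][key.strip()] = value.strip()
    return sections


def right_holders(template, right):
    """Principals assigned a user right. secedit prefixes SIDs with '*';
    names (for example a local group) appear without it, so both forms are accepted."""
    value = template.get("Privilege Rights", {}).get(right, "")
    return {p.strip().lstrip("*") for p in value.split(",") if p.strip()}


def everyone_denied_ts(template):
    """True when the template denies Terminal Services logon to Everyone,
    which locks out every RDP user, administrators included."""
    holders = right_holders(template, TS_DENY_RIGHT)
    return EVERYONE_SID in holders or "Everyone" in holders


def is_8dot3(path):
    """True when every component of a Windows path already satisfies the 8.3
    short-name rules: no spaces, at most one dot, <=8 chars before it, <=3 after."""
    rest = re.sub(r"^[A-Za-z]:", "", path).replace("/", "\\")
    for comp in filter(None, rest.split("\\")):
        if " " in comp or comp.count(".") > 1:
            return False
        name, _, ext = comp.partition(".")
        if not name or len(name) > 8 or len(ext) > 3:
            return False
    return True


def audit(template_text, temp_path):
    """Return a list of findings; an empty list means the build will not hit
    the two quirks this script knows about."""
    findings = []
    template = parse_template(template_text)
    if everyone_denied_ts(template):
        findings.append(
            f"{TS_DENY_RIGHT} includes Everyone ({EVERYONE_SID}): "
            "Terminal Services connections will be refused for all accounts")
    if not is_8dot3(temp_path):
        findings.append(
            f"TEMP={temp_path!r} is not 8.3-safe; 16-bit (NTVDM) installers "
            "may fail, use something like C:\\Temp")
    return findings


if __name__ == "__main__":
    default_temp = r"C:\Documents and Settings\Administrator\Local Settings\Temp"
    for finding in audit(SAMPLE_TEMPLATE, default_temp):
        print("FINDING:", finding)
```

To run it against a real box, export the effective policy with `secedit /export /cfg C:\Temp\baseline.inf`, read that file with `encoding="utf-16"`, and pass the current `%TEMP%` value as the second argument; the same parser can be pointed at the STIG-derived template itself so the Everyone deny is caught before the template is ever applied.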
So, my question to you is: what do you guys do for security standardization? We have security templates and settings all over the place, and it has been fun shaping GPOs to fix these settings for a given role.