In depth security has become a requirement for every company. Your network boundaries, firewalls, VPNs, mobile computers, desktops, servers, domain controllers, etc., all need to be considered when you are designing for a secure environment. It is important to know what you get out of the box, as well as what options you have at your disposal to secure these environments. When you consider a new installation of a Windows server, 2000 or Server 2003, you might not be getting the security settings that you anticipate. Both of these operating systems' security will not be configured to meet your expectations or company security requirements.

There are many reasons for the security of these servers to be set for weaker security. First, with so many other operating systems that might need to communicate with them, they need to be set for the “lowest common denominator” of security to ensure compatibility. The security options that come with Windows Server 2003 are not available on your Windows NT 4.0 Workstations, for example. Second, the servers might be running applications or services that can’t run with the heightened security. Your financial servers might be running a third-party accounting application that can’t handle encrypted network communication, for example. Third, it is my opinion that many network administrators and companies have been trained to use servers in this state and any form of heightened security at initial installation could render the server useless. I have seen more than my fair share of network administrators become confused when some computers have elevated security settings established, which stops communications with older operating systems.