Windows Server Hardening Checklist

Network Security Configuration

- Enable the Windows Firewall in all profiles (domain, private, public) and configure it to block inbound traffic by default.
- Perform port blocking at the network setting level: analyze which ports need to be open and restrict access to all other ports.
- Restrict the ability to access each computer from the network to Authenticated Users only.
- Do not grant any users the "Act as part of the operating system" right.
- Deny guest accounts the ability to log on as a service, as a batch job, locally, or via RDP.
- If RDP is used, set the RDP connection encryption level to High.
- Remove (uncheck) "Enable LMHOSTS lookup".
- Disable NetBIOS over TCP/IP.
- Remove ncacn_ip_tcp.
- Configure both the Microsoft Network Client and the Microsoft Network Server to always digitally sign communications.
- Disable sending unencrypted passwords to third-party SMB servers.
- Do not allow any shares to be accessed anonymously.
- Allow Local System to use the computer identity for NTLM.
- Disable Local System NULL session fallback.
- Configure the allowable encryption types for Kerberos.
- Do not store LAN Manager hash values.
- Set the LAN Manager authentication level to send NTLMv2 responses only and refuse LM and NTLM.
- Remove File and Printer Sharing from the network settings. File and printer sharing could allow anyone to connect to a server and access critical data without requiring a user ID or password.
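Most of the items above are Security Options that Group Policy writes to well-known registry values, plus the firewall profile state. The following audit script is an added example, not part of the checklist or of any vendor tool: it reads those values on the local server and reports every item that does not match the checklist's recommendation, so drift can be caught before an audit. It assumes an elevated PowerShell session on Windows Server 2012 R2 or later (for the NetSecurity cmdlets), and the numeric expected values are this example's encoding of the checklist recommendations (for example, LmCompatibilityLevel 5 is "Send NTLMv2 response only. Refuse LM & NTLM", and MinEncryptionLevel 3 is RDP "High").

```powershell
# Added audit example for the Network Security Configuration checklist items.
# Read-only: it reports non-compliant settings and changes nothing.
# Registry paths are the standard locations these policies are stored in;
# expected values encode the checklist's recommendations (assumption of this example).

$lsa   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$srv   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$wks   = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
$rdp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# One row per checklist item that maps to a single DWORD value.
$checks = @(
  @{ Item = 'LAN Manager auth level: NTLMv2 only, refuse LM and NTLM';  Path = $lsa;            Name = 'LmCompatibilityLevel';     Expected = 5 },
  @{ Item = 'Do not store LAN Manager hash values';                      Path = $lsa;            Name = 'NoLMHash';                 Expected = 1 },
  @{ Item = 'Allow Local System to use computer identity for NTLM';      Path = $lsa;            Name = 'UseMachineId';             Expected = 1 },
  @{ Item = 'Disable Local System NULL session fallback';                Path = "$lsa\MSV1_0";   Name = 'allownullsessionfallback'; Expected = 0 },
  @{ Item = 'Network Server: always digitally sign communications';      Path = $srv;            Name = 'RequireSecuritySignature'; Expected = 1 },
  @{ Item = 'Network Client: always digitally sign communications';      Path = $wks;            Name = 'RequireSecuritySignature'; Expected = 1 },
  @{ Item = 'Do not send unencrypted passwords to third-party SMB servers'; Path = $wks;         Name = 'EnablePlainTextPassword';  Expected = 0 },
  @{ Item = 'Restrict anonymous access to named pipes and shares';       Path = $srv;            Name = 'RestrictNullSessAccess';   Expected = 1 },
  @{ Item = 'Remove Enable LMHOSTS lookup';                              Path = $netbt;          Name = 'EnableLMHOSTS';            Expected = 0 },
  @{ Item = 'RDP connection encryption level: High';                     Path = $rdp;            Name = 'MinEncryptionLevel';       Expected = 3 }
)

function Get-RegValue([string]$Path, [string]$Name) {
    # Returns $null when the key or value is absent so the caller can report "not configured".
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }
    return $item.$Name
}

function New-Finding([string]$Item, $Actual, $Expected) {
    $status = if ($null -eq $Actual) { 'NOT CONFIGURED' }
              elseif ("$Actual" -eq "$Expected") { 'OK' }
              else { 'NON-COMPLIANT' }
    [pscustomobject]@{ Item = $Item; Actual = $Actual; Expected = $Expected; Status = $status }
}

$findings = foreach ($c in $checks) {
    New-Finding -Item $c.Item -Actual (Get-RegValue $c.Path $c.Name) -Expected $c.Expected
}

# Firewall: every profile enabled with inbound traffic blocked by default.
foreach ($p in Get-NetFirewallProfile) {
    $findings += New-Finding -Item "Firewall profile '$($p.Name)' enabled" -Actual $p.Enabled -Expected 'True'
    $findings += New-Finding -Item "Firewall profile '$($p.Name)' default inbound" -Actual $p.DefaultInboundAction -Expected 'Block'
}

# NetBIOS over TCP/IP is set per interface; NetbiosOptions 2 means disabled.
foreach ($if in Get-ChildItem -Path "$netbt\Interfaces" -ErrorAction SilentlyContinue) {
    $findings += New-Finding -Item "NetBIOS over TCP/IP disabled on $($if.PSChildName)" `
                             -Actual (Get-RegValue $if.PSPath 'NetbiosOptions') -Expected 2
}

# Anonymous shares: the NullSessionShares list should be empty.
$nullShares = Get-RegValue $srv 'NullSessionShares'
$findings += New-Finding -Item 'No shares accessible anonymously (NullSessionShares empty)' `
                         -Actual (@($nullShares) -join ',') -Expected ''

# Kerberos: flag if the DES (0x1, 0x2) or RC4 (0x4) bits are enabled in the bitmask.
$kerb = Get-RegValue "$lsa\Kerberos\Parameters" 'SupportedEncryptionTypes'
$weakBits = if ($null -eq $kerb) { $null } else { $kerb -band 0x7 }
$findings += New-Finding -Item 'Kerberos encryption types exclude DES and RC4' -Actual $weakBits -Expected 0

$findings | Sort-Object Status, Item | Format-Table -AutoSize
```

Run it as part of a build check or scheduled job and treat any NOT CONFIGURED row as a finding too: an unset value means the OS default applies rather than the policy the checklist calls for. The script deliberately only reads; apply the corrections through the Security Options Group Policy path so they survive reboots and are consistently enforced across the estate.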