General Forum

Started: 3/31/2008 5:39 PM by Alan Raveling
Hardening of Microsoft Windows 2003 Server
I was asked to cross-post this from the mailing lists to the General Forum in hopes of sparking discussion at this week's MS MUG conference.

In order to reduce the attack surface of any system, the number of services present must be reduced to as few as necessary to run the designated applications, and security policies must exist to limit the actions operators can perform.

Presently Microsoft has available for use the SSLF (Specialized Security - Limited Functionality) templates, which contain policies that affect password complexity requirements, logging and auditing functionality, network settings, device settings, and default user configurations. Information on SSLF and Windows 2003 Security in general can be found here:

http://www.microsoft.com/technet/security/prodtech/windowsserver2003/W2003HG/SGCH00.mspx

In addition to the work by Microsoft, NIST has also made available an extensive document which covers services, file permission settings, network settings, password requirements, and built-in application settings. The document can be found here:

http://iase.disa.mil/stigs/checklist/index.html (Windows 2003 Security Checklist Version 6, Release 1.5)

While both of these documents provide great starting points, we need to work with them to find out what settings and configurations need to be relaxed or changed to allow HMIs and other manufacturing applications to run correctly. I am looking for folks who have a test environment to assist in the testing and evaluation of these standards.

Thanks,

Alan Raveling
MCSE 2003: Security, Security+
Interstates Control Systems, Inc.
alan.raveling@interstates.com