HIPAA Windows XP lockdown policy through Windows 2003

I am currently involved in a large production project that involves about 300 computers in a medical environment where I need to strictly follow HIPAA regulations. I am currently running Windows 2003 Server Enterprise and I need a good group policy, or to find one, that will lock down the computers according to HIPAA regulations.

Any assistance would be greatly appreciated.
Jason Watkins, IT Project Leader, commented:
I would go with what these folks advise: http://www.nsa.gov/ia/guidance/security_configuration_guides/operating_systems/microsoft_windows.shtml

They do not play around when it comes to security. It would be great to know exactly what the HIPAA standards expect from your efforts.
Isn't it HIPAA (the Health Insurance Portability and Accountability Act)?

I think it would be well worth getting some endpoint protection software for this; Symantec Endpoint Protection is what we use to lock machines down, and it gives much greater control, monitoring and reporting than using group policies.

Other software will help you achieve the same. I have not used them personally, but I have heard good things about McAfee ePO and Sophos Endpoint Security and Control.

To be honest I doubt group policy on 2003/XP machines will be up to the job.
Jason Watkins, IT Project Leader, commented:
A/V software on Windows XP is a given at this point. Any IT admin/manager that does not put A/V software on his/her Windows machines should be relieved of their duties. Group policy is incredibly effective in implementing a secure computing environment. For example, IPSec for clients and servers, which is done through GPO.
Not sure if the AV point was aimed at what I suggested or just thrown in, but endpoint protection software is not only AV; we use it to control which removable storage devices can be used, and where, and to log the use of them. (This cannot be done via group policy in a 2003 domain.)

It controls which software is installed and allowed to run on which machines, again logging the running of the software (including parts of the OS). (This can be done using group policy, but it is a PITA to set up and manage.)

It has location-based firewall rules, which are very handy for laptops. (This cannot be done via group policy in a 2003 domain.)

It also has host-based IDS, and fantastic reporting and compliance monitoring.

HIPAA obviously requires you to ensure accountability for data, which means controlling which removable media can be used on specific machines and logging the use of it. I do not know of a way you can achieve this using group policy.

Group policy is fantastic for certain things, but I do not believe that you will achieve what you want to accomplish with GPOs.
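Whichever way the lockdown is pushed, the thread leaves the asker with no way to prove that 300 XP machines actually received it. The script below is an added example (editor's code, not something posted in the thread or shipped by any of the products named) that audits the three settings discussed above as they appear on the endpoint: the Software Restriction Policy default level under HKLM\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers, the start type of the USBSTOR driver (Start = 4 disables USB mass storage on XP, per Microsoft KB 823732, whether that value is set by hand or pushed by a custom ADM template), and whether the IPSEC Services (PolicyAgent) service is running with a GPO-assigned policy recorded under HKLM\SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy. It assumes PowerShell 2.0 on the admin workstation, the Remote Registry service running on the targets, local admin rights on them, and that the GPO sets SRP to the strictest combination (default rule Disallowed, TransparentEnabled = 2); adjust the expected values to whatever your GPO actually sets.

```powershell
# Added example (editor's code, not from the thread): audit XP/2003 hosts for the
# registry and service state a 2003-domain lockdown GPO is expected to leave behind.
# Assumes PowerShell 2.0, Remote Registry running on the targets, local admin rights.
param(
    [string[]]$ComputerName = @($env:COMPUTERNAME),
    [string]$Report = '.\lockdown-audit.csv'
)

# Software Restriction Policy default levels stored in Safer\CodeIdentifiers\DefaultLevel.
$SrpLevels = @{ 0 = 'Disallowed'; 0x20000 = 'BasicUser'; 0x40000 = 'Unrestricted' }

function Get-RemoteRegValue {
    param([string]$Computer, [string]$SubKey, [string]$Name)
    $hklm = $null
    try {
        $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $Computer)
        $key = $hklm.OpenSubKey($SubKey)
        if ($key -eq $null) { return $null }   # key absent: the policy never applied here
        $value = $key.GetValue($Name)
        $key.Close()
        return $value
    } catch {
        Write-Warning ("{0}: cannot read HKLM\{1} ({2})" -f $Computer, $SubKey, $_.Exception.Message)
        return $null
    } finally {
        if ($hklm -ne $null) { $hklm.Close() }
    }
}

function Test-Lockdown {
    param([string]$Computer)
    $safer = 'SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

    # 1. SRP: default rule Disallowed (0), enforced for all software files (TransparentEnabled = 2).
    #    These expected values are an assumption; match them to your own GPO.
    $srpLevel = Get-RemoteRegValue $Computer $safer 'DefaultLevel'
    $srpScope = Get-RemoteRegValue $Computer $safer 'TransparentEnabled'

    # 2. USB mass storage: Start = 4 disables the usbstor driver (KB 823732); 3 is the normal on-demand start.
    $usbStart = Get-RemoteRegValue $Computer 'SYSTEM\CurrentControlSet\Services\USBSTOR' 'Start'

    # 3. IPSec: the IPSEC Services (PolicyAgent) service must be running and a
    #    GPO-assigned policy must be recorded under IPSec\GPTIPSECPolicy.
    $agent = Get-WmiObject Win32_Service -ComputerName $Computer -Filter "Name='PolicyAgent'"
    $agentState = 'Unknown'
    if ($agent) { $agentState = $agent.State }
    $ipsecPolicy = Get-RemoteRegValue $Computer 'SOFTWARE\Policies\Microsoft\Windows\IPSec\GPTIPSECPolicy' 'DSIPSECPolicyName'

    $srpName = 'NotSet'
    if ($srpLevel -ne $null) {
        if ($SrpLevels.ContainsKey([int]$srpLevel)) { $srpName = $SrpLevels[[int]$srpLevel] }
        else { $srpName = '0x{0:X}' -f [int]$srpLevel }
    }

    $srpOk = ($srpLevel -eq 0) -and ($srpScope -eq 2)
    $usbOk = ($usbStart -eq 4)
    $ipsOk = ($agentState -eq 'Running') -and (-not [string]::IsNullOrEmpty($ipsecPolicy))

    New-Object PSObject -Property @{
        Computer        = $Computer
        SrpDefault      = $srpName
        SrpAllFiles     = ($srpScope -eq 2)
        UsbStorDisabled = $usbOk
        IpsecAgent      = $agentState
        IpsecPolicy     = $(if ($ipsecPolicy) { $ipsecPolicy } else { 'None' })
        Compliant       = ($srpOk -and $usbOk -and $ipsOk)
    }
}

$results = foreach ($c in $ComputerName) { Test-Lockdown $c }
$columns = 'Computer', 'SrpDefault', 'SrpAllFiles', 'UsbStorDisabled', 'IpsecAgent', 'IpsecPolicy', 'Compliant'

# Full report for the compliance file, non-compliant hosts on screen.
$results | Select-Object $columns | Export-Csv -Path $Report -NoTypeInformation
$results | Where-Object { -not $_.Compliant } | Format-Table $columns -AutoSize
```

Run it as `.\Audit-Lockdown.ps1 -ComputerName (Get-Content hosts.txt)` from a workstation that can reach the machines; a host whose policy keys are missing is reported as NotSet and non-compliant rather than silently skipped, which is the case you care about when a GPO fails to apply. It does not replace the logging of removable-media use that the commenter describes, only the check that the device block itself is in place.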