As a result of another recent thread regarding security of default installs, I opted to spawn multiple threads focused on narrow topics, rather than have one thread with a broad topic. In the spirit of this, this is the first in what I hope to be a series of threads designed to generate debate/discussion amongst everyone.

To start it off, I'd thought it would be more of a challenge to take the tack of putting the desktop before the servers -- mainly because desktops are by design less secure on a local basis than a server.

For the purposes of this discussion, assume the following:
Setup A: Small mixed network of 10 Windows 2000 Pro desktops + Linux box w/Samba as a dc/file/print server.
- Desktops run Windows 2000 Professional SP4, with Norton AntiVirus Corporate Edition configured to update defs every Wednesday night at 6 PM, and to scan for viruses every day at 6 AM. Standard software includes Office 2000. The mail client is Outlook Express.
- Mail services are provided by their ISP.
- The Linux box also serves out an Apache webserver for staffers situated at The webserver only handles Basic auth over HTTPS, and is there only so staff can retrieve documents in their personal folders remotely. It has only the httpd and mod_ssl installed, no extra packages. Apache is 1.3.29
- A firewall exists between the network and the internet (which is piped in via Business DSL). This is configured so that it only forwards port 443 (HTTPS) to the web server, and every incoming connection is blocked. Desktops are permitted to surf and FTP and so forth.
- There are three printers on the network: A Lexmark Optra S series with NIC installed, and two HP LaserJet IIIs hooked up to two of the desktops.
- Never been targeted for attack by a cracker/hacker.

Setup B: Mid-sized contract developer's network of mixed operating systems. 10 Desktop developer boxes, and 14 servers.
- 5 of the Developer boxes run Slackware 9.1, the other 5 run Windows XP Pro SP1a.
- 4 of the servers are Linux boxes dedicated to tasks other than development:
- - One box is running OpenBSD 3.3 serving DHCP, DNS (internal), and acting as the firewall.
- - - Firewall is configured to allow external access only via the web to the Slackware box housing webmail, and the two Windows servers dedicated to client app. testing, both on TCP/80 and TCP/443. Surfing is allowed similarly to the network above.
- - Another is running Slackware 8.1 and serves mail services only for a webmail client on the same box via Apache and PHP. This is the mail server, as well as doubling as the Unix-based production test site, where clients having web development done can log in to their accounts and see notes from the developers about progress, as well as test the latest copy of the application.
- - The third box is running Windows 2003 Server, serving out all ASP.NET web applications for clients in similar fashion to the second box.
- - The fourth box is a Windows 2000 Server box, serving out domain services and file/print sharing.
- The other 10 servers are:
- - 2 Windows 2003 Servers
- - 3 Windows 2000 SP3 Servers
- - 2 Linux Slackware 8.1 Servers
- - 1 Linux RedHat 6.2 Server
- - 2 Linux Debian 3.0 Servers
- All servers are running on a mix of Pentium III/Pentium 4 servers from Dell, with the exception of the 2 Debian servers, which are running on completely new PowerPC 970 servers from IBM.
- CVS is handled by one of the Debian servers, which is still also a nix dev box.
- There are two printers on the network: an Epson EPL6200 connected directly to the LAN and shared by the Windows 2000 print sharing server, and a Lexmark Z22 Inkjet printer, which is hooked up to the print sharing server via USB.
- Has been the target of a hack once before.
- Note: The client app testing logins are handled via custom-designed software, which for the purposes of this exercise is impenetrable.

Now that the gritty details are out of the way, what changes would you encourage (if any) to the two above setups to protect the DESKTOPS? While it may seem redundant to protect desktops at all to some, keep in mind that recently a very high profile game development house got broken into from their desktops.
This is designed to be an open discussion, so feel free to ask any questions you may have, or offer up suggestions. Please, when you do offer the advice, I want it well researched and looked into. If you like, provide an "at first glance" type post, and then follow up with a real assessment and evaluation of what needs to be done. Break it down step by step if you must. Be very clear and concise about which case you are talking about.

Keep in mind, this is the DESKTOP we are trying to secure here. You will have an opportunity to comment on the same setups later on for the servers.