We were told by our regulators that we need to "document baseline configurations". Our IT function is outsourced, and our consultant states that other banks have used the simple statement "All servers were installed and configured according to best practice procedures defined by Microsoft."

Can someone give me your thoughts on this (is it sufficient?) or the format that you have used for your configurations? We are a small (90M) bank with 3 servers and 30 users running in a Citrix environment - pretty simple.

I always try to be "general" yet "informative". We all know how dynamic recommended security configurations are. I'd modify what the consultant said to include "as of the install date". I'd also run the Microsoft Baseline Security Analyzer on the servers (assuming they are MS), and place the report in the server change management program. That should give you a decent starting point for change management tracking anyway...