The Takoma Group
Top Ten Secure Server Checklist

First: Before you do anything, go into your Services applet in Control Panel. Make sure you know what EVERYTHING does. I mean it. Go through, type the name of every service into Google, and figure it out. I believe there is no way in sam-hell that you can administer a server properly without knowing the function and perils of everything that is running, ESPECIALLY on automatic startup. Linux users, reading this too? GO DO IT NOW.

Second: Take that knowledge from above, and turn everything you don't need off. "Everything you don't need" is defined as programs that do not need to be running or accessed in the normal, day-to-day operations of a server. Then, uninstall everything you don't need. Browsers, mail clients, everything.

Third: Use HfNetChk twice a day. Put it on an automated script, and have it email the results to someone who can and will read and interpret them. HfNetChk will ALWAYS pick up patches and bugfixes quicker than Windows Update and its Automatic counterpart.

Fourth: Subscribe to lists.netsys.com/mailman/listinfo/full-disclosure and read the posts: daily at worst, more frequently at best.

Fifth: Subscribe to NANOG. Most of it is off-topic for what you do, but network operators are the first people to notice widespread virus/worm attacks.

Sixth: Get a good (read: hardware) firewall. Software firewalls are stupid marketing ploys. Start by allowing only HTTP connections to the web server, and drop on the floor (not reject) everything else. Open up ports one by one, as necessary. Never open up NetBIOS or SQL Server ports unless absolutely necessary.

Seventh: Run the Baseline Security Analyzer and the IIS Lockdown Tool. Use caution while running the IIS Lockdown Tool: its defaults are very strict, and can knock out some custom configs.

Eighth: Lock down user accounts. Got an FTP server? Lock it down. No administrative-level access by FTP. Valid user accounts should only be allowed access to their own directory: lock them into a jail. No execute access allowed by FTP.

Ninth: Get a test server. Don't do any development or run any under-development applications on the live server. Only transfer fully tested (and audited!) applications to the live server. Don't run anything you didn't write without testing it on the test server first. Don't let people put code on your server that you haven't audited. I call this the human anti-virus. If you do this, you don't even need anti-virus on the server (which is terrible for performance), because you aren't running anything that you personally haven't executed before.

Tenth: Your server is your baby! I'd never think of having kids and then ignoring them for more than minutes at a time. Your server is your baby. Get an external monitoring service. Check her once an hour for problems, or better yet, write a script that checks her for you and alerts you to any unknown variance from normal operation. Take care of her!

This is not a canonical list. It is meant to be a guide, but it is by no means a complete list of everything you'll need to do to be 100% secure.
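The first two steps (know every automatic-start service, then switch off what you don't need) are easier to repeat on a schedule if the Services applet walk-through is turned into a script. The following PowerShell is an added example, not a script from the Takoma Group page: it lists every automatic-start service and flags the ones that have not yet been looked up and signed off on. The `$Reviewed` allow-list and the `ExampleSvc` name are assumptions for illustration; the real list is built one service at a time from your own research.

```powershell
# Added example (not the page's own script): list every service set to start
# automatically and flag the ones nobody has looked up and signed off on yet.
# The allow-list below is an assumption for illustration; fill it in from your
# own research, one service at a time, as the checklist tells you to.
$Reviewed = @{
    'W3SVC'    = 'IIS web server (the reason this box exists)'
    'EventLog' = 'Windows Event Log (needed to audit anything)'
    'Dnscache' = 'DNS client'
}

# StartMode 'Auto' is what the Services applet shows as "Automatic".
$AutoStart = Get-CimInstance -ClassName Win32_Service |
    Where-Object { $_.StartMode -eq 'Auto' }

$Unreviewed = $AutoStart | Where-Object { -not $Reviewed.ContainsKey($_.Name) }

Write-Output ("Automatic-start services: {0}; not yet reviewed: {1}" -f @($AutoStart).Count, @($Unreviewed).Count)

# PathName (the binary) and StartName (the account it runs as) are the two
# columns that most often reveal something surprising.
$Unreviewed | Sort-Object Name |
    Format-Table Name, DisplayName, State, StartName, PathName -AutoSize

# When a service is confirmed unnecessary, stop it AND disable it, so it does
# not return at the next reboot ('ExampleSvc' is a placeholder name):
#   Stop-Service -Name 'ExampleSvc'
#   Set-Service  -Name 'ExampleSvc' -StartupType Disabled
```

Re-run it after every patch cycle or software install: a new entry in the unreviewed table is exactly the kind of change the checklist wants you to notice before an attacker does.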
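The tenth step asks for a script that checks the server every hour and alerts on "any unknown variance from normal operation". The PowerShell below is an added example, not the page's own script, of what such a check can look like: it records the HTTP status, response time and a hash of the page body, compares them with a baseline saved on a known-good day, and logs and mails any difference. The URL, the baseline and log paths, the `$MaxMs` limit and the SMTP settings are all assumptions to replace with your own; in the spirit of "external monitoring", run it from a machine other than the server it watches.

```powershell
# Added example (not the page's own script): an hourly check of the live web
# server that compares what it sees now with a saved known-good baseline and
# reports any variance. Run it from a DIFFERENT machine than the one it checks.
# $Url, the baseline path, the log path and the mail settings are assumptions.
$Url      = 'http://www.example.com/'
$Baseline = 'C:\Monitor\baseline.json'
$Log      = 'C:\Monitor\check.log'
$MaxMs    = 2000     # slowest acceptable response, in milliseconds

$timer = [System.Diagnostics.Stopwatch]::StartNew()
try {
    $resp   = Invoke-WebRequest -Uri $Url -UseBasicParsing -TimeoutSec 30
    $status = [int]$resp.StatusCode
    $body   = [string]$resp.Content
} catch {
    $status = -1          # -1 = no HTTP answer at all (down, refused, timed out)
    $body   = ''
}
$timer.Stop()

# A hash of the body catches content that changed without a planned deploy.
$sha  = [System.Security.Cryptography.SHA256]::Create()
$hash = [System.BitConverter]::ToString(
            $sha.ComputeHash([System.Text.Encoding]::UTF8.GetBytes($body))).Replace('-', '')

$now = [pscustomobject]@{ Status = $status; Millis = $timer.ElapsedMilliseconds; Hash = $hash }

if (-not (Test-Path -Path $Baseline)) {
    # First run, taken while you know the server is healthy: record the baseline.
    $now | ConvertTo-Json | Set-Content -Path $Baseline
    return
}
$known = Get-Content -Path $Baseline -Raw | ConvertFrom-Json

$problems = @()
if ($now.Status -ne $known.Status) { $problems += "HTTP status $($now.Status), baseline $($known.Status)" }
if ($now.Millis -gt $MaxMs)        { $problems += "response took $($now.Millis) ms (limit $MaxMs)" }
if ($now.Hash -ne $known.Hash)     { $problems += "page content differs from baseline (unreviewed change or defacement)" }

$stamp = Get-Date -Format 's'
if ($problems.Count -eq 0) {
    Add-Content -Path $Log -Value "$stamp OK $Url $($now.Millis) ms"
} else {
    $report = "$stamp PROBLEM $Url`n  " + ($problems -join "`n  ")
    Add-Content -Path $Log -Value $report
    # Deliver the alert to a human as well; the SMTP details are placeholders.
    Send-MailMessage -SmtpServer 'smtp.example.com' -From 'monitor@example.com' `
        -To 'admin@example.com' -Subject "Server check: $Url" -Body $report
}
```

Schedule it with the built-in task scheduler, for example `schtasks /Create /SC HOURLY /TN "WebCheck" /TR "powershell.exe -NoProfile -ExecutionPolicy Bypass -File C:\Monitor\check.ps1"`; the same mechanism with `/SC HOURLY /MO 12` gives the twice-a-day run the third step asks for from the patch checker. Delete the baseline file deliberately after every planned content change, so that the next run re-records what "normal" looks like instead of alerting on your own deploy.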
The Takoma Group 2003 ©