
n0csec 101

n0cmonkey

Elite Member
I thought I'd post this here. It's something I started on while a little tipsy and quite a bit sleep deprived. I haven't worked on it in a while (and I've forgotten a lot of what I wanted to add/change :Q) so I figured the comments here may inspire me to get off my lazy butt 😉

1. Choose good software:
Research the software you plan to use before deploying it. If it has a bad history, consider alternatives, i.e. Apache instead of IIS.

2. Patch:
Keep your software up to date. Have a procedure for testing and deploying patches. The sooner you deploy the patch the better your chances are of keeping any problems at bay. Software websites and mailing lists are a great place to find out about recent patches.

3. Keep up to date on information regarding your software:
Monitoring mailing lists and websites will also help with this step. Keeping tabs on the top 10/20 vulnerabilities (according to SANS) will also help. That list is a great place to start looking for information on what to look for.

4. Understand the software you deploy:
Understanding the software you use is important. Many services can be set up very insecurely, and without an understanding of the software and how to properly set it up you will run a greater risk of misconfiguring it. This also applies to the network. Without understanding the network you are deploying your software on, you run the risk of weird things happening.

5. Disable unneeded services:
If you don't need it, don't use it. Extra services that are unneeded only give attackers an extra avenue of attack. Close as many doors as you can.

6. Firewall:
Restrict access to services as much as you can. Block everything and open what you need. Other utilities like TCP wrappers can help restrict services.

7. Use anti-virus software and keep the definitions up to date:
Unfortunately viruses are a problem for some operating environments. Running a Windows operating system without anti-virus is like trying to be a hockey goalie without wearing a cup. Yes, you can do it, but it won't be pretty. Common sense helps out quite a bit when dealing with viruses, but unfortunately, viruses are getting more complex and their methods of transmission grow with the complexity of operating environments. Nimda used several methods of transmission, including email, web browsing, and file sharing.

8. Monitor logs:
This is probably the worst part of system and network administration. It is time consuming and often boring. Unfortunately, it's a necessary part of the job. Watching your logs closely provides you with the added benefit of sometimes predicting future problems and how to avoid them.

9. DMZ:
A DMZ can help you minimize risk. Any machine offering services to the internet should be placed in a DMZ. From within this DMZ services should be limited. Very few services should require a machine to make connections. All connections should be opened from machines outside of the DMZ.


EDIT: They aren't in any particular order really...
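
Tips 6 and 9 turned into a check over connection records, added here as an example and not part of the original post. The `src dst port` record format, the addresses and both allowlists are constructed assumptions; `src` is the side that opened the connection.

```python
import ipaddress

# All addresses, ports and flow lines below are constructed for illustration.
DMZ = ipaddress.ip_network("192.0.2.0/24")
# Tip 6, block everything and open what you need: (DMZ host, port) pairs opened.
ALLOWED_INBOUND = {("192.0.2.10", 80), ("192.0.2.10", 443), ("192.0.2.25", 25)}
# Tip 9, very few DMZ machines should make connections: explicit exceptions.
ALLOWED_OUTBOUND = {("192.0.2.25", "10.0.0.53", 53)}

SAMPLE_FLOWS = """\
203.0.113.7 192.0.2.10 443
203.0.113.7 192.0.2.10 22
192.0.2.25 10.0.0.53 53
192.0.2.10 203.0.113.99 6667
192.0.2.10 10.0.0.5 445
10.0.0.5 203.0.113.7 443
"""

def audit(flow_text):
    """Return (record, reason) for every flow that breaks the DMZ policy."""
    findings = []
    for line in flow_text.splitlines():
        if not line.strip():
            continue
        try:
            src, dst, port = line.split()
            port = int(port)
            src_dmz = ipaddress.ip_address(src) in DMZ
            dst_dmz = ipaddress.ip_address(dst) in DMZ
        except ValueError:
            # Malformed records are reported, never silently skipped.
            findings.append((line, "unparseable record"))
            continue
        if src_dmz and not dst_dmz and (src, dst, port) not in ALLOWED_OUTBOUND:
            findings.append((line, "connection opened from inside the DMZ"))
        elif dst_dmz and not src_dmz and (dst, port) not in ALLOWED_INBOUND:
            findings.append((line, "service not opened in the firewall"))
        # Flows that never touch the DMZ, or stay inside it, are out of scope.
    return findings

if __name__ == "__main__":
    for record, reason in audit(SAMPLE_FLOWS):
        print(f"{reason}: {record}")
```

A DMZ web server opening connections toward the LAN or the internet is the kind of log entry tip 8 is about: it is either a missing exception or a sign that the machine is no longer doing only what it was deployed to do.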
 