Security checklist

Checklists from certifiedsecure.com

Server configuration checklist

Mark result with ✓ or ✗

#      Certified Secure Server Configuration Checklist                          Result  Ref
1.0    Generic
1.1    Always adhere to the principle of least privilege
2.0    Version Management
2.1    Install security updates for all software
2.2    Never install unsupported or end-of-life software
2.3    Install software from a trusted and secure repository
2.4    Verify the integrity of software before installation
2.5    Configure an automatic update policy for security updates
3.0    Network Security
3.1    Disable all extraneous services
3.2    Disable all extraneous ICMP functionality
3.3    Disable all extraneous network protocols
3.4    Install a firewall with a default deny policy
3.5    Firewall both incoming and outgoing connections
3.6    Disable IP forwarding and routing unless explicitly required
3.7    Separate servers with public services from the internal network
3.8    Remove all dangling DNS records
3.9    Enable DNS record signing
4.0    Authentication and Authorization
4.1    Configure authentication for access to single user mode
4.2    Configure mandatory authentication for all non-public services
4.3    Configure mandatory authorization for all non-public services
4.4    Configure mandatory authentication for all users
4.5    Enforce the usage of strong passwords
4.6    Remove all default, test, guest and obsolete accounts
4.7    Configure rate limiting for all authentication functionality
4.8    Disable remote login for administrator accounts
4.9    Never implement authorization based solely on IP address
5.0    Privacy and Confidentiality
5.1    Configure services to disclose a minimal amount of information
5.2    Transmit sensitive information via secure connections
5.3    Deny access to sensitive information via insecure connections
5.4    Store sensitive information on encrypted storage
5.5    Never use untrusted or expired SSL certificates
5.6    Configure SSL/TLS to accept only strong keys, ciphers and protocols
5.7    Configure an accurate and restrictive CAA DNS record
5.8    Use only widely accepted and proven cryptographic primitives
5.9    Use existing, well-tested implementations of cryptographic primitives
5.10   Separate test, development, acceptance and production systems
5.11   Never allow public access to test, development and acceptance systems
5.12   Never store production data on non-production systems
5.13   Configure a secure default for file permissions
5.14   Configure file permissions as restrictive as possible
5.15   Disable the indexing of files with sensitive information
5.16   Configure automated removal of temporary files
6.0    Logging Facilities
6.1    Restrict access to logging information
6.2    Configure logging for all relevant services
6.3    Configure logging for all authentication and authorization failures
6.4    Configure remote logging for all security related events
6.5    Routinely monitor and view the logs
6.6    Never log sensitive information, passwords or authorization tokens
7.0    Service Specific
7.1    Complete the Secure Development Checklist for Web Applications
7.2    Disable open relaying for mail services
7.3    Disable email address enumeration for mail services
7.4    Disable anonymous uploading for FTP services
7.5    Disable unauthorized AXFR transfers in the DNS
8.0    Miscellaneous
8.1    Configure rate limiting for all resource-intensive functionality
8.2    Prevent unintended denial of service when configuring rate limiting
8.3    Check configuration of all services for service-specific issues
8.4    Check for and mitigate server- or setup-specific problems
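Worked example for section 2 (Version Management), added here and not part of the certifiedsecure.com checklist: item 2.4 in practice means comparing a downloaded artifact against a digest obtained independently of the download host, and 2.3 means trusting a repository key only after its full fingerprint matches a value pinned out of band. The script below does both, then prints the unattended-security-update fragments for apt and dnf (2.5). The file names, the fingerprint and the sample artifact are assumptions.

```shell
#!/bin/sh
# Added example, not from certifiedsecure.com: verify a downloaded artifact
# against a checksum and a pinned signing-key fingerprint (items 2.3, 2.4) and
# print the unattended security-update configuration for apt and dnf (2.5).
# Paths, the fingerprint and the sample artifact are assumed/constructed.

# 2.4: compare the artifact's SHA-256 with a value obtained over a channel
# independent of the download host (project site over TLS, release notes,
# a signed SHA256SUMS file). Returns 0 on match, 1 on mismatch.
verify_sha256() {  # $1: file, $2: expected hex digest
  actual=$(sha256sum "$1" | cut -d' ' -f1)
  if [ "$actual" = "$2" ]; then
    echo "OK   sha256 matches: $1"
  else
    echo "FAIL sha256 mismatch for $1: got $actual, expected $2"
    return 1
  fi
}

# 2.3/2.4: only trust a repository or release key whose full fingerprint
# matches the one pinned out of band. Inspect first, import only on a match.
import_pinned_key() {  # $1: key file (.asc), $2: expected 40-hex fingerprint
  fpr=$(gpg --with-colons --import-options show-only --import "$1" 2>/dev/null \
        | awk -F: '$1 == "fpr" { print $10; exit }')
  if [ "$fpr" != "$2" ]; then
    echo "FAIL key fingerprint ${fpr:-unknown} does not match pinned $2"
    return 1
  fi
  gpg --import "$1" >/dev/null 2>&1 && echo "OK   imported key $fpr"
}
# Afterwards: gpg --verify SHA256SUMS.sig SHA256SUMS && sha256sum -c --ignore-missing SHA256SUMS

# 2.5: apply security updates automatically; feature updates wait for a
# change window. Debian/Ubuntu (apt) and Fedora/RHEL (dnf) fragments.
print_auto_update_config() {
  cat <<'EOF'
# /etc/apt/apt.conf.d/20auto-upgrades
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Unattended-Upgrade "1";

# /etc/apt/apt.conf.d/50unattended-upgrades (security origin only)
Unattended-Upgrade::Allowed-Origins {
    "${distro_id}:${distro_codename}-security";
};
Unattended-Upgrade::Remove-Unused-Dependencies "true";

# /etc/dnf/automatic.conf, then: systemctl enable --now dnf-automatic.timer
[commands]
upgrade_type = security
apply_updates = yes
EOF
}

# Constructed demo: a fake artifact whose digest stands in for the published
# value, then a tampered copy that must be rejected.
demo_verify() {
  tmp=$(mktemp -d)
  printf 'release tarball contents (constructed)\n' >"$tmp/tool.tar.gz"
  published=$(sha256sum "$tmp/tool.tar.gz" | cut -d' ' -f1)
  verify_sha256 "$tmp/tool.tar.gz" "$published"           # OK
  printf 'x' >>"$tmp/tool.tar.gz"                           # simulate tampering
  verify_sha256 "$tmp/tool.tar.gz" "$published" || true    # FAIL
  rm -rf "$tmp"
}
demo_verify
```

The digest check is only as good as the channel the expected value came from; a SHA256SUMS file fetched from the same mirror as the tarball proves nothing unless its detached signature verifies against the pinned key.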
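Worked example for section 3 (Network Security), added here and not part of the certifiedsecure.com checklist: a default-deny nftables ruleset that filters both directions, drops forwarded traffic and admits only the ICMP types a host needs (3.2, 3.4, 3.5, 3.6), followed by two audit functions that read captured `sysctl -a` and `ss -tlnH` output and report forwarding settings and listeners that violate 3.1 and 3.6. The open ports, the allowlist and the two sample captures are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from certifiedsecure.com: a default-deny nftables ruleset
# for items 3.2, 3.4, 3.5 and 3.6, and two offline audit functions that read a
# captured `sysctl -a` and `ss -tlnH` listing and report deviations from 3.1
# and 3.6. Ports, interfaces and the sample captures are constructed.

# 3.4 default deny, 3.5 egress filtered, 3.6 no forwarding, 3.2 minimal ICMP.
# Review, then apply as root with:  print_nft_ruleset | nft -f -
print_nft_ruleset() {
  cat <<'EOF'
flush ruleset
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop
    icmp type { echo-request, destination-unreachable, time-exceeded } limit rate 10/second accept
    icmpv6 type { echo-request, destination-unreachable, packet-too-big, time-exceeded, nd-neighbor-solicit, nd-neighbor-advert } accept
    tcp dport 22 ct state new limit rate over 6/minute drop
    tcp dport { 22, 443 } ct state new accept
  }
  chain forward {
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    type filter hook output priority 0; policy drop;
    oif "lo" accept
    ct state established,related accept
    udp dport { 53, 123 } accept
    tcp dport { 53, 80, 443 } accept
  }
}
EOF
}

# 3.6: forwarding, redirects and source routing must be off on a host that
# is not a router. Reads `sysctl -a` output on stdin.
audit_sysctl() {
  dump=$(cat)
  for key in net.ipv4.ip_forward net.ipv6.conf.all.forwarding \
             net.ipv4.conf.all.accept_redirects net.ipv4.conf.all.send_redirects \
             net.ipv4.conf.all.accept_source_route; do
    val=$(printf '%s\n' "$dump" | sed -n "s/^$key = //p")
    [ "${val:-missing}" = "0" ] || echo "FAIL 3.6: $key = ${val:-missing} (expected 0)"
  done
  return 0
}

# 3.1: every listening TCP socket must be on the allowlist. Reads `ss -tlnH`
# on stdin (fourth column is local address:port, sixth the owning process).
audit_listeners() {  # $1: space-separated allowed ports
  awk -v allowed="$1" '
    BEGIN { n = split(allowed, a, " "); for (i = 1; i <= n; i++) ok[a[i]] = 1 }
    NF >= 4 { n = split($4, f, ":"); port = f[n]
              if (!(port in ok)) printf "FAIL 3.1: unexpected listener %s %s\n", $4, $6 }'
}

# Constructed captures (not from a real host) so the audit runs offline.
sample_sysctl() {
  cat <<'EOF'
net.ipv4.ip_forward = 1
net.ipv6.conf.all.forwarding = 0
net.ipv4.conf.all.accept_redirects = 1
net.ipv4.conf.all.send_redirects = 0
net.ipv4.conf.all.accept_source_route = 0
EOF
}
sample_listeners() {
  cat <<'EOF'
LISTEN 0 128 0.0.0.0:22 0.0.0.0:* users:(("sshd",pid=612,fd=3))
LISTEN 0 511 *:443 *:* users:(("nginx",pid=900,fd=6))
LISTEN 0 128 127.0.0.1:6379 0.0.0.0:* users:(("redis-server",pid=1020,fd=7))
LISTEN 0 50 [::]:111 [::]:* users:(("rpcbind",pid=400,fd=5))
EOF
}

sample_sysctl | audit_sysctl                       # 2 findings
sample_listeners | audit_listeners "22 443 6379"   # rpcbind on 111 is extraneous
```

On a real host run `sysctl -a | audit_sysctl` and `ss -tlnH | audit_listeners "22 443"` (repeat with `ss -ulnH` for UDP). The SSH rate limit in the ruleset is global rather than per source, which is the simplest form of 4.7 at the network layer; per-source limiting needs a dynamic set, and either variant should be sized so that 8.2 (no self-inflicted denial of service) still holds.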
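Worked example for section 4 (Authentication and Authorization), added here and not part of the certifiedsecure.com checklist: an `sshd_config` audit for 4.4, 4.7 and 4.8 that respects how sshd actually resolves directives (first occurrence wins, values after a `Match` line are conditional), the hardened drop-in the audit expects, and the `pam_faillock` stanza that rate-limits password logins for every PAM service (4.7). The required values, the `ssh-users` group and the sample configuration are assumptions.

```shell
#!/bin/sh
# Added example, not from certifiedsecure.com: an sshd_config audit for items
# 4.4, 4.7 and 4.8, the hardened drop-in it expects, and the pam_faillock
# lines that rate-limit password logins (4.7). The policy values, the group
# name and the sample configuration are assumptions.

# Directive, required value, checklist item. Numeric values are maxima.
SSHD_POLICY='PermitRootLogin no 4.8
PasswordAuthentication no 4.4
PermitEmptyPasswords no 4.4
MaxAuthTries 3 4.7
LoginGraceTime 30 4.7
X11Forwarding no 3.1'

# sshd uses the first occurrence of a directive (keywords case-insensitive),
# and everything after the first Match line is conditional, so the global
# value is whatever appears before it.
sshd_global_value() {  # $1: config file, $2: directive
  awk -v d="$2" 'tolower($1) == "match" { exit }
                 tolower($1) == tolower(d) { print $2; exit }' "$1"
}

audit_sshd_config() {  # $1: sshd_config path; prints one FAIL line per finding
  printf '%s\n' "$SSHD_POLICY" | while read -r directive required item; do
    actual=$(sshd_global_value "$1" "$directive")
    if [ -z "$actual" ]; then
      echo "FAIL $item: $directive not set; set $required explicitly, distro defaults differ"
      continue
    fi
    case $required in
      *[!0-9]*)                                   # keyword: exact match
        [ "$actual" = "$required" ] \
          || echo "FAIL $item: $directive $actual (expected $required)" ;;
      *)                                          # number: at most
        case $actual in
          *[!0-9]*) echo "FAIL $item: $directive $actual is not a number" ;;
          *) [ "$actual" -le "$required" ] \
               || echo "FAIL $item: $directive $actual (expected at most $required)" ;;
        esac ;;
    esac
  done
}

# Hardened drop-in. Debian/Ubuntu and RHEL 9 ship
# "Include /etc/ssh/sshd_config.d/*.conf" at the top of sshd_config, so the
# values here win over the main file. Verify with: sshd -T | grep -i rootlogin
print_sshd_hardening() {
  cat <<'EOF'
# /etc/ssh/sshd_config.d/10-hardening.conf
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
PubkeyAuthentication yes
MaxAuthTries 3
LoginGraceTime 30
X11Forwarding no
AllowGroups ssh-users
EOF
}

# 4.7 for password logins (console, su, any PAM service): lock the account
# for 15 minutes after 5 failures. Order matters, preauth must come first.
print_faillock_pam() {
  cat <<'EOF'
# auth section of /etc/pam.d/common-auth (Debian) or system-auth (RHEL)
auth    required      pam_faillock.so preauth silent deny=5 unlock_time=900
auth    sufficient    pam_unix.so
auth    [default=die] pam_faillock.so authfail deny=5 unlock_time=900
auth    sufficient    pam_faillock.so authsucc deny=5 unlock_time=900
EOF
}

# Constructed sample: a stock config with root password login opened up.
sample_weak_sshd_config() {
  cat <<'EOF'
Port 22
PermitRootLogin yes
PasswordAuthentication yes
MaxAuthTries 6
X11Forwarding yes
Subsystem sftp /usr/lib/openssh/sftp-server
Match User backup
    PasswordAuthentication no
EOF
}

tmp=$(mktemp); sample_weak_sshd_config >"$tmp"; audit_sshd_config "$tmp"; rm -f "$tmp"   # 6 findings
```

Auditing the file is a first pass; the authoritative view is `sshd -T`, which prints the effective configuration after all includes and defaults. Disabling root login (4.8) only helps if administrators have individual accounts and use `sudo`, which also gives 6.3 a per-user trail.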
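Worked example for items 5.13, 5.14, 5.16 and 6.1, added here and not part of the certifiedsecure.com checklist: a permission audit that finds world-writable entries, setuid binaries, readable secrets and world-readable logs, plus the `umask` and `tmpfiles.d` settings that keep new files restrictive and purge scratch data. The secret-file name patterns, the paths and the fixture tree it runs on are assumptions.

```shell
#!/bin/sh
# Added example, not from certifiedsecure.com: an offline permission audit for
# items 5.14 and 6.1, the umask and tmpfiles.d settings behind 5.13 and 5.16,
# and a constructed directory tree to run it on. Paths, the secret-file name
# patterns and the fixture contents are assumptions.

# Reports world-writable entries without the sticky bit, setuid/setgid
# binaries, key material or .env files readable by group or others, and log
# files readable by everyone. Needs GNU find (-perm /mode). Scan / on a host.
audit_permissions() {  # $1: root of the tree to scan
  find "$1" -xdev \( -type f -o -type d \) -perm -0002 ! -perm -1000 -print 2>/dev/null \
    | sed 's/^/FAIL 5.14: world-writable without sticky bit: /'
  find "$1" -xdev -type f \( -perm -4000 -o -perm -2000 \) -print 2>/dev/null \
    | sed 's/^/WARN 1.1: setuid\/setgid binary, justify or strip: /'
  find "$1" -xdev -type f \( -name '*.key' -o -name '*.pem' -o -name '.env' \
       -o -name 'id_rsa' -o -name 'id_ed25519' \) -perm /077 -print 2>/dev/null \
    | sed 's/^/FAIL 5.14: secret readable by group or others: /'
  [ -d "$1/var/log" ] && find "$1/var/log" -xdev -type f -perm -0004 -print 2>/dev/null \
    | sed 's/^/FAIL 6.1: log readable by everyone: /'
  return 0
}

# 5.13: new files default to rw-r----- for login sessions, shells and daemons.
print_umask_config() {
  cat <<'EOF'
# /etc/login.defs
UMASK 027
# /etc/profile.d/umask.sh
umask 027
# [Service] section of the unit file for each daemon
UMask=0027
EOF
}

# 5.16: systemd-tmpfiles creates the scratch directory with tight permissions
# and, from systemd-tmpfiles-clean.timer (daily), removes entries older than 1d.
print_tmpfiles_rule() {
  cat <<'EOF'
# /etc/tmpfiles.d/app-scratch.conf
D /var/tmp/app 0750 app app 1d
EOF
}

# Constructed fixture: a miniature tree with the mistakes the audit should
# catch and one correctly protected key. Prints the root path.
make_sample_tree() {
  d=$(mktemp -d)
  mkdir -p "$d/etc/app" "$d/var/www/uploads" "$d/var/log"
  printf 'DB_PASSWORD=constructed\n' >"$d/etc/app/.env"; chmod 644 "$d/etc/app/.env"
  : >"$d/etc/app/server.key";        chmod 600 "$d/etc/app/server.key"
  : >"$d/var/www/uploads/notes.txt"; chmod 666 "$d/var/www/uploads/notes.txt"
  chmod 777 "$d/var/www/uploads"
  : >"$d/var/log/auth.log";          chmod 644 "$d/var/log/auth.log"
  printf '%s\n' "$d"
}

root=$(make_sample_tree); audit_permissions "$root"; rm -rf "$root"   # 4 findings
```

The umask only governs files created from then on, so run the audit after changing it and fix what is already there; a world-writable upload directory needs the sticky bit (1777) or, better, ownership by the service account with 0750, which is what 5.14 asks for.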
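Worked example for items 5.3, 5.5, 5.6 and the DNS items 3.9, 5.7 and 7.5, added here and not part of the certifiedsecure.com checklist: an offline audit of an nginx TLS server block (legacy protocols, weak or catch-all cipher tokens, missing HSTS), the hardened snippet it expects, and the zone records and BIND options that restrict issuance, zone transfers and enable signing. Certificate trust and expiry (5.5) cannot be judged from the config file, so the live `openssl` and `dig` checks are listed as comments. The domain, CA, addresses, paths and both sample configurations are constructed.

```shell
#!/bin/sh
# Added example, not from certifiedsecure.com: an offline audit of an nginx
# TLS configuration for items 5.3, 5.5 and 5.6, the hardened snippet it
# expects, and the zone records and named.conf options behind 3.9, 5.7 and
# 7.5. The domain, CA, addresses, paths and sample configs are constructed.

# First value of nginx directive $2 in file $1, without the trailing ';'.
nginx_directive() {
  sed -n "s/^[[:space:]]*$2[[:space:]]\{1,\}\([^;]*\);.*/\1/p" "$1" | head -n 1
}

# 5.6: only TLS 1.2/1.3 and no weak or catch-all cipher tokens; 5.3: HSTS so
# browsers stop using the plaintext port. Prints one FAIL line per finding.
audit_nginx_tls() {  # $1: server block or include holding the ssl_* directives
  protos=$(nginx_directive "$1" ssl_protocols)
  [ -n "$protos" ] || echo "FAIL 5.6: ssl_protocols not set (older nginx enables TLSv1/TLSv1.1 by default)"
  for p in $protos; do
    case $p in TLSv1.2|TLSv1.3) ;; *) echo "FAIL 5.6: legacy protocol $p enabled" ;; esac
  done
  ciphers=$(nginx_directive "$1" ssl_ciphers | tr -d "\"'")
  for tok in $(printf '%s\n' "$ciphers" | tr ':' ' '); do
    case $tok in
      !*|-*) ;;   # exclusions such as !aNULL are fine
      ALL|DEFAULT|COMPLEMENTOFDEFAULT|*RC4*|*DES*|*MD5*|*NULL*|*EXPORT*|*ADH*|*AECDH*|*PSK*)
        echo "FAIL 5.6: weak or catch-all cipher token $tok" ;;
    esac
  done
  grep -qi '^[[:space:]]*add_header[[:space:]]\{1,\}Strict-Transport-Security' "$1" \
    || echo "FAIL 5.3: no Strict-Transport-Security header"
  return 0
}

# Constructed weak server block: old nginx defaults plus a self-signed cert.
sample_weak_nginx() {
  cat <<'EOF'
server {
    listen 443 ssl;
    ssl_certificate     /etc/ssl/certs/selfsigned.pem;
    ssl_certificate_key /etc/ssl/private/selfsigned.key;
    ssl_protocols TLSv1 TLSv1.1 TLSv1.2;
    ssl_ciphers ALL:!aNULL:!MD5;
    ssl_prefer_server_ciphers on;
}
EOF
}

# Hardened snippet: AEAD ECDHE suites only, so client preference is safe.
print_nginx_tls_hardening() {
  cat <<'EOF'
# /etc/nginx/snippets/tls.conf, included from every "listen 443 ssl" server block
ssl_protocols TLSv1.2 TLSv1.3;
ssl_ciphers ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-CHACHA20-POLY1305:ECDHE-RSA-CHACHA20-POLY1305;
ssl_prefer_server_ciphers off;
ssl_ecdh_curve X25519:prime256v1;
ssl_session_tickets off;
add_header Strict-Transport-Security "max-age=63072000; includeSubDomains" always;
EOF
}

# 5.7 CAA, 7.5 transfers only to the secondary, 3.9 BIND 9.16+ signing.
print_dns_hardening() {
  cat <<'EOF'
; example.com zone file (addresses from documentation ranges)
example.com.   IN CAA 0 issue "letsencrypt.org"
example.com.   IN CAA 0 issuewild ";"
example.com.   IN CAA 0 iodef "mailto:security@example.com"

// named.conf
options { allow-transfer { none; }; };
zone "example.com" {
    type primary;
    file "/var/named/example.com.zone";
    allow-transfer { 192.0.2.53; };
    dnssec-policy default;
    inline-signing yes;
};
EOF
}

# Live checks, not run here:
#   openssl s_client -connect example.com:443 -servername example.com </dev/null 2>/dev/null \
#     | openssl x509 -noout -issuer -dates                  # 5.5: trusted issuer, not expired
#   openssl s_client -tls1_1 -connect example.com:443 </dev/null   # 5.6: must fail
#   dig +short CAA example.com                                      # 5.7
#   dig @ns1.example.com example.com AXFR                           # 7.5: "Transfer failed."
#   dig +dnssec example.com A | grep -c RRSIG                       # 3.9: > 0

tmp=$(mktemp); sample_weak_nginx >"$tmp"; audit_nginx_tls "$tmp"; rm -f "$tmp"   # 4 findings
```

The cipher-token check is a string heuristic; the ground truth is `openssl ciphers -v '<list>'`, which expands the list to the suites OpenSSL will actually offer. Once every host is on the hardened snippet, verify 5.3 from the outside as well: port 80 should do nothing but redirect to HTTPS.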