I am aware that this sort of thing has been done before, but I just wanted to give it a go myself and hopefully pick up on some points that may have been missed or overlooked in the past. If it's "been done before" and not helpful then just ignore it :)
With all security it is important to master the basics as well as more advanced points ..
Security is a way of life!
Administrators
Before installing it is important to PLAN! One of my favourite sayings is "PLANNING, PLANNING, PLANNING!" What this means is that before you go on to install an OS onto a server, or any machine for that matter, you should work out:
Naming conventions (for the systems, domain, printers, users {firstname.lastname})
Software to be installed and where (do not install unnecessary software {it wastes resources and every extra package is more to patch and more to attack})
Services that will be running (once again only the necessary ones)
Who has access to what
Partitions
Passwords
Incident response plan ("Illegal access has been gained to my server! What do I do?")
What OS you are going to install
A written security policy that is read and signed by every user before they have access to the domain
A plan for when the servers need to be shut down (Do you send net sends to warn the users to save their data at 60 minutes, then 15 minutes, then 5 minutes before shutdown?)
How are you going to run backups? Incrementals during the week, then full backups on Friday nights? (And have you tested that a restore actually works?)
Once you have planned everything out in writing and checked it, the installation runs a lot smoother and faster than if you were making it up as you go.
Once you have your network up and running
RESTRICT physical access to servers (Only those who need to be there and use them have access {keep the number of people to a minimum})
Set BIOS passwords for the workstations AND servers and ensure only the HDD is in the boot path (This stops users booting from removable media and using programs like BLUCON to gain admin access to the local machine)
Give users non-privileged accounts; they do not need admin accounts (Use admin accounts only when necessary, and even then only for the admin task itself)
Use a firewall so that even if users do install software it can't reach the outside world
Regularly scan for new installations or differences you do not know about (Keep a known-good baseline to compare against; without one you can't tell what changed)
When upgrading software, test it and ensure it works 100% the way it is meant to before implementing it
Use secure passwords (Do not use "password" as your password) and do not stick your password to your monitor on a sticky note
Keep your servers up to date with new patches and upgrades (Check daily - Don't get caught out insecure)
Use a virus scanner. Viruses on the network are not wanted and can cause all sorts of problems
Log EVERYTHING and more importantly MONITOR your logs
Educate your users
Encrypt sensitive data. Encrypt not-so-sensitive data as well if you like
Don't let users share accounts (This should be in your security policy, which they read and acknowledge before they can use the network)
If you can, don't keep sensitive data on a network connected to the outside
If you notice anything suspect, report it; don't just let it go. It could escalate further down the track (Educate users to report as well)
Run TRUSTED software
Run tests on your own network (From the inside and the outside)
Trust No-one and Don't piss people off if you can help it
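A small example of the "scan for differences you do not know about" point. This is added here and is not part of the original post: it hashes every regular file under a directory into a baseline, and on later runs reports what was added, removed or modified. The directory and file names in demo() are constructed for illustration; point snapshot() at your own system and binary directories.

```python
"""Baseline-and-diff check for files you did not change yourself.

Added example, not from the original post: hash every regular file under a
directory into a trusted baseline, then on later runs report anything added,
removed or modified. The directory layout and file names in demo() are
constructed for illustration.
"""
import hashlib
import json
import os
import tempfile
from typing import Dict, List


def hash_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large binaries do not sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def snapshot(root: str) -> Dict[str, str]:
    """Map each regular file under root (path relative to root) to its hash.

    Symlinks are skipped so a link pointing outside the tree cannot make the
    scan read arbitrary files; add the link targets explicitly if you need them.
    """
    files: Dict[str, str] = {}
    for dirpath, _dirs, names in os.walk(root):
        for name in names:
            full = os.path.join(dirpath, name)
            if os.path.islink(full) or not os.path.isfile(full):
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            files[rel] = hash_file(full)
    return files


def diff(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Split the two snapshots into added / removed / modified paths."""
    both = set(baseline) & set(current)
    return {
        "added": sorted(set(current) - set(baseline)),
        "removed": sorted(set(baseline) - set(current)),
        "modified": sorted(p for p in both if baseline[p] != current[p]),
    }


def save_baseline(snap: Dict[str, str], path: str) -> None:
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_baseline(path: str) -> Dict[str, str]:
    with open(path) as f:
        return json.load(f)


def demo() -> Dict[str, List[str]]:
    """Constructed scenario: baseline three files, then change one, delete one, add one."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        for name, data in (("a.txt", b"alpha"), ("b.txt", b"bravo"), ("c.txt", b"charlie")):
            with open(os.path.join(root, name), "wb") as f:
                f.write(data)
        baseline_path = os.path.join(store, "baseline.json")  # keep it outside the scanned tree
        save_baseline(snapshot(root), baseline_path)

        # Something changes on the box after the baseline was taken.
        with open(os.path.join(root, "b.txt"), "wb") as f:
            f.write(b"bravo, but not the bravo you approved")
        os.remove(os.path.join(root, "c.txt"))
        with open(os.path.join(root, "d.txt"), "wb") as f:
            f.write(b"new and unexplained")

        return diff(load_baseline(baseline_path), snapshot(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two things to get right when you use this for real: keep the baseline somewhere an intruder on the box cannot rewrite it (read-only or offline media, or sign it), otherwise they simply re-baseline after their changes; and treat a hit as a question to answer, not proof of a break-in, since patching also changes files.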
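And one for "log EVERYTHING and MONITOR your logs", since logs nobody reads are just disk usage. This is an added example, not from the original post: it reads syslog-style sshd lines, alerts when one source address racks up a run of failed logons inside a short window, and raises a louder alert if a logon from that same source then succeeds (a guess that worked). The lines in SAMPLE_LOG are constructed; the format is the common OpenSSH/syslog one, and the year is assumed because syslog timestamps do not carry one.

```python
"""Watch authentication logs for password guessing and for a guess that worked.

Added example, not from the original post: parse syslog-style sshd lines,
raise an alert when one source address produces THRESHOLD failed logons
inside WINDOW_SECONDS, and raise a second, louder alert if a logon from that
source then succeeds. SAMPLE_LOG is constructed; the year is an assumption.
"""
import re
from collections import defaultdict, deque
from datetime import datetime
from typing import Deque, Dict, Iterable, List

THRESHOLD = 5        # failures from one source ...
WINDOW_SECONDS = 60  # ... inside this many seconds trips an alert

_TS = r"(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d\d:\d\d:\d\d)"
FAILED = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Failed password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
ACCEPTED = re.compile(
    _TS + r" \S+ sshd\[\d+\]: Accepted \S+ for (?P<user>\S+) from (?P<src>\S+)"
)


def parse_ts(text: str, year: int = 2024) -> datetime:
    """Syslog timestamps carry no year; the caller supplies it (assumed 2024 here)."""
    return datetime.strptime(f"{year} {text}", "%Y %b %d %H:%M:%S")


def find_alerts(lines: Iterable[str], threshold: int = THRESHOLD,
                window: int = WINDOW_SECONDS) -> List[str]:
    """Return alert strings, in log order, for the given lines."""
    recent: Dict[str, Deque[datetime]] = defaultdict(deque)  # src -> failure times in window
    tripped = set()  # sources already reported, so one burst gives one alert
    alerts: List[str] = []
    for line in lines:
        m = FAILED.match(line)
        if m:
            src, ts = m["src"], parse_ts(m["ts"])
            q = recent[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window:  # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and src not in tripped:
                tripped.add(src)
                alerts.append(f"BRUTE_FORCE src={src} failures={len(q)} within {window}s")
            continue
        m = ACCEPTED.match(line)
        if m:
            src, ts = m["src"], parse_ts(m["ts"])
            prior = [t for t in recent.get(src, ()) if (ts - t).total_seconds() <= window]
            if prior:  # a success right after a run of failures from the same place
                alerts.append(
                    f"SUCCESS_AFTER_FAILURES user={m['user']} src={src} prior_failures={len(prior)}"
                )
    return alerts


# Constructed sample: one address guessing at root, one normal key logon, one stray typo.
SAMPLE_LOG = """\
Jan 10 03:14:01 srv1 sshd[2001]: Failed password for root from 10.0.0.5 port 4422 ssh2
Jan 10 03:14:03 srv1 sshd[2001]: Failed password for root from 10.0.0.5 port 4422 ssh2
Jan 10 03:14:05 srv1 sshd[2002]: Failed password for invalid user admin from 10.0.0.5 port 4423 ssh2
Jan 10 03:14:06 srv1 sshd[2003]: Accepted publickey for alice from 192.168.1.7 port 51000 ssh2
Jan 10 03:14:08 srv1 sshd[2004]: Failed password for root from 10.0.0.5 port 4424 ssh2
Jan 10 03:14:09 srv1 sshd[2005]: Failed password for bob from 192.168.1.20 port 50022 ssh2
Jan 10 03:14:11 srv1 sshd[2006]: Failed password for root from 10.0.0.5 port 4425 ssh2
Jan 10 03:14:13 srv1 sshd[2007]: Failed password for root from 10.0.0.5 port 4426 ssh2
Jan 10 03:14:30 srv1 sshd[2008]: Accepted password for root from 10.0.0.5 port 4427 ssh2
""".splitlines()

if __name__ == "__main__":
    for alert in find_alerts(SAMPLE_LOG):
        print(alert)
```

The second alert is the one to act on first: a burst of failures is noise you will see every day, but a success from the same address right after it means a password was guessed or a lockout is missing. Ship the logs off the box before you watch them; an intruder with root edits the local copy.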
Hope this helps anyone who wants to build, or has ever built, a network
