Open IT Forum: What are your suggestions for server hardening?
Do you have a checklist or a favorite set of server hardening tools in your arsenal? Share with us what you think are the most important considerations when creating a server security baseline. Be sure to include what hardware and software you're using! Helpful suggestions and innovative ideas will earn you a whopping 100 knowledge points! Hurry, the Xbox contest is coming to a close...

ASKED: December 8, 2010  3:27 PM
UPDATED: December 13, 2010  4:08 PM

Answer Wiki:
On my side, we use hardening guides for Windows, SQL and AS400.
Last Wiki Answer Submitted:  December 9, 2010  6:17 am  by  jinteik   15,485 pts.
All Answer Wiki Contributors:  jinteik   15,485 pts.


Discuss This Question:


 

Check out the CIS security benchmarks – this is a very extensive list of suggested hardening criteria for many platforms. Per the CIS website:

The Security Configuration Benchmarks are distributed free of charge to propagate their worldwide use and adoption as user-originated, de facto standards.

The CIS Benchmarks are the only consensus-based, best-practice security configuration guides both developed and accepted by government, business, industry, and academia.

The Benchmarks are:

• Recommended technical control rules/values for hardening operating systems, middleware and software applications, and network devices;
• Unique, because the recommendations are defined via consensus among hundreds of security professionals worldwide;
• Downloaded several hundred thousand times per year;
• Distributed free of charge by CIS in .PDF format (many benchmarks are also available to CIS Members in XCCDF, a machine-readable XML format for use with benchmark audit tools and Members' custom scripts);
• Used by thousands of enterprises as the basis for security configuration policies and the de facto standard for IT configuration best practices.
 32,645 pts.

 

These are some basic actions that should be taken independently of the platform:

-Don’t connect the server to an insecure network until it has been properly hardened
-Install the latest service pack for the OS and all applicable updates to the applications running on it.
-Lock/disable/delete any unnecessary user accounts
-Stop and disable any unnecessary services/daemons
-Change all default passwords and default configurations (OS and applications)
-Use the principle of least privilege regarding user accounts.
-Set a password complexity policy
-Configure the OS to lock the session after a certain inactivity period.
-Install and configure a software firewall
-Install antivirus/antispyware software
-Consider enabling auditing of some events
-Consider setting a policy to review event logs periodically

—————–

Melanie, can you share with us what ITKE did to harden the new servers? ;-)

 63,535 pts.

 

Forgot to post this link:

Microsoft Security Compliance Manager:

Brief Description

“The Microsoft Security Compliance Manager provides centralized security baseline management features, a baseline portfolio, customization capabilities, and security baseline export flexibility to accelerate your organization’s ability to efficiently manage the security and compliance process for the most widely used Microsoft technologies”.

 63,535 pts.

 

From my point of view...
Preparing the Infrastructure: A server should never be installed without a purpose. Usually, the purpose is to provide one or more network services to a group of users. The server and the services it provides must be placed in a proper environment.
Customize / Minimize Server installation: Most distros provide a minimal installation option. You can select this option during the initial installation process and it will install a minimal build on the system.
Selecting the Services: After installation, be aware that most distros initialize a lot of unnecessary services. To overcome this, use the built-in configuration management tool to reconfigure services. Remember, the CMT varies from one distro to another.
Remote Management: Be extra careful when configuring remote services. An important service to retain is the secure shell (SSH), which allows secure remote management of hosts.
Firewall: This is a very crucial stage; restrict the services, which can provide a safer zone for the server.
Password Policy: One of the best defenses against compromise of a user account is a solid password policy. Ensure that users understand that simple passwords are easily guessable and should not be used.
Keep Packages up-to-date: A proactive policy is the best line of defense; it is always better to anticipate a disaster than to have to recover from one which could have been prevented (as the popular proverb says, “Prevention is better than cure”). One of the best things you can do to protect hosts from attack is to keep them up-to-date.

Thanks !

 22,035 pts.

 


 

The US DoD Information Assurance Support group offers Security Technical Information Guides that provide the checklists for computer security from the US Government.

 630 pts.