Posted by: Eric Hansen
Then: #16: Use A Centralized Authentication Service
A “centralized authentication service” is only useful if it’s not a single point of failure. It’s an issue I think most people overlook, too.
It’s nice having LDAP installed and being able to authenticate against it, but if you only have one instance of it running, what happens when the server goes down? No one can authenticate.
Safest bet would be to prioritize authentication: LDAP server (for example) and then allow system login if that doesn’t work.
Then: #17: Logging and Auditing
There’s so many tools out there now to help with this. OSSEC is a good log and filesystem monitoring service, Nagios is de-facto system monitoring and alerting, and auditing is becoming such a huge field as well. This, inline with tighter security practices, will most likely be your move viable answer to staying secure.
Then: #18: Secure OpenSSH Server
The use of PAM, firewall configuration and protocol 2 will make this a piece of cake to accomplish.
Of course, adding in SSH keys is nice, too.
Then: #19: Install And Use Intrusion Detection System
I love IDS and IPS solutions, but not every instance needs one.
If you have a firewall placed before the Intranet, you already cut out a lot of the job. Continue that with proper auditing solutions and you have a pretty robust solution. Also, until something like OpenVAS for IDS/IPS comes along, I’m not sure how beneficial a free solution will be (its not always easy talking your CFO into buying a license for something they don’t understand).
Then: #20: Protecting Files, Directories and Email
Goes in line with the auditing and securing this and that, but again, addressing points.
Proper audit solutions and system management will make this a piece of cake.