selvalives

Untitled

Aug 28th, 2019
secure deployment
-last phase, and the first where the system administrator gets involved
-configuration mistakes can lead to vulnerabilities and attacks
-compare the package checksum taken before delivery with one taken after delivery to detect tampering in transit

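As an added worked example of the checksum step (not part of the original notes): the publisher records a SHA-256 manifest in the sha256sum text format ("hex  filename") before delivery, and the administrator recomputes the digest after delivery and compares. The package, the manifest and the tampering are all constructed inline so the script runs offline; the manifest format is the real GNU coreutils one, everything else (file names, helper names) is an assumption made here.

```python
"""Verify a delivered package against the checksum recorded before delivery.

Added example, not part of the original notes. Assumes the publisher ships a
SHA-256 manifest in sha256sum text format ("<hex>  <filename>").
"""
import hashlib
import hmac
import os
import tempfile


def sha256_of_file(path, chunk_size=1 << 20):
    """Stream the file so large packages do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def parse_manifest(text):
    """Parse sha256sum-style lines into {filename: hexdigest}.

    Accepts both the text-mode ("<hex>  name") and binary-mode ("<hex> *name")
    forms written by GNU coreutils; blank lines and '#' comments are ignored.
    A line whose digest is not 64 hex characters is rejected rather than
    silently skipped, so a damaged manifest cannot pass as "no entry".
    """
    expected = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        digest, _, name = line.partition(" ")
        name = name.lstrip(" *")
        digest = digest.lower()
        if len(digest) != 64 or any(c not in "0123456789abcdef" for c in digest):
            raise ValueError(f"malformed manifest line: {line!r}")
        expected[name] = digest
    return expected


def verify_package(path, manifest_text):
    """Return True only if the file's digest matches its manifest entry.

    hmac.compare_digest keeps the comparison constant-time; a package that
    has no manifest entry at all is treated as a failure, not as "unknown".
    """
    expected = parse_manifest(manifest_text)
    name = os.path.basename(path)
    if name not in expected:
        return False
    return hmac.compare_digest(sha256_of_file(path), expected[name])


def demo():
    """Constructed package and manifest; returns (untampered_ok, tampered_ok)."""
    with tempfile.TemporaryDirectory() as d:
        pkg = os.path.join(d, "app-1.0.tar.gz")  # hypothetical package name
        with open(pkg, "wb") as f:
            f.write(b"pretend this is the release tarball\n")
        # Manifest written "before delivery", as `sha256sum app-1.0.tar.gz` would
        manifest = f"{sha256_of_file(pkg)}  app-1.0.tar.gz\n"
        untampered_ok = verify_package(pkg, manifest)
        # Simulate tampering in transit: overwrite a single byte of the package
        with open(pkg, "r+b") as f:
            f.seek(8)
            f.write(b"X")
        tampered_ok = verify_package(pkg, manifest)
    return untampered_ok, tampered_ok


if __name__ == "__main__":
    print(demo())
```

Caveat a practitioner would add: the comparison only proves the package matches the manifest, so the manifest itself must arrive over a channel the attacker cannot also tamper with (or be signed); a checksum published next to the download on the same server detects corruption, not a compromised server.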
host level security practices
-physical security of the server: ensure it is protected from unauthorized physical access
-harden the server with general things in mind such as:
-verified patches and updates
-remove unused services
-remove unused or insecure protocols
-dedicated accounts, remove unused accounts, enforce a strong password policy
-use the NTFS file system (so file permissions can be applied)
-verify shared directories
-verify open ports and monitor them
-secure the registry by applying Windows ACLs

network level security practices (router)
-router firmware is updated
-unused protocols are removed
-ingress and egress filtering applied: filter both incoming and outgoing packets
-disable unused management interfaces on the router
-web-facing administration is disabled on the router
-unused services are disabled
-all logging is enabled, centralized and secured
-IDS is in place

network level security practices (firewall)
-firewall and OS are patched
-filter only allows the required traffic in both directions
-all permitted and denied traffic is logged

network level security practices (switch)
-security patches are tested and installed
-VLANs should not be over-used or over-trusted as a security boundary
-remove all insecure defaults such as passwords and GUIs
-disable unused services
-switched traffic is encrypted

application level security practices
-a Web Application Firewall (WAF) is needed, as a traditional firewall cannot secure web applications
-a WAF is a rule-based filter that analyzes traffic before it reaches the web application
-firewall protects the network and OS, IDS protects the OS and web server, WAF protects web applications
-a WAF should not replace application security such as authentication and user input validation
-should be monitored and maintained continuously
-if the WAF manages the session itself, it can prevent session fixation and provide anti-automation

web container (tomcat) security practices
-install only what you need
-configure proper passwords
-remove the server banner; check slides for configuration, will appear in exam
-start tomcat with the security manager, which runs web applications in a sandbox so untrusted code cannot perform privileged operations
-configure the default servlet not to serve directory index pages (listings)
-replace the default error pages
-replace server.xml with server-minimal.xml
-protect the shutdown port by disabling it
-setting the port attribute to -1 ensures that only the process owner can shut down tomcat (no TCP shutdown listener)
-restrict access to the tomcat manager applications
-verify maxPostSize: a value of 0 or negative disables the limit

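Added example for the tomcat checklist above (not from the original notes, and not the Tomcat project's code): a small audit that reads a server.xml and a web.xml and reports which of the listed settings are weak. The two pairs of weak and hardened fragments are constructed here for the demonstration; the attribute and element names (Server port, Connector server and maxPostSize, DefaultServlet listings, error-page) are the real Tomcat ones, while the finding texts and function names are this example's own.

```python
"""Audit Tomcat server.xml / web.xml against the hardening checklist.

Added example, not part of the original notes or of Apache Tomcat. The XML
fragments below are constructed for the demonstration; a real conf/web.xml
carries a namespace, which parse_without_namespaces() strips so the same
checks apply.
"""
import xml.etree.ElementTree as ET

WEAK_SERVER_XML = """\
<Server port="8005" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" maxPostSize="-1"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

HARDENED_SERVER_XML = """\
<Server port="-1" shutdown="SHUTDOWN">
  <Service name="Catalina">
    <Connector port="8080" protocol="HTTP/1.1" server="Web" maxPostSize="2097152"/>
    <Engine name="Catalina" defaultHost="localhost">
      <Host name="localhost" appBase="webapps"/>
    </Engine>
  </Service>
</Server>
"""

WEAK_WEB_XML = """\
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>
"""

HARDENED_WEB_XML = """\
<web-app>
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>false</param-value></init-param>
  </servlet>
  <error-page><error-code>404</error-code><location>/error.html</location></error-page>
  <error-page><exception-type>java.lang.Throwable</exception-type><location>/error.html</location></error-page>
</web-app>
"""


def parse_without_namespaces(xml_text):
    """Parse and drop '{namespace}' prefixes so tag names compare by local name."""
    root = ET.fromstring(xml_text)
    for el in root.iter():
        if "}" in el.tag:
            el.tag = el.tag.split("}", 1)[1]
    return root


def audit_server_xml(xml_text):
    """Return a list of findings; an empty list means the server.xml checks pass."""
    findings = []
    root = parse_without_namespaces(xml_text)
    # Shutdown port: -1 removes the TCP listener, so only the OS process owner can stop Tomcat.
    port = root.get("port", "8005")
    if port != "-1":
        findings.append(f'shutdown listener enabled on port {port}; set port="-1"')
    for conn in root.iter("Connector"):
        cport = conn.get("port")
        # Banner: without an explicit server attribute the connector may send its default Server header.
        if "server" not in conn.attrib:
            findings.append(f"connector {cport}: no server attribute, default Server banner may be sent")
        # maxPostSize: omitted means the 2 MB default; 0 or negative disables the limit entirely.
        raw = conn.get("maxPostSize")
        if raw is not None and int(raw) <= 0:
            findings.append(f"connector {cport}: maxPostSize={raw} disables the POST size limit")
    return findings


def audit_web_xml(xml_text):
    """Return a list of findings; an empty list means the web.xml checks pass."""
    findings = []
    root = parse_without_namespaces(xml_text)
    for servlet in root.iter("servlet"):
        if servlet.findtext("servlet-class") != "org.apache.catalina.servlets.DefaultServlet":
            continue
        for param in servlet.iter("init-param"):
            if (param.findtext("param-name") == "listings"
                    and param.findtext("param-value", "").strip().lower() == "true"):
                findings.append("DefaultServlet listings=true serves directory index pages")
    # Stock error pages disclose the Tomcat version and, for 500s, stack traces.
    if root.find("error-page") is None:
        findings.append("no <error-page> entries: stock Tomcat error pages are served")
    return findings


if __name__ == "__main__":
    for label, s, w in (("weak", WEAK_SERVER_XML, WEAK_WEB_XML),
                        ("hardened", HARDENED_SERVER_XML, HARDENED_WEB_XML)):
        print(label, audit_server_xml(s) + audit_web_xml(w))
```

Run it against a real installation by reading conf/server.xml and conf/web.xml into the two audit functions; the manager-application restriction from the checklist lives in the manager's context.xml (a RemoteAddrValve) and is not covered by this script.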
oracle database level security practices
-enforce a password policy
-set password case sensitivity if needed
-lock expired accounts
-implement the least privilege principle
-use password profiles
-disable remote administration
-enable data dictionary protection
-configure encryption on the client and the server (network encryption)
-use Virtual Private Database (VPD) if needed
-Database Vault prevents attacks from insiders (restricts what privileged users such as DBAs can access)
-disable the recycle bin (dropped objects otherwise stay recoverable and readable)
-use auditing as needed, including fine-grained auditing (FGA)