Keep configurations consistent
The most secure organizations have consistent configurations with little deviation between computers of the same role. Most hackers are more persistent than smart. They simply probe and probe, looking for that one hole in thousands of servers that you forgot to fix.
Here, consistency is your friend. Do the same thing, the same way, every time. Make sure the installed software is the same. Don't have 10 ways to connect to the server. If an app or a program is installed, make sure the same version and configuration is installed on every other server of the same class. You want the comparison inspections of your computers to bore the reviewer.
None of this is possible without configuration baselines and rigorous change and configuration control. Admins and users should be taught that nothing gets installed or reconfigured without prior documented approval. But beware frustrating your colleagues with full change committees that meet only once a month. That's corporate paralysis. Find the right mix of control and flexibility, but make sure any change, once ratified, is consistent across computers. And punish those who don't respect consistency.
Remember, we're talking baselines, not comprehensive configurations. In fact, you'll probably get 99 percent of the value out of a dozen or two recommendations. Figure out the settings you really need and forget the rest. But be consistent.
Practice least-privilege access control religiously
"Least privilege" is a security maxim. Yet you'll be hard-pressed to find companies that implement it everywhere they can.
Least privilege involves giving the bare minimum permissions to those who need them to do an essential task. Most security domains and access control lists are full of overly open permissions and very little auditing. The access control lists grow to the point of being meaningless, and no one wants to talk about it because it's become part of the company culture.
Take Active Directory forest trusts. Most companies have them, and they can be set either to selective authentication or full authentication trust. Almost every trust I've audited in the past 10 years (thousands) have been full authentication. And when I recommend selective authentication for all trusts, all I hear back is whining about how hard they are to implement: "But then I have to touch each object and tell the system explicitly who can access it!" Yes, that's the point. That's least privilege.
Access controls, firewalls, trusts -- the most secure companies always deploy least-privilege permissions everywhere. The best have automated processes that ask the resource's owner to reverify permissions and access on a periodic basis. The owner gets an email stating the resource's name and who has what access, then is asked to confirm current settings. If the owner fails to respond to follow-up emails, the resource is deleted or moved elsewhere with its previous permissions and access control lists removed.
Sign up for CIO Asia eNewsletters.