Skip to main content
    Main Menu
    Help & Info
    Company
    Back to Docs
    Getting Started
    Checklist

    Initial Security Configuration

    Essential security settings for new IT deployments. Secure your network from day one with firewall rules, MFA, endpoint protection, and patch management.

    12 min read
    Checklist

    Bottom Line: Getting security right at deployment time prevents expensive fixes later. This checklist covers essential configurations for new IT infrastructure, organized by implementation phase and priority.


    Priority Legend

    Icon Priority Timeline Impact if Skipped
    πŸ”΄ Critical Before go-live Immediate vulnerability; potential breach
    🟑 High Within first week Significant security gap
    🟒 Medium Within first month Reduced security posture

    Phase 1: Pre-Deployment Planning

    Complete these items before purchasing equipment or installing software.

    Risk Assessment & Classification

    • πŸ”΄ Conduct a full risk assessment identifying protection priorities
    • πŸ”΄ Classify critical assets by sensitivity (customer data, financial records, IP)
    • πŸ”΄ Identify applicable compliance requirements (HIPAA, SOX, PCI-DSS, CMMC)
    • 🟑 Document business impact analysis for critical systems

    Policy Documentation

    • πŸ”΄ Create acceptable use policy
    • πŸ”΄ Document password standards and requirements
    • πŸ”΄ Establish access control procedures
    • πŸ”΄ Develop incident response plan
    • 🟑 Define data classification policy
    • 🟑 Create vendor/third-party access policy

    Phase 2: Network Security

    Secure the network perimeter and internal boundaries.

    Firewall Configuration

    Task Priority Verification
    Install firewalls at network perimeter πŸ”΄ Critical Firewall operational, logs flowing
    Configure internal boundary firewalls πŸ”΄ Critical Segmentation rules active
    Block unnecessary ports and protocols πŸ”΄ Critical Port scan confirms closure
    Enable logging and monitoring πŸ”΄ Critical Logs visible in SIEM/monitoring
    Test firewall rules before deployment πŸ”΄ Critical Documented test results

    Firewall Checklist

    • πŸ”΄ Perimeter firewall installed and configured
    • πŸ”΄ Default deny rule implemented (block all, allow specific)
    • πŸ”΄ Guest network completely isolated from business systems
    • πŸ”΄ IoT devices segmented from critical infrastructure
    • 🟑 Intrusion detection/prevention enabled
    • 🟑 GeoIP blocking configured for unnecessary regions

    Network Segmentation

    • πŸ”΄ Configure VLANs for different traffic types (users, servers, guests, IoT)
    • πŸ”΄ Implement 802.1X authentication for device access
    • πŸ”΄ Deploy WPA3 wireless security with strong passwords
    • 🟑 Enable network traffic monitoring
    • 🟒 Document network topology and VLAN assignments

    VPN and Remote Access

    • πŸ”΄ Deploy VPN with AES-256 encryption minimum
    • πŸ”΄ Require multi-factor authentication for all VPN access
    • πŸ”΄ Configure access policies based on user roles
    • 🟑 Test VPN access from outside the network
    • 🟑 Implement split tunneling policy (if applicable)

    Phase 3: Server Hardening

    Secure all server infrastructure before production deployment.

    Operating System Security

    Task Priority Applies To
    Apply all security patches πŸ”΄ Critical All servers
    Disable unnecessary services πŸ”΄ Critical All servers
    Configure secure login policies πŸ”΄ Critical All servers
    Enable audit logging πŸ”΄ Critical All servers
    Install endpoint protection πŸ”΄ Critical All servers

    Server Hardening Checklist

    • πŸ”΄ All security patches applied before production deployment
    • πŸ”΄ Unnecessary services and roles disabled
    • πŸ”΄ Strong password policy enforced
    • πŸ”΄ Account lockout policy configured
    • πŸ”΄ Audit logging enabled for security events
    • πŸ”΄ Endpoint protection installed and updated
    • 🟑 Secure boot enabled (where supported)
    • 🟑 Disk encryption enabled for sensitive data

    Administrative Access

    • πŸ”΄ Create specific administrator accounts (no default admin use)
    • πŸ”΄ Configure sudo/UAC policies properly
    • πŸ”΄ Implement role-based access with minimum required permissions
    • πŸ”΄ Enable account lockout for failed admin login attempts
    • 🟑 Implement privileged access management (PAM) solution
    • 🟑 Require MFA for all administrative access

    Logging and Monitoring

    • πŸ”΄ Configure system logging across all servers
    • πŸ”΄ Centralize logs to SIEM or log management system
    • πŸ”΄ Set up alerting for critical security events
    • 🟑 Monitor for suspicious activities (failed logins, privilege escalation)
    • 🟑 Test incident response procedures

    Phase 4: Application & Database Protection

    Secure all applications and databases before exposing to users.

    Web Application Security

    • πŸ”΄ Enable HTTPS with valid TLS certificates (TLS 1.2+ only)
    • πŸ”΄ Configure web application firewall (WAF)
    • πŸ”΄ Implement input validation on all forms
    • πŸ”΄ Enable security headers (HSTS, CSP, X-Frame-Options)
    • 🟑 Schedule regular vulnerability scanning
    • 🟒 Implement content security policy

    Database Security

    Task Priority Verification
    Change default passwords πŸ”΄ Critical No default credentials active
    Configure strict access controls πŸ”΄ Critical Role-based access verified
    Enable encryption at rest πŸ”΄ Critical Encryption status confirmed
    Set up encrypted backups πŸ”΄ Critical Backup encryption verified
    Configure audit logging 🟑 High Database audit logs flowing

    Database Checklist

    • πŸ”΄ All default passwords changed immediately
    • πŸ”΄ Database not directly accessible from internet
    • πŸ”΄ Strict access controls configured (principle of least privilege)
    • πŸ”΄ Encryption at rest enabled
    • πŸ”΄ Encrypted backups configured
    • 🟑 Database audit logging enabled
    • 🟑 Connection encryption required (TLS)

    Email Security

    • πŸ”΄ Configure spam filtering and malware scanning
    • πŸ”΄ Enable DMARC, DKIM, and SPF records
    • πŸ”΄ Set up encryption for sensitive communications
    • πŸ”΄ Implement data loss prevention (DLP) policies
    • πŸ”΄ Configure reliable email backup/archival

    Phase 5: Endpoint Security

    Protect all user devices accessing company resources.

    Workstation Security

    • πŸ”΄ Install endpoint protection (antivirus/EDR) on every workstation
    • πŸ”΄ Configure automatic security updates
    • πŸ”΄ Enable disk encryption (BitLocker/FileVault)
    • πŸ”΄ Set up automated backups
    • πŸ”΄ Configure user access controls (standard user, not admin)
    • 🟑 Implement application whitelisting
    • 🟑 Configure host-based firewall

    Mobile Device Management (MDM)

    • πŸ”΄ Deploy MDM for all devices accessing company data
    • πŸ”΄ Require device encryption
    • πŸ”΄ Require lock screen with PIN/biometric
    • πŸ”΄ Enable remote wipe capability
    • 🟑 Control application installation
    • 🟑 Monitor device compliance

    Phase 6: Identity & Access Management

    Establish secure identity management from day one.

    Authentication Configuration

    Component Requirement Priority
    Identity Provider Properly configured (AD, Azure AD, Okta) πŸ”΄ Critical
    MFA Enabled for all users πŸ”΄ Critical
    SSO Implemented where possible 🟑 High
    Password Policy Meets security standards πŸ”΄ Critical
    PAM Configured for admin accounts 🟑 High

    Identity Checklist

    • πŸ”΄ Identity provider properly configured
    • πŸ”΄ Multi-factor authentication enabled for all users
    • πŸ”΄ Strong password policy implemented
    • πŸ”΄ Account lockout policy configured
    • 🟑 Single sign-on (SSO) implemented
    • 🟑 Privileged access management for admin accounts

    User Provisioning

    • πŸ”΄ Create standard user templates for common roles
    • πŸ”΄ Implement least privilege access by default
    • πŸ”΄ Configure account lifecycle management
    • 🟑 Document all user administration processes
    • 🟑 Automate onboarding/offboarding where possible

    Phase 7: Data Protection & Backup

    Ensure data is encrypted and recoverable.

    Backup Configuration

    Requirement Minimum Standard Optimal
    Backup Frequency Daily Hourly for critical data
    Backup Verification Weekly test Daily automated verification
    Backup Encryption AES-256 AES-256 with separate key management
    Offsite Storage Weekly rotation Real-time replication
    Restore Testing Quarterly Monthly

    Backup Checklist

    • πŸ”΄ Automated backup solution deployed
    • πŸ”΄ Backups running daily (minimum)
    • πŸ”΄ Backup verification configured
    • πŸ”΄ Backup encryption enabled
    • πŸ”΄ Offsite/cloud backup storage configured
    • πŸ”΄ Restore procedures documented and tested

    Encryption

    • πŸ”΄ Encryption enabled for sensitive data at rest
    • πŸ”΄ Encryption enabled for data in transit (TLS 1.2+)
    • 🟑 Key management procedures documented
    • 🟑 Encryption policy documented with data locations

    Phase 8: Ongoing Management

    Security is not a projectβ€”it's a continuous process.

    Maintenance Schedule

    Activity Frequency Responsible Party
    Vulnerability scans Weekly IT Security
    Security reviews Monthly IT Management
    Access audits Quarterly IT + HR
    Penetration testing Annually External vendor
    Backup restore testing Quarterly IT Operations
    Policy review Annually IT + Legal
    Security training Annually All staff

    Ongoing Checklist

    • πŸ”΄ Weekly vulnerability scans scheduled
    • πŸ”΄ Monthly security review process established
    • πŸ”΄ Quarterly access audit process defined
    • 🟑 Annual penetration testing contracted
    • 🟑 Regular backup testing scheduled
    • 🟑 Security documentation update process defined

    Quick Reference: Implementation Timeline

    Week Focus Area Critical Items
    Pre-deployment Planning Risk assessment, policies, compliance requirements
    Week 1 Core infrastructure Firewall, network segmentation, server hardening
    Week 2 Applications Web apps, databases, email security
    Week 3 Endpoints Workstations, mobile devices, encryption
    Week 4 Identity Authentication, MFA, user provisioning
    Ongoing Maintenance Scanning, audits, testing, documentation

    Compliance Quick Reference

    Regulation Key Security Requirements
    HIPAA Encryption, access controls, audit logs, risk assessment
    SOX Access controls, change management, audit trails
    PCI-DSS Network segmentation, encryption, vulnerability management
    CMMC Access control, identification, incident response
    NIST CSF Identify, Protect, Detect, Respond, Recover

    Key Takeaways

    Getting security right from the start costs a fraction of what retrofitting after a breach does.

    Principle Action
    Defense in Depth Multiple security layers; no single point of failure
    Least Privilege Minimum access required for each role
    Document Everything Configuration, changes, and procedures
    Test and Verify Validate controls work before production
    Continuous Improvement Security is ongoing, not a one-time project
    Was this helpful?
    Get Help

    Related Documentation

    Guide

    IT Infrastructure Setup Guide

    Step-by-step IT infrastructure setup for California businesses: network design, hardware selection, compliance planning, and scalable architecture.

    15 min read
    Tutorial

    Network Configuration Basics

    Business network fundamentals for California SMBs. Learn routing, switching, VLANs, Wi-Fi best practices, and how to design a reliable, secure office network.

    10 min read
    Guide

    User Account Management

    Best practices for managing user accounts, permissions, and access control in business IT. Covers Active Directory, role-based access, and secure offboarding.

    8 min read

    Need Help Implementing This?

    Our technical experts can help you implement these solutions in your environment.