1 Verifying that the deployment process is functionally correct
2 Making sure that the secure deployment documentation is correct and provides best security practices.
3 Validating the permissions and rights required for the different servers and user roles, business users, visitors, editors, publishers, and administrators. This includes:
Secure ACLs on configuration files, registry keys, temporary files, named pipes, murexes and all other securable objects.
Correct configuration of database roles, stored procedures, and service/application accounts
Looking for components running by default when they shouldn’t be
Investigating network ports. Verify IDL files for correctness.
Sensitive data is not exposed in logs, event viewer, remote error messages, traces, and registry keys
Ensure failures are graceful, default system state is access denied (instead of all access) and no critical information is leaked out to client/remote caller.
4 Verify the lockdown templates/settings representing common “server roles” that the product is used in
5 Verifying that the least privilege principle is followed.
6 Verify that the separation of privilege principle is followed.
Secure deployment testing
Filed Under:
Security Testing
Liquidator