Secure defaults checklist
Topic: Security basics
Summary
Use this checklist when deploying a new system or reviewing an existing one: strong auth, least privilege, encryption, logging, and no unnecessary exposure. Covers auth, secrets, permissions, network, and backup security in one pass.
Intent: Checklist
Quick answer
- Auth: MFA for admin and any access to sensitive data; keys or tokens for automation, never passwords embedded in scripts. No default or shared passwords; revoke access promptly when people leave or change roles.
- Secrets and encryption: no secrets in code or in config files that live in the repo; keep them in a vault or secrets manager, or inject them at runtime (environment variables are readable by child processes and can end up in crash dumps, so prefer short-lived credentials pulled from the vault). TLS for all sensitive traffic, internal service and database connections included; encrypt data at rest; keep keys in a KMS or vault, never alongside the data they protect.
- Least privilege and logging: minimum permissions per role; deny by default. Log authentication (successes and failures) and admin actions; centralize logs where the systems that produce them cannot alter them; alert on repeated failures and on privilege changes.
Prerequisites
- What is authentication.
- Least privilege explained.
- Encryption at rest vs in transit.
- Logging for security.
Steps
Step 1: Authentication and access
MFA for admin and sensitive systems; keys or tokens for machine accounts, never passwords in scripts. No default credentials: change vendor defaults before the system is reachable. Revoke access on offboarding and on role change. Check that every account has an owner, a purpose, and the minimum access its role needs; disable accounts that fail that test.
Step 2: Secrets and encryption
No secrets in git or in plain config files; keep them in a vault or secrets manager and inject them at runtime. Treat anything that was ever committed as exposed: rotate it, do not just delete the line, because it stays in history. TLS for HTTP, API and database connections, internal ones included; encrypt data at rest. Keys in a KMS or vault, not stored with the data; encrypt backups and keep the backup keys separate from the production keys, so that one compromised store does not expose both.
Step 3: Permissions and network
Least privilege per role; deny by default and add allow rules only for what a role actually needs. Firewall or network policy: expose only required ports and services. Administrative interfaces (SSH, RDP, WinRM, database ports) are reachable only through a VPN, bastion or identity-aware proxy, never directly from the internet.
Step 4: Logging and response
Log authentication (success and failure) and admin actions; centralize logs on a system the monitored hosts cannot modify, and retain them per policy. Alert on high-risk events: repeated authentication failures, new admin grants or privilege changes, and changes to the logging configuration itself. Document and test the incident response plan, including how to revoke credentials and active sessions quickly.
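The four steps above, turned into a check that can be run against a system inventory, as an added example that is not part of the original checklist: a Python audit over a constructed inventory of accounts, config files, network listeners and logging settings. The inventory schema, the ADMIN_PORTS and SENSITIVE_ROLES sets, the 90-day retention floor and the secret-detection patterns are all assumptions chosen for the illustration; in practice the inventory would be pulled from the IdP, the repository, the firewall and the log pipeline.

```python
"""Secure-defaults audit over a constructed inventory (added example, not from the original
checklist). Inventory schema, ADMIN_PORTS, SENSITIVE_ROLES and the 90-day retention floor
are assumptions chosen to exercise the four checklist areas; adapt them to your policy."""
import re
from collections import namedtuple
from ipaddress import ip_network

# Constructed inventory for a hypothetical deployment (not real data).
INVENTORY = {
    "accounts": [
        {"name": "alice", "kind": "human", "roles": ["admin"], "mfa": True, "active": True},
        {"name": "bob", "kind": "human", "roles": ["developer"], "mfa": False, "active": True},
        {"name": "carol", "kind": "human", "roles": ["admin"], "mfa": False, "active": True, "offboarded": True},
        {"name": "deploy-bot", "kind": "service", "roles": ["deploy"], "auth": "token", "active": True},
        {"name": "backup-job", "kind": "service", "roles": ["backup"], "auth": "password", "active": True},
        {"name": "admin", "kind": "human", "roles": ["admin"], "mfa": True, "active": True, "default_password": True},
    ],
    "config_files": {
        "app.env": "DB_URL=postgres://app:Hunter2@db:5432/app\nAWS_ACCESS_KEY_ID=AKIAIOSFODNN7EXAMPLE\n",
        "k8s/app.yaml": "db_password: vault:secret/app/db\napi_token: ${API_TOKEN}\n",
    },
    "listeners": [
        {"service": "ssh", "port": 22, "source": "0.0.0.0/0"},
        {"service": "https", "port": 443, "source": "0.0.0.0/0", "tls": True},
        {"service": "postgres", "port": 5432, "source": "10.0.0.0/8", "tls": False},
        {"service": "rdp", "port": 3389, "source": "203.0.113.0/24"},
    ],
    "logging": {"auth_success": True, "auth_failure": False, "admin_actions": True, "centralized": True, "retention_days": 30},
}

ADMIN_PORTS = {22, 3389, 5985, 5986}   # SSH, RDP, WinRM: never reachable from the whole internet
SENSITIVE_ROLES = {"admin"}            # roles whose human holders must have MFA
RETENTION_FLOOR_DAYS = 90              # assumed policy minimum

# Secret detectors: credential-like assignments, credentials inside URLs, AWS access key IDs.
ASSIGNMENT = re.compile(r"(?im)^\s*([A-Z0-9_]*(?:password|passwd|secret|token|api_?key)[A-Z0-9_]*)"
                        r"\s*[=:]\s*['\"]?([^\s'\"]+)")
URL_CREDS = re.compile(r"://[^/\s:@]+:[^@\s]+@")
AWS_KEY_ID = re.compile(r"\bAKIA[0-9A-Z]{16}\b")

Finding = namedtuple("Finding", "area subject detail")

def is_reference(value):
    # A vault path or an injected placeholder is a reference, not a literal secret.
    return value.startswith(("vault:", "${"))

def audit_accounts(accounts):
    # Step 1: MFA on sensitive roles, no defaults, no passwords for machines, offboarding done.
    for a in accounts:
        if a.get("offboarded") and a.get("active"):
            yield Finding("auth", a["name"], "offboarded but still active")
        if a.get("default_password"):
            yield Finding("auth", a["name"], "default password still set")
        if a["kind"] == "human" and SENSITIVE_ROLES & set(a["roles"]) and not a.get("mfa"):
            yield Finding("auth", a["name"], "sensitive role without MFA")
        if a["kind"] == "service" and a.get("auth") == "password":
            yield Finding("auth", a["name"], "automation uses a password instead of a key or token")

def audit_config(config_files):
    # Step 2: literal secrets in config; references into a vault or the environment pass.
    for path, text in config_files.items():
        for name, value in ASSIGNMENT.findall(text):
            if not is_reference(value):
                yield Finding("secrets", path, f"literal secret assigned to {name}")
        if URL_CREDS.search(text):
            yield Finding("secrets", path, "credentials embedded in a connection URL")
        if AWS_KEY_ID.search(text):
            yield Finding("secrets", path, "AWS access key ID present")

def audit_listeners(listeners):
    # Steps 2 and 3: admin ports must not face the internet; listeners marked tls=False fail.
    for l in listeners:
        subject = f"{l['service']}:{l['port']}"
        if ip_network(l["source"]).prefixlen == 0 and l["port"] in ADMIN_PORTS:
            yield Finding("network", subject, "admin service exposed to the whole internet")
        if l.get("tls") is False:
            yield Finding("encryption", subject, "plaintext listener, TLS disabled")

def audit_logging(cfg):
    # Step 4: auth success and failure, admin actions, central collection, retention floor.
    for key in ("auth_success", "auth_failure", "admin_actions", "centralized"):
        if not cfg.get(key):
            yield Finding("logging", key, "not enabled")
    if cfg.get("retention_days", 0) < RETENTION_FLOOR_DAYS:
        yield Finding("logging", "retention_days", f"{cfg.get('retention_days')} < {RETENTION_FLOOR_DAYS}")

def audit(inventory):
    # Run all four checks; an empty list means every checklist item passed.
    return [*audit_accounts(inventory["accounts"]), *audit_config(inventory["config_files"]),
            *audit_listeners(inventory["listeners"]), *audit_logging(inventory["logging"])]

if __name__ == "__main__":
    for f in audit(INVENTORY):
        print(f"[{f.area}] {f.subject}: {f.detail}")
```

On the constructed inventory the audit reports ten findings: carol (offboarded but active, admin without MFA), admin (default password), backup-job (password-based automation), two literal secrets in app.env, SSH open to the whole internet, a plaintext postgres listener, failed logins not logged, and retention below the floor. The vault reference and the `${API_TOKEN}` placeholder in k8s/app.yaml are deliberately not flagged: the point of the reference check is that moving a secret out of config should make the finding disappear, while leaving it in place under a different key name should not.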
Verification
Every item on the checklist is confirmed for the system with evidence (the command output, configuration excerpt or console view that shows the control in place), not just an assertion that it is done. Gaps are documented with an owner and a due date, then either remediated or formally accepted as risk.
Troubleshooting
- Legacy system without MFA: put MFA in front of it at the IdP, VPN or reverse proxy/gateway, so the legacy login is only reachable from an MFA-backed session; plan migration or retirement of the system.
- Secrets in config: move them to the vault, rotate every value that was exposed (including anything still visible in git history), then remove them from the config and add a secret scan to pre-commit or CI so they do not come back.