In many startups, the developer of an application is also in charge of managing the server. Since resources are thin, this is how it has to be. Developers don’t always make the best decisions when it comes to managing security concerns on servers, though. Here are a few tips for you developers in charge of managing servers. Believe me, if you’re successful, you will regret not having followed security best practices from the beginning.
Go Role Based - Having roles helps auditing, plain and simple. If each user is given their own permissions, you have to audit every user and all their permissions. It is much easier to audit roles, and then see which users are in which roles. This can be accomplished with groups in Windows: grant the permissions to the group once, then put users in the group, and never grant anything directly to a user.
Don’t share - I have said it before, and I’ll say it again: sharing is for adolescents. Don’t share logins between multiple people. Each person and each application should have its own, well-named account. What they should share is roles (see above).
Give the least - Remember the time that service wasn’t working for some reason, so you changed it to run as an administrator? Don’t ever do that again. In fact, give everything the least amount of privileges possible: a dedicated, non-admin account per service, with write access only to the paths it actually needs. Adding privileges is easy; taking them away is scary and hard, because by then you no longer know what depends on them.
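Putting the three tips together on a Windows host, as an added example that is not from the original post. It uses the built-in LocalAccounts cmdlets, icacls and the Win32_Service CIM class; the group, user, service and folder names (AppOperators, alice, bob, svc_billing, BillingService, C:\Apps\Billing) are placeholders you would replace with your own.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell session.
# All names below are hypothetical placeholders.

$Role    = 'AppOperators'        # the role: a local group, never per-user grants
$People  = @('alice', 'bob')     # named humans; no shared "deploy" login
$SvcUser = 'svc_billing'         # dedicated, non-admin service account
$SvcName = 'BillingService'      # hypothetical Windows service
$AppPath = 'C:\Apps\Billing'     # hypothetical install path; $AppPath\data is what the service writes to

# 1. Go role based: create the group once, grant the folder to the group once.
if (-not (Get-LocalGroup -Name $Role -ErrorAction SilentlyContinue)) {
    New-LocalGroup -Name $Role -Description 'Operators of the billing app' | Out-Null
}
# The group gets read+execute on the whole app tree, inherited by files (OI) and folders (CI).
icacls $AppPath /grant "${Role}:(OI)(CI)RX" | Out-Null

# 2. Don't share: one account per person; group membership expresses the role.
foreach ($name in $People) {
    if (-not (Get-LocalUser -Name $name -ErrorAction SilentlyContinue)) {
        $pw = Read-Host -AsSecureString "Initial password for $name"
        New-LocalUser -Name $name -Password $pw | Out-Null
    }
    # Already-a-member is not an error worth stopping for.
    Add-LocalGroupMember -Group $Role -Member $name -ErrorAction SilentlyContinue
}

# 3. Give the least: the service runs as its own account, which is not an
#    administrator and can only modify the one subfolder it writes to.
if (-not (Get-LocalUser -Name $SvcUser -ErrorAction SilentlyContinue)) {
    $svcPw = Read-Host -AsSecureString "Password for service account $SvcUser"
    New-LocalUser -Name $SvcUser -Password $svcPw -PasswordNeverExpires -UserMayNotChangePassword | Out-Null
} else {
    $svcPw = Read-Host -AsSecureString "Password for service account $SvcUser"
}
# Make sure nobody "fixed" the service earlier by dropping its account into Administrators.
Remove-LocalGroupMember -Group 'Administrators' -Member $SvcUser -ErrorAction SilentlyContinue
icacls $AppPath /grant "${SvcUser}:(OI)(CI)RX" | Out-Null
icacls (Join-Path $AppPath 'data') /grant "${SvcUser}:(OI)(CI)M" | Out-Null

# Win32_Service.Change needs the plain-text password; convert only for this call.
$plain = [System.Net.NetworkCredential]::new('', $svcPw).Password
Get-CimInstance -ClassName Win32_Service -Filter "Name='$SvcName'" |
    Invoke-CimMethod -MethodName Change -Arguments @{
        StartName     = ".\$SvcUser"
        StartPassword = $plain
    } | Out-Null
$plain = $null

# The audit is now cheap: who holds the role, and which non-Windows services
# still run as LocalSystem or an Administrator account (each of those is a
# least-privilege violation to justify or fix).
function Get-RoleAudit {
    $privileged = Get-CimInstance -ClassName Win32_Service |
        Where-Object {
            $_.PathName -notlike "$env:SystemRoot\*" -and
            ($_.StartName -eq 'LocalSystem' -or $_.StartName -like '*Administrator*')
        } |
        Select-Object Name, StartName, PathName

    [pscustomobject]@{
        Role               = $Role
        Members            = (Get-LocalGroupMember -Group $Role | Select-Object -ExpandProperty Name)
        PrivilegedServices = $privileged
    }
}

Get-RoleAudit | Format-List
```

The audit deliberately excludes Windows’ own services under $env:SystemRoot, which legitimately run as LocalSystem; anything third-party that shows up in PrivilegedServices is exactly the “just run it as administrator” shortcut the tip warns about. Access is granted to the group and to the service account only; no per-person entries ever land on the folder ACL, so reviewing the group’s member list is the whole audit.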
Duh, right? Well, I bet you have violated all of these at some point. If you follow them when you’re small, getting big is a lot easier. With size comes auditing and compliance, which shouldn’t be hard but is for all too many organizations. Follow these simple tips, and the day you get audited will be a lot easier.