Why system hardening is critical
Jeremiah Grossman has made a good point that your public-facing web servers shouldn’t be secured using the ‘low hanging fruit’ technique. In this technique, you scan your network and remedy all the obvious vulnerabilities like old patches not installed, unnecessary services listening on the network, etc.
While this works great as a starting point in your network lock-down it isn’t a good approach to securing a web server.
Any public-facing server should always (always) be hardened after the build team has it ready for production, meaning they already have 100% expected functionality. This way you know and they know that everything works before you start securing the box. Hardening a box typically breaks functionality, therefore you’ll have to work closely with them to fix what you break after the hardening.
The hardening process I typically follow is this:
- If it's a Windows server, start with Microsoft’s Security Configuration Manager. The great thing about this tool is it queries the server, gets a list of what is already running and listening and then allows you to permit those functions post-hardening.
- Then I follow Microsoft’s hardening guide for the given OS and use. There are suggestions in these guides that aren’t covered by the SCM so it's good to follow up with some hands-on, manual securing.
- Install and tune our standard HIPS software. This is where I typically have to work the most with the build team to ensure that they still have 100% functionality. Our HIPS software is mainly behavior based and usually web apps do a lot of things that HIPS doesn’t like. By walking through a pristine build I feel fairly confident that any actions taken are benign and thus can be permitted (there is some risk that must be accepted to allow functionality; that’s the art of security).
- Get sign-off from the build team that the server functions 100% and then place it into production.
Following the same process every time ensures that I have consistency in my work and that I don’t miss something critical that results in a vulnerable situation.
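As an added example that is not part of the original post, the following PowerShell captures the pre-hardening inventory the process above relies on (what is running and listening, the same facts SCM queries) and diffs it against a post-hardening snapshot so the build team's sign-off rests on evidence rather than memory. The cmdlets are standard on Windows Server 2012 R2 and later; the file paths are my assumption.

```powershell
# Added example (not from the original post): snapshot what a server is running
# and listening on before hardening, then diff a post-hardening snapshot so the
# build team can confirm nothing they need was removed. Cmdlets assumed available
# on Windows Server 2012 R2 or later. Run elevated so owning process names resolve.

function Get-ServerBaseline {
    $listeners = Get-NetTCPConnection -State Listen |
        ForEach-Object {
            $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
            [pscustomobject]@{
                Key     = "tcp:$($_.LocalAddress):$($_.LocalPort)"
                Process = if ($proc) { $proc.ProcessName } else { 'unknown' }
            }
        }
    $services = Get-Service | Where-Object Status -eq 'Running' |
        ForEach-Object { [pscustomobject]@{ Key = "svc:$($_.Name)"; Process = $_.DisplayName } }
    return @($listeners) + @($services)
}

function Save-ServerBaseline {
    param([Parameter(Mandatory)][string]$Path)
    Get-ServerBaseline | ConvertTo-Json -Depth 3 | Set-Content -Path $Path -Encoding UTF8
}

function Compare-ServerBaseline {
    param(
        [Parameter(Mandatory)][string]$BeforePath,
        [Parameter(Mandatory)][string]$AfterPath
    )
    $before = Get-Content $BeforePath -Raw | ConvertFrom-Json
    $after  = Get-Content $AfterPath  -Raw | ConvertFrom-Json
    $diff = Compare-Object -ReferenceObject $before -DifferenceObject $after -Property Key -PassThru
    # '<=' : present before hardening, gone after (removed; build team confirms it was not needed)
    # '=>' : appeared only after hardening (unexpected; verify, e.g. the HIPS agent or a re-enabled service)
    foreach ($item in $diff) {
        $label = if ($item.SideIndicator -eq '<=') { 'REMOVED' } else { 'NEW    ' }
        "{0} {1,-40} {2}" -f $label, $item.Key, $item.Process
    }
}

# Usage (paths are placeholders): before handing the box over for hardening
#   Save-ServerBaseline -Path C:\baseline\pre-hardening.json
# after hardening and HIPS tuning, before sign-off
#   Save-ServerBaseline -Path C:\baseline\post-hardening.json
#   Compare-ServerBaseline -BeforePath C:\baseline\pre-hardening.json -AfterPath C:\baseline\post-hardening.json
```

Anything reported as REMOVED is the list to walk through with the build team; anything reported as NEW was not in the pristine build and should be explained before production.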
