Twelve Commandments of Web Server Management

I recently had occasion to configure my first Windows 2003 server, so I decided to write down some guidelines to aid the configuration and keep it secure. Before long, I had a lengthy list of boring rules, so I decided to make a list of commandments for managing web servers. Here is the result – the Twelve Commandments of Web Server Management. If I left out anything, thou shalt leave me a comment!

  1. Thou shalt bless all accounts with only the privileges necessary to carry out their function. Thou shalt never run thy web applications or databases under the administrator account.
  2. Thou shalt never transmit administrative account information in plain text (unencrypted), be it by web, FTP, email, or pen and paper, nor that of any other account, if thou desirest to keep thy server virgin and pure.
  3. Thou shalt not share passwords between accounts. If thou art a slothful ass and must share, share them not between accounts with different levels of permissions.
  4. Thou shalt not use a dictionary word or any name for a password, or script kiddies shall hacketh thee shortly.
  5. Thou shalt not defile thy server by ever running anything thou dost not trust entirely. If thy users run scripts, they shall run them under limited privileges.
  6. Thou shalt not rely on security by obscurity, nor allow any management function to be accessible without authentication.
  7. Thou shalt keep thy systems patched, especially if their seed cometh from Redmond, but be not taken in by the latest service pack without testing it first, for it may wreak havoc upon thy configuration.
  8. Thou shalt make regular off-site backups and keep them holy! Since thou art a dunce, thou shalt automate the backup process.
  9. Thou shalt document thy configuration religiously, for the gods, thy consultants, thy boss, or thy memory might smite thee at any time.
  10. Thou shalt trust but audit thy users. Rely not on their good intentions, for ignorance and stupidity do far more harm than malice.
  11. Thou shalt test all thy changes on a development server before making them live, to smite thy bugs and avoid looking like a fool.
  12. Thou shalt disable or remove all unused services.
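Several of these commandments can be checked by a script rather than by faith: the least-privilege rule (which services run as LocalSystem, and who sits in the local Administrators group), the automated-backup rule (is there a scheduled backup job, and did it last succeed?), and the unused-services rule (which services start automatically that the server does not need). The PowerShell audit below is an added example and not code from the original post. It assumes PowerShell 2.0 or later on the server being audited, an elevated prompt with WMI access, and a baseline service list; the `$Baseline` contents and the `*backup*` task-name pattern are constructed placeholders that each administrator must replace with what their own server actually requires.

```powershell
# Added audit script, not part of the original post. Assumes PowerShell 2.0 or
# later on the Windows server being audited, run from an elevated prompt with
# WMI access. $Baseline and the '*backup*' task-name pattern are constructed
# placeholders; replace them with the services and task names your server needs.

# Unused-services commandment: auto-start services absent from the baseline.
# $Baseline is an example list for an IIS + SQL Server host, not a recommendation.
$Baseline = @('W3SVC', 'IISADMIN', 'MSSQLSERVER', 'Eventlog', 'RpcSs', 'Dnscache',
              'lanmanserver', 'lanmanworkstation', 'Netlogon', 'PlugPlay',
              'W32Time', 'wuauserv', 'Schedule', 'winmgmt', 'Spooler')

function Get-UnexpectedAutoServices {
    param([string[]]$Allowed)
    Get-WmiObject Win32_Service |
        Where-Object { $_.StartMode -eq 'Auto' -and $Allowed -notcontains $_.Name } |
        Select-Object Name, DisplayName, State, StartName
}

# Least-privilege commandment: services that run as LocalSystem but whose binary
# lives outside the Windows directory. This is a heuristic: third-party web apps,
# databases and agents normally install elsewhere, and none of them should need
# LocalSystem. %SystemRoot% is matched both unexpanded and expanded.
function Get-ThirdPartyLocalSystemServices {
    Get-WmiObject Win32_Service |
        Where-Object {
            $_.StartName -eq 'LocalSystem' -and
            $_.PathName -notlike '*\Windows\*' -and
            $_.PathName -notlike '*%SystemRoot%*'
        } |
        Select-Object Name, PathName, State
}

# Least-privilege commandment: who holds local administrator rights. Uses the
# WinNT ADSI provider so it works on Windows 2003 as well as current releases
# (Get-LocalGroupMember only exists on Windows 10 / Server 2016 and later).
function Get-LocalAdministrators {
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.psbase.Invoke('Members') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

# Backup commandment: is there a scheduled task that looks like a backup job, and
# did its last run succeed? schtasks is used because Get-ScheduledTask does not
# exist before Windows 8 / Server 2012. Matching on the task name is a heuristic.
function Get-BackupTasks {
    param([string]$NamePattern = '*backup*')
    schtasks /query /fo CSV /v | ConvertFrom-Csv |
        Where-Object { $_.TaskName -like $NamePattern } |
        Select-Object TaskName, 'Next Run Time', 'Last Run Time', 'Last Result'
}

Write-Host '== Auto-start services not in the baseline (candidates to disable) =='
Get-UnexpectedAutoServices -Allowed $Baseline | Format-Table -AutoSize

Write-Host '== Non-Microsoft services running as LocalSystem (should run as a limited account) =='
Get-ThirdPartyLocalSystemServices | Format-Table -AutoSize

Write-Host '== Members of the local Administrators group =='
Get-LocalAdministrators

Write-Host '== Scheduled backup tasks (Last Result 0 means the last run succeeded) =='
$backups = Get-BackupTasks
if (-not $backups) {
    Write-Warning 'No scheduled task matching *backup* found: backups are not automated.'
} else {
    $backups | Format-Table -AutoSize
}
```

Run it once after the initial build and keep the output with the configuration documentation (the documenting commandment); re-run it after every service pack or application install, since both routinely re-enable services and add new ones running as LocalSystem. Anything the script lists is a finding to explain, not necessarily a fault: a service may legitimately need LocalSystem, but that decision should be written down rather than inherited from an installer default.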
