Services run under their own account with minimal necessary privileges .
Only necessary services run on production servers, and are only accessible to necessary interfaces using Host-based Firewalls.
All services are maintained and kept up-to-date.
For each running service on servers, hardening guides are followed and deviations from hardening guides due to business requirements are documented.
Local Firewall rules limit service traffic to ports filtered as restrictive as possible.
Specification
For non-Windows servers, applications are running within a jail/chroot environment. When impossible, running Linux applications are secured by SELinux or AppArmor.
ISO 27001 & 27002:2022
A5.8,
A5.36,
A5.37
SURF toetsingskader informatiebeveiliging (NBA-volwassenheidsmodel)
SM.01 Security Baselines