New domain setup checklist

Setting up a new domain can be fun and exciting, but poor security can shatter hopes and dreams pretty quickly. I’ve created a checklist to use when setting up a new domain so that security of the domain itself is baked in before any content creation starts. It is much easier to do all of this from the very beginning than to attempt to implement it after the fact.

You can download a PDF version of this checklist, without commentary, from this link: https://www.johndball.com/wp-content/uploads/2019/11/Domain-setup-checklist.pdf (VirusTotal scan here: https://www.virustotal.com/gui/file/4941b1e8d0c85a3b58ec91e392bb9e9e0053df0f513b485346588391666c26e0/detection)

  1. Domain name registrar strong password and two-factor authentication enabled
    1. Reduces likelihood of registrar account compromise
  2. Domain WHOIS privacy enabled or proxied
    1. Reduces spam calls, emails, creepy stalkers
  3. Domain transfer lock enabled
    1. Prevents the domain from being transferred to a malicious or unintended host
  4. Domain expiration renewal reminders enabled
    1. Doesn’t do any good if you lapse on your payment
  5. Remove bunk DNS entries usually provided from new registrations (like FTP, SFTP, SSH, “web drive”, etc.)
    1. On new domain purchases the registrar usually provides convenient, albeit insecure or risky, methods of administering your website. These come in the form of FTP, SSH, SFTP, web drives for uploading/downloading content on the back end, and others. These are bad and can expose admin portals via DNS digs. Make note of admin access methods and remove these entries from your publicly facing DNS.
  6. Domain protected by WAF or web proxy
    1. Cloudflare is my preferred choice
    2. Takes the brunt of spam/noise, DDoS, and malicious junk hitting the domain
    3. On your firewall/gateway/edge, only allow inbound traffic to your server from Cloudflare IPs for sites/servers protected by Cloudflare. This reduces traffic that bypasses Cloudflare and hits your services directly. Cloudflare IPs can be found here: https://www.cloudflare.com/ips and here: https://support.cloudflare.com/hc/en-us/articles/201897700-Whitelisting-Cloudflare-IP-addresses
  7. HTTPS enabled using strong, publicly trusted certificate
    1. No HTTP unless absolutely necessary. If you use a back-end CMS like WordPress, HTTPS will protect your login for the admin portal if WordPress is set correctly.
  8. Certification Authority Authorization (CAA) set using the cert provider from #7 above
    1. Reduces likelihood of malicious certificates being issued for your domain. Usually an issue for corporations, popular domains for celebrities, revenue generating websites, when your threat is nation-states, etc.
  9. Mail Exchanger (MX) records set using mail provider
    1. Only if you use email for your domain
  10. MTA-STS to increase mail transport security
    1. My setup guide is here: https://www.johndball.com/adding-smtp-tls-downgrade-prevention-using-mta-sts/
  11. TLS-RPT to report on TLS issues with your email
    1. Additional details can be found here: https://www.johndball.com/multi-part-series-on-securing-our-internet-presence-email-security/
  12. Domain-based Authentication, Reporting, And Conformance (DMARC) works with SPF and DKIM to provide email security
    1. Additional details can be found here: https://www.johndball.com/multi-part-series-on-securing-our-internet-presence-email-security/
    2. I like to use DMARC Analyzer free for my small domains and paid for bigger domains.
  13. Sender Policy Framework (SPF) works with DMARC and DKIM to provide email security because nobody likes spoofed email
    1. Additional details can be found here: https://www.johndball.com/multi-part-series-on-securing-our-internet-presence-email-security/
  14. DomainKeys Identified Mail (DKIM)
    1. Additional details can be found here: https://www.johndball.com/multi-part-series-on-securing-our-internet-presence-email-security/
    2. The setting is per email host and usually pretty easy. With Google Apps for Business it is a copy/paste of a DNS TXT record and entry.
  15. “HSTS for email” using STARTTLS
    1. Have you noticed there are quite a few security options around email?
    2. More details and my setup guide can be found here: https://www.johndball.com/starttls-everywhere-hsts-preload-for-email-whaaaat/
  16. Have I Been Pwned will notify you if your email domain shows up in data breaches that they are made aware of
    1. Use the domain search option and add a DNS TXT entry for continuous monitoring: https://haveibeenpwned.com/DomainSearch
  17. HSTS for your website ensures that security remains intact in the event of a misconfiguration or compromise
    1. More details and my setup guide can be found here: https://www.johndball.com/multi-part-series-on-securing-our-internet-presence-preloading-hsts/
  18. DNSSEC authenticates your DNS entries to reduce the likelihood of spoofing or maliciously manipulated entries
    1. More details about DNSSEC “gotchas” can be found here: https://www.johndball.com/validating-dnssec-records-with-dnsviz/
    2. DNSSEC setup is per-host specific. Look for a DNSSEC option in your registrar. If using Cloudflare as your registrar it literally is as easy as clicking a button.
  19. Lock down any CMS logins like WordPress admin, CPANEL, etc.
  20. Ensure directory browsing is disabled.
  21. Run the domain through SecurityHeaders.com, Hardenize.com, SSL Labs and other sites (see the “Cyber Security” menu drop down on this website for other resources)
  22. Monitor your logs on a regular basis
  23. Begin adding content to your website
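
The DNS items in the checklist (5 and 8 through 14) can be checked mechanically against a zone export. The script below is an added example, not part of the original checklist; the zone data, the example.com domain and the set of risky hostname labels are constructed assumptions.

```python
# Added example. ZONE is constructed sample data for the placeholder example.com.
ZONE = [  # (owner name, record type, value)
    ("example.com.", "MX", "10 mail.example.com."),
    ("example.com.", "TXT", "v=spf1 include:_spf.example.net ~all"),
    ("example.com.", "CAA", '0 issue "ca.example.net"'),
    ("_dmarc.example.com.", "TXT", "v=DMARC1; p=none; rua=mailto:dmarc@example.com"),
    ("ftp.example.com.", "A", "203.0.113.10"),
    ("ssh.example.com.", "CNAME", "example.com."),
    ("www.example.com.", "A", "203.0.113.10"),
]
# Assumed labels for the registrar-provided admin entries named in item 5.
RISKY_LABELS = {"ftp", "sftp", "ssh", "webdrive"}

def audit(domain, zone):
    """Return {checklist item number: finding} for each DNS item that fails."""
    apex = domain.rstrip(".").lower() + "."
    findings = {}
    # Item 5: leftover admin hostnames that reveal back-end access methods.
    risky = sorted(n for n, _, _ in zone if n.lower().endswith("." + apex)
                   and n.split(".")[0].lower() in RISKY_LABELS)
    if risky:
        findings[5] = "admin hostnames published: " + ", ".join(risky)
    # Item 8: a CAA "issue" property at the apex names the permitted CA.
    if not any(t == "CAA" and n.lower() == apex and v.split()[1:2] == ["issue"]
               for n, t, v in zone):
        findings[8] = "no CAA issue record at " + apex
    # Items 10-14 only apply when the domain receives mail (item 9).
    if any(t == "MX" and n.lower() == apex for n, t, _ in zone):
        expected = {10: ("_mta-sts." + apex, "v=STSv1"),
                    11: ("_smtp._tls." + apex, "v=TLSRPTv1"),
                    12: ("_dmarc." + apex, "v=DMARC1"),
                    13: (apex, "v=spf1")}
        for item, (name, tag) in expected.items():
            # Exactly one matching record must exist; duplicates invalidate the policy.
            hits = [v for n, t, v in zone
                    if t == "TXT" and n.lower() == name and v.startswith(tag)]
            if len(hits) != 1:
                findings[item] = f"expected one {tag} TXT at {name}, found {len(hits)}"
        if not any(t == "TXT" and n.lower().endswith("._domainkey." + apex)
                   for n, t, _ in zone):
            findings[14] = "no DKIM selector under _domainkey." + apex
    return findings

if __name__ == "__main__":
    for item, finding in sorted(audit("example.com", ZONE).items()):
        print(f"item {item}: {finding}")
```

DNSSEC (item 18) is not covered here because the DS record lives in the parent zone rather than in your own zone export.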
