Server Build and Hardening Checklist

Operational runbook a sysadmin or MSP engineer follows to bring a new physical server from rack-and-stack through firmware, OS install, network and identity integration, hardening, and sign-off. Designed for repeatable builds in a multi-server environment.

6 sections, 27 steps
1. Pre-Rack Preparation

  1. Confirm rack location and U-allocation
    • Reserve contiguous Us in the rack diagram, confirm power budget on the PDU, and verify the cabinet has cooling headroom. A 2U server slotted into an already-thermally-loaded rack is a frequent cause of post-install thermal alarms.

  2. Verify shipment against the BOM
    • Match the packing list against the purchase order: chassis, drives, RAID controller, NICs, rail kit, bezel, power cables. Missing rails and incorrect SFP transceivers are the two items most often short-shipped at delivery.

  3. Confirm the server role
    • Server role drives partitioning, RAID layout, OS edition, and network segment. Confirm with the requester before imaging — re-imaging because the role was wrong is the single most common rebuild reason.

  4. Reserve hostname, IP, and DNS records
    • Allocate from IPAM, follow the hostname convention, and pre-create A and PTR records on the internal DNS. Pre-staging DNS prevents the chicken-and-egg problem when joining identity systems later.

2. Physical Install and Firmware

  1. Rack the chassis and dress cables
    • Install the rail kit, slide the chassis, and seat the cable management arm. Label both ends of every cable with the patch ID — unlabeled cables are the slowest part of any future move/add/change.

  2. Connect dual power feeds and network uplinks
    • Split PSUs across A and B PDUs so a single feed failure does not drop the host. Connect production NICs to redundant ToR switches and the OOB NIC to the management VLAN.

  3. Configure iLO, iDRAC, or IPMI access
    • Set a static IP on the management interface, rotate the default admin password, disable IPMI-over-LAN if not required, and confirm the BMC is on the isolated management VLAN — not on the production network.

  4. Update BIOS, BMC, and RAID firmware
    • Apply the vendor-recommended baseline (Dell Lifecycle Controller, HPE SUM, Lenovo XClarity). Updating after the OS is in place is supported but riskier — do it now while the host has nothing to lose.

  5. Build RAID volumes per the role spec
    • Hypervisors typically want RAID 1 for boot and RAID 10 for VM datastores; databases want separate volumes for data, logs, and tempdb. Confirm the controller cache battery is healthy before enabling write-back.

3. Operating System Install

  1. Confirm OS family for the build
    • OS family drives directory integration path (AD vs SSSD), patching tooling, and EDR agent build. Lock this in before kicking off the install.

  2. Provision the OS via PXE or vendor image
    • Use the standard golden image from MDT, SCCM, Foreman, or vCenter Auto Deploy. Avoid one-off installs from vendor media — they skip the org's baseline kickstart/unattend file.

  3. Apply the role-specific partitioning scheme
    • Linux: separate /var, /var/log, /tmp, /home with appropriate mount options (nodev, nosuid, noexec). Windows: keep system, page file, and data on separate volumes when the role calls for it.
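Added example, not part of the original checklist: a POSIX shell check that verifies the Linux partitioning step against a per-mount-point option spec. The required-option table and the sample fstab are constructed for the demonstration; on a real host you would feed in /etc/fstab or the output of findmnt instead.

```shell
# Required hardening options per mount point (from the partitioning step).
# Format: "<mountpoint>:<comma-separated required options>". Constructed spec.
REQUIRED_MOUNT_OPTS="
/tmp:nodev,nosuid,noexec
/var/log:nodev,nosuid,noexec
/home:nodev,nosuid
/var:nodev
"

# Constructed sample fstab for the demonstration. On a real host, feed in
# /etc/fstab or `findmnt -rn -o SOURCE,TARGET,FSTYPE,OPTIONS` instead
# (same column order: mount point in column 2, options in column 4).
SAMPLE_FSTAB='UUID=aaaa-0001 /        xfs  defaults                     0 1
UUID=aaaa-0002 /var     xfs  defaults,nodev               0 2
UUID=aaaa-0003 /var/log xfs  defaults,nodev,nosuid,noexec 0 2
UUID=aaaa-0004 /tmp     xfs  defaults,nodev,nosuid        0 2
UUID=aaaa-0005 /home    xfs  defaults,nodev,nosuid        0 2'

# check_mount_opts FSTAB_TEXT
# Prints one "MISSING <mountpoint> <option>" line per gap. Returns 0 when the
# layout meets the spec and 1 otherwise, so it can gate a build pipeline.
check_mount_opts() {
    fstab="$1"
    rc=0
    for spec in $REQUIRED_MOUNT_OPTS; do
        mp="${spec%%:*}"
        wanted="${spec#*:}"
        # Options column of the line whose mount point is exactly this path.
        opts=$(printf '%s\n' "$fstab" | awk -v mp="$mp" '$2 == mp { print $4 }')
        if [ -z "$opts" ]; then
            echo "MISSING $mp (no separate filesystem)"
            rc=1
            continue
        fi
        for opt in $(printf '%s' "$wanted" | tr ',' ' '); do
            case ",$opts," in
                *",$opt,"*) ;;                       # option present
                *) echo "MISSING $mp $opt"; rc=1 ;;  # option absent
            esac
        done
    done
    return $rc
}

check_mount_opts "$SAMPLE_FSTAB" || echo "partition layout does not meet the role spec"
```

In the constructed sample, /tmp is mounted without noexec, so the check reports exactly that one gap and returns non-zero.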

  4. Install OS patches and reboot
    • Catch up to the current patch baseline before the host is in production — first-time patch runs on a fresh build can require multiple reboots and are easier now than during a maintenance window.

  5. Install vendor drivers and management agents
    • OpenManage, iSM, HPE Agentless Management Service, or equivalent. These surface hardware health into the OS so a failed disk or fan shows up in monitoring rather than only on the front-bezel LED.

4. Network and Identity Integration

  1. Configure static IP and VLAN tagging
    • Apply the IP reserved during pre-rack, set NIC teaming (LACP or active/standby per the switch config), and confirm the switchport trunk allows the right VLANs. Mismatched VLAN tags between host and switch are the #1 cause of an intermittently-reachable new server.

  2. Join the server to Active Directory
    • Place the computer object in the correct OU so the right GPOs apply, and confirm time sync against the PDC emulator within 5 minutes — Kerberos rejects clock skew over the threshold.

  3. Verify DNS resolution and outbound reachability
    • Forward and reverse lookups should resolve. Test ping, traceroute, and TCP connectivity on the ports the role needs (443 to vendor update endpoints, 88/389/636 to DCs, etc.). A working ping but failing TLS handshake usually points at egress firewall or proxy config.

  4. Enroll the host in monitoring
    • Add to PRTG, Auvik, Datadog, LogicMonitor, or whichever tool the team runs. Confirm CPU, memory, disk, NIC, and hardware-health sensors are reporting before declaring the host monitored.

5. Security Hardening

  1. Apply the CIS benchmark baseline
    • Run the CIS Build Kit GPOs for Windows or the Ansible/Chef hardening role for Linux. Document any deviations from the benchmark in the exception register so auditors can trace the decision.

  2. Disable legacy protocols and unused services
    • Disable SMBv1, NTLMv1, TLS 1.0/1.1, and any role-specific services not required (Print Spooler on non-print servers, IIS on database hosts). Legacy basic-auth left enabled is a common MFA-bypass path.

  3. Configure the host firewall ruleset
    • Default-deny inbound; explicitly allow only the ports the role requires. Windows Firewall via GPO or firewalld/nftables on Linux. Document each open port with a justification — auditors will ask.
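Added example, not part of the original checklist: a POSIX shell function that turns a role's justified allow-list into a default-deny nftables ruleset, with each open port's justification carried as a rule comment so the audit trail lives next to the rule. The database-host allow-list is a constructed, hypothetical role spec.

```shell
# Role allow-list, one entry per line: "<proto>/<port> <justification>".
# Constructed example for a hypothetical Linux database host.
DB_ROLE_ALLOW='tcp/22 SSH from the admin jump host only
tcp/5432 PostgreSQL from the application subnet
tcp/9100 node_exporter scraped by the monitoring server'

# render_nft_ruleset ALLOW_LIST
# Emits an nftables ruleset: inbound policy drop, loopback and established
# traffic accepted, and one accept rule per port carrying its justification
# as a rule comment. An entry with no justification is refused, so an
# undocumented port cannot be opened through this path.
render_nft_ruleset() {
    allow="$1"
    rules=""
    while IFS= read -r line; do
        [ -z "$line" ] && continue
        svc="${line%% *}"      # e.g. tcp/5432
        why="${line#* }"       # text after the first space
        proto="${svc%%/*}"
        port="${svc#*/}"
        if [ "$why" = "$line" ] || [ -z "$why" ]; then
            echo "ERROR: no justification recorded for $svc" >&2
            return 1
        fi
        case "$proto" in tcp|udp) ;; *) echo "ERROR: bad protocol in $svc" >&2; return 1 ;; esac
        case "$port" in ''|*[!0-9]*) echo "ERROR: bad port in $svc" >&2; return 1 ;; esac
        rules="$rules        $proto dport $port accept comment \"$why\"
"
    done <<EOF
$allow
EOF
    # "flush ruleset" replaces the whole live ruleset, which is what a
    # freshly built host wants; review the output before loading it.
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
$rules    }
}
EOF
}

render_nft_ruleset "$DB_ROLE_ALLOW"   # load with: ... | nft -f -
```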

  4. Enroll in EDR and forward logs to the SIEM
    • Install CrowdStrike Falcon, SentinelOne, or Defender for Endpoint, and confirm the agent is reporting in the console. Configure Windows Event Forwarding or syslog to ship logs to Splunk/Sentinel/QRadar.

  5. Run a vulnerability scan against the host
    • Authenticated scan from Tenable, Qualys, or Rapid7 against the new host. Capture the report and check for criticals — these block production handoff.

  6. Remediate critical findings and rescan
    • Patch, configure, or apply the vendor mitigation, then rerun the authenticated scan. Do not hand off to production with open critical CVEs — log an exception with mitigation and approver only when patching is genuinely blocked.

6. Validation and Handoff

  1. Run a test backup and verify restore
    • Install the Veeam, Datto, or Commvault agent, run a full backup, and restore a sample file or VM into an isolated location. A backup that has never been restored is an unverified backup.

  2. Document the build in IT Glue or Hudu
    • Capture hostname, asset tag, serial, IP, OOB IP, OS, role, owner, RAID layout, vault entries for local admin and BMC, and links to the runbook. Future you will thank present you when the host alerts at 2am.

  3. Capture system-owner sign-off
    • Walk the system owner through the build, confirm acceptance, and attach the documentation export. The host moves to production ownership after this step.

Category: Systems Administration