Server Build and Hardening Checklist

Pre-Rack Preparation

    Reserve contiguous Us in the rack diagram, confirm power budget on the PDU, and verify the cabinet has cooling headroom. A 2U server slotted into an already-thermally-loaded rack is a frequent cause of post-install thermal alarms.

    Match the packing list against the purchase order: chassis, drives, RAID controller, NICs, rail kit, bezel, power cables. Missing rails and incorrect SFP transceivers are the two items most often short-shipped at delivery.

    Server role drives partitioning, RAID layout, OS edition, and network segment. Confirm with the requester before imaging — re-imaging because the role was wrong is the single most common rebuild reason.

    Allocate from IPAM, follow the hostname convention, and pre-create A and PTR records on the internal DNS. Pre-staging DNS prevents the chicken-and-egg problem when joining identity systems later.

Physical Install and Firmware

    Install the rail kit, slide the chassis, and seat the cable management arm. Label both ends of every cable with the patch ID — unlabeled cables are the slowest part of any future move/add/change.

    Split PSUs across A and B PDUs so a single feed failure does not drop the host. Connect production NICs to redundant ToR switches and the OOB NIC to the management VLAN.

    Set a static IP on the management interface, rotate the default admin password, disable IPMI-over-LAN if not required, and confirm the BMC is on the isolated management VLAN — not on the production network.

    Apply the vendor-recommended firmware baseline using the vendor tooling (Dell Lifecycle Controller, HPE SUM, Lenovo XClarity). Updating after the OS is in place is supported but riskier — do it now while the host has nothing to lose.

    Hypervisors typically want RAID 1 for boot and RAID 10 for VM datastores; databases want separate volumes for data, logs, and tempdb. Confirm the controller cache battery is healthy before enabling write-back.

Operating System Install

    OS family drives directory integration path (AD vs SSSD), patching tooling, and EDR agent build. Lock this in before kicking off the install.

    Use the standard golden image from MDT, SCCM, Foreman, or vCenter Auto Deploy. Avoid one-off installs from vendor media — they skip the org's baseline kickstart/unattend file.

    Linux: separate /var, /var/log, /tmp, /home with appropriate mount options (nodev, nosuid, noexec). Windows: keep system, page file, and data on separate volumes when the role calls for it.
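An added audit helper for the Linux partitioning item above (not part of the original checklist): it reads text in /proc/mounts format and reports any hardened path that is not a separate mount or is missing a required option. The sample mount table and the per-path option baseline are constructed assumptions; adjust REQUIRED to the org's kickstart.

```shell
#!/bin/sh
# Constructed sample in /proc/mounts format (device mountpoint fstype options dump pass).
# /home is deliberately not a separate mount and /tmp deliberately lacks noexec.
SAMPLE_MOUNTS='/dev/sda2 / ext4 rw,relatime 0 0
/dev/sda3 /var ext4 rw,nosuid,nodev,relatime 0 0
/dev/sda4 /var/log ext4 rw,nosuid,nodev,noexec,relatime 0 0
tmpfs /tmp tmpfs rw,nosuid,nodev,relatime 0 0'

# Assumed baseline: /var and /home skip noexec because package managers and
# user tooling routinely need to execute from them; /var/log and /tmp get all three.
REQUIRED='/var nodev,nosuid
/var/log nodev,nosuid,noexec
/tmp nodev,nosuid,noexec
/home nodev,nosuid'

# audit_mounts <mounts-text>
# Prints one finding per line: "<path> NOT_SEPARATE" when the path is not its
# own mount point, or "<path> MISSING <option>" for each absent required option.
audit_mounts() {
  mounts="$1"
  printf '%s\n' "$REQUIRED" | while read -r mp opts; do
    # exact match on the mount point column; field 4 is the option list
    actual=$(printf '%s\n' "$mounts" | awk -v mp="$mp" '$2 == mp { print $4; exit }')
    if [ -z "$actual" ]; then
      echo "$mp NOT_SEPARATE"
      continue
    fi
    for o in $(printf '%s' "$opts" | tr ',' ' '); do
      case ",$actual," in
        *",$o,"*) ;;                  # option present on this mount
        *) echo "$mp MISSING $o" ;;   # option absent on this mount
      esac
    done
  done
}

# mounts_compliant <mounts-text>: succeeds only when audit_mounts has no
# findings, so an imaging pipeline can gate the build on it.
mounts_compliant() {
  [ -z "$(audit_mounts "$1")" ]
}

# Stand-alone run against the sample; on a real host use: audit_mounts "$(cat /proc/mounts)"
audit_mounts "$SAMPLE_MOUNTS"
```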

    Catch up to the current patch baseline before the host is in production — first-time patch runs on a fresh build can require multiple reboots and are easier now than during a maintenance window.

    Install the vendor hardware agent: OpenManage or iSM, HPE Agentless Management Service, or the equivalent for the platform. These surface hardware health into the OS so a failed disk or fan shows up in monitoring rather than only on the front-bezel LED.

Network and Identity Integration

    Apply the IP reserved during pre-rack, set NIC teaming (LACP or active/standby per the switch config), and confirm the switchport trunk allows the right VLANs. Mismatched VLAN tags between host and switch are the #1 cause of an intermittently-reachable new server.

    Place the computer object in the correct OU so the right GPOs apply, and confirm time sync against the PDC emulator within 5 minutes — Kerberos rejects clock skew over the threshold.

    Forward and reverse lookups should resolve. Test ping, traceroute, and TCP connectivity on the ports the role needs (443 to vendor update endpoints, 88/389/636 to DCs, etc.). A working ping but failing TLS handshake usually points at egress firewall or proxy config.

    Add to PRTG, Auvik, Datadog, LogicMonitor, or whichever tool the team runs. Confirm CPU, memory, disk, NIC, and hardware-health sensors are reporting before declaring the host monitored.

Security Hardening

    Run the CIS Build Kit GPOs for Windows or the Ansible/Chef hardening role for Linux. Document any deviations from the benchmark in the exception register so auditors can trace the decision.

    Disable SMBv1, NTLMv1, TLS 1.0/1.1, and any role-specific services not required (Print Spooler on non-print servers, IIS on database hosts). Legacy basic-auth left enabled is a common MFA-bypass path.

    Default-deny inbound; explicitly allow only the ports the role requires. Enforce it with Windows Firewall via GPO or with firewalld/nftables on Linux. Document each open port with a justification — auditors will ask.

    Install CrowdStrike Falcon, SentinelOne, or Defender for Endpoint, and confirm the agent is reporting in the console. Configure Windows Event Forwarding or syslog to ship logs to Splunk/Sentinel/QRadar.

    Run an authenticated scan from Tenable, Qualys, or Rapid7 against the new host. Capture the report and check for criticals — these block production handoff.

    Patch, configure, or apply the vendor mitigation, then rerun the authenticated scan. Do not hand off to production with open critical CVEs — log an exception with mitigation and approver only when patching is genuinely blocked.

Validation and Handoff

    Install the Veeam, Datto, or Commvault agent, run a full backup, and restore a sample file or VM into an isolated location. A backup that has never been restored is an unverified backup.

    Capture hostname, asset tag, serial, IP, OOB IP, OS, role, owner, RAID layout, vault entries for local admin and BMC, and links to the runbook. Future you will thank present you when the host alerts at 2am.

    Walk the system owner through the build, confirm acceptance, and attach the documentation export. The host moves to production ownership after this step.