System Testing

Dave Kinchlea

Virtually everything that is part of the System Design and many things that are part of System Administration need to be tested before being put into production use. This includes testing of the basic hardware and operating system, of patches and hotfixes to the same, and of all the various 3rd party applications and services involved.

  • Basic functioning
    • Networking: LAN, WAN, and Internet routing
    • Process creation: system and user-based processes
    • Local account / console access
    • Access Controls: file system, 3rd party services, login/account access
  • Services
    • Automatic instantiation at startup (where appropriate)
    • Proper logging in place (either to central logging facility or added to monitoring system)
    • Access control in place: administrative access is restricted and logged
    • Correct functioning determined where feasible; this could be as simple as looking for a success code (e.g. HTTP Status 200) or something more complicated that parses an output looking for specific text
  • Security
    • The previous testing was only functional; this testing is specific and prescribed
    • ACLs are in place and set correctly for all files. In Unix this means listing and understanding all setuid/setgid applications and processes and ensuring system directories are properly protected from unauthorized modifications. In Windows this is more about the latter than the former: replacing files in Unix can catch the administrator unawares, but only an administrator can make a setuid/setgid file, whereas in most Windows implementations just being in a specific directory is enough to be run with the highest of privileges.
    • All logging is enabled and (where appropriate) made tamper-proof so that a forensic analysis can be conducted and the results trusted
    • All known security vulnerabilities are plugged (done by trying all of them)
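
One way to run the Unix part of the ACL check above, as an added example rather than anything from the original post: it lists setuid/setgid files that are not on an approved baseline and flags world-writable directories that lack the sticky bit. The baseline idea, the function names and the sample tree are assumptions made for illustration.

```python
import os
import stat
import tempfile

def audit_tree(root, approved_setid=frozenset()):
    """Return (unapproved set-id files, world-writable dirs lacking the sticky bit)."""
    unexpected, open_dirs = [], []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: judge the entry itself, not a symlink target
            except OSError:
                continue  # entry vanished or is unreadable mid-walk
            mode = st.st_mode
            if stat.S_ISREG(mode) and mode & (stat.S_ISUID | stat.S_ISGID):
                if path not in approved_setid:
                    unexpected.append((path, stat.filemode(mode), st.st_uid))
            elif stat.S_ISDIR(mode) and mode & stat.S_IWOTH and not mode & stat.S_ISVTX:
                # Without the sticky bit, any local user can replace files here.
                open_dirs.append(path)
    return sorted(unexpected), sorted(open_dirs)

def build_sample_tree(root):
    """Constructed sample tree (hypothetical names); returns the approved baseline."""
    os.makedirs(os.path.join(root, "bin"))
    files = {"bin/passwd": 0o4755, "bin/helper": 0o4755, "bin/ls": 0o755}
    for rel, mode in files.items():
        path = os.path.join(root, rel)
        open(path, "w").close()
        os.chmod(path, mode)  # chmod explicitly so the umask cannot alter the mode
    for rel, mode in {"spool": 0o777, "tmp": 0o1777}.items():
        path = os.path.join(root, rel)
        os.mkdir(path)
        os.chmod(path, mode)
    return {os.path.join(root, "bin/passwd")}

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as root:
        files, dirs = audit_tree(root, build_sample_tree(root))
        for path, perms, uid in files:
            print(f"unapproved set-id file: {perms} uid={uid} {path}")
        for path in dirs:
            print(f"unprotected writable dir: {path}")
```

On a real host the root would be a system directory and the baseline would be the list of set-id files recorded and reviewed at build time.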