When we deploy a new server currently we do a Nessus scan on the server from inside the firewall and we do a firewall audit to verify that only the desired ports are open on the firewall (since we do occasionally recycle IP addresses).
What are you doing in your organization? Do you think it is enough? What would you be doing if you could?
Nessus is a pretty good start, since it can do vulnerability assessments which are a little more in-depth than just port scanning and banner grabbing.
One thing I would recommend is to not leave it as "we did the scan, it was ok, nothing else to do" and to perhaps schedule rescans to check for configuration changes.
While this is a great start, nothing can beat manual enumeration of vulnerabilities / misconfigurations. But this obviously requires time, energy and money that just may not be worthwhile.
Do you feel like the time, money and energy you put into securing these servers are balanced by the costs of loss of operation, loss of data, legal action if your data is taken outside of your control?
Never, ever rely on one tool. Nessus is a good start, but follow it up with additional scanners and audit tools -- the more the better.
GFI LanGuard, eEye Retina, Lumension Scan (formerly Harris STAT), are all nice to have, though you do have to spend money on getting them. They will have some overlap, but each conducts unique checks as well, so they can only complement each other in assessing how vulnerable a machine is. Of course, you must cross-check each finding with common sense to rule out false positives -- multiple tools assist with this.
In addition to OS scanners, if you're planning on hosting any databases, you might want to consider picking up AppDetectivePro. For websites, check out HP WebInspect or Paros. For network password checks, Cain & Abel is great -- but be sure you have permission to use it, particularly some of the more advanced features.
I recommend checking out some of the open source tool offerings -- nmap is an excellent way to check out what ports are open on a machine, along with netcat to send arbitrary data. Use Wireshark to sniff the network traffic coming from the host, either via a span port or a network tap, and analyze the results -- this often helps identify unnecessary and insecure (like telnet, FTP, and any version of SNMP below v3) network protocols. SNMP read/write strings are basically passwords -- and SNMP v1 and v2 (or 2c) are completely cleartext. Don't use them, and phase them out if you are.
Lastly, but probably most importantly, take a look at the NSA configuration guides for the relevant OS (if they publish one), the DISA Security Technical Implementation Guides from DoD, as well as the Microsoft Security Guides for Microsoft operating systems. These can help you build some validated hardened machines, and should be a starting point for any secure system build. Knowing what your original configuration is goes a long way in determining whether a system has been compromised, or even just whether a particular vulnerability affects your environment.
And just a note -- always, always back up the system before making security-related changes -- particularly if you use the NSA or DISA guides -- they focus on security, not necessarily operations, if you get my drift.
You can also use Nessus to run an audit by logging into a box and running an audit script on Windows and Unix. Tenable provide a number of them for PCI DSS, CIS Benchmark and the NSA RHEL5 guide.
We have a baseline that all machines are installed to, with additions for any applications that are installed. This covers a huge range of things to check, from open ports to setuid/setgid executables through to strict access control checks. Any changes that are made need to be recorded and linked to our ticketing system, with all changes being approved by change management. Periodically we run scans to make sure that everything is as it should be. If not we can go and find out who made the changes from the audit trail we have in place across the systems.
So at any time we have in a config DB exactly how the machine should look, both from outside using Nessus and other tools to check it and from inside using Nessus and the compliance plugin. So when any auditors make surprise visits and make us demonstrate that we know the state of any random server we can do so and also provide an audit trail to satisfy compliance.
None of this is easy, or fun to set up. But in the market we're in we have to meet compliance requirements, so someone has to get this up and running.
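The following is an added example, not code from any of the posters above. It ties together three points in the thread: the original poster's firewall audit of which ports are open, the advice to use nmap to find unnecessary cleartext services (telnet, FTP, SNMP v1/v2c), and the last poster's practice of keeping a per-role baseline in a config DB and periodically rescanning for drift. It parses nmap's greppable output (`nmap -sV -oG -`), compares each host's open ports against the baseline for its role, and flags cleartext services. The scan output, the host-to-role mapping, the baseline port sets and the list of cleartext services are all constructed assumptions for illustration; in practice the baseline would come from the config DB and the scan text from a real nmap run.

```python
"""Check an nmap greppable-output scan against a per-role port baseline and
flag cleartext services. Added example; all inputs below are constructed."""
import re
from collections import defaultdict

# Constructed sample of `nmap -sV -sU -p T:1-1024,U:161 -oG -` for two hosts
# (not a real scan). In -oG, each port is port/state/proto/owner/service/rpc/version/.
SAMPLE_NMAP_OG = """\
# Nmap 7.94 scan initiated as: nmap -sV -sU -p T:1-1024,U:161 -oG - 192.0.2.10 192.0.2.11
Host: 192.0.2.10 ()\tStatus: Up
Host: 192.0.2.10 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 23/open/tcp//telnet//Linux telnetd/, 80/open/tcp//http//Apache httpd 2.4.52/, 443/open/tcp//ssl|https//Apache httpd 2.4.52/, 161/open/udp//snmp//SNMPv1 server (public)/\tIgnored State: closed (1020)
Host: 192.0.2.11 ()\tStatus: Up
Host: 192.0.2.11 ()\tPorts: 22/open/tcp//ssh//OpenSSH 8.9p1/, 21/open/tcp//ftp//vsftpd 3.0.3/, 3306/open/tcp//mysql//MySQL 8.0.32/\tIgnored State: closed (1021)
# Nmap done -- 2 IP addresses (2 hosts up) scanned
"""

# Hypothetical baseline: the only (proto, port) pairs allowed open per server role.
BASELINE = {
    "web": {("tcp", 22), ("tcp", 80), ("tcp", 443)},
    "db": {("tcp", 22), ("tcp", 3306)},
}
HOST_ROLE = {"192.0.2.10": "web", "192.0.2.11": "db"}

# Services that send credentials or management traffic in the clear.
CLEARTEXT_SERVICES = {"telnet", "ftp", "snmp"}

PORT_RE = re.compile(r"(\d+)/([\w|]+)/(\w+)/([^/]*)/([^/]*)/([^/]*)/([^/]*)/")


def parse_nmap_greppable(text):
    """Return {host: [(port, proto, state, service, version), ...]} from -oG text."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        m = re.search(r"Ports: (.*?)(?:\t|$)", line)  # Ports field ends at a tab
        if not m:
            continue
        host = line.split()[1]
        for entry in m.group(1).split(", "):
            pm = PORT_RE.match(entry.strip())
            if not pm:
                continue
            port, state, proto, _owner, service, _rpc, version = pm.groups()
            hosts[host].append((int(port), proto, state, service, version))
    return dict(hosts)


def check_host(host, services, expected):
    """Compare one host's open ports with its baseline; return a list of findings."""
    findings = []
    open_ports = {(proto, port) for port, proto, state, _s, _v in services if state == "open"}
    for proto, port in sorted(open_ports - expected):
        findings.append(f"{host}: unexpected open {proto}/{port}")
    for proto, port in sorted(expected - open_ports):
        findings.append(f"{host}: expected {proto}/{port} not open (firewall or service change?)")
    for port, proto, state, service, version in services:
        base = service.split("|")[-1]  # nmap writes tunnelled services as e.g. ssl|https
        if state != "open" or base not in CLEARTEXT_SERVICES:
            continue
        if base == "snmp" and "v3" in version.lower():
            continue  # SNMPv3 has auth/priv; v1 and v2c send community strings in the clear
        findings.append(f"{host}: cleartext service {service} on {proto}/{port} ({version or 'unknown version'})")
    return findings


def audit(text=SAMPLE_NMAP_OG, baseline=BASELINE, host_role=HOST_ROLE):
    """Audit every host in the scan against its role baseline; return {host: findings}."""
    results = {}
    for host, services in parse_nmap_greppable(text).items():
        expected = baseline.get(host_role.get(host), set())
        results[host] = check_host(host, services, expected)
    return results


if __name__ == "__main__":
    for host, findings in audit().items():
        print(host, "OK" if not findings else "")
        for f in findings:
            print("   ", f)
```

A host with no role in the mapping gets an empty baseline, so every open port on it is reported; that is deliberate, since an unmapped host is itself a drift from the config DB. Running this after each build and again on a schedule catches both the recycled-IP firewall problem and the "we did the scan once" problem raised earlier in the thread.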