Minimal access
- run nothing you don't need
  - understand everything you run
- run servers with least possible privilege
  - unprivileged accounts
  - reduced options
- do services need to be bi-directional?
  - only need outbound sendmail on workstations
- restrict access using wrappers and/or routers
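
Added example (not part of the original slides): a small model of how wrapper rules are evaluated, assuming "wrappers" means TCP Wrappers with its hosts.allow and hosts.deny files. It shows why a restrictive hosts.allow does nothing without a catch-all deny. The daemon names, addresses and rule text are constructed, and only a subset of the real pattern syntax is modelled (ALL, exact IPv4 address, trailing-dot address prefix).

```python
# Simplified model of TCP Wrappers (hosts_access) rule evaluation.
# Assumption: IPv4 clients only; no hostnames, net/mask, EXCEPT or options.

def parse_rules(text):
    """Turn 'daemon_list : client_list' lines into (daemons, clients) pairs."""
    rules = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#") or ":" not in line:
            continue
        daemons, clients = line.split(":", 2)[:2]
        rules.append((daemons.replace(",", " ").split(),
                      clients.replace(",", " ").split()))
    return rules

def _matches(patterns, value, prefix_ok=False):
    """True if value matches ALL, an exact token, or an 'a.b.c.' prefix."""
    for p in patterns:
        if p == "ALL" or p == value:
            return True
        if prefix_ok and p.endswith(".") and value.startswith(p):
            return True
    return False

def allowed(daemon, client_ip, hosts_allow, hosts_deny):
    """Evaluation order: allow file first, then deny file, then grant."""
    for daemons, clients in parse_rules(hosts_allow):
        if _matches(daemons, daemon) and _matches(clients, client_ip, True):
            return True
    for daemons, clients in parse_rules(hosts_deny):
        if _matches(daemons, daemon) and _matches(clients, client_ip, True):
            return False
    return True  # no rule matched in either file: access is granted

# Constructed sample policy: sshd from one admin network, mail from loopback only.
HOSTS_ALLOW = """
# constructed example rules
sshd: 192.0.2.
sendmail: 127.0.0.1
"""
HOSTS_DENY_MISSING = ""          # weak: unmatched clients fall through to "grant"
HOSTS_DENY_DEFAULT = "ALL: ALL"  # corrected: everything not allowed is refused

if __name__ == "__main__":
    for deny in (HOSTS_DENY_MISSING, HOSTS_DENY_DEFAULT):
        for daemon, ip in (("sshd", "192.0.2.10"), ("sshd", "198.51.100.7"),
                           ("sendmail", "198.51.100.7")):
            print(repr(deny), daemon, ip, allowed(daemon, ip, HOSTS_ALLOW, deny))
```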