installation security best practice question