
I have seen advice that I need to close all unused ports, and disable any unused services in order to secure my servers. How can I prove, beyond any doubt, to my client that I have done this?

I need to accomplish this in a realistic amount of time, using realistic resources, so please also let me know if there is no such method and why. Please also assume I am using both Linux and Windows servers, and that these are kept up-to-date with the latest patches.

D.H

2 Answers

3

Do a full scan of the target machine's IP address with Nmap from LAN or Internet:

nmap -p- 12.34.56.78

If you've closed all the unused ports, then you'll see that in the scan result.

Edit: It would look like this:

Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-29 11:26 CET
Nmap scan report for abc.com (12.34.56.78)
Host is up (0.030s latency).
Not shown: 65531 filtered ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
443/tcp   open  https
21235/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 277.06 seconds
binaryanomaly
3

The only way that I'm aware of for you to prove this "beyond any doubt" would be to have your client audit the servers themselves, or to have them audited by a 3rd party (e.g. consultant) that you both trust to do the work.

Network scanning isn't likely to be sufficient on its own, as that wouldn't cover disabling services or the possibility that a firewall is preventing the scanner from seeing open ports.

In terms of tools to do the job, something like Nessus can do credentialed scanning against a policy, which could give you this kind of information.

Rory McCune
  • If there are not many servers, you can do some checks manually. "netstat -nlp" on Linux will show listening ports and the process which is listening. – Dog eat cat world Mar 29 '14 at 10:55
  • 1
    Indeed, good point; additionally, there are downloadable guides from places like CIS (http://benchmarks.cisecurity.org/downloads/) that often have audit procedures in them. – Rory McCune Mar 29 '14 at 11:25
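The two answers and the comment above describe complementary views: the outside view from a full-range Nmap scan, and the inside view from netstat on the host. Reconciling the two against an agreed allowlist is what turns "I closed the ports" into evidence a client can check. The script below is an added example and is not code from either answer; the Nmap and netstat text it parses is constructed sample output (the Nmap block mirrors the one shown in the first answer, with a netstat listing invented to go with it), and APPROVED_PORTS is a hypothetical policy for the server being audited.

```python
"""Reconcile an external Nmap scan with host-side netstat output against a
service policy.  Added example, not from the original answers: the sample
scan and netstat text are constructed, and APPROVED_PORTS is a hypothetical
allowlist for the server under audit."""
import re

# Constructed sample: what `nmap -p- 12.34.56.78` printed from outside.
NMAP_OUTPUT = """\
Starting Nmap 6.40 ( http://nmap.org ) at 2014-03-29 11:26 CET
Nmap scan report for abc.com (12.34.56.78)
Host is up (0.030s latency).
Not shown: 65531 filtered ports
PORT      STATE SERVICE
25/tcp    open  smtp
80/tcp    open  http
443/tcp   open  https
21235/tcp open  unknown

Nmap done: 1 IP address (1 host up) scanned in 277.06 seconds
"""

# Constructed sample: what `netstat -nlp` printed on the host itself (as root).
NETSTAT_OUTPUT = """\
Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State       PID/Program name
tcp        0      0 0.0.0.0:25              0.0.0.0:*               LISTEN      812/master
tcp        0      0 0.0.0.0:80              0.0.0.0:*               LISTEN      1033/nginx
tcp        0      0 0.0.0.0:443             0.0.0.0:*               LISTEN      1033/nginx
tcp        0      0 0.0.0.0:3306            0.0.0.0:*               LISTEN      977/mysqld
tcp        0      0 0.0.0.0:21235           0.0.0.0:*               LISTEN      1501/python
tcp        0      0 127.0.0.1:6379          0.0.0.0:*               LISTEN      640/redis-server
"""

# Hypothetical policy: the only TCP services this server is approved to expose.
APPROVED_PORTS = {25: "smtp", 80: "http", 443: "https"}

# One explicit Nmap result line: "<port>/tcp  <state>  <service>"
NMAP_LINE = re.compile(r"^(\d+)/tcp\s+(\w+)\s+(\S+)", re.M)
# One listening TCP socket from netstat: local "<addr>:<port>", state LISTEN, "<pid>/<program>"
NETSTAT_LINE = re.compile(r"^tcp6?\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+LISTEN\s+(\S+)", re.M)


def parse_nmap(text):
    """Return {port: state} for every TCP port Nmap listed explicitly."""
    return {int(port): state for port, state, _ in NMAP_LINE.findall(text)}


def parse_netstat(text):
    """Return {port: (bind_address, 'pid/program')} for listening TCP sockets."""
    return {int(port): (addr, prog) for addr, port, prog in NETSTAT_LINE.findall(text)}


def reconcile(nmap_text, netstat_text, approved):
    """Cross-check the outside view against the host view.

    Each finding maps to a remediation:
      unapproved_exposed    reachable by the scanner and not in policy -> stop/remove the service
      listening_not_exposed bound on the host but not open externally (firewalled or
                            loopback-only) -> still a running service; disable if unused
      approved_missing      in policy but nothing is listening -> policy or service drift
      approved_ok           in policy, listening, and reachable as intended
    """
    external = parse_nmap(nmap_text)
    internal = parse_netstat(netstat_text)
    open_ext = {p for p, state in external.items() if state == "open"}
    return {
        "unapproved_exposed": sorted(p for p in open_ext if p not in approved),
        "listening_not_exposed": sorted(p for p in internal if p not in open_ext),
        "approved_missing": sorted(p for p in approved if p not in internal),
        "approved_ok": sorted(p for p in approved if p in internal and p in open_ext),
    }


def audit_passed(findings):
    """The host is clean only when nothing unapproved is exposed or listening."""
    return not findings["unapproved_exposed"] and not findings["listening_not_exposed"]


if __name__ == "__main__":
    result = reconcile(NMAP_OUTPUT, NETSTAT_OUTPUT, APPROVED_PORTS)
    owners = parse_netstat(NETSTAT_OUTPUT)
    for kind, ports in result.items():
        for p in ports:
            print(f"{kind:22} {p:>6}/tcp  {owners.get(p, ('-', '-'))[1]}")
    print("PASS" if audit_passed(result) else "FAIL")
```

On the constructed input the report flags 21235/tcp (exposed, owned by a stray python process, not in policy) and two services that the scanner never saw, mysqld on 3306 and redis on loopback 6379, which is exactly the gap the second answer warns about: a firewall hiding a port does not mean the service is disabled. Running the netstat side with real output from each host (on Windows, `netstat -ano` gives the equivalent PID column) and keeping both raw captures alongside the report gives the client something they can re-run themselves rather than take on trust.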