diff --git a/puppet/zulip/manifests/app_frontend_base.pp b/puppet/zulip/manifests/app_frontend_base.pp
index 760efb2a53..acc0a274cc 100644
--- a/puppet/zulip/manifests/app_frontend_base.pp
+++ b/puppet/zulip/manifests/app_frontend_base.pp
@@ -199,7 +199,7 @@ class zulip::app_frontend_base {
 ensure => directory,
 owner => 'zulip',
 group => 'zulip',
- mode => '0640',
+ mode => '0750',
 }
 file { "${zulip::common::nagios_plugins_dir}/zulip_app_frontend":
diff --git a/puppet/zulip/manifests/nginx.pp b/puppet/zulip/manifests/nginx.pp
index 5895bfd6be..84d6d9caa0 100644
--- a/puppet/zulip/manifests/nginx.pp
+++ b/puppet/zulip/manifests/nginx.pp
@@ -73,7 +73,7 @@ class zulip::nginx {
 ensure => directory,
 owner => 'zulip',
 group => 'adm',
- mode => '0650',
+ mode => '0750',
 }
 file { '/etc/logrotate.d/nginx':
 ensure => file,
@@ -90,7 +90,7 @@ class zulip::nginx {
 ensure => directory,
 owner => 'zulip',
 group => 'adm',
- mode => '0660',
+ mode => '0770',
 }
 service { 'nginx':
diff --git a/puppet/zulip/manifests/postgresql_common.pp b/puppet/zulip/manifests/postgresql_common.pp
index 7a529e71d2..b056fbda27 100644
--- a/puppet/zulip/manifests/postgresql_common.pp
+++ b/puppet/zulip/manifests/postgresql_common.pp
@@ -44,7 +44,7 @@ class zulip::postgresql_common {
 # allows ssl-cert group to read /etc/pki/tls/private
 file { '/etc/pki/tls/private':
 ensure => directory,
- mode => '0640',
+ mode => '0750',
 owner => 'root',
 group => 'ssl-cert',
 }
diff --git a/puppet/zulip/manifests/profile/base.pp b/puppet/zulip/manifests/profile/base.pp
index 694736d0e8..5ba3a2171c 100644
--- a/puppet/zulip/manifests/profile/base.pp
+++ b/puppet/zulip/manifests/profile/base.pp
@@ -79,7 +79,7 @@ class zulip::profile::base {
 file { '/etc/zulip':
 ensure => directory,
- mode => '0644',
+ mode => '0755',
 owner => 'zulip',
 group => 'zulip',
 links => follow,
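Review bot: In puppet/zulip/manifests/nginx.pp the `@@ -90` hunk leaves the directory group-writable: `mode => '0770'` lets every member of `adm` create, rename and delete entries in it, while the otherwise identical resource in the `@@ -73` hunk gets `0750`. The resource title is above the hunk, so which directory this is cannot be confirmed from here. If `adm` only needs to read what is stored there, `mode => '0750',` would match the sibling resource; if group write is required, a short comment naming the process that writes as group `adm` would record why.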
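Review bot: In puppet/zulip/manifests/postgresql_common.pp, `mode => '0750'` on `/etc/pki/tls/private` gives the `ssl-cert` group list access as well as search access to the private-key directory. Group members only need the search bit to open a key file whose name they already know, so `mode => '0710',` would be the tighter setting (it is what Debian uses for /etc/ssl/private), provided nothing running as `ssl-cert` enumerates the directory. The comment above the resource could then read `# allows ssl-cert group to traverse /etc/pki/tls/private`.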
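Review bot: In puppet/zulip/manifests/profile/base.pp (`@@ -79`), `mode => '0755'` makes `/etc/zulip` listable and searchable by every local account, so the confidentiality of anything sensitive stored beneath it rests entirely on the individual file modes, which this hunk does not show. Puppet already adds the search bit to a directory wherever the read bit is set, so the effective mode is probably unchanged by this commit. Now that it is spelled out, a comment such as `# world-readable on purpose; secrets below must carry their own restrictive mode` would make the assumption explicit. The resource continues past the end of the hunk.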
@@ -117,14 +117,14 @@ class zulip::profile::base {
 file { '/var/lib/nagios_state/':
 ensure => directory,
 group => 'zulip',
- mode => '0774',
+ mode => '0775',
 }
 file { '/var/log/zulip':
 ensure => directory,
 owner => 'zulip',
 group => 'zulip',
- mode => '0640',
+ mode => '0750',
 }
 file { "${zulip::common::nagios_plugins_dir}/zulip_base":
diff --git a/puppet/zulip_ops/manifests/apache.pp b/puppet/zulip_ops/manifests/apache.pp
index 8c2ee62343..038b1c30fd 100644
--- a/puppet/zulip_ops/manifests/apache.pp
+++ b/puppet/zulip_ops/manifests/apache.pp
@@ -19,7 +19,7 @@ class zulip_ops::apache {
 require => Package['apache2'],
 owner => 'root',
 group => 'root',
- mode => '0644',
+ mode => '0755',
 }
 file { '/etc/apache2/ports.conf':
@@ -37,6 +37,6 @@ class zulip_ops::apache {
 require => Package[apache2],
 owner => 'root',
 group => 'root',
- mode => '0640',
+ mode => '0750',
 }
 }
diff --git a/puppet/zulip_ops/manifests/profile/base.pp b/puppet/zulip_ops/manifests/profile/base.pp
index 9f841a5393..906843f894 100644
--- a/puppet/zulip_ops/manifests/profile/base.pp
+++ b/puppet/zulip_ops/manifests/profile/base.pp
@@ -64,7 +64,7 @@ class zulip_ops::profile::base {
 require => User['zulip'],
 owner => 'zulip',
 group => 'zulip',
- mode => '0600',
+ mode => '0700',
 }
 # Clear /etc/update-motd.d, to fix load problems with Nagios
@@ -170,14 +170,14 @@ class zulip_ops::profile::base {
 require => User['nagios'],
 owner => 'nagios',
 group => 'nagios',
- mode => '0600',
+ mode => '0700',
 }
 file { '/var/lib/nagios/.ssh':
 ensure => directory,
 require => File['/var/lib/nagios/'],
 owner => 'nagios',
 group => 'nagios',
- mode => '0600',
+ mode => '0700',
 }
 file { '/home/nagios':
 ensure => absent,
diff --git a/puppet/zulip_ops/manifests/profile/grafana.pp b/puppet/zulip_ops/manifests/profile/grafana.pp
index 5621db1455..2df94c234e 100644
--- a/puppet/zulip_ops/manifests/profile/grafana.pp
+++ b/puppet/zulip_ops/manifests/profile/grafana.pp
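Review bot: The `/var/lib/nagios_state/` resource in the `@@ -117` hunk of puppet/zulip/manifests/profile/base.pp declares `group` and `mode => '0775'` but no `owner`, so Puppet leaves whatever owner the directory already has while making it group-writable and readable by all local users. Declaring the owner explicitly, e.g. `owner => '<intended-owner>',` (placeholder), keeps write access predictable across hosts. If no account outside the owner and the `zulip` group reads the state files, `mode => '0770',` would remove the world access.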
@@ -60,7 +60,7 @@ class zulip_ops::profile::grafana {
 ensure => directory,
 owner => 'root',
 group => 'root',
- mode => '0644',
+ mode => '0755',
 }
 file { '/etc/grafana/grafana.ini':
 ensure => file,
diff --git a/puppet/zulip_ops/manifests/profile/prometheus_server.pp b/puppet/zulip_ops/manifests/profile/prometheus_server.pp
index e3672205a5..16cf3ba0cc 100644
--- a/puppet/zulip_ops/manifests/profile/prometheus_server.pp
+++ b/puppet/zulip_ops/manifests/profile/prometheus_server.pp
@@ -32,7 +32,7 @@ class zulip_ops::profile::prometheus_server {
 ensure => directory,
 owner => 'root',
 group => 'root',
- mode => '0644',
+ mode => '0755',
 }
 file { '/etc/prometheus/prometheus.yaml':
 ensure => file,
diff --git a/puppet/zulip_ops/manifests/profile/zmirror_personals.pp b/puppet/zulip_ops/manifests/profile/zmirror_personals.pp
index 01f8a88854..a89b16a336 100644
--- a/puppet/zulip_ops/manifests/profile/zmirror_personals.pp
+++ b/puppet/zulip_ops/manifests/profile/zmirror_personals.pp
@@ -30,7 +30,7 @@ class zulip_ops::profile::zmirror_personals {
 file { ['/home/zulip/api-keys', '/home/zulip/zephyr_sessions', '/home/zulip/ccache', '/home/zulip/mirror_status']:
 ensure => directory,
- mode => '0644',
+ mode => '0755',
 owner => 'zulip',
 group => 'zulip',
 }
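Review bot: `mode => '0755'` in the zmirror_personals.pp hunk applies to all four directories, including `/home/zulip/api-keys` and `/home/zulip/ccache`, which by their names appear to hold credentials, so every local account can list and enter them. Protection of the files inside then depends only on each file's own mode, which is not visible here. If only the `zulip` user needs these two, they could move to a separate resource with `mode => '0700'`, as sketched below. Whether another account must read them cannot be determined from this hunk.

```puppet
  file { ['/home/zulip/api-keys', '/home/zulip/ccache']:
    ensure => directory,
    mode   => '0700',
    owner  => 'zulip',
    group  => 'zulip',
  }
  file { ['/home/zulip/zephyr_sessions', '/home/zulip/mirror_status']:
    ensure => directory,
    mode   => '0755',
    owner  => 'zulip',
    group  => 'zulip',
  }
```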