How to secure a Windows server?
Security is the foremost concern when you add a server to your organization's environment. Here is a checklist to make sure your server's security is not compromised in any way.
1. Use local firewall rules
Using the Windows firewall is a mandatory requirement for securing your servers. The firewall, true to its name, acts as a wall of protection between your data and the external network. So make sure you:
- Disable as many rules on the firewall as possible. Disabling firewall rules means that fewer ports are open. Since fewer ports are actively listening on the public interface, the server is less exposed to malicious users and threats.
- Whitelist the IP addresses in the relevant rules for those ports that must be open. By limiting access, you ensure that users who need access to the server can reach it, while those who shouldn't or needn't cannot. The most typical ports that need to be open in the Windows firewall for hosting web applications on a cloud server are as follows:

| Port | Purpose |
| --- | --- |
| 80 | HTTP - IIS sites or web applications |
| 443 | HTTPS - Secure IIS sites or web applications with SSL |
2. Think twice before sharing any data:
- When Windows file sharing is in use, the ports it opens on the firewall (ports 445 and 139) expose the server to unwanted connection attempts, so its use is not recommended.
- Additionally, be careful about the software that you allow your users to download and install on your server. Every software package installed increases the exposure of your server to attack.
3. Enforce a strong password policy
A door is only as strong as its key. So keep your passwords as strong as possible, and enforce this across the organization to ensure that everyone follows the password policy. Here are some suggestions for a strong password:
- Use strong passwords of at least 8 to 10 characters that include uppercase and lowercase letters, numbers, and special characters (such as !, #, $, and %).
- Make sure the password policy sets an expiration date for each user's password. This way, users are forced to change their password regularly, which reduces the risk of an attack.
4. Create individual administrative accounts:
Be selective about who you grant administrative rights to. If multiple users need admin access to the server, create a separate admin account for each of them. This way, a malicious user can be traced through the log entries recorded under their own account name, instead of a shared administrator account.
5. SQL server instances:
- For servers running Microsoft SQL Server, lock down the SQL port 1433 so that it listens on the internal interface only. This reduces the risk of outsiders attacking the network through the SQL server.
- If a connection from the outside network is required, you can allow SQL port 1433 to listen on the public interface. But this rule must be limited to accommodate only the IP addresses of the computers from which the developers connect to the databases on the server.
- For servers running SQL Server Standard or SQL Server Web editions, we recommend configuring maintenance plans to dump the data from the live database files into flat files that can be backed up off the server, and to clean up old backups so they do not fill your hard drive.
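The firewall rules from sections 1, 2 and 5 expressed in PowerShell, as an added example that is not part of the original article. It assumes the built-in NetSecurity cmdlets on a modern Windows Server; the addresses and subnets are constructed placeholders to replace with your own.

```powershell
# Added example (not from the original article). Constructed placeholders below:
$DeveloperSources = @('203.0.113.0/24')   # where developers connect from (constructed)
$InternalNic      = '10.0.0.5'            # the server's internal interface address (constructed)
$InternalSubnet   = '10.0.0.0/24'         # the internal network (constructed)

# Default-deny inbound on every profile; only the explicit allow rules below let traffic in.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# Section 1: only the web ports are reachable from anywhere.
New-NetFirewallRule -DisplayName 'Allow HTTP (IIS)'  -Direction Inbound -Protocol TCP -LocalPort 80  -Action Allow
New-NetFirewallRule -DisplayName 'Allow HTTPS (IIS)' -Direction Inbound -Protocol TCP -LocalPort 443 -Action Allow

# Section 2: make sure the built-in file sharing rules (ports 445 and 139) stay disabled.
Get-NetFirewallRule -DisplayGroup 'File and Printer Sharing' | Disable-NetFirewallRule

# Section 5: SQL Server port 1433 listens on the internal interface for internal hosts,
# and a second, narrowly scoped rule admits only the whitelisted developer addresses.
New-NetFirewallRule -DisplayName 'Allow SQL 1433 internal' -Direction Inbound -Protocol TCP `
    -LocalPort 1433 -LocalAddress $InternalNic -RemoteAddress $InternalSubnet -Action Allow
New-NetFirewallRule -DisplayName 'Allow SQL 1433 developers' -Direction Inbound -Protocol TCP `
    -LocalPort 1433 -RemoteAddress $DeveloperSources -Action Allow

# Check: list every enabled inbound allow rule with its local port and remote scope,
# so that an unexpectedly open port or an 'Any' remote address stands out.
Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow | ForEach-Object {
    [pscustomobject]@{
        Rule          = $_.DisplayName
        LocalPort     = ($_ | Get-NetFirewallPortFilter).LocalPort
        RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
    }
} | Format-Table -AutoSize
```

Run the final check after every change to the rule set; any allow rule whose RemoteAddress shows `Any` on a port other than 80 or 443 deserves a second look.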
6. Windows updates:
Always update your server to the latest version, and make sure that the Windows OS itself is fully patched.
7. Always have a backup plan:
- Set up a disaster recovery plan. You could create cloud server images periodically and write them to your Cloud Files containers with a default retention of seven days.
- Create a new server instance from the image to check that the image is valid, and try restoring a file from Cloud Backups to verify that the data being backed up can actually be restored. A backup that has never been restored has not been verified.
8. Code it right:
- The last attack surface exposed to the Internet is the code itself. You and your developers must ensure that the application enforces proper authentication and authorization.
- File authorization should be carefully defined, and every input to the application should be validated as strictly as possible, to prevent attackers from exploiting the web application and gaining control of the server.