Securing Windows Server with a baseline security
In short, to have an acceptable baseline security for any Windows server you need to think all of the things below in this list.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security. That’s just the way it is but you might use this as some kind of checklist and also the links provided in this post.
Securing Windows Server with an acceptable baseline security
- 1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java,Office and any software really. This reduces the risk for so called 0day attacks or your server being compromised by software bugs.
- 2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F Secure PSB for Servers and Workstations for lots of reasons. It’s not just a pretty logo. If you need licenses or assistance, please feel free to contact me here
- 3. Verify you have thought your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool to secure your server and crucial.
- 4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.
- 5. Enable logging. If you don’t know what’s happeing, you can’t really react to it can you ? It also makes any troubleshooting hopeless in restrospect.
- 7. Have a good monitoring and inventory system in place such as the free SpiceWorks and I also recently discovered Sitemonitoring at Sourceforge that I liked. Unfortunately Sitemonitoring only works for HTTP responses , I’d love to also have it work for pure port monitoring.
- 8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared incas of hardware failures. If possible, also have spare parts readu for the common failures such as hard drives and PSu (Power Supply Units)
- 9. Use Group Policies. It’s an extermely powerful tool once you start using it and it will make you day to day operations much easier.
- 10. If your server is reachable from the Internet, use valid SSL certificates. They’re not that expensive and any communications should be encrypted and secured as fa as we’re able.
Yes, think Mr. Snowden.Think NSA. There’s a few more things to consider when installing SSL on servers such as disabling weak cryptos and testing you´v done so correctly. I like using SSL Labs free test.
- 11. Disable any unused services and network protocols. They can be a point of entry and for the unused network protocols, you bascially fill your local network with useless chatter that comsume bandwidth. This also goes for workstations and printers and so on.
- 12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for.
If people are having trouble remembering passwords the have all over the world, maybe you could have them read this blog post I wrote about rememebering complex passwords
and on the topic of online passwords and identities, they migh also want to read this post about protecting your online identity also.
- 13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post (still on the Syspeace Blog site though ) on why
- 14. Backups! Backups! and again. BACKUPS!!
Make sure you have good backups (and test them at least once a year for a complete disaster revovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferrably stored offsite in some manner in case of a fire, theft or anything really.For day to day operations and generation management I highly recommend using the builtin VSS snapshot method but never ever have it instead of backups.
You can also use the built in Windows Server backup for DR as described here
- 15. You need to have an automatic intrusion protection against brute force and dictionary attacks with Syspeace since the “classic” methods do not get the job done. Here’s an older blog post on why . I you don’t have the time to read the article then simply download the free Syspeace trial or contact me for licenses and consulting regarding Brute force prevention
If you’re up for it, I’ve written a few other related posts here:
There’s also a third one but to be honest , I can’t remember where I published it. This is one of the reasons I’m moving basically everyting I’ve written to my own website instead . Easier to maintain .
Keep it simple and easy is alway a good approach. 🙂