Securing your windows server
Windows servers are a target for malware and hackers as they are often badly set up exactly because setting up a basic Windows server is as easy as installing it. The default installation security has improved by leaps and bounds. Server 2012 is far more secure than Server 2008 and Server 2016 improved it even further.
No matter how good we are, there’s never enough time to keep up with everything in security, and securing windows at a basic level is not too hard.
Keep up with what is happening in security
The best way to understand what’s happening in the world of security is to read the latest reports. Have a look at the Verizon Data Breach Investigations Report or the Trustwave Global Security Report. Then there is also the Mandiant APT1 report. These reports show us that cybercriminals utilise the latest tech and knowledge of all the latest security bugs and flaws in operating systems. If we do not know about these, we become vulnerable.
Information Security is NOT an IT Issue!
Security is not your IT department or your hosting provider’s issue. It is a business issue. It is essential to have an IT security committee that includes management from Operational, HR, Legal, and IT as well as any other departments that have a stake in informational security. This committee has to classify your business data. They then assess the risk and do a proper risk-benefit analysis as well. The ability of your business to continue if the data is lost is discussed. This then forms part of your Business Continuity Plan and Disaster Recovery Plan. An effective backup strategy is a part of this plan as a mitigating factor. It is essential to have a multi-layered backup strategy as no single backup is ever foolproof. A proper data audit is also essential so that you can make sure that ALL data is accounted for.
Keep your system updated
While windows updates may be a pain and cause server downtime. They are, however, an essential part of securing windows. Many exploits take advantage of known flaws in Windows. Microsoft usually releases a patch as soon as they are made aware of the flaw. Keep your system simple and run only applications that you really need. Running Office software on a server is just inviting trouble.
Use Windows built-in security tools
Windows has built-in controls, from enforcing a minimum password strength to the Windows firewall. Only allow approved applications access to the network. You can set lockouts after a certain number of failed password attempts (strongly advised). Encrypt sensitive data so that only you can read it. You can also limit access to your server to only your network. If you are on a dynamic connection, set up a VPN to your server so that you can lock it down to only VPN access. Safe connectivity is an essential part of securing windows.
Use common sense
Don’t run Outlook on a server. Outlook receives data and files, any of which could contain malware or phishing code. Keep your passwords as long as you can. Google the most commonly used passwords and avoid them. Passwords such as ‘123’ or ‘password’ are dangerously useless and easy to guess. How important is your data or the functions of your server to your business? Use this as a measure of the effort you need to put into securing your server.
Here is a checklist for securing Windows
- Service Packs and Hotfixes:
- Install the latest service packs and hotfixes from Microsoft
- Enable automatic notification of patch availability
- User Account Policies:
- Set minimum password length
- Enable password complexity requirements
- Configure account lockout policy
- User Rights Assignment:
- Restrict the ability to access the server from the network to Administrators and Authenticated Users
- Restrict local logon access to Administrators
- Deny guest accounts the ability to login as a service, a batch job, locally, or via RDP
- Security Settings:
- Disallow users from creating and logging in with Microsoft accounts
- Network Access Controls:
- Do not allow any shares to be accessed anonymously
- Additional Security Protection:
- Disable or uninstall unused services
- Disable or delete unused users
- Configure User Rights to be as secure as possible
- Ensure all volumes are using the NTFS file system
- Configure file system permissions
- Configure registry permissions
- Disallow remote registry access if not required
- Additional Steps:
- Set the system date/time and configure it to synchronise against known time servers
- Install and enable anti-virus software.
- Install and enable anti-spyware software.
- Configure anti-virus software to update daily.
- Configure anti-spyware software to update daily.
- Provide secure storage for data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, and file-system audits. Off-server file-based backups are an option provided by us that can protect your data against malware and ransomware.
- Install software to check the integrity of critical operating system files.
- If RDP is utilized, set the RDP connection encryption level to high.
- Configure a screen-saver to lock the console’s screen automatically if the host is left unattended.
Security is not just a buzzword – it is as real as the lock on your business door when you leave the office at night.