Servers

A server is the central hub of computers within a network and is often the central store for all of them. Lose it, have it hacked or have it corrupted and you have lost everything. Servers are often more forward-facing than desktops and laptops, and servers in the cloud (VPS) are even more forward-facing and need more work to secure. Out of the box, a Windows server needs quite a few tasks done to ‘security harden’ it. The information below is for a Windows server but some items may apply to other operating systems.

Backup
The server is the central hub and will often store everyone's data. Set up automated backups via tapes or using a backup application which pushes data to a cloud server for offsite storage.

Patch it up
Patching is the same as for a client operating system, and if you are just building a server the updates can easily hit 100 or more. Let it run in stages and reboot a few times as you go along. Once done, set up automated updates.

Disable the guest account
A guest account is a default low-level User Account which is intended for guests who wish to use the computer. It can also be used by hackers to exploit your operating system so it is advisable to make sure it is disabled at all times.

Remove unwanted roles / features
Unwanted features such as SQL or IIS are often installed by default. If you’re not interested in running a website, remove all unrequired features / roles.

Run a vulnerability scanner
The number of add-ons, services and software packages installed within any operating system makes it difficult to know what is secure and what could be exploited remotely. Vulnerability scanners can scan the software, registry, files, and services to see what is vulnerable and how it can be fixed.

Use the integrated firewall
Windows Server 2003 and 2008 come with a built-in firewall, and some versions have the advanced firewall. This is a software host firewall and should be used if you have no hardware firewall in place. Block all ports which are not needed and only allow the ones you require. The allowed ports can be locked down further by authorising them for a specific programme only or an IP range.

Change the default username
Any hacker or automated method will go after ‘Administrator’. Disable it and create a new one which does not sound like ‘admin’ or ‘administrator’. Create an account which cannot be guessed and set a strong password. You can even set password lock-outs but be careful.

Run Security Configuration Wizard
This will give you a security policy in a few steps. Follow it and save it. This will cover items like: roles, features, services, network security, registry and audit policy. Auditing is more for after an attack happens but it can sometimes give you clues to a future attack or ongoing issues. For instance you may see multiple failed logins and this suggests a brute force password attack.

Install antivirus
There are even a few free ones so you have no excuse not to. Set it to auto scan at night and auto update daily. Microsoft Essentials is a freebie if you want basic security.

Secure RDP
Remote Desktop Protocol is very useful but needs a few steps to be more secure. Some of them are:
  • Port – the default port is 3389, change it to something different
  • NLA – enable Network Level Authentication
  • TLS/SSL – enable Transport Layer Security
  • FIPS – set the encryption strength to maximum and FIPS
  • Accounts – disable the standard ‘Administrator’ account and create a new one
  • Passwords – to slow down password guessing use a strong password with lower case, upper case, numbers and special characters
  • Groups – RDP can be controlled by a group. Only give it to a few users
  • Lockout – setting a lock-out policy of ten attempts is a good idea but be careful
  • Firewalls – lock down the firewall port by restricting it to a particular service and IP or IP range
  • Certificates – for real strength use certificate-based authentication
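
A read-only PowerShell check for the registry, account, group and firewall items in the list above, added here as an example and not part of the original page. It assumes Windows PowerShell 5.1 or later on a standalone or member server (Server 2012 or newer, for the firewall cmdlets), an elevated session, and a hypothetical `$MaxRdpUsers` threshold; password strength, lockout and certificates are not checked.

```powershell
# Added example: read-only audit of the RDP checklist. Changes nothing.
# Assumes Windows PowerShell 5.1+ on Server 2012 or later, run elevated.
$MaxRdpUsers = 5   # assumption: what counts as "a few users"

$rdp  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$port = [string]$rdp.PortNumber

# The built-in Administrator always has a SID ending in -500, even if renamed.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# S-1-5-32-555 is the well-known SID of the Remote Desktop Users group.
$rdpUsers = @(Get-LocalGroupMember -SID 'S-1-5-32-555')

# Enabled inbound allow rules that cover the RDP port from any remote address.
$openRules = @(Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        ($_ | Get-NetFirewallPortFilter).LocalPort -contains $port -and
        ($_ | Get-NetFirewallAddressFilter).RemoteAddress -contains 'Any'
    })

# One row per checklist item: what was checked, the value found, pass or fail.
function New-Finding($Check, $Value, [bool]$Ok) {
    [pscustomobject]@{ Check = $Check; Value = $Value; Ok = $Ok }
}

$findings = @(
    New-Finding 'Port changed from 3389'          $port                   ($port -ne '3389')
    New-Finding 'NLA required'                    $rdp.UserAuthentication ($rdp.UserAuthentication -eq 1)
    New-Finding 'Security layer is TLS/SSL'       $rdp.SecurityLayer      ($rdp.SecurityLayer -eq 2)
    New-Finding 'Encryption level is FIPS (4)'    $rdp.MinEncryptionLevel ($rdp.MinEncryptionLevel -eq 4)
    New-Finding 'Built-in Administrator disabled' $admin.Name             (-not $admin.Enabled)
    New-Finding 'Remote Desktop Users kept small' $rdpUsers.Count         ($rdpUsers.Count -le $MaxRdpUsers)
    New-Finding 'No allow-from-Any rule on port'  $openRules.Count        ($openRules.Count -eq 0)
)

$findings | Format-Table -AutoSize
```

Settings enforced through Group Policy are stored under a separate Policies key and take precedence, so a pass here reflects the local configuration only.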