Hi Everyone,
I'm wondering what checklist other people would use for securing a Windows server directly connected to the internet.
Aside from this, anyone's opinions on doing this would be appreciated as well.
Thanks
-
To kick things off, here is my current list.
- Disable the administrator account, and all non-secure accounts
- Disable FTP
- Secure the server by blocking all unneeded ports and services using the Security Configuration Wizard; I currently leave ports 22, 80 and 443 open
- Install WinSSHD for file transfer to the server on port 22 (could be a higher random port). I also tried Win OpenSSH, but it got a bit messed up when trying to install keys.
Anyone else got more steps to add?
sleske : What do you mean by "Disable administrator account"? How will you perform tasks which require admin rights?
optician : Windows comes with an account called Administrator, like Linux root.
From optician -
By "without a firewall", I'm assuming you mean "without an external firewall" - the firewall on the server should be very definitely on, and set up only to expose the services that you need to be exposed to the Internet - you didn't mention what these are, but from the tags, I'm guessing that SFTP is involved.
Make sure the server's patched as fully as you can get it, and remains so for as long as it's connected to the Internet.
If you absolutely have to have (ordinary) FTP, you should look at securing that further as well - limit the IP addresses that can connect to your FTP service, do it over SSL, or use SFTP instead. OpenSSH (as optician mentioned) comes with an SFTP service.
optician : you are absolutely right, will change title to hardware firewall, thanks.
From RainyRat -
If you're connected directly to the internet without a firewall, you have got to assume that at some stage you will come under attack, and work from there.
As well as security I would also recommend putting some good monitoring in place. At the very least you should be monitoring process activity, CPU and memory usage, and network activity (I'm sure others would add more to the list).
From mh -
I have firewalls in front of my servers, but I still do all of the following:
- Disable IIS if you're not using it
- Remove FTP if it's not required (if it is then restrict access to your authorised IP addresses only)
- Apply latest service packs and hotfixes
- Disable incoming ports that aren't required
- Disable unnecessary services, e.g. Server (if it's not used as file & print server) and RRAS
If using IIS
- Move the inetpub\wwwroot folder
- Change the user account used for anonymous access & set up with appropriate permissions
- Remove any example folders such as IIS Admin, web-based printing etc.
- Remove ISAPI filters you're not using
- Create a dedicated account for FTP transfers - give that account only sufficient permission to do ftp (i.e. read/write the files it puts up, nothing else)
Logins
- Rename the Administrator account
- Create a new account called Administrator, remove all its access and privileges and disable the account (while a hacker will work hard to find out the name of an administrator account many scripts aren't so sophisticated)
- If you have physical access to the server then set "Deny Access to this computer from the network" on the Administrator account
- Check the guest account is disabled (and check all other accounts)
Personally, I wouldn't do it. If you have ever run a PC with ZoneAlarm (I'm thinking back to 2002 on a Windows 2000 box with an ADSL modem) and watched the alerts as all and sundry knocks on your PC's door then you'll understand why. Cisco and Juniper firewalls start from about £300 / $500 new, or you could get a low spec box and install smoothwall or similar. If you are putting the server up at a colo you should be able to get another 1U rack space for the firewall (and a power socket) for a fraction of the 1st U of rackspace.
optician : I do remember the days of computers directly connected to the internet and ZoneAlarm; a pity it got so bloated, I liked its fine-grained control. I have heard great things about smoothwall. I did hear that BlackICE was very good, and also would install without any security turned on so you could remotely install/config it. But I think this is now expensive. Do you have any suggestions for a firewall that can fulfill this goal?
Dan : We used smoothwall 2003 until 2006 - briefly described here: http://serverfault.com/questions/12535/open-source-firewall-or-commercial-firewall/12627#12627 . Sounds like you're looking for a software firewall to install on the server itself?
From Dan -
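As an added example (not code from the thread or from any of the posters), here is a PowerShell script that applies the login, service and firewall items from optician's list and from Dan's list on a current Windows Server using the built-in LocalAccounts and NetSecurity modules. The renamed admin name, the service list and the open ports are assumptions; the Local Security Policy item ("Deny access to this computer from the network") is not covered.

```powershell
#Requires -RunAsAdministrator
# Added example, not code from the thread: applies the login, service and firewall
# items from the lists above on a current Windows Server (LocalAccounts and
# NetSecurity modules). The admin name, service list and open ports are assumptions.
# Run it from the console, not over RDP: the firewall step disables every inbound
# rule it did not create, including Core Networking (DHCP, ICMPv6) if you need those.
param(
    [string]  $NewAdminName    = 'srvadmin',                     # assumption: pick your own
    [string[]]$AllowedTcpPorts = @('22', '80', '443'),           # ports optician leaves open
    [string[]]$ServicesToStop  = @('LanmanServer', 'RemoteAccess', 'ftpsvc')  # Server, RRAS, FTP
)
$ErrorActionPreference = 'Stop'

# Logins: rename the real Administrator (RID 500), plant a disabled decoy, disable Guest.
$builtin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($builtin.Name -eq 'Administrator') {
    Rename-LocalUser -Name 'Administrator' -NewName $NewAdminName
}
if (-not (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue)) {
    $buf = New-Object byte[] 32                      # random throwaway password for the decoy
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($buf)
    $pw = ConvertTo-SecureString ([Convert]::ToBase64String($buf)) -AsPlainText -Force
    New-LocalUser -Name 'Administrator' -Password $pw -Description 'Decoy, no rights' | Out-Null
    Remove-LocalGroupMember -Group 'Users' -Member 'Administrator' -ErrorAction SilentlyContinue
    Disable-LocalUser -Name 'Administrator'
}
Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue | Disable-LocalUser
Get-LocalUser | Where-Object Enabled | Format-Table Name, LastLogon, PasswordLastSet  # review list

# Services: stop and disable what an internet-facing host does not need.
foreach ($name in $ServicesToStop) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Stop-Service -Name $name -Force
        Set-Service  -Name $name -StartupType Disabled
    }
}

# Host firewall: default-deny inbound, then one allow rule for the ports we serve.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow
Get-NetFirewallRule -Direction Inbound -Enabled True | Disable-NetFirewallRule
$ruleName = 'Hardening: inbound TCP ' + ($AllowedTcpPorts -join ',')
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
        -LocalPort $AllowedTcpPorts -Action Allow | Out-Null
}
# Verify: the only enabled inbound rule should now be ours.
Get-NetFirewallRule -Direction Inbound -Enabled True | Select-Object DisplayName, Action
```

The final two listings (enabled accounts, enabled inbound rules) are what to compare against the checklist before the cable goes back in, as Ford Prefect's answer suggests.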
The first thing I would do, if possible, is unplug the network cable, do all the secure steps, especially apply all hotfixes/service packs, turn on software firewalls, and then plug the network cable back in. Unsecured boxes only last about half an hour in the wild, especially Windows boxes.
From Ford Prefect -