Security

How to secure a Windows server

No one wants to receive news that there has been an attack on their hosted server. Here are some suggestions to protect your server and reduce its exposure to attack.

Please note! These suggestions are a guide only and will not completely prevent every instance of ransomware and other attacks; they will, however, go a long way towards mitigating most of them.

USE A SECURE PASSWORD OR PASSPHRASE

Use strong and unique passwords for all of your logins. Windows lets you enforce these requirements through the Local Security Policy manager, which is accessible from the Administrative Tools folder or by searching for 'Local Security Policy' in the Start Menu.

In addition to enforcing password complexity requirements, the Local Security Policy manager can lock an account out after a definable number of failed login attempts. This is effective in stopping brute-force attacks on your login password, because an attacker gets only a handful of guesses before the account is locked for the configured duration.

Remembering many complex passwords is impractical for most people, so it is recommended that a reputable password manager is used for this purpose. There are many options available, such as LastPass, 1Password and KeePass, to name a few.

Another security option is a passphrase.

A passphrase is a sequence of random words, which people often find easier to remember than a string of symbols. A passphrase is usually 4 to 6 words, making it longer and therefore harder to crack than a typical password. Try UseAPhrase to generate a random passphrase.

How to create a strong password. It is important to create a strong and secure password. A password should be a minimum of 10 characters (longer is better). Include uppercase, lowercase, numbers and at least one special character (e.g. =~_{}@^&>*). Do not include your username or your name in the password, and do not write it down.
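The Local Security Policy settings described above can also be applied from an elevated PowerShell session, which is useful when you manage more than one server. The script below is an added example and not part of this article: it exports the current local policy with secedit.exe, rewrites the password and lockout values under [System Access], and imports only the SECURITYPOLICY area so that other settings are left alone. The values chosen (14 characters, 10 attempts, 30 minutes) are an assumed baseline; adjust them to your environment.

```powershell
# Added example: enforce password length/complexity and account lockout on a
# stand-alone Windows server via secedit. Run in an elevated PowerShell session.
# The numeric values below are an assumed baseline, not prescribed by the article.

$work = Join-Path $env:TEMP 'secpol'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$cfg = Join-Path $work 'secpol.inf'
$db  = Join-Path $work 'secpol.sdb'

# 1. Export the current local policy so we edit real values rather than guessing.
secedit /export /cfg $cfg /quiet

# 2. Settings to enforce, all of which live under [System Access] in the export.
$wanted = [ordered]@{
    'MinimumPasswordLength' = 14   # length matters more than symbol rules
    'PasswordComplexity'    = 1    # require mixed case / digits / symbols
    'PasswordHistorySize'   = 24   # block immediate reuse of old passwords
    'LockoutBadCount'       = 10   # failed attempts before the account locks
    'ResetLockoutCount'     = 30   # minutes before the failed-attempt counter resets
    'LockoutDuration'       = 30   # minutes the account stays locked
}

$lines = Get-Content $cfg
foreach ($name in $wanted.Keys) {
    $pattern = "^\s*$name\s*="
    if ($lines -match $pattern) {
        # Key already present: replace the whole line with the wanted value.
        $lines = $lines -replace ($pattern + '.*'), "$name = $($wanted[$name])"
    } else {
        # Key absent from the export: add it directly under [System Access].
        $idx = [array]::IndexOf($lines, '[System Access]')
        if ($idx -lt 0) { throw 'Export has no [System Access] section; aborting.' }
        $lines = $lines[0..$idx] + "$name = $($wanted[$name])" + $lines[($idx + 1)..($lines.Count - 1)]
    }
}
# secedit expects a Unicode (UTF-16LE) .inf file.
Set-Content -Path $cfg -Value $lines -Encoding Unicode

# 3. Import only the SECURITYPOLICY area so user-rights assignments etc. are untouched.
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /quiet

# 4. Verify: net accounts reads the same local policy and prints the effective values.
net accounts
```

After the import, `net accounts` should show the new minimum length, lockout threshold and lockout duration. Test a login from a second session before you close the one you are working in, so a typo in the policy cannot lock you out.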

ENABLE THE FIREWALL

Enable the built-in Windows Firewall and use it to limit access to any service exposed to the public internet that could be used to log in to the server itself.

Limit access to the RDP (Remote Desktop Protocol) service to trusted IP addresses or IP ranges only. This locks out the large parts of botnets that try to brute-force a login, since their traffic never reaches the RDP service at all.

If the internet connection from which the server is accessed uses dynamically assigned IPs, contact your ISP to find out which IP ranges they use so that those ranges can be allowed on the server's firewall.

Be sure to test any firewall change in a test environment or on a local machine before applying it to the server, to avoid locking yourself out of remote access.

If a third-party firewall solution is used, it is recommended that it is tested first, before deploying it on a hosted server.

Need to make edits to your Windows Firewall? If you require assistance, please read How to make changes to your Windows Firewall here.
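The following script is an added example, not part of this article, showing how the RDP restriction above can be applied with the built-in Windows Firewall from an elevated PowerShell session. Because a mistake here cuts off your own remote access, it first registers a scheduled task that re-enables the default RDP rules after ten minutes; you delete that task once you have confirmed you can still connect. The two address ranges are RFC 5737 documentation placeholders and must be replaced with the ranges your ISP or office actually uses.

```powershell
# Added example: restrict inbound RDP (TCP/3389) to trusted source ranges with the
# built-in Windows Firewall, with a timed rollback in case the change locks you out.
# Run in an elevated PowerShell session. Replace the placeholder ranges below.

$TrustedRanges = @('203.0.113.0/24', '198.51.100.10')   # placeholders (RFC 5737 ranges)

# Safety net: in 10 minutes, a SYSTEM task re-enables the built-in "Remote Desktop" rules.
# If you are locked out, the task undoes the change; if RDP still works, remove the task.
$rollback = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument '-NoProfile -Command "Enable-NetFirewallRule -DisplayGroup ''Remote Desktop''"'
$trigger  = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(10)
Register-ScheduledTask -TaskName 'RDP-Firewall-Rollback' -Action $rollback -Trigger $trigger `
    -User 'SYSTEM' -RunLevel Highest -Force | Out-Null

# Make sure the firewall is on for every profile and blocks inbound traffic by default.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True -DefaultInboundAction Block

# Replace the built-in "allow RDP from anywhere" rules with one scoped to the trusted ranges.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
New-NetFirewallRule -DisplayName 'RDP from trusted ranges only' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $TrustedRanges -Action Allow -Profile Any | Out-Null

# Verify: every enabled inbound rule that touches 3389, with its remote-address scope.
# The only Allow rule listed should be ours, and its scope should be your trusted ranges.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { ($_ | Get-NetFirewallPortFilter).LocalPort -eq 3389 } |
    ForEach-Object {
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Action        = $_.Action
            RemoteAddress = (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', ')
        }
    }

# Once you have confirmed RDP still works from a trusted address, remove the safety net:
# Unregister-ScheduledTask -TaskName 'RDP-Firewall-Rollback' -Confirm:$false
```

Open a second RDP session from a trusted address while the first one is still connected; if the second connection succeeds, unregister the rollback task. If it fails, wait for the task to fire and then check the ranges you entered.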

ENABLE REGULAR UPDATES

Be sure to enable regular Windows updates. Microsoft rolls out regular security fixes for all supported operating systems that address newly discovered vulnerabilities, including remotely exploitable ones. It is common to see newly disclosed exploits used by botnets in an attempt to gain access before the fixes are applied to affected systems, so the window between release and installation should be as short as possible.

You can review and change the update settings from the Control Panel on the server.

How to turn on Automatic Windows Updates.

  • Click the search magnifying glass next to Start.
  • Type 'Control Panel'.
  • Select 'System & Security'.
  • Select 'Security and Maintenance'.
  • Click 'Automatic Updates'.
  • The following options are available:

Automatic (recommended)
Updates are downloaded and installed automatically; you choose the day and time at which this happens.

Download updates for me but let me choose when to install them
Updates are downloaded automatically, but you have to install them yourself.

Notify me but don't automatically download or install them
You are notified when updates are available; you have to download and install them yourself.

Turn off Automatic Updates
Disables Automatic Updates entirely. Not recommended on an internet-facing server.

  • Select 'Automatic'.

Please note: depending on the version of Windows you are using, the steps may differ slightly.
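The same choice can be enforced from an elevated PowerShell session through the local Windows Update policy keys, which is handy when the Control Panel layout differs between Windows versions. The script below is an added example, not part of this article: it sets the policy values that correspond to the 'Automatic' option above, then asks the built-in Windows Update Agent COM API which updates are still missing. The Sunday 03:00 schedule is an assumed placeholder.

```powershell
# Added example: enforce "Automatic (recommended)" via the local WindowsUpdate policy
# keys, then list missing and recently installed updates. Run elevated.

$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

# AUOptions maps to the Control Panel choices above:
#   2 = notify but don't download or install
#   3 = download, but let me choose when to install
#   4 = automatic download and scheduled install  (the recommended "Automatic" choice)
Set-ItemProperty -Path $au -Name NoAutoUpdate         -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions            -Value 4 -Type DWord
Set-ItemProperty -Path $au -Name ScheduledInstallDay  -Value 1 -Type DWord   # 0 = every day, 1 = Sunday ... 7 = Saturday (placeholder)
Set-ItemProperty -Path $au -Name ScheduledInstallTime -Value 3 -Type DWord   # hour of day, 0-23 (placeholder)

# Verify the values took effect.
Get-ItemProperty -Path $au | Select-Object NoAutoUpdate, AUOptions, ScheduledInstallDay, ScheduledInstallTime

# Ask the Windows Update Agent (built-in COM API, no extra module needed) which
# software updates are not yet installed. Needs network access to the update source.
$session  = New-Object -ComObject 'Microsoft.Update.Session'
$searcher = $session.CreateUpdateSearcher()
$missing  = $searcher.Search("IsInstalled=0 and Type='Software' and IsHidden=0").Updates

if ($missing.Count -eq 0) {
    'No missing software updates.'
} else {
    $missing | ForEach-Object {
        [pscustomobject]@{
            Title    = $_.Title
            Severity = $_.MsrcSeverity          # Critical/Important/...; empty for non-security updates
            KB       = ($_.KBArticleIDs -join ',')
        }
    } | Sort-Object Severity | Format-Table -AutoSize
}

# Installed patches, newest first, to confirm recent security fixes actually landed.
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, Description, InstalledOn
```

Any update whose Severity column reads Critical or Important and has been missing for more than a few days deserves immediate attention; those are exactly the fixes botnets race to exploit.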

INSTALL ANTI-MALWARE

It is strongly recommended that you install an anti-malware program to scan the server's file system for files that may contain malicious code. Microsoft includes Windows Defender Antivirus with Windows Server 2016 at no extra cost, and it is recommended. If you have an earlier version of Windows Server, choose an equivalent anti-malware program.

Ensure that a daily scan for malicious files is scheduled and that the virus definitions are kept up to date; an anti-malware program with stale definitions will miss current threats.

Windows Defender can be enabled and managed from the Control Panel in Windows Server 2016.

How to turn on Windows Defender (Windows Server 2016)

  • Click the search magnifying glass next to Start.
  • Type 'Control Panel'.
  • Select 'System & Security'.
  • Open 'Administrative Tools'.
  • Select 'Edit group policy'.
  • Open 'Computer Configuration'.
  • Select 'Administrative Templates'.
  • Select 'Windows Components'.
  • Select 'Windows Defender Antivirus'.
  • Make sure the 'Turn off Windows Defender Antivirus' setting is Not Configured or Disabled, so that Defender stays on.
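Defender on Windows Server 2016 can also be checked and configured with its built-in PowerShell cmdlets, which cover the daily scan and definition-update requirements above in one place. The script below is an added example, not part of this article; the 02:00 scan time and the four-hour signature interval are assumed values.

```powershell
# Added example: enable Windows Defender Antivirus on Windows Server 2016, schedule a
# daily scan, keep signatures current and confirm the result. Run elevated.

# On Server 2016 Defender is a Windows feature; make sure it is actually installed.
$feature = Get-WindowsFeature -Name Windows-Defender-Features
if ($feature -and -not $feature.Installed) {
    Install-WindowsFeature -Name Windows-Defender-Features -IncludeManagementTools
}

# Installed is not the same as running: check the engine and real-time protection.
$status = Get-MpComputerStatus
if (-not $status.AntivirusEnabled -or -not $status.RealTimeProtectionEnabled) {
    Set-MpPreference -DisableRealtimeMonitoring $false
}

# Daily scheduled quick scan (ScanScheduleDay 0 = every day) at 02:00, refreshing
# signatures before each scan and every 4 hours in between (assumed values).
Set-MpPreference -ScanScheduleDay 0 `
                 -ScanScheduleTime (New-TimeSpan -Hours 2) `
                 -ScanParameters QuickScan `
                 -CheckForSignaturesBeforeRunningScan $true `
                 -SignatureUpdateInterval 4

# Pull the latest definitions now and report how old they are.
Update-MpSignature
$status = Get-MpComputerStatus
[pscustomobject]@{
    AntivirusEnabled   = $status.AntivirusEnabled
    RealTimeProtection = $status.RealTimeProtectionEnabled
    SignatureVersion   = $status.AntivirusSignatureVersion
    SignatureAgeDays   = $status.AntivirusSignatureAge   # should be 0 or 1 on a healthy server
    LastQuickScanEnd   = $status.QuickScanEndTime
}

# Start a quick scan right away and review anything Defender has already flagged.
Start-MpScan -ScanType QuickScan
Get-MpThreatDetection | Sort-Object InitialDetectionTime -Descending |
    Select-Object -First 10 InitialDetectionTime, ProcessName, ThreatID, ActionSuccess
```

A SignatureAgeDays value above a day or two, or an ActionSuccess of False in the detection list, means the server needs attention even though Defender is nominally enabled.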

IMPORTANT! Remember that these are only basic best practices for securing a Windows Server and do not cover every available option for doing so. The best recommendation we can give is to remain vigilant: research the security of any application installed on the hosted server, and review how access to that server is granted to its users.

Still have questions? Contact us on any of the platforms below