Best Practices for securing a Windows server
Following these basic principles will help keep your Windows server secure.
- 0. Basics
- 1. Control networked services
- 2. Apply patches regularly
- 3. Use a firewall
- 4. Take other common-sense measures
- 5. Additional Tools and Resources
Currently supported versions of Windows Server:
- Windows Server 2003 (32/64) (Support for Windows 2003 will end on July 13, 2015)
- Windows Server 2008 (32/64)
- Windows Server 2008 R2 (64)
- Windows Server 2012 (64)
Unsecured systems attract hackers (and their automated scans) very quickly. A system that is on the network for more than a few minutes without steps taken to secure it is very likely to be compromised. Once compromised, it can also give malicious intruders a platform from which to attack other systems on campus and around the world.
Any "service" offers a potential for attack. Reduce your attack surface. Turn off/disable any applications or services that are not needed to support the application(s) running on that server.
Some services that should be turned off unless they are needed include web services (IIS), mail services (SMTP), directory services (Active Directory), ftp, and telnet.
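One way to check a server against the list above, as an added example (not OIT's own script). It assumes Windows PowerShell and the default short service names; the function names are hypothetical.

```powershell
# Added example: audit the services this page names; not OIT's own script.
# Service short names are the usual Windows ones (assumption: default installs).
$Candidates = @{
    'W3SVC'    = 'Web services (IIS)'
    'SMTPSVC'  = 'Mail services (SMTP)'
    'NTDS'     = 'Directory services (Active Directory)'
    'FTPSVC'   = 'FTP (IIS 7 and later)'
    'MSFTPSVC' = 'FTP (IIS 6)'
    'TlntSvr'  = 'Telnet'
}

function Get-UnneededService {
    param(
        # Short names of services this server's applications really need.
        # A domain controller must list NTDS here.
        [string[]]$Needed = @()
    )
    foreach ($name in $Candidates.Keys) {
        if ($Needed -contains $name) { continue }
        # Win32_Service exposes StartMode on every Windows PowerShell version.
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -and $svc.StartMode -ne 'Disabled') {
            New-Object PSObject -Property @{
                Name      = $svc.Name
                Role      = $Candidates[$name]
                State     = $svc.State
                StartMode = $svc.StartMode
            }
        }
    }
}

function Disable-UnneededService {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([string[]]$Needed = @())
    foreach ($svc in Get-UnneededService -Needed $Needed) {
        if ($PSCmdlet.ShouldProcess($svc.Name, 'Stop and disable')) {
            Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue
            Set-Service -Name $svc.Name -StartupType Disabled
        }
    }
}

# Report first; the server in this sample call is assumed to be a web server.
Get-UnneededService -Needed 'W3SVC' | Format-Table Name, Role, State, StartMode -AutoSize
# Then preview the change before making it:
# Disable-UnneededService -Needed 'W3SVC' -WhatIf
```

Services that are not installed produce no output, so an empty report means none of the listed services is present and enabled outside the `-Needed` list.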
Microsoft releases patches/updates, at a minimum, on a monthly basis. OIT recommends that you patch as soon as possible after a patch has been released. OIT's schedule is to patch all Windows development and QA servers on the third Tuesday of the month and then patch all Windows production servers the following Thursday.
For more on Microsoft's monthly updates see: http://technet.microsoft.com/en-us/security/bulletin
Place your server behind a hardware firewall. If you cannot do that, use the built-in software firewall. Block access to all ports by default, then allow access only to the ports needed for the application(s) running on the server. This protects the open ports by allowing only specific, expected communications to and from them.
- Use strong, unique passwords
- Use SSH or RDP (not ftp, telnet or other insecure services)
- Don't allow unsecured remote logins (use RDP)
- Keep your system physically secure (screen saver/password, locks, cables...)
- Install an antivirus/anti-malware application to detect intrusions
- Take regular backups, preferably on a nightly basis
OIT uses McAfee Enterprise for malware and virus scanning on its servers. It uses TSM (Tivoli Storage Manager) to back up its servers every night.
- Microsoft Security Center: http://www.microsoft.com/security/default.aspx
- Microsoft Windows Server 2008 Security Guide: http://technet.microsoft.com/en-us/library/cc264463.aspx
- Windows Server 2012 Security Guide: http://technet.microsoft.com/en-us/library/jj898542.aspx
- Princeton University Information Technology Policy: http://www.princeton.edu/itpolicy/
- Princeton IT Security: http://www.princeton.edu/itsecurity/
- Princeton AntiVirus information: http://helpdesk.princeton.edu/kb/display.plx?ID=3308
- Princeton Windows Firewall information: http://helpdesk.princeton.edu/kb/display.plx?ID=9760
- Secure password storage: http://passwordsafe.sourceforge.net/
Posted Dec. 2013
(c)2013 The Trustees of Princeton University