Windows Security

About EIS » Services » Servers » Windows Security

Best Practices for securing a Windows server

Following these basic principles will help keep your Windows server secure.

0. Basics
1. Control networked services
2. Apply patches regularly
3. Use a firewall
4. Take other common-sense measures
5. Additional Tools and Resources

0. Basics

Current supported versions of Windows server:

Windows 2003 (32/64) (Support for Windows 2003 will end on July 13, 2015)
Windows 2008 (32/64)
Windows 2008 R2 (64)

Why worry:
Unsecured systems attract hackers (and their automated scans) very quickly. A system which is on the network for more than a few minutes without steps taken to secure it, is very likely to be compromised, and in addition can give malicious intruders a platform from which to attack other systems on campus and around the world.

1. Control networked services

Any "service" offers a potential for attack. Reduce your attack surface. Turn off/disable any applications or services that are not needed to support the application(s) running on that server.

Some services that should be turned off unless they are needed include web services (IIS), mail services (SMTP), directory services (Active Directory), ftp, and telnet.

2. Apply patches regularly

Microsoft releases patches/updates, at a minimum, on a monthly basis. OIT recommends that you patch as soon as possible after a patch has been released. OIT's schedule is to patch all Windows development and QA servers on the third Tuesday of the month and then patch all Windows production servers the following Thursday.

For more on Microsoft's monthly updates see: http://technet.microsoft.com/en-us/security/bulletin

3. Use a firewall

Place your server behind a hardware firewall. If you cannot do that, use the built-in software firewall. Block access to all ports and restrict access to the ports needed for the application(s) running on the server. This will protect the open ports by allowing only specific expected communications to/from those ports.

4. Take other common-sense measures

Use strong, unique passwords
Use SSH or RDP (not ftp, telnet or other insecure services)
Don't allow unsecured remote logins (use RDP)
Keep your system physically secure (screen saver/password, locks, cables...)
Install an antivirus/malware application to detect intrusions
Take regular backups, preferably on a nightly basis

OIT uses MacAfee Enterprise for malware and virus scanning on its servers. It uses TSM (Tivoli Storage Manager) to back up its servers every night.

5. Additional Tools and Resources

Microsoft Security Center: http://www.microsoft.com/security/default.aspx
Microsoft Windows Server 2008 Security Guide: http://technet.microsoft.com/en-us/library/cc264463.aspx
Princeton University Information Technology Policy: http://www.princeton.edu/itpolicy/
Princeton IT Security: http://www.princeton.edu/itsecurity/
Princeton AntiVirus information: http://helpdesk.princeton.edu/kb/display.plx?ID=3308
Princeton Windows Firewall information: http://helpdesk.princeton.edu/kb/display.plx?ID=9760
Secure password storage: http://passwordsafe.sourceforge.net/

Posted Dec. 2011
(c)2011 The Trustees of Princeton University

Enterprise Infrastructure Services