Skip over navigation

Windows Security

 
Best Practices for securing a Windows server

Following these basic principles will help keep your Windows server secure.

Contents

0. Basics

Current supported versions of Windows server:

  • Windows Server 2003 (32/64) (Support for Windows 2003 will end on July 13, 2015)
  • Windows Server 2008 (32/64)
  • Windows Server 2008 R2 (64)
  • Windows Server 2012 (64)

Why worry: 
Unsecured systems attract hackers (and their automated scans) very quickly. A system which is on the network for more than a few minutes without steps taken to secure it, is very likely to be compromised, and in addition can give malicious intruders a platform from which to attack other systems on campus and around the world.

1. Control networked services

Any "service" offers a potential for attack. Reduce your attack surface. Turn off/disable any applications or services that are not needed to support the application(s) running on that server.

Some services that should be turned off unless they are needed include web services (IIS), mail services (SMTP), directory services (Active Directory), ftp, and telnet.

2. Apply patches regularly

Microsoft releases patches/updates, at a minimum, on a monthly basis. OIT recommends that you patch as soon as possible after a patch has been released. OIT's schedule is to patch all Windows development and QA servers on the third Tuesday of the month and then patch all Windows production servers the following Thursday.

For more on Microsoft's monthly updates see: http://technet.microsoft.com/en-us/security/bulletin

3. Use a firewall

Place your server behind a hardware firewall. If you cannot do that, use the built-in software firewall. Block access to all ports and restrict access to the ports needed for the application(s) running on the server. This will protect the open ports by allowing only specific expected communications to/from those ports.

4. Take other common-sense measures

  • Use strong, unique passwords
  • Use SSH or RDP (not ftp, telnet or other insecure services)
  • Don't allow unsecured remote logins (use RDP)
  • Keep your system physically secure (screen saver/password, locks, cables...)
  • Install an antivirus/malware application to detect intrusions
  • Take regular backups, preferably on a nightly basis
  • OIT uses MacAfee Enterprise for malware and virus scanning on its servers. It uses TSM (Tivoli Storage Manager) to back up its servers every night.

5. Additional Tools and Resources



Posted Dec. 2013
(c)2013 The Trustees of Princeton University