Whether you’re deploying hundreds of Windows servers into the cloud, or handbuilding physical servers for a small business, having a proper method to ensure a secure, reliable environment is crucial to keeping your ecosystem safe from data breaches. Everyone knows that an out-of-the-box Windows server may not have all the necessary security measures in place to go right into production, although Microsoft has been improving the default configuration in every server version.

UpGuard presents this ten step checklist to ensure that your Windows servers have been sufficiently hardened against most cyber attacks. Specific best practices differ depending on need, but addressing these ten areas before subjecting a server to the internet will protect against the most common exploits. Many of these are standard recommendations that apply to servers of any flavor, while some are Windows specific, delving into some of the ways you can tighten up the Microsoft server platform. Details on hardening Linux servers can be found in our article 10 Essential Steps to Configuring a New Server.

Modern Windows Server editions force you to do this, but make sure the password for the local Administrator account is reset to something secure. Furthermore, disable the local administrator whenever possible. There are very few scenarios where this account is required and because it’s a popular target for attack, it should be disabled altogether to prevent it from being exploited. With that account out of the way, you need to set up an admin account to use. You can either add an appropriate domain account, if your server is a member of an Active Directory (AD), or create a new local account and put it in the administrators group. Either way, you may want to consider using a non-administrator account to handle your business whenever possible, requesting elevation using the Windows sudo equivalent, “Run As”, and entering the password for the administrator account when prompted.

Verify that the local guest account is disabled where applicable. None of the built-in accounts are secure, guest perhaps least of all, so just close that door. Double check your security groups to make sure everyone is where they are supposed to be (adding domain accounts to the remote desktop users group, for example).

Don't forget to protect your passwords. Use a strong password policy to make sure accounts on the server can’t be compromised. If your server is a member of AD, the password policy will be set at the domain level in the Default Domain Policy. Stand alone servers can be set in the local policy editor. Either way, a good password policy will at least establish the following:

- Complexity and length requirements - how strong the password must be.
- Password expiration - how long the password is valid.
- Password history - how long until previous passwords can be reused.
- Account lockout - how many failed password attempts before the account is suspended.

Old passwords account for many successful hacks, so be sure to protect against these by requiring regular password changes.

Production servers should have a static IP so clients can reliably find them. This IP should be in a protected segment, behind a firewall. Configure at least two DNS servers for redundancy and double check name resolution using nslookup from the command prompt. Ensure the server has a valid A record in DNS with the name you want, as well as a PTR record for reverse lookups. Note that it may take several hours for DNS changes to propagate across the internet, so production addresses should be established well before a go live window. Finally, disable any network services the server won’t be using, such as IPv6. This depends on your environment and any changes here should be well-tested before going into production.

Microsoft uses roles and features to manage OS packages. Roles are basically a collection of features designed for a specific purpose, so generally roles can be chosen if the server fits one, and then the features can be customized from there. Two equally important things to do are 1) make sure everything you need is installed (a .NET framework version or IIS, for example); without the right pieces your applications won’t work. Extraneous packages unnecessarily extend the attack surface of the server and should be removed whenever possible. This is equally true for default applications installed on the server that won’t be used. Servers should be designed with necessity in mind and stripped lean to make the necessary parts function as smoothly and quickly as possible.
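An added example, not part of the original checklist or any UpGuard tooling: a Python check of the checklist's account and password policy items against a security policy export. It assumes the export was produced with `secedit /export /cfg <file>` and decoded to text; the sample export is constructed, and because the checklist names no thresholds each test only verifies that the setting is established at all.

```python
import configparser

# Constructed sample: part of a security policy export as written by
# `secedit /export /cfg <file>` (the real file is UTF-16; decode it first).
SAMPLE_EXPORT = """\
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
MaximumPasswordAge = -1
MinimumPasswordLength = 0
PasswordComplexity = 1
PasswordHistorySize = 24
LockoutBadCount = 0
EnableAdminAccount = 1
EnableGuestAccount = 0
"""

# Checklist item -> (policy key, predicate that is True when the item is met).
CHECKS = {
    "password length required": ("MinimumPasswordLength", lambda v: v > 0),
    "password complexity required": ("PasswordComplexity", lambda v: v == 1),
    "password expiration set": ("MaximumPasswordAge", lambda v: v > 0),  # -1 = never
    "password history kept": ("PasswordHistorySize", lambda v: v > 0),
    "account lockout set": ("LockoutBadCount", lambda v: v > 0),  # 0 = no lockout
    "local Administrator disabled": ("EnableAdminAccount", lambda v: v == 0),
    "local Guest disabled": ("EnableGuestAccount", lambda v: v == 0),
}

def audit(export_text):
    """Return {checklist item: 'ok' | 'FAIL' | 'missing'} for one export."""
    parser = configparser.ConfigParser(
        interpolation=None, strict=False, delimiters=("=",))
    parser.optionxform = str  # keep key names exactly as exported
    parser.read_string(export_text)
    access = parser["System Access"] if parser.has_section("System Access") else {}
    results = {}
    for item, (key, is_met) in CHECKS.items():
        try:
            value = int(access.get(key))
        except (TypeError, ValueError):
            results[item] = "missing"  # absent or non-numeric: not verified
            continue
        results[item] = "ok" if is_met(value) else "FAIL"
    return results

if __name__ == "__main__":
    for item, status in audit(SAMPLE_EXPORT).items():
        print(f"{status:8} {item}")
```

A `missing` result means the key was not in the export, so the item could not be verified from that file.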