A Quick Checklist to Secure Your Windows Web Server

Nothing is more devastating to an online company than losing a web server to hackers. Having a VPS or dedicated server improves control over your web configurations, but it also leaves much more room for accidental security holes. If you aren’t experienced with web server security, you can make just one change to the server that leaves it open to anyone on the Internet, including those who would take advantage of it maliciously. Before you go online with your web server configuration, use this checklist to verify its security.

1. Uninstall Any Unneeded Services

The Windows operating system installs with several additional services. Unfortunately, for each unnecessary service you create possible security holes on the system. Unused services are unnecessary anyway. Theytake server resources needlessly, and most of them open ports that could be used maliciously. You can uninstall them or use the Windows Services section of the Control Panel to disable them from running each time you boot the server.

2. White List RDP IP Connections

Remote Desktop Protocol (RDP) is the standard way administrators remotely connect to a Windows server. In some cases, you can’t disable RDP because your administrators need it to configure servers from another location. If you can’t disable it altogether, the next best option is to white list IP addresses. You should have an IP address for each office. Use your office IP list to allow address for each office. Use your office IP list to allow RDP access on the server’s routers. If you have the Windows firewall enabled, then you will also need to configure access on the Windows firewall.

3. Never Allow Developers to Work on a Production Server

In a small company, it’s common for developers to have access to the production server. However, once you rely on your web presence for revenue, it’ s time to separate production from the testing environment. Developers should never be able to access production and upload code without having it thoroughly tested. As a matter of fact, only designated employees should have access to upload code to production, and you should develop a strict deployment schedule. The only time developers don’t adhere to deployment schedules is for critical fixes.

4. Partition the Web Application Volume from the Main Operating System Volume

“Directory traversal” is a type of exploit that allows the hacker to access system files through the web application. You can limit this type of attack by separating system files from the web application files. Traversal happens when the hacker uses application input to download files. For instance, if you allow a user to access files in a specific directory, the attacker can change the input directory and file name and gain access to critical files on the server. The administrator should still take precautions on the operating system partition, but partitioning these files from the main application increases security.

5. Create a Separate User for the Web Application

When you set up a web application on a Windows server, you choose the user name that runs the application. If this user has too many access rights, it can be a security issue should an attacker gain control of it. Always create a user with the minimum amount of permissions necessary to fully run the application. If an attacker should successfully gain access to the application, he’s still limited in the amount of files and data that can be accessed.

6. Keep All Patches Up-to-Date

Each month, Microsoft deploys new patches for its operating systems. You can choose to automatically download and install these patches through the Windows Update program. You can also choose to download the patches only and manually install them. These patches include any updates that defend against the latest threats on the Internet. Always install patches as soon as possible if you choose to manually install them yourself.

7. Install Monitoring Software

Windows does not have any kind of native monitoring system when you install a server OS. You need a third-party monitoring service on your server. You should do research for several different types of systems and choose the one that runs smoothly on your server, provides reports that you need each week, and doesn’t take too many resources that harm application performance. In addition to running monitoring software, you should also log in to the server periodically to ensure that no critical errors are logged in Event Viewer.

8. Disable Unused User Accounts, Especially Common Ones

Windows includes a guest account for each of its operating systems. Luckily, this account is automatically disabled by default. You should disable any accounts that aren’t used on the server. Leaving unused accounts on the server opens them up to hackers. Hackers know the common usernames installed with the Windows operating system. They always attempt to log into them when performing preliminary checks on the server. Disable administrator accounts that are no longer used to prevent them from being used maliciously as well.

9. Don’t Install Extensions and Add-Ons without Testing Them for Security

The Internet offers plenty of resources where you can download and review extensions and add-ons for Windows server operating systems. These extensions help with administrative tasks and even developer resources for a web application. The problem with randomly installing add-ons without testing them is that they sometimes open security holes on the server. Hackers often scan web servers for hints that the web server has an installed application that gives them an advantage. Always thoroughly research these extensions and add-ons and test them for any security flaws.

10. Use Microsoft’s Certified Security Tools

Microsoft publishes several server tools that can be freely downloaded by any administrator. These tools are better than installing random third-party tools, because they’ve been tested with the Windows operating system and verified as secure. Some of these tools are included with the Windows installation DVD. You can also find server tools available on Microsoft’s official website.

11. Read Security Newsletters and Briefs Each Week

Microsoft and several other online outlets provide news that warn you of the latest security breaches. They also tell you about the latest viruses, Trojans, ransomware, and other malware in the wild. It’s important to know the latest threats on the Internet, the new types of attacks, and any threats such as phishing attacks. An administrator and security experts should always stay on top of the latest security news to ensure that you recognize them should they happen to your web server.

12. Use Penetration Testing Tools on Your Server

Hackers continue to scan servers for security flaws. You can eliminate many of the common security flaws on a server by running your own penetration testing. You can write your own scripts or purchase penetration tools. You can find software that runs scans on a web server the same way a hacker would. This helps you identify security holes on the server before an attacker, so you can then fix them before they turn into a data breach.

These 12 items will get you started with server security. You can’t ensure an attacker can never access your server if you don’t continually monitor it and apply patches when they become available. You don’t have to spend hours researching the latest threats, but you should spend at least a few minutes each week keeping yourself up to date with the latest attacks and security breaches.