Nothing is more devastating to an online company than losing a web server to hackers. Having a VPS or dedicated server improves control over your web configurations, but it also leaves much more room for accidental security holes. If you aren’t experienced with web server security, you can make just one change to the server that leaves it open to anyone on the Internet, including those who would take advantage of it maliciously. Before you go online with your web server configuration, use this checklist to verify its security.
1. Uninstall Any Unneeded Services
The Windows operating system installs with several additional services. Unfortunately, each unnecessary service creates possible security holes on the system. Unused services bring no benefit: they take server resources needlessly, and most of them open ports that could be used maliciously. You can uninstall them or use the Windows Services section of the Control Panel to disable them from running each time you boot the server.
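Because the practical question is "which services are actually listening, and on which ports?", the following PowerShell, added here as an example and not taken from the original article, joins the listening TCP sockets to the services that own them and then disables an explicitly reviewed list. The two service names in $toDisable (RemoteRegistry, Spooler) are constructed examples of services a web server rarely needs; the -WhatIf switches make the disable step a dry run until you remove them.

```powershell
# Added example: map listening TCP ports to the Windows services behind them,
# then disable services that review has confirmed are not needed.

# Win32_Service exposes the ProcessId and StartMode of each service; several
# services can share one svchost.exe process, so a port may map to more than one.
$services  = Get-CimInstance Win32_Service
$listeners = Get-NetTCPConnection -State Listen

$report = foreach ($l in $listeners) {
    $owners = $services | Where-Object ProcessId -eq $l.OwningProcess
    [pscustomobject]@{
        LocalAddress = $l.LocalAddress
        Port         = $l.LocalPort
        ProcessId    = $l.OwningProcess
        Service      = if ($owners) { ($owners.Name -join ',') } else { '(not a service)' }
        StartMode    = if ($owners) { ($owners.StartMode | Select-Object -First 1) } else { '' }
    }
}
$report | Sort-Object Port | Format-Table -AutoSize

# Services confirmed unnecessary after reviewing the report above.
# Constructed example list; adjust it to your own server's role.
$toDisable = @('RemoteRegistry', 'Spooler')

foreach ($name in $toDisable) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { continue }               # not installed on this host
    Stop-Service -Name $name -Force -WhatIf   # remove -WhatIf to apply
    Set-Service  -Name $name -StartupType Disabled -WhatIf
}
```

Run the report first and keep it with the server's build notes; a port that appears later without a matching entry is exactly the kind of change this checklist item is meant to catch.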
2. White List RDP IP Connections
Remote Desktop Protocol (RDP) is the standard way administrators remotely connect to a Windows server. In some cases, you can’t disable RDP because your administrators need it to configure servers from another location. If you can’t disable it altogether, the next best option is to white list IP addresses. You should have an IP address for each office. Use your office IP list to
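The whitelist described above can be applied to the Windows firewall's own Remote Desktop rules. The PowerShell below is an added example, not code from the original article; it assumes the default Windows Server firewall rule group named "Remote Desktop" is present, and the two office addresses are constructed placeholders from documentation ranges that you replace with your offices' real egress IPs.

```powershell
# Added example: restrict inbound RDP (TCP 3389) to known office addresses.

# Constructed placeholder addresses; replace with your own office egress IPs/ranges.
$officeAddresses = @('203.0.113.10', '198.51.100.0/24')

# Show the current scope before changing anything.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Enabled       = $_.Enabled
            RemoteAddress = ($filter.RemoteAddress -join ', ')   # 'Any' means open to the world
        }
    } | Format-Table -AutoSize

# Scope every rule in the built-in group so it matches only the office list.
# Assumes the default "Remote Desktop" rule group exists (it does on Windows Server).
Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $officeAddresses

# Verify: each rule should now list only the office addresses.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
    ForEach-Object {
        $filter = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            RemoteAddress = ($filter.RemoteAddress -join ', ')
        }
    } | Format-Table -AutoSize
```

Apply this from a console session or from an address that is on the list; otherwise the session you are typing in is the first one the new scope cuts off.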
3. Never Allow Developers to Work on a Production Server
In a small company, it’s common for developers to have access to the production server. However, once you rely
4. Partition the Web Application Volume from the Main Operating System Volume
“Directory traversal” is a type of exploit that allows the hacker to access system files through the web application. You can limit this type of attack by separating system files from the web application files. Traversal happens when the hacker manipulates application input that the application turns into a file path. For instance, if you allow a user to access files in a specific directory, the attacker can change the input directory and file name and gain access to critical files on the server. The administrator should still take precautions on the operating system partition, but partitioning these files from the main application increases security.
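Partitioning limits the damage, but the application should also refuse a path that leaves its download directory. The PowerShell below, an added example rather than code from the original article, shows the unsafe way of building the path beside a hardened version that canonicalises the result and checks it against the base directory. D:\app\files is an assumed location, and the three inputs at the end are constructed test cases.

```powershell
# Added example: building a download path from user input, unsafe vs hardened.
$BaseDir = 'D:\app\files'   # assumed download directory on the application volume

function Get-DownloadPathUnsafe {
    param([string]$UserInput)
    # Path.Combine returns the second argument unchanged when it is rooted, and
    # nothing here collapses "..", so the caller decides where the read lands.
    return [System.IO.Path]::Combine($BaseDir, $UserInput)
}

function Get-DownloadPathSafe {
    param([string]$UserInput)
    if ([string]::IsNullOrWhiteSpace($UserInput)) { throw 'Empty file name' }
    # Rooted input (C:\..., \\server\share) must never be accepted as a relative name.
    if ([System.IO.Path]::IsPathRooted($UserInput)) { throw 'Absolute paths are not allowed' }
    # A colon in a file name would address an NTFS alternate data stream.
    if ($UserInput.Contains(':')) { throw 'Invalid character in file name' }

    # Canonicalise the base once, with a trailing separator, so that a sibling
    # directory such as D:\app\files2 cannot pass the prefix test.
    $root = [System.IO.Path]::GetFullPath($BaseDir).TrimEnd('\') + '\'
    # GetFullPath collapses '.' and '..' segments; only then is the prefix check meaningful.
    $full = [System.IO.Path]::GetFullPath([System.IO.Path]::Combine($root, $UserInput))
    if (-not $full.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
        throw "Path escapes the download directory: $UserInput"
    }
    return $full
}

# Constructed inputs: a legitimate name, a relative traversal, and an absolute path.
$inputs = @('report.txt', '..\..\Windows\win.ini', 'C:\Windows\win.ini')
foreach ($in in $inputs) {
    $unsafe = Get-DownloadPathUnsafe $in
    try   { $safe = Get-DownloadPathSafe $in }
    catch { $safe = "REJECTED ($($_.Exception.Message))" }
    "{0,-24} unsafe -> {1,-36} safe -> {2}" -f $in, $unsafe, $safe
}
```

The unsafe function hands back D:\Windows\win.ini (after the operating system collapses the "..") for the second input and C:\Windows\win.ini for the third; the hardened one rejects both and returns D:\app\files\report.txt for the first. The prefix check is what does the work; the two early rejections simply give clearer error messages.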
5. Create a Separate User for the Web Application
When you set up a web application on a Windows server, you choose the user name that runs the application. If this user has too many access rights, it can be a security issue should an attacker gain control of it. Always create a user with the minimum amount of permissions necessary to fully run the application. If an attacker should successfully gain access to the application, he’s still limited in
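The following PowerShell is an added example of setting up such a minimal-rights identity; it is not code from the original article. It assumes IIS with the WebAdministration module, an application pool named WebApp, an application root of D:\app with wwwroot, logs and uploads subfolders, and an account name of svc_webapp; all of those are placeholders.

```powershell
# Added example: a dedicated local account for the web application with only
# the file rights it needs, bound to an IIS application pool.
$AppUser = 'svc_webapp'   # assumed account name
$AppRoot = 'D:\app'       # assumed application root
$AppPool = 'WebApp'       # assumed IIS application pool name

# Prompt for the password instead of hard-coding it in the script.
$cred = Get-Credential -UserName $AppUser -Message "Password for $AppUser"

if (-not (Get-LocalUser -Name $AppUser -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $AppUser -Password $cred.Password `
        -Description 'Web application service identity' `
        -PasswordNeverExpires -UserMayNotChangePassword -AccountNeverExpires | Out-Null
}

# Guard against someone having added the account to Administrators.
if (Get-LocalGroupMember -Group 'Administrators' -Member $AppUser -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Administrators' -Member $AppUser
}

# File system rights: read/execute on the code, modify only where the app must write.
# (OI)(CI) inherit to files and subfolders; RX = read and execute; M = modify.
icacls "$AppRoot\wwwroot" /grant "${AppUser}:(OI)(CI)RX"
icacls "$AppRoot\logs"    /grant "${AppUser}:(OI)(CI)M"
icacls "$AppRoot\uploads" /grant "${AppUser}:(OI)(CI)M"

# Run the application pool as that account (assumes IIS and WebAdministration).
Import-Module WebAdministration
Set-ItemProperty "IIS:\AppPools\$AppPool" -Name processModel -Value @{
    identityType = 'SpecificUser'
    userName     = $AppUser
    password     = $cred.GetNetworkCredential().Password
}

# Verify: the account should appear with RX on the code directory, never with F or M.
icacls "$AppRoot\wwwroot" | Select-String $AppUser
```

If an attacker later gains code execution inside the application, this is the account they hold: it cannot overwrite the site's own code and has no rights on the operating system volume at all.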
6. Keep All Patches Up-to-Date
Each month, Microsoft deploys new patches for its operating systems. You can choose to automatically download and install these patches through the Windows Update program. You can also choose to download the patches only and manually install them. These patches include any updates that defend against the latest threats on the Internet. Always install patches as soon as possible if you choose to manually install them yourself.
7. Install Monitoring Software
Windows does not have any kind of native monitoring system when you install a server OS. You need a third-party monitoring service on your server. You should research several different types of systems and choose the one that runs smoothly on your server, provides the reports you need each week, and doesn’t consume so many resources that it harms application performance. In addition to running monitoring software, you should also log in to the server periodically to ensure that no critical errors are logged in Event Viewer.
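The periodic Event Viewer check can be scripted so that it is actually done each week. The PowerShell below is an added example, not part of the original article; it assumes the server retains at least seven days of System, Application and Security log, and that logon auditing is enabled so that failed logons are recorded as Security event 4625.

```powershell
# Added example: the weekly Event Viewer pass, scripted.
$since = (Get-Date).AddDays(-7)

# 1. Critical (Level 1) and Error (Level 2) entries in System and Application,
#    grouped by provider and event ID, most frequent first.
Get-WinEvent -FilterHashtable @{ LogName = 'System', 'Application'; Level = 1, 2; StartTime = $since } `
             -ErrorAction SilentlyContinue |
    Group-Object ProviderName, Id |
    Sort-Object Count -Descending |
    Select-Object Count, Name -First 15 |
    Format-Table -AutoSize

# 2. Failed logons (Security event 4625) grouped by source address.
#    One address trying many account names is the signature of a password-guessing run
#    and is worth comparing against the RDP whitelist from item 2.
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $failed) {
    # The event's EventData holds named fields; read them from the XML rather than
    # relying on positional Properties indexes.
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($item in $x.Event.EventData.Data) { $d[$item.Name] = $item.'#text' }
    [pscustomobject]@{
        Source    = $d['IpAddress']
        Account   = $d['TargetUserName']
        LogonType = $d['LogonType']     # 10 = RemoteInteractive (RDP), 3 = Network
    }
}

$rows | Group-Object Source | Sort-Object Count -Descending | Select-Object -First 10 |
    ForEach-Object {
        [pscustomobject]@{
            Source   = $_.Name
            Failures = $_.Count
            Accounts = (($_.Group.Account | Sort-Object -Unique) -join ', ')
        }
    } | Format-Table -AutoSize
```

Schedule this with Task Scheduler and send the output to whoever reads the weekly reports; the first section catches the application and platform errors the article mentions, the second turns the raw Security log into something a person can act on.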
8. Disable Unused User Accounts, Especially Common Ones
Windows includes a guest account for each of its operating systems. Luckily, this account is automatically disabled by default. You should disable any accounts that aren’t used on the server. Leaving unused accounts on the server opens them up to hackers. Hackers know the common usernames installed with the Windows operating system. They always attempt to log into them when performing preliminary checks on the server. Disable administrator accounts that are
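An account audit of the kind described above, as an added PowerShell example that is not from the original article. The expected-account list is constructed (svc_webapp and ops_admin are placeholder names); the script confirms Guest is disabled by its well-known SID, reports every enabled account with its last logon, and previews disabling anything not on the list.

```powershell
# Added example: audit local accounts and disable the ones that are not expected.

# Constructed list of accounts that are supposed to exist and be enabled.
$expected = @('Administrator', 'svc_webapp', 'ops_admin')

$users = Get-LocalUser

# Well-known relative IDs: -500 is the built-in Administrator, -501 is Guest.
# Checking the SID rather than the name still works if the account was renamed.
$guest = $users | Where-Object { $_.SID.Value -like '*-501' }
if ($guest -and $guest.Enabled) {
    Disable-LocalUser -Name $guest.Name
    "Guest account '$($guest.Name)' was enabled; it has been disabled."
}

# Every enabled account with its last logon, oldest first, flagged if unexpected.
$users | Where-Object Enabled |
    Select-Object Name, LastLogon,
        @{ Name = 'Expected'; Expression = { $expected -contains $_.Name } } |
    Sort-Object LastLogon |
    Format-Table -AutoSize

# Disable enabled accounts that are not on the expected list.
# -WhatIf previews the action; remove it once the list above has been reviewed.
$users | Where-Object { $_.Enabled -and $expected -notcontains $_.Name } |
    ForEach-Object { Disable-LocalUser -Name $_.Name -WhatIf }
```

Keep the expected list in version control next to the server's build notes; an account that is enabled but absent from the list is a change someone should be able to explain.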
9. Don’t Install Extensions and Add-Ons without Testing Them for Security
The Internet offers plenty of resources where you can download and review extensions and add-ons for Windows server operating systems. These extensions help with administrative tasks and even developer resources for a web application. The problem with randomly installing add-ons without testing them is that they sometimes open security holes on the server. Hackers often scan web servers for hints that the web server has an installed application that gives them an advantage. Always thoroughly research
10. Use Microsoft’s Certified Security Tools
Microsoft publishes several server tools that can be freely downloaded by any administrator. These tools are
11. Read Security Newsletters and Briefs Each Week
Microsoft and several other online outlets provide news that
12. Use Penetration Testing Tools on Your Server
Hackers continue to scan servers for security flaws. You can eliminate many of the common security flaws on a server by running your own penetration testing. You can write your own scripts or purchase penetration tools. You can find software that runs scans on a web server the same way a hacker would. This helps you identify security holes on the server before an attacker, so you can then fix them
These 12 items will get you started with server security. You can’t ensure an attacker can never access your server if you don’t continually monitor it and apply patches when they become available. You don’t have to spend hours researching the latest threats, but you should spend at least a few minutes each week keeping yourself up to date with the latest attacks and security breaches.