Windows Server Hardening

Enable Windows Firewall and close unused ports: We enable the firewall built into Windows Server and open only the ports that are required. This helps protect the server from attacks through unused ports. Ports that do not need to be open give intruders an easy backdoor, and Windows Firewall helps keep such intruders away from the server.

Disable Guest Account: The Guest account allows anonymous access to services on the server that might inadvertently be left open. Disabling the Guest account ensures that unauthorised users don’t get anonymous access to the server and cause damage.

Secure Administrator Account: We secure the Administrator account by renaming it. The default user name is Administrator, and attackers always try to guess the password of the Administrator user to gain access to the server. Renaming the account means an attacker cannot access the server using the user name Administrator.

Secure RDP: RDP is the default protocol for accessing any Windows server. We secure RDP to ensure attackers don’t get unauthorised access to the server due to weak RDP settings.

Configure Audit Policies: Establishing audit policy is an important facet of security. Monitoring the creation or modification of objects gives you a way to track potential security problems, helps to ensure user accountability, and provides evidence in the event of a security breach. We configure the Audit policy which records the events in the Security log, which you can find in Event Viewer.

Disable unnecessary services: We disable the following services, which are absolutely unnecessary on the Windows servers:

  • Print Spooler
  • DHCP Client
  • DNS Client
  • Distributed Link Tracking Client
  • IP Helper
  • Remote Registry
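
A read-only way to verify the firewall, Guest account, Administrator rename and service items above on a standalone or member server. This is an added example, not the provider's own tooling; the service short names and the lookup of built-in accounts by SID are assumptions supplied here.

```powershell
# Added example: read-only audit of checklist items; it changes nothing on the host.
# Assumes Windows PowerShell 5.1+ on a standalone or member server (not a domain controller).
$results = [System.Collections.Generic.List[object]]::new()
function Add-Result($Check, $Pass, $Detail) {
    $results.Add([pscustomobject]@{ Check = $Check; Pass = [bool]$Pass; Detail = $Detail })
}

# Firewall: each profile (Domain, Private, Public) should be enabled.
foreach ($p in Get-NetFirewallProfile) {
    Add-Result "Firewall profile $($p.Name)" ("$($p.Enabled)" -eq 'True') "Enabled=$($p.Enabled)"
}

# Built-in accounts are located by well-known RID, so a rename does not hide them:
# RID 500 = built-in Administrator, RID 501 = built-in Guest.
$local = Get-LocalUser
$admin = $local | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$guest = $local | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if ($admin) { Add-Result 'Administrator renamed' ($admin.Name -ne 'Administrator') "Name=$($admin.Name)" }
if ($guest) { Add-Result 'Guest disabled' (-not $guest.Enabled) "Enabled=$($guest.Enabled)" }

# Services from the list above; the short names are the mapping assumed by this example.
$services = [ordered]@{
    Spooler        = 'Print Spooler'
    Dhcp           = 'DHCP Client'
    Dnscache       = 'DNS Client'
    TrkWks         = 'Distributed Link Tracking Client'
    iphlpsvc       = 'IP Helper'
    RemoteRegistry = 'Remote Registry'
}
foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Add-Result "Service: $($services[$name])" $true 'not installed'; continue }
    # Pass only when the service cannot start at boot and is not running now.
    $ok = ($svc.StartType -eq 'Disabled') -and ($svc.Status -eq 'Stopped')
    Add-Result "Service: $($services[$name])" $ok "StartType=$($svc.StartType), Status=$($svc.Status)"
}

# Report every check, then a one-line summary of failures.
$results | Format-Table -AutoSize
$failed = @($results | Where-Object { -not $_.Pass })
"{0} of {1} checks failed" -f $failed.Count, $results.Count
```

A server that obtains its address by DHCP needs the DHCP Client service, so a failure on that row is expected there and should be recorded as an accepted exception.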

Disable Anonymous FTP: Whenever we set up the FTP server, we ensure that Anonymous FTP is disabled. If the Anonymous user is kept enabled, an attacker can log in to the FTP server without knowing the login credentials and upload malicious files.

Optimize TCP/IP stack: The TCP/IP stack is optimized to improve the networking performance of the server.

Install all available security updates: Before putting any server into production use, we ensure that all the important and optional Microsoft and Windows security updates are installed on the server and that the server is rebooted after installation of all the patches and updates.

Run MBSA tool and implement all suggested fixes: We install the Microsoft Baseline Security Analyzer (MBSA) tool to check the security status of the server and implement all the suggested security fixes to ensure the server is secured to the maximum extent.

Enable Strong Password policy: A weak password means easy access to the system for an attacker, who can then wreak havoc on the server. We enable a strong password policy, which makes it difficult for attackers to guess passwords and gain access to the server.

IP restriction to server access: The best way to keep a server secure is by limiting the server access to a specific IP address or subnet. If the customer has a static IP, we restrict the server access to the static IP provided by the customer.
