![How to Secure Windows Server? [Windows Server Security Checklist]](/wp-content/uploads/2020/07/cover165-main.webp)
List of content you will read in this article:
A VPS server is a great hosting option if you want more control over your server without dishing out large amounts of cash for a dedicated one. As you probably already know, there are two operating system options to pick from. You can either go with a Windows-based server or a Linux-based server. One of the most important matters which worries people while using a virtual server is security. Here we will try to present some useful tips for Secure Windows Server.
How to secure a Windows server?
In addition to the methods mentioned above, there are some useful additional measures that can ensure Windows server security even more:
Use local firewall rules
Firewalls will help you manage and filter inbound and outbound traffic. With an efficient firewall rule, only authorized ports can access the server and unwanted traffic will be prevented.
Think twice before sharing any data
Always double check the data that needs to be shared with unauthorized users. Make sure there is no sensitive data that can be used to intrude on the server.
Enforce a strong password policy
Creating strong and rather complicated passwords is another step toward ensuring windows server security. You can also implement two-factor authentication for extra safety.
Create individual administrative accounts
The monitoring process will be more efficient with each user having their own individual administrative account. It helps you analyze user’s activity patterns and identify potential threats.
SQL server instances
SQL makes it possible to create an isolated and controlled structure within the databases. Therefore, in case of any security issues, the whole database won't be affected.
Always have a backup plan
Regular backups are a necessity for any Windows server user. Backups will save you in disaster hours by providing a way back to the latest, clean state of the server.
Code it right
A well-written code means an easier maintenance process and prevents regular bugs and errors. Also, in the case of security incidents, it will be a lot faster to find a solution if the coding is done properly.
Disable the default administrator account
Disable the default administrator account and create a new user with administrator permissions. Your Windows server hosting provider installs the OS and creates a default administrator account. This is quite usual and typical. The drawback is that your account can easily be attacked. The attack is usually done by bots trying to log in with brute force. This is easy and simple to prevent: you just have to disable the default administrator account and create a new user with full administrative privileges. You should choose complex usernames to secure Windows VPS. Hence, you should create a new administrator account with random letters.
Use Strong Passwords
Many users pick easy-to-remember passwords for their windows server, and due to this negligence, they pose a real threat to the server. You must use a combination and multiples of numbers, upper and lower case letters, and special characters.
Here is an example: M@j7Wo0S3
Lockdown your Remote Desktop ports
Lockdown access to Windows Remote Desktop (RDP) to specific IPs like your home or office (Note that you will need a dedicated IP to utilize this feature) and change the default listening port from 3389 to a five-digit, long, randomly picked number. These settings can be changed through the Advanced Windows Firewall options.
Use Windows BitLocker Drive Encryption
Windows BitLocker Drive Encryption secures the operating system booting process and prevents unauthorized data mining. BitLocker Drive Encryption works even when the server is not powered on! It’s a very effective anti-hacking tool against malware.
Install antivirus on your Windows server
The importance of using an antivirus to secure your server is clear. You can start with Essentials, a free and robust option by Microsoft. It auto-updates itself with the latest definition. It also offers real-time protection to your server. Antivirus protects you from almost all online security threats that a firewall lets through. However, combining both is best for securing Windows servers.
Intrusion Detection System (IDS)
An intrusion detection system or IDS is like a burglar alarm on your Windows Server. It keeps a record of when & which files were changed and alerted you of any new alterations. This is critical because hackers usually try to replace binary applications. Apply IDS to save your server from such a threat.
Use of Microsoft Baseline Security Analyzer (MBSA)
MBSA is a free application to determine missing security updates and vulnerable security settings within Windows. It provides detailed insights on vulnerable components and settings and lists possible measures to secure the server.
Enable a Bastion Host
A bastion host is a special-purpose computer on a network specifically designed and configured to withstand attacks. The idea of a bastion host is to prevent direct access to your server from the public network and minimize the chances of penetration. The computer generally hosts a single application, for example, a proxy server, and all other services are removed or limited to reduce the threat to the computer. It usually involves access from untrusted networks or computers.
Keep Windows Updated
And finally, always keep your windows updated. This is one of the simple ways to help keep your server secure. You can either configure Windows Update to notify you when a new update is available or allow it to download and apply the update automatically.
Server Preparation
Server preparation involves several key steps that lay the foundations for a secure and safe Windows server. The most important steps that you should take are:
- Maintain a server inventory, which can be done by the Windows Server provider
- Isolate new servers before connecting them to the network
- Secure BIOS/UEFI firmware by setting strong passwords
- Disable automatic administrative logon to prevent unauthorized access
- Configure secure boot order so that only certain users can boot the server
User Account Security Hardening
User account security hardening is a set of security measures that will help you monitor and manage the users on a Windows server. We mentioned some of these measures in this article, such as setting strong passwords, enabling multi-factor authentication, and creating individual administrative accounts. Disabling unused accounts and monitoring user behavior are some of the other practices in user account security hardening.
Feature and Role Configuration
By identifying what capabilities an organization needs, you can select certain roles and features to be implemented on the Windows server. Limiting roles and features to only the necessary ones, will reduce the vulnerability of the server.
Application and Service Configuration
Unauthorized services and applications can harm the Windows server in many ways. Restricting which apps and services can be run on the server will prevent malware and unwanted apps from interfering with the Windows server.
Registry Configuration
Registry configuration refers to modifying specific settings within the Windows Registry to enhance system security. The registry is a hierarchical database that stores critical system configurations and settings. By carefully adjusting these settings, you can strengthen your server's defenses against potential security vulnerabilities.
Encryption
Encryption is a key piece in creating a secure Windows server. When sensitive data is encrypted, it will prevent unauthorized access, even if it is compromised.
Access Management
Access management refers to creating, configuring, and controlling user accounts and their level of access to resources on the server. It helps you to make sure that each group of users has enough access to what is needed for their designated tasks and not more. This will prevent data breaches and help create a secure server environment.
General Windows Server Security Hardening Practices
Now let's take a step back and review the general security hardening practices. These are a wide range of security measures that reduce the vulnerability of a windows server:
1. User Configuration
Monitoring and controlling how users interact with a windows server plays a vital role in maintaining system’s security. User configuration involves:
- Limiting user permissions: Giving each user only the necessary permissions will reduce the risk of data breaches in the event of any potential security attack.
- Disabling inactive accounts: Unnecessary accounts or those which have not been used for a long time should not remain active on the server. Disabling them will lead to a safer environment.
- Strong password policy: Utilizing strong passwords in addition to multi-factor authentication will make it harder for hackers to interfere with the server.
2. Network Configuration
As the name suggests, network configuration refers to security measures that protect the network. We discussed some of them in this article, such as setting up a firewall and SQL server instances.
Managing IP addresses is another useful step toward securing the network. To do that, every device will connect to the server via its particular IP and no unauthorized device can login to the network. Using strong encryption protocols (WPA2 or WPA3) for wireless connections and keeping the network updated with the latest security patches will also help considerably.
3. Windows Features and Roles Configuration
A system congested with several software programs, most of which are not necessary for the organization, is highly vulnerable to malware and security incidents. Windows features and role configuration make sure that only necessary apps and services are allowed to run on the system.
This approach not only improves the security level of Windows servers but also frees up a significant amount of resources that help the system run smoothly. So you will witness a rise in performance as well.
4. Update Installation
Software updates are not to be neglected since they will upgrade your service with the latest security patches. Cyber threats evolve and change throughout time; update installation ensures that you are ready to confront these threats effectively and protect your network environment.
5. NTP Configuration
NTP stands for Network Time Protocol and it is one of the most important details in a network. The NTP configuration means that all devices connected to the network are using a synchroized clock. This is crucial when it comes to tracking sequence of events and solving a potential security problem.
Also, if you have time-based control processes such as failed logins in a certain timeframe, you must have a reliable NTP configuration to make it work efficiently.
6. Remote Access Configuration
Since remote working has taken over in recent years, companies should have strict security measures for users who are going to login to the system from off-site locations. Solutions that we mentioned in user configuration could also become handy in this department.
Also, utilizing secure remote access software programs, implementing two-way authentication, and monitoring user activities can help create extra layers of security within the system.
7. Service Configuration
Imagine each service on your network as a tool in your toolbox. Each tool has a specific purpose and helps you get the job done. But a broken or misused tool can hurt you. That's what happens with misconfigured services - they create vulnerabilities that attackers can exploit.
To keep your network safe, it's vital to configure all running services securely. This means ensuring only essential features are enabled, using strong security settings, and keeping the services updated with the latest security patches. By following these steps, you can turn those service "tools" into reliable assets and minimize security risks.
8. Further Hardening
For maximum security, protecting your server physically is crucial. This prevents unauthorized access and potential sabotage of your network. Reliable server hosting providers understand this and keep their servers in secure, access-controlled environments to minimize these risks. By combining strong physical security with robust digital safeguards, you can create a truly secure server environment.
9. Logging and Monitoring
One of the best ways to identify security incidents before they cause damage to the network is through an effective logging and monitoring system. These systems will warn you whenever an abnormal activity happens and you can act to identify and solve the issue before it’s too late.
Conclusion
If you follow these tips, they should be no problems with your Windows server security. If you run into some problems, remember that Windows, unlike Linux distributions, is not an open-source software and requires a license purchased from Microsoft. Because of that, you can always contact Microsoft support and get help from them on solving the issue.
Also, here is a good article about Linux VPS security too.
My name is Linda, I have Master degree in Information Technology Engineering. I have some experiences in working with Windows and Linux VPS and I have been working for 2 years on Virtualization and Hosting.