
Internet facing Windows Server 2008 -- is it secure?

I really know nothing about securing or configuring a "live" internet facing web server and that's exactly what I have been assigned to do by management. Aside from the operating system being installed (and Windows Update), I haven't done a thing. I have read some guides from Microsoft and on the web, but none of them seem to be very comprehensive/up to date. Google has failed me.

We will be deploying an MVC ASP.NET site.

What is your personal check when you are getting ready to deploy an application on a new Windows server?

bdd asked Mar 17 '09 00:03



1 Answer

This is all we do:

  • Make sure Windows Firewall is enabled. It has an "off by default" policy, so the out of box rule setup is fairly safe. But it never hurts to turn additional rules off, if you know you're never going to need them. We disable almost everything except for HTTP on the public internet interface, but we like Ping (who doesn't love Ping?) so we enable it manually, like so:

    netsh firewall set icmpsetting 8

  • Disable the Administrator account. Once you're set up and going, give your own named account admin rights. Disabling the default Administrator account helps reduce the chance (however slight) of someone hacking it. (The other common default account, Guest, is already disabled by default.)

  • Avoid running services under accounts with administrator rights. Most reputable software is pretty good about this nowadays, but it never hurts to check. For example, in our original server setup the Cruise Control service had admin rights. When we rebuilt on the new servers, we used a regular account. It's a bit more work (you have to grant just the rights necessary to do the work, instead of everything at once) but much more secure.

Jeff Atwood answered Sep 27 '22 19:09
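
A read-only way to check the three items from the answer above on a running server, as an added example that is not part of the original answer. It assumes PowerShell is installed (an optional feature on Server 2008) and an elevated prompt; service accounts are compared with Administrators group members by short name only, which is a simplification.

```powershell
# Added audit sketch: only reads state, changes nothing.

# 1. Firewall: show whether each profile (Domain/Private/Public) is ON.
netsh advfirewall show allprofiles state

# 2. Built-in Administrator: its SID always ends in -500, even if it was renamed.
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
    Where-Object { $_.SID -like 'S-1-5-21-*-500' }
"Built-in Administrator '{0}' disabled: {1}" -f $builtin.Name, $builtin.Disabled

# 3. Services: flag any that log on as a member of the local Administrators group.
# The group is looked up by its well-known SID so a localized name still works.
$adminGroup = Get-WmiObject Win32_Group -Filter "LocalAccount=True AND SID='S-1-5-32-544'"
$group = [ADSI]("WinNT://{0}/{1},group" -f $env:COMPUTERNAME, $adminGroup.Name)
$admins = @($group.psbase.Invoke('Members')) | ForEach-Object {
    $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
}

# Assumption: matching on the short account name is good enough here.
# Nested domain groups are not expanded, and LocalSystem services are not
# flagged (LocalSystem is the default for many built-in services).
Get-WmiObject Win32_Service |
    Where-Object { $_.StartName } |
    Select-Object Name, StartName, @{ Name = 'Account'; Expression = {
        # Drop the ".\" or "DOMAIN\" prefix from the logon name.
        $_.StartName.Split('\')[-1] } } |
    Where-Object { $admins -contains $_.Account } |
    Format-Table Name, StartName -AutoSize
```

Any service listed by the last step is a candidate for the rebuild described in the answer: a regular account granted only the rights the service needs.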