
Windows Server Security Tips

Security is a compromise between usability and peace of mind. Some customers may prefer usability and only employ light security for a small gaming server, allowing quick access from any location. For peace of mind and greater security, others may lock the server down completely, refusing any access to the server and enabling Remote Desktop connections via the Serial Console only when needed.

Security measures vary greatly depending on how the server is used. The security of the server can only be managed by the administrator of the machine (not by 1&1) and should be one of the first priorities when configuring a server. It is much easier and more beneficial to lock the server down almost completely before setup and then relax the security settings as services are installed and configured. This way you can ensure the server is secure from the beginning and allow security exceptions only for the specific services, applications or ports that require network access.

Below are some common, suggested security measures that will increase the security of the server significantly while leaving the server almost as usable as before.

Change the Administrator Password
It is highly suggested that you Change the Windows Administrator Password of the machine as soon as you first log into the server via Remote Desktop. The initial password for the server can be found in the 1&1 Control Panel and in the e-mail confirming that the server's setup is complete. If either your e-mail account or your 1&1 Control Panel login were accessed by an unknown party, the server could be compromised.

Set the Password and Account Lockout Policies

The Password Policy defines rules for the passwords of Windows users, while the Account Lockout Policy defines when an account is locked after multiple failed login attempts. Together they ensure that all users choose strong passwords and/or choose new passwords after a specified period, and they protect against brute-force login attempts through Remote Desktop.

Click Start > Administrative Tools > Local Security Policy

Select Local Security Policy

Double-click Account Policies

Choose either the Password Policy or the Account Lockout Policy to start configuring security settings. Please reference the following links for more information regarding these policy settings:
Creating a Strong Password Policy
Establishing an Account Lockout Policy

Configure the Password and Account Lockout Policies

Since the Administrator user cannot be locked out by failed login attempts, it is suggested that the Administrator user be renamed.

Rename the Administrator User
The Administrator user is the default account on all Windows Server operating systems, and almost all brute-force password attacks will try to gain access as this user. While you can apply Account Lockout Policies to all other users, the Administrator user is exempt from these settings and can never be locked out. It is therefore suggested to Rename the Windows Administrator User.
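The Local Security Policy steps above and the Administrator rename can also be applied from one security template with secedit, which is handy when you set up several servers or want a record of what was changed. The following script is an added example and is not part of the original article or 1&1's own tooling; it assumes an elevated PowerShell prompt on the server, and the numeric values and the new account name "SrvOwner" are placeholders to adjust for your environment.

```powershell
# Added example (not from the original article): apply the password policy,
# account lockout policy and Administrator rename from one security template
# using secedit instead of clicking through Local Security Policy.
# Assumptions: elevated PowerShell on the server itself; "SrvOwner" and the
# numeric values are placeholders.

$work   = Join-Path $env:TEMP 'secpol'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$before = Join-Path $work 'before.inf'
$after  = Join-Path $work 'hardened.inf'
$db     = Join-Path $work 'hardened.sdb'

# 1. Export the current local policy first so there is something to roll back to.
secedit /export /cfg $before /areas SECURITYPOLICY | Out-Null

# 2. Write the hardened template. Ages are in days and lockout times in
#    minutes, exactly as the Local Security Policy snap-in displays them.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
MinimumPasswordLength = 14
PasswordComplexity = 1
PasswordHistorySize = 24
MaximumPasswordAge = 90
MinimumPasswordAge = 1
LockoutBadCount = 5
LockoutDuration = 30
ResetLockoutCount = 30
NewAdministratorName = "SrvOwner"
"@
Set-Content -Path $after -Value $template -Encoding Unicode

# 3. Apply only the security-policy area so the template touches nothing
#    else (service ACLs, registry ACLs, file ACLs stay as they are).
secedit /configure /db $db /cfg $after /areas SECURITYPOLICY /overwrite /quiet

# 4. Verify. "net accounts" prints the effective password and lockout rules.
#    The built-in Administrator is located by its well-known RID (-500)
#    rather than by name, because the name has just changed.
net accounts
$builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True" |
           Where-Object { $_.SID -like 'S-1-5-21-*-500' }
"Built-in Administrator account is now named: $($builtin.Name)"
```

Renaming only removes the obvious account name from guessing attempts; the account keeps its well-known RID 500, which is why the verification step finds it by SID. Keep the exported before.inf until you have confirmed that you can still log in under the new name.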

Make Use of Firewalls
All dedicated servers come with an external firewall configurable through the 1&1 Control Panel in addition to the Windows software firewall and the IPSec service, both configurable through the operating system.
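The Windows software firewall can be configured from the command line to match the "lock down first, then add exceptions" approach described at the top of this article. The script below is an added example, not part of the original article or 1&1's firewall tooling; it assumes an elevated PowerShell prompt on Windows Server 2008 or later, and 203.0.113.10 is a placeholder for the public IP address you administer the server from.

```powershell
# Added example (not from the original article): set the Windows firewall to
# block all unsolicited inbound traffic, then re-open only Remote Desktop and
# only from the administrator's own address.
# Assumptions: elevated PowerShell on Windows Server 2008 or later;
# $AdminIp is a placeholder; $RdpPort is the default 3389 unless you moved RDP.
param(
    [string]$AdminIp = '203.0.113.10',
    [int]$RdpPort    = 3389
)

# Turn the firewall on for every profile the network adapter might land in.
netsh advfirewall set allprofiles state on

# Default posture: drop unsolicited inbound connections, allow outbound.
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# The built-in "Remote Desktop" rule group allows RDP from any address, which
# would silently bypass the narrower rule below, so disable it.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# Remove any earlier copy of our rule so the script can be re-run safely.
netsh advfirewall firewall delete rule name="RDP from admin IP" | Out-Null

# The single exception: RDP, but only from the administrator's address.
netsh advfirewall firewall add rule name="RDP from admin IP" dir=in action=allow protocol=TCP localport=$RdpPort remoteip=$AdminIp

# Log dropped packets so blocked probes are visible when you review the server.
netsh advfirewall set allprofiles logging droppedconnections enable
netsh advfirewall set allprofiles logging filename "%systemroot%\system32\LogFiles\Firewall\pfirewall.log"
netsh advfirewall set allprofiles logging maxfilesize 16384

# Final check: show the rule and the profile state that will actually apply.
netsh advfirewall firewall show rule name="RDP from admin IP"
netsh advfirewall show allprofiles
```

If your administrative IP address changes you will be locked out of RDP, which is exactly the case the Serial Console mentioned at the beginning of this article is for; adjust the rule from there rather than loosening the default policy. Add one further rule per service (for example TCP 80/443 for a web server) instead of re-opening everything.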

Keep the Server Up-to-Date
Keeping both the operating system and installed software up to date with the latest versions, hotfixes, patches and updates closes known vulnerabilities before they can be exploited on your server.

Configure Windows Updates to "Check for updates but let me choose when to download and install them".

Keep in mind that updates may affect the functionality of the server, its services or its software, so it is highly recommended to back up the server before applying any hotfixes, patches or updates.
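The same Automatic Updates setting can be applied as a local policy from PowerShell, which also lets you confirm it and see the current patch level before you take the backup recommended above. This is an added example rather than code from the original article; it assumes an elevated PowerShell prompt and that no WSUS server or domain Group Policy overrides the local policy keys.

```powershell
# Added example (not from the original article): set Automatic Updates to
# "check for updates but let me choose when to download and install them"
# via the Windows Update policy registry keys, then show the patch level.
# Assumptions: elevated PowerShell; no WSUS/domain GPO overriding these keys.
$au = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
if (-not (Test-Path $au)) { New-Item -Path $au -Force | Out-Null }

# NoAutoUpdate=0 keeps Automatic Updates enabled; AUOptions=2 is the
# "notify before download" setting, i.e. the option recommended above.
Set-ItemProperty -Path $au -Name NoAutoUpdate -Value 0 -Type DWord
Set-ItemProperty -Path $au -Name AUOptions    -Value 2 -Type DWord

# Read the values back so a typo is caught now, not after the next reboot.
Get-ItemProperty -Path $au | Select-Object NoAutoUpdate, AUOptions

# Ask the Automatic Updates client to re-read the policy and check for updates.
wuauclt /detectnow

# Installed hotfixes, newest first: compare this with what Windows Update
# reports as pending, take the backup, then install.
Get-HotFix | Sort-Object InstalledOn -Descending |
    Select-Object -First 10 HotFixID, Description, InstalledOn
```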

Backup the Server
Preventing malicious actions against, on or via your server is the main priority, but do not forget to plan for recovery of the server if something does happen (no matter how secure the server may be). Even if the server is never compromised, data loss can still occur through user error or hardware failure. Every dedicated server comes with FTP backup space that is accessible only from within the 1&1 network and is stored on a separate server in the datacenter, so make use of it!
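One way to put the FTP backup space to use is to script a Windows Server Backup run and copy the result off the machine. The script below is an added example and not part of the original article or 1&1's backup tooling; it assumes the Windows Server Backup feature is installed (so wbadmin is available), that D: is a placeholder for a data volume other than the system volume, and that the host name, user name and password are placeholders for the FTP backup details shown in your 1&1 Control Panel.

```powershell
# Added example (not from the original article): take a system state backup
# with wbadmin, zip it and upload it to the FTP backup space so a copy exists
# off the server.
# Assumptions: Windows Server Backup installed; D: is a non-system volume;
# backup.example.invalid / ftpbackupuser are placeholders; run elevated.
$target  = 'D:'
$ftpHost = 'backup.example.invalid'
$ftpUser = 'ftpbackupuser'
$ftpPass = Read-Host 'FTP backup password' -AsSecureString
$stamp   = Get-Date -Format 'yyyyMMdd-HHmm'

# 1. Local backup first. wbadmin writes to <target>\WindowsImageBackup.
wbadmin start systemstatebackup -backupTarget:$target -quiet
if ($LASTEXITCODE -ne 0) { throw "wbadmin failed with exit code $LASTEXITCODE" }

# 2. Zip the backup folder so the upload is a single, dated file.
Add-Type -AssemblyName System.IO.Compression.FileSystem
$src = Join-Path $target 'WindowsImageBackup'
$zip = Join-Path $env:TEMP "systemstate-$stamp.zip"
[System.IO.Compression.ZipFile]::CreateFromDirectory($src, $zip)

# 3. Upload over FTP. The backup space is reachable only from inside the
#    1&1 network, so the transfer must originate on the server itself.
$plain  = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
              [Runtime.InteropServices.Marshal]::SecureStringToBSTR($ftpPass))
$cred   = New-Object System.Net.NetworkCredential($ftpUser, $plain)
$client = New-Object System.Net.WebClient
$client.Credentials = $cred
$client.UploadFile("ftp://$ftpHost/systemstate-$stamp.zip", $zip)
$client.Dispose()

# 4. Verify by listing the remote directory: the new file must be present.
$req = [System.Net.WebRequest]::Create("ftp://$ftpHost/")
$req.Method      = [System.Net.WebRequestMethods+Ftp]::ListDirectory
$req.Credentials = $cred
$reader  = New-Object System.IO.StreamReader($req.GetResponse().GetResponseStream())
$listing = $reader.ReadToEnd()
$reader.Close()
if ($listing -notmatch "systemstate-$stamp\.zip") { throw 'Upload not found on backup space' }

Remove-Item $zip
"Backup $stamp uploaded to $ftpHost."
```

Run it before every round of updates and on a schedule (Task Scheduler is sufficient). A system state archive can be several gigabytes, so check the size against your FTP backup quota and delete older archives on the backup space as part of the same job; and restore a backup to a test volume at least once, since an untested backup is not a recovery plan.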

For additional information, you may want to reference: