Every Windows Server or Windows Virtual Private Server (VPS) is vulnerable to attack, especially if connected to the internet. Whereas it isn’t possible to make your windows server 100 percent secure, you can reduce the likelihood of a successful attack by applying a number of simple, practical security controls.
It can be difficult to know where to begin when securing your server. But other than the basics like procuring server backup solutions, this article will provide you with a number of quick wins that should get you going in the right direction.
Table of Contents
Disable Administrator Account
Windows Server comes with a default administrator account that’s primarily meant to facilitate initial operating system installation and configuration. This account is called ‘Administrator’ and attackers will bank on this existence by default when attempting a brute force attack.
To counter this threat from the get-go, disable the default Administrator account and create a new user account with a different name that you would assign administrator privileges. Make this new account name something difficult to guess, so avoid names like admin, super admin, super administrator, and root.
Set a Secure Password
Creating a new administrator account while disabling the default one is certainly a crucial step. Nevertheless, this could be an exercise in futility if the new administrator account doesn’t have a secure password that’s difficult to crack.
To set a secure password, apply the principles of good passwords. Make sure it’s at least 10 characters but the longer it is, the better (as long as you can memorize it). Use a combination of lowercase letters, upper case letters, numbers, and symbols.
When the password expires and you are prompted to change it, never repeat a previous password. Do not have slight variations of the same password each time you change it. Under no circumstances should you write down or store in plain text the administrator password.
Change Default Remote Desktop Port
The default mechanism for accessing your VPS is using the Remote Desktop. By default, remote desktop uses port 3389. Well-known scripts and bots will attempt to breach your server through this port via brute force or a vulnerability. So changing your default port can improve your server’s security.
Choose a random port for your remote desktop and steer clear of more common choices such as 8080 or 1111. You may have to reboot your server for the changes to take effect. Also, make sure your firewall isn’t blocking this port number. Tread carefully when changing a service’s port number as a mistake may introduce conflict that requires the assistance of technical support to resolve.
Restrict Remote Desktop by IP
Changing the remote desktop’s port should be accompanied by restricting the IP addresses that can connect to it. Purchase a static IP address if you want this to be truly effective.
When restricting IPs, you have to bear in mind that if you or people who work for you are regularly on the move and may want to connect to the server from multiple locations and devices, this control could be inconvenient. Take note that you could potentially lock yourself when you restrict IP address so it’s something you should do while taking the greatest caution.
Enable Windows Firewall
Every Windows Server OS comes with the default Windows Firewall. Enable it. It may not be perfect but it’s pretty effective at getting the job done sometimes even better than more expensive third-party firewalls. It not only blocks access for malware and hackers but it also filters the information flowing into your server from the internet.
Windows Firewall is all the firewall you’ll need for a server involved in operations that require basic to intermediate level security. An advanced third-party firewall would be necessary for more critical operations such as credit card transaction processing.
Install Antimalware
Inevitably, you’ll be downloading and uploading files from the server, installing new applications and browsing the web. All of these processes could potentially introduce malware. To keep viruses, Trojans, ransomware, spyware, adware and other forms of malware at bay, install an antimalware application.
While there is plenty of free antimalware software out there, don’t make your decision solely based on cost. The cost of a malware infestation and a breach of confidential data on your server is much higher than any savings you may temporarily enjoy by going for a free or least cost antimalware tool.
The above measures aren’t the only ones you can take to protect your Windows server. Nevertheless, they’ll cover all the key bases and provide a launching pad for a more comprehensive hardening of the server.