13 steps to create baseline security for any Windows Server
- Make sure all your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java, Office, and any software really. This reduces the risk for 0day attacks, or your server being compromised by software bugs.
- Use an outstanding antivirus solution. On everything. And make sure it is not too resource intensive.
- Thought trough file permission. Verify you have an adequate file and directory access structure, and that users only can see what they are supposed to. File permissions is a crucial and powerful tool to secure any server.
- Stay informed. Read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.
- Enable logging. If you do not know what is happening, you cannot really react to it, can you? It also makes any troubleshooting hopeless in retrospect.
- Use a monitoring and inventory system. Have a good monitoring and inventory system in place such as the free SpiceWorks.
- User Group Policies. It is an extremely powerful tool once you start using it and it will make you day to day operations much easier.
- Valid SSL certificates. If your server is reachable from the Internet, use valid SSL certificates. They are not that expensive, and any communications should be encrypted and secured as fa as we are able. Yes, think Mr. Snowden. Think NSA.
- Disable unused services and network protocols. They can be a point of entry and for the unused network protocols, you basically fill your local network with useless chatter that consume bandwidth. This also goes for workstations and printers and so on.
- Enforce complex password policies. Don’t forget to give people practical tips for creating and remembering complex passwords.
- Use a good naming standard for user logins. Not just their first name as login or something too obvious.
- Backups! Backups! Backups! Make sure you have good backups and test them at least once a year for a complete disaster recovery scenario. You should also have multiple generations of them in case any of them is corrupted, preferably stored offsite in case of a fire, theft, or something similar.
- Use intrusion protection software against brute force and dictionary attacks.
Sadly enough, even if you follow all these steps, you are not secured forever and ever – there is no such thing as absolute security – but it will surely mitigate the risk!