Securing your Windows Server and MS Exchange with baseline security
In short, to have an acceptable baseline security for any Windows server you need to think all of the things below in this list.
Sadly enough, even if you follow all of these steps, you’re still not secured forever and ever. There’s no such thing as absolute security.
Checklist for Securing Windows Servers
1. Make sure all of your software is updated with all security patches. This includes the Windows operating system but also Adobe, Java,Office and any software really. This reduces the risk for so called 0day attacks or your server being compromised by software bugs.
2. Make sure you have a good and not too resource intensive antivirus running on everything. Personally I’m a fan of F Secure PSB for servers and workstations for lots of reasons. It’s not just a pretty logo.
3. Verify you have thought your file and directory access structure and that users and groups are only allowed to use and see what they’re supposed to. Setting file permissions is a very powerful tool to secure your server and crucial.
4. Always make sure to read best practices for securing applications and servers and Google for other ideas also. No manual is the entire gospel.
5. Enable logging. If you don’t know what’s happeing, you can’t really react to it can you ? It also makes any troubleshooting hopeless in restrospect.
7. Have a good monitoring and inventory system in place such as the free SpiceWorks.
8. If your server has any monitoring agents from the manufacturer such as HP Server Agents, then install them and set them up with notifications for any hardware events to be prepared.
9. User Group Policies. It’s an extermely powerful tool once you start using it and it will make you day to day operations much easier.
10. If your server is reachable from the Internet, use valifd SSL certificates. They’re not that expensive and any communications should be encrypted and secured as fa as we’re able. Yes, think Mr. Snowden.Think NSA.
11. Disable any unused services and network protocols. They can be a point of entry and for the unused network protocols, you bascially fill your local network with useless chatter that comsume bandwidth. This also goes for workstations and printers and so on.
12. Enforce complex password policies! You won’t be well-liked but that’s not what you get paid for. If people are having trouble remembering passwords the have all over the world, maybe you could have time to read about how to remember complex passwords
and learn a little bit about the protection of your online identity.
13. Use a good naming standard for user logins. Not just their first name as login or something too obvious. Here’s an old blog post on why.
14. Backups! Backups! and again. BACKUPS!!
Make sure you have good backups (and test them at least once a year for a complete disaster revovery scenario) and make sure you have multiple generations of them in case any of them is corrupted, preferrably stored offsite in some manner in case of a fire, theft or anything really.
For day to day operations and generation management I highly recommend using the builtin VSS snapshot method but never ever have it instead of backups.
You can also use the built in Windows Server backup for DR as described here
15. You need to have an automatic intrusion protection against brute force and dictionary attacks with Syspeace since the “classic” methods do not get the job done. (Here’s an older blog post on why.) I you don’t have the time to read the article then simply download the free Syspeace trial, install it and you’ve set up a pwerful and easy to use bruteforce protection for your server in minutes.