Hardening Windows 2003 + Secure Remote Admin
Posted by Travelman, 05-03-2007, 01:06 PM
Hi,
I've just ordered my new Windows 2003 server with 49Pence.com and will be taking "delivery" of it once they have commissioned it.
Anyway, I would appreciate some advice on how to secure it. I have been used to the luxury of a hardware firewall, but budgetary constraints mean I will have to rely upon a software firewall (something that scares me a little). It will be running our company websites, MSSQL and MDaemon mailserver.
I am not sure exactly how the server will be delivered, but I assume it will arrive fully patched with Remote Desktop access, and Windows Firewall installed.
First question: Is Windows Firewall sufficient? I am more used to configuring firewalls with ports/protocols/IPs rather than "applications". I also understand that Windows Firewall cannot restrict access to specific IPs.
I read that IPSec / TCP Filtering should also be used. I've looked at various links and have an idea how to do this, but I do not want to make a mistake and get "locked out". I saw a post saying that during testing they set up a scheduled job to reset the IPSec policies every x minutes so that they can log back in if they do make a mistake. How would this be done (in terms of IPSec) .. or is this a matter of stopping a service ?
If I go with another software firewall, is there an easy way to install it remotely without getting locked out of the Remote Desktop? KVM over IP is charged by the hour.
Is it "safe" to leave port 3389 open and rely upon passwords (and potentially IPSec IP policies), or should I administer by VPN?
If so, it seems that in order to create a VPN connection on the server, it requires that the Windows Firewall is shut down (at least on my test server here). Obviously this is something I don't want to do!
Any thoughts on the above would be appreciated.
Thank you.
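The "scheduled job that resets the IPSec policy every x minutes" asked about above can be built with the tools that ship with Windows Server 2003 (`schtasks` and `netsh`). The script below is an added example, not something posted in this thread; it assumes the policy being tested is named "Server Lockdown", that the script lives at a path without spaces, and that the Windows Firewall Remote Desktop exception is the only thing needed to get back in over 3389.

```batch
@echo off
rem Safety net for remote IPsec/firewall work on Windows Server 2003.
rem Assumptions (not from the thread): the policy under test is called
rem "Server Lockdown" and this file is saved as C:\admin\ipsec-safetynet.cmd
rem (no spaces in the path, so it can be passed to schtasks unquoted).
rem
rem Usage:
rem   ipsec-safetynet.cmd arm     - create a task that runs this script every 15 minutes
rem   ipsec-safetynet.cmd disarm  - delete the task once the policy is confirmed good
rem   ipsec-safetynet.cmd         - what the task runs: unassign policy, re-open RDP
rem
rem Workflow: arm, assign the new IPsec policy, test from a second RDP session.
rem If the policy locks you out, the task unassigns it within 15 minutes and you
rem can log back in and correct it. When satisfied, disarm.

set POLICY=Server Lockdown
set TASK=IPsecSafetyNet
set SELF=%~f0
set LOG=C:\admin\ipsec-safetynet.log

if /i "%~1"=="arm" goto arm
if /i "%~1"=="disarm" goto disarm

rem ---- recovery action (run by the scheduled task) -------------------------
echo %DATE% %TIME% safety net fired: unassigning "%POLICY%" >> "%LOG%"

rem Unassigning stops every filter in the policy at once but does not delete it,
rem so the rules you were working on are kept for the next attempt.
netsh ipsec static set policy name="%POLICY%" assign=n >> "%LOG%" 2>&1

rem Re-enable the built-in Windows Firewall exception for Remote Desktop (TCP 3389)
rem in case it was removed by mistake while editing firewall rules.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE >> "%LOG%" 2>&1
goto end

:arm
rem Run as SYSTEM so no administrator password has to be stored in the task.
schtasks /create /sc MINUTE /mo 15 /tn "%TASK%" /tr "%SELF%" /ru SYSTEM
goto end

:disarm
schtasks /delete /f /tn "%TASK%"

:end
```

Run `schtasks /query /tn IPsecSafetyNet` to confirm the task exists before assigning the policy, and remember the task re-opens the Remote Desktop exception every time it fires, so disarm it as soon as the lockdown is verified.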
Posted by dspkable, 05-03-2007, 01:55 PM
I use Remote Desktop for cost and ease of use, but VPNs aren't too hard to set up either.
-Using Windows Firewall should be sufficient for basic protection, and IPSec will expand upon that.
-Setting user permissions, password complexity, and locking out accounts after too many login attempts should help against brute force attacks.
-Running a program like Nessus which checks your server thoroughly for vulnerabilities will be a good high level diagnostic of the server.
Posted by bloodsport, 05-03-2007, 03:09 PM
Ok, here's what I did..
Just got my server, made sure the serial console access really worked from my hoster's website, so I could reset the damn firewall if I did something wrong (for example removing the port 3389 port rule.. really bad idea)
..And then I ran the secure administration wizard,
-which worked just well to get unneeded services deactivated-
After that, I opened/closed some ports in Windows Firewall manually (for MySQL for example), deactivated all other user accounts except admin in user account control..
And then, finally, pressing both thumbs I just renamed the administrator account to
"NooneWillKnowMyName"..
and it just worked
Posted by dkitchen, 05-03-2007, 03:35 PM
There's no point in renaming the account because the SID will remain the default for the administrator account; you want to keep the administrator account, remove the administrative privileges, disable it, create a new account and make it an administrator.
Did you also disable File / Printer sharing, Netbios over TCP/IP, RPC, etc?
There is a lot more to securing a Windows server than meets the eye; just because it has a GUI doesn't mean it's simple.
Dan
Posted by Travelman, 05-04-2007, 05:48 AM
Hi there,
Thanks for the replies. It seems that Windows Firewall is "sufficient" but should be implemented with IPSec policies to make it more secure.
Are there any sample rulesets available that can be used as a starting point? (I'm trying to avoid the cost of being locked out by making a simple mistake.)
Also, as I mentioned in my first post, when trying to create a VPN dial-in connection through RRAS on my test box, Windows wanted to disable the firewall. Am I missing something here?
Thanks also for the other comments on user and file security.
Paul
Posted by slapshotw, 05-18-2007, 05:40 AM
I'd like to reopen this post. I also just took delivery of a Windows server and am wondering what some of the basic security issues are. Is there an equivalent service to configserver.com's one-time cPanel setup for Windows? God I miss csf/lfd...