Basic Security reinforcement for Windows Servers

Source: Internet
Author: User
Tags: remote desktop access, strong password, security essentials

Meituan cloud (MOS) provides cloud host servers running Windows Server 2008 R2 and Windows Server 2012 R2 Datacenter editions. Because Windows servers hold a large market share, there is a great deal of malware (viruses, Trojans, and so on) targeting them, and such malware is easy to obtain and requires little technical skill. You therefore need to pay special attention to the security of Windows servers. To use Windows cloud hosts securely, we recommend that you apply the following simple hardening measures. Although simple, they are sufficient to defend against most common security risks.
1. Set a strong password. The Administrator account is automatically assigned a 12-character random password when the Windows Server is created. We recommend that you change the password immediately after logging on to the Windows server for the first time. The password should be as random as possible: at least 12 characters long and containing numbers, uppercase and lowercase letters, and special characters. You can use a tool such as https://identitysafe.norton.com/password-generator to generate stronger random passwords. Change the password at least once every three months.
The password change method is as follows: after the Administrator successfully logs on to the host, press "Ctrl-Alt-Delete" and select "Change Password". (Note: if you log on through the Meituan cloud Web terminal, click "Ctrl-Alt-Delete" in the upper right corner to send the key combination.)
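The two rules above (at least 12 characters, all four character classes) are easy to get wrong when a password is typed by hand. The following PowerShell script is an added example, not part of the original article: it generates a password that satisfies the rule using the .NET cryptographic random number generator (Get-Random is deliberately avoided because it is not a cryptographic generator), and checks any candidate password against the same rule. The character sets and the default length of 16 are the author's choices for this example.

```powershell
# Added example, not from the original article. Generates a password that meets the
# rule above (12+ characters; digits, upper- and lower-case letters, special
# characters) with the .NET CSPRNG, and checks a candidate against the same rule.

function Get-UnbiasedIndex {
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Max)
    # Uniform integer in [0, Max) for Max <= 256, via rejection sampling on one byte,
    # so that "byte mod Max" does not favour the low indices.
    $buf = New-Object byte[] 1
    $limit = 256 - (256 % $Max)
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return [int]($buf[0] % $Max)
}

function New-StrongPassword {
    param([int]$Length = 16)
    if ($Length -lt 12) { throw 'The rule requires at least 12 characters.' }

    # Visually ambiguous glyphs (l, I, O, 0, 1) are left out so the password can be
    # read back from the console without mistakes (an example choice, not a requirement).
    $classes = @(
        'abcdefghijkmnpqrstuvwxyz',
        'ABCDEFGHJKLMNPQRSTUVWXYZ',
        '23456789',
        '!@#$%^&*()-_=+[]{}:;,.?'
    )
    $all = $classes -join ''
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()

    # One character from every class guarantees the complexity rule is met ...
    $chars = @()
    foreach ($set in $classes) { $chars += $set[(Get-UnbiasedIndex $rng $set.Length)] }
    # ... and the remaining positions are drawn from the whole alphabet.
    while ($chars.Count -lt $Length) { $chars += $all[(Get-UnbiasedIndex $rng $all.Length)] }

    # Fisher-Yates shuffle, so the class-guaranteed characters are not always first.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-UnbiasedIndex $rng ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Test-PasswordStrength {
    param([string]$Password)
    # -cmatch is case-sensitive; the default -match would treat [a-z] and [A-Z] alike.
    return ($Password.Length -ge 12) -and
           ($Password -cmatch '[a-z]') -and
           ($Password -cmatch '[A-Z]') -and
           ($Password -match '[0-9]') -and
           ($Password -match '[^A-Za-z0-9]')
}

$candidate = New-StrongPassword -Length 16
"Generated: $candidate  (meets rule: $(Test-PasswordStrength $candidate))"
"Weak example 'Password123' meets rule: $(Test-PasswordStrength 'Password123')"
```

To have Windows itself enforce the length and the three-month rotation on the local account database, the built-in command `net accounts /minpwlen:12 /maxpwage:90` sets the minimum length and maximum password age; the script above only generates and checks values, it does not change any account.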
2. Enable automatic system updates. The Windows Server images provided by Meituan cloud are licensed by the original vendor, so you can enable the Windows Update service to download and install fixes for system vulnerabilities automatically, before malicious attackers can exploit them to break into the server. Use the following procedure to check whether automatic updates are enabled; if they are not, we recommend that you enable them.
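The Server Manager steps that follow perform this check by hand. As an added example (not from the original article), the PowerShell script below reads the same settings the dialogs change: the Windows Update service start mode, the local "Auto Update" registry value, and the policy value that overrides it when a policy is defined. The AUOptions meanings in the comments are Microsoft's documented values; the reporting format is this example's own.

```powershell
# Added example, not from the original article: scripted check of whether
# automatic update installation is enabled.
# AUOptions (documented): 2 = notify before download, 3 = download and notify
# before install, 4 = download and install on schedule.

function Get-AutoUpdateStatus {
    $localKey  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update'
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'

    # Win32_Service works on both 2008 R2 and 2012 R2 and exposes the start mode.
    $svc = Get-WmiObject -Class Win32_Service -Filter "Name='wuauserv'"

    $localAu  = (Get-ItemProperty -Path $localKey -ErrorAction SilentlyContinue).AUOptions
    $policy   = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $policyAu = if ($policy) { $policy.AUOptions } else { $null }
    $noAuto   = if ($policy) { $policy.NoAutoUpdate } else { $null }

    # A policy value, when present, takes precedence over the local dialog setting.
    $effective = if ($null -ne $policyAu) { $policyAu } else { $localAu }

    $enabled = ($svc -ne $null) -and ($svc.StartMode -ne 'Disabled') -and
               ($noAuto -ne 1) -and ($effective -eq 4)

    New-Object PSObject -Property @{
        ServiceStartMode        = if ($svc) { $svc.StartMode } else { 'service not found' }
        ServiceState            = if ($svc) { $svc.State } else { 'service not found' }
        LocalAUOptions          = $localAu
        PolicyAUOptions         = $policyAu
        PolicyNoAutoUpdate      = $noAuto
        AutomaticInstallEnabled = $enabled
    }
}

$status = Get-AutoUpdateStatus
$status | Format-List
if (-not $status.AutomaticInstallEnabled) {
    Write-Warning 'Automatic installation of updates is not enabled; use Server Manager to turn it on.'
}
```

A server that has never been configured has no AUOptions value at all; the script reports that as "not enabled", which is the correct conclusion for the purpose of this step.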
Windows Server 2008
Click the "Server Manager" icon in the taskbar. In the right-hand pane, click "Configure Updates". In the displayed dialog box, select "Install updates automatically".

Windows Server 2012

Click the "Server Manager" icon in the taskbar to open the Server Manager dashboard. Click "Configure local server" and click the link after "Windows Update". If automatic updates are not enabled, a warning is displayed; click "Turn on automatic updates".

3. Enable Firewall

Meituan cloud provides firewall services. If you are using the Meituan cloud host, you can use the Firewall service provided by Meituan cloud on the Meituan cloud Control Panel to set the firewall. The firewall provided by Meituan cloud platform provides the network port firewall function on the cloud platform outside the virtual machine, which is relatively simple to use. If its functions meet your needs, we recommend that you disable the firewall built in Windows. Otherwise, you can refer to the following content to set up the Windows built-in firewall.

(Tip: to avoid conflicts between the Windows built-in firewall and the cloud platform firewall, set the cloud platform firewall to "open" after enabling the Windows built-in firewall.)

If public bandwidth has been purchased for a Windows Server, one of its NICs has a public IP address and is connected to the Internet. You can reach the services deployed on the host through this IP address, but malicious attackers may equally exploit a system vulnerability through the same public IP address to break into your server. In this case, in addition to enabling automatic updates so that system vulnerabilities are fixed promptly, we recommend that you enable the Windows server firewall to reduce the number of ports directly exposed to the public network and the risk that a dangerous port is reachable from it. In addition, for Remote Desktop (TCP 3389) and other service ports used for management, it is best to configure a whitelist of allowed source IP addresses to minimize the risk from malicious scanning.

(Note: We recommend that you configure the firewall through the Web terminal of the Meituan cloud console, so that a misstep during configuration cannot disable your Remote Desktop connection and lock you out.)

To enable Windows Firewall, follow these steps:

Windows server 2008

Click the "Server Manager" icon in the taskbar, navigate to "Windows Firewall" in the tree list on the left, and right-click "Windows Firewall with Advanced Security". In the displayed dialog box, select the "Public Profile" tab, set "Firewall state" to "On", and click "OK" to close the dialog box.
After the firewall is enabled, to avoid affecting Remote Desktop Access, make sure that remote desktop access is allowed:

In the tree list on the left, expand "Windows Firewall with Advanced Security" and click "Inbound Rules". In the rules list in the middle pane, check whether "Remote Desktop (TCP-In)" is enabled. If the rule is not enabled, select it and click "Enable Rule" on the right.

Windows server 2012

Click "Server Manager" in the taskbar to open the Server Manager dashboard. Click "Configure local server", click "Windows Firewall" in the displayed window, and then click "Turn Windows Firewall on or off" on the left. In the displayed dialog box, make sure that "Turn on Windows Firewall" is selected under "Public network settings" and that the two check boxes below it are not selected. Click OK to close the dialog box.

Similarly, after enabling the firewall, make sure that remote desktop access is allowed:

On the "Windows Firewall" page, click "Advanced settings". In the "Windows Firewall with Advanced Security" window, select "Inbound Rules" in the left bar. In the rules list in the middle pane, find the rule "Remote Desktop - User Mode (TCP-In)" whose "Profile" is "Public". If the rule is not enabled, select it and click "Enable Rule" on the right.
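The same firewall configuration can be applied and verified from a script, which is useful when several hosts need the identical setup. The block below is an added example and not part of the original article or the cloud platform's tooling. It turns the firewall on, keeps Remote Desktop reachable but only from an administrator whitelist (the source IP whitelist recommended earlier for TCP 3389), adds the 80/443 rule that a third-party web server needs (the rule the rest of this section describes building in the GUI), and lists what the public profile allows. `$AdminSources` is a placeholder using documentation address ranges; replace it with your real management addresses. The rule display names are the ones this section quotes for each Windows version. It goes one step beyond the page's "Public profile" instruction by enabling all three profiles. Run it from an elevated prompt in the cloud console's Web terminal, as the note above advises, so that a mistake cannot cut off your own RDP session.

```powershell
# Added example, not from the original article. Scripted equivalent of the firewall
# steps in this section. Windows Server 2012 R2 has the NetSecurity cmdlets;
# Windows Server 2008 R2 does not, so netsh advfirewall is used there.

$AdminSources = @('203.0.113.10', '198.51.100.0/24')   # placeholder management IPs (documentation ranges)
$RdpRuleNames = @('Remote Desktop (TCP-In)',                # rule name on Windows Server 2008 R2
                  'Remote Desktop - User Mode (TCP-In)')    # rule name on Windows Server 2012 R2

if (Get-Module -ListAvailable -Name NetSecurity) {
    # Windows Server 2012 R2. Enable every profile and block inbound by default.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True -DefaultInboundAction Block

    foreach ($name in $RdpRuleNames) {
        # Get-NetFirewallRule returns one rule per profile when several share a display name.
        $rules = Get-NetFirewallRule -DisplayName $name -ErrorAction SilentlyContinue
        if ($rules) {
            $rules | Enable-NetFirewallRule
            # Keep RDP reachable, but only from the administrator whitelist.
            $rules | Set-NetFirewallRule -RemoteAddress $AdminSources
        }
    }

    # Third-party web server: the 80/443 rule that IIS would otherwise create for you.
    if (-not (Get-NetFirewallRule -DisplayName 'Web Service' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Web Service' -Direction Inbound -Protocol TCP `
            -LocalPort 80, 443 -Action Allow -Profile Any | Out-Null
    }

    # Verification: every enabled inbound allow rule that applies to the public profile.
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Where-Object { $_.Profile -match 'Public|Any' } |
        ForEach-Object {
            $portFilter = $_ | Get-NetFirewallPortFilter
            $addrFilter = $_ | Get-NetFirewallAddressFilter
            New-Object PSObject -Property @{
                Rule       = $_.DisplayName
                Protocol   = $portFilter.Protocol
                LocalPort  = ($portFilter.LocalPort -join ',')
                RemoteAddr = ($addrFilter.RemoteAddress -join ',')
            }
        } | Format-Table Rule, Protocol, LocalPort, RemoteAddr -AutoSize
}
else {
    # Windows Server 2008 R2: the same settings through netsh advfirewall.
    $sources = $AdminSources -join ','
    netsh advfirewall set allprofiles state on
    netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound
    netsh advfirewall firewall set rule name="Remote Desktop (TCP-In)" new enable=yes remoteip=$sources
    netsh advfirewall firewall add rule name="Web Service" dir=in action=allow protocol=TCP localport=80,443
    netsh advfirewall firewall show rule name="Remote Desktop (TCP-In)"
    netsh advfirewall firewall show rule name="Web Service"
}
```

The verification table at the end is the check worth keeping: after any change, the only rows reachable from the public profile should be the web ports and the whitelisted Remote Desktop rule. The cloud platform firewall still sits in front of all of this, as the tip above explains.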

If the IIS service is installed, the system automatically installs and enables inbound rules that allow 80 (HTTP) and 443 (HTTPS) services without special configuration. However, if a third-party Web server, such as LAMP, is installed, you must manually install inbound rules that allow access to 80 and 443. The configuration method for Windows 2008/2012 is the same, as follows:

On the "Inbound Rules" page of the firewall, click "New Rule..." on the right. In the displayed dialog box, select "Port" and click "Next". For "Does this rule apply to TCP or UDP?", select "TCP"; for "Does this rule apply to all local ports or specific local ports?", select "Specific local ports" and enter "80,443" in the input box. Click "Next", select "Allow the connection", click "Next", select all the check boxes, click "Next", enter "Web Service" as the name, and click "Finish".

4. Enable IE Enhanced Security Configuration

After the Enhanced Security Configuration of IE is enabled, the server IE browser can only access websites in the whitelist. This effectively prevents the administrator from accidentally accessing a malicious site on the server and causing the server to be infected with viruses or Trojans. This configuration is enabled by default. If it is not enabled, we recommend that you enable it. To enable this function, follow these steps:

Windows server 2008

Click the "Server Manager" icon in the taskbar. In the right pane of the displayed window, click "Configure IE ESC". In the displayed dialog box, enable or disable this function.

Windows server 2012

Click the "Server Manager" icon in the taskbar to open the Server Manager dashboard. Click "Configure local server" and click the link after "Internet Explorer Enhanced Security Configuration"; enable or disable the function in the dialog box that appears.

5. Install and enable anti-virus software

In addition, you can install and enable real-time anti-virus software to further improve the server security. Once malware breaks through the defense lines built in the previous four steps and enters the cloud host, real-time anti-virus software can prevent malware from running on the cloud host and ensure the security of the cloud host.

Windows Security Essentials is a free anti-virus software developed by Microsoft for Windows 7/Vista. It can be used to protect Windows Server 2008 R2 data center edition.

Windows Security Essentials installation is relatively simple. You only need to download and run the installation file from the above link to complete the wizard step by step.

Windows Server 2012 data center Edition does not have many (free) antivirus software available. Currently, you can apply for a trial of System Center 2012 R2 Configuration Manager and install the System Center Endpoint Protection Client that comes with it.

Installation Method:

Extract the downloaded package (currently sc2012_r2_sccm_scep.exe) and open the SMSSETUP/CLIENT directory.

Double-click scepinstall and install System Center Endpoint Protection as prompted.

6. Reasonable service deployment architecture

Finally, a reasonable service deployment architecture can reduce the risks exposed to the entire Windows server site and increase the security threshold. The principles to be followed are:

Single role principle: Only one service is provided for a single VM instance server. For example, the database service is deployed on one server and the Web server is deployed on another server. In this way, you can accurately assess whether the server requires a public IP address and which ports need to be enabled, so that the public IP address and port can be exposed as little as possible to reduce risks. For example, the Database Service generally does not require a public IP address, so you do not need to buy public bandwidth, which saves both costs and improves security. For Web servers, only port 80/443 is enabled, and other ports can be disabled through the firewall.

Streamlined principle: do not enable services and functions that can be disabled, do not install software that can be uninstalled, do not open ports that can be closed, and do not purchase public bandwidth for hosts that do not need public network access. Adhering to this principle of minimalism not only saves energy but also reduces security risks.
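Both principles come down to one question: what is this server actually listening on, and does each listener belong to its single role? The PowerShell script below is an added example, not from the original article. It lists every TCP port the server listens on together with the owning process, distinguishes loopback-only listeners (such as a database bound to 127.0.0.1) from those reachable on all interfaces, and marks ports outside the expected set for the server's role. `$Expected` is a placeholder (80, 443 and 3389 for a web server); netstat is used instead of Get-NetTCPConnection so the same script runs on Windows Server 2008 R2 and 2012 R2.

```powershell
# Added example, not from the original article: audit of listening TCP ports
# against the expected ports for this server's single role.

function Get-ListeningPortReport {
    param([int[]]$Expected = @(80, 443, 3389))   # placeholder: this server's role ports

    $seen = @{}
    # netstat -ano lists TCP and TCPv6 listeners; UDP lines carry no state and are skipped.
    foreach ($m in (netstat -ano | Select-String -SimpleMatch 'LISTENING')) {
        # Fields: Proto  LocalAddress  ForeignAddress  State  PID
        $f = $m.Line.Trim() -split '\s+'
        $local  = $f[1]
        $procId = [int]$f[4]
        $sep  = $local.LastIndexOf(':')            # works for 0.0.0.0:80 and [::]:80 alike
        $addr = $local.Substring(0, $sep)
        $port = [int]$local.Substring($sep + 1)

        $key = "$addr|$port"
        if ($seen.ContainsKey($key)) { continue }  # one row per address/port pair
        $seen[$key] = $true

        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        $loopback = ($addr -eq '127.0.0.1') -or ($addr -eq '[::1]')
        New-Object PSObject -Property @{
            Port     = $port
            Address  = $addr
            PID      = $procId
            Process  = if ($proc) { $proc.ProcessName } else { '?' }
            Exposure = if ($loopback) { 'loopback only' } else { 'all interfaces' }
            Expected = ($Expected -contains $port)
        }
    }
}

$report = Get-ListeningPortReport
$report | Sort-Object Port | Format-Table Port, Address, Process, PID, Exposure, Expected -AutoSize

# Anything reachable on all interfaces and not expected for this role is a candidate
# to stop, uninstall, or block at the firewall (the streamlined principle).
$report | Where-Object { -not $_.Expected -and $_.Exposure -ne 'loopback only' } |
    ForEach-Object { Write-Warning "Unexpected listener: port $($_.Port) ($($_.Process), PID $($_.PID))" }
```

Run it after deploying a role and again after each software installation; a new row in the warning list is exactly the kind of exposure the two principles above are meant to prevent.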
