Basic security hardening methods for Windows Servers (2008) _win Server

The United States Cloud (MOS) provides the Windows Server 2008 R2 and the Windows Server R2 Data Center version of the cloud host server. Windows Server security issues require extra attention because of the high market share of Windows servers, more malware such as virus Trojans for Windows servers, easy access, and low technology thresholds. To safely use Windows cloud hosts, it is recommended that you apply the following simple security hardening measures. Simple as it may be, it is enough to defend most of the more common security risks.

First, set strong password

The US cloud Windows Server will automatically generate a 12-bit random password for the administrator account after it is created, and it is recommended to change the password immediately after the first login to the Windows Server. Passwords as random as possible, to include numbers, uppercase and lowercase letters and special symbols, length of at least 12 bits. You can use some tools, such as: Https://identitysafe.norton.com/password-generator, to generate a strong random password. and change the password at least once every 3 months.

The method to modify the password is: After the administrator successfully logged into the host, press "Ctrl-alt-delete", select "Modify password" (Hint: you can login through the United States Cloud Web terminal, click on the upper right corner of the "Ctrl-al-delete" button to enter the key combination)

Second, turn on automatic system update

The United States Mission Cloud Windows Server has obtained the original license, you can open the Windows Update Service, Automatic Update patch system vulnerabilities to avoid being exploited by malicious attackers to invade the server. Use the following process to check whether automatic updating is enabled, or if it is not enabled, it is recommended.

Windows Server 2008

Click on the taskbar "Server Manager" icon in the Panel on the right, click "Configure Update" in the pop-up dialog box, select "Install updates automatically"

Windows Server 2012

Click the Server Manager icon in the taskbar to open the Server Manager dashboard, click "Configure this local server" click "Windows Update" after the link in the pop-up window, if the automatic update is not enabled, display as shown in the warning, click "Enable Automatic Updates."

Third, open the firewall

The United States cloud has provided a firewall service, if you are using the United States cloud host, you can use the United States Cloud Control Panel firewall services provided by the firewall settings. The firewall provided by the United States Mission cloud Platform is the firewall function of the network port provided by the cloud platform outside the virtual machine, and the configuration is relatively simple and suitable for use. If its functionality meets your needs, it is recommended that you turn off the firewall built into the Windows system. Otherwise, you can set up Windows built-in firewalls by referring to the following.

(Tip: To prevent Windows from having a firewall and cloud Platform firewall feature, set the firewall for the cloud platform to open after Windows has its own firewall enabled.) )

If the Windows Server purchased the public network bandwidth, there will be a public network IP address Card with the public network docking. Users can access this IP address to access services deployed on the host. But at the same time, a malicious attacker could also exploit a system vulnerability to invade your server via this public network IP. At this point, in addition to turning on Automatic Updates to fix system vulnerabilities in a timely manner, it is also recommended that Windows Server firewall be opened to reduce the risk of exposure to public networks by reducing the port directly exposed to the public network. Also, for service ports such as Remote Desktop (TCP 3389) for administrative purposes, it is best to set up an IP whitelist that allows access to minimize the risk of malicious scanning.

(Hint, it is recommended that the firewall be configured through the Web terminal of the US cloud console to prevent misoperation in the configuration process, resulting in Remote Desktop Connection shutdown.) )

The steps to turn on Windows Firewall are as follows:

Windows Server 2008

Click the Server Manager icon in the taskbar to the right panel. Click "Go to Windows Firewall" in the tree-like list on the left, click "Advanced Security Windows Firewall" in the pop-up dialog box, select the "Public Profile" leaf sign, to determine "firewall status" to "open", Click "OK" to close the dialog box

After the firewall is turned on, to ensure that Remote Desktop access is not affected, you need to make sure that Remote Desktop access is enabled by:

In the tree-like list on the left, expand Advanced Security Windows Firewall, click Inbound Rules, and in the list of rules in the middle, see if Remote Desktop (tcp-in) is turned on. If not, select the rule and click "Enable Rule" on the right to open

Windows Server 2012

Click the Server Manager icon on the taskbar to open the Server Manager dashboard. Click "Configure this local server" click "Windows Firewall" after the link in the pop-up window, click on the left side of the "Enable or shut down Windows Firewall" in the pop-up dialog box, make sure "Public network Settings" under Select " Enable Windows Firewall, and do not tick the two check boxes below. Click "OK" to close the dialog box

Also, after you enable the firewall, you need to ensure that access to remote Desktop is allowed by:

In the Windows Firewall interface, click "Advanced Settings" to open the Advanced Secure Windows Firewall window, select "Inbound Rules" in the left-hand column, and in the list of intermediate rules, locate the Remote Desktop-user mode (tcp-in) and the rules "public" for "config file". If not, select the rule and click "Enable Rule" on the right to open

If the IIS service is installed, inbound rules for the Allow (HTTP) and 443 (HTTPS) service are automatically installed and enabled, and no special configuration is required. However, if you have a Third-party Web server installed, such as lamp, you will need to manually install inbound rules that allow access to 80 and 443. Windows 2008/2012 has the same configuration method as the following:

In the firewall "Inbound Rules" interface, click on the right "new rule ..." In the pop-up dialog box, select "Port" and click "Next" "" is this rule applied to TCP or UDP? ", select" TCP ";" This rule applies to all local ports or to specific ports ": Select" specific local Port ", enter" 80, 443 "in the input box, click" Next "to select" Allow Connection ", click" Next "to select all the check boxes, click" Next "to enter" Web Services "in the name, click" Finish "

Four, open IE enhanced Security configuration

After IE's enhanced Security configuration is enabled, the server IE browser can only access the whitelist site. This can effectively avoid the administrator in the server accidentally visit the malicious site caused the server infected with a virus or Trojan horse. The configuration is turned on by default. If it is not turned on, the recommendation is open. The Open method is:

Windows Server 2008

Click on the taskbar "Server Manager" icon in the pop-up window on the right panel, click "Configure IE ESC", in the pop-up dialog box to open/close the function

Windows Server 2012

Click the Server Manager icon in the taskbar to open the Server Manager dashboard, click "Configure this local server" click "IE Enhanced Security Configuration" after the link, in the pop-up dialog box to open/close the function

　V. Install and enable antivirus software

Further, you can install and enable real-time anti-virus software to further improve the security of your servers. Once the malware broke through the front four steps to build a line of defense, into the cloud host, real-time anti-virus software can prevent malicious software in the cloud host operation, to protect the security of the cloud host.

Windows Security Essentials is a free antivirus software developed by Microsoft for Windows 7/vista that can be used to protect Windows Server 2008 R2 Data Center Edition.

Windows Security Essentials Installation is simpler, just download and run the installation file on the link above, and complete the wizard step-by-step.

The Windows Server 2012 Data Center version is available (free) anti-virus software is not much. You can now apply for a trial System Center R2 Configuration Manager and install its accompanying antivirus client System Center Endpoint Protection.

The installation method is:

Download packages after decompression (currently for Sc2012_r2_sccm_scep.exe), into the Smssetup/client directory

Double-click Execute Scepinstall and follow the prompts to install system Center Endpoint Protection gradually.

Yun-Habitat Community Small series recommended standalone server installation: McAfee 8.8

Six, reasonable service deployment framework

Finally, a reasonable service deployment architecture can reduce the risk of exposure to the entire Windows Server site and elevate the security thresholds. The principles to be followed are:

Single-Role principle: A cloud host server does only one thing, providing only a service. For example, the database service is on one server and the Web server is deployed in another. This allows a more accurate assessment of whether the server needs a public address and which ports to turn on so as to minimize the risk by exposing the public address and port as little as possible. For example, a database service generally does not require a public address, so there is no need to purchase public network bandwidth, both cost-saving and more secure. The Web server typically only opens port 80/443, and other ports can be closed through the firewall.

Streamlining principle: Can not open the service and function is not open, can not install the software as far as possible not to install, can not open the port to ensure that not open, can not use the public network of the host do not buy public network bandwidth. Adhere to the principle of minimalism, both energy saving and environmental protection, but also reduce security risks.