What are some good general security steps to take?

Post by Edge100x »

We recommend taking a few simple measures to try to prevent unauthorized access to your server.

- Use a complicated administrator password, like the one we first gave you, and store it in a safe place. Remote login attempts are frequently made by automated scripts from all corners of the internet, and if you use a simple password one of these might be able to guess it.

- Minimize the number of users who have the administrator password. Ideally, you should be the only one who has it. Consider setting up an FTP service like FileZilla so that others can have some access, but not unlimited access.

- Disable the "server"/"lanmanserver" service and any others that you don't actually need, through the Control Panel->Administrative tools->Services snap-in. The "server" service provides additional remote access capabilities (such as file sharing) and has been a common source of security problems for Windows versions.

- Disable NetBIOS for your network adapter; it's under the "Advanced TCP/IP settings" on the "WINS" page, under "NetBIOS setting".

- Set up Remote Desktop (aka Terminal Services) to run on a non-default port (TCP 3389 is the default port), or (preferably) configure a firewall to block access from all IPs except for a handful of administrators. This reduces password brute-forcing attacks and improves performance in the process.

- Avoid web surfing (and client-side applications in general) on your server. Web browsers, and in particular Internet Explorer, are possibly the most common source of new, critical security vulnerabilities, and sometimes just visiting a website can infect your machine with a fresh virus. When you do open pages, visit only trusted sites.

- Make sure that you are always running the latest Windows security updates. Using the Automatic Updates service is a good way of doing this, but keep in mind that sometimes the AU service freezes when it tries to reboot after applying its updates; if this happens, you may need to manually power cycle your machine through our control panel.

- Don't run anything but trusted server executables (and trusted programs to support them) on your dedicated machine. For instance, don't run AIM, gadgets to expand your desktop, email clients, or anything of that nature. Run only plugins that you trust on your servers.

- Never let someone else who you do not know access your service directly, even temporarily, unless they represent a legitimate, established company. We have seen many instances of random strangers being allowed desktop access to a VDS/machine and using that access to load malware.

- Consider running an antivirus application in the background. This isn't generally required if you follow the other steps, however.

We don't typically recommend running a firewall inside the OS on a dedicated server because it is not really necessary if you follow the other steps, and it's very easy to block your own access to the machine (which would require us to log in for you locally to fix the problem). With a VDS, though, you could experiment with one without worry -- just keep an eye on CPU usage, since firewalls cause some overhead and can make the service more vulnerable to certain types of DoS attacks.
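As an added worked example (my own script, not code from the original post or from the hosting provider), here is a PowerShell script that applies the service, NetBIOS, RDP-port and firewall steps from the post in one run, with a guard against the lockout the post warns about: before the firewall allowlist is applied, it checks that any active RDP session originates from an allowlisted address. Assumptions: Windows Server 2012 R2 or later (the NetSecurity cmdlets), an English locale for the built-in "Remote Desktop" rule group name, IPv4 administrator addresses, and the placeholder addresses in $AdminIPs are hypothetical and must be replaced with your own.

```powershell
#Requires -RunAsAdministrator
# Added example: applies the hardening steps from the post above.
# $AdminIPs holds HYPOTHETICAL placeholder addresses; replace them.
param(
    [string[]]$AdminIPs = @('203.0.113.10', '198.51.100.0/24'),  # assumed admin addresses/CIDRs
    [int]$RdpPort = 3389                                          # change to move RDP off the default
)

# IPv4-only CIDR membership test; anything that is not IPv4 is reported as "not covered",
# which makes the lockout guard below fail closed (refuse) rather than open.
function Test-IPv4InCidr {
    param([string]$Address, [string]$Cidr)
    $net, $bits = $Cidr.Split('/')
    if (-not $bits) { $bits = 32 }
    $ip  = [System.Net.IPAddress]::Parse($Address)
    $nip = [System.Net.IPAddress]::Parse($net)
    if ($ip.AddressFamily -ne 'InterNetwork' -or $nip.AddressFamily -ne 'InterNetwork') { return $false }
    $toInt = {
        param($addr)
        $b = $addr.GetAddressBytes(); [Array]::Reverse($b)   # network order -> host order
        [BitConverter]::ToUInt32($b, 0)
    }
    $mask = [uint32]((([uint64]0xFFFFFFFF) -shl (32 - [int]$bits)) -band 0xFFFFFFFF)
    return (((& $toInt $ip) -band $mask) -eq ((& $toInt $nip) -band $mask))
}

# 1. Stop and disable the "Server" (LanmanServer) service that provides SMB file sharing.
Stop-Service -Name LanmanServer -Force -ErrorAction SilentlyContinue
Set-Service  -Name LanmanServer -StartupType Disabled

# 2. Disable NetBIOS over TCP/IP on every IP-enabled adapter.
#    TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' | ForEach-Object {
    $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
    "NetBIOS disabled on '$($_.Description)': return code $($r.ReturnValue)"
}

# 3. Lockout guard: find the port RDP currently listens on, and refuse to continue if any
#    established RDP session comes from an address the allowlist would not admit.
$rdpKey      = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
$currentPort = (Get-ItemProperty -Path $rdpKey -Name PortNumber).PortNumber
$sessions    = Get-NetTCPConnection -LocalPort $currentPort -State Established -ErrorAction SilentlyContinue
foreach ($s in $sessions) {
    $covered = $AdminIPs | Where-Object { Test-IPv4InCidr -Address $s.RemoteAddress -Cidr $_ }
    if (-not $covered) {
        throw "Active RDP session from $($s.RemoteAddress) is not in the allowlist; refusing to apply the firewall rule (it would lock you out)."
    }
}

# 4. Firewall: disable the stock "Remote Desktop" rules and replace them with a single
#    inbound rule that admits only the allowlisted sources on the chosen port.
#    Restricting the source is the important part; the port change is secondary.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue | Disable-NetFirewallRule
$ruleName = 'RDP admin allowlist'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP -LocalPort $RdpPort `
    -RemoteAddress $AdminIPs -Action Allow -Profile Any | Out-Null

# 5. Move RDP to the requested port. Restarting TermService drops your current session;
#    reconnect on the new port (the firewall rule above already allows it).
if ($currentPort -ne $RdpPort) {
    Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $RdpPort -Type DWord
    Restart-Service -Name TermService -Force
}

# 6. Report the resulting state so the change can be verified at a glance.
Get-Service LanmanServer, TermService | Select-Object Name, Status, StartType
Get-NetFirewallRule -DisplayName $ruleName | Get-NetFirewallAddressFilter | Select-Object RemoteAddress
```

Run it from an elevated PowerShell prompt, ideally over the provider's console or KVM rather than RDP, since step 5 restarts the Remote Desktop service. The guard in step 3 only protects the session you are currently in; it does not know about the office address you will connect from tomorrow, so check $AdminIPs before running rather than relying on the guard alone. On a VDS, the post's note about firewall CPU overhead still applies: a single allow rule with a short source list is cheap, but keep an eye on usage after enabling it.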