Securing Windows Servers
It is important when installing and maintaining a Microsoft Windows server to perform initial and maintenance security checks on the server. Below is a checklist of basic tasks that should be performed on each server on initial setup and monthly to ensure continued security of the server. Please note that adding additional services like SQL server requires additional tasks to be performed routinely.
Windows Update - One of the most important steps when installing a new Windows server is to perform all of the critical Windows Updates. If possible install Windows from media slipstreamed with the most current service packs and install updates from media such as a DVD before connecting it to the network for the first time. If that is not possible ensure the Windows Firewall is turned on when you connect the server to the network to patch it.
AntiVirus - Installing AntiVirus is an important step in securing your server. For servers that are part of the University of Hawaii, you can download and install McAfee at www.hawaii.edu/software Verify that the server is getting updated virus definitions often.
MS Baseline Security Analyzer - Download and run the Microsoft Baseline Security Analyzer to find any potential holes or missed patches http://technet.microsoft.com/en-us/security/cc184924
Windows Firewall - Ensure that the Windows Firewall is turned on and that only the services and ports necessary are allowed for inbound and outbound traffic. Check this often and close ports that are no longer needed.
Change network scanner default password - If there is a scanner attached to the network it is important to change the default password. You can find information on doing this in the manual for your model of scanner.
If IIS is on, restrict IIS by subnet - If possible limit access to IIS by subnet.
Anonymous FTP - Evaluate if having anonymous FTP enabled is necessary for your server and if possible restrict access by IP address.
Remove "Everyone" from data directories - When creating new shared directories, ensure that the "Everyone" group is removed from the share and security permissions.
Set Administrator password to something difficult - For auditing and security measures it is best to reset the Administator password to something difficult like a passphrase and use separate Admin accounts per user. Do not disable this account as some functions can only be done as this user.
Create personal admin accounts - Create personal admin accounts instead of allowing everyone to use the same account. This will allow for better tracking in logs of who has made changes to the server.
Set personal admin password to expire in 1 year - To ensure the continued security of the server, set the personal admin passwords to expire after a year to force admins to set a new password.
Using SQL Express - If using SQL Express, the built in administrator account "sa" by defaut has no password. You must install the SQL Management Studio to set the password.
Rename any accounts called "backup" - Rename any default backup accounts thathave a username that could be easily guessed by a hacker.
Make sure "guest" account is disabled - Always ensure that the built in "guest" account is disabled.
Make sure minimum services necessary are turned on - In the server manager, make sure that only the services that you need are turned on for each server.
Patch 3rd party software - Make sure that all 3rd party software (such as Adobe) are patched regularly.
Logging - Turn on logging for services and applications. Review logs at least monthly for unauthorized activity.
Unused Accounts - Verify that all usused accounts have either been removed or disabled.
Check Administrator group - Check this group to ensure no unauthorized changes have been made to membership.