When working with a new Windows Server, securing it against attackers is one of the first things you will want to do. A default Windows Server configuration is not inherently locked down and leaves important services open and accessible to attackers. Let’s take a look at how we can secure our web server!
Changing the RDP Port from the Default
By default, RDP access to your server is open on port 3389. This is a widely used port for RDP and is the default configuration on most Windows servers and computers alike. Because this port is a default setting on many systems, hackers will attempt to attack RDP on this port for any computer connected to the internet using automated programs, to try thousands of combinations of passwords against your server.
One of the easiest things we can do to secure our server is to change this default port from 3389 to another unused port that is less likely to be randomly targeted by attackers. We can make this change in the registry.
To get started, open your Start menu and enter regedit to open the Registry Editor.
Navigate to the key HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and locate the PortNumber value.
Open PortNumber by double-clicking it and change the Base from Hexadecimal to Decimal.
Change the value from the default port of 3389 to your desired unused port, for example 3301. Once saved, you must restart your server for the change to take effect.
This simple change can slow down and prevent hundreds or thousands of potential attacks on your server. If the attacker does not know your RDP port, or if it is an unusual port that they wouldn’t normally try, they cannot attempt to log in to your server, and you save your systems from successful brute-forcing attacks.
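The same port change scripted in PowerShell, as an added example that is not from the article. It assumes the new port 3301 and a placeholder admin IP range, and it adds the firewall rule the built-in "Remote Desktop" rules do not cover (those only allow 3389), so the server stays reachable after the reboot. A port scan will still find the moved listener, so treat this as noise reduction that reduces automated hits, not as a substitute for the credential and firewall steps that follow.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): move RDP off 3389 and add the
# matching inbound firewall rule so the new port is reachable after reboot.
# Assumptions: new port 3301, and a placeholder admin subnet below.
$NewPort  = 3301
$AdminNet = '203.0.113.0/24'   # placeholder: replace with your admin IP range
$RegPath  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# Bail out if another service is already listening on the chosen port.
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $NewPort is already in use; pick another port."
}

# Record the current value so the change can be reversed if needed.
$OldPort = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
Write-Host "Current RDP port: $OldPort"

# Set the new port. PortNumber is a REG_DWORD, so pass a plain integer.
Set-ItemProperty -Path $RegPath -Name PortNumber -Value $NewPort -Type DWord

# The built-in Remote Desktop rules only allow 3389, so add a rule for the
# new port, scoped to the admin range rather than the whole internet.
New-NetFirewallRule -DisplayName "RDP on $NewPort (admin range only)" `
    -Direction Inbound -Protocol TCP -LocalPort $NewPort `
    -RemoteAddress $AdminNet -Action Allow -Profile Any | Out-Null

# Verify the value took before rebooting.
$Check = (Get-ItemProperty -Path $RegPath -Name PortNumber).PortNumber
if ($Check -ne $NewPort) { throw "PortNumber is $Check, expected $NewPort" }
Write-Host "RDP port set to $NewPort. Reboot for the change to take effect:"
Write-Host "  Restart-Computer -Force"
```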
This brings us to our next point, updating system and user passwords.
Updating Passwords, Creating Users, and Disabling Default Accounts
Another simple way to protect your server against attackers is to make sure you have updated all system passwords to strong, non-default credentials and have disabled or renamed default usernames.
Now with Windows Server, there are no default user passwords, as you set these when setting up your operating system. But if your server or server admin is still utilizing the default Administrator user, it is in your best interest to create a strong password, or better yet, create a new user and disable the default Administrator user.
Just like automated attacks against RDP, attackers will programmatically use software to guess passwords against default users. One of the default users for Windows Server is the Administrator user.
Let’s see how we can create a new administrative user, update this password to something really strong, and disable the default administrator account.
To get started, navigate to the local user and accounts management menu by searching your computer for lusrmgr.msc.
Select the Users group on the left actions-pane and right-click our main action pane to create a New User.
Your new username should be something unique and unexpected for an administrative user. Typical usernames such as itadmin, support, or just admin, will easily be guessed by hackers and programmatically attacked for being common administrative usernames. I suggest mixing your business name in with the username, or providing administrative accounts to specific users who need them, in order to provide some unique name that would be hard for an attacker to guess. Additionally, your password should be 12+ characters, including a mix of letters, numbers, symbols and differing cases.
Once you have entered the desired information, select Create to create the new user. Now, find your new user in the User group, right-click and go to Properties.
Navigate to the “Member Of” tab so we can add our new user to the Administrators group.
Click Add at the bottom of the menu. Enter “Administrators” under “Enter the object names to select” and click “Check Names”.
The full Administrators group name will be resolved and displayed. If you are using Active Directory, you may enter your domain’s administrators group here instead.
Select OK and we can see our user has been added to the Administrators group! Click OK to return to the Local Users and Groups manager.
Now that we have created our new administrator user, with a strong password and a hard-to-guess username, we can disable our original Administrator user completely.
To do this, right-click the Administrator account, go to Properties, check Account is disabled, and click Apply!
Congratulations! You have now created a new administrator user and disabled the default admin account. Between the disabled default user and our changed default RDP port, our server is already more secure against automated attacks than ever.
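The same procedure scripted in PowerShell, as an added example that is not from the article. The username is a placeholder; the script prompts for the password, enforces the 12-character minimum from above, and checks that the new account really is in Administrators before it disables the built-in Administrator, so you cannot lock yourself out.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): create a uniquely named admin, add it
# to Administrators, and only then disable the built-in Administrator account.
# Assumption: "acme-ops-jdoe" is a placeholder username; choose your own.
$NewAdmin = 'acme-ops-jdoe'

# Prompt for the password so it never lands in a script file or shell history.
$Password = Read-Host -Prompt "Password for $NewAdmin (12+ chars, mixed)" -AsSecureString

# Enforce the minimum length before creating the account, then drop the plaintext.
$Plain = [System.Net.NetworkCredential]::new('', $Password).Password
if ($Plain.Length -lt 12) { throw 'Password must be at least 12 characters.' }
$Plain = $null

New-LocalUser -Name $NewAdmin -Password $Password `
    -Description 'Named administrative account' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $NewAdmin

# Safety check: confirm the new account is an administrator before disabling
# the old one. Members are listed as COMPUTER\user.
$Members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
if ($Members -notcontains "$env:COMPUTERNAME\$NewAdmin") {
    throw "$NewAdmin is not in Administrators; not disabling the built-in account."
}

# Disable the built-in Administrator and show the final state of both accounts.
Disable-LocalUser -Name 'Administrator'
Get-LocalUser -Name 'Administrator', $NewAdmin | Select-Object Name, Enabled
```

Open a second RDP session with the new account and confirm it works before closing the one you ran this from.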
But this is still only the beginning! Follow a similar process on any third-party software or services being utilized by your server. You can update default usernames and passwords for SQL servers, control panels, and any other internet-accessible service to ensure the security of your Windows Server.
Creating Secure Firewall Rules and Blocking Inbound Connections
An important part of server security is creating strong firewall rules to prevent bad connections from occurring in the first place.
In most circumstances, firewalls should be configured to block all inbound connections unless otherwise specified. This gives you the most security possible, as you are blocking everything except certain ports and services that you have manually configured to allow.
While we can’t determine exactly which ports and services are in use on your server, you can use this article to help configure your advanced firewall settings.
The most important thing is to be sure that all inbound connections are blocked unless an exception is made with a new firewall rule. This is a default setting for Windows Server but it is worth verifying on your server!
Common ports that may be needed for your web server include TCP ports 80 (HTTP), 443 (HTTPS/SSL), 1433 (MSSQL), 3306 (MySQL), and 3389 (RDP, or whichever port you moved it to above).
Any rules created on the firewall should be for specified remote IP addresses when applicable, as opposed to being open to the internet as a whole. Services like SQL may not need to be accessed by the general internet and may only need to be accessed by a single server or IP address. It is worth taking the extra time to be sure that remote access for any port or service is limited to addresses that absolutely need access, otherwise we are opening our server up to potential attacks, exploits, and brute-forcing attempts.
Remember, you can always lock down a port and re-open it if it causes issues or needs additional remote access. Securing our server this way, by only opening necessary services, will go a long way in protecting our important data and credentials.
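The checks and rules from this section in PowerShell, as an added example that is not from the article. It verifies block-by-default inbound on every profile, opens the web ports to everyone, shows the weak SQL rule beside the corrected one scoped to a single placeholder app server, and finishes with an audit of every inbound allow rule still open to any address.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): verify block-by-default inbound, then
# add rules that are open only as far as they need to be.
# Assumption: 198.51.100.10 is a placeholder for the one app server using MSSQL.
$AppServer = '198.51.100.10'

# 1. Confirm the default inbound action is Block on every profile; fix if not.
Get-NetFirewallProfile | ForEach-Object {
    if ($_.DefaultInboundAction -ne 'Block' -or -not $_.Enabled) {
        Write-Warning "Profile $($_.Name): enabled=$($_.Enabled) inbound=$($_.DefaultInboundAction); fixing"
        Set-NetFirewallProfile -Name $_.Name -Enabled True -DefaultInboundAction Block
    }
}

# 2. Web ports serve the public, so they are the exception that stays open to Any.
New-NetFirewallRule -DisplayName 'Web HTTP/HTTPS' -Direction Inbound -Protocol TCP `
    -LocalPort 80,443 -RemoteAddress Any -Action Allow | Out-Null

# 3. Weak form (for comparison only, not created): MSSQL open to the whole internet.
#    New-NetFirewallRule -DisplayName 'MSSQL' -Direction Inbound -Protocol TCP `
#        -LocalPort 1433 -RemoteAddress Any -Action Allow
#    Corrected form: the same port, scoped to the single address that needs it.
New-NetFirewallRule -DisplayName 'MSSQL from app server only' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $AppServer -Action Allow | Out-Null

# 4. Audit: list enabled inbound Allow rules open to any remote address,
#    so each one can be justified or scoped down.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { ($_ | Get-NetFirewallAddressFilter).RemoteAddress -eq 'Any' } |
    ForEach-Object {
        $p = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{ Rule = $_.DisplayName; Protocol = $p.Protocol; Port = $p.LocalPort }
    } | Format-Table -AutoSize
```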
Installing Strong and Up-to-Date Anti-Virus Protection
Another great way to protect our servers from attackers is to implement strong and secure anti-virus and spam protection.
Proper anti-virus software will prevent malicious executables from running on your server, in the event that they do get downloaded or manage to find their way to your systems. Anti-Virus, or AV software, should be a priority and it is worth spending the extra money to get a good service that will protect you from the latest threats.
AV software should be up-to-date and patched often, as new threats emerge daily. Additionally, incorporating spam protection can help prevent malicious files from ever being received by a user in your organization. This helps block potentially harmful messages from reaching inboxes, which lessens the chance an unsuspecting user will open or execute such a file.
Incorporating brute-force detection and blocking software can also stop hackers in their tracks. Brute-force detection software can detect failed login attempts against RDP, SQL, and other services and block remote addresses after a number of failed attempts. Often these applications will block an IP address for a set amount of time after, say, 5 bad login attempts. That way, if a malicious user is attempting to attack your server, they will be quickly and automatically identified and blocked.
If a legitimate user in your organization gets blocked, you will always be able to whitelist select IP addresses or users to allow them access.
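A minimal version of that detect-and-block logic, as an added example that is not from the article or any particular product. It reads failed logon events (ID 4625) from the Security log, counts them per source address over a window, blocks sources at or above the threshold in a single firewall rule, and skips addresses on an allow list. The threshold, window and allow-list entries are placeholders.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the article): count failed logons (event 4625) per
# source IP over the last 10 minutes and block sources with 5 or more,
# except addresses on the allow list. Threshold, window and allow-list entries
# are placeholders.
$Threshold = 5
$Window    = (Get-Date).AddMinutes(-10)
$AllowList = @('203.0.113.5')          # placeholder: your own admin addresses
$RuleName  = 'BruteForce-Block'

# Pull failed logons and extract the source IP from each event's XML payload.
$Failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Window } `
    -ErrorAction SilentlyContinue
$Sources = foreach ($e in $Failed) {
    $data = ([xml]$e.ToXml()).Event.EventData.Data
    ($data | Where-Object Name -eq 'IpAddress').'#text'
}

# Drop empty/local sources, count attempts per address, apply threshold and allow list.
$Offenders = $Sources |
    Where-Object { $_ -and $_ -ne '-' -and $_ -ne '127.0.0.1' -and $_ -ne '::1' } |
    Group-Object | Where-Object { $_.Count -ge $Threshold } |
    Where-Object { $AllowList -notcontains $_.Name } |
    Select-Object -ExpandProperty Name

if (-not $Offenders) { Write-Host 'No sources over threshold.'; return }

# Maintain one block rule (created on first use) instead of one rule per IP.
$Rule = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
if (-not $Rule) {
    New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Action Block `
        -RemoteAddress $Offenders | Out-Null
} else {
    $Existing = ($Rule | Get-NetFirewallAddressFilter).RemoteAddress
    $Rule | Set-NetFirewallRule -RemoteAddress ((@($Existing) + $Offenders) | Select-Object -Unique)
}
Write-Host "Blocked: $($Offenders -join ', ')"
```

Run it from a scheduled task every few minutes; the rule keeps its addresses until you remove them, so to mimic a time-limited block, clear the rule's address list on a second schedule.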
Securing Your Server: Covering the Basics
While these are only a few of the ways we can, and need to, protect our servers, they are by far the most important elements to implement first. These simple guidelines will secure your server in a way that would not be possible without them.
Security is a 24/7, 365-day job, and hackers are always ready and executing attacks. We can use automated software and strong inbound rules to reduce the number of attacks that reach the server and lessen the chance that a compromise will succeed.
Between strong RDP credentials, non-default usernames and passwords, strong firewall rules and up-to-date anti-virus software, you are well on your way to protecting sensitive data and services from attackers across the globe.