The next step in securing a server is to reduce its attack surface, and with it the number of ways the server can be compromised. Hardening a server means following the security guidelines and best practices published for Windows servers and for the specific network services you are installing, such as Microsoft Exchange or Microsoft SQL Server.
One of the most important steps in securing a server is to make sure that Windows, Microsoft applications, and other network applications are kept current with the newest security patches. As with clients, you can do this using Windows updates, WSUS, and SCCM. Before applying patches to a production system, make sure that you test the security updates.
To minimize the server’s attack surface, disable any service that is not necessary so that it cannot be exploited in the future. In addition, consider using a host firewall (such as Windows Firewall) to block all ports that are not in use.
To reduce the impact of losing a server, separate your services rather than installing all of them on one server. You also need to plan for the worst and hope for the best: anticipate that a server will eventually fail. Therefore, consider using RAID disks, redundant network cards, redundant power supplies, and clusters.
You should also disable or delete any unnecessary accounts. Renaming the administrator account to something an attacker cannot easily guess is another worthwhile measure. In addition, do not use the administrator account for everything. For example, if you have to run a specific service, create a service account for that service and give it only the minimum rights and permissions it needs to run. Of course, the guest account should be disabled.
Besides disabling or deleting unnecessary accounts and only assigning the minimum rights and permissions necessary for users to do their jobs, you should also minimize who can log on locally to the server.
In addition, you should disable any insecure authentication protocols. For example, do not use Password Authentication Protocol (PAP) with remote access protocols. Do not use FTP with passwords: if the content does not need to be secure, use an anonymous account that needs no password; otherwise use secure FTP, which encrypts both the password and the content as they are transmitted over the network. For the same reason, do not use Telnet; use SSH instead.
Finally, enabling an audit and logging policy and reviewing the logs on a regular basis is also recommended. If someone tries to hack a server or does something he or she should not be doing, you will have a record of that person’s activities. These logs should include both successful and failed account logons.
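The checks above (unneeded services, host firewall, guest and administrator accounts, logon auditing) can be verified from PowerShell. The following script is an added example, not part of the original text; it assumes PowerShell 5.1 or later on a member server (not a domain controller) with the LocalAccounts and NetSecurity modules, run from an elevated prompt, and the service list is a constructed starting point to adapt to your own baseline.

```powershell
#Requires -RunAsAdministrator
# Reports hardening gaps; it changes nothing, so it is safe to run before remediation.
$findings = New-Object System.Collections.Generic.List[string]

# 1. Unnecessary services: anything in this (constructed) list that is still running.
$unneeded = @('TlntSvr', 'FTPSVC', 'SNMP', 'RemoteRegistry', 'Spooler')
foreach ($name in $unneeded) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -and $svc.Status -eq 'Running') {
        $findings.Add("Service '$name' is running; stop and disable it unless required")
    }
}

# 2. Host firewall: every profile enabled, inbound blocked unless a rule allows it.
foreach ($p in Get-NetFirewallProfile) {
    if ($p.Enabled -ne 'True' -or $p.DefaultInboundAction -ne 'Block') {
        $findings.Add("Firewall profile '$($p.Name)' is disabled or allows inbound by default")
    }
}

# 3. Accounts: built-in Administrator (RID 500) renamed, Guest disabled.
$admin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
if ($admin -and $admin.Name -eq 'Administrator') {
    $findings.Add("Built-in Administrator account still uses the default name")
}
$guest = Get-LocalUser -Name 'Guest' -ErrorAction SilentlyContinue
if ($guest -and $guest.Enabled) {
    $findings.Add("Guest account is enabled")
}

# 4. Audit policy: both successful and failed logons must be recorded.
$logon = auditpol.exe /get /subcategory:"Logon" /r | ConvertFrom-Csv
if ($logon.'Inclusion Setting' -ne 'Success and Failure') {
    $findings.Add("Logon auditing is '$($logon.'Inclusion Setting')'; expected 'Success and Failure'")
}

if ($findings.Count -eq 0) { 'No findings: baseline checks passed' } else { $findings }
```

Each finding names the setting to fix; remediate with Set-Service, Set-NetFirewallProfile, Rename-LocalUser, Disable-LocalUser and auditpol /set, then rerun the script to confirm.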
Microsoft Baseline Security Analyzer (MBSA) is a software tool provided by Microsoft to report the security status of a system by assessing missing security updates and less-secure security settings in Microsoft Windows components (e.g., Internet Explorer, IIS) and products (e.g., Microsoft SQL Server, Microsoft SharePoint Server, and Microsoft Office macro settings). See Figure.
Figure: Microsoft Baseline Security Analyzer
Microsoft often publishes security guides and best practices guides for various products. In addition, Microsoft has published Threats and Countermeasures—Security Settings in Windows Server 2008 and Windows Vista, which can be found here.