When working with a new Windows Server, protecting it against attackers is one of the first things you want to do. A standard Windows Server configuration is not inherently locked down, and it leaves important services open and accessible to attackers. Let’s see how to secure our web server!
Change the RDP port from the default
By default, RDP access to your server listens on port 3389. This is the well-known RDP port and the default configuration on most Windows servers and workstations. Because it is a default on so many systems, attackers run automated programs against port 3389 on any computer connected to the Internet, trying thousands of password combinations against your server.
One of the easiest things we can do to secure our server is to change this default port from 3389 to another unused port that is less likely to be picked up by random scanning. We can make this change in the registry.
To get started, open the Start menu and run regedit to open the Registry Editor.
Navigate to the following value: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber.
Open the PortNumber value by double-clicking it and change the Base from Hexadecimal to Decimal.
Change this value from the default port of 3389 to your desired unused port, for example 3301. Once saved, you must restart your server for the change to take effect.
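The same change scripted in PowerShell, as an added example that is not part of the original article: it checks that the chosen port is free, opens it on the Windows Firewall before the reboot so the server stays reachable, then writes the new PortNumber value and verifies it. The port 3301 and the rule names are assumptions; run it from an elevated prompt.

```powershell
# Added example (not from the article): change the RDP listening port safely.
$NewPort = 3301   # assumption: any unused port; 3301 is the article's example
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Record the current port and refuse to proceed if something already listens on the new one
$Current = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
Write-Host "Current RDP port: $Current"
if (Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue) {
    throw "TCP port $NewPort is already in use on this server; pick another one."
}

# 2. Open the new port on the firewall BEFORE rebooting, or the server becomes unreachable over RDP.
#    RDP uses TCP and, with newer clients, UDP on the same port.
foreach ($Proto in 'TCP', 'UDP') {
    New-NetFirewallRule -DisplayName "Remote Desktop on $Proto $NewPort" -Direction Inbound `
        -Protocol $Proto -LocalPort $NewPort -Action Allow -Profile Domain,Private | Out-Null
}

# 3. Write the new port as a decimal REG_DWORD, then confirm it was saved
Set-ItemProperty -Path $KeyPath -Name PortNumber -Value $NewPort -Type DWord
$Saved = (Get-ItemProperty -Path $KeyPath -Name PortNumber).PortNumber
if ($Saved -ne $NewPort) { throw "Registry write failed; PortNumber is still $Saved." }
Write-Host "PortNumber set to $Saved. After the reboot connect with: mstsc /v:<server>:$NewPort"

# 4. Reboot for the change to take effect (prompts for confirmation first)
Restart-Computer -Confirm
```

Clients must now append the new port to the server name when connecting; the built-in "Remote Desktop" firewall rules for 3389 can be left in place or disabled once the new port is confirmed working.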
This simple change can slow down or prevent hundreds or thousands of potential attacks on your server. If attackers don’t know your RDP port, or it’s an unusual port they wouldn’t normally try, they can’t even attempt to log in, and your systems are spared from automated brute-forcing attacks.
This brings us to our next point, updating system and user passwords.
Update passwords, create users and disable standard accounts
Another easy way to protect your server from attackers is to make sure you have updated all system passwords to strong, non-default credentials and disabled or renamed the default usernames.
Windows Server has no default user passwords, since you set them when installing the operating system. But if your server or server administrator is still using the built-in Administrator account, it is in your best interest to give it a strong password or, better yet, create a new user and disable the built-in Administrator account.
Just as with automated attacks on RDP, attackers use software to guess passwords for well-known usernames. One of the standard accounts on Windows Server is the Administrator user.
Let’s take a look at how to create a new administrative user, update this password to something really strong, and disable the default admin account.
To get started, open the Local Users and Groups console by searching your computer for lusrmgr.msc.
Select the Users folder in the left pane and right-click in the main pane to choose New User.
Your new username should be something unique and unexpected for an administrative user. Typical usernames such as itadmin, support or just admin are easily guessed and attacked programmatically because they are common administrative usernames. I recommend combining your company name with the username, or issuing administrator accounts to the specific users who need them, so the name would be difficult for an attacker to guess. In addition, the password should be 12+ characters long and include a mix of lowercase letters, uppercase letters, numbers and symbols.
After entering the desired information, select Create to create the new user. Now find your new user in the user group, right click and go to Properties.
Navigate to the “Member Of” tab so we can add our new user to the Administrators group.
Click Add at the bottom of the dialog. Enter “Administrators” under “Enter the object names to select” and click “Check Names”.
The Administrators group is resolved and displayed. If you are using Active Directory, you can enter your domain and the Administrators group name here instead.
Select OK and we can see that our user has been added to the Administrators group! Click OK to return to the Local Users and Groups console.
Now that we’ve created our new administrator user, with a strong password and a hard-to-guess username, we can completely disable our original administrator user.
To do this, right-click the Administrator account, go to Properties, and check Account is disabled. Click Apply!
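The same procedure in PowerShell, as an added example that is not part of the original article: it enforces the password rules given above, creates the new account, confirms the group membership actually took, and only then disables the built-in Administrator (found by its well-known RID 500 rather than by name). The username contoso-srvadmin is a placeholder; run from an elevated prompt.

```powershell
# Added example (not from the article): create a uniquely named local admin,
# verify the group membership, then disable the built-in Administrator account.
$NewUser = 'contoso-srvadmin'   # assumption: pick a company-specific name, not 'admin' or 'itadmin'

# Read the password interactively so it never lands in the script or in shell history
$Password = Read-Host -AsSecureString -Prompt "Password for $NewUser (12+ chars, mixed case, digits, symbols)"

# Enforce the article's minimum complexity before creating the account
$Plain = [System.Net.NetworkCredential]::new('', $Password).Password
if ($Plain.Length -lt 12 -or $Plain -notmatch '[A-Z]' -or $Plain -notmatch '[a-z]' -or
    $Plain -notmatch '\d' -or $Plain -notmatch '[^A-Za-z0-9]') {
    throw 'Password must be 12+ characters with upper case, lower case, a digit and a symbol.'
}
$Plain = $null   # drop the clear-text copy as soon as the check is done

New-LocalUser -Name $NewUser -Password $Password -Description 'Server administrator' | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $NewUser

# Check the membership really took before touching the old account
$Members = (Get-LocalGroupMember -Group 'Administrators').Name
if ($Members -notcontains "$env:COMPUTERNAME\$NewUser") { throw "$NewUser is not in Administrators; aborting." }

# Locate the built-in Administrator by RID 500 (its name may already have been changed)
$BuiltIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }

# Log on once as $NewUser first to prove the new account works; -Confirm gives you the chance to stop here
Disable-LocalUser -InputObject $BuiltIn -Confirm
Get-LocalUser -Name $BuiltIn.Name | Select-Object Name, Enabled   # Enabled should now be False
```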
Congratulations! You have now created a new administrator user and disabled the built-in admin account. Between the disabled default user and our modified RDP port, our server is far better protected against automated attacks than before.
But this is just the beginning! Follow a similar process for any third-party software or services used by your server. You can update default usernames and passwords for SQL servers, control panels, and any other service accessible over the Internet to maintain the security of your Windows Server.
Create secure firewall rules and block incoming connections
An important part of server security is creating strong firewall rules to prevent unwanted connections from being accepted in the first place.
In most cases, firewalls should be configured to block all incoming connections unless explicitly allowed. This gives you the best possible security, because everything is blocked except the specific ports and services you have manually chosen to permit.
While we cannot determine exactly which ports and services are used on your server, you can use this article to configure your advanced firewall settings.
The important thing is to make sure that all incoming connections are blocked unless an exception has been created with a specific firewall rule. This is the default inbound setting for Windows Server, but it’s worth verifying on your server!
Common ports that your web server may require include TCP port 80 (HTTP), 443 (HTTPS), 1433 (MSSQL), 3306 (MySQL), and 3389 (RDP).
Any rules created on the firewall should be scoped to specific remote IP addresses where applicable, rather than being open to the Internet as a whole. Services such as SQL often don’t need to be reachable from the general Internet and may only need access from a single server or IP address. It’s worth taking the extra time to ensure that remote access to any port or service is limited to the addresses that absolutely need it; otherwise we open our server to potential attacks, exploits, and brute-forcing attempts.
Remember, you can always close and reopen a port if a rule causes problems or additional remote access is needed. By securing our server in this way, exposing only the necessary services, our important data and login credentials are significantly better protected.
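An added PowerShell example of the rules described in this section (not part of the original article): inbound default-deny on every profile, the web ports open to everyone, RDP and MSSQL pinned to specific sources, and an audit that lists any remaining inbound allow rule still open to any remote address. The admin workstation address 203.0.113.10 and the application subnet 10.0.0.0/24 are placeholder assumptions.

```powershell
# Added example (not from the article): block inbound by default, allow only the
# ports this server needs, and pin management/database ports to known sources.
$AdminHost = '203.0.113.10'   # assumption: the one workstation allowed to use RDP
$AppSubnet = '10.0.0.0/24'    # assumption: the subnet hosting the application servers

# 1. Default-deny inbound on every profile (the Windows default, but enforce it explicitly)
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 2. Public web service: open to the Internet
New-NetFirewallRule -DisplayName 'Allow HTTP/HTTPS inbound' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow | Out-Null

# 3. Management and database ports: only from the addresses that need them
New-NetFirewallRule -DisplayName 'Allow RDP from admin workstation' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminHost -Action Allow | Out-Null
New-NetFirewallRule -DisplayName 'Allow MSSQL from app subnet' -Direction Inbound `
    -Protocol TCP -LocalPort 1433 -RemoteAddress $AppSubnet -Action Allow | Out-Null

# 4. Audit: list every enabled inbound allow rule still open to ANY remote address,
#    so anything beyond the web ports can be reviewed and tightened
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
    $Remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
    if ($Remote -contains 'Any') {
        [pscustomobject]@{
            Rule    = $_.DisplayName
            Port    = (($_ | Get-NetFirewallPortFilter).LocalPort) -join ','
            Profile = $_.Profile
        }
    }
} | Format-Table -AutoSize
```

Run the audit step on its own before making changes to see which of the server’s existing rules are wide open.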
Install strong and up-to-date antivirus protection
Another great way to protect our servers from attackers is to implement strong, well-maintained antivirus and spam protection.
Proper antivirus software will prevent malicious executables from running on your server if they are downloaded or otherwise make their way onto your systems. Antivirus (AV) software should be a priority, and it’s worth spending the extra money on a good product that protects you from the latest threats.
AV software should be kept up to date and patched often, as new threats emerge every day. In addition, spam protection can help prevent malicious files from ever being received by a user in your organization. Keeping such messages out of the inbox reduces the likelihood that an unsuspecting user will open or run an attached file.
Using brute-force detection and blocking software can also stop attackers. Brute-force detection software watches for failed login attempts against RDP, SQL and other services and blocks the remote address after a number of failures. Typically these applications block an IP address for a set period after, for example, 5 bad login attempts. That way, if a malicious user tries to attack your server, the source is quickly and automatically identified and blocked.
If a legitimate user in your organization gets blocked, you can always add selected IP addresses or users to an allow list to restore their access.
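A minimal version of such a detector, as an added example that is not part of the original article: it counts failed logons (Security event ID 4625) per source address in a sliding window, adds a firewall block rule for any address over the threshold, skips addresses on an allow list, and expires old blocks. The threshold, window, block duration and allow-list address are placeholder assumptions; it is meant to run as an elevated scheduled task every few minutes.

```powershell
# Added example (not from the article): a minimal brute-force blocker built on the
# Security log and the Windows Firewall. Values below are assumptions; tune them.
$Threshold     = 5                  # failures per source before blocking
$WindowMinutes = 10                 # sliding window to count failures in
$BlockHours    = 1                  # how long a block rule lives
$AllowList     = @('203.0.113.10')  # assumption: addresses that must never be blocked
$Prefix        = 'BruteForceBlock'

# Failed-logon auditing must be enabled or 4625 is never written:
#   auditpol /set /subcategory:"Logon" /failure:enable
$Events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625
    StartTime = (Get-Date).AddMinutes(-$WindowMinutes) } -ErrorAction SilentlyContinue

# Pull the source address out of each event's XML; events with no recorded address are skipped
$Sources = foreach ($E in $Events) {
    $Xml = [xml]$E.ToXml()
    $Ip  = ($Xml.Event.EventData.Data | Where-Object Name -eq 'IpAddress').'#text'
    if ($Ip -and $Ip -ne '-' -and $Ip -notin $AllowList -and $Ip -notlike '127.*') { $Ip }
}

# Block every source that crossed the threshold, once
foreach ($Group in ($Sources | Group-Object | Where-Object Count -ge $Threshold)) {
    $RuleName = "$Prefix $($Group.Name)"
    if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
        # Store the block time in the description so the expiry step below can find it
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -RemoteAddress $Group.Name `
            -Action Block -Description (Get-Date -Format 'o') | Out-Null
        Write-Host "Blocked $($Group.Name) after $($Group.Count) failed logons in $WindowMinutes min"
    }
}

# Expire blocks older than $BlockHours so a mistyped password does not lock someone out forever
Get-NetFirewallRule -DisplayName "$Prefix *" -ErrorAction SilentlyContinue | Where-Object {
    [datetime]$_.Description -lt (Get-Date).AddHours(-$BlockHours)
} | Remove-NetFirewallRule
```

To unblock a legitimate user early, remove the rule named after their address and add the address to $AllowList.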
Securing Your Server: The Basics
While these are only some of the ways we can and should protect our servers, they are by far the most important elements to implement first. These simple guidelines will secure your server in a way that wouldn’t be possible without them.
Security is a 24/7, 365-day job, and attackers are always ready to strike. We can use automated software and strong inbound rules to reduce the number of attacks reaching the server and the chance that a compromise will succeed.
Between a non-default RDP port, non-standard usernames and strong passwords, strict firewall rules and up-to-date antivirus software, you are well on your way to protecting sensitive data and services from attackers around the world.