Web Hosting Forum | Lunarpages

Author Topic: How do I secure a dedicated Windows 2003 Web Server ?  (Read 18753 times)

Offline jkotuby

  • Newbie
  • *
  • Posts: 3
How do I secure a dedicated Windows 2003 Web Server ?
« on: September 12, 2006, 09:10:34 AM »
Our company has recently leased from Lunarpages a dedicated Windows Server running Windows 2003 Standard and SQL Server 2005 full version. Our intention is to move a functioning business critical .NET Web Service application from a "managed" server at another hosting company to this new server. I am discovering that "unmanaged" means much more than I originally had anticipated.

The very first time I logged into the new Server, before even uploading any files, I discovered that the server had already been "compromised"... which was verified by one of your technicians. He had to totally rebuild the OS and re-install the programs. My question is, what steps do I need to take to "secure" the server yet still allow our web services to run. At our home office I have installed a hardware firewall/antivirus solution in addition to software AV on all the servers and workstations. But, I have never been tasked with securing a remote Web Hosting, and in our case, Application server.

I have already installed Grisoft AVG for Windows server antivirus software because I noticed it was being used on the other hosting company's "managed" server. But then in PLESK I noticed that there is a DR.Web antivirus program running that does not show up in Control Panel. As of this time I do not know how to access its logs or scheduled scans. The response I get to any questions about that is "read the PLESK documentation".

The next question is about what firewall software should be used for a Windows web server. I am posing that question here and will also research the Microsoft literature. For now I will just enable Windows Firewall and hope that it doesn't immediately cut off my Remote Desktop connection, which I have set up without using PLESK.

That brings up another question. I am considering installing a program called SecureRDP freeware by a company called 2X. It will restrict access by Remote Desktop to a limited number of defined remote IP addresses. I am hoping that it will not, however, restrict access by the Lunarpages technicians, in case I need their help. Has anyone else used this software or know anything about it?

My other option is to set up VPN access to the Server and then require remote desktop to connect only through the VPN. I am concerned that unfettered access via RDP might be a security concern. At our home office we use non-standard ports for Terminal Services, because we have seen evidence of hackers trying to access port 3389, such that a number of times some of our login accounts have been suspended due to repeated incorrect logins. We have a very small staff here, so it is unlikely that the staff members themselves were responsible for the faulty logins. However, in this remote server situation, if I change the port then, once again, it might become difficult for Lunarpages techs to connect to our server.

So I reiterate, does anyone have some answers or suggestions for my concerns about properly securing a remote Windows web server? Thanks all...

Offline DSB

  • Computer Nerd
  • Jabba the Hutt
  • *****
  • Posts: 597
  • Programmer of things...
    • b-a-k-e-r.com
Re: How do I secure a dedicated Windows 2003 Web Server ?
« Reply #1 on: September 12, 2006, 11:31:57 AM »
I'm not currently using a Windows hosting account but I run Win2K3 at home.

1. The first thing I would do after installing the OS is disable IIS.
2. Patch the OS completely using Windows Update.
3. Reset NTFS permissions on every file and folder in the system to be as limiting as possible.

    Administrators  - Full Permissions
    System - Full Permissions

    Then you apply the necessary permissions to individual folders or folder sets to provide functionality to certain groups or internet users.

4. Run IIS Lockdown Utility
5. Enable IIS

That should do it and you should be very secure.  Of course you would need to keep up with the Windows updates as well as other updates to critical systems.

Once again, this assumes you have access to all of these things.

Offline jkotuby

  • Newbie
  • *
  • Posts: 3
Re: How do I secure a dedicated Windows 2003 Web Server ?
« Reply #2 on: September 20, 2006, 04:40:08 AM »
Thanks for the info re: IIS Lockdown and File/Folder security permissions. I have implemented some of the measures you have mentioned and will follow through on the rest. I have set Microsoft Update to apply patches and reboot (if necessary) at 3AM EST. I know the reboot is not a good thing for a web server, but advertising the fact that the service may not be available for a few minutes each night is not the worst thing. If the service catches on we can always go to a mirror server failover I suppose.

Thanks again...

Offline GMTurner

  • Berserker Poster
  • *****
  • Posts: 7499
    • Turner's Lounge
Re: How do I secure a dedicated Windows 2003 Web Server ?
« Reply #3 on: September 20, 2006, 05:07:34 AM »
One issue I've noticed recently with automatic updates is that if the system checks before the patches have been released by MS on Patch Tuesday, it will be another day (if not longer) before the system detects them. So, you will probably want to keep an eye on it by doing the "check for updates" routine just in case something was missed...

Also, you might place a note on the site somewhere, maybe in a description of the services, a TOS or something that states that at present the system could be off-line for regular system maintenance from 3-4AM EST. That way you can have something to fall back on if you start getting complaints about it being down... not the best solution, but until there's a way to patch Windows without needing to reboot... oh, and for what it's worth, when patching a W2k3 server at work, it typically doesn't take more than a few minutes and other than during the reboot process the server seems to remain reasonably responsive... but the specs on that server are also lower than the basic dedicated server LP has, so I don't think it should be too big of a problem... and the reboot is normally just a few minutes...


Offline Jedi_Johnny

  • Trekkie
  • **
  • Posts: 10
Re: How do I secure a dedicated Windows 2003 Web Server ?
« Reply #4 on: February 06, 2009, 03:35:16 PM »
Most of the Windows remote exploits attack Windows SMB file sharing or SQL.  Even if MS SQL is not installed, there are data storage libraries that are vulnerable (MDAC).

So, in network adapter properties, uncheck print and file sharing.  On the advanced tab, enable the firewall and make sure to uncheck the print and file sharing exception.  Make sure remote desktop *is* checked as an exception so you can still manage your server  :D 

You want to block ports 137 - 139 and 445 for Windows SMB.  Default installations of SQL Server monitor TCP port 1433 and UDP port 1434. Configure your firewall to filter out packets addressed to these ports.  If you do need to connect over the public network to a SQL server, use IP filtering to only allow your servers to connect.

It is also a good idea to rename the administrator account as it is popular to do brute force dictionary attacks against this account.

It is important to have antivirus, but this will not prevent your server from being compromised over the network.

Here is a link to "Windows Server 2003 Security Guide" from Microsoft:

It is also useful to run the MS Baseline Security Analyzer to make sure you have all the security patches:
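The firewall steps in this reply, as an added example (not from the post, from Lunarpages, or from Microsoft's guide): a `netsh firewall` script for Windows Server 2003 SP1 that enables the firewall, removes the File and Printer Sharing exception (SMB on 137-139 and 445), scopes the Remote Desktop exception to a named list of admin addresses, and makes sure no SQL Server ports (TCP 1433, UDP 1434) are open from the Internet. The address list and log path are placeholders; put your own office IP and the hosting company's support range in ADMIN_IPS before running it.

```batch
@echo off
rem Added example, not from the original thread: Windows Firewall lockdown for a
rem Windows Server 2003 SP1 box running IIS and a local SQL Server 2005.
rem Run from a console on the server itself. If you run it over RDP, your own
rem address must be in ADMIN_IPS or the session will be cut off at step 3.
rem ADMIN_IPS is a placeholder: "host,host,network/mask" in netsh syntax.
set ADMIN_IPS=203.0.113.10,198.51.100.0/255.255.255.0

rem 1. Turn the firewall on; exceptions=ENABLE keeps the exception list active
rem    (exceptions=DISABLE would also block the RDP exception added below).
netsh firewall set opmode mode=ENABLE exceptions=ENABLE profile=ALL

rem 2. Drop the File and Printer Sharing exception. This is the exception that
rem    exposes NetBIOS (TCP/UDP 137-139) and SMB (TCP 445) to the Internet.
netsh firewall set service type=FILEANDPRINT mode=DISABLE profile=ALL

rem 3. Keep Remote Desktop (TCP 3389) reachable, but only from ADMIN_IPS.
rem    Everyone else gets dropped, which takes the edge off brute-force attempts.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM addresses=%ADMIN_IPS% profile=ALL

rem 4. SQL Server: the web service connects locally, so nothing needs TCP 1433
rem    or UDP 1434 from outside. Delete any exception a setup wizard added;
rem    netsh reports an error if the port was never open, which is harmless.
netsh firewall delete portopening protocol=TCP port=1433 profile=ALL
netsh firewall delete portopening protocol=UDP port=1434 profile=ALL
netsh firewall delete portopening protocol=TCP port=445 profile=ALL

rem 5. Open only what the web service itself needs, to all addresses.
netsh firewall add portopening protocol=TCP port=80 name="HTTP" mode=ENABLE scope=ALL profile=ALL
netsh firewall add portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL profile=ALL

rem 6. Log dropped packets so attempts against 3389, 445 or 1433 from other
rem    addresses are visible in pfirewall.log (path is a placeholder).
netsh firewall set logging filelocation=%SystemRoot%\pfirewall.log maxfilesize=4096 droppedpackets=ENABLE connections=DISABLE

rem 7. Print the resulting state and exception list for review.
netsh firewall show state
netsh firewall show config
```

After running it, confirm from a machine that is not in ADMIN_IPS that 3389 no longer answers, and from one that is that you can still log in before closing your current session.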

Offline Jedi_Johnny

  • Trekkie
  • **
  • Posts: 10
What to do if you are infected
« Reply #6 on: March 09, 2009, 11:31:52 PM »
The best thing to do if your server is infected with a worm or virus is to have the server reinstalled.  Then restore your data from known good backups -- you DO make backups, don't you?  The reason for this is if your server is compromised/infected, a rootkit (http://en.wikipedia.org/wiki/Rootkit) may have been installed.  This can make it impossible to detect all the viruses and trojans on an infected server.  Here is a detailed story about a Virus and how difficult it is to remove:

If this is not a good option for you, you can try to scan for infected files with an antivirus program.  But sometimes it is too late and the virus blocks scanners from being installed.  Then you will have to try an online virus scanner.

Several online virus scanners

They are slower, but you should be able to trust their scanner is not infected (like your server).

# A-Squared (Emsisoft) malware scan at http://www.emsisoft.com/en/software/ax/
# ESET (NOD32) malware scan at http://www.eset.com/onlinescan/index.php
# Microsoft's Live One Care has several types of scans at http://onecare.live.com/site/en-us/default.htm
# Panda ActiveScan at http://www.pandasecurity.com/usa/homeusers/solutions/activescan/default.htm
# SuperAntiSpyware's research center provides free scans of running computer processes at http://www.fileresearchcenter.com/
# Trend Micro's Housecall scan for malware is at http://housecall.trendmicro.com/

Virus removal tools

# Alwil Software has a free cleaner tool, Avast Free Virus Cleaner, at http://www.avast.com/eng/programs.html
# AVG has free removal tools (including VCleaner) at http://free.grisoft.com/doc/virus-removal/us/frt/0
# CureIt from Dr. Web is a capable free scanner that can be updated manually at http://www.freedrweb.com/
# F-Secure has some removal tools at http://www.f-secure.com/security_center/malware_removal_tools.html
# Malwareteks has spyware removal programs at http://www.malwareteks.com/forum-t408.html
# Microsoft's Malicious Removal Tool (updated monthly on Patch Tuesday) is at http://www.microsoft.com/security/malwareremove/default.mspx
# Norman's removal tools and information are at http://www.norman.com/Virus/en-us
# Norman also has a capable Malware Cleaner (use in Safe Mode) at http://www.norman.com/Virus/Virus_removal_tools/24789/en-us
# Smitfraud/Antivermins removal tools are at http://www.bleepingcomputer.com/forums/topic69886.html
# Softpedia has some tools at http://www.softpedia.com/get/Antivirus/Malware-Removal-Tool.shtml
# SuperAntiSpyware has a capable free on-demand antispyware program for home users at http://www.superantispyware.com/
# Symantec has individual malware removal tools at http://www.symantec.com/business/security_response/removaltools.jsp
# Trend Micro has the helpful HijackThis analyzer and some proactive tools at http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Thanks to Clamwin for these links!
« Last Edit: March 10, 2009, 12:53:52 AM by Jedi_Johnny »
