Our company has recently leased from Lunarpages a dedicated Windows Server running Windows 2003 Standard and SQL Server 2005 full version. Our intention is to move a functioning business critical .NET Web Service application from a "managed" server at another hosting company to this new server. I am discovering that "unmanaged" means much more than I originally had anticipated.

The very first time I logged into the new Server, before even uploading any files, I discovered that the server had already been "compromised"... which was verified by one of your technicians. He had to totally rebuild the OS and re-install the programs. My question is, what steps do I need to take to "secure" the server yet still allow our web services to run. At our home office I have installed a hardware firewall/antivirus solution in addition to software AV on all the servers and workstations. But, I have never been tasked with securing a remote Web Hosting, and in our case, Application server.

I have already installed Grisoft AVG for Windows server antivirus software because I noticed it was being used on the other hosting company's "managed" server. But then in PLESK I noticed that there is a DR.Web antivirus program running that does not show up in Control Panel. As of this time I do not know how to access it's logs or scheduled scans. The response I get to any questions about that is "read the PLESK documentation".

The next question is about what firewall software should be used for a Windows web server. I am posing that question here and will also research the Microsoft literature. For now I will just enable Windows Firewall and hope that it doesn't immediately cut off my Remote Desktop connection, which I have set up without using PLESK.

That brings up another question. I am considering installing a program called SecureRDP freeware by a company called 2X. It will restrict access by Remote Desktop to a limited number of defined remote IP addresses. I am hoping that it will not , however, restrict access by the Lunarpages technicians, in case I need their help. Has anyone else used this software or know anything about it?

My other option is to set up VPN access to the Server and then requiring remote desktop to connect only through the VPN. I am concerned that unfettered access via RDP might be a security concern. At our home office we use non-standard ports for Terminal Services, because we have seen evidence of hackers trying to access port 3389, such that a number of times some of our Logins accounts have been suspended due to repeated incorrect logins. We have a very small staff here, so it is unlikely that the staff members themselves were responsible for the faulty logins. However, in this remote server situation, if I change the port then , once again, it might become difficult for Lunarpages techs to connect to our server.

So I reiterate, does anyone have some answers or suggestions for my concerns about properly securing a remote Windows web server. Thanks all...

Thanks for the info re: IIS Lockdown and File/Folder security permissions. I have implemented some of the measures you have mentioned and will follow through on the rest. I have set Microsoft Update to apply patches and reboot (if necessary) at 3AM EST. I know the reboot is not a good thing for a web server, but advertising the fact that the service may not be available for a few minutes each night is not the worst thing. If the service catches on we can always go to a mirror server failover I suppose.

Thanks again...

Most of the windows remote exploits attack Windows SMB file sharing or SQL.  Even if MS SQL is not installed, there are data storage libraries that are vulnerable (MDAC).

So, in network adapter properties, uncheck print and file sharing.  On the advanced tab, enable the firewall and make sure to uncheck the print and file sharing exception.  Make sure remote desktop *is* checked as an exception so you can still manage your server   

You want to block ports 137 - 139 and 445 for Windows SMB.  Default installations of SQL Server monitor TCP port 1433 and UDP port 1434. Configure your firewall to filter out packets addressed to these ports.  If you do need to connect over the public network to a SQL server, use IP filtering to only allow your servers to connect.

It is also a good idea to rename the administrator account as it is popular to do brute force dictionary attacks against this account.

It is important to have antivirus, but this will not prevent your server from being compromised over the network.

Here is a link to "Windows Server 2003 Security Guide" from Microsoft:
http://technet.microsoft.com/en-us/library/cc163140.aspx

It is also useful to run the MS Baseline Security Analyzer to make sure you have all the security patches:
 http://technet.microsoft.com/en-us/security/cc184924.aspx

The best thing to do if your server is infected with a worm or virus is to have the server reinstalled.  Then restore your data from known good backups -- you DO make backups don't you?.  The reason for this is if your server is compromised/infected, a rootkit (http://en.wikipedia.org/wiki/Rootkit) may have been installed.  This can make it impossible to detect all the virus and trojans on an infected server.  Here is a detailed story about a Virus and how difficult it is to remove:
http://www.darkreading.com/shared/printableArticle.jhtml?articleID=215800583

If this is not a good option for you, you can try to scan for infected files with an antivirus program.  But sometimes it is too late and the virus blocks scanners from being installed.  Then you will have to try an online virus scanner.

Several online virus scanners

They are slower, but you should be able to trust their scanner is not infected (like your server).

# A-Squared (Emsisoft) malware scan at http://www.emsisoft.com/en/software/ax/
# ESET (NOD32) malware scan at http://www.eset.com/onlinescan/index.php
# Microsoft's Live One Care has several types of scans at http://onecare.live.com/site/en-us/default.htm
# Panda ActiveScan at http://www.pandasecurity.com/usa/homeusers/solutions/activescan/default.htm
# SuperAntiSpyware's research center provides free scans of running computer processes at http://www.fileresearchcenter.com/
# Trend Micro's Housecall scan for malware is at http://housecall.trendmicro.com/

Virus removal tools

# Alwil Software has a free cleaner tool, Avast Free Virus Cleaner, at http://www.avast.com/eng/programs.html
# AVG has free removal tools (including VCleaner) at http://free.grisoft.com/doc/virus-removal/us/frt/0
# CureIt from Dr. Web is a capable free scanner that can be updated manually at http://www.freedrweb.com/
# F-Secure has some removal tools at http://www.f-secure.com/security_center/malware_removal_tools.html
# Malwareteks has spyware removal programs at http://www.malwareteks.com/forum-t408.html
# Microsoft's Malicous Removal Tool (updated monthly on Patch Tuesday) is at http://www.microsoft.com/security/malwareremove/default.mspx
# Norman's removal tools and information is at http://www.norman.com/Virus/en-us
# Norman also has a capable Malware Cleaner (use in Safe Mode) at http://www.norman.com/Virus/Virus_removal_tools/24789/en-us
# Smitfraud/Antivermins removal tools are at http://www.bleepingcomputer.com/forums/topic69886.html
# Softpedia has some tools at http://www.softpedia.com/get/Antivirus/Malware-Removal-Tool.shtml
# SuperAntiSpyware has a capable free on-demand antispyware program for home users at http://www.superantispyware.com/
# Symantec has individual malware removal tools at http://www.symantec.com/business/security_response/removaltools.jsp
# Trend Micro has the helpful HijackThis analyzer and some proactive tools at http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Thanks to Clamwin for these links!