Web Hosting Forum | Lunarpages
Topic: How do I secure a dedicated Windows 2003 Web Server?
jkotuby
« on: September 12, 2006, 09:10:34 AM »

Our company has recently leased from Lunarpages a dedicated Windows Server running Windows 2003 Standard and SQL Server 2005 full version. Our intention is to move a functioning business critical .NET Web Service application from a "managed" server at another hosting company to this new server. I am discovering that "unmanaged" means much more than I originally had anticipated.

The very first time I logged into the new Server, before even uploading any files, I discovered that the server had already been "compromised"... which was verified by one of your technicians. He had to totally rebuild the OS and re-install the programs. My question is, what steps do I need to take to "secure" the server yet still allow our web services to run. At our home office I have installed a hardware firewall/antivirus solution in addition to software AV on all the servers and workstations. But, I have never been tasked with securing a remote Web Hosting, and in our case, Application server.

I have already installed Grisoft AVG for Windows server antivirus software because I noticed it was being used on the other hosting company's "managed" server. But then in PLESK I noticed that there is a DR.Web antivirus program running that does not show up in Control Panel. As of this time I do not know how to access its logs or scheduled scans. The response I get to any questions about that is "read the PLESK documentation".

The next question is about what firewall software should be used for a Windows web server. I am posing that question here and will also research the Microsoft literature. For now I will just enable Windows Firewall and hope that it doesn't immediately cut off my Remote Desktop connection, which I have set up without using PLESK.

That brings up another question. I am considering installing a program called SecureRDP, freeware by a company called 2X. It will restrict access by Remote Desktop to a limited number of defined remote IP addresses. I am hoping that it will not, however, restrict access by the Lunarpages technicians, in case I need their help. Has anyone else used this software or know anything about it?

My other option is to set up VPN access to the Server and then require remote desktop to connect only through the VPN. I am concerned that unfettered access via RDP might be a security concern. At our home office we use non-standard ports for Terminal Services, because we have seen evidence of hackers trying to access port 3389, such that a number of times some of our login accounts have been suspended due to repeated incorrect logins. We have a very small staff here, so it is unlikely that the staff members themselves were responsible for the faulty logins. However, in this remote server situation, if I change the port then, once again, it might become difficult for Lunarpages techs to connect to our server.

So I reiterate, does anyone have some answers or suggestions for my concerns about properly securing a remote Windows web server? Thanks all...
DSB
« Reply #1 on: September 12, 2006, 11:31:57 AM »

I'm not currently using a Windows hosting account but I run Win2K3 at home.

1. The first thing I would do after installing the OS is disable IIS.
2. Patch the OS completely using Windows Update.
3. Reset NTFS permissions on every file and folder in the system to be as limiting as possible.

    Administrators  - Full Permissions
    System - Full Permissions

    Then you apply the necessary permissions to individual folders or folder sets to provide functionality to certain groups or internet users.

4. Run IIS Lockdown Utility
5. Enable IIS

That should do it and you should be very secure.  Of course you would need to keep up with the windows updates as well as other updates to critical systems.

Once again, this assumes you have access to all of these things.
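Editor's note: the NTFS step above (Administrators and SYSTEM only, then explicit grants per folder) is the part people get wrong in practice, so here is an added PowerShell example of doing it for the web content directory. This is not code from the thread or from Lunarpages; it assumes IIS 6 on Windows Server 2003, a content root of C:\inetpub\wwwroot and the IUSR_<machine> anonymous account, all of which you should change to match your server. It deliberately scopes the reset to the web root rather than the whole system drive, since stripping ACLs from the operating-system directories is a separate and far riskier job.

```powershell
# Added example (not from the thread): reset the ACL on the web content root
# so only Administrators and SYSTEM have Full Control, then grant the IIS
# anonymous account read/execute. Path and account name are assumptions.
param(
    [string]$WebRoot    = 'C:\inetpub\wwwroot',                         # assumed content path
    [string]$WebAccount = "$env:COMPUTERNAME\IUSR_$env:COMPUTERNAME"    # IIS 6 anonymous account (assumed)
)

$fullControl = [System.Security.AccessControl.FileSystemRights]::FullControl
$readExecute = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
$inherit     = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$propagate   = [System.Security.AccessControl.PropagationFlags]::None
$allow       = [System.Security.AccessControl.AccessControlType]::Allow

# Build an ACE that applies to the folder, its subfolders and its files.
function New-Ace($identity, $rights) {
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $identity, $rights, $inherit, $propagate, $allow)
}

$acl = Get-Acl -Path $WebRoot
# Stop inheriting from the parent (C:\inetpub) and discard the inherited entries,
# so whatever Everyone/Users grants exist higher up do not flow into the site.
$acl.SetAccessRuleProtection($true, $false)
# Drop every explicit entry so old application accounts do not survive the reset.
foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
    [void]$acl.RemoveAccessRule($rule)
}
$acl.AddAccessRule((New-Ace 'BUILTIN\Administrators' $fullControl))
$acl.AddAccessRule((New-Ace 'NT AUTHORITY\SYSTEM'    $fullControl))
$acl.AddAccessRule((New-Ace $WebAccount              $readExecute))
Set-Acl -Path $WebRoot -AclObject $acl

# Verification: walk the tree and report any entry that still grants write access
# to a broad group. After the reset this should print nothing; anything it does
# print is a folder where someone set an explicit grant below the root.
$broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
$writeData = 2   # FileSystemRights.WriteData bit; generic-rights ACEs cast to int as well
Get-ChildItem -Path $WebRoot -Recurse -Force | ForEach-Object {
    $item = $_
    (Get-Acl -Path $item.FullName).Access |
        Where-Object { $broad -contains $_.IdentityReference.Value -and
                       (([int]$_.FileSystemRights) -band $writeData) -ne 0 } |
        ForEach-Object { '{0}: {1} has {2}' -f $item.FullName, $_.IdentityReference, $_.FileSystemRights }
}
```

If the site has an upload or App_Data folder that the worker process must write to, add a single explicit Modify grant for the worker identity (Network Service under IIS 6) on that folder only, and keep script execution disabled there in IIS; the verification loop above will then list exactly that folder and nothing else, which is the state you want to see.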

jkotuby
« Reply #2 on: September 20, 2006, 04:40:08 AM »

Thanks for the info re: IIS Lockdown and File/Folder security permissions. I have implemented some of the measures you have mentioned and will follow through on the rest. I have set Microsoft Update to apply patches and reboot (if necessary) at 3AM EST. I know the reboot is not a good thing for a web server, but advertising the fact that the service may not be available for a few minutes each night is not the worst thing. If the service catches on we can always go to a mirror server failover I suppose.

Thanks again...
GMTurner
« Reply #3 on: September 20, 2006, 05:07:34 AM »

One issue I've noticed recently with automatic updates is that if the system checks before the patches have been released by MS on Patch Tuesday, it will be another day (if not longer) before the system detects them. So, you will probably want to keep an eye on it by doing the "check for updates" routine just in case something was missed...

Also, you might place a note on the site somewhere, maybe in a description of the services, a TOS or something that states that at present the system could be off-line for regular system maintenance from 3-4AM EST. That way you can have something to fall back on if you start getting complaints about it being down... not the best solution, but until there's a way to patch windows without needing to reboot... oh, and for what it's worth, when patching a W2k3 server at work, it typically doesn't take more than a few minutes and other than during the reboot process the server seems to remain reasonably responsive... but the specs on that server are also lower than the basic dedicated server LP has, so I don't think it should be too big of a problem... and the reboot is normally just a few minutes...

Jedi_Johnny
« Reply #4 on: February 06, 2009, 03:35:16 PM »

Most of the windows remote exploits attack Windows SMB file sharing or SQL.  Even if MS SQL is not installed, there are data storage libraries that are vulnerable (MDAC).

So, in network adapter properties, uncheck print and file sharing. On the advanced tab, enable the firewall and make sure to uncheck the print and file sharing exception. Make sure remote desktop *is* checked as an exception so you can still manage your server :)

You want to block ports 137 - 139 and 445 for Windows SMB.  Default installations of SQL Server monitor TCP port 1433 and UDP port 1434. Configure your firewall to filter out packets addressed to these ports.  If you do need to connect over the public network to a SQL server, use IP filtering to only allow your servers to connect.

It is also a good idea to rename the administrator account as it is popular to do brute force dictionary attacks against this account.

It is important to have antivirus, but this will not prevent your server from being compromised over the network.

Here is a link to "Windows Server 2003 Security Guide" from Microsoft:
http://technet.microsoft.com/en-us/library/cc163140.aspx

It is also useful to run the MS Baseline Security Analyzer to make sure you have all the security patches:
 http://technet.microsoft.com/en-us/security/cc184924.aspx
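Editor's note: the firewall advice in the reply above, together with the original poster's question about restricting Remote Desktop to known addresses without locking out the hosting provider, can be expressed as one script against the host firewall that shipped with Windows Server 2003 SP1. This is an added example, not code from the thread or from Lunarpages. It uses the legacy "netsh firewall" context (Server 2008 and later replaced it with "netsh advfirewall"), the WMI Win32_UserAccount class for the rename, and placeholder addresses and a placeholder account name that are all assumptions to be replaced with your own office address and the provider's management range.

```powershell
# Added example (not from the thread): configure the Windows Server 2003 SP1 host
# firewall as the reply above describes. Run it from an elevated prompt on the
# server, over an RDP session coming from an address that is in $RdpAllowed,
# otherwise step 3 will drop your own connection. All addresses are assumptions.

$OfficeIPs   = '203.0.113.10'        # your office's public address (assumed)
$HosterRange = '198.51.100.0/24'     # hosting provider's management range (assumed; ask them)
$RdpAllowed  = "$OfficeIPs,$HosterRange"
$SqlClients  = $OfficeIPs            # only relevant if SQL must be reachable remotely

# 1. Firewall on, with exceptions allowed. The default policy is then "drop inbound
#    unless an exception says otherwise", so "blocking" a port means not opening it.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

# 2. Remove the File and Printer Sharing exception. That exception is what exposes
#    TCP/UDP 137-139 and TCP 445 (SMB/NetBIOS); with it disabled those ports are closed.
netsh firewall set service type=FILEANDPRINT mode=DISABLE

# 3. Keep Remote Desktop reachable, but only from the listed addresses. scope=CUSTOM
#    is the built-in equivalent of the per-IP restriction the original post asks about,
#    and listing the provider's range keeps their technicians able to connect.
netsh firewall set service type=REMOTEDESKTOP mode=ENABLE scope=CUSTOM "addresses=$RdpAllowed"

# 4. Publish only what the web service needs.
netsh firewall set portopening protocol=TCP port=80  name="HTTP"  mode=ENABLE scope=ALL
netsh firewall set portopening protocol=TCP port=443 name="HTTPS" mode=ENABLE scope=ALL

# 5. SQL Server: no exception at all when the web app talks to it on the same box.
#    Leave UDP 1434 (SQL Browser) closed in every case; if a remote client truly
#    needs TCP 1433, open it to that client only (commented line).
netsh firewall set portopening protocol=TCP port=1433 name="SQL Server"  mode=DISABLE
netsh firewall set portopening protocol=UDP port=1434 name="SQL Browser" mode=DISABLE
# netsh firewall set portopening protocol=TCP port=1433 name="SQL Server" mode=ENABLE scope=CUSTOM "addresses=$SqlClients"

# 6. Rename the built-in Administrator account (always RID 500, whatever it is called),
#    since dictionary attacks target the default name. New name is an assumption;
#    tell the provider about it or their technicians will be locked out too.
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE 'S-1-5-%-500'"
if ($admin.Name -eq 'Administrator') { $null = $admin.Rename('svc-ops-admin') }

# 7. Show the resulting policy, then list what is still LISTENING on the SMB/SQL/RPC
#    ports. Those services keep listening; the firewall is the only thing between
#    them and the internet, so this list is what the rules above are protecting.
netsh firewall show config
$watched = 135, 137, 138, 139, 445, 1433, 1434
netstat -an | Where-Object {
    $_ -match '^\s+(TCP|UDP)\s+\S+:(\d+)\s' -and $watched -contains [int]$matches[2]
}
```

Two checks worth doing afterwards: from the office, confirm RDP still connects; from an address that is not in the list (a mobile connection, or a shell on another host), confirm that 3389, 445 and 1433 time out rather than respond. The first check proves you did not lock yourself out, the second proves the scope actually applied.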
Jedi_Johnny
« Reply #5 on: February 22, 2009, 01:57:37 PM »

More resources from Sans.org


"Securing IIS6: From the OS, Up"

http://209.85.173.132/search?q=cache:6nHYbJ-zf5EJ:https://www.sans.org/reading_room/whitepapers/windows/securing_iis6_from_the_os_up_1238+http://www.sans.org/reading_room/whitepapers/windows/securing_iis6_from_the_os_up_1238&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a

PDF:   http://www.sans.org/reading_room/whitepapers/windows/securing_iis6_from_the_os_up_1238&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a

"Implementing a Secure WebDAV System"

This paper describes the process of implementing a secure remote file sharing system using WebDAV. It tells why a remote file sharing system is needed, how a secure solution is implemented and assesses the security of the solution.

http://209.85.173.132/search?q=cache:aDhmmt8Np5AJ:www.sans.org/reading_room/whitepapers/windows/implementing_a_secure_webdav_system_1522%3Fshow%3D1522.php%26cat%3Dwindows+http://www.sans.org/reading_room/whitepapers/windows/implementing_a_secure_webdav_system_1522&hl=en&ct=clnk&cd=1&gl=us&client=firefox-a

PDF:
http://www.sans.org/reading_room/whitepapers/windows/implementing_a_secure_webdav_system_1522
Jedi_Johnny
« Reply #6 on: March 09, 2009, 11:31:52 PM »

The best thing to do if your server is infected with a worm or virus is to have the server reinstalled. Then restore your data from known good backups -- you DO make backups, don't you? The reason for this is if your server is compromised/infected, a rootkit (http://en.wikipedia.org/wiki/Rootkit) may have been installed. This can make it impossible to detect all the viruses and trojans on an infected server. Here is a detailed story about a virus and how difficult it is to remove:
http://www.darkreading.com/shared/printableArticle.jhtml?articleID=215800583

If this is not a good option for you, you can try to scan for infected files with an antivirus program.  But sometimes it is too late and the virus blocks scanners from being installed.  Then you will have to try an online virus scanner.

Several online virus scanners

They are slower, but you should be able to trust their scanner is not infected (like your server).

# A-Squared (Emsisoft) malware scan at http://www.emsisoft.com/en/software/ax/
# ESET (NOD32) malware scan at http://www.eset.com/onlinescan/index.php
# Microsoft's Live One Care has several types of scans at http://onecare.live.com/site/en-us/default.htm
# Panda ActiveScan at http://www.pandasecurity.com/usa/homeusers/solutions/activescan/default.htm
# SuperAntiSpyware's research center provides free scans of running computer processes at http://www.fileresearchcenter.com/
# Trend Micro's Housecall scan for malware is at http://housecall.trendmicro.com/

Virus removal tools

# Alwil Software has a free cleaner tool, Avast Free Virus Cleaner, at http://www.avast.com/eng/programs.html
# AVG has free removal tools (including VCleaner) at http://free.grisoft.com/doc/virus-removal/us/frt/0
# CureIt from Dr. Web is a capable free scanner that can be updated manually at http://www.freedrweb.com/
# F-Secure has some removal tools at http://www.f-secure.com/security_center/malware_removal_tools.html
# Malwareteks has spyware removal programs at http://www.malwareteks.com/forum-t408.html
# Microsoft's Malicious Software Removal Tool (updated monthly on Patch Tuesday) is at http://www.microsoft.com/security/malwareremove/default.mspx
# Norman's removal tools and information is at http://www.norman.com/Virus/en-us
# Norman also has a capable Malware Cleaner (use in Safe Mode) at http://www.norman.com/Virus/Virus_removal_tools/24789/en-us
# Smitfraud/Antivermins removal tools are at http://www.bleepingcomputer.com/forums/topic69886.html
# Softpedia has some tools at http://www.softpedia.com/get/Antivirus/Malware-Removal-Tool.shtml
# SuperAntiSpyware has a capable free on-demand antispyware program for home users at http://www.superantispyware.com/
# Symantec has individual malware removal tools at http://www.symantec.com/business/security_response/removaltools.jsp
# Trend Micro has the helpful HijackThis analyzer and some proactive tools at http://www.trendsecure.com/portal/en-US/tools/security_tools/hijackthis

Thanks to Clamwin for these links!
« Last Edit: March 10, 2009, 12:53:52 AM by Jedi_Johnny »