[Tutorial] Secure your Dedicated Windows Server!

[Jake]

Well, i've seen alot of people renting out dedicated servers to run their KalOnline servers on - it's a huge expense and it's aggrovating when you get hacked! So i've decided to tell you guys how to secure your terminal services such as RDP (Remote Desktop Protocol). The tool i use on my server is something called "2X Secure RDP" which can be obtained from

You must be registered to see links

A Short introduction to the program can be found on the site.


What do i need to do?


First of all you need to download the application - located on the website above.
You then need to install it, and configure it. Some screenshots are below to show you how to configure it.


Step 1:

Adding a Computer Name-

First of all you need to find out your Computer name is, the easiest way possible of obtaining your computer name is doing the following:

Click Start, Run then enter in "cmd" - a command propt window will pop up - enter in this command "ipconfig /all"

You should get something like this:

Clicky

I masked out my MAC address and computer name for security issues.
Anyway, since you've found your computer name, note it down!

Step 1 - part 2.

Adding your Computer Name

Ok, you have your Computer name, and you have 2X RDP installed. Open 2X RDP up, click on Computer Name

Clicky

Next click Add - located underneath the highlighted area on the picture above.

You should get this dialogue:

After you have entered in your computer name - click ok.

You have successfully added a computer name to the allowed hosts list!


Click the close button in the right, Click Save when it asks you to!


Restart your server after this has been done.

That's all for now, i'll add more things to this thread a little later on!

 

[Aweb]

Re: [Howto] Secure your Dedicated Windows Server!

Why don't you use a more 'traditionnal' Firewall ? (just a question)

 

[Jake]

Re: [Howto] Secure your Dedicated Windows Server!

Why? Because my ports are blocked on a CISCO firewall inside the datacenter - i only have 4 ports open, and they're for the server/web and of course RDP. So i don't need a more traditional firewall, since they're just a waste of resources and cause much more trouble than anything else.

 

[NOOR]

Re: [Howto] Secure your Dedicated Windows Server!

Thanks Jake sooooo mcuh i was searching for thats ^^

 

[Jake]

Re: [Howto] Secure your Dedicated Windows Server!

No problem

 

[elex]

Re: [Howto] Secure your Dedicated Windows Server!

very nice tut was waiting for somethink like that thank you:juggle:

 

[Etryus]

Re: [Howto] Secure your Dedicated Windows Server!

works great thx man

 

[Jake]

Re: [Howto] Secure your Dedicated Windows Server!

Well, alot of people have been asking me to add more tips to this, well, 3 people, but you know, three's a crowd .


Ok, i'm going to give some advice. Generally about applications running on your server.


Just after a breif browse around the KalOnline Advertisements and doing a few port scans, i've not alot of people have ftp enabled! WHY!?

You don't need ftp enabled, well, not if you use default configuration. Put it this way, you have ftp running on our server, your server would be down within minutes!

Why?

FTPd's default Configs have everything default.. of course, hence the name, default configuration! Well, there's a problem,

This is took out of my unix server's ftpd:

MaxClientsNumber            50

This is pureftpd, not the best, and certainly not the worst ftpd. (By the way, i haven't made typos, ftpd= file trasfer protocol daemon)

Ok, back on subject. Max clients is 50, that means 50 clients are allowed to connect to the server, no, it doesn't mean 50 ip's, it means clients.

# Maximum number of sim clients with the same IP address

MaxClientsPerIP             8

50X8 = 400! 400 connections allowed, that's on my server, a webhosting server, apf ftw.

Ok, here's the max ip's per client, personally, if you're running ftpd on your windows machine, disable it, or configure it.

I don't know what everyone's favourite FTPd is, but most configuration is pretty damn straight forward.

Search for something that looks like the above.

MaxClientsPerIp - set it to 1
MaxConnectionsperClient - set it to 5

Why do i need to do this?

Well, to be honest, i point 200k bots at your server, with ftp all connecting to your ftp server hammering the connection, you're screwed.


Ok, so i've done that, now what?

Uninstall it

Nah, keep it if you really need it, i suggest rapidshare for uploading files, then copy and pasting the link into a browser on your server.
Then after you've downloaded the files, delete them from RS.



Another tip:

Windows firewall! You gotta love it! Well no, you have to despise it, but enable it! BLOCK EVERY SINGLE PORT you do not need open! It just creates more holes!

Also, Windows Updates! install them, every week take your server down for maintenance, INT, they do maintenance everyweek, not to update their files but to update the security and keep the server running well. A fresh restart makes the server run well.



Advice to those who run a private server on a home connection:

Don't run one.


More to come, when i'm not drunk and haven't slept for 4 days.

 

[BigHanded]

Re: [Howto] Secure your Dedicated Windows Server!

Jake thanks for 2nice guides.

 

[Jake]

Re: [Howto] Secure your Dedicated Windows Server!

Jake thanks for 2nice guides.

You're welcome mate, anything you need covering, post here i'll see if i can make a guide for it.

 

[ZeroSanity]

Re: [Howto] Secure your Dedicated Windows Server!

sweet, don't got a server by myself but i think alot ppl will find this useful.

 

[Jake]

Re: [Howto] Secure your Dedicated Windows Server!

Using MBSA - MicroSoft Baseline Security Analyzer

What is MBSA?

Quoted from MS website:

Microsoft Baseline Security Analyzer (MBSA) 2.0 is an easy-to-use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Used by many leading third party security vendors including Tivoli, Patchlink and Citadel, MBSA on average scans over 3 million computers each week. Join the thousands of users that depend on MBSA for analyzing their security state.

First of all, you need to obtain MSBA by going to

You must be registered to see links

So, yeah, you've downloaded the program, what do you do next?


Step 2

Double click the downloaded file to install it, it shouldn't take less than a few minutes, but a run a quad xeon, so probably why..


Step 3

After installation has complete, you can run the program. I reccomend shutting down every application whilst running it.


So you've started it up.

Click on Scan a computer

You must be registered to see links

After that, click scan this computer (Your computer name should show, i masked mine out for security reasons)

You must be registered to see links

Ok, so you're scanning, you should get something that looks like:

You must be registered to see links

So the scans done, you then have something that looks like:

You must be registered to see links

MBSA is a good tool for those who want to secure their server the easy way, it tells you what problems your server faces and how to correct them.

As the last screenshot shows, Security Asessment: Servere

I didn't know IE Zones where that severe

Anyway, i highlighted basicly most of the important features here.

Have fun securing your server


Also, for securing MSSQL, i suggest you check google and this site:

You must be registered to see links

I make my own guides, if i use work from google, i give credit.


Credit goes to Google and Microsoft.com

 

[DeathArt]

Re: [Howto] Secure your Dedicated Windows Server!

very nice

 

[Jake]

Re: [Howto] Secure your Dedicated Windows Server!

Securing PHP:

Well, here i'm going to explain how to securde php a little better, along with apache/yourwebserver.


First of all, and the most important, do NOT run your Webserver on a administrative account.

Why?

Well, put it this way, you don't want someone hacking your webserver, then gaining complete access to your system. Create an account, setup apache/abyss or whatever you use. Then disable rights to the username you gave it.


PHP:

You'll also want to enable safe mode in the php.ini file. As with the Apache module, this restricts certain functions in PHP based on file ownership or directory location. With safe mode turned on, you're taking a proactive measure with security by defining from the start how you want PHP to behave.

open php.ini


Also, we want a full rundown of what's enabled and what's disabled on your server.

Create a .php file in your docroot with the following lines

<?php
phpinfo(); 
?>

In php.ini and restart your webserver to use this. You can verify whether safe mode is enabled using the above phpinfo technique. Another item to consider is the disable_functions directive. For instance, you could set this: Look for

safe_mode = off

change it to:

safe_mode = on

This depends on what scripts you use, some scripts and control panels need safe_mode to be off, such as Modernbill or ClientExc - Webhost Billing Panels.


Then in your browser, point to it, it'll show you what's enabled and all about your php version, if it's old, update to the most secure version, or downgrade if you need to.

disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,
proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"

Note that this list disables phpinfo as well as others. There is some overlap, here, with functions limited by safe mode. Be careful that you don't break any features you need, of course. These security settings may cause issues, so test extensively. If you don't need the functions, though, you should disable what you don't need for better security.

Open httpd.conf

Find:

ServerTokens

Change to

ServerTokens Prod

Then check for

ServerSignature On

Change to

ServerSignature Off

Basicly, this stops displaying server signatures (Example, when you click on a link that's none existant, it shows [IApache/1.3.37 Server at xxxxx Port 80[/I]



Remember, don't edit things you don't know what they do.


Not serving files outside of webroot,

lets say you're main folder is /homesite/

Search for

<Directory />

Add this, underneath

<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /homesite>
Order Allow,Deny
Allow from all
</Directory>

If you want to disable file listing on these directories - where you see "Options None"

Change to Options -Indexes

Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

If you want to disable more than one option, do it like this, (example took from my unix box (what applies in linux/unix on apache, will apply to windows aswell)

Options -ExecCGI -FollowSymLinks -Indexes

If you have a resource that should only by accessed by a certain network, or IP address you can enforce this in your apache configuration. For instance if you want to restrict access to your intranet to allow only the 192.168 network (Local network)

Order Deny,Allow
Deny from all
Allow from 192.168.0.0/16

Restart Apache to take effect.


Also, i stress, as i did in the FTP guide, Maxconnections and MaxConnectionsPerIP is something you should look into, only allow 2 connections per ip max.

Settings such as

MinSpareServers, MaxSpareServers, StartServers, and KeepAliveTimeout

The lower the value is, the better it is if you have limited hardware on your system.



Credit goes to Google and UnixExperts

 

[Kyle12345]

Re: [Howto] Secure your Dedicated Windows Server!

Hi Jakey .

Very Nice Guide.

Have my baby?

 

[DeathArt]

Re: [Howto] Secure your Dedicated Windows Server!

First of all, and the most important, do NOT run your Webserver on a administrative account.

Apache runs with lower priviligies, so it's not that important, but in general a good idea.

I belive you recomended lighttpd before, else I'll do it now

PHP:

You'll also want to enable safe mode in the php.ini file. As with the Apache module, this restricts certain functions in PHP based on file ownership or directory location. With safe mode turned on, you're taking a proactive measure with security by defining from the start how you want PHP to behave.

Accualy safe_mode is shenanigans, and gives a bad protection that dosen't mean alot. It's being removed in PHP6.

I rather recomend that people turn off display_errors on production servers, and keep developing on a seperate server / localhost.

This depends on what scripts you use, some scripts and control panels need safe_mode to be off, such as Modernbill or ClientExc - Webhost Billing Panels.

safe_mode on only affects things as file upload in special cases, so I say if a script requires it off, it's a bad script, so don't use it

Then in your browser, point to it, it'll show you what's enabled and all about your php version, if it's old, update to the most secure version, or downgrade if you need to.

Newest php5 version for best security.

disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,
proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"

Very good idea, I can only agree on this. Even it again is a *virtual* security, as it have no meaning unless you got installed vulnerable scripts.

Note that this list disables phpinfo as well as others.

phpinfo() is a security leak in the first place

Else I agree with the rest of the guide, just wanted to comment a few.

 

[Jake]

Re: [Howto] Secure your Dedicated Windows Server!

Hi Jakey .

Very Nice Guide.

Have my baby?

I fail to see my name in your sig, it should be "Jake Culpin" the pro Sys Admin.

 

[DeathArt]

Re: [Howto] Secure your Dedicated Windows Server!

Regarding safe_mode

You must be registered to see links

(old, but still worth a read for those who are interested)

Also a php tip more:

Make sure that register_globals are set to off , and you're NOT using any scripts that requires it

 

[Jake]

Re: [Howto] Secure your Dedicated Windows Server!

phpinfo() is a security leak in the first place

Else I agree with the rest of the guide, just wanted to comment a few.

That's why i added phpinfo in the disallowed functions

Lighthttpd you should look into, i'll write a guide about it soon. I personally use Abyss, nice and stable.

 

[DeathArt]

Re: [Howto] Secure your Dedicated Windows Server!

Lighthttpd you should look into, i'll write a guide about it soon.

Using it atm, as apache keept crashing because of our website cache :/

Been running stable for 2 days now.