[Tutorial] Secure your Dedicated Windows Server!

Posted by Jake (Skilled Illusionist; joined Nov 16, 2006; 308 messages; reaction score 76; location: /home/jake)
Well, I've seen a lot of people renting out dedicated servers to run their KalOnline servers on - it's a huge expense and it's aggravating when you get hacked! So I've decided to tell you guys how to secure your terminal services such as RDP (Remote Desktop Protocol). The tool I use on my server is something called "2X Secure RDP" which can be obtained from


A Short introduction to the program can be found on the site.


What do I need to do?


First of all you need to download the application - located on the website above.
You then need to install it, and configure it. Some screenshots are below to show you how to configure it.


Step 1:

Adding a Computer Name-

First of all you need to find out what your computer name is. The easiest way of obtaining your computer name is the following:

Click Start, Run, then enter "cmd" - a command prompt window will pop up - enter this command: "ipconfig /all"

You should get something like this:



I masked out my MAC address and computer name for security issues.
Anyway, since you've found your computer name, note it down!

Step 1 - part 2.

Adding your Computer Name

Ok, you have your Computer name, and you have 2X RDP installed. Open 2X RDP up, click on Computer Name



Next click Add - located underneath the highlighted area on the picture above.

You should get this dialogue:



After you have entered in your computer name - click ok.

You have successfully added a computer name to the allowed hosts list!


Click the close button on the right, and click Save when it asks you to!


Restart your server after this has been done.

That's all for now, I'll add more things to this thread a little later on!
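An added example, not part of Jake's post and not 2X Secure RDP's own code: the same "allowed hosts" idea done with the built-in Windows Firewall, scoping the inbound RDP port (TCP 3389) to a fixed list of admin source addresses and turning on Network Level Authentication so credentials are checked before a session is created. It assumes Windows Server 2012 or later (the NetSecurity cmdlets) and an elevated PowerShell prompt; the two addresses are placeholders from the RFC 5737 documentation ranges, not anything on the page.

```powershell
# Added example (not from the original post or from 2X): restrict inbound RDP to
# known admin hosts with the Windows Firewall and require NLA.
# Assumes Windows Server 2012+ (NetSecurity module) and an elevated prompt.
$AllowedRdpSources = @('203.0.113.10', '198.51.100.0/24')   # assumed admin IPs (RFC 5737 doc ranges)

# Disable the stock "Remote Desktop" rule group so it cannot re-open 3389 to the world.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
    Disable-NetFirewallRule

# One explicit allow rule, limited to the admin sources (create or update in place).
$ruleName = 'RDP - allowed admin hosts only'
if (-not (Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $ruleName `
        -Direction Inbound -Protocol TCP -LocalPort 3389 `
        -RemoteAddress $AllowedRdpSources -Action Allow -Profile Any | Out-Null
} else {
    Set-NetFirewallRule -DisplayName $ruleName -RemoteAddress $AllowedRdpSources
}

# Require Network Level Authentication on the RDP listener.
Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' `
    -Name 'UserAuthentication' -Value 1 -Type DWord

# Check: every enabled inbound rule that opens 3389 must be scoped, never "Any".
Get-NetFirewallPortFilter | Where-Object { $_.LocalPort -eq 3389 } |
    Get-NetFirewallRule |
    Where-Object { $_.Enabled -eq 'True' -and $_.Direction -eq 'Inbound' } |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
        [pscustomobject]@{ Rule = $_.DisplayName; RemoteAddress = ($addr -join ',') }
    } | Format-Table -AutoSize
```

Run it from a host that is on the allowed list and keep the datacenter's KVM or serial console available, because a typo in the address list locks you out of RDP. The table at the end should show only the one scoped rule; any row whose RemoteAddress reads "Any" is a rule that still exposes RDP to everyone.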
 
Re: [Howto] Secure your Dedicated Windows Server!

Why don't you use a more 'traditional' firewall? (just a question)
 
Re: [Howto] Secure your Dedicated Windows Server!

Why? Because my ports are blocked on a CISCO firewall inside the datacenter - I only have 4 ports open, and they're for the server/web and of course RDP. So I don't need a more traditional firewall, since they're just a waste of resources and cause much more trouble than anything else.
 
Re: [Howto] Secure your Dedicated Windows Server!

Very nice tut, was waiting for something like that, thank you :juggle:
 
Re: [Howto] Secure your Dedicated Windows Server!

Well, a lot of people have been asking me to add more tips to this, well, 3 people, but you know, three's a crowd ;).


Ok, I'm going to give some advice, generally about applications running on your server.


Just after a brief browse around the KalOnline advertisements and doing a few port scans, I've noticed a lot of people have FTP enabled! WHY!?

You don't need FTP enabled, well, not if you use the default configuration. Put it this way: if you have FTP running on your server, your server would be down within minutes!

Why?

FTPd's default configs have everything at default.. of course, hence the name, default configuration! Well, there's a problem.

This is taken out of my Unix server's ftpd:

Code:
MaxClientsNumber            50

This is pureftpd, not the best, and certainly not the worst ftpd. (By the way, I haven't made typos, ftpd = file transfer protocol daemon)

Ok, back on subject. Max clients is 50, that means 50 clients are allowed to connect to the server; no, it doesn't mean 50 IPs, it means clients.

Code:
# Maximum number of sim clients with the same IP address

MaxClientsPerIP             8

50 x 8 = 400! 400 connections allowed, that's on my server, a webhosting server, apf ftw.

Ok, here's the max IPs per client; personally, if you're running an ftpd on your Windows machine, disable it, or configure it.

I don't know what everyone's favourite FTPd is, but most configuration is pretty damn straight forward.

Search for something that looks like the above.

MaxClientsPerIp - set it to 1
MaxConnectionsperClient - set it to 5

Why do i need to do this?

Well, to be honest, if I point 200k bots at your server, with FTP all connecting to your FTP server hammering the connection, you're screwed.


Ok, so i've done that, now what?

Uninstall it :P

Nah, keep it if you really need it. I suggest Rapidshare for uploading files, then copying and pasting the link into a browser on your server.
Then after you've downloaded the files, delete them from RS.



Another tip:

Windows firewall! You gotta love it! Well no, you have to despise it, but enable it! BLOCK EVERY SINGLE PORT you do not need open! It just creates more holes!

Also, Windows Updates! Install them. Every week take your server down for maintenance; INT, they do maintenance every week, not to update their files but to update the security and keep the server running well. A fresh restart makes the server run well.



Advice to those who run a private server on a home connection:

Don't run one.


More to come, when I'm not drunk and haven't slept for 4 days.
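An added example that is not part of the post above: the "block every single port you do not need" and "disable FTP" advice as a script, turning the Windows Firewall into a default-deny inbound filter with one allow rule for the ports you actually serve, stopping the FTP service, and then inventorying what is still listening so nothing is left open by accident. It assumes Windows Server 2012 or later and an elevated prompt; the port list and the service name `ftpsvc` (the IIS FTP service) are assumptions to adapt, and other FTP daemons register under other names.

```powershell
# Added example (not from the original post): default-deny inbound, allow only the
# needed ports, stop FTP, and list the remaining listeners with their owning process.
# Assumes Windows Server 2012+ and an elevated PowerShell prompt.
$NeededInboundTcp = @(80, 443, 3389)   # assumed: web + RDP; add your game server ports
$FtpServiceName   = 'ftpsvc'           # assumed: IIS FTP service; other FTP daemons differ

# 1. Default-deny inbound on every profile, allow outbound, log what gets dropped.
Set-NetFirewallProfile -Profile Domain,Public,Private -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow `
    -LogBlocked True -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'

# 2. One allow rule for the needed TCP ports; edit the list above, not the rule.
$ruleName = 'Server - required inbound TCP'
Get-NetFirewallRule -DisplayName $ruleName -ErrorAction SilentlyContinue | Remove-NetFirewallRule
New-NetFirewallRule -DisplayName $ruleName -Direction Inbound -Protocol TCP `
    -LocalPort $NeededInboundTcp -Action Allow | Out-Null

# 3. If FTP is installed but not needed, stop it and keep it from starting at boot.
$ftp = Get-Service -Name $FtpServiceName -ErrorAction SilentlyContinue
if ($ftp) {
    Stop-Service -Name $FtpServiceName -Force
    Set-Service  -Name $FtpServiceName -StartupType Disabled
}

# 4. Check: what is actually listening, who owns it, and whether a rule allows it.
Get-NetTCPConnection -State Listen |
    Sort-Object LocalPort -Unique |
    ForEach-Object {
        $proc = Get-Process -Id $_.OwningProcess -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Port    = $_.LocalPort
            Address = $_.LocalAddress
            Process = if ($proc) { $proc.ProcessName } else { '?' }
            Allowed = ($NeededInboundTcp -contains $_.LocalPort)
        }
    } | Format-Table -AutoSize

# 5. Check: when was the box last patched (most recent five updates).
Get-HotFix | Sort-Object InstalledOn -Descending | Select-Object -First 5 HotFixID, InstalledOn
```

A listener that shows Allowed = False is either something to uninstall or a port to add to the list; the datacenter firewall the author mentions only helps if the host rules agree with it. Rows bound to 127.0.0.1 are reachable only locally and can be ignored for the inbound question.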
 
Re: [Howto] Secure your Dedicated Windows Server!

Using MBSA - Microsoft Baseline Security Analyzer

What is MBSA?

Quoted from MS website:

Microsoft Baseline Security Analyzer (MBSA) 2.0 is an easy-to-use tool that helps small and medium businesses determine their security state in accordance with Microsoft security recommendations and offers specific remediation guidance. Improve your security management process by using MBSA to detect common security misconfigurations and missing security updates on your computer systems. Built on the Windows Update Agent and Microsoft Update infrastructure, MBSA ensures consistency with other Microsoft management products including Microsoft Update (MU), Windows Server Update Services (WSUS), Systems Management Server (SMS) and Microsoft Operations Manager (MOM). Used by many leading third party security vendors including Tivoli, Patchlink and Citadel, MBSA on average scans over 3 million computers each week. Join the thousands of users that depend on MBSA for analyzing their security state.
First of all, you need to obtain MBSA by going to

So, yeah, you've downloaded the program, what do you do next?


Step 2

Double click the downloaded file to install it; it shouldn't take less than a few minutes, but I run a quad Xeon, so that's probably why..


Step 3

After installation has completed, you can run the program. I recommend shutting down every application whilst running it.


So you've started it up.

Click on Scan a computer



After that, click scan this computer (Your computer name should show, i masked mine out for security reasons)



Ok, so you're scanning, you should get something that looks like:



So the scans done, you then have something that looks like:




MBSA is a good tool for those who want to secure their server the easy way, it tells you what problems your server faces and how to correct them.

As the last screenshot shows, Security Assessment: Severe

I didn't know IE Zones were that severe :P

Anyway, I highlighted basically most of the important features here.

Have fun securing your server


Also, for securing MSSQL, i suggest you check google and this site:



I make my own guides; if I use work from Google, I give credit.


Credit goes to Google and Microsoft.com
 
Re: [Howto] Secure your Dedicated Windows Server!

Securing PHP:

Well, here I'm going to explain how to secure PHP a little better, along with Apache/your webserver.


First of all, and the most important, do NOT run your webserver on an administrative account.

Why?

Well, put it this way: you don't want someone hacking your webserver, then gaining complete access to your system. Create an account, set up Apache/Abyss or whatever you use under it, then strip the rights from the username you gave it.


PHP:

You'll also want to enable safe mode in the php.ini file. As with the Apache module, this restricts certain functions in PHP based on file ownership or directory location. With safe mode turned on, you're taking a proactive measure with security by defining from the start how you want PHP to behave.

Open php.ini and look for

Code:
safe_mode = off

change it to:

Code:
safe_mode = on

in php.ini and restart your webserver to use this. This depends on what scripts you use, some scripts and control panels need safe_mode to be off, such as Modernbill or ClientExc - Webhost Billing Panels.


Also, we want a full rundown of what's enabled and what's disabled on your server.

Create a .php file in your docroot with the following lines

Code:
<?php
phpinfo();
?>

Then in your browser, point to it, it'll show you what's enabled and all about your PHP version; if it's old, update to the most secure version, or downgrade if you need to. You can verify whether safe mode is enabled using the above phpinfo technique.


Another item to consider is the disable_functions directive. For instance, you could set this:

Code:
disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"

Note that this list disables phpinfo as well as others. There is some overlap, here, with functions limited by safe mode. Be careful that you don't break any features you need, of course. These security settings may cause issues, so test extensively. If you don't need the functions, though, you should disable what you don't need for better security.

Open httpd.conf

Find:
Code:
ServerTokens

Change to
Code:
ServerTokens Prod

Then check for

Code:
ServerSignature On

Change to
Code:
ServerSignature Off

Basically, this stops displaying server signatures (example: when you click on a link that's non-existent, it shows "Apache/1.3.37 Server at xxxxx Port 80").



Remember, don't edit things you don't know what they do.


Not serving files outside of the webroot:

Let's say your main folder is /homesite/

Search for
Code:
<Directory />

Add this, underneath

Code:
<Directory />
Order Deny,Allow
Deny from all
Options None
AllowOverride None
</Directory>
<Directory /homesite>
Order Allow,Deny
Allow from all
</Directory>

If you want to disable file listing on these directories - where you see "Options None"

Change to Options -Indexes

Turn off server side includes

This is also done with the Options directive inside a Directory tag. Set Options to either None or -Includes

Options -Includes

If you want to disable more than one option, do it like this (example taken from my Unix box; what applies in Linux/Unix on Apache will apply to Windows as well):
Code:
Options -ExecCGI -FollowSymLinks -Indexes

If you have a resource that should only be accessed by a certain network or IP address, you can enforce this in your Apache configuration. For instance, if you want to restrict access to your intranet to allow only the 192.168 network (local network):

Code:
Order Deny,Allow
Deny from all
Allow from 192.168.0.0/16


Restart Apache to take effect.


Also, I stress, as I did in the FTP guide, MaxConnections and MaxConnectionsPerIP are something you should look into; only allow 2 connections per IP max.

Settings such as

Code:
MinSpareServers, MaxSpareServers, StartServers, and KeepAliveTimeout

The lower the value is, the better it is if you have limited hardware on your system.



Credit goes to Google and UnixExperts
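An added example, not part of the post above or of Apache's or PHP's own tooling: a script that reads a php.ini and an httpd.conf and prints each directive the post discusses whose value is still the weak one, next to what it should be. The two sample files are constructed here to show a weak configuration; point `Test-WebConfig` at the real files on your server. One fact the post predates: `safe_mode` was removed in PHP 5.4, so the script checks `display_errors`, `register_globals`, `expose_php` and `disable_functions` instead, and treats `safe_mode` as absent on any current PHP.

```powershell
# Added example (not from the original post): audit php.ini / httpd.conf for the
# weak settings discussed in the thread. Windows PowerShell 5.1 or later.

# ---- constructed sample files (assumptions, not real server config) ----
$PhpIniSample = @'
; php.ini excerpt
safe_mode = Off
display_errors = On
register_globals = On
expose_php = On
disable_functions =
'@
$HttpdConfSample = @'
# httpd.conf excerpt
ServerTokens Full
ServerSignature On
<Directory />
    Options Indexes FollowSymLinks
    AllowOverride All
</Directory>
'@

# Directive => regex the value must match to count as hardened.
$PhpExpected = [ordered]@{
    'display_errors'    = '^(Off|0)$'
    'register_globals'  = '^(Off|0)$'
    'expose_php'        = '^(Off|0)$'
    'disable_functions' = 'shell_exec.*system|system.*shell_exec'   # at least the shell escapes
}
$ApacheExpected = [ordered]@{
    'ServerTokens'    = '^Prod(uctOnly)?$'
    'ServerSignature' = '^Off$'
}

function Get-IniDirective([string]$Text, [string]$Name) {
    # First uncommented "name = value" line; $null when the directive is absent.
    $m = [regex]::Match($Text, "(?im)^\s*$([regex]::Escape($Name))\s*=\s*(.*?)\s*$")
    if ($m.Success) { $m.Groups[1].Value.Trim('"') } else { $null }
}
function Get-ApacheDirective([string]$Text, [string]$Name) {
    $m = [regex]::Match($Text, "(?im)^\s*$([regex]::Escape($Name))\s+(.+?)\s*$")
    if ($m.Success) { $m.Groups[1].Value } else { $null }
}

function Test-WebConfig([string]$PhpIni, [string]$HttpdConf) {
    $findings = @()
    foreach ($k in $PhpExpected.Keys) {
        $v = Get-IniDirective $PhpIni $k
        if ($null -eq $v -or $v -notmatch $PhpExpected[$k]) {
            $findings += [pscustomobject]@{ File = 'php.ini'; Directive = $k; Current = $v; Expected = $PhpExpected[$k] }
        }
    }
    foreach ($k in $ApacheExpected.Keys) {
        $v = Get-ApacheDirective $HttpdConf $k
        if ($null -eq $v -or $v -notmatch $ApacheExpected[$k]) {
            $findings += [pscustomobject]@{ File = 'httpd.conf'; Directive = $k; Current = $v; Expected = $ApacheExpected[$k] }
        }
    }
    # Directory listing left on under the filesystem root <Directory />.
    if ($HttpdConf -match '(?s)<Directory\s+/>\s*(.*?)</Directory>') {
        $root = $Matches[1]
        if ($root -match 'Options\s+[^\r\n]*\bIndexes\b' -and $root -notmatch '-Indexes') {
            $findings += [pscustomobject]@{ File = 'httpd.conf'; Directive = 'Options (Directory /)'; Current = 'Indexes'; Expected = 'None or -Indexes' }
        }
    }
    $findings
}

# Run against the constructed samples; every directive above is reported as weak.
Test-WebConfig -PhpIni $PhpIniSample -HttpdConf $HttpdConfSample | Format-Table -AutoSize

# To audit the live files (paths are assumptions):
# Test-WebConfig -PhpIni (Get-Content 'C:\php\php.ini' -Raw) -HttpdConf (Get-Content 'C:\Apache24\conf\httpd.conf' -Raw)
```

A "Current" column that is blank means the directive is present with no value (the `disable_functions =` line in the sample), while an empty cell for a directive that never appears means PHP or Apache is running on its built-in default, which for `expose_php` and `ServerTokens` is the weak setting. The check is only as good as its regexes: an `Options` line in a nested `<Directory>` block or in an `.htaccess` file is not seen, so treat a clean report as a starting point, not proof.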
 
Re: [Howto] Secure your Dedicated Windows Server!

First of all, and the most important, do NOT run your Webserver on a administrative account.
Apache runs with lower privileges, so it's not that important, but in general a good idea.

I believe you recommended lighttpd before, else I'll do it now :-)


PHP:

You'll also want to enable safe mode in the php.ini file. As with the Apache module, this restricts certain functions in PHP based on file ownership or directory location. With safe mode turned on, you're taking a proactive measure with security by defining from the start how you want PHP to behave.
Actually safe_mode is bullshit, and gives a bad protection that doesn't mean a lot. It's being removed in PHP6.

I rather recommend that people turn off display_errors on production servers, and keep developing on a separate server / localhost.


This depends on what scripts you use, some scripts and control panels need safe_mode to be off, such as Modernbill or ClientExc - Webhost Billing Panels.
safe_mode on only affects things as file upload in special cases, so I say if a script requires it off, it's a bad script, so don't use it

Then in your browser, point to it, it'll show you what's enabled and all about your php version, if it's old, update to the most secure version, or downgrade if you need to.
Newest php5 version for best security.

Code:
disable_functions = "dl,phpinfo,shell_exec,passthru,exec,popen,system,proc_get_status,proc_nice,proc_open,proc_terminate,proc_close"
Very good idea, I can only agree on this. Even if it again is a *virtual* security, as it has no meaning unless you have vulnerable scripts installed.

Note that this list disables phpinfo as well as others.
phpinfo() is a security leak in the first place :-)

Else I agree with the rest of the guide, just wanted to comment a few.
 
Re: [Howto] Secure your Dedicated Windows Server!

Regarding safe_mode (old, but still worth a read for those who are interested)

Also a php tip more:

Make sure that register_globals are set to off , and you're NOT using any scripts that requires it :-)
 
Re: [Howto] Secure your Dedicated Windows Server!

phpinfo() is a security leak in the first place :-)

Else I agree with the rest of the guide, just wanted to comment a few.


That's why i added phpinfo in the disallowed functions ;)

Lighttpd you should look into, I'll write a guide about it soon. I personally use Abyss, nice and stable.
 