Securing Windows Server 2003 Dedicated Server

While Windows Server 2003 can be more secure than its predecessors, it is only as secure as the weakest link. Therefore, you will want to have everything as secure as possible. This includes, but is not limited to, using software firewalls, hardware firewalls and the Microsoft auto-update feature built into windows 2003. The easiest way to have an unsecured server is by not having the latest updates. This is why enabling the Microsoft auto-updates will be talked about first, which we believe to be the most important.

Microsoft auto-updates keep your computer up to date as much as possible. To help ease the distribution of the updates, Microsoft decided to have the new patches and updates get pushed out every second Tuesday of the month. However, if a huge security risk is known, then Microsoft will push the patch out as soon as possible. Enabling Microsoft updates is fairly easy and just about anybody can do it. It should be enabled by default, but in case it is not, or if you want to change a setting, you can do it by following these steps:

  1. Open up System Properties, and click on the Automatic Updates tab. You can disable auto updates all together, however this is defiantly not recommended.
  2. After you enable the auto-updates, you will then see your options for the auto-updates. You can have it notify you before downloading and installing the updates, you can have it download them but notify you before installing, or you can have to download and install them at a schedule time.
  3. The two settings we would recommend is to either have it automatically download and install at a scheduled time or download and notify you before installing. Having it download and store the updates will give time from the owner\administrator of the Windows Dedicated Server to take a look at what they are installing and be able to respond quickly to any problems that could arise when installing the updates. Having it download and install automatically would be recommended for people that don't always have time to check their server for the new patches and for non-critical servers.
  4. The nice thing about having it download and install automatically is that you can set it to install them on a weekend or during non-peak hours. That way if anything does happen you would have more time to react.

This now brings us to the Microsoft Windows Firewall. Microsoft has included a built-in firewall with Windows Server 2003. It is a software-based firewall, and while it will have a few faults that we will get to shortly. It is still recommended that you use it, as some protection is better than no protection. With the firewall enabled, you can deny and allow traffic on programs, ports and services. You can set a scope to allow only traffic from allowed IPs or subnets, or allow traffic from all IPs. Out of all the ports on a windows server, you need to only allow all traffic on a few of them. Such as 25 (SMTP), 80 (HTTP), 443 (HTTPS), etc. Many of the other ports you should only allow authorized IPs access, such as 21 (FTP), and 3389 (RDP). That way, even if someone figured out your passwords, they would only be able to get in if they are on the allow list.

However, this is a problem using the Microsoft Firewall, there is no way to manage it outside of connecting to the machine with RDP and editing the rules yourself. However if you only allow connections from certain IPs with RDP, then that in itself will keep you from changing the rules if you are not utilizing an authorized IP.

The alternative solution is to use our managed dedicated firewall service. This Cisco PIX hardware firewall is a fully-managed service and will allow us to create rules for you such as the allow and/or deny from certain IPs. Thus, if you block all FTP traffic but need to allow it, you could contact us and we’ll change it to allow for the time you need it and then block it after you are done.

However, having a firewall and Windows updates will not always keep an intruder out. You have to make sure that the code on your website is secure, and that your authorized users aren't using the windows dedicated server for anything other than server-related tasks. Such as surfing the web on it, or downloading strange files to it. Any one of those things can make a secure Windows Dedicated Server an unsecured Windows Dedicated Server.

Keeping a secured Windows Dedicated Server is not the hardest thing to do, it just takes a bit of time to configure at the beginning. As long as you stay on top of the Windows updates and manually check them, as well as setup your firewall properly, you shouldn't have much to worry about. Having anti-virus/spyware on a server isn't always necessary but it is recommended. By having such software you will be creating another layer of security on your server, and extra security is always good security.