How do I avoid hackers from breaking into my Windows 2003 server?
Please advise best practices and also recommend firewalls, etc.
What about the built-in firewall in Windows 2003 Server, is it good?
Please also point to threads on this topic.
Sorry ... this is an st..d joke I have to do all the time ;-) .. I don't know anything about security sooo... :-) ... and if Friday for me also .. almost time to go home :)
PS: By the way ... the unplugged cable .. it works! I already tested it LOL LOL
Jake's top ten:
First: Before you do anything, go into your Services applet in Control Panel. Make sure you know what EVERYTHING does. I mean it. Go through, type in the name of every service into Google, and figure it out. I believe there is no way in sam-hell that you can administer a server properly without knowing the function and perils of everything that is running, ESPECIALLY on automatic startup. Linux users, reading this too? GO DO IT NOW.
Second: Take that knowledge from above, and turn everything you don't need off. "Everything you don't need" is defined as programs that do not need to be running or accessed in the normal, day-to-day operations of a server. Linux users, reading this too? GO DO IT NOW. Then, uninstall everything you don't need. Browsers, mail clients, everything.
Third: Use HfNetChk [microsoft.com] twice a day. Put it on an automated script, and have it email results to someone who can and will read and interpret those results. HfNetChk will ALWAYS pick up patches and bugfixes quicker than Windows Update and its Automatic counterpart.
Fourth: Subscribe to NTBugtraq [ntbugtraq.com]. Read the posts. Daily at the worst. More frequently at best.
Fifth: Subscribe to NANOG [nanog.org]. Most of it is offtopic for what you do, but network operators are the first people to notice widespread virus/worm attacks.
Sixth: Get a good (read: Hardware) firewall. Software firewalls are stupid marketing ploys. Start by allowing only HTTP connections to the webserver, and drop on the floor (not reject) everything else. Open up ports one by one, as necessary. Never open up NetBIOS or SQL Server ports unless absolutely necessary.
Seventh: Run the Baseline Security Analyzer [microsoft.com] and IIS Lockdown Tool [microsoft.com]. Use caution while running the latter - its defaults are very strict, and can knock out some custom configs.
Eighth: Lock down user accounts. Got an FTP server? Lock it down. No administrative level access by FTP. Valid user accounts should only be allowed access to their directory - lock them into a jail. No execute access allowed by FTP.
Ninth: Get a test server. Don't do any development or run any under-development applications on the live server. Only transfer fully tested (and audited!) applications on the live server. Don't run anything you didn't write without testing it on a test server first. Don't let people put code on your server that you haven't audited. I call this the human anti-virus. If you do this, you don't even need anti-virus on the server (which is terrible for performance), because you aren't running anything that you personally haven't executed before.
Tenth: Your server is your baby! I'd never think of having kids and then ignoring them for more than minutes at a time. Your server is your baby. Get an external monitoring service. Check her once an hour for problems, or better yet, write a script that checks her for you and alerts you to any unknown variance from normal operation. Take care of her!
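The first, second and tenth points together amount to one routine: know every service, turn off what you don't need, then script a check that alerts on any variance from that known-good state. Here is an added PowerShell example (not code from the thread or from Jake) that records a service baseline and later reports anything new, removed, or changed; the baseline path is an assumed location.

```powershell
# Added example: run once with -Mode baseline on a known-good day, then schedule
# -Mode check and mail its output. Exit code 1 means something drifted.
param(
    [ValidateSet('baseline','check')] [string]$Mode = 'check',
    [string]$BaselinePath = 'C:\Admin\service-baseline.csv'   # assumed path
)

function Get-ServiceSnapshot {
    # Name, start mode (Auto/Manual/Disabled), current state and binary path
    Get-WmiObject Win32_Service |
        Select-Object Name, StartMode, State, PathName |
        Sort-Object Name
}

if ($Mode -eq 'baseline') {
    Get-ServiceSnapshot | Export-Csv -Path $BaselinePath -NoTypeInformation
    Write-Output "Baseline written to $BaselinePath"
    return
}

$baseline = Import-Csv $BaselinePath
$current  = Get-ServiceSnapshot
$findings = @()

# Index both sides by service name so each comparison is a single lookup
$baseByName = @{}; foreach ($s in $baseline) { $baseByName[$s.Name] = $s }
$curByName  = @{}; foreach ($s in $current)  { $curByName[$s.Name]  = $s }

foreach ($s in $current) {
    $b = $baseByName[$s.Name]
    if (-not $b) {
        # A service that was not there at baseline time is the most important finding
        $findings += "NEW service: $($s.Name) [$($s.StartMode)/$($s.State)] $($s.PathName)"
    } elseif ($b.StartMode -ne $s.StartMode -or $b.State -ne $s.State -or $b.PathName -ne $s.PathName) {
        # Start mode flipped to Auto, or the binary path moved, both deserve a look
        $findings += "CHANGED: $($s.Name) was $($b.StartMode)/$($b.State) '$($b.PathName)', now $($s.StartMode)/$($s.State) '$($s.PathName)'"
    }
}
foreach ($s in $baseline) {
    if (-not $curByName[$s.Name]) { $findings += "REMOVED service: $($s.Name)" }
}

if ($findings.Count -eq 0) {
    Write-Output "No variance from baseline ($($current.Count) services)."
} else {
    $findings | Write-Output
    exit 1   # non-zero so a scheduler or mail wrapper can flag the run
}
```

Re-run with -Mode baseline after every deliberate change, otherwise the check keeps reporting it.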
This thread is becoming more and more interesting. I checked the first point of bakedjake on win2k3 machines and searched on Google. I found information for most of the processes / programs running on the machine, but still for a few I did not get any information. Can you provide me some information?
Image Name User Name
1. crss.exe System
2. dcevt32.exe System
3. dcstor32.exe System
4. diagorb.exe System
5. mr2kserv.exe System
6. realpoke.exe System
Create an Administrator account with a name other than "Administrator". Disable the "Administrator" account.
If you use terminal services, configure it so it runs on a different port - update firewall accordingly.
Also, the nice thing about Windows 2003 (unlike W2k) is that most services are turned off by default (for example IIS).
Software firewalls are stupid marketing ploys.
I can't agree with this statement.
Yes, in a server environment you should definitely be using a hardware firewall but that doesn't mean software firewalls should be discounted as a 'marketing ploy' - they are extremely useful for protecting home machines and laptops. Good ones (like ZoneAlarm) perform very well with a minimum of fuss.
To catch emails as they come in, if your server is also a mail server.
It's the email client that activates the virus, not the mailserver.
Apart from that, common sense should be enough to keep viruses away. I have never used anti-virus software, and I've never had a virus. I have owned computers since the first 12 MHz AT clone was available... ;)
This might not be the case if you run your own server. But if you are going with a 3rd party web hosting company, your competitors will most likely check in yourdomain.com/webalizer, yourdomain.com/stats, etc. to check out your log reports.
Whether the mailserver opens it or not, isn't it a good idea to kill the virus at the point of entry, rather than storing it, and later passing it on to a client? Virus (and spam) filtering in the mailserver seems like a good idea.