How do I keep hackers from breaking into my Windows 2003 server?
Please advise best practices and also recommend firewalls, etc.
What about the built-in firewall in Windows 2003 Server, is it good?
Please also point to threads on this topic.
Jake's top ten:
First: Before you do anything, go into your Services applet in Control Panel. Make sure you know what EVERYTHING does. I mean it. Go through, type in the name of every service into Google, and figure it out. I believe there is no way in sam-hell that you can administer a server properly without knowing the function and perils of everything that is running, ESPECIALLY on automatic startup. Linux users, reading this too? GO DO IT NOW.
Second: Take that knowledge from above, and turn everything you don't need off. "Everything you don't need" is defined as programs that do not need to be running or accessed in the normal, day-to-day operations of a server. Linux users, reading this too? GO DO IT NOW. Then, uninstall everything you don't need. Browsers, mail clients, everything.
Third: Use HfNetChk [microsoft.com] twice a day. Put it on an automated script, and have it email results to someone who can and will read and interpret those results. HfNetChk will ALWAYS pick up patches and bugfixes quicker than Windows Update and its Automatic counterpart.
Fourth: Subscribe to NTBugtraq [ntbugtraq.com]. Read the posts. Daily at the worst. More frequently at best.
Fifth: Subscribe to NANOG [nanog.org]. Most of it is offtopic for what you do, but network operators are the first people to notice widespread virus/worm attacks.
Sixth: Get a good (read: Hardware) firewall. Software firewalls are stupid marketing ploys. Start by allowing only HTTP connections to the webserver, and drop on the floor (not reject) everything else. Open up ports one by one, as necessary. Never open up NetBIOS or SQL Server ports unless absolutely necessary.
Seventh: Run the Baseline Security Analyzer [microsoft.com] and IIS Lockdown Tool [microsoft.com]. Use caution while running this - its defaults are very strict, and can knock out some custom configs.
Eighth: Lock down user accounts. Got an FTP server? Lock it down. No administrative level access by FTP. Valid user accounts should only be allowed access to their directory - lock them into a jail. No execute access allowed by FTP.
Ninth: Get a test server. Don't do any development or run any under-development applications on the live server. Only transfer fully tested (and audited!) applications on the live server. Don't run anything you didn't write without testing it on a test server first. Don't let people put code on your server that you haven't audited. I call this the human anti-virus. If you do this, you don't even need anti-virus on the server (which is terrible for performance), because you aren't running anything that you personally haven't executed before.
Tenth: Your server is your baby! I'd never think of having kids and then ignoring them for more than minutes at a time. Your server is your baby. Get an external monitoring service. Check her once an hour for problems, or better yet, write a script that checks her for you and alerts you to any unknown variance from normal operation. Take care of her!
This thread is becoming more and more interesting. I checked bakedjake's first point on Win2k3 machines and searched on Google. I found information for most of the processes / programs running on the machine, but for a few I still did not get any information. Can you provide me with some information?
Image Name       User Name
1. crss.exe      System
2. dcevt32.exe   System
3. dcstor32.exe  System
4. diagorb.exe   System
5. mr2kserv.exe  System
6. realpoke.exe  System
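For Jake's first, second and tenth points (know every service, turn off what you don't need, alert on variance from normal) and for the question just above about unidentified processes, here is an added example script. It is mine, not from any poster in this thread. It assumes Windows PowerShell 2.0 (available for Server 2003 SP2 through the Windows Management Framework) run as a local administrator; the baseline file location is an assumption.

```powershell
# Added example, not from any post in this thread. Assumes Windows PowerShell 2.0
# on Server 2003 SP2, run as a local administrator. The baseline path is an
# assumption; change it to suit.
param(
    [string]$BaselinePath = "C:\Admin\baseline.csv",
    [switch]$WriteBaseline
)

# One row per service (start mode, account, binary) and one per running process
# (binary path). This is the list you are expected to be able to explain.
function Get-Snapshot {
    $rows = @()
    foreach ($s in Get-WmiObject Win32_Service) {
        $rows += New-Object PSObject -Property @{
            Kind = 'Service'; Name = $s.Name; StartMode = [string]$s.StartMode
            Account = [string]$s.StartName; Path = [string]$s.PathName
        }
    }
    foreach ($p in Get-WmiObject Win32_Process) {
        $rows += New-Object PSObject -Property @{
            Kind = 'Process'; Name = $p.Name; StartMode = 'n/a'
            Account = ''; Path = [string]$p.ExecutablePath
        }
    }
    $rows
}

# Identify an unfamiliar binary from its own metadata rather than its name: where
# it lives, who claims to have built it, and whether its Authenticode signature is
# valid. A system-sounding name outside System32, with no company string or an
# invalid signature, deserves a closer look before it earns a place in the baseline.
function Describe-Binary {
    param([string]$Path)
    if (-not $Path -or -not (Test-Path -LiteralPath $Path)) { return "  $Path : not found on disk" }
    $item = Get-Item -LiteralPath $Path
    $sig  = Get-AuthenticodeSignature -FilePath $Path
    $signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '(unsigned)' }
    "  path={0}`n  company={1}`n  description={2}`n  version={3}`n  signature={4} {5}" -f @(
        $item.FullName, $item.VersionInfo.CompanyName, $item.VersionInfo.FileDescription,
        $item.VersionInfo.FileVersion, $sig.Status, $signer)
}

$now = Get-Snapshot
if ($WriteBaseline -or -not (Test-Path -LiteralPath $BaselinePath)) {
    $now | Export-Csv -NoTypeInformation -Path $BaselinePath
    "Baseline of {0} rows written to {1}. Explain every row before you trust it." -f $now.Count, $BaselinePath
    return
}

# Anything present now but not in the baseline (or vice versa) is a variance to
# explain: a service flipped to Automatic, a changed binary path, a process you
# have never seen. Compare on the stable fields, never on PIDs or uptime.
$base = @(Import-Csv -Path $BaselinePath)
$diff = Compare-Object -ReferenceObject $base -DifferenceObject $now -Property Kind, Name, StartMode, Account, Path
if (-not $diff) { "No variance from baseline."; return }
foreach ($d in $diff) {
    $tag = if ($d.SideIndicator -eq '=>') { 'NEW' } else { 'GONE' }
    "{0,-5} {1,-8} {2,-28} start={3,-10} {4}" -f $tag, $d.Kind, $d.Name, $d.StartMode, $d.Path
    if ($d.SideIndicator -eq '=>' -and $d.Kind -eq 'Process') { Describe-Binary -Path $d.Path }
}
```

Run it once with -WriteBaseline after working through the service list by hand, then schedule it from Task Scheduler with the output redirected to a file that gets mailed to whoever is on the hook to read it. For names like the six listed above, Describe-Binary reports each image's full path, publisher string and signature status; that, rather than a web search on the file name, is what tells you whether a process belongs on the box.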
Create an Administrator account with a name other than "Administrator". Disable the "Administrator" account.
If you use terminal services, configure it so it runs on a different port - update firewall accordingly.
Also, the nice thing about Windows 2003 (unlike W2k) is that most services are turned off by default (for example, IIS).
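The two steps in the post above (a replacement administrator with the built-in one disabled, and Terminal Services on a non-default port with the firewall updated to match), as an added example script. It is mine, not the poster's. It assumes Windows PowerShell 2.0 on Server 2003 SP2 with local administrator rights, the built-in Windows Firewall, and made-up values for the new account name and the RDP port.

```powershell
# Added example, not from the thread. Assumes Windows PowerShell 2.0 on Windows
# Server 2003 SP2, run locally as an administrator. The account name and the
# alternative RDP port are assumptions; pick your own.
param(
    [string]$NewAdminName = "srvadm",
    [int]$RdpPort = 33890
)

# Step 1: create the replacement administrator BEFORE touching the built-in one,
# so a typo cannot lock you out. ADSI's SetPassword keeps the password off the
# command line, where "net user" would expose it to anyone listing processes.
function New-LocalAdmin {
    param([string]$Name)
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME,computer"
    $user = $computer.Create("User", $Name)
    $secure = Read-Host -AsSecureString "Password for $Name"
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try     { $user.SetPassword([Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr)) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }
    $user.SetInfo()
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/Administrators,group"
    $group.Add($user.Path)
}

# Step 2: disable the built-in Administrator. It is located by its well-known
# RID (500) rather than by name, because the RID never changes: renaming alone is
# obscurity, disabling is what actually closes the account.
function Disable-BuiltinAdministrator {
    $builtin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
    $builtin.Disabled = $true
    $builtin.Put() | Out-Null
    $builtin.Name
}

# Step 3: move Terminal Services off TCP/3389 and mirror the change in the
# built-in firewall (netsh "firewall" context, Server 2003 SP1 and later). A
# hardware firewall in front of the box needs the same rule change.
function Set-RdpPort {
    param([int]$Port)
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
    Set-ItemProperty -Path $key -Name PortNumber -Value $Port -Type DWord
    netsh firewall add portopening protocol=TCP port=$Port name="RDP-$Port" | Out-Null
    netsh firewall delete portopening protocol=TCP port=3389 | Out-Null
    # Terminal Services reads PortNumber at start-up; restart the service (or the
    # server) before clients connect on the new port.
}

New-LocalAdmin -Name $NewAdminName
"Created $NewAdminName. Log on with it in a second session before continuing."
Read-Host "Press Enter once a session as $NewAdminName is open" | Out-Null
$disabled = Disable-BuiltinAdministrator
"Disabled built-in account '$disabled' (RID 500)."
Set-RdpPort -Port $RdpPort
"RDP now configured for TCP/$RdpPort; restart Terminal Services to apply."
```

Keep the second session open until you have confirmed the new account can log on and elevate; if anything went wrong you still have an administrative session to undo it from.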
Software firewalls are stupid marketing ploys.
I can't agree with this statement.
Yes, in a server environment you should definitely be using a hardware firewall but that doesn't mean software firewalls should be discounted as a 'marketing ploy' - they are extremely useful for protecting home machines and laptops. Good ones (like ZoneAlarm) perform very well with a minimum of fuss.
To catch emails as they come in, if your server is also a mail server.
It's the email client that activates the virus, not the mailserver.
Apart from that, common sense should be enough to keep viruses away. I have never used anti-virus software, and I've never had a virus. I have owned computers since the first 12 MHz AT clone was available... ;)
This might not be the case if you run your own server. But if you are going with a 3rd party web hosting company, your competitors will most likely check yourdomain.com/webalizer, yourdomain.com/stats, etc. to check out your log reports.
Whether the mailserver opens it or not, isn't it a good idea to kill the virus at the point of entry, rather than storing it, and later passing it on to a client? Virus (and spam) filtering in the mailserver seems like a good idea.
Why would you need an anti-virus on your server?
1) to protect against momentary stupidity
2) to protect against new viruses which target using means other than email, such as Welchia and Blaster. These viruses simply find vulnerable machines ... no one needs to even be logged in or on the desktop or anything. REMEMBER TODAY MANY VIRUSES HAVE NOTHING TO DO WITH EMAIL OR BROWSING. Code Red and Nimda did not require any user initiation of the virus.
Anyone on a Windows machine who does not have an up-to-date anti-virus product on every single machine is having the equivalent of anonymous unprotected sex at the local neighborhood gas station. In other words, he or she deserves whatever happens to them. The "it has never happened to me" mindset will lead to disaster.
doesn't mean software firewalls should be discounted as a 'marketing ploy'
Software firewalls are worse than useless as they give people a false sense of security. They increase the instability of machines, harass users with too much data (often leading to them being disabled entirely) and don't do a particularly good job in the first place.
Code Red and Nimda did not require any user initiation of the virus.
This is a half-truth; you're leading people in the wrong direction.
If you had anti-virus installed, you'd still get hit with Code Red or Nimda. These (and Welchia, and Blaster) result from not having patched machines. Anti-virus is the wrong solution here.
Running anti-virus to protect a machine is like running a car with an engine on fire, and having a fire extinguisher always spraying your engine. The engine shouldn't be on fire in the first place!