Welcome to WebmasterWorld Guest from 220.127.116.11
Forum Moderators: ocean10000
How do I avoid hackers from breaking into my Windows 2003 server?
Please advise best practices and also recommend firewalls, etc.
What about the bult in firewall in Windows 2003 server, is it good?
Please also point to threads on this topic.
Jake's top ten:
First: Before you do anything, go into your Services applet in Control Panel. Make sure you know what EVERYTHING does. I mean it. Go through, type in the name of every service into Google, and figure it out. I believe there is no way in sam-hell that you can administer a server properly without knowing the function and perils of everything that is running, ESPECIALLY on automatic startup. Linux users, reading this too? GO DO IT NOW.
Second: Take that knowledge from above, and turn everything you don't need off. "Everything you don't need" is defined as programs that do not need to be running or accessed in the normal, day-to-day operations of a server. Linux users, reading this too? GO DO IT NOW. Then, uninstall everything you don't need. Browsers, mail clients, everything.
Third: Use HfNetChk [microsoft.com] twice a day. Put it on an automated script, and have it email results to someone who can and will read and interpet those results. HfNetChk will ALWAYS pick up patches and bugfixes quicker than Windows Update and it's Automatic counterpart.
Fourth: Subscribe to NTBugtraq [ntbugtraq.com]. Read the posts. Daily at the worst. More frequently at best.
Fifth: Subscribe to NANOG [nanog.org]. Most of it is offtopic for what you do, but network operators are the first people to notice widespread virus/worm attacks.
Sixth: Get a good (read: Hardware) firewall. Software firewalls are stupid marketing ploys. Start by allowing only HTTP connections to the webserver, and drop on the floor (not reject) everything else. Open up ports one by one, as necessary. Never open up NetBIOS or SQL Server ports unless absolutely necessary.
Seventh: Run the Baseline Security Analyzer [microsoft.com] and IIS Lockdown Tool [microsoft.com]. Use caution while running this - its defaults are very strict, and can knock out some custom configs.
Eighth: Lock down user accounts. Got an FTP server? Lock it down. No administrative level access by FTP. Valid user accounts should only be allowed access to their directory - lock them into a jail. No execute access allowed by FTP.
Ninth: Get a test server. Don't do any development or run any under-development applications on the live server. Only transfer fully tested (and audited!) applications on the live server. Don't run anything you didn't write without testing it on a test server first. Don't let people put code on your server that you haven't audited. I call this the human anti-virus. If you do this, you don't even need anti-virus on the server (which is terrible for performance), because you aren't running anything that you personally haven't executed before.
Tenth: Your server is your baby! I'd never think of having kids and then ignoring them for more than minutes at a time. Your server is your baby. Get an external monitoring service. Check her once an hour for problems, or better yet, write a script that checks her for you and alerts you to any unknown variance from normal operation. Take care of her!
This thread is becoming more and more interesting. I checked first point of bakedjake on win2k3 machines and searched on google. I found information for most of the processes / progarms running on machine but still for few I did not get any information. Can you provide me some information
Image Name User Name
1. crss.exe System
2. dcevt32.exe System
3. dcstor32.exe System
4. diagorb.exe System
5. mr2kserv.exe System
6. realpoke.exe System
Create an Administator account with a name other than "Administrator" Disable the "Administrator" account.
If you use terminal services, configure it so it runs on a different port - update firewall accordingly.
Also, the nice the thing about Windows 2003 (unlike W2k) is that most services are turned off by default. (for example IIS)
Software firewalls are stupid marketing ploys.
I can't agree with this statement.
Yes, in a server environment you should definitely be using a hardware firewall but that doesn't mean software firewalls should be discounted as a 'marketing ploy' - they are extremely useful for protecting home machines and laptops. Good ones (like ZoneAlarm) perform very well with a minimum of fuss.
To catch emails as they come in, if your server is also a mail server.
It's the email client that activates the virus, not the mailserver.
Apart from that, common sense should be enough to keep viruses away. I have never used anti-virus software, and I've never had a virus. I own computers since the first 12 MHz AT clone was available... ;)
This might not be the case if you run your own server. But if you are going
with 3rd party web hosting company, your competitors will most likely check
in yourdomain.com/webalizer , yourdomain.com/stats, etc.. to check out your log
Whether the mailserver opens it or not, isn't it a good idea to kill the virus at the point of entry, rather than storing it, and later passing it on to a client? Virus (and spam) filtering in the mailserver seems like a good idea.
why whould you need an anti virus on your server?
1) to protect against momentary stupidity
2) to protect against new viruses which target using means other than email such as welchia and blaster. These viruses simply find vulnerable machines ... no one needs to even be logged in or on the desktop or anything. REMEMBER TODAY MANY VIRUSES HAVE NOTHING TO DO WITH EMAIL OR BROWSING. Code red and nimbda did not require any user initiation of the virus.
Anyone on a windows machine who does not have an up-to-date anti-virus product on every single machine is having the equivelent of anonymous unprotected sex at the local neighborhood gas station. In other words, he or she deserves whatever happens to them. The "it has never happened to me" mindset will lead to disaster.
doesn't mean software firewalls should be discounted as a 'marketing ploy'
Software firewalls are worse than useless as they give people a false sense of security. They increase the instability of machines, harrass users with too much data (often leading to them being disabled entirely) and don't to a particularly good job in the first place.
Code red and nimbda did not require any user initiation of the virus.
This is a half-truth; you're leading people in the wrong direction.
If you had anti-virus installed, you'd still get hit with Code Red or nimda. These (and welchia, and blaster) result from not having patched machines. Anti-Virus is the wrong solution here.
Running anti-virus to protect a machine is like running a car with an engine on fire, and having a fire extinguisher always spraying your engine. The engine shouldn't be on fire in the first place!