Securing servers from internal and external threats is a key aspect of managing and administering Windows Servers. If you carefully design, implement and maintain your IT infrastructure, you will sleep better knowing you are safe, and your on-call engineer will not be woken by a nightmare. So how do you achieve tight security and control over the IT infrastructure without compromising the working environment? Here are some tips.
Keep the head office network isolated from the branch office networks. You can purchase an MPLS or IP WAN service from your ISP, or alternatively create a site-to-site VPN using a security appliance or an application such as Forefront TMG 2010. A better design approach is a multi-tier firewall, so that your internal servers, DMZ servers and branch servers stay securely connected while remaining separated from each other. You can assign specific VLANs to specific servers, services or applications, with correct Access Control Lists (ACLs) on Cisco switches and routers. This adds another layer of filtering to the network.
Host-based Firewalls
Windows Server 2008 and Windows Server 2012 ship with a built-in firewall (Windows Firewall with Advanced Security). You can configure it for a group of servers or for an individual server to provide a host-based firewall. Both versions include advanced firewall and security configuration tools that you can administer centrally through Group Policy Objects.
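The following is an added example, not code from the original post: a host-based firewall baseline for a Windows Server 2012 member server using the NetSecurity module (on Windows Server 2008 the equivalent is `netsh advfirewall`). It enables all profiles with a default inbound block, turns on logging of dropped packets, restricts remote administration to an assumed management subnet, and then reports any inbound allow rule that is open to every remote address. The subnet `10.0.10.0/24` and the log path are placeholder values.

```powershell
# Added example (not from the original post): host-based firewall baseline for a
# Windows Server 2012 member server. Assumed values: management subnet and log path.
#Requires -RunAsAdministrator
Import-Module NetSecurity

$mgmtSubnet = '10.0.10.0/24'   # assumed admin/jump-host subnet
$logPath    = '%systemroot%\system32\LogFiles\Firewall\pfirewall.log'

# 1. Turn the firewall on for every profile, block inbound by default,
#    and log dropped packets so an IDS or SIEM can consume them later.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName $logPath `
    -LogMaxSizeKilobytes 32767

# 2. Allow remote administration (RDP, WinRM) only from the management subnet,
#    and only on the Domain profile.
New-NetFirewallRule -DisplayName 'Admin - RDP from mgmt subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 3389 `
    -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain

New-NetFirewallRule -DisplayName 'Admin - WinRM from mgmt subnet' `
    -Direction Inbound -Protocol TCP -LocalPort 5985,5986 `
    -RemoteAddress $mgmtSubnet -Action Allow -Profile Domain

# 3. Report every enabled inbound Allow rule that is open to any remote address.
#    This is how a "temporary" exception quietly becomes a permanent hole.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $addr = $_ | Get-NetFirewallAddressFilter
        if ($addr.RemoteAddress -eq 'Any') {
            [pscustomobject]@{
                Rule          = $_.DisplayName
                Profile       = $_.Profile
                RemoteAddress = $addr.RemoteAddress
            }
        }
    } | Format-Table -AutoSize
```

Once the settings are agreed, the same values belong in a GPO (Computer Configuration, Windows Settings, Security Settings, Windows Firewall with Advanced Security) so that every server in the OU gets them and a local change is overwritten at the next policy refresh.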
Intrusion Detection Systems
Another key aspect of perimeter defence is a security appliance that hardens the network with an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS). These are third-party devices or appliances. An IDS monitors network traffic, logs data about it, analyses it against known signatures and for anomalies, recognizes potential attacks, and alerts IT staff to the perceived attack. An IPS does all of that, but it can also react to the perceived attack, for example by blocking the offending traffic, according to the rules you configure.
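To make the signature-versus-anomaly distinction concrete, here is an added example (not from the original post and not the logic of any particular IDS product) that runs both kinds of check over Windows Firewall log lines. The log lines are constructed sample data in the `pfirewall.log` format, the signature port list is an assumed one, and the scan threshold is a placeholder; a real appliance applies far richer rules to raw network traffic, but the two detection styles are the same.

```powershell
# Added example (not from the original post): a small signature-and-anomaly check
# over Windows Firewall log lines. The log below is constructed sample data.

$sampleLog = @'
#Version: 1.5
#Software: Microsoft Windows Firewall
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2014-03-01 10:00:01 DROP TCP 192.0.2.10 10.0.0.5 51234 445 40 S 1 0 8192 - - - RECEIVE
2014-03-01 10:00:01 DROP TCP 192.0.2.10 10.0.0.5 51235 135 40 S 1 0 8192 - - - RECEIVE
2014-03-01 10:00:02 DROP TCP 192.0.2.10 10.0.0.5 51236 3389 40 S 1 0 8192 - - - RECEIVE
2014-03-01 10:00:02 DROP TCP 192.0.2.10 10.0.0.5 51237 22 40 S 1 0 8192 - - - RECEIVE
2014-03-01 10:00:03 DROP TCP 192.0.2.10 10.0.0.5 51238 23 40 S 1 0 8192 - - - RECEIVE
2014-03-01 10:00:03 DROP TCP 192.0.2.10 10.0.0.5 51239 1433 40 S 1 0 8192 - - - RECEIVE
2014-03-01 10:00:04 ALLOW TCP 10.0.10.7 10.0.0.5 60001 3389 52 S 1 0 65535 - - - RECEIVE
2014-03-01 10:00:05 DROP UDP 198.51.100.4 10.0.0.5 40000 1434 29 - - - - - - - RECEIVE
'@

# Signature list (assumed for the example): destination ports that nothing outside
# should ever reach on this server. Tune it to the server's actual role.
$signaturePorts = @{ 23 = 'Telnet'; 135 = 'RPC endpoint mapper'; 1433 = 'SQL Server'; 1434 = 'SQL Browser' }
$scanThreshold  = 5   # distinct destination ports from one source => port-scan anomaly

function ConvertFrom-FirewallLog {
    # Parse the W3C-style log: the '#Fields:' header names the columns.
    param([string[]]$Lines)
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') {
            $fields = ($line -replace '^#Fields:\s*', '') -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or [string]::IsNullOrWhiteSpace($line)) { continue }
        $values = $line -split '\s+'
        $obj = [ordered]@{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $obj[$fields[$i]] = $values[$i] }
        [pscustomobject]$obj
    }
}

$events = ConvertFrom-FirewallLog -Lines ($sampleLog -split "`r?`n")

# Signature detection: a dropped inbound packet aimed at a known-bad service port.
$signatureHits = $events |
    Where-Object { $_.action -eq 'DROP' -and $signaturePorts.ContainsKey([int]$_.'dst-port') } |
    ForEach-Object { "[SIGNATURE] $($_.'src-ip') probed $($signaturePorts[[int]$_.'dst-port']) (port $($_.'dst-port'))" }

# Anomaly detection: one source touching many distinct ports, whatever the ports are.
$scanHits = $events |
    Where-Object { $_.action -eq 'DROP' } |
    Group-Object 'src-ip' |
    Where-Object { ($_.Group.'dst-port' | Sort-Object -Unique).Count -ge $scanThreshold } |
    ForEach-Object {
        $n = ($_.Group.'dst-port' | Sort-Object -Unique).Count
        "[ANOMALY] $($_.Name) hit $n distinct ports in the window: possible port scan"
    }

# An IDS stops here (alert); an IPS would additionally add a block rule for the source.
@($signatureHits) + @($scanHits) | ForEach-Object { Write-Warning $_ }
```

With the sample data, the signature pass flags the probes of ports 135, 23, 1433 and 1434, while the anomaly pass flags 192.0.2.10 for touching six distinct ports; the ALLOW from the management host and the single UDP drop from 198.51.100.4 trigger only what they should.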
Server Hardening - The Bottom Line
Take the following actions to prevent your servers from being hacked:
- Separate administrator roles by task, matching each administrator's job description
- Stop and disable all unnecessary services and applications
- Rename the built-in Administrator account
- Implement a password policy using the Default Domain Policy Group Policy Object
- Implement GPOs to secure servers and clients
- Delete or disable all unnecessary user accounts
- Run services and applications under dedicated service accounts instead of an IT admin's generic account, and store their passwords in a safe location
- Create role-based user accounts instead of accounts named after individual users
- Require strong authentication and certificates to access applications
- Perform regular firmware, operating system and application updates using WSUS or SCCM
- Install a reputable antivirus and anti-spyware program and manage it centrally
- Document all system configurations and store the documents in a safe location
- Audit and monitor the IT infrastructure regularly to catch any misconfiguration
- Use Read-Only Domain Controllers (RODCs) in branch offices
- Use Server Core installations to further reduce the attack surface
- Use NPS, NAP and Certificate Services to secure access to applications and services
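Several items in the checklist above can be scripted rather than clicked through. The following is an added example, not code from the original post, for a Windows Server 2008 R2 or 2012 domain member: it disables an assumed list of unneeded services, renames the built-in Administrator and disables Guest (via WMI, since `Rename-LocalUser` does not exist on these versions), moves an assumed application service `AppSvc` onto a dedicated service account, sets the domain password and lockout policy (this part runs on a domain controller with the ActiveDirectory module), previews the disabling of stale accounts, and exports a service inventory as a configuration record. The account name `srvadmin`, the domain `corp.example`, the service names and the output path are all placeholders.

```powershell
# Added example (not from the original post): baseline hardening for a Windows
# Server 2008 R2/2012 domain member. All names below are assumed placeholders.
#Requires -RunAsAdministrator

# --- Stop and disable unnecessary services (assumed list; review against the server's role) ---
$unneededServices = 'Spooler', 'RemoteRegistry', 'SSDPSRV', 'upnphost'
foreach ($name in $unneededServices) {
    if (Get-Service -Name $name -ErrorAction SilentlyContinue) {
        Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $name -StartupType Disabled
    }
}

# --- Rename the built-in Administrator (RID 500) and disable Guest (RID 501) ---
# Match on the well-known RID, not the name, so the script works after a previous rename.
$builtinAdmin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
if ($builtinAdmin.Name -eq 'Administrator') { [void]$builtinAdmin.Rename('srvadmin') }
$guest = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-501'"
if (-not $guest.Disabled) { $guest.Disabled = $true; [void]$guest.Put() }

# --- Run an application service under a dedicated service account, not an admin's login ---
# Win32_Service.Change(DisplayName, PathName, ServiceType, ErrorControl, StartMode,
#                      DesktopInteract, StartName, StartPassword, ...)
$svcCred = Get-Credential -Message 'Service account for AppSvc (e.g. CORP\svc_app)'
$appSvc  = Get-WmiObject Win32_Service -Filter "Name='AppSvc'"   # assumed service name
if ($appSvc) {
    $rc = $appSvc.Change($null, $null, $null, $null, $null, $null,
                         $svcCred.UserName,
                         $svcCred.GetNetworkCredential().Password)
    if ($rc.ReturnValue -ne 0) { Write-Warning "Change() failed with code $($rc.ReturnValue)" }
}

# --- Domain password and lockout policy (run on a DC with the ActiveDirectory module) ---
Import-Module ActiveDirectory
Set-ADDefaultDomainPasswordPolicy -Identity 'corp.example' `
    -MinPasswordLength 14 -ComplexityEnabled $true -PasswordHistoryCount 24 `
    -MaxPasswordAge (New-TimeSpan -Days 60) -MinPasswordAge (New-TimeSpan -Days 1) `
    -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
    -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false

# --- Disable domain user accounts with no logon in 90 days (preview first with -WhatIf) ---
Search-ADAccount -AccountInactive -TimeSpan (New-TimeSpan -Days 90) -UsersOnly |
    Where-Object { $_.Enabled } |
    Disable-ADAccount -WhatIf   # remove -WhatIf once the list has been reviewed

# --- Record the resulting service configuration for the documentation store ---
Get-WmiObject Win32_Service |
    Select-Object Name, State, StartMode, StartName |
    Export-Csv "C:\Docs\$env:COMPUTERNAME-services.csv" -NoTypeInformation   # assumed path
```

Run it once on a reference server, diff the exported CSV against the documented baseline on later audits, and push the password policy and service settings through GPO so that they are enforced rather than merely applied once.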