Our server was kinda hacked the other day. The attacker obtained an FTP password for one of our servers and was able to download some stuff - thank God nothing critical... While I'll save the details of the attack for my next blog post (this is quite a story actually! the hackers fooled our hosting company by submitting a fake support request), I'm going to share some knowledge I've accumulated during the last couple of days dealing with the consequences.
NB: my small company is powered by a bunch of Windows 2008 R2 servers, but some of these recommendations should fit any platform, not just Windows.
So, here we go. The steps I took to protect my VPS server from future attacks:
- Set up the lockout policy. By default your Windows server is not protected from a brute-force attack. An attacker, for instance, can open a thousand RDP (Remote Desktop) connections trying different username/password combinations... That's why you must set up the lockout policy for your server. Open "Start - Run - secpol.msc - Security Settings - Account Policies - Account Lockout Policy". Set the lockout threshold to "5 times" and the lockout duration to "5 minutes", for example - this will block an account for 5 minutes after 5 invalid login attempts.
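The same policy can be applied and checked from an elevated prompt instead of clicking through secpol.msc. This is an added example, not part of the original post; the values are the post's own (5 attempts, 5 minutes), and the observation window is an extra setting the console version needs, kept equal to the duration because Windows requires it to be no longer than the duration.

```powershell
# Added example: set the local account lockout policy with net accounts,
# which edits the same Local Security Policy that secpol.msc shows.
# Run from an elevated PowerShell prompt on the server itself.

$threshold = 5   # failed attempts before the account is locked
$duration  = 5   # minutes the account stays locked
$window    = 5   # minutes before the failed-attempt counter resets
                 # (must not exceed $duration, or the command is rejected)

net accounts "/lockoutthreshold:$threshold" "/lockoutduration:$duration" "/lockoutwindow:$window"

# Read the policy back. The lines of interest are 'Lockout threshold',
# 'Lockout duration (minutes)' and 'Lockout observation window (minutes)'.
net accounts | Select-String 'Lockout'
```

This covers local accounts on a standalone server; a domain-joined server gets the policy from the Default Domain Policy GPO instead. The short duration also bounds the cost of locking out your own admin account, whether by a typo or by a burst of bad passwords from outside: five minutes of waiting, not a call to the hosting company.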
- Disable the "support user". If you rent a server, very likely there'll be a support user account for your hosting provider's tech team. Disable it. Sometimes security is compromised through the hosting provider's staff (mine was).
- No FTP unless required. Disable FTP, SMTP and other unneeded services unless your customers/applications really need them. Enable FTP only when you're actually uploading files to the server, and limit it to your IP address.
- Install a nice password manager. You'd be surprised how many people go for the "one password for everything" mode. Even some geeky tech nerds I know, even programmers and system administrators... Don't. Even service accounts and database users must have unique, strong, generated passwords. I prefer the "LastPass" manager, which is available as a Chrome extension, and it has saved me a ton of headaches.
- Backup. Backup. Backup. Backup. Both on-site and off-site. Create daily backup jobs on your SQL server to back up your databases both locally and online. Even if you're running the free Express version of MS SQL Server there are still ways to create periodic "jobs".
Here's our configuration: all databases are backed up twice a day locally, and twice a week to online storage. For the online storage we use Microsoft SkyDrive; it offers 25 gigs of free space (which is pretty amazing) and comes with a sync tool. Another similar option to consider would be Dropbox, of course.
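Express edition ships without SQL Server Agent, so the "jobs" are a script run by Windows Task Scheduler. The script below is an added example, not the post's own setup: it backs up every user database with sqlcmd, verifies each file, optionally copies it into the sync tool's folder for the off-site copy, and prunes old files. The instance name, folder paths, retention and the `svc-backup` account are assumptions.

```powershell
# Added example (not from the original post). Saved as C:\Scripts\Backup-Sql.ps1
# (assumed path). Run with -Offsite on the days the copy should also go to the
# online storage folder.
param([switch]$Offsite)

$instance   = ".\SQLEXPRESS"                          # assumed instance name
$backupDir  = "D:\Backups\SQL"                        # assumed local folder
$offsiteDir = "C:\Users\svc-backup\SkyDrive\Backups"  # assumed sync-tool folder
$keepDays   = 14                                      # assumed retention
$stamp      = Get-Date -Format "yyyyMMdd-HHmm"

foreach ($d in @($backupDir, $offsiteDir)) {
    if (-not (Test-Path $d)) { New-Item -ItemType Directory -Path $d | Out-Null }
}

# Online user databases only (database_id 1-4 are master, tempdb, model, msdb).
# -h -1 drops the header row, -W trims padding; blank lines are filtered out.
$listQuery = "SET NOCOUNT ON; SELECT name FROM sys.databases WHERE database_id > 4 AND state_desc = 'ONLINE'"
$databases = & sqlcmd -S $instance -E -h -1 -W -Q $listQuery | Where-Object { $_ -match '\S' }

foreach ($db in $databases) {
    $file = Join-Path $backupDir ("{0}_{1}.bak" -f $db, $stamp)

    # WITH CHECKSUM stores page checksums in the backup so damage is detected
    # on verify. -b makes sqlcmd exit non-zero if the statement fails.
    # Note: the SQL Server service account writes the .bak file, not the
    # account running this script, so it needs write access to $backupDir.
    & sqlcmd -S $instance -E -b -Q "BACKUP DATABASE [$db] TO DISK = N'$file' WITH INIT, CHECKSUM"
    if ($LASTEXITCODE -ne 0) { Write-Error "Backup of $db failed"; continue }

    # A backup you have never read back is not a backup.
    & sqlcmd -S $instance -E -b -Q "RESTORE VERIFYONLY FROM DISK = N'$file' WITH CHECKSUM"
    if ($LASTEXITCODE -ne 0) { Write-Error "Verify of $file failed"; continue }

    if ($Offsite) { Copy-Item $file -Destination $offsiteDir }
}

# Prune copies older than $keepDays in both locations.
foreach ($d in @($backupDir, $offsiteDir)) {
    Get-ChildItem -Path $d -Filter *.bak |
        Where-Object { $_.LastWriteTime -lt (Get-Date).AddDays(-$keepDays) } |
        Remove-Item
}

# Scheduling (run once, elevated) for the post's cadence: twice a day locally,
# twice a week off-site. 'svc-backup' is an assumed account holding the
# db_backupoperator role on each database and write access to both folders.
#   schtasks /Create /TN "SQL backup 02" /SC DAILY /ST 02:00 /TR "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-Sql.ps1" /RU svc-backup /RP *
#   schtasks /Create /TN "SQL backup 14" /SC DAILY /ST 14:00 /TR "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-Sql.ps1" /RU svc-backup /RP *
#   schtasks /Create /TN "SQL backup offsite" /SC WEEKLY /D MON,THU /ST 03:00 /TR "powershell -NoProfile -ExecutionPolicy Bypass -File C:\Scripts\Backup-Sql.ps1 -Offsite" /RU svc-backup /RP *
```

The task account deliberately holds only the backup role, not sysadmin: if its password is ever caught the way the FTP one was, the attacker gets copies of the backups at worst, not the ability to alter the databases.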
- Firewall is a must. You can use the Windows Server 2008 built-in firewall; it's pretty good for a start, and you can upgrade to something more sophisticated later. The rule of thumb here is: BLOCK EVERYTHING inbound. Leave ports 80 and 443 open - and that's it.
- Don't use standard ports. If you need anything besides the web server open to the public (e.g. SQL Server, Terminal Services), then move those applications to non-standard ports - some weird number like 15089, etc.
The Terminal Services (RDP) port can be changed in the registry, at "HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber" (remember to restart the RDP service and allow incoming connections on the new port in the firewall).
SQL Server ports can be adjusted in the "SQL Server Configuration Manager" tool - "Network Configuration" - "Protocols for [INSTANCENAME]" - "TCP/IP" - right-click - "Properties".
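The firewall and non-standard-port steps above belong together, because a moved RDP port is only useful if the old one is closed and the new one is reachable solely from where you administer the server. The script below is an added example, not the post's own configuration: it sets a default-deny inbound policy, opens 80 and 443 to everyone, moves RDP to the post's example port 15089, and allows that port from one admin address only. The admin address is a placeholder from the documentation range.

```powershell
# Added example (not from the original post). Run elevated, and from the
# hosting provider's console rather than over RDP: restarting the service
# drops every RDP session, and a wrong $adminIp would lock you out.

$rdpPort = 15089            # the post's example of a "weird" port
$adminIp = "203.0.113.10"   # placeholder (RFC 5737 documentation address)

# 1. Default-deny inbound on all profiles; outbound stays open so Windows
#    Update keeps working. Built-in rules are disabled, never deleted (one
#    commenter notes that deleting them causes update problems).
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 2. The only services the public should reach.
netsh advfirewall firewall add rule name="Web HTTP"  dir=in action=allow protocol=TCP localport=80
netsh advfirewall firewall add rule name="Web HTTPS" dir=in action=allow protocol=TCP localport=443

# 3. Move the RDP listener (the registry key from the post); takes effect
#    when Remote Desktop Services restarts.
$rdpKey = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"
Set-ItemProperty -Path $rdpKey -Name PortNumber -Value $rdpPort -Type DWord

# 4. Admit the new port from the admin address only, then switch off the
#    stock "Remote Desktop" rules so 3389 is closed. The allow rule goes in
#    before the restart so there is never a moment with no way back in.
netsh advfirewall firewall add rule name="RDP custom port" dir=in action=allow protocol=TCP localport=$rdpPort remoteip=$adminIp
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# 5. Apply and confirm the listener moved.
Restart-Service TermService -Force
netstat -ano | Select-String ":$rdpPort\s"
```

Scoping the rule to `remoteip` is what actually removes RDP from the internet; the odd port number on its own only hides it from the laziest scans. If the admin address changes (home connection, travel), update the rule from the provider's console before relying on it.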
- No "/admin/" folder or other standard names. Your website's CMS folder should not be at "http://www.website.com/admin/". Your admin user should not be named "administrator". The login page for ASP.NET forms authentication should not be named "login.aspx". And so on; you get the point.
P.S. Dear attacker! If you're reading this - please let us know what you were looking for. Why not just send us a note and we'll give you what you need - for free... We provide free versions of our software to bloggers, non-profit organizations, we give away huge discounts etc. etc. We're a small friendly company, let's talk :)
9 comments:
Wow, that's exactly what I was looking for...
Windows server? You want security on Windows?
Windows 2008 R2 is a VERY secure server.
Anyone who says the opposite doesn't know security and is stuck on 10-year-old misbeliefs.
Btw, to the above good list you should add: application security. If your web apps are vulnerable, all the above is just useless.
Anyway, very good post.
"Windows 2008 R2 is a VERY secure server." Just not by default.
Server 2008 R2 is very secure, I blog about it once in a while, along with tips and tricks. Here are a few things from my experience that might save you someday.
FTP is a very insecure protocol, and I have stopped using it altogether on all of my systems. I use SFTP (FTP over SSH); you can make Windows support this using copssh easily enough.
As for your backup, I'd never use a "free" solution for anything important! Get a cheap linux VPS with a privacy guarantee on the other end of the country, since that will be much more secure. Of course, another server means more configuration, more learning. Even a professional rsync backup service would be better.
As an experienced Windows admin, I've found that deleting the firewall rules will lead to more problems (updates tend to give errors and hang halfway through); disabling them is acceptable, but they become enabled automatically again after Windows updates. I'd recommend a physical firewall in front of the server!
Heh, Phil's post says to me "Microsoft Windows Server 2008 R2 is safe and secure, as long as you don't rely on its own security and safety". Have to install SSH to get a secure transfer protocol; use Linux (!) for secure backup; use a physical firewall (something Linux is good for). Why not just use Linux then?
"Why not just use Linux then?"
LDAP and Kerberos Authentication. Much as I don't like Windows AD, it is *MUCH* easier to handle than openLDAP.
"Windows 2008 R2 is a VERY secure server." Just not by default.
Because everyone knows if you're looking for security, look to the default... lol
Did you know banks aren't safe when the alarm's off and the vault doors are open?
What triggered your attention that the files had been copied by the incorrect user? Do you use event viewer security logon/off notifications, file level auditing or some other method/third party tool?
I'm trying to improve my 2008R2 security knowledge and already follow most of the steps listed above, but am not sure of the best way to set up intrusion detection.
I only need to leave port 443 open as I support small business and all staff needing access know to use HTTPS. I am also testing hardware firewall (watchguard xtm22) which will be used for VPN access.
Also, not sure what I'm doing wrong, but I can't post on here as my Google account profile. Maybe it's just me!?!
Cheers
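The question above about how one would even notice the copying is worth answering with the logs Windows Server 2008 R2 already keeps. The script below is an added example, written for this page and not taken from the post or any commenter: it pulls failed logons grouped by source address, account lockouts (the post's policy actually firing), and file reads once file auditing is enabled. The watched folder and the threshold are assumptions.

```powershell
# Added example (not from the original post or comments). Run elevated on
# the server; reads the last 24 hours of the Security log.

$since   = (Get-Date).AddHours(-24)
$minFail = 10              # assumed: failed logons from one source worth a look
$watched = 'D:\Customers\*' # assumed: folder whose reads you care about

# Read a named EventData field from an event, by name rather than by
# position, so the same helper works for every event ID below.
function Get-EventField($evt, $name) {
    $xml = [xml]$evt.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $name }).'#text'
}

# 4625 = failed logon. Grouping by source address shows password guessing
# at a glance; LogonType 10 is RDP, 3 is network (file shares, IIS auth).
"--- Failed logons by source (>= $minFail) ---"
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4625; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object {
        New-Object PSObject -Property @{
            Source = Get-EventField $_ 'IpAddress'
            User   = Get-EventField $_ 'TargetUserName'
            Type   = Get-EventField $_ 'LogonType'
        }
    } |
    Group-Object Source |
    Where-Object { $_.Count -ge $minFail } |
    Sort-Object Count -Descending |
    Select-Object Count, Name, @{ n='Users'; e={ ($_.Group | Select-Object -ExpandProperty User -Unique) -join ',' } } |
    Format-Table -AutoSize

# 4740 = account locked out: the lockout policy from the post did its job.
# TargetDomainName in this event is the machine the attempts came from.
"--- Lockouts ---"
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4740; StartTime=$since } -ErrorAction SilentlyContinue |
    ForEach-Object { "{0}  locked out: {1}  from: {2}" -f $_.TimeCreated, (Get-EventField $_ 'TargetUserName'), (Get-EventField $_ 'TargetDomainName') }

# 4663 = object access. Only logged once two things are in place:
#   auditpol /set /subcategory:"File System" /success:enable /failure:enable
# and an audit entry (SACL) for Read on the folder itself, set under
# folder Properties > Security > Advanced > Auditing. After that, every
# read of a file below the folder records who did it and with which program.
"--- Reads under $watched ---"
Get-WinEvent -FilterHashtable @{ LogName='Security'; Id=4663; StartTime=$since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'ObjectName') -like $watched } |
    ForEach-Object { "{0}  {1}  {2}  {3}" -f $_.TimeCreated, (Get-EventField $_ 'SubjectUserName'), (Get-EventField $_ 'ObjectName'), (Get-EventField $_ 'ProcessName') }
```

Run it from a scheduled task that mails or writes the output somewhere you look daily; the value is in the baseline, since one day of "0 lockouts, 2 reads by the web app" makes the day with 400 failed logons from one address and reads by the FTP service obvious. Note that FTP transfers made with a valid password are successful logons, not failures, so for the scenario in the post it is the file-access auditing, not the 4625 count, that would have shown the download.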