[Windows] Secure your Windows VPS

Justina

Anyone who manages a server must ensure its security. Currently, there are many threats, which attack servers in a wide variety of ways. In this article, we'll provide some basic tips to help ensure your Windows server's security.

Disable your server Administrator user

Attempts to hack servers are most common through main system users. On Linux OS servers, this is the root user, and on Windows servers, this user is the Administrator. To reduce the risk of breaching into the server through this user using brute-force attacks, it is best to disable it. Instead, you can create an alternative user with full administrator privileges and use it to manage your server.

To create a user, you can check this guide.

After you created the new user, log in to your server and go to Computer management → Local users and Groups.

Right-click the Administrator user and pick Properties. Checkmark Account is disabled and click Ok.

Set up a Strong Password for Your Administrator Account

Using various ingenious techniques, it is possible to generate giant databases with potential passwords and their hash values. Such databases also include real passwords that have been leaked in various ways. There are sites, which allow downloading the existing 15GB password database. So often, bad guys don’t even have to worry about hacking your password. All they need to do is create a solution that will automatically search for text that matches your password hash in that database.

For this reason, it's essential to have a strong password and also update it regularly.

• It is very useful to use your own fancy words that are not in the dictionary. Passwords are often guessed based on words written in dictionaries. Therefore, the use of fictional words, as well as the use of words with changed inclinations, is a good way to reduce the risk of a sly word being guessed.
• Using numbers or changing letters to numbers also helps ensure password security. For example, you can use 0r4ngeC4t instead of OrangeCat as your password. This immediately reduces the risk because, in dictionaries, words are created using only letters.
• The longer the password, the more time it takes to crack it. Use as many characters as possible in the password. Definitely not 6.
• Finally, the use of characters helps. Just putting a dot at the end of your password will make it harder to crack it.

Change the default remote desktop connection Port

Just as it is recommended to change the default SSH port from 22 on Linux servers, it is recommended to change the standard RDP port 3389 on Windows servers.

The port is changed on the Registry Editor. To open it, press the Win+R combination and execute the following command:

regedit

Then follow the path below:

HKEY_LOCAL_MACHINE / SYSTEM / CurrentControlSet / Control / Terminal Server / WinStations / RDP-Tcp

Right-click on PortNumber and select Modify

In the newly opened window, you will see Value data. The value will be unclear, but you will see the port by selecting Decimal Base on the right. Put your port value there.

You can also change the RDP port via Power Shell:

Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -name "PortNumber" -Value 3390
New-NetFirewallRule -DisplayName 'RDPPORTLatest' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort 3390

If the firewall runs on your server, you need to change the configuration to allow connections through the specified port. You can find a tutorial for this on this here.

Allow access to your server via RDP only for certain IP addresses

Through a firewall, you can specify certain IP addresses for your configured RDP port that will be able to connect to the server. When you go to the firewall, find the rule you created. Right-click and select Properties, and then select Scope. In the Remote IP address section, click Add and specify the IP address that the server can access via RDP.

Keep the Windows firewall running

A firewall is the basic protection of a server. Unfortunately, most tend to disable it because it uses server resources or sometimes blocks certain services. And yet, it is necessary because it is designed specifically to protect the server from malicious requests, software, etc. Also, the firewall filters server traffic. This is done either according to the standard or according to your custom settings.

Perform regular updates

You may have noticed that your personal PC also occasionally notifies you that updates have been released and need to be installed. This is done for a reason. Each update optimizes services, software and also addresses security vulnerabilities that third parties could exploit. For this reason, it is essential to regularly update both the operating system on your server and the software running there.

You can install updates on the server in Settings -> Update & security → Windows Update

If you host a website created with WordPress, it is also necessary to update it when the new version is already available. It is equally important to update the plugins used on the site.

Use of third-party solutions on the server to ensure security

In other words, antivirus programs. They come in both paid and free. Everyone can choose according to their needs and abilities. Here are some of the most popular free solutions that have been popular lately:

• Avira - one of the best-rated solution’s lately
• Panda - protection with a friendly interface
• Sophos - Good real-time scanning with remote access for 3 PCs.
• Kaspersky - includes some extras (VPN, dark web monitoring, password manager)

However, we cannot guarantee the safety and effectiveness of these solutions. Be sure to check the reputation of third-party equipment before installing it on the server. Besides, all additional applications use resources on your server. So it is necessary to evaluate whether your plan allows such luxury.

Conclusion

I wish I could say that basic server security is only recommended, but in my opinion, it is already becoming mandatory. Every day, more and more modern solutions appear, which increase the risk that some bad guys can use your equipment. And using a server for purposes like an attack or sending SPAM is the least of the consequences. Just think about the leakage of your personal data, the use of money on your credit card, and other things you don’t really want to think about.

So, be sure to take some time and protect your server.