Basic security hardening for Windows Server 2008 and 2012

  • 2020-05-15 03:07:01
  • OfStack

Meituan Cloud (MOS) offers cloud hosts running the Datacenter editions of Windows Server 2008 R2 and Windows Server 2012 R2. Because Windows Server has a large market share, a great deal of malware (viruses, trojans and the like) targets it, and such malware is easy to obtain and requires little skill to use, so the security of a Windows server needs particular attention. To use a Windows cloud host safely, it is recommended to apply the simple hardening measures below. They are simple, but sufficient to protect against most of the common security risks.

1. Use a strong password

When a server is created, Meituan Cloud automatically generates a random 12-character password for the administrator (Administrator) account. It is recommended to change this password immediately after the first login to the Windows server. Passwords should be random, contain numbers, uppercase and lowercase letters and special symbols, and be at least 12 characters long. A tool such as https://identitysafe.norton.com/password-generator can be used to generate a strong random password. Change the password at least once every three months.

After the administrator logs in to the host, press Ctrl-Alt-Delete and select "Change a password" (note: when logging in through the Meituan Cloud web terminal, click the "Ctrl-Alt-Delete" button in the upper right corner to send the key combination).
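As an added example (not from the original article), the same password policy can be applied locally in PowerShell instead of an online generator: `New-RandomPassword` draws characters from the .NET cryptographic RNG with rejection sampling, and `Test-PasswordPolicy` checks the length and character-class rules stated above. Both function names are this example's own.

```powershell
# Added example: generate and check passwords against the policy above
# (at least 12 characters; digits, upper- and lower-case letters, special symbols).
# Runs on Windows PowerShell 2.0 and later, so it works on 2008 R2 and 2012 R2.

function Test-PasswordPolicy {
    param([string]$Password, [int]$MinLength = 12)
    # All four character classes are required, plus the minimum length
    return ($Password.Length -ge $MinLength) -and
           ($Password -cmatch '[A-Z]') -and
           ($Password -cmatch '[a-z]') -and
           ($Password -match '[0-9]') -and
           ($Password -match '[^A-Za-z0-9]')
}

function New-RandomPassword {
    param([int]$Length = 16)
    $alphabet = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789!@#$%^&*()-_=+[]{};:,.?'
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    # Largest byte value that keeps "byte mod alphabet length" unbiased
    $limit = 256 - (256 % $alphabet.Length)
    do {
        $chars = New-Object char[] $Length
        for ($i = 0; $i -lt $Length; $i++) {
            $b = New-Object byte[] 1
            # Reject bytes above the limit instead of folding them in (no modulo bias)
            do { $rng.GetBytes($b) } while ($b[0] -ge $limit)
            $chars[$i] = $alphabet[$b[0] % $alphabet.Length]
        }
        $candidate = -join $chars
    } while (-not (Test-PasswordPolicy $candidate))   # retry until every class is present
    return $candidate
}

$pw = New-RandomPassword -Length 16
Write-Host "Generated password: $pw"
Write-Host ("Meets policy: {0}" -f (Test-PasswordPolicy $pw))
```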

2. Enable automatic system update

The Windows Server images on Meituan Cloud are properly licensed, so the Windows Update service can be enabled to automatically install patches for system vulnerabilities before a malicious attacker can use them to break into the server. Use the following steps to check whether automatic updates are enabled; if they are not, it is recommended to enable them.

Windows Server 2008

Click the "Server Manager" icon in the taskbar; in the panel on the right, click "Configure updates" and, in the dialog box that pops up, select "Install updates automatically".

Windows Server 2012

Click the "Server Manager" icon in the taskbar to open the Server Manager dashboard, click "Configure this local server" and then click the link next to "Windows Update" in the window that opens. If automatic updates are not enabled, the warning shown in the figure is displayed; click "Enable automatic updates".
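The same check and change can be scripted from an elevated PowerShell prompt on either 2008 R2 or 2012 R2 through the Windows Update Agent COM object `Microsoft.Update.AutoUpdate`; this is an added example, not part of the original article, and it also handles the case where a domain policy (WSUS/GPO) has made the setting read-only.

```powershell
# Added example: verify that Windows automatic updates are enabled, enable them
# if not, and show when updates were last searched for and installed.
# Run from an elevated prompt; Settings.Save() requires administrator rights.

$au = New-Object -ComObject Microsoft.Update.AutoUpdate
$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
             3 = 'Notify before install'; 4 = 'Scheduled installation (automatic)' }

$current = $au.Settings.NotificationLevel
Write-Host ("Current setting: {0} ({1})" -f $current, $levels[$current])

if ($current -ne 4) {
    if ($au.Settings.ReadOnly) {
        # Managed by Group Policy / WSUS: the change has to be made in that policy
        Write-Host "Setting is read-only (controlled by policy); cannot change it here."
    } else {
        # 4 = download and install updates automatically on the configured schedule
        $au.Settings.NotificationLevel = 4
        $au.Settings.Save()
        Write-Host "Automatic updates enabled."
    }
}

# Start a detection pass now and report the last successful search and install
$au.DetectNow()
Write-Host ("Last successful search:  {0}" -f $au.Results.LastSearchSuccessDate)
Write-Host ("Last successful install: {0}" -f $au.Results.LastInstallationSuccessDate)
```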

3. Turn on the firewall

Meituan Cloud already provides a firewall service; if you are using a Meituan Cloud host, you can configure it in the Meituan Cloud control panel. The firewall provided by the Meituan Cloud platform filters network ports outside the virtual machine; its configuration is relatively simple and it is suitable for general use. If its functions meet your requirements, it is recommended to turn off the built-in Windows firewall. Otherwise, refer to the following to set up the built-in Windows firewall.

(Note: to avoid conflicts between the built-in Windows firewall and the cloud platform firewall, set the cloud platform firewall to "open" after enabling the built-in Windows firewall.)

If public network bandwidth has been purchased for the Windows server, a network card with a public IP address is connected to the public network, and users reach the services deployed on the host through that IP address. At the same time, however, a malicious attacker may exploit a system vulnerability to break into your server through the public IP. So, in addition to enabling automatic updates to patch system vulnerabilities promptly, it is also recommended to turn on the Windows Server firewall, which reduces the number of ports directly exposed to the public network and the risk that a dangerous port is exposed. In addition, for administrative service ports such as Remote Desktop (TCP 3389), it is a good idea to set up an IP whitelist for access, to minimise the risk of being maliciously scanned.

(Note: it is recommended to configure the firewall through the web terminal of the Meituan Cloud console, so that a mistake made during configuration cannot cut off your Remote Desktop connection.)

The steps to enable the Windows firewall are as follows:

Windows Server 2008

Click the "Server Manager" icon in the taskbar; in the tree on the left, click "Go to Windows Firewall", then right-click "Windows Firewall with Advanced Security" in the panel on the right. In the dialog box that opens, select the "Public Profile" tab, set "Firewall state" to "On", and click "OK" to close the dialog.

After turning the firewall on, make sure that Remote Desktop access is still allowed so that remote administration is not affected:

In the tree on the left, expand "Windows Firewall with Advanced Security", click "Inbound Rules", and in the rules list in the middle check whether "Remote Desktop (TCP-In)" is enabled. If it is not, select the rule and click "Enable Rule" on the right.

Windows Server 2012

Click the "Server Manager" icon in the taskbar to open the Server Manager dashboard, click "Configure this local server" and then the "Windows Firewall" link in the window that opens. In the dialog box, click "Turn Windows Firewall on or off" on the left, make sure "Turn on Windows Firewall" is selected under "Public network settings", and leave the two check boxes below it unchecked. Click OK to close the dialog.

Similarly, after enabling the firewall, make sure that Remote Desktop access is allowed:

In the "Windows Firewall" window, click "Advanced settings" to open "Windows Firewall with Advanced Security" and select "Inbound Rules" in the left column. In the rules list in the middle, find the "Remote Desktop - User Mode (TCP-In)" rule whose "Profile" is "Public" and check that it is enabled. If it is not, select the rule and click "Enable Rule" on the right.

If the IIS service is installed, the system automatically installs and enables inbound rules allowing the 80 (HTTP) and 443 (HTTPS) services, and no special configuration is needed. If a third-party web server such as LAMP is installed, however, the inbound rules allowing access to ports 80 and 443 must be created manually. The procedure is the same on Windows 2008 and 2012:

In the firewall's "Inbound Rules" view, click "New Rule..." on the right. In the dialog box, select "Port" and click "Next". For "Does this rule apply to TCP or UDP?", select "TCP"; then select "Specific local ports", type "80, 443" in the input box and click "Next". Select "Allow the connection" and click "Next", select all profile check boxes and click "Next", enter "Web service" as the name and click "Finish".
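The whole firewall procedure above (enable the public profile, keep the Remote Desktop rule on, whitelist the administrative range for TCP 3389, and allow 80/443 for a third-party web server) can be run as a script through the web terminal; this is an added example, not from the original article, using `netsh advfirewall` because it works identically on 2008 R2 and 2012 R2. `$AdminNet` is a placeholder for your own management IP range.

```powershell
# Added example: the firewall steps above as an elevated PowerShell script.
# netsh advfirewall is used (not the NetSecurity cmdlets) so that the same
# script runs on both Windows Server 2008 R2 and 2012 R2.

$AdminNet = '203.0.113.0/24'   # placeholder: replace with your real admin IP or range

# 1. Turn the firewall on for the public profile (the profile bound to the public NIC)
#    and keep the default policy: block unsolicited inbound, allow outbound.
netsh advfirewall set publicprofile state on
netsh advfirewall set publicprofile firewallpolicy blockinbound,allowoutbound

# 2. Keep Remote Desktop reachable. The built-in rule is named differently on
#    2008 ("Remote Desktop (TCP-In)") and on 2012 ("Remote Desktop - User Mode (TCP-In)");
#    kernel version 6.2 and above means Server 2012 or 2012 R2.
$rdpRule = if ([Environment]::OSVersion.Version -ge [Version]'6.2') {
    'Remote Desktop - User Mode (TCP-In)'
} else {
    'Remote Desktop (TCP-In)'
}
netsh advfirewall firewall set rule name="$rdpRule" new enable=yes

# 3. IP whitelist: only the administrative range may reach TCP 3389
netsh advfirewall firewall set rule name="$rdpRule" new remoteip=$AdminNet

# 4. Allow HTTP/HTTPS for a third-party web server (IIS creates its own rules)
netsh advfirewall firewall add rule name="Web service" dir=in action=allow protocol=TCP localport=80,443 profile=any

# 5. Verify the result
netsh advfirewall show publicprofile
netsh advfirewall firewall show rule name="$rdpRule" verbose
netsh advfirewall firewall show rule name="Web service"
```

Run it from the console web terminal rather than over RDP, for the reason given in the note above: if `$AdminNet` does not contain the address you are connecting from, step 3 will drop your own Remote Desktop session.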

4. Enable IE Enhanced Security Configuration

With IE Enhanced Security Configuration enabled, the server's IE browser can only access whitelisted sites. This effectively prevents an administrator from accidentally visiting a malicious site from the server and infecting it with viruses or trojans. This configuration is enabled by default; if it is not, it is recommended to enable it. The procedure is:

Windows Server 2008

Click the "Server Manager" icon in the taskbar; in the panel on the right, click "Configure IE ESC" and turn the feature on or off in the dialog box that pops up.

Windows Server 2012

Click the "Server Manager" icon in the taskbar to open the Server Manager dashboard, click "Configure this local server" and click the link next to "IE Enhanced Security Configuration". Turn the feature on or off in the dialog box that pops up.

5. Install and enable anti-virus software

Finally, you can install and enable real-time anti-virus software to improve server security further. If malware breaks through the defences established in the previous four steps and gets onto the cloud host, real-time anti-virus software can prevent it from running and keep the host secure.

Windows Security Essentials is free anti-virus software developed by Microsoft for Windows 7 / Vista; it can be used to protect the Windows Server 2008 R2 Datacenter edition.

Installing Windows Security Essentials is straightforward: download and run the installer from the link above and follow the step-by-step wizard.

Few (free) anti-virus products are available for the Windows Server 2012 Datacenter edition. You can apply for a trial of System Center 2012 R2 Configuration Manager and install its anti-virus client, System Center Endpoint Protection.

Installation method:

After downloading the package, extract it (currently SC2012_R2_SCCM_SCEP.exe) and go into the SMSSETUP/CLIENT directory.

Double-click scepinstall and follow the instructions to install System Center Endpoint Protection step by step.

This site suggests a standalone server installation: McAfee 8.8

6. A reasonable service deployment architecture

Finally, a reasonable service deployment architecture reduces the exposure of the whole Windows server deployment and raises the bar for attackers. The principles to follow are:

Single-role principle: one cloud host does one thing and provides one service. For example, the database service runs on one server and the web server is deployed on another. This makes it possible to assess precisely whether a server needs a public network address and which ports need to be open, so that as few public addresses and ports as possible are exposed, reducing the points of risk. For example, a database service generally does not need a public network address, so no public bandwidth needs to be purchased, which saves money and is more secure at the same time. The web server opens only ports 80/443, and all other ports can be closed by the firewall.

Principle of minimalism: services and functions that need not be enabled are not enabled, software that need not be installed is not installed, ports that need not be open are kept closed, and a host that need not be reachable from the public network does not get public bandwidth. Sticking to the principle of minimalism is not only energy-saving and environmentally friendly, it also reduces security risks.
