A List of No-Brainers for Windows Server Security
2023-9-26 02:56:23 Author: infosecwriteups.com

Zee

InfoSec Write-ups

In the cyber security space, one of the first things I do when assessing the security of a company’s ICT assets is to analyse their server security. And oftentimes, I find common security flaws in their servers that would have been no-brainers for a seasoned security professional.

Stock image of a server room

For those of you who may not be familiar with servers, a server is a powerful computer that stores and manages information, files, or services that other computers or devices can access over a network. Think of it as a central hub that can respond to requests from other devices, such as serving a website, storing files, or managing email.

Servers can be of different types, each with their own functions.

One common type of server is a “web server.” A web server is a computer or software application that stores and serves websites and web pages to users when they request them through a web browser. It processes the user’s request, retrieves the requested web page or content from storage, and then sends it to the user’s browser for display.

Simple visualisation of a web server

In this article, I will focus on a list of ‘no-brainers’ — or security baselines that you should implement in your Windows Server for an adequate level of security.

The oldest Windows Server operating system that can run modern antivirus software is Windows Server 2008. However, Windows Server 2012 R2 is the oldest operating system that can run a Windows antivirus (e.g., Defender).

However, it’s important to note that the support for Windows Server 2008 ended on January 14, 2020. This means that Microsoft no longer provides security updates or patches for this operating system, making it less secure and potentially vulnerable to security threats.

The first no-brainer is to run a server operating system that:

1. Is still supported by Microsoft with security updates and patches; and

2. Supports antivirus software.

Once you use a server with an operating system that is still receiving security updates and patches from Microsoft, ensure you are regularly installing these patches on the servers.

I would recommend patching at least once every fortnight; however, if you are a small operation, you can still receive good protection by patching at least once a month.

Common password policies for users and administrators set the minimum at 8 characters; however, it has been proven that the longer your password is, the harder it is to crack. It is thus recommended to have the following password requirements for server admin accounts:

  • Maintain a 15-character minimum length requirement.
  • Require special characters such as *&(^%$, uppercase and lowercase letters, and numbers.

Once you have ensured that your operating system supports antivirus software, it is time to install the antivirus software itself. You can use either Windows Defender, or other antivirus software that may support a version that Defender does not support, for example, Symantec Endpoint Protection for Windows Servers.

User Account Control (UAC) is a security feature in Windows that helps prevent unauthorized changes to the system by notifying you when a program tries to make changes that require administrative permissions.

You can access UAC settings through the Control Panel. Go to “Control Panel” > “System and Security” > “Security and Maintenance” > “Change User Account Control settings.” Then set it to Always notify. This is the highest security level.

If you are storing data that includes sensitive information about yourself, your client, your business, staff, etc., you need to encrypt your data both at rest and in transit. This ensures that if your sensitive information were to be compromised, it would not be in plaintext and readable by the adversary. Choose an encryption method that is easier to implement but harder to crack. Use technologies like BitLocker for disk encryption and HTTPS for secure communication.

Configure a firewall to restrict unnecessary network traffic and allow only the required ports and services to communicate with the server. Windows Firewall is a good starting point. You can implement intrusion detection systems (IDS) or intrusion prevention systems (IPS) to further reinforce perimeter security if you wish.

…And last but not least

Regular backups are necessary for several important reasons, and they play a crucial role in data management and disaster recovery. It’s important to note that simply creating backups is not enough; you must also regularly test the backup and recovery processes to ensure they are functional, and that data can be successfully restored.
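
Several of the baselines above (patch recency, UAC at "Always notify", the firewall, antivirus and disk encryption) can be checked in one read-only pass. The PowerShell below is an added example, not part of the original article; the function names Get-BaselineAudit, New-Check and Test-Cmdlet and the 30-day patch threshold are assumptions chosen for illustration, and it is meant to be run from an elevated session on the server.

```powershell
# Added example: read-only audit of several baselines from this article.
# Helper names and the 30-day threshold are illustrative assumptions.
function New-Check($Control, $Pass, $Detail) {
    [pscustomobject]@{ Control = $Control; Pass = [bool]$Pass; Detail = $Detail }
}
function Test-Cmdlet($Name) { [bool](Get-Command $Name -ErrorAction SilentlyContinue) }

function Get-BaselineAudit {
    param([int]$MaxPatchAgeDays = 30)   # "at least once a month" floor

    # Patching: the newest installed update must fall inside the window.
    $last = Get-HotFix | Where-Object InstalledOn |
        Sort-Object InstalledOn -Descending | Select-Object -First 1
    $age = if ($last) { ((Get-Date) - $last.InstalledOn).Days } else { $null }
    New-Check 'Patches' ($last -and $age -le $MaxPatchAgeDays) "newest update $($last.HotFixID) is $age days old"

    # UAC: "Always notify" = UAC on, consent prompt on the secure desktop.
    $uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    $alwaysNotify = $uac.EnableLUA -eq 1 -and $uac.ConsentPromptBehaviorAdmin -eq 2 -and
        $uac.PromptOnSecureDesktop -eq 1
    New-Check 'UAC Always notify' $alwaysNotify "ConsentPromptBehaviorAdmin=$($uac.ConsentPromptBehaviorAdmin)"

    # Firewall: every profile enabled, and none allowing inbound by default.
    $weak = Get-NetFirewallProfile |
        Where-Object { $_.Enabled -ne 'True' -or $_.DefaultInboundAction -eq 'Allow' }
    New-Check 'Firewall' (-not $weak) "weak profiles: $($weak.Name -join ', ')"

    # Antivirus: Defender status, if Defender is the product in use.
    if (Test-Cmdlet 'Get-MpComputerStatus') {
        $mp = Get-MpComputerStatus
        New-Check 'Defender' ($mp.AntivirusEnabled -and $mp.RealTimeProtectionEnabled) "signature age: $($mp.AntivirusSignatureAge) days"
    } else {
        New-Check 'Defender' $false 'Defender cmdlets absent; verify the third-party antivirus by hand'
    }

    # Encryption at rest: BitLocker protection on the system drive.
    if (Test-Cmdlet 'Get-BitLockerVolume') {
        $vol = Get-BitLockerVolume -MountPoint $env:SystemDrive
        New-Check 'BitLocker' ($vol.ProtectionStatus -eq 'On') "$($vol.MountPoint) $($vol.VolumeStatus)"
    } else {
        New-Check 'BitLocker' $false 'BitLocker feature not installed'
    }
}

Get-BaselineAudit | Format-Table -AutoSize
```

The script changes nothing on the host; password policy, HTTPS configuration and backup restore tests are not covered and still need their own checks.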



Source: https://infosecwriteups.com/a-list-of-no-brainers-for-windows-server-security-bcaf80b2f022?source=rss----7b722bfd1b8d---4