Better security in 5 easy steps
I love it when your server gets hacked; it gives me some measure of job security. However, I’m tired of seeing the same things every single time, so I’m going to tell you 5 easy ways to make your Windows web server more secure:
1. Disable the administrator account. This one should be a no-brainer. Let’s say you are a hacker, and you’re looking to log into an account that has total control over a Windows box. Hmm, I wonder what the name of that account would be? Create another account with full administrator rights and then disable administrator.
2. Use a complicated password for your newly created admin account. Every day at work I have to request login credentials from our users, and you have no idea how many times I’ve seen ‘password1’. I’d recommend a completely random string of letters, numbers, and symbols.
Whatever you do, don’t use leet speak. ‘P@$$w0rd’ isn’t any better than ‘password1’.
3. Prohibit any unused server extensions in IIS. Not running PHP? Disable it. The same goes for any scripting language that’s not in use.
4. Don’t place website data on your system partition. If you can, put it on a different physical drive. This not only makes sense from a security perspective, it’s also very practical in case of OS failure. If Windows breaks, just reinstall it and all of your website files are safe on the other drive.
5. This isn’t exactly a technical security suggestion, but if you’re going to have some stranger do work on your server, get some personally identifiable information about him. Get his real name, phone number, email address, anything, don’t just hand over your IP and login information. I’m flattered that you trust me, but I wouldn’t give my server over to a stranger unless I knew I could hold him accountable if he screwed it up.
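Steps 1 through 4 can be scripted. The following is an added example, not code from the original post, and it targets a modern Windows Server with IIS using the LocalAccounts and WebAdministration PowerShell modules (Windows Server 2016 and later) rather than the Server 2003 tooling the post has in mind. The account name ‘ops-admin’, the handler name ‘PHP_via_FastCGI’, and the short list of common words are all assumptions; check `Get-WebHandler` on your own server for the real handler names. Run it in an elevated session and read each function before calling it.

```powershell
# Added example (not from the original post): PowerShell for steps 1-4 of the post.
# Assumes the LocalAccounts and WebAdministration modules (Windows Server 2016+).
# Run from an elevated PowerShell session.

# --- Step 2: generate a random password from a CSPRNG, rejecting bytes that would bias the result ---
function New-RandomPassword {
    param([int]$Length = 24)
    $alphabet = [char[]]('abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#%&*+-=?')
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # bytes >= $limit are discarded to avoid modulo bias
    $buf   = New-Object byte[] 1
    $sb    = New-Object System.Text.StringBuilder
    while ($sb.Length -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { [void]$sb.Append($alphabet[$buf[0] % $alphabet.Length]) }
    }
    $sb.ToString()
}

# --- Step 2: treat leet-speak spellings as the plain word ('P@$$w0rd' normalizes to 'password') ---
$LeetMap = @{ '@'='a'; '4'='a'; '3'='e'; '1'='i'; '!'='i'; '0'='o'; '$'='s'; '5'='s'; '7'='t'; '|'='l' }
$CommonWords = @('password','admin','administrator','welcome','letmein','qwerty')   # constructed sample list

function Test-WeakPassword {
    param([string]$Candidate)
    $chars = $Candidate.ToLower().ToCharArray() | ForEach-Object {
        $k = [string]$_
        if ($LeetMap.ContainsKey($k)) { $LeetMap[$k] } else { $k }
    }
    $normalized = (-join $chars) -replace '\d+$', ''   # strip trailing digits: 'password1' -> 'password'
    return ($Candidate.Length -lt 12) -or ($CommonWords -contains $normalized)
}

# --- Step 1: create a differently named admin account, verify it, then disable the built-in one ---
function Set-RenamedAdminAccount {
    param([string]$NewAdminName = 'ops-admin')   # assumed name; choose your own
    $pw = New-RandomPassword
    if (Test-WeakPassword $pw) { throw 'Generated password failed the weakness check' }
    $secure = ConvertTo-SecureString $pw -AsPlainText -Force
    if (-not (Get-LocalUser -Name $NewAdminName -ErrorAction SilentlyContinue)) {
        New-LocalUser -Name $NewAdminName -Password $secure | Out-Null
    }
    Add-LocalGroupMember -Group 'Administrators' -Member $NewAdminName -ErrorAction SilentlyContinue
    # Do not disable the built-in account until the replacement is confirmed to be an administrator
    $members = Get-LocalGroupMember -Group 'Administrators' | Select-Object -ExpandProperty Name
    $pattern = '\\' + [regex]::Escape($NewAdminName) + '$'
    if (-not ($members -match $pattern)) {
        throw "$NewAdminName is not in Administrators; leaving the built-in account enabled"
    }
    Disable-LocalUser -Name 'Administrator'
    Write-Host "Record this password in your password manager now: $pw"
}

# --- Step 3: remove IIS handler mappings for scripting engines the server does not use ---
function Remove-UnusedHandlers {
    param([string[]]$UnusedHandlerNames = @('PHP_via_FastCGI'))   # assumed name; confirm with Get-WebHandler
    Import-Module WebAdministration
    $present = Get-WebHandler -PSPath 'IIS:\' | Select-Object -ExpandProperty Name
    foreach ($name in $UnusedHandlerNames) {
        if ($present -contains $name) {
            Remove-WebHandler -Name $name -PSPath 'IIS:\'
            Write-Host "Removed handler mapping: $name"
        }
    }
}

# --- Step 4: warn about any site whose content directory sits on the system partition ---
function Test-SiteOnSystemDrive {
    Import-Module WebAdministration
    foreach ($site in Get-Website) {
        $path = [Environment]::ExpandEnvironmentVariables($site.physicalPath)
        if ($path -like "$env:SystemDrive*") {
            Write-Warning "Site '$($site.Name)' serves from $path on the system partition; move it to another drive."
        }
    }
}

# Usage (elevated session):
#   Set-RenamedAdminAccount -NewAdminName 'ops-admin'
#   Remove-UnusedHandlers -UnusedHandlerNames 'PHP_via_FastCGI'
#   Test-SiteOnSystemDrive
```

`Test-WeakPassword` is what makes the leet-speak point from step 2 concrete: after normalization and trailing-digit stripping, both ‘P@$$w0rd’ and ‘password1’ collapse to ‘password’ and are rejected, while the generated 24-character string passes. The order in `Set-RenamedAdminAccount` matters too; the built-in account is only disabled after the replacement is confirmed in the Administrators group, so a failed account creation can never lock you out.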
Don’t let the Linux crowd tell you that Windows is unfit for web servers. Server 2003 is fast, easy to use, and just as secure as any Linux distro as long as you set it up properly. Just be sure to keep it patched, read up on the latest security news, and you’ll be fine.