Hardening a file-serving Windows Server 2019 instance
I'm in the process of re-configuring and securing a server for the small company that I work for. We use it to store design files and other data with Autodesk Vault. It's running on a VPS from a server provider close by.
The reason I'm doing this is that we've been notified by our server provider that they receive complaints about our server misbehaving on the internet, indicating it is compromised to some extent. We haven't noticed any problems other than that. The server was originally set up before I came to the company, and I could not find any documentation about its configuration. It was also running Windows Server 2012, so I decided to start afresh with a new VPS running Windows Server 2019. This is the first time I'm working with Windows as a server OS, but I have some experience of managing Ubuntu servers.
Looking in Event Viewer on the old server, there are endless "4625 Audit Failure" logon attempts to the server, but also quite a few successful logins that do not originate from me or our organization. Example of a 4624 Audit Success:
```
An account was successfully logged on.
Subject:
Security ID: NULL SID
Account Name: -
Account Domain: -
Logon ID: 0x0
Logon Type: 3
Impersonation Level: Impersonation
New Logon:
Security ID: ANONYMOUS LOGON
Account Name: ANONYMOUS LOGON
Account Domain: NT AUTHORITY
Logon ID: 0x9ABEAB7
Logon GUID: {00000000-0000-0000-0000-000000000000}
Process Information:
Process ID: 0x0
Process Name: -
Network Information:
Workstation Name:
Source Network Address: 117.45.167.129
Source Port: 11949
Detailed Authentication Information:
Logon Process: NtLmSsp
Authentication Package: NTLM
Transited Services: -
Package Name (NTLM only): NTLM V1
Key Length: 0
```
So, to harden the new server I've done the following:
- Chosen a much more secure password than before
- Installed IPBan (https://github.com/DigitalRuby/IPBan) which blocks IPs that fail login attempts using various services
- Disabled NTLM login, as per the recommendations from IPBan installation guide
I would like to block all possible routes of access by only allowing Autodesk Vault, which communicates over HTTP(S) at port 80/443 (I'll likely configure it so that only HTTPS is allowed), and remote desktop, which I need to manage the server. But looking at the Windows Defender Firewall default rules, there are tons of open ports as default configuration. I find this a bit strange on a server OS - I want it to block everything that I don't explicitly allow. Can I safely disable all of these except RDP and HTTPS? Does it help? Have I missed something else obvious in my server hardening procedure?

[Screenshot of allowed services in Windows Defender Firewall]
Have a good weekend!
First of all, reinstall the server, because:
- This one might be compromised and can't be trusted anymore.
- Windows is secure by default, and maybe someone lowered the security settings of your server; hard to tell if there is no documentation.
You can take a look at this canonical question: How do I deal with a compromised server?
Check the Windows Security Baselines too, Microsoft updates them regularly.
About the firewall rules, you can export them first:
If you don't need RDP, remote management, remote PowerShell, ... it's safe to disable or delete the default rules (ensure you can access the VM console first; if you remove everything you won't be able to connect using RDP) and create the rules that you need.
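The steps the answer describes, written out in PowerShell as an added example (not code from the question or the answer): export the current policy, switch the inbound default to block, disable the built-in inbound allow rules, add explicit rules for HTTPS and RDP, then check the Security log for the anonymous NTLM network logons the question's 4624 event shows. The export path and the admin IP are placeholders.

```powershell
# Added example: lock inbound traffic down to HTTPS and RDP, then look for the
# ANONYMOUS LOGON / NTLM events from the question. Run it from the provider's
# VM console, not over the RDP session you are about to restrict.

$ExportPath = 'C:\Backup\firewall-before-hardening.wfw'   # placeholder path
$AdminIp    = '203.0.113.10'                              # placeholder: your office/VPN address

# 1. Keep a restorable copy of the current policy ("netsh advfirewall import" restores it).
New-Item -ItemType Directory -Force -Path (Split-Path $ExportPath) | Out-Null
netsh advfirewall export $ExportPath

# 2. Default-deny inbound on every profile and log dropped packets for later review.
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow -LogBlocked True

# 3. Disable (rather than delete) every enabled built-in inbound allow rule;
#    disabled rules can be re-enabled one by one if something turns out to be needed.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow | Disable-NetFirewallRule

# 4. Allow only what the server is for: HTTPS from anywhere, RDP from the admin address only.
New-NetFirewallRule -DisplayName 'Allow Vault HTTPS' -Direction Inbound -Protocol TCP `
    -LocalPort 443 -Action Allow -Profile Any
New-NetFirewallRule -DisplayName 'Allow RDP from admin IP' -Direction Inbound -Protocol TCP `
    -LocalPort 3389 -RemoteAddress $AdminIp -Action Allow -Profile Any

# 5. Detection check: network (type 3) logons by ANONYMOUS LOGON, with source address
#    and NTLM package version, read from the event XML rather than by positional index.
Get-WinEvent -FilterHashtable @{LogName = 'Security'; Id = 4624} -MaxEvents 5000 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $d = @{}
        ([xml]$_.ToXml()).Event.EventData.Data | ForEach-Object { $d[$_.Name] = $_.'#text' }
        if ($d.LogonType -eq '3' -and $d.TargetUserName -eq 'ANONYMOUS LOGON') {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Source  = $d.IpAddress
                Package = $d.LmPackageName
            }
        }
    } | Format-Table -AutoSize
```

If the last step still lists entries after the firewall change, the source addresses tell you which rule (or which non-firewall path, such as a provider-level port forward) is still letting SMB/NTLM traffic reach the server.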