Windows – What are the “to-do” on protecting Windows server facing the web

iis-7.5 security web-server windows

I am currently beginning to deploy Windows servers facing the web.

And I would like to know what your ways of protecting your servers are. What software are you using?

On Linux, I'm using Fail2ban to prevent brute force and Logwatch to get daily reports about what's going on on my servers. Are there any equivalents of that software on Windows? If not, what do you recommend using to protect the server?

Best Answer

First of all, you need to think about your network design. It would be good to use at least one DMZ in order to protect the internal network. A good Windows system for being public would be Windows Server 2008 R2 if you do not want to purchase the new 2012 Server. We have at least four Windows-based webservers which work perfectly as webservers, all based on 2008 R2. Just be sure to do the following:

  • Use the DMZ (1 or 2)
  • Do not install unused server roles
  • Be sure to stop services you will not need
  • Be sure to open RDP port (if needed) only into the internal network
  • Be sure to keep all unused ports closed
  • Use a proper Firewall solution like Cisco, Juniper or Checkpoint in front of the server
  • Keep your server up to date (at least monthly updates)
  • Make it redundant (use at least two servers, one for backup)
  • Good monitoring: Nagios (I like it ;-))

(optional) Use Hyper-V for your webserver and its backup system. It is much easier to update and to check whether your updates do not interfere with the webservice in some way. In that case you will need two identical hardware machines to have redundancy in case of a hardware fault. But that's pretty expensive maybe.

Hope it helps you!
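
As an added example (not part of the answer above), the following PowerShell sketch audits host firewall rules against two of the checklist items: unused ports closed, and RDP not open to everyone. The port allowlist, the function name `Find-RiskyInboundRule` and the sample rules are assumptions made for illustration; the property names match the rule objects returned by the built-in `HNetCfg.FwPolicy2` COM object.

```powershell
# Added example, not from the original answer.
# Flags enabled inbound allow rules that are reachable from any remote address
# and either expose RDP or expose a port outside the allowlist.
$AllowedPublicPorts = @('80', '443')   # assumption: the server only serves HTTP/HTTPS
$RdpPort            = '3389'

function Find-RiskyInboundRule {
    param([object[]]$Rules)
    foreach ($r in $Rules) {
        # Only enabled, inbound (Direction 1), allow (Action 1), TCP (Protocol 6) rules
        if (-not $r.Enabled -or $r.Direction -ne 1 -or $r.Action -ne 1 -or $r.Protocol -ne 6) { continue }
        # A rule scoped to specific remote addresses is not "open to the web"
        if ($r.RemoteAddresses -ne '*') { continue }
        # A TCP rule without a port list applies to every port
        $ports = if ($r.LocalPorts) { $r.LocalPorts } else { '*' }
        foreach ($port in ($ports -split ',')) {
            $port = $port.Trim()
            if ($port -eq $RdpPort) {
                $issue = 'RDP allowed from any address'
            } elseif ($AllowedPublicPorts -notcontains $port) {
                # Ranges and keywords such as "RPC" also land here, on purpose
                $issue = 'Port open to any address but not in allowlist'
            } else { continue }
            New-Object PSObject -Property @{ Rule = $r.Name; Port = $port; Issue = $issue }
        }
    }
}

# Constructed sample rules (not taken from a real server)
$sample = @(
    (New-Object PSObject -Property @{ Name = 'HTTP in';  Enabled = $true;  Direction = 1; Action = 1; Protocol = 6; LocalPorts = '80,443'; RemoteAddresses = '*' }),
    (New-Object PSObject -Property @{ Name = 'RDP in';   Enabled = $true;  Direction = 1; Action = 1; Protocol = 6; LocalPorts = '3389';   RemoteAddresses = '*' }),
    (New-Object PSObject -Property @{ Name = 'FTP in';   Enabled = $true;  Direction = 1; Action = 1; Protocol = 6; LocalPorts = '21';     RemoteAddresses = '*' }),
    (New-Object PSObject -Property @{ Name = 'SQL in';   Enabled = $true;  Direction = 1; Action = 1; Protocol = 6; LocalPorts = '1433';   RemoteAddresses = '10.0.0.0/255.255.255.0' }),
    (New-Object PSObject -Property @{ Name = 'Old rule'; Enabled = $false; Direction = 1; Action = 1; Protocol = 6; LocalPorts = '8080';   RemoteAddresses = '*' })
)

# Reports 'RDP in' and 'FTP in'; the scoped and disabled rules are skipped
Find-RiskyInboundRule -Rules $sample | Format-Table Rule, Port, Issue -AutoSize

# On a live server, audit the real rule set instead:
# $fw = New-Object -ComObject HNetCfg.FwPolicy2
# Find-RiskyInboundRule -Rules @($fw.Rules)
```

This only inspects the Windows Firewall on the host; it does not replace checking the rules on the perimeter firewall in front of the DMZ.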