This is just a brief run through on the first steps you should take to secure your brand new Windows based VPS, Cloud Service or Dedicated Server. It is important to take some early precautions to ensure your service is not compromised. I’ve include what I believe to be the top 5 security steps you should take, when you first get access to your service.

1. Disable default Administrator account and create a new user with Administrator permissions.

The default administrator account on a Windows Server operating system is “Administrator”. Numerous bots and automated attacks will use this username to attempt a brute force style attack. A simple way to remove this threat is too disable the default Administrator account and have a second login or user account that has administrator privileges.

When creating this new Administrator username, change it too something that is not easy to guess, for example don’t change it to “admin”.

Some examples are,

• admin-company name
• company initials-Administrator
• individual admin logins e.g. ross-admin

You could even go as far as using Admin, then adding some randomly generated numbers and letters to the end (for example admin-3242×45).

You can find more detailed steps by looking at this article in our Knowledge Base area.

2. Set a secure password for your Administrator user account.

Now that you’ve changed the username to something more secure, you should also be setting the password to something secure.

First note, do not write or store the password anywhere! The weakest link in any password based security is the end user, so make sure you reduce the chance of your password getting stolen or seen.

When setting a secure password please consider the following guidelines,

• At least 10 characters long, the longer the better
• Capitals, numbers, lowercase, and a symbol or two!
• Do not use the same password twice.
• Avoid using variations of the same password.

Specific steps to change your password can be found here in our Knowledge Base area.

3. Change the default Remote Desktop / Terminal Services Port

The default method usually provided to access your new Windows based VPS, Cloud Service or Dedicated Server is using the Windows functionality called Remote Desktop (sometimes referred too as Terminal Services).

The default port used by this remote access utility is 3389. Known bots and scripts, can attempt to breach your service via a vulnerability or through brute force. So changing the default port can also help improve the security of your server.

We recommend you choose a random port number, and do not use the same selected port number for every service you have. Try to avoid any common port selections like, 1337, 1111 or 8080.

When making these changes please keep in mind a reboot of your service may need to occur and further ensure any firewall rules aren’t blocking this new custom port setting.

On a side note, if you are not using Remote Desktop but some other Remote Access / Remote Viewing software, we would suggest you investigate how to change the default port’s for those applications also.

Be careful when changing the port, as if you make a mistake, and reboot your service, you may require Technical Support to correct the problem as you will lose access to your service.

Head over to this link, it’s an article in our Knowledge Base which explains the exact steps.

4.  Restrict access to Remote Desktop by IP Address using the Windows Firewall

Now that you’ve changed the default port for Remote Desktop, you could also consider restricting access to that port based on IP Address. You will need to have an internet connection with a static IP Address for this to be really effective. Standard home DSL / Cable / Wireless connections do NOT have a static IP, though it can be requested or purchased from your ISP.

The major issue with this is that if you are trying to access your service via Remote Desktpo from an internet connection that has not been added to the Whitelist, then this security option could prove inconvenient.

If you do have a static IP Address then you should strongly consider setting this up.

Please be careful when restricting IP Access as you could potentially lock yourself out!

We’ve put together two article’s in our Knowledge Base area that can help you set this up. One article is for making the changes on Server 2003 / Server 2003 R2, and the other article is for making those changes on Server 2008 or Server 2008 R2.

5. Install Antivirus 

As you begin to setup your service you will be downloading files, uploading files, and browsing sites from your service. To ensure your service remains virus free, please install an antivirus. Whilst there are alot of free antivirus applications out there, they commonly do not support the Windows Server OS flavours.

From our experience so far, we’ve been able to install Microsoft’s own antivirus software, Microsoft Essentials onto Windows Server 2008 and 2008 R2. So this would be a good place to start.

Another alternative is Clamwin

Final Comments

The above steps are not the only things you can do, there are numerous paid tools out there which will further assist with securing your service. However the above steps are a good starting point. I hope this has helped some of you with securing your service. Enjoy!