Arabic Arabic Chinese (Simplified) Chinese (Simplified) Dutch Dutch English English French French German German Italian Italian Portuguese Portuguese Russian Russian Spanish Spanish

Tips

The following security tips are how-to's and suggestions on how to protect your personal computer, office computer, network, server and or website. The following tips do not guarantee that  you will not be hacked.  If configured properly it will make it harder for you to be hacked.
  • Use a firewall Windows has a firewall already built in and automatically turned on.
  • Keep all software up to date Make sure to turn on automatic updates in Windows Update to keep Windows, Microsoft Office, and other Microsoft applications up to date. Turn on automatic updates for non-Microsoft software as well, especially browsers, Adobe Acrobat Reader, and other apps you regularly use.
  • Use antivirus software and keep it current If you run Windows you have Windows Security or Windows Defender Security Center already installed on your device.
  • Make sure your passwords are well-chosen and protected To learn how, see Protect your passwords.
  • Don’t open suspicious attachments or click unusual links in messages. They can appear in email, tweets, posts, online ads, messages, or attachments, and sometimes disguise themselves as known and trusted sources.
  • Browse the web safely Avoid visiting sites that offer potentially illicit content. Many of these sites install malware on the fly or offer downloads that contain malware. Use a modern browser like Microsoft Edge, which can help block malicious websites and prevent malicious code from running on your computer.
  • Stay away from pirated material Avoid streaming or downloading movies, music, books, or applications that do not come from trusted sources. They may contain malware.
  • Don't use USBs or other external devices unless you own them To avoid infection by malware and viruses, ensure that all external devices either belong to you or come from a reliable source.

Keep your device secure

Make sure to download recommended updates from your device's manufacturer or operating system provider, especially for important software such as your internet browser. Antivirus software, antispyware software, and firewalls are also important tools to thwart attacks on your device.

Keep up-to-date

Update your system, browser, and important apps regularly, taking advantage of automatic updating when it's available. These updates can eliminate software flaws that allow hackers to view your activity or steal information. Windows Update is a service offered by Microsoft. It will download and install software updates to the Microsoft Windows Operating System, Internet Explorer, Outlook Express, and will also deliver security updates to you. Patching can also be run automatically for other systems, such as Macintosh Operating System. For mobile devices, be sure to install Android or iPhone updates that are distributed automatically.

Antivirus software

Antivirus software protects your device from viruses that can destroy your data, slow down or crash your device, or allow spammers to send email through your account. Antivirus protection scans your files and your incoming email for viruses, and then deletes anything malicious. You must keep your antivirus software updated to cope with the latest "bugs" circulating the internet. Most antivirus software includes a feature to download updates automatically when you are online. In addition, make sure that the software is continually running and checking your system for viruses, especially if you are downloading files from the web or checking your email. Set your antivirus software to check for viruses every day. You should also give your system a thorough scan at least twice a month.

Antispyware software

Spyware is software installed without your knowledge or consent that can monitor your online activities and collect personal information while you're online. Some kinds of spyware, called keyloggers, record everything you key in—including your passwords and financial information. Signs that your device may be infected with spyware include a sudden flurry of ads, being taken to websites you don't want to go to, and generally slowed performance. Spyware protection is included in some antivirus software programs. Check your antivirus software documentation for instructions on how to activate the spyware protection features. You can buy separate antispyware software programs. Keep your antispyware software updated and run it regularly. To avoid spyware in the first place, download software only from sites you know and trust. Make sure apps you install on a mobile device come from the Apple App Store for iPhones or Google Play for Android devices.

Firewalls

A firewall is a software program or piece of hardware that blocks hackers from entering and using your computer. Hackers search the internet the way some telemarketers automatically dial random phone numbers. They send out pings (calls) to thousands of computers and wait for responses. Firewalls prevent your computer from responding to these random calls. A firewall blocks communications to and from sources you don't permit. This is especially important if you have a high-speed internet connection, like DSL or cable. Some operating systems have built-in firewalls that may be shipped in the "off" mode. Be sure to turn your firewall on. To be effective, your firewall must be set up properly and updated regularly. Check your online "Help" feature for specific instructions.

Use strong protection

Making use of complex passwords and strong methods of authentication can help keep your personal information secure.

Choose strong passwords

Protect your devices and accounts from intruders by choosing passwords that are hard to guess. Use strong passwords with at least eight characters, a combination of letters, numbers and special characters. Don't use a word that can easily be found in a dictionary or any reference to personal information, such as a birthday. Some hackers use programs that can try every word in the dictionary, and can easily find personal information such as dates of birth. Try using a phrase to help you remember your password, using the first letter of each word in the phrase. For example, HmWc@w2—How much wood could a woodchuck chuck. Choose unique passwords for each online account you use: financial institution, social media, or email. If you have too many passwords to remember, consider using password manager software, which can help you create strong individual passwords and keep them secure.

Use stronger authentication

Many social media, email, and financial accounts allow the use of stronger authentication methods. These methods can include using a fingerprint, one-time codes sent to a mobile device, or other features that ensure a user is supposed to have access to the account. For more information on strong authentication methods, visit the Lock Down Your Login Campaign.

Protect your private information

While checking email, visiting websites, posting to social media, or shopping, pay attention to where you click and who you give your information to. Unscrupulous websites or data thieves can attempt to trick you into giving them your personal data.

Be careful what you click

Phishing attacks—where hackers send seemingly genuine messages to trick you to hand over personal information—are becoming more sophisticated. For instance, you may receive an urgent message stating that your bank account has been locked and requiring you to enter your password and Social Security number to unlock it. Think twice before clicking on links in messages such as this. Most genuine messages from financial institutions will not ask for personal information directly, but will instead instruct you to call or visit a website directly. You can also verify the email address that sent the message to ensure it came from the expected sender.

Shop safely

When shopping online, check out the website before entering your credit card number or other personal information. Read the privacy policy and look for opportunities to opt out of information sharing. (If there is no privacy policy posted, beware! Shop elsewhere.) Learn how to tell when a website is secure. Look for "https" in the address bar or an unbroken padlock icon at the bottom of the browser window. These are signs that your information will be encrypted or scrambled, protecting it from hackers as it moves across the internet.

Be careful what you share

Social media allows sharing of all aspects of life, but it's important to control who has access to the information you share. Information thieves can use social media postings to gather information and then use the information to hack into other accounts or for identity theft. To protect yourself, make use of privacy settings to limit the visibility of personal posts to your personal networks, and restrict the amount of information you share with the general public.

Responding to data breaches

Even if you make all the right moves, your data may be stolen from a company you trusted to keep it safe. If you find that your personal information has been accessed without your authorization, take steps to protect yourself. Place a fraud alert on your credit file. Review your annual credit reports. And if you suspect your information has been breached, put a freeze on your credit file to prevent fraudsters from opening new accounts in your name. For more information, see the Attorney General's information sheets on identity theft.

Parents, take control

Don't let your children risk your family's privacy. Make sure they know how to use the internet safely. For younger children, install parental control software on devices that limits the websites kids can visit. To protect your children's future credit, consider setting up a credit freeze for your child. But remember: no software can substitute for parental supervision.
Anyone having unauthorized access to your Wi-Fi network could mess up your data plans. Even if you have unlimited data, it might cause you to get hacked and lose sensitive information. You, therefore, need to learn how to block ports from accessing your router to prevent any effects. The specifics differ depending on the router you use, but here is the general guide on how you can block a port on any router; You can use two methods when dealing with a D-Link router, port forwarding or virtual server. Port forwarding will allow you to block numerous networks at once, while a virtual server only blocks a single network at a time. No matter the route you use, you first have to access the settings. For the D-Link, enter 192.168.0.1 in the browser and search. For a TP-Link device, use 192.168.1.1 for other routers; go with www.routerlogin.com to log into your account. The specifics differ slightly depending on the router, but they all have an advanced settings tab. Go to it to see all the router’s settings. It is important to know the IP addresses of all the ports you want to block since you can’t stop them without them. If you are using a D-Link router, go to the port forwarding option and follow the prompts to enter the details of all the ports you want to be blocked. In the window for the computer name, schedule it to never to mean that the port will never access your network again. On a NetGear router, go to advanced settings, the security tabs, and the block services. You will have the option to temporarily block ports or permanently block them. Select on then scroll to the service table and add the port number you want to block. Select a protocol to block the port; if you are unsure, you can use both UDP and TCP; then, choose never to cut off the port on schedule. Make sure you then save the settings for them to take effect. On a TP-Link router, go to security options and then firewall. Enable the firewall and allow packets not specified to be filtered out of the router after enabling IP address filtering. Save the settings, then go to IP address filtering. Click on add new and enter the IP address you want to block at the WAN port and LAN address frame, select Deny, and save the settings. Each of these methods works for the specific router options, and it is a good way to manage the number of people who get access to your network.
The main reason to close a router port is to address security and privacy vulnerabilities. If you just leave every port open at all times, even the unnecessary and unused ports, you are essentially putting yourself at risk for reason. Closing these ports will stop would-be hackers, so you won’t have to go online to learn what is a DNS address and how to stop identity thieves.

Insider Tip - In some cases, you may have to restart the router for these changes to be accepted.

This is a fairly straightforward process, akin to learning how to turn off 5GHz on a router. However, each router is different, so it varies according to make and model. With that in mind, we have tried to keep this guideline as universal as possible.

STEP 1

Your first step is to make sure your network is functioning properly and that you have a valid and strong Internet connection available to all wireless devices within range. Check to see that the router is plugged into the modem via Ethernet cable and that you use the network to connect to the Internet. STEP 2 Now it is time to access a dedicated settings page or the admin panel. This process varies depending on the router, so check your instruction manual or hit up a quick web search for specific details on how to do this with your router. Be sure to set aside your network name, public IP address, default password, and any other relevant information for later. STEP 3 In most cases, you can access the router’s settings page by inputting your router’s IP address in the address bar of a web browser. Otherwise, use dedicated firmware of a mobile app provided by the router’s manufacturer. STEP 4 Once on the settings page, look for port options, otherwise called port forwarding options. Turn off whichever ports you desire and be sure to save your changes.
You’ve assigned the device a static IP address and also know what your public IP address is. Now, you can proceed to access your router and set up port forwarding. The process will vary slightly depending upon the brand of router you’re using.
  • Locate your router’s IP address (default gateway address).
  • Head over to your router’s settings.
  • Enter your credentials (device username and password).
  • Look around for the Port Forwarding tab.
  • On the Port Forwarding tab, enter your device’s name and open your preferred port—for example, type 8080 to open port 8080.
  • Save your settings.
However, to give you a better idea of how to go about it, we’ve covered the steps to set up port forwarding manually on some of the most commonly used router options. So without further ado, let’s take a look at how you can set up port forwarding on:

Asus Router

To set up port forwarding on your Asus router, all you have to do is follow the steps mentioned in this guide on how to port forward on Asus.

Belkin Router

If you want to set up port forwarding on your Belkin router, follow the steps mentioned in this guide on how to port forward on Belkin.

TP-Link Router

To set up port forwarding on your TP-Link router, all you have to do is follow the steps mentioned in this guide on how to port forward on TP-Link.

Draytek Router

If you want to set up port forwarding on your Draytek router, follow the steps mentioned in this guide on how to port forward on Draytek.

Dovado Router

To set up port forwarding on your Dovado router, all you have to do is follow the steps mentioned in this guide on how to port forward on Dovado.

Netgear Router

To set up port forwarding on the Netgear router, follow the steps mentioned in this guide to port forward on Netgear. Once you’ve set up port forwarding on your router, the final step is to check whether it is working correctly. There are a variety of port checker tools that you can use, such as FreePortScanner, PortChecker.co, Advanced Port Scanner, and NetworkAppers.
You probably already have an idea of how networks work. Each device has an IP address, and there are two types of IP addresses: private (or internal) and public (or external). A private IP address is used in internal networks, whereas a public IP address is accessible to the outside world. When you request information from the Internet, your router’s public IP address is sent along with your device’s private IP address. However, this raises an all-important question: how does the requested information reach the network’s right device? This is made possible due to a process known as Network Address Translation (NAT). Basically, it occurs at the transport and network layers, where the flow of network traffic is routed through the router so that multiple devices behind it can share a single public IP address. As a result, users can request web sites simultaneously, and it will all be directed to the intended device. So, where do ports come in here? Well, a good analogy is to think of them as extensions on a phone system. In simple terms, they ensure a computer or mobile device knows which application the data packets are destined for by looking at the port number. There are 65,536 ports available for use in UDP or TCP, and some have pre-assigned uses. Take, for instance, port 80 is used to access HTTP websites.  You can view the full list of port numbers and their uses here. Then other ports don’t have any specific applications and can be used for whatever purpose you want.  
By default, some ports are blocked on modern-day routers. This is a great security feature because malicious requests are prevented from reaching the core processes that may be running on your computer. However, at the same time, this can also result in problems for applications that need information sent back to them from the Internet – the router will block them. If you want to allow information to be sent to an internal computer from the Internet, you will have to tell your router to forward a certain port. As a result, when the router receives a packet intended for a specified port, it is gets forwarded to a specified local computer. But configuring port forwarding manually each time can prove a hassle, and so UPnP was developed. Universal Plug and Play automatically handles the process of port forwarding and works fine for the most part. There are, however, some instances where it will let you down or might be disabled on your router for security purposes. Either way, in this scenario, you have no other option but to forward the ports manually.
If you want to avoid the hassle of setting up port forwarding manually and/or the security concerns that arise with its use or opening ports on your router is restricted at ISP level, and you’re looking for an alternate, PureVPN has got you covered. The first-of-its-kind Port Forwarding add-on allows you to simultaneously use port forwarding and VPN, making secure and seamless communication with any device or server a reality! With PureVPN’s Port Forwarding add-on, opening ports has become really easy either it could be PC, Xbox, PS5, or anything else for any purpose you can do in just 3 easy steps:
  1. Sign up to PureVPN.
  2. Scroll down to select “Get Port Forwarding.”
  3. Enter your details, and you are good to go.
  4. Now go to your PureVPN account dashboard.
  5. Navigate to the Port Forwarding section.
  6. And you’re ready to open your desired ports.
  The following are some benefits of using PureVPN’s Port Forwarding add-on:
  • Speed up your uploads/downloads.
  • Access your laptop or desktop remotely from anywhere.
  • Open specific ports for programs, multiplayer games, etc.
  • Improve online gaming performance.
  • Stay protected against various threats when forwarding ports – and more!
Server security describes the software, tools, and processes used to protect a business’ server from unauthorized access and other cyberthreats. It is a key requirement for most system administrators and cybersecurity teams. Linux security is considered good, based on the operating system’s strong default permissions structure. However, you must still adopt best practices to keep your servers running safely and effectively. Whether your Linux server is running Ubuntu, Debian, or some other distribution, follow these steps to strengthen your Linux server’s default configuration.

1. Only install required packages

You should only install the packages that your business needs to run in order to protect the functionality of your server. Linux server distributions come with a variety of common packages already installed, such as adduser and base-passwd. During installation, users can opt to install additional packages, including an Open SSH server, a DNS server, a LAMP stack, and a print server. You can also add further packages through the default package management system. Packages can be drawn from official repositories or by adding PPAs (Personal Package Archives), repositories created by Linux users, to gain access to a wider selection of programs. However, the more packages you install, particularly from third-party repositories, the more vulnerabilities you could be introducing into the system. Keep installed packages to a reasonable minimum and periodically eliminate what isn’t needed.

2. Disable the root login

Linux distributions include a superuser called ‘root’ that contains elevated administrative permissions. Keeping root login enabled can present a security risk and diminish the safety of small business cloud resources hosted on the server, as hackers can exploit this credential to access the server. To strengthen your server security, you must disable this login. The process of disabling the root account varies depending upon which distribution of Linux you are using – you must first create a new user account and assign elevated (sudo) permissions, so that you will still have a way of installing packages and performing other admin actions on the server. Alternatively, you can assign these permissions to an existing user in order to ensure a secure server login.

3. Configure 2FA

Two-factor authentication (2FA) greatly improves the security of user access by requiring a password and second token before users can log on to the server. To set up 2FA on a Debian server and Debian-derived distributions, you should install the libpam-google-authenticator package. The package can display a QR code or produce a secret token that can be added to a software authentication device, such as Google Authenticator or Authy. 2FA can be used in conjunction with SSH (Secure Shell) to enforce the requirement for a second credential when logging into the server. SSH is a protocol that creates an encrypted, text-based connection to a remote server. Together, these make the server more resistant to brute force, unauthorized login attempts and can improve cloud safety for small businesses.

4. Enforce good password hygiene

Good password hygiene isn’t only relevant to users logging into their personal computers or SaaS applications. For servers, administrators also need to ensure that users are utilizing sufficiently rigorous passwords. This practice makes them much more resistant to attacks.

Enforcing a minimum cryptographic strength

Passwords used by your staff should be above a certain cryptographic strength, for example, at least 12 characters, with a random mix of letters, numbers, and symbols. To enforce this across your business, consider implementing a password management tool that can validate the level of security of a password or generate one of sufficient complexity.

Enforcing regular password rotation

Make sure that your staff is regularly updating all their passwords for applications and logins, especially those with administrative server access. Most Linux distributions contain, by default, a utility for modifying password expiry and aging information. This program can force the user to reset their password at a regular interval. Chage is one such CLI (command-line interface). Administrators can force users to change their password after a certain number of days, for instance, by using the -W operator: Change -W 10 daniel Run from elevated permissions, this command will force the user ‘daniel’ to change their password after 10 days have passed. Forced password changes can also be enforced as bathes or upon login events.

5. Server-side antivirus software

While Linux computers are considered relatively resistant to viruses, malware, and other forms of cyberattack, all Linux endpoints – including desktops – should run antivirus protection. Antivirus products will enhance the defensive capabilities of any server it runs. Next-gen Linux server antivirus from Avast Business supports both 32-bit and 64-bit hardware, and features on-demand scanning initiated over a CLI.

6. Update regularly or automatically

You should not hold old, unpatched packages, as these introduce critical vulnerabilities to the system that could be exploited by cybercriminals. To avoid this problem, ensure that your server, or server pool, is updated regularly. Many Linux distributions, notably Ubuntu, are also updated in a rolling distribution cycle with both long-term (LTS) and short-term release versions. Your security teams should consider from the start whether they want to run bleeding edge or stable software on their machines, and configure the appropriate update policies. Additionally, many Linux distributions contain tools for applying automated updates. The unattended-upgrades package available for Debian, for instance, will poll for updates at a fixed interval and apply them automatically in the background.

7. Enable a firewall

Every Linux server should be running a firewall as an initial line of defense against unauthorized or malicious connection requests. UFW (uncomplicated firewall) is a common basic Linux firewall. You should inspect the firewall policy to ensure that it makes sense for your business’ operating environment. These days, Distributed Denial of Service (DDoS) attacks also present a threat for some operators. Internet-facing Linux servers can be placed behind a proxy service to inspect and scrub inbound traffic, providing DDoS protection. Additionally, there are open source scripts that can be installed directly onto the server.

8. Backup your server

There are always things that can go wrong when it comes to computer systems, and packages can create dependency problems and other issues. It’s therefore vital that you retain the ability to rollback changes to your server. A robust backup approach should involve creating two copies, one offsite, for every primary protected device. Simpler system rollback tools are available for Linux servers that can help to automate this process and allow for speedier disaster recovery (DR).

Keep security in mind

Linux may be the best server for your small business or enterprise, as distributions generally have a decent security posture automatically configured. However, to significantly increase your defenses and minimize the chances that malicious users will gain access, you must harden your Linux server by applying the best practice tips. Using a server-side antivirus tool, such as Avast Business Linux Antivirus, should always be part of a multi-layered security policy.
This primer will introduce you to basic Linux server security. While it focuses on Debian/Ubuntu, you can apply everything presented here to other Linux distributions. I also encourage you to research this material and extend it where applicable.

1. Update your server

The first thing you should do to secure your server is to update the local repositories and upgrade the operating system and installed applications by applying the latest patches. On Ubuntu and Debian:
$ sudo apt update && sudo apt upgrade -y
On Fedora, CentOS, or RHEL:
$ sudo dnf upgrade

2. Create a new privileged user account

Next, create a new user account. You should never log into your server as root. Instead, create your own account (""), give it sudo rights, and use it to log into your server. Start out by creating a new user:
$ adduser <username>
Give your new user account sudo rights by appending (-a) the sudo group (-G) to the user's group membership:
$ usermod -a -G sudo <username>

3. Upload your SSH key

You'll want to use an SSH key to log into your new server. You can upload your pre-generated SSH key to your new server using the ssh-copy-id command:
$ ssh-copy-id <username>@ip_address
Now you can log into your new server without having to type in a password.

4. Secure SSH

Next, make these three changes:
  • Disable SSH password authentication
  • Restrict root from logging in remotely
  • Restrict access to IPv4 or IPv6
Open /etc/ssh/sshd_config using your text editor of choice and ensure these lines:
PasswordAuthentication yes PermitRootLogin yes
look like this:
PasswordAuthentication no PermitRootLogin no
Next, restrict the SSH service to either IPv4 or IPv6 by modifying the AddressFamily option. To change it to use only IPv4 (which should be fine for most folks) make this change:
AddressFamily inet
Restart the SSH service to enable your changes. Note that it's a good idea to have two active connections to your server before restarting the SSH server. Having that extra connection allows you to fix anything should the restart go wrong. On Ubuntu:
$ sudo service sshd restart
On Fedora or CentOS or anything using Systemd:
$ sudo systemctl restart sshd

5. Enable a firewall

Now you need to install a firewall, enable it, and configure it only to allow network traffic that you designate. Uncomplicated Firewall (UFW) is an easy-to-use interface to iptables that greatly simplifies the process of configuring a firewall. You can install UFW with:
$ sudo apt install ufw
By default, UFW denies all incoming connections and allows all outgoing connections. This means any application on your server can reach the internet, but anything trying to reach your server cannot connect. First, make sure you can log in by enabling access to SSH, HTTP, and HTTPS:
sudo ufw allow sshsudo ufw allow http $ sudo ufw allow https
Then enable UFW:
$ sudo ufw enable
You can see what services are allowed and denied with:
$ sudo ufw status
If you ever want to disable UFW, you can do so by typing:
$ sudo ufw disable
You can also use firewall-cmd, which is already installed and integrated into some distributions.

6. Install Fail2ban

Fail2ban is an application that examines server logs looking for repeated or automated attacks. If any are found, it will alter the firewall to block the attacker's IP address either permanently or for a specified amount of time. You can install Fail2ban by typing:
$ sudo apt install fail2ban -y
Then copy the included configuration file:
$ sudo cp /etc/fail2ban/jail.conf /etc/fail2ban/jail.local
And restart Fail2ban:
$ sudo service fail2ban restart
That's all there is to it. The software will continuously examine the log files looking for attacks. After a while, the app will build up quite a list of banned IP addresses. You can view this list by requesting the current status of the SSH service with:
$ sudo fail2ban-client status ssh

7. Remove unused network-facing services

Almost all Linux server operating systems come with a few network-facing services enabled. You'll want to keep most of them. However, there are a few that you might want to remove. You can see all running network services by using the ss command:
$ sudo ss -atpu
The output from ss will differ depending on your operating system. This is an example of what you might see. It shows that the SSH (sshd) and Ngnix (nginx) services are listening and ready for connection:
tcp LISTEN 0 128 *:http *:* users:(("nginx",pid=22563,fd=7)) tcp LISTEN 0 128 *:ssh *:* users:(("sshd",pid=685,fd=3))
How you go about removing an unused service ("") will differ depending on your operating system and the package manager it uses. To remove an unused service on Debian/Ubuntu:
$ sudo apt purge <service_name>
To remove an unused service on Red Hat/CentOS:
$ sudo yum remove <service_name>
  Run ss -atup again to verify that the unused services are no longer installed and running.
Follow these tips and best practices to secure your Windows Server against cyber attacks.

1. Keep Your Windows Server Up To Date

Update Windows Server
While it may look like an obvious thing to do, most servers installed with Windows Server images are without the latest security and performance updates. Installing the latest security patches is crucial in protecting your system from malicious attacks. If you have set up a new Windows server or received credentials to one, make sure to download and install all the latest updates available for your computer. You can defer the feature update for some time, but you should install security updates as it becomes available.

2. Install Only Essential OS Components via Windows Server Core

On Windows Server 2012 and above, you can use the operating system in its core mode. The Windows Server Code Mode is a minimal installation option that installs Windows Server without the GUI, which means reduced features. Installing Windows Server Core has many benefits. The obvious one being the performance advantage. You can use the same hardware to gain performance improvements through unutilized OS components resulting in lesser RAM and CPU requirements, better uptime and boot time, and fewer patches.
While the performance benefits are nice, the security benefits are even better. Attacking a system with fewer tools and attack vectors is harder than hacking a fully GUI-based operating system. Windows Server Core reduces the attack surface, offers Windows Server RSAT (Remote Server Administration) tools and the ability to switch from Core to GUI.

3. Protect the Admin Account

The default user account in Windows Server is named Administrator. As a result, most of the brute force attacks are targeted at this account. To protect the account, you can rename it to something else. Alternatively, you can also disable the local administrator account altogether and create a new admin account. Once you have the local admin account disabled, check if a local guest account is available. Local guest accounts are the least secure, so it is best to get them out of the way wherever possible. Use the same treatment for unused user accounts. A good password policy that requires regular password changes, complex and lengthy passwords with numbers, characters, and special characters can help you secure user accounts against brute force attacks.

4. NTP Configuration

It is important to configure your server to sync time with NTP (Network Time Synchronization) servers to prevent a clock drift. This is essential as even a difference of few minutes can break various functions, including Windows login. Organizations use network devices that use internal clocks or rely on a Public Internet Time Server for synchronization. Servers that are domain members usually have their time synced with a domain controller. However, stand-alone servers will require you to set up NTP to an external source to prevent replay attacks.

5. Enable and Configure Windows Firewall and Antivirus

Windows Defender Firewall Windows Server
Windows Servers come with a built-in firewall and antivirus tool. On servers that do not have hardware firewalls, Windows Firewall can reduce the attack surface and provide decent protection against cyber attacks by limiting the traffic to necessary pathways. That said, a hardware-based or Cloud-based firewall will offer more protection and take the load off of your server. Configuring the firewall can be a messy task and hard to master at first. However, if not configured correctly, open ports accessible to unauthorized clients can pose a huge security risk to servers. Also, keep a note of the rules created for its use and other attributes for future references.

6. Secure Remote Desktop (RDP)

If you use RDP (Remote Desktop Protocol), make sure it is not open to the internet. To prevent unauthorized access, change the default port, and restrict the RDP access to a specific IP address if you have access to a dedicated IP address. You may also want to decide who can access and use RDP, as it is enabled by default for all the users on the server. Also, adopt all the other basic security measures to secure RDP, including using a strong password, enabling two-factor authentication, keeping the software up to date, restricting access through advanced firewall settings, enabling network-level authentication, and setting an account lockout policy.

7. Enable BitLocker Drive Encryption

BitLocker Windows Server Enable
Similar to Windows 10 Pro, the server edition of the operating system comes with a built-in drive encryption tool called BitLocker. It's considered to be among the best encryption tools by the security pros as it allows you to encrypt your entire hard drive even if the physical security of your server is breached. During encryption, BitLocker captures information about your computer and uses it to verify the authenticity of the computer. Once verified, you can log in to your computer using the password. When suspicious activity is detected, BitLocker will ask you to enter the recovery key. Unless the decryption key is provided, the data will remain locked. If you are new to hard drive encryption, check out this detailed guide on how to use BitLocker in Windows 10.

8. Use Microsoft Baseline Security Analyzer

Microsoft Baseline Security Analyzer (MBSA) is a free security tool used by IT professionals to help manage the security of their servers. It can find security issues and missing updates with the server and recommend remediation guidance in accordance with Microsoft's security recommendations. When used, MBSA will check for Windows administrative vulnerabilities such as weak passwords, the presence of SQL and IIS vulnerabilities, and the missing security updates on individual systems. It can also scan an individual or group of computers by IP address, domain, and other attributes. Finally, a detailed security report will be prepared and shown on the graphical user interface in HTML.

9. Configure Log Monitoring and Disable Unnecessary Network Ports

Any services or protocols that are not needed or used by the Windows Server and installed components must be disabled. You can run a port scan to check which network services are exposed to the internet. Monitoring login attempts is useful to prevent intrusion and protect your server against brute force attacks. Dedicated intrusion prevention tools can help you view and review all log files and send alerts if suspicious activities are detected. Based on the alerts, you can take appropriate action to block the IP addresses from connecting to your servers.

Windows Server Hardening Can Reduce the Risk of Cyber-Attacks!

When it comes to your Windows Server security, it is always good to be on top of things by auditing the system for security risks regularly. You can start by installing the latest updates, protect the admin account, use the Windows Server Core mode whenever possible, and enable drive encryption through BitLocker. While Windows Server may share the same code as the consumer edition of Windows 10 and look identical, the way it is configured and used is vastly different.

National Cyber Security

FREE
VIEW