Hardening the Security on your Windows VPS

Although Windows Server is one of the most secure operating systems out of the box, you may want to implement additional security measures in order to deflect attacks on your virtual private server.

Hardening the security on your Windows Server should be one of the first projects you undertake when you buy a VPS. By securing your server, you can build web apps and websites with confidence knowing that your data is at less of a risk.

Entire books have been written on methods used to strengthen the security of Windows Servers. Our guide will help you mitigate some of the most commonly used attacks on Windows Server VPS.

Install Microsoft’s EMET 5.1

At the time of this writing, the latest version of EMET is 5.1. EMET is an acronym for Enhanced Mitigation Experience Toolkit. Microsoft has provided a download for this tool that can be installed on your server.

EMET works by reducing the attack surface on your server. For example, if you use EMET to completely disable Java, your box won’t be susceptible to an attack that originates through the Java plugin.

Those who use their VPS to browse the web are at the greatest risk of acquiring malicious code. EMET 5.1 protects machines by giving administrators granular access over the types of files and programs that can execute code on a particular server.

Evaluate the Security Compliance Manager

If you are running Windows Server 2012, you may find value in installing the latest version of the Security Compliance Manager. This free Microsoft tool establishes a security baseline for your server that complies with Microsoft’s best practices. Like EMET, the SCM helps reduce the attack surface of your Windows Server.

With Security Compliance Manager, you can configure a group of key security settings and easily export these settings to other Windows VPS machines that you decide to spin up. Once you’ve setup SCM, it’s easy to create a template and use that template on other machines.

Bonus: If you run a SQL Server on top of your Windows Server, there is also a Security Compliance Manager that is custom tailored to SQL Server. You will need to check Microsoft’s downloads port in order to find the appropriate version for your SQL installation.

Don’t Forget About Windows Updates

When you launch your Windows VPS, many administrators disable the Windows Updates entirely. Administrators are also known to select the setting that allows them to pick and choose the updates they’d like to install. This process often delays critical updates from being installed on the server. The upside is that it gives administrators the ability to manage the downtime required for the server to reboot and finish installing the updates.

This tip may seem obvious, however, you’d be surprised at the amount of administrators that disable Windows Updates and forget to go back and actually install the updates. Other administrators may have updates waiting to install, yet they push the task off and decide to do it another day. By postponing the installation of Windows Updates, you potentially leave your server vulnerable to the latest attacks.

Establish a Baseline: Run a Free Scan

There are heaps of free tools available online that will scan your server for common vulnerabilities. Establishing a baseline of your server’s security is pivotal to securing your server for the long term. If your server cannot pass the tests offered by free online services, your Windows Server could become vulnerable to unsophisticated attack perpetrated by someone who is scanning blocks of IP addresses looking for unpatched servers.

We recommend Qualys’ Free Scan as a starting point. You may also want to research other free Windows security scanning tools that are offered by other vendors.