
Securing your Virtual Private Server is of utmost importance: it is part of your Internet presence, and may well be a mission-critical part of your infrastructure; if it were to be compromised, the ramifications could be anything from minor irritation to complete disaster.

We are not claiming that this post is a foolproof defence that will render you impervious to hacker attack, but anything you can do will certainly help, and these are useful steps.

Password security

Brute force attacks on passwords are extremely common throughout the Internet, yet still a large number of users use passwords that are easy to guess, are dictionary words, or are the same passwords that they use everywhere else. Quite often, brute force attacks will have a huge dictionary of words - everything in the English language to start with, then common keyboard patterns like "qwerty" and "asdfgh", and almost all names of people, cats, dogs and other pets. If your password is one of those sorts of things, you're really asking for trouble and it's just a matter of time! These attacks are automated, and computers are really good at doing repetitive tasks at a fantastic speed. So, make sure that you use passwords which have the following characteristics:

  • Make it long. Anything less than 8 characters should be considered completely unacceptable; 10 characters or more is recommended. Each additional character multiplies the number of possible passwords an attacker has to try.
  • Don't use a password that you would find in the dictionary - it doesn't matter how long the word is
  • Use a mixture of upper and lower case letters, numbers and, importantly, symbols
  • Avoid "leet" passwords: p4ssw0rd or l3tm31n .... these substitutions are all well known to cracking tools and take no time to crack

Remember that the more complex the password, the less likely it can be guessed or brute forced. It may be a slight inconvenience for you, but your business may depend upon it. It's worth the hassle.

Changing your administrator password

Passwords for your VPS can be changed easily; below is a screenshot of the Server Manager with the right-click menu shown for the Administrator account. Click the Set Password link from that menu and enter the new, secure password. Be aware that if your server runs any services under the Administrator account (this is not the default setup) then you will need to change the password on each of those services too.

Additional tips for password security

  • Just because your password is set, the job isn't quite done; for the best type of security, it is very wise to change the password on a regular basis ... maybe once a month or once every three months or so. The longer you have a password in place, the more people who get to learn it and the more likely it is to become compromised. If you keep the password changing then it makes life difficult for the bad guys.
  • Don't write your password down if you can help it. If you have to write it down, KEEP IT SECURE. A post-it note on the screen you use is not secure by the way!
  • Limit the number of people to whom you divulge the password; the fewer the number of people who know the password, the less likely it is to leak out
  • Don't store your passwords in a plain text file on the desktop called Passwords.txt. Instead, use a password manager application - there are lots of great ones available and lots of them are free; consider maybe https://lastpass.com/ or http://keepass.info/ or search the web for others
  • Avoid sending your passwords around by e-mail wherever possible. E-mail is an insecure method of delivery and not recommended.
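The password characteristics listed above and the advice to change passwords regularly can be enforced on the server itself rather than left to good intentions. This is an added example, not part of the original post; it assumes a standalone Windows Server (domain members receive this policy from the domain) and an elevated PowerShell session:

```powershell
# Added example (not from the original post): enforce the password advice above
# with the built-in local security policy tools.
# Assumes a standalone Windows Server and an elevated PowerShell session.

# Minimum length 12, force a change every 90 days, remember the last 5 passwords
net accounts /minpwlen:12 /maxpwage:90 /uniquepw:5

# Lock an account for 30 minutes after 10 bad attempts within 30 minutes.
# This is what actually blunts automated brute forcing: each batch of guesses
# costs the attacker a lockout window instead of running at thousands per second.
net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30

# Password complexity (upper/lower/digit/symbol) lives in the security policy
# database rather than in "net accounts": export it, flip the flag, import it.
$inf = Join-Path $env:TEMP 'secpol.inf'
$db  = Join-Path $env:TEMP 'secpol.sdb'
secedit /export /cfg $inf /areas SECURITYPOLICY | Out-Null
(Get-Content $inf) -replace 'PasswordComplexity = 0', 'PasswordComplexity = 1' |
    Set-Content $inf -Encoding Unicode
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY | Out-Null
Remove-Item $inf, $db -ErrorAction SilentlyContinue

# Show the resulting policy so it can be checked against the list above
net accounts
```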

Limit users and user privileges

Having administrator access to the server is great when you need to get things done, but being the administrator, you can do anything you want on there. That includes deleting everything! If you must have a number of people accessing the server via Remote Desktop Connection, do they need to be administrators? It's unlikely. It's actually more likely that they need to do day-to-day tasks and for that they need not be administrators; normally non-administrative users will be just fine for the most part, and they cannot cause too much damage. In the Server Manager (pictured above), add new users as required, then limit their privileges as required - that includes setting the relevant privileges at the folder - and possibly file - level, so that only some users can access certain areas of your server. Remember this: The more users there are on the server, the more likely a password will be compromised. The more a user is able to do on the server, the more damage that user can cause in the wrong hands.
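The approach described above, as an added example that is not part of the original post: create a day-to-day account that can use Remote Desktop without being an Administrator, grant it rights on one folder only, and audit who is in the Administrators group. It assumes Windows Server 2016 or later (for the LocalAccounts cmdlets); the user name and folder path are placeholders.

```powershell
# Added example (not from the original post): least-privilege Remote Desktop user.
# Assumes Windows Server 2016+ (LocalAccounts module) and an elevated session.
# 'jsmith' and 'D:\Sites\ClientA' are placeholder values.

$user   = 'jsmith'
$folder = 'D:\Sites\ClientA'

# Create the account; the password is entered interactively, never hard-coded
$pw = Read-Host -AsSecureString "Password for $user"
New-LocalUser -Name $user -Password $pw -Description 'Day-to-day site maintenance'

# Membership of "Remote Desktop Users" is all that is needed to log on over RDP.
# Deliberately NOT adding the account to "Administrators".
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $user

# Grant Modify on the one folder they look after. Everything else keeps its
# default ACL, which ordinary users cannot write to.
$acl  = Get-Acl -Path $folder
$rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
    $user, 'Modify', 'ContainerInherit,ObjectInherit', 'None', 'Allow')
$acl.AddAccessRule($rule)
Set-Acl -Path $folder -AclObject $acl

# Audit: is anyone in Administrators who should not be there?
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```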

Lock down access to the desktop via the firewall

By default, if you know the IP address of the server, and the administrator password, you can get access to the desktop. Obviously, that could be secured far better. If you only connect to the server from the office, and you have a fixed IP address for the office, lock down the firewall so that only that IP address can access the server via remote desktop. The more locked down the firewall is, the more secure your server is. You should only then open IP addresses as required.

WARNING: If you lock down access to remote desktop to a fixed IP address, and your IP address changes, you will lock yourself out of the server and you will need to contact us to reset the firewall for you.
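The firewall lockdown described above, as an added example that is not part of the original post, with a check that guards against the lockout the warning describes. It assumes Windows Server 2012 or later (NetSecurity module), that Remote Desktop listens on its default port 3389, and uses 203.0.113.10 as a placeholder for the office's fixed IP address:

```powershell
# Added example (not from the original post): restrict Remote Desktop to the
# office's fixed address. Assumes Windows Server 2012+ and RDP on port 3389.
# 203.0.113.10 is a placeholder for the office IP.

$officeIp = '203.0.113.10'

# Sanity check: the session running this script must itself come from the
# allowed address, otherwise applying the rule cuts off the connection in use.
$session = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
           Where-Object RemoteAddress -ne '127.0.0.1'
if ($session -and ($session.RemoteAddress -notcontains $officeIp)) {
    throw "Current RDP session is from $($session.RemoteAddress -join ','), not $officeIp - aborting"
}

# Scope every inbound rule in the built-in "Remote Desktop" group to that address
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $officeIp -Enabled True

# The scoping is moot unless the firewall is actually switched on
Set-NetFirewallProfile -Profile Domain,Private,Public -Enabled True

# Verify: each rule should now show the office address rather than "Any"
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound | ForEach-Object {
    "{0}: {1}" -f $_.DisplayName, (($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ',')
}
```

If the office address ever changes, the same `Set-NetFirewallRule -RemoteAddress` call with the new address (run from a console session) restores access.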

Do you need desktop access at all? It's not always necessary to have access to the desktop; there are control panel software packages available - some free, some charged - which abstract all of that configuration work into a server that you access via the web, thereby avoiding the need for desktop access completely. Talk to us about control panel integration as we have solutions which may help.

Keep your server up-to-date

Security updates, hot-fixes and patches are released quite regularly for Windows Server and you should make sure that your server is kept up-to-date. If a patch has been released for a security issue, that means that a bug has been found in one or more components which could be exploited as a security threat. News about security exploits travels fast around the communities that try to exploit them, so an unpatched system is a gold mine to them. Updates are done for Windows Server in the same way that they are for Windows 7 or Windows Vista ... you use the Windows Update tool. It is advisable to log into your server every so often to make sure that there are no patches outstanding that need to be installed.
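A way to make that periodic check scriptable, as an added example that is not part of the original post: list the updates that are still outstanding using the Windows Update Agent COM API, which is the same engine the Windows Update tool uses. It assumes an elevated session with access to Windows Update:

```powershell
# Added example (not from the original post): list outstanding updates via the
# Windows Update Agent COM API. Assumes an elevated session with update access.

$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Not yet installed, not hidden by an administrator, applicable to this machine
$result = $searcher.Search("IsInstalled=0 and IsHidden=0")

$pending = foreach ($u in $result.Updates) {
    [pscustomobject]@{
        Title    = $u.Title
        Severity = $u.MsrcSeverity        # Critical/Important/... only for security updates
        KB       = ($u.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
        Released = $u.LastDeploymentChangeTime
    }
}

# Security-rated updates first, then everything else, oldest first
$pending | Sort-Object @{ e = { [string]::IsNullOrEmpty($_.Severity) } }, Severity, Released |
    Format-Table Severity, KB, Released, Title -AutoSize

# One-line status suitable for a fortnightly check
$secCount = @($pending | Where-Object { $_.Severity }).Count
"{0} updates pending, {1} of them rated as security updates" -f @($pending).Count, $secCount
```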

Pay attention to what is happening on your server

This may sound obvious, but many people fail to notice things that are staring them in the face when it comes to computers. Let's look at what you can do in order to keep on top of things, or in the worst case, notice quickly when something has happened:

  • Don't ignore e-mails: If your website processes orders and you get e-mail notifications, and all of a sudden you notice an increase in those e-mails but they look strange - check it out. Are you getting a number of bounced e-mail notifications? It could be an indication that your server is being used to send out SPAM or other messages. Check them out early if you suddenly notice something strange, and tell your staff to report their suspicions if they are raised.
  • Log in using Remote Desktop Connection regularly - at least once a fortnight - and look for signs that something is amiss
  • Are there icons on the desktop that you don't recognise? Are there new programs installed that you don't know?
  • Has the date and/or time been changed, or the time zone information?
  • Are new language packs installed?
  • Look through the Event Logs using Event Viewer (available from Administrative Tools on the start menu) and read through the Security log. Look for logon failures and other notifications that look out of place
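Reading the Security log by hand is tedious once a brute-force run has filled it with thousands of entries. As an added example that is not part of the original post, the script below summarises failed logons (event ID 4625) over the last 7 days by source address and targeted account; it assumes Windows Server 2008 or later (Get-WinEvent), an elevated session, and Server 2016 or later for Get-LocalUser.

```powershell
# Added example (not from the original post): summarise failed logons (event 4625)
# from the Security log. Assumes an elevated session on Windows Server 2008+.

$since  = (Get-Date).AddDays(-7)
$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $since } `
                       -ErrorAction SilentlyContinue

$rows = foreach ($e in $events) {
    # Pull named fields from the event XML rather than relying on positional indexes
    $fields = @{}
    foreach ($d in ([xml]$e.ToXml()).Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
    [pscustomobject]@{
        Time      = $e.TimeCreated
        Account   = $fields['TargetUserName']
        SourceIp  = $fields['IpAddress']
        LogonType = $fields['LogonType']   # 10 = RemoteInteractive (RDP), 3 = Network
    }
}

# Top source addresses. Hundreds of failures from one IP against many different
# names is a dictionary attack, not a colleague mistyping a password.
$rows | Group-Object SourceIp | Sort-Object Count -Descending | Select-Object -First 10 |
    Select-Object Count, Name,
        @{ n = 'Accounts'; e = { ($_.Group.Account | Sort-Object -Unique) -join ',' } }

# Targeted names that are real accounts on this server: check those passwords first
$local = (Get-LocalUser).Name   # Server 2016+; use "net user" on older systems
$rows | Where-Object { $local -contains $_.Account } | Group-Object Account |
    Sort-Object Count -Descending | Select-Object Count, Name
```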

Conclusion

Security is generally overlooked on a server, that is, right up until the time that an Administrator password is compromised and your world falls apart. You may be able to put everything back together again, but at the very least it is going to cost you time to fix - quite a lot of it generally - and often money, quite a lot of that too, and then there are the unmeasurable costs of loss of reputation and so forth. Don't put yourself in a position where you are having to recover from a security breach; stay ahead of the game. It only takes a little bit of time to make life harder for the bad guys and keep them out of your server, and away from potentially ruining your business. The harder it is for them, the more likely they are to leave you alone. These steps will not make you immune from a hacker attack, and they will not mean that your server will never be compromised, but they reduce the risks considerably. If you are ever in any doubt about how to proceed with security matters, always consult a qualified professional.