Securing your Virtual Private Server is of utmost importance: it is part of your Internet life, and may well be part of your infrastructure that is absolutely mission-critical, and if it were to be compromised the ramifications could be anything from minor irritation to complete disaster.
We are not claiming that this post is a fool-proof defence that will render you impervious to attack, but anything you can do will certainly help, and these are useful steps.
Brute force attacks on passwords are extremely common throughout the Internet, yet still a large number of users choose passwords that are easy to guess, are dictionary words, or are the same passwords that they use everywhere else. Quite often, brute force attacks will use a huge dictionary of words: everything in the English language to start with, then common password combinations like "qwerty" and "asdfgh", and almost all names of people, cats, dogs and other pets. If your password is one of those sorts of things, you're really asking for trouble and it's just a matter of time! These attacks are automated, and computers are very good at doing repetitive tasks at fantastic speed. So, make sure that you use passwords which have the following characteristics:
Remember that the more complex the password, the less likely it can be guessed or brute forced. It may be a slight inconvenience for you, but your business may depend upon it. It's worth the hassle.
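Strong passwords only help if the server also refuses to be guessed at indefinitely. The following is an added example, not part of the original post, showing how to set a local password policy and an account lockout threshold with the built-in net accounts command so that the automated dictionary runs described above are slowed down at the server itself. The numeric values are illustrative choices, not recommendations from the post.

```powershell
# Added example (not from the original post): local password policy and lockout.
# Run from an elevated prompt. The values below are illustrative; choose ones that
# suit your environment and the people who log on to the server.
net accounts /minpwlen:14 /maxpwage:90 /uniquepw:5
#   minpwlen   - minimum password length
#   maxpwage   - days before a password must be changed
#   uniquepw   - number of previous passwords that may not be reused

net accounts /lockoutthreshold:10 /lockoutduration:30 /lockoutwindow:30
#   lockoutthreshold - failed attempts before the account is locked
#   lockoutduration  - minutes the account stays locked
#   lockoutwindow    - minutes within which the failed attempts are counted

# Show the resulting policy so it can be checked
net accounts
```

Note that the lockout threshold does not protect the built-in Administrator account on the Windows Server releases this post describes, so the firewall restriction on Remote Desktop covered later in the post is the stronger control for that account.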
Changing your administrator password
Passwords for your VPS can be changed easily; below is a screenshot of the Server Manager with the right-click menu shown for the Administrator account. Click the Set Password link from that menu and enter the new, secure password. Be aware that if your server runs any services under the Administrator account (this is not the default setup) then you will need to change the password on each of those services too.
Additional tips for password security
Limit users and user privileges
Having administrator access to the server is great when you need to get things done, but as the administrator you can do anything you want on there. That includes deleting everything! If you must have a number of people accessing the server via Remote Desktop Connection, do they need to be administrators? It's unlikely. It's far more likely that they need to do day-to-day tasks, and for those they need not be administrators; a non-administrative user will be just fine for the most part, and cannot cause too much damage. In the Server Manager (pictured above), add new users as required, then limit their privileges as required. That includes setting the relevant privileges at the folder, and possibly file, level so that only some users can access certain areas of your server. Remember this: the more users there are on the server, the more likely a password will be compromised; and the more a user is able to do on the server, the more damage that user can cause in the wrong hands.
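The same result can be reached from the command line. The example below is added here and is not from the original post: it creates a non-administrator account that can still log on over Remote Desktop, restricts one data folder so that only that account, Administrators and SYSTEM can reach it, and then checks that the new account did not end up in the Administrators group. The user name, folder path and description are constructed placeholders, and the LocalAccounts cmdlets assume Windows Server 2016 or later (on older releases the equivalent commands are net user and net localgroup).

```powershell
# Added example (not from the original post). Placeholders: $UserName and $Folder.
# Requires an elevated prompt and the Microsoft.PowerShell.LocalAccounts module
# (Windows Server 2016 / PowerShell 5.1 or later).
$UserName = 'bookkeeper'      # constructed placeholder
$Folder   = 'D:\Accounts'     # constructed placeholder

# Create the account; prompt for the password rather than embedding it in the script
$Password = Read-Host -AsSecureString "Password for $UserName"
New-LocalUser -Name $UserName -Password $Password -Description 'Day-to-day user, no admin rights' | Out-Null

# Members of 'Remote Desktop Users' can log on via RDP without being administrators
Add-LocalGroupMember -Group 'Remote Desktop Users' -Member $UserName

# Folder ACL: stop inheriting from the parent, then grant only what is needed
New-Item -ItemType Directory -Path $Folder -Force | Out-Null
$acl = Get-Acl -Path $Folder
$acl.SetAccessRuleProtection($true, $false)   # $true = protect from inheritance, $false = discard inherited ACEs
$inherit = 'ContainerInherit,ObjectInherit'    # apply to sub-folders and files
$rules = @(
    New-Object System.Security.AccessControl.FileSystemAccessRule('Administrators', 'FullControl', $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule('SYSTEM',         'FullControl', $inherit, 'None', 'Allow'),
    New-Object System.Security.AccessControl.FileSystemAccessRule($UserName,        'Modify',      $inherit, 'None', 'Allow')
)
foreach ($rule in $rules) { $acl.AddAccessRule($rule) }
Set-Acl -Path $Folder -AclObject $acl

# Checks: the new user must not be an administrator, and the folder ACL should be as intended
if (Get-LocalGroupMember -Group 'Administrators' -Member $UserName -ErrorAction SilentlyContinue) {
    Write-Warning "$UserName is a member of Administrators; that defeats the purpose"
}
(Get-Acl -Path $Folder).Access |
    Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
```

Granting Modify rather than FullControl means the user can work with files in the folder but cannot change its permissions, which keeps the decision about who may access the folder with the administrator.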
Lock down access to the desktop via the firewall
By default, if you know the IP address of the server and the administrator password, you can get access to the desktop. Obviously, that could be secured far better. If you only connect to the server from the office, and you have a fixed IP address for the office, lock down the firewall so that only that IP address can access the server via Remote Desktop. The more locked down the firewall is, the more secure your server is. You should then only open it up to further IP addresses as required.
WARNING: If you lock down access to Remote Desktop to a fixed IP address, and your IP address changes, you will lock yourself out of the server and you will need to contact us to reset the firewall for you.
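The following is an added example, not part of the original post, of applying that restriction with Windows Firewall from PowerShell. It scopes the built-in Remote Desktop inbound rules to a list of allowed addresses, and, because of the lock-out warning above, first refuses to apply the change if the Remote Desktop session you are working from does not come from one of those addresses. It assumes Windows Server 2012 or later (the NetSecurity module); 203.0.113.10 is a constructed placeholder for the office address.

```powershell
# Added example (not from the original post): restrict RDP (TCP/3389) to known addresses.
# Run from an elevated prompt on Windows Server 2012 or later.
$AllowedAddresses = @('203.0.113.10')   # constructed placeholder; replace with your fixed office IP(s)

# Guard against locking yourself out: refuse to proceed if any established RDP
# session (including, presumably, this one) comes from an address not on the list.
$active = Get-NetTCPConnection -LocalPort 3389 -State Established -ErrorAction SilentlyContinue |
          Select-Object -ExpandProperty RemoteAddress -Unique
$uncovered = @($active | Where-Object { $_ -notin $AllowedAddresses })
if ($uncovered.Count -gt 0) {
    throw "Established RDP session(s) from $($uncovered -join ', ') would be cut off. Add those addresses or stop."
}

# Scope every inbound rule in the built-in 'Remote Desktop' group to the allowed addresses.
# Editing the existing allow rules is preferable to adding a block rule, because in
# Windows Firewall an explicit block rule would override the allow rule for everyone.
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    Set-NetFirewallRule -RemoteAddress $AllowedAddresses

# Confirm what each rule now accepts
Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -Direction Inbound |
    ForEach-Object {
        $addr = ($_ | Get-NetFirewallAddressFilter).RemoteAddress -join ', '
        "{0}: {1}" -f $_.DisplayName, $addr
    }
```

On Windows Server 2008 the same change can be made with netsh, for example `netsh advfirewall firewall set rule group="remote desktop" new remoteip=203.0.113.10`, again with a placeholder address. Whichever tool is used, keep a second management path (such as the provider's console) available until you have confirmed you can still connect.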
Do you need desktop access at all? It's not always necessary to have access to the desktop; there are control panel software packages available, some free and some charged for, which abstract all of that configuration work into an interface that you access via the web, thereby avoiding the need for desktop access completely. Talk to us about control panel integration, as we have solutions which may help.
Keep your server up-to-date
Security updates, hot-fixes and patches are released quite regularly for Windows Server, and you should make sure that your server is kept up-to-date. If a patch has been released for a security issue, that means a bug has been found in one or more components which could be exploited. News about security exploits travels fast around the communities that try to exploit them, so an un-patched system is a gold mine to them. Updates are done for Windows Server in the same way that they are for Windows 7 or Windows Vista: you use the Windows Update tool. It is advisable to log into your server every so often to make sure that there are no outstanding patches that need to be installed.
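Checking for outstanding patches can be scripted rather than done by eye. The example below is added here and is not from the original post: it asks the Windows Update Agent, through its COM interface, for updates that are applicable but not yet installed, and lists them with their Microsoft severity rating and KB numbers so that the security-rated ones are easy to spot. It assumes the server can reach Windows Update (or its WSUS server) and that PowerShell 3 or later is available.

```powershell
# Added example (not from the original post): list updates that are not yet installed,
# using the Windows Update Agent COM API that the Windows Update tool itself relies on.
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()

# Applicable, not installed, not hidden by an administrator
$result = $searcher.Search('IsInstalled=0 and IsHidden=0')

if ($result.Updates.Count -eq 0) {
    'No outstanding updates.'
}
else {
    $result.Updates | ForEach-Object {
        [pscustomobject]@{
            Severity  = if ($_.MsrcSeverity) { $_.MsrcSeverity } else { 'n/a' }   # Critical/Important/... for security updates
            KB        = ($_.KBArticleIDs | ForEach-Object { "KB$_" }) -join ','
            Title     = $_.Title
        }
    } | Sort-Object Severity | Format-Table -AutoSize

    # A non-zero count is the thing to act on; exit code lets a scheduled task flag it
    "Outstanding updates: $($result.Updates.Count)"
}
```

Run this from a scheduled task and have it alert you when the count is non-zero, and the "log in every so often" step turns into something the server reminds you about.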
Pay attention to what is happening on your server
This may sound obvious, but many people fail to notice things that are staring them in the face when it comes to computers. Let's look at what you can do in order to keep on top of things, or in the worst case, notice quickly when something has happened, if indeed it has:
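One concrete way to keep an eye on the server is to read its Security log for logon activity. The example below is added here and is not from the original post: it summarises failed logons (event 4625) over the last 24 hours by source address and the accounts tried, warns about any source above a threshold, and lists successful Remote Desktop logons (event 4624 with logon type 10) so that an unfamiliar address stands out. It assumes PowerShell 3 or later and an elevated prompt (reading the Security log needs administrator rights); the threshold of 20 is an arbitrary starting point.

```powershell
# Added example (not from the original post): who has been knocking on the door?
$Since     = (Get-Date).AddHours(-24)
$Threshold = 20   # arbitrary starting point; tune to your own baseline

# Pull a named field (IpAddress, TargetUserName, LogonType, ...) out of an event's EventData
function Get-EventField($Event, [string]$Name) {
    $xml = [xml]$Event.ToXml()
    ($xml.Event.EventData.Data | Where-Object { $_.Name -eq $Name }).'#text'
}

# --- Failed logons (4625), grouped by source address ---
$failed = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue
$summary = $failed | ForEach-Object {
    [pscustomobject]@{
        Source  = Get-EventField $_ 'IpAddress'
        Account = Get-EventField $_ 'TargetUserName'
    }
} | Group-Object Source | Sort-Object Count -Descending

"Failed logons since $Since"
$summary |
    Select-Object @{ n = 'Source'; e = { $_.Name } }, Count,
                  @{ n = 'Accounts tried'; e = { ($_.Group.Account | Sort-Object -Unique) -join ', ' } } |
    Format-Table -AutoSize

$summary | Where-Object { $_.Count -ge $Threshold } | ForEach-Object {
    Write-Warning ("{0}: {1} failed logons in 24h. Check the firewall rules and the accounts it tried." -f $_.Name, $_.Count)
}

# --- Successful Remote Desktop logons (4624, logon type 10 = RemoteInteractive) ---
"Successful Remote Desktop logons since $Since"
Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4624; StartTime = $Since } -ErrorAction SilentlyContinue |
    Where-Object { (Get-EventField $_ 'LogonType') -eq '10' } |
    ForEach-Object {
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Account = Get-EventField $_ 'TargetUserName'
            Source  = Get-EventField $_ 'IpAddress'
        }
    } | Format-Table -AutoSize
```

A long list of failed logons against "Administrator" from addresses you do not recognise is the brute force activity described at the top of the post in action; a successful logon from an address you do not recognise is the thing to act on immediately.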
Security is generally overlooked on a server, that is, right up until the time that an Administrator password is compromised and your world falls apart. You may be able to put everything back together again, but at the very least it is going to cost you time to fix (quite a lot of it, generally), often money (quite a lot of that too), and then there are the unmeasurable costs such as loss of reputation. Don't put yourself in a position where you have to recover from a security breach; stay ahead of the game. It only takes a little time to keep the bad guys out of your server and stop them potentially ruining your business, and it makes life harder for them. The harder it is for them, the more likely they are to leave you alone. These steps will not make you immune from attack, and they do not mean that your server will never be compromised, but they reduce the risks considerably. If you are ever in any doubt about how to proceed with security matters, always consult a qualified professional.