Hi guys, at work we have an unmanaged Windows Server 2k8 Standard VPS from poundhost which is going to be used as a host for 3 websites. The server is currently configured with a single IP and I'm accessing it via RDP which is completely open. I want to ensure that the server is secure especially due to the fact that it's going to be public and a simple ping will resolve the server's IP, but I'm really not sure what lengths I should go to and what I should deploy and secure, any advice chaps?
Unmanaged VPS security
- Thread starter EvilGrin
- Start date
Soldato
- Joined
- 18 Oct 2002
- Posts
- 16,035
- Location
- The land of milk & beans
I'm hoping there's login credentials!
If you're that worried you could ask for the firewall protecting your server to have a rule set to deny access to port 3389 except from any IP you use. This could obviously be a problem if you're on a dynamic IP though.
Also would be a problem if your hoster aren't using port 3389, as many don't to make RDP sniffing harder.
If you're that worried you could ask for the firewall protecting your server to have a rule set to deny access to port 3389 except from any IP you use. This could obviously be a problem if you're on a dynamic IP though.
Also would be a problem if your hoster aren't using port 3389, as many don't to make RDP sniffing harder.
I would recommend a firewall for a Windows VPS. I remember having a dedicated server running Windows with no firewall. It was hacked fairly nicely (I was young in my career 
).
You may want to put antivirus software on it, disable any services you don't need, disable user accounts that are not used, use complex passwords, you can limit IIS connections and transfer rates so the box doesn't get smashed.
There's tonnes more depending on how detailed you want to go into it.
If you don't want to look after security etc then a managed VPS may be for you. Personally I'd never use a unmanaged service for business again, just isn't worth the hassle when I could be doing better things with my time.
). You may want to put antivirus software on it, disable any services you don't need, disable user accounts that are not used, use complex passwords, you can limit IIS connections and transfer rates so the box doesn't get smashed.
There's tonnes more depending on how detailed you want to go into it.
If you don't want to look after security etc then a managed VPS may be for you. Personally I'd never use a unmanaged service for business again, just isn't worth the hassle when I could be doing better things with my time.
Ah sorry didn't quite make myself clear, RDP is secured by a fairly hefty password on the only Administrator account, but if someone typed in ourwebsite.com into mstsc, it'd bring up the login splash screen - I'd prefer for that not to happen. So I wanted to secure it to our network, however I didn't want to lock myself out at the same time by getting it wrong! lol. I don't believe that poundhost have any firewalls, it's a completely open network, so the port on which RDP operates is really down to the config on the server, it seems from the firewall that it's definitely port 3389, and i've now locked down remote IP ranges to our own network only, didn't lock myself out, so that's good news! 
I'm more than happy to manage the server myself - I'm the sole IT admin for this company, and I manage 15 or so other servers on-site, so adding another to my maintenance routine isn't going to break my balls too much. Of course, my only concern is getting it right, and the difference in security between my network and this external VPS is that my on-site servers are sitting behind a nice little Cisco ASA5505 firewall. A managed service isn't really an option either due to budget restrictions for now, but as ever this may change in the future...
Anyway, this is my first W2k8 server to manage, combine this with the fact that for the last 3 years I've sat behind a hardware firewall makes the software firewall with advanced services installed on here somewhat alien as I generally haven't had to mess with anything other than configure the odd port forward. Is there anything in particular that I should lock down? The server is going to be used for HTTP, HTTPS, POP3, SMTP and that's it, I've uploaded a few pics of the default firewall settings below, could you guys cast your eyes over them and let me know if I should make any changes please?
Thanks a lot guys.
I'm more than happy to manage the server myself - I'm the sole IT admin for this company, and I manage 15 or so other servers on-site, so adding another to my maintenance routine isn't going to break my balls too much. Of course, my only concern is getting it right, and the difference in security between my network and this external VPS is that my on-site servers are sitting behind a nice little Cisco ASA5505 firewall. A managed service isn't really an option either due to budget restrictions for now, but as ever this may change in the future...
Anyway, this is my first W2k8 server to manage, combine this with the fact that for the last 3 years I've sat behind a hardware firewall makes the software firewall with advanced services installed on here somewhat alien as I generally haven't had to mess with anything other than configure the odd port forward. Is there anything in particular that I should lock down? The server is going to be used for HTTP, HTTPS, POP3, SMTP and that's it, I've uploaded a few pics of the default firewall settings below, could you guys cast your eyes over them and let me know if I should make any changes please?
Thanks a lot guys.
Last edited:
I think you can restrict remote desktop connections to an IP / IP Range with the firewall. Perhaps pop some of your work / home static IP addresses into a rule and exclude anything else?
Are you using IPv6, SMTP, DNS Server, POP server? If the server is just for websites then disable anything extra you don't need (you may need outgoing SMTP though if you website emails stuff). If you have a console through Poundhost you can get a little adventurous without the risk of locking yourself out..
Are you using IPv6, SMTP, DNS Server, POP server? If the server is just for websites then disable anything extra you don't need (you may need outgoing SMTP though if you website emails stuff). If you have a console through Poundhost you can get a little adventurous without the risk of locking yourself out.
.