I have found the IPSec features of Windows 2000+ to be a hidden blessing. You can use them for all sorts of neat things, including a fairly configurable firewall!
AnalogX has a good writeup on it, as well as a sample script to get you going. By default, it leaves Windows networking and RDP on, so it SHOULD be safe for you to play with! (I installed it remotely, if that makes you feel better.)
http://www.analogx.com/contents/articles/ipsec.htm
Also, make sure you use the Microsoft Baseline Security Analyzer at least once a week. It scans for patches that windowsupdate doesn't.
Every so often, check your administrators group and make sure there aren't any mystery accounts in there.
Change your administrator password once a month.
Try to use secure protocols as much as possible (SSL). Try not to send sensitive accounts in cleartext, like FTP. The IPsec might help you in this regard too, but I haven't attempted it.
Check your task manager for any programs. You should be able to identify all running processes.
Some might disagree, but I enjoy the comfort of running a virus scanner on the server. If it's for non-commercial purposes, you can grab one from www.grisoft.com. Norton AV works too, but make sure you don't enable the script blocking features, which will mess up certain ASP pages. Someone else might have a recommendation for a no-frills virus package that doesn't dig into your OS like Norton does.
2000 and especially 2k3 come with pretty tight permissions out of the box, but you might be able to get away with restricting access to your root C: and Program Files directory to only System + Administrator FULL and everyone else Read+Execute (be careful if you don't know what you're doing).
Boy, there are just so many things you can do.
The biggest hassle is that there isn't a surefire checklist that you can follow. You need to have an understanding of how NTFS security works, and which people need access to which files.
Each website should run under its own anonymous user account. Each anonymous user account should not have access to other websites on the server, to prevent people from snooping around.
I'll stop now.
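One way to turn the "check your administrators group for mystery accounts" advice above into a repeatable check, as an added example that is not part of the original post: it parses the output of `net localgroup Administrators` (the Windows 2000/2003 command) and reports any member not on an approved baseline. The baseline set, the `webtemp` account and the sample output are constructed for the example.

```python
"""Audit the local Administrators group against an approved baseline.

Added example, not from the original post. The parser is pure Python and runs
anywhere on the constructed sample below; audit_live_host() assumes a Windows
host where `net localgroup Administrators` is available.
"""
import subprocess

# Accounts expected in the group (assumption: adjust per server).
APPROVED_ADMINS = {"Administrator", "DOMAIN\\Domain Admins"}

# Constructed sample of `net localgroup Administrators` output in the format
# Windows prints it; "webtemp" plays the role of the mystery account.
SAMPLE_OUTPUT = """Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
DOMAIN\\Domain Admins
webtemp
The command completed successfully.
"""


def parse_members(output):
    """Return the member names listed after the dashed separator line."""
    members = []
    in_members = False
    for line in output.splitlines():
        line = line.strip()
        if not in_members:
            in_members = line.startswith("---")  # members start after the rule
            continue
        if not line or line.startswith("The command completed"):
            break
        members.append(line)
    return members


def find_unexpected(output, approved=APPROVED_ADMINS):
    """Group members that are not on the approved baseline, sorted."""
    return sorted(set(parse_members(output)) - set(approved))


def audit_live_host():
    """Run the real command (Windows only) and return unexpected members."""
    out = subprocess.run(["net", "localgroup", "Administrators"],
                         capture_output=True, text=True, check=True).stdout
    return find_unexpected(out)


if __name__ == "__main__":
    for acct in find_unexpected(SAMPLE_OUTPUT):
        print("unexpected Administrators member:", acct)
```

Schedule `audit_live_host()` with the Task Scheduler and alert on a non-empty result; keep the baseline under change control so additions are deliberate.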