User Manual
5
Checklist
Cyber Security Concepts -
How to Secure the System
Siemens Application Note
Smart Infrastructure
can talk to the server on other ports, that opens a huge and unnecessary security risk. If the server has other functions such as remote desktop (RDP) for management, they should only be available over a VPN connection, ensuring that unauthorized people can’t exploit the port at will from the net.
The Windows firewall is a built-in software firewall that allows configuration of port-based traffic from within the OS. On a standalone server, or any server without a hardware firewall in front of it, the Windows firewall will provide some protection against network-based attacks by limiting the attack surface to the allowed ports. That said, a hardware firewall is always a better choice because it offloads the traffic to another device and offers more options for handling that traffic, leaving the server to perform its main duty. Whichever method you use, the key point is to restrict traffic to only the necessary pathways.
Remote Access Configuration
As mentioned above, if you use RDP, be sure it is only accessible via VPN if at all
possible. Leaving it open to the internet doesn’t guarantee you’ll get hacked, but it
does offer potential hackers another inroad into your server.
Make sure RDP is only accessible by authorized users. By default, all administrators can use RDP once it is enabled on the server. Additional people can join the Remote Desktop Users group for access without becoming administrators.
In addition to RDP, various other remote access mechanisms such as PowerShell and SSH should be carefully locked down if used and made accessible only within a VPN environment. Telnet should never be used at all, as it passes information in plain text and is insecure in several ways. The same goes for FTP. Use SFTP or SSH (from a VPN) whenever possible and avoid any unencrypted communications altogether.
Service Configuration
Windows Server has a set of default services that start automatically and run in the background. Many of these are required for the OS to function, but some are not and should be disabled if not in use. Following the same logic as the firewall, we want to minimize the attack surface of the server by disabling everything other than primary functionality. Older versions of Windows Server have more unneeded services than newer ones, so carefully check any 2008 or 2003 servers.
Important services should be set to start automatically so that the server can recover without human interaction after failure. For more complex applications, take advantage of the Automatic (Delayed Start) option to give other services a chance to get going before launching intensive application services. You can also set up service dependencies in which a service will wait for another service or set of services to successfully start before starting. Dependencies also allow you to stop and start an entire chain at once, which can be helpful when timing is important.
Further Hardening
Microsoft provides best practices analyzers based on role and server version that can help you further harden your systems by scanning and making recommendations.
Although User Account Control (UAC) can get annoying, it serves the important purpose of abstracting executables from the security context of the logged-in user. This means that even when you’re logged in as an admin, UAC will prevent applications from running as you without your consent. This prevents malware from running in the background and malicious websites from launching installers or other code. Leave UAC on whenever possible.
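The firewall, remote access, service and UAC items above can be checked in one read-only PowerShell pass. This is an added example, not part of the Siemens application note; `$RequiredPorts` and its value 443 are assumptions to replace with the ports your server's role needs, and `TlntSvr` and `FTPSVC` are the service names of the Windows Telnet Server and Microsoft FTP Service.

```powershell
# Added example, read-only: collects findings, changes nothing.
# Run in an elevated PowerShell 5.1+ session on the server being checked.
$RequiredPorts = @(443)   # assumption: inbound ports this server's role needs
$findings = [System.Collections.Generic.List[string]]::new()

# Firewall: every profile (Domain, Private, Public) should be enabled.
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } |
    ForEach-Object { $findings.Add("Firewall profile '$($_.Name)' is not enabled") }

# Enabled inbound allow rules: flag single ports outside the required set, and
# RDP (3389) rules that accept any remote address instead of a VPN range.
# Entries such as 'Any', 'RPC' or port ranges are skipped by the numeric test.
$rules = Get-NetFirewallRule -Enabled True -Direction Inbound -Action Allow
foreach ($rule in $rules) {
    $ports  = @(($rule | Get-NetFirewallPortFilter).LocalPort)
    $remote = @(($rule | Get-NetFirewallAddressFilter).RemoteAddress)
    foreach ($p in $ports) {
        if ($p -match '^\d+$' -and $p -ne '3389' -and [int]$p -notin $RequiredPorts) {
            $findings.Add("Rule '$($rule.DisplayName)' allows inbound port $p")
        }
    }
    if ($ports -contains '3389' -and $remote -contains 'Any') {
        $findings.Add("Rule '$($rule.DisplayName)' allows RDP from any address")
    }
}

# Who can log on over RDP: Administrators (S-1-5-32-544) by default, plus
# members of Remote Desktop Users (S-1-5-32-555). Listed for manual review.
foreach ($sid in 'S-1-5-32-544', 'S-1-5-32-555') {
    Get-LocalGroupMember -SID $sid -ErrorAction SilentlyContinue |
        ForEach-Object { $findings.Add("RDP-capable account ($sid): $($_.Name)") }
}

# Plain-text protocols: Telnet and FTP services should be absent or disabled.
Get-Service -Name TlntSvr, FTPSVC -ErrorAction SilentlyContinue |
    Where-Object { $_.StartType -ne 'Disabled' } |
    ForEach-Object { $findings.Add("Service '$($_.Name)' is $($_.StartType), $($_.Status)") }

# UAC: EnableLUA = 1 means User Account Control is on.
$uac = Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
if ($uac.EnableLUA -ne 1) { $findings.Add('UAC is turned off (EnableLUA is not 1)') }

$findings   # one line per item to review
```

The account lines are an inventory to compare against the list of people who should have remote access, not failures in themselves.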
Logging and Monitoring
Make sure that your logs and monitoring are configured and capturing the data you want so that in the event of a problem, you can quickly find what you need and remediate it. Logging works differently depending on whether your server is part of a