Best way to protect against brute force attack?
Hello everyone, I am new to the TechNet forum (so if this is in the wrong spot, I apologize), and a relatively new server renter. I rent a virtual server with Windows 2008 which hosts web, MySQL, FTP, and game services, and I need to work on implementing some security because as of now, there is none. I haven't had the server for very long (a month or two) and I've been focusing on getting everything set up and running properly and haven't really had time to sit down and really think out a good security plan. Hopefully you guys can help me.

The other day I checked the event viewer and found that I was getting about 2000 login failures a day, from different IPs, using different ports, and attempting different user names. This is what really lit a fire under my ____ and motivated me to beef up on security.

I assume the first step would be to set up a firewall; can anyone recommend a good free one for me? Is there a way to set up a policy where after x number of failed login attempts, your IP gets blacklisted from all network activity on the server? I was thinking of writing a Perl script to go through all of the logs in the event viewer to get all the IPs used and then import them into IPsec somehow, but I'm hoping there is an easier way. Any information on any other sort of security methods or techniques would be greatly appreciated.

I understand that I am an idiot for having a completely unprotected server, so you don't need to point that out. I just want to take this as a learning experience and get as many suggestions and ideas from you pros as I can. Thanks a ton in advance.
October 17th, 2009 12:38pm

Regarding the firewall - Windows Firewall/Windows Firewall with Advanced protection will be very good. What else can you do?

1) On the external interface (the one that is connected to the WAN) you need to leave TCP/IP v4/v6 only. All others (such as Client for Microsoft Networks, File and Printer Sharing) must be disabled (just deselect them on the WAN interface).
2) Configure your firewall to allow only the necessary ports that are required for external users: 21 for FTP users, 80/443 for WWW users and the specified port for game users.
3) Do your hosted services require Windows authentication? If not, disable Windows authentication in the IIS console, leaving Anonymous authentication only.
4) Make sure you have strong passwords. They may be not so complex, but should be long. For example, 20 characters minimum? You can remember it, because it may be a part of your favorite song lyrics, so you don't forget it.

[http://www.sysadmins.lv] As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
October 17th, 2009 12:59pm

Yes, strong passwords! Always include some special character. 80% of the world's used passwords contain only letters and numbers, so password cracking attacks commonly try this character set first.

o.
October 17th, 2009 2:07pm

You should also implement account lockout, so that the account gets locked out after some number of failed attempts and could unlock for convenience after some short time (say 10 minutes etc.).

You have a free firewall in Windows 2008.

o.
October 17th, 2009 2:09pm

I don't recommend implementing account lockout in a business environment. I don't know about the author's network and business, however in many cases this only raises problems if several accounts are brute forced and people cannot do their work. I don't agree that a 20-character password is less secure than '#ewD@$Srd)'. Of course I agree that it should contain some special characters. Also you (author) will need to check the Security event log on a regular basis.

[http://www.sysadmins.lv] As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
October 17th, 2009 2:16pm

Oh, NOT that I would rather use '#ewD@$Srd)' instead of a 20-character password. The point was only that every password should contain at least one special character to prevent the limited charset attacks.

And yes, the lockout may be problematic, but I personally prefer having it, for example with, say, 40 invalid attempts and a 5-minute timeout. This is pretty secure for preventing long random guessing while leaving users some amount of peace. On the other hand, I have some deployments where we receive about 10+ cracking attempts a week and most of them are trying only about 10-20 passwords each. I do not know what passwords they are trying, but probably only some common types such as being the same as the login, empty or 'password'.

And the lockout also gives you a good indication that something incorrect is happening if you do not monitor them automatically - when the user complains, you can always check the logs and deny the originating IP address in the firewall manually. This always 'depends'.

o.
October 18th, 2009 3:20am

OK, I agree with this point and that it always 'depends'.

[http://www.sysadmins.lv] As always enjoy the automation of tools within the Windows-based, .NET aware, WPF accessible, multi-processes on the same IP / Port usage, admin's automation tool, powershell.exe! Flowering Weeds
October 18th, 2009 6:09am

Hi. I know this is an old thread but I still thought I'd mention a piece of software that automatically blocks the offending IP address and emails the sysadmin the DNS name, country of origin and username used during the attack, which might be useful for you as a sysadmin. Have a look at http://www.syspeace.com
July 16th, 2012 8:08am
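
The per-IP blocking asked about in the opening question (block an address after x failed logins), sketched as an added example that is not from any poster in this thread or from the product mentioned above. It assumes failed-logon records have already been exported from the Security event log as (timestamp, source IP, user name) tuples; the sample records, the threshold of 5 failures in 10 minutes, the allow-listed range and the rule name are all constructed for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
import ipaddress

T0 = datetime(2009, 10, 17, 3, 0, 0)
# Constructed sample records (not real log data): (timestamp, source IP, user name)
SAMPLE = (
    [(T0 + timedelta(seconds=20 * i), "203.0.113.7", "admin") for i in range(6)]  # fast burst
    + [(T0 + timedelta(hours=i), "198.51.100.9", "bob") for i in range(6)]        # one try per hour
    + [(T0 + timedelta(seconds=5 * i), "192.0.2.10", "me") for i in range(8)]     # the admin's own typos
    + [(T0, "-", "svc")]                                                          # event with no address
)

def offenders(events, threshold=5, window=timedelta(minutes=10), allow=()):
    """Map each source IP to the time it reached `threshold` failures
    inside a sliding `window`. Networks listed in `allow` are never flagged."""
    allowed = [ipaddress.ip_network(a) for a in allow]
    recent = defaultdict(deque)   # ip -> timestamps still inside the window
    flagged = {}
    for ts, src, _user in sorted(events):
        try:
            ip = ipaddress.ip_address(src)
        except ValueError:
            continue              # "-" or empty: nothing to block
        if any(ip in net for net in allowed):
            continue              # never lock out your own management address
        q = recent[ip]
        q.append(ts)
        while ts - q[0] > window:
            q.popleft()           # drop failures older than the window
        if len(q) >= threshold and str(ip) not in flagged:
            flagged[str(ip)] = ts
    return flagged

def block_rule(ip):
    """Build a Windows Firewall inbound block rule for one validated address."""
    ip = str(ipaddress.ip_address(ip))   # re-validate before it reaches a command line
    return ('netsh advfirewall firewall add rule name="block-bruteforce-%s" '
            'dir=in action=block remoteip=%s' % (ip, ip))

if __name__ == "__main__":
    for ip, when in offenders(SAMPLE, allow=["192.0.2.0/24"]).items():
        print("%s  # threshold reached at %s" % (block_rule(ip), when))
```

The allow-list matters as much as the threshold: without it, a few mistyped passwords from the administrator's own address would produce a block rule for that address.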

This topic is archived. No further replies will be accepted.
