How to set up a server safe from hacking and viruses

Net

Golden Member
Aug 30, 2003
1,592
2
81
it seems like my server always gets backdoored, etc... (using Windows XP pro currently)

virus and malware scanners are known not to pick up all viruses and malware.

If you're running a Windows environment and download a lot of files online then it's difficult to protect yourself.

i'm thinking of setting up windows server 2003 but how can i keep myself protected while it's running 24/7 and i'm downloading files?

current stats:

Latest updated version of Windows XP Pro
free Antivir (updates and scans every night)
Ad-aware
COMODO Firewall
 

bsobel

Moderator Emeritus, Elite Member
Dec 9, 2001
13,346
0
0
Simple, stop doing all of these things from an admin account.
 

mechBgon

Super Moderator, Elite Member
Oct 31, 1999
30,699
1
0
And don't download and run Trojan Horse programs either. All that glitters is not gold...

If you want some more suggestions, here's some more, including how to use non-Administrator accounts.
 
Mar 26, 2008
148
0
0
If you aren't already using one get a good SOHO router.

Maybe use dual NICs on your server. (Maybe overkill though)
 

Red Squirrel

No Lifer
May 24, 2003
70,166
13,573
126
www.anyf.ca
1: Use Linux, not windows XP (or at least use windows 2003 if you have to use Windows)
2: Enable the firewall, only allow the ports you want outside access to
3: Don't do daily tasks on this machine such as surfing the internet

These 3 steps alone, along with reading up on secure practices, should secure your server decently. It gets more complicated if you want even more security, but this is at least a good start.

If you want a 100% secure server, install Linux, then use the "ifdown eth0" command where eth0 is the nic.
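
One way to check step 2 of the list above on a Windows host, as an added example that is not part of the original post: parse `netstat -ano` output and report every TCP listener reachable from other machines whose port is not on an allowlist. The sample output is constructed, and the allowlist (remote desktop only) is an assumption.

```python
# Added example: audit listening TCP ports against an allowlist.
# SAMPLE_NETSTAT is constructed text in the layout of Windows `netstat -ano`.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       1048
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       1220
  TCP    0.0.0.0:8081           0.0.0.0:0              LISTENING       3012
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2040
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:3389      203.0.113.5:51515      ESTABLISHED     1220
  UDP    0.0.0.0:445            *:*                                    4
"""

# Assumption: remote desktop is the only service meant to be reachable.
ALLOWED_TCP_PORTS = {3389}


def parse_listeners(netstat_text):
    """Return (address, port, pid) for every TCP socket in LISTENING state."""
    listeners = []
    for line in netstat_text.splitlines():
        fields = line.split()
        # Data rows for TCP have exactly five columns; headers and UDP rows do not.
        if len(fields) != 5 or fields[0] != "TCP" or fields[3] != "LISTENING":
            continue
        # rpartition keeps bracketed IPv6 addresses such as [::] intact.
        address, _, port = fields[1].rpartition(":")
        listeners.append((address, int(port), int(fields[4])))
    return listeners


def unexpected_listeners(netstat_text, allowed_ports):
    """Listeners bound to a non-loopback address on a port not in allowed_ports."""
    findings = []
    for address, port, pid in parse_listeners(netstat_text):
        loopback = address.startswith("127.") or address == "[::1]"
        if not loopback and port not in allowed_ports:
            findings.append((address, port, pid))
    return sorted(findings, key=lambda item: item[1])


if __name__ == "__main__":
    for address, port, pid in unexpected_listeners(SAMPLE_NETSTAT, ALLOWED_TCP_PORTS):
        print(f"not on allowlist: {address}:{port} (PID {pid})")
```

Each reported PID can be matched to a process name in Task Manager; the service is then either disabled or left blocked at the firewall.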
 

Crusty

Lifer
Sep 30, 2001
12,684
2
81
Originally posted by: RedSquirrel
1: Use Linux, not windows XP (or at least use windows 2003 if you have to use Windows)
2: Enable the firewall, only allow the ports you want outside access to
3: Don't do daily tasks on this machine such as surfing the internet

These 3 steps alone, along with reading up on secure practices, should secure your server decently. It gets more complicated if you want even more security, but this is at least a good start.


If you want a 100% secure server, install Linux, then use the "ifdown eth0" command where eth0 is the nic.

What's the point of a server if it has no network access? You are also missing the whole physical security aspect if you really want 100% security (which is impossible really).

 

Red Squirrel

Originally posted by: Crusty
Originally posted by: RedSquirrel
1: Use Linux, not windows XP (or at least use windows 2003 if you have to use Windows)
2: Enable the firewall, only allow the ports you want outside access to
3: Don't do daily tasks on this machine such as surfing the internet

These 3 steps alone, along with reading up on secure practices, should secure your server decently. It gets more complicated if you want even more security, but this is at least a good start.


If you want a 100% secure server, install Linux, then use the "ifdown eth0" command where eth0 is the nic.

What's the point of a server if it has no network access? You are also missing the whole physical security aspect if you really want 100% security (which is impossible really).


That was meant as a little humor and to say that 100% security is impossible.

Also I did not mean to say Linux is more secure, but I find it's less obscure when it comes to security. You have better control and knowledge of what's going on the server, than in Windows. (better logging, and what not)
 

Net

3: Don't do daily tasks on this machine such as surfing the internet

i need to be able to log in and do things such as downloading, etc... from remote locations.
 

Red Squirrel

Originally posted by: net
3: Don't do daily tasks on this machine such as surfing the internet

i need to be able to log in and do things such as downloading, etc... from remote locations.

Is this a dedicated p2p server? If that's the case, what I'd do is just lock down the local account big time. Only allow the p2p app binaries to execute (you can set GPOs for this I think) and use a restricted account. You may want to even go a step further and add a special deny group and deny that group access to most system folders. Be careful though as it might mess things up. I usually don't like deny groups as it gets really confusing down the line, but for a single user setup it's not so bad.

If downloading is only a portion of what you do, set up a VM that is locked down, for that use.
 

Net

Is this a dedicated p2p server?

the entire setup is for me, so i can do stuff on my home computer while i'm not home. like start downloading files, programming, etc...

however i want the ability to easily share with family and friends.

and so all those files can then be shared with my other computers later on, by streaming or transferring the files.

If downloading is only a portion of what you do, set up a VM that is locked down, for that use.

that's an interesting idea. can you remote login to a virtual machine? maybe it would be a good idea to download all my music and video clip files while remote logged into the virtual machine.

then if viruses run rampant in that virtual machine it wouldn't matter as much. now if i stream those videos / music is there a chance for the receiving computer to get infected?
 

mechBgon

Also, use a very strong password for remote log-in. Upper-case, lower-case, numerals and symbols, the longer the better. Or a passphrase, such as "Cats have 9 lives." which has all four elements. Bonus points for using ALT characters like ™ (hold down ALT and type 0153 on the keypad for that one).