It’s a pretty safe bet that your company is storing valuable and confidential information on one or more Windows file servers right now. What may be less obvious is to what extent those servers have been appropriately hardened and locked down to protect the data from unauthorized access.

If you’re not sure where to begin, just follow these ten tips and best practices.

Top 10 Ways to Secure a Windows File Server

Have you hardened your Windows file servers yet? Follow these steps to make sure your sensitive files are adequately protected against unauthorized access.

Tip # 1. Make sure your Windows file server is physically secure.

If an intruder can gain physical access to your server, then you’re at risk for having the entire machine or one of its hard drives walk out the door. In addition to ensuring physical security, you should also configure your system so that it is only bootable from an internal hard drive to prevent an intruder from starting your system from removable media. The BIOS and boot loader should then be protected with a strong password.

Tip # 2. Encrypt your drives.

Using a system like BitLocker to encrypt your drives ensures that your files remain secure even if a hard drive is stolen or is discarded insecurely after being replaced. Running BitLocker on a server with a Trusted Platform Module (TPM) keeps the encryption transparent to administrators and users.

Tip # 3. Keep the Windows file server off the Internet if possible

There is little reason for most Windows file servers to be connected to the Internet, so use a firewall to restrict access from outside your LAN.

Tip # 4. Ensure the Windows file server is fully patched and up to date.

Even if your Windows file server is isolated from the Internet, you can still keep its software up to date by running Windows Server Update Services (WSUS) on another server on your network. If keeping your file server off the Internet is not practical, then you should ensure that Windows Update is set to automatically download and apply patches – unless you have a process in place for downloading and testing patches manually before applying them.

It’s also worth checking that Internet Explorer Enhanced Security Configuration is enabled on your server, since it’s unlikely you will be using the browser there. You can do this from the control panel by checking the Internet Explorer Enhanced Security Configuration option via the Add Windows Components section.

Tip # 5. Don’t forget anti-virus software.

Even if you have gateway security protection and anti-virus software running on clients, you should still run suitable enterprise-grade anti-virus software on your file server. Most enterprise products allow you to update virus signatures from a local update server (or even from other clients running the software on your network), but if you isolate your file server from the Internet then you may not be able to take advantage of network-based reputation systems for additional protection.

Tip # 6. Get rid of unnecessary software.

There is almost certainly no need for software such as Flash, Silverlight, or Java on your server, and having them installed merely increases the attack surface that attackers can target. You can remove unnecessary software from your server using the control panel applet.

Tip # 7. Stop unnecessary services.

In Windows you should stop Fax Service, Messenger, IIS Admin, SMTP, Task Scheduler, Telnet, Terminal Services, and World Wide Web Publishing Services unless you specifically need any of them (e.g. for remote administration).
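The following PowerShell script is an added example, not part of the article: it stops and disables the services listed in this tip, skipping any you name in -Keep (for instance TermService when you administer the box over Remote Desktop) and reporting any it cannot stop. The mapping from the article's display names to Windows short service names is an assumption, and some of the older services (Messenger, TlntSvr) may simply not exist on a current Windows Server build.

```powershell
function Disable-UnneededServices {
    param([string[]] $Keep = @(), [switch] $DryRun)

    # Short service names for the services Tip 7 lists (mapping is an assumption;
    # Messenger and TlntSvr may not exist at all on a current Windows Server build)
    $candidates = @{
        Fax         = 'Fax Service'
        Messenger   = 'Messenger'
        IISADMIN    = 'IIS Admin'
        SMTPSVC     = 'SMTP'
        Schedule    = 'Task Scheduler'
        TlntSvr     = 'Telnet'
        TermService = 'Terminal Services (Remote Desktop)'
        W3SVC       = 'World Wide Web Publishing'
    }

    foreach ($name in $candidates.Keys) {
        if ($Keep -contains $name) {
            Write-Host "keeping ${name} ($($candidates[$name]))"
            continue
        }
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if (-not $svc) {
            Write-Host "${name} not installed, skipping"
            continue
        }
        if ($DryRun) {
            Write-Host "would stop and disable ${name} ($($candidates[$name]))"
            continue
        }
        try {
            if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction Stop }
            Set-Service -Name $name -StartupType Disabled -ErrorAction Stop
            Write-Host "stopped and disabled ${name} ($($candidates[$name]))"
        } catch {
            # Task Scheduler on recent builds refuses to stop; report it rather than abort the run
            Write-Warning "could not disable ${name}: $($_.Exception.Message)"
        }
    }
}

# Review what is still running and set to start automatically after the clean-up
function Get-AutoStartRunningServices {
    Get-Service |
        Where-Object { $_.Status -eq 'Running' -and $_.StartType -eq 'Automatic' } |
        Select-Object Name, DisplayName
}

# Keep Remote Desktop if that is how you administer the box; drop -DryRun to apply
Disable-UnneededServices -Keep 'TermService' -DryRun
Get-AutoStartRunningServices
```

Run it from an elevated PowerShell session; the final listing is worth reviewing because services the tip does not mention may still be auto-starting.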

Tip # 8. Control file access.

You can use NTFS security to restrict file and folder access to specific groups or individual users. You can do this by viewing a file or folder’s properties, choosing the Security tab, then selecting Change Permissions under Advanced.

Tip # 9. Use the auditing function.

Make sure that you set up auditing so that you can see who is attempting to read, write, or delete your confidential files and folders. You can set this up by viewing a file or folder’s properties, choosing the Security tab and then selecting the Auditing tab under Advanced.
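As an added example covering both Tip 8 and Tip 9 (this script is not from the article), the following PowerShell does with Get-Acl and Set-Acl what the Security tab does by hand: it breaks inheritance on a share folder, grants access only to Administrators and one business group, and then adds an audit entry for reads, writes and deletes. The folder path and group name are assumptions; run it elevated.

```powershell
$SharePath = 'D:\Shares\Finance'        # assumed folder on the file server
$DataGroup = 'CONTOSO\Finance-Users'    # assumed domain group that may use it

$Inherit = [System.Security.AccessControl.InheritanceFlags] 'ContainerInherit, ObjectInherit'
$NoProp  = [System.Security.AccessControl.PropagationFlags]::None

# Tip 8: break inheritance, clear existing entries, grant only Administrators and one group
function Set-RestrictedFolderAcl {
    param([string] $Path, [string] $Group)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)       # stop inheriting, discard inherited entries
    foreach ($rule in @($acl.Access)) { [void] $acl.RemoveAccessRule($rule) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        'BUILTIN\Administrators', 'FullControl', $Inherit, $NoProp, 'Allow')))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Group, 'Modify', $Inherit, $NoProp, 'Allow')))  # Modify: read/write/delete, no ACL changes
    Set-Acl -Path $Path -AclObject $acl
}

# Tip 9: record successful and failed read, write and delete attempts by anyone
function Enable-FolderAuditing {
    param([string] $Path)
    $acl = Get-Acl -Path $Path -Audit                  # -Audit is needed to read the SACL
    $rule = New-Object System.Security.AccessControl.FileSystemAuditRule(
        'Everyone', 'ReadData, WriteData, Delete, DeleteSubdirectoriesAndFiles',
        $Inherit, $NoProp, 'Success, Failure')
    $acl.AddAuditRule($rule)
    Set-Acl -Path $Path -AclObject $acl
}

Set-RestrictedFolderAcl -Path $SharePath -Group $DataGroup
Enable-FolderAuditing   -Path $SharePath
# Audit entries only reach the Security log once object-access auditing is switched on:
auditpol /set /subcategory:"File System" /success:enable /failure:enable
```

Without the final auditpol step (or the equivalent "Audit object access" Group Policy setting) the audit entries are stored on the folder but nothing is ever written to the Security log.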

Tip # 10. Perform administration tasks using the least amount of privileges

Steer clear of using administrator privileges when possible. In the same vein, ensure that all accounts with administrator rights are protected by strong passwords enforced through password policies.

BONUS TIP: Use the Security Configuration Wizard. Since Windows Server 2003 SP2, this wizard has been available to help you configure your server securely based on the File Server role. You’ll find it in the Administrative Tools folder.

Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.