Top 10 Ways to Secure a Windows File Server
Have you hardened your file servers yet? Follow these steps to make sure your sensitive files are adequately protected against unauthorized access.
It's a pretty safe bet that your company is storing valuable and confidential information on one or more Windows file servers right now. What may be less obvious is to what extent those servers have been appropriately hardened and locked down to protect the data from unauthorized access.
If you're not sure where to begin, just follow these ten tips and best practices:
Tip # 1. Make sure your server is physically secure. If an intruder can gain physical access to your server, then you're at risk for having the entire machine or one of its hard drives walk out the door. In addition to ensuring physical security, you should also configure your system so that it is only bootable from an internal hard drive to prevent an intruder from starting your system from removable media. The BIOS and boot loader should then be protected with a strong password.
Tip # 2. Encrypt your drives. Using a system like BitLocker to encrypt your drives ensures that your files remain secure even if your hard drive is stolen or is discarded insecurely after being replaced. Using the drive on a server with a Trusted Platform Module (TPM) ensures that the use of BitLocker is transparent to administrators and users.
Tip # 3. Keep the server off the Internet if possible. There is little reason for most file servers to be connected to the Internet, so use a firewall to restrict access from outside your LAN.
Tip # 4. Ensure the server is fully patched and up to date. Even if your Windows server is isolated from the Internet, you can still keep its software up to date by running Windows Server Update Services (WSUS) on another server on your network. If keeping your file server off the Internet is not practical, then you should ensure that Windows Update is set to automatically download and apply patches – unless you have a process in place for downloading and testing patches manually before applying them.
It's also worth checking that Internet Explorer Enhanced Security Configuration is enabled on your server, since it's unlikely you will be using the browser. You can do this from the control panel by checking the Internet Enhanced Security Configuration option via the Add Windows Components section.
Tip # 5. Don't forget anti-virus software. Even if you have gateway security protection and anti-virus software running on clients, you should still run suitable enterprise-grade anti-virus software on your file server. Most enterprise products allow you to update virus signatures from a local update server (or even from other clients running the software on your network), but if you isolate your file server from the Internet then you may not be able take advantage of network-based reputation systems for additional protection.
Tip # 6. Get rid of unnecessary software. There is almost certainly no need for software such as Flash, Silverlight, or Java on your server, and having them installed merely increases the attack surface that hackers can address. You can remove unnecessary from your server using the control panel applet.
Tip # 7. Stop unnecessary services. In Windows you should stop Fax Service, Messenger, IIS Admin, SMTP, Task Scheduler, Telnet, Terminal Services, and World Wide Web Publishing Services unless you specifically need any of them (e.g. for remote administration).
Tip # 8. Control file access. You can use NTFS security to restrict file and folder access to specific groups or individual users. You can do this by viewing a file or folder's properties, choosing the Security tab, then selecting Change Permissions under Advanced.
Tip # 9. Use the auditing function. Make sure that you set up auditing so that you can see who is attempting to read, write, or delete your confidential files and folders. You can set this up by viewing a file or folder's properties, choosing the Security tab and then selecting the Auditing tab under Advanced.
Tip # 10. Perform administration tasks using the least amount of privileges. Steer clear of using administrator privileges when possible. In the same vein, ensure that all accounts with administrator rights are protected by strong passwords enforced though password policies.
BONUS TIP: Use the Security Configuration Wizard. Since Windows Server 2003 SP2, this wizard has been available to help you configure your server securely based on the File Server role. You'll find it in the Administrative Tools folder.
Paul Rubens is an award-winning technology journalist who has been covering IT security for over 20 years. He has written for leading international publications including The Economist, The Times, The Financial Times, The Guardian, the BBC, and Computing.