Mikael Grondahl

File Server security (Part 2) – Securing your Windows File Servers

In the first part of File Server security we covered the importance of physically protecting our file servers, preventing evil predators from putting their filthy hands on our physical hardware, trying to get access to sensitive data.

If someone could simply walk into a server room or datacenter, grab one of the file servers and make a run for it, that would surely make physical security look a bit sloppy, don’t you think?

But now that we hopefully have that area under control, let’s look at a few more ways to make it harder for the evil forces to get access to our data.

# Avoid Internet Access
Unless you have very good reasons to connect your file server directly to the internet, avoid it completely, or use a firewall to restrict access from outside your LAN.

Protect file servers from unnecessary internet access and make it more difficult for potential attackers to access the server.

# Firewall
Enable and configure your server firewall to filter and log incoming and outgoing traffic. It detects and stops connections from unauthorized ports or addresses, stopping incoming and outgoing attacks even if you’re not aware of them.

Make sure the firewall is running all the time, keep detailed notes of which ports are open, and the reason for being open. Best practice is to only have necessary ports open and, if possible, restrict access to those ports to necessary IP addresses.

In case of a security breach, logged details on successful connections and dropped packets could help you with troubleshooting and tracing the events that took place.
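The firewall settings described in this section, as an added PowerShell example (not part of the original post) using the built-in NetSecurity cmdlets from an elevated prompt. The subnet, rule name and description text are constructed values to replace with your own; TCP 445 is the SMB file-sharing port.

```powershell
# Added example: constructed values, adjust for your environment.
$AllowedSubnet = '10.0.10.0/24'   # assumption: the LAN segment your clients sit on
$LogPath = '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log'  # Windows default log file

# Keep the firewall on for every profile, block unsolicited inbound traffic,
# and log both successful connections and dropped packets.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -LogAllowed True `
    -LogBlocked True `
    -LogFileName $LogPath `
    -LogMaxSizeKilobytes 16384

# Open SMB (TCP 445) only to the named subnet. The description is the
# "reason for being open" note, stored with the rule itself.
New-NetFirewallRule -DisplayName 'SMB in from client LAN (example)' `
    -Description 'File shares for the client subnet (constructed reason)' `
    -Direction Inbound -Protocol TCP -LocalPort 445 `
    -RemoteAddress $AllowedSubnet -Action Allow -Profile Domain

# Inventory: every enabled inbound allow rule with its port, source and reason.
$inventory = Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule          = $_.DisplayName
            Protocol      = $port.Protocol
            LocalPort     = $port.LocalPort -join ','
            RemoteAddress = $addr.RemoteAddress -join ','
            Reason        = $_.Description
        }
    }

$inventory | Sort-Object LocalPort | Format-Table -AutoSize -Wrap

# Rules that accept traffic from any source are the ones to tighten or justify.
$inventory | Where-Object RemoteAddress -eq 'Any' | Select-Object Rule, LocalPort
```

The final query also surfaces built-in rules, such as those in the File and Printer Sharing group, that still accept SMB from any address when enabled; review them alongside the new rule.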

# Keep up to date with the latest service packs, patches & updates
As an ongoing response to the latest threats and vulnerabilities, OS and software vendors regularly release security patches, updates and service packs. Make sure to stay up to date with these new patches and releases on a regular basis; you should always be running the most recent stable version.

Use a dedicated server on your network that has internet access and run Windows Server Update Services (WSUS).

WSUS allows you to manage the distribution of updates and patches released for Microsoft products to computers in a corporate environment. WSUS downloads these updates from the Microsoft Update website and then distributes them to computers on a network.

# Anti-Malware Protection
When it comes to protecting your business and servers, malware protection needs to be a priority.

Install anti-malware software to protect your server from viruses, trojans, rootkits, ransomware and other malicious software, and continuously update the software with the latest signatures and patches as they become available.

Anti-malware software scans your server for malicious programs and suspicious code, and quarantines and removes any threats. Updates protecting against new malware and threats can be automatically downloaded from the anti-malware software vendor’s database of known malware signatures, a database continuously updated with new threats.

If your file servers are isolated from the internet and thus prevented from downloading signature updates, most enterprise anti-malware products give you the option to download new signature files to a local update server connected to the internet and distribute signature files from that server to the internal servers.

# Lock down and get rid of unnecessary software
Limit potential exposure to hackers by removing installed software that you don’t have a need for, reducing the attack surface.

Make sure to lock down all applications according to the software vendors’ best practices and recommendations, and revisit these regularly to see if there are any updates or changes to their recommendations.

As an additional safeguard, use change management and version control procedures for your software, so that all changes to your applications are documented.

# Stop unnecessary services
Stop and disable unnecessary services running on your file server. These could be services such as Messenger, IIS Admin, SMTP, Task Scheduler, Telnet, Terminal Services, and so on, unless you specifically need any of them.

This was the second blog in the 3-part “File Server Security” blog series. I hope you found it informative and helpful.

Stay tuned for blog #3