How to ensure a long life for WinServ2008R2?

In general, there is a cloud server running Windows Server 2008 R2. It just has remote desktops configured. People connect to their accounts, open their 1C shortcuts, log in and work. The main question is how to protect the server from attacks from outside? And how not to be stuck with?
5 answers
March 19th 20 at 09:32
Solution
A closed firewall will help you (i.e. block everything by default, open only what you need, and limit that to the minimum required).
To access the server, use a VPN with certificate authentication. The users on the server must be restricted and must not know the admin password. If you also don't allow users to reach the Internet, instant messengers and email from the server, that will be quite good.
Configure RemoteApp; then users will not have to go to the server's desktop, which further reduces the chances of a user harming the system.
How difficult it is. I'll need time to digest it. - Alize86 commented on March 19th 20 at 09:35
@Alize86, It is common practice in network administration. - marquis commented on March 19th 20 at 09:38
March 19th 20 at 09:34
Solution
1. Does your cloud offer a way to put up a firewall outside the Windows server? If it does, you need to fence the server off with it. If not, you will have to make do with the regular Windows firewall.

2. Start - Administrative Tools - Remote Desktop Services - Remote Desktop Session Host Configuration - RDP-Tcp - Properties - General - tick the checkbox "Allow... authenticated at the network level". This checkbox should be ticked; without it the server gets broken into faster (but without it you can connect from Windows XP).

3. Update.
Not impossible to fence outside the niche. What is this checkbox? - Alize86 commented on March 19th 20 at 09:37
@Lilly_Hintz, I understand that I'll find it. I would like to understand what it does and what I can expect after it is ticked. I understand that I could Google it, or just guess from the name. I just think that you will be able to explain simply and quickly. And without any problems. - Alize86 commented on March 19th 20 at 09:40
@Alize86, with this checkbox, authentication happens at a different level than without it. If someone is trying to crack the password by brute force (i.e. by dumb enumeration until they guess it), the attack is slowed down many times over. Roughly speaking, if the password is not very complex, it could have been guessed in a month of trying, and now the same password will be guessed in 10 years. But Windows XP does not support this method, so if there is at least one client on XP, you have to sacrifice security. - Lilly_Hintz commented on March 19th 20 at 09:43
March 19th 20 at 09:36
Solution
The standard set:
Configure the firewall: block traffic on all ports except RDP.
Outbound: allow only the required applications.
Users with limited accounts.
Software Restriction Policies.

how to protect your server from attacks from outside?
What attacks are you afraid of?
And how not to be stuck with?
The meaning of the question is unclear.
I'm a jellyfish. - Alize86 commented on March 19th 20 at 09:39
March 19th 20 at 09:38
Solution
Here is the article https://habr.com/ru/company/pc-administrator/blog/...
SRP first of all. Updates. RDP Guard or analogs. Backups. Configure a firewall or, even better, put a router such as a Mikrotik in front of the Windows box. Again, if you can, go through a tunnel.
March 19th 20 at 09:40
Solution
A Windows machine connected to the Internet, with a white IP address hanging on its network interface, is already a huge hole in itself. So when it will be hacked is just a matter of time. And it will be hacked, that is clear.
I wonder how? If unnecessary ports are closed, users have limited rights, all updates are installed and passwords are hard to brute-force. - Karolann51 commented on March 19th 20 at 09:43
@Karolann51, You know I wouldn't be so sure. - Alize86 commented on March 19th 20 at 09:46
@Alize86, and I'm not sure, but years of experience with such servers show that virtually no one hacks them. And I asked because I really want to understand how it could be feasible, to know what else needs to be closed. - Karolann51 commented on March 19th 20 at 09:49
Don't worry, Microsoft has many holes not yet discovered by hackers, and the scope for action is huge. It all depends on what runs on that server and how important it is to potential attackers. Well, and on your own view of how much fear and loss there will be if the data is stolen or erased. If even big, specially protected Linux servers get broken, what can be said about Windows, which is leaky by definition, even in its server version? - Camren commented on March 19th 20 at 09:52
@Alize86, you get pretty decent protection if you configure the firewall to allow access by a white list of addresses. This is easiest if all users connect from one or more offices with static external addresses.

If home computers also need to connect, and on dynamic addresses at that, then you will have to tinker, adding rules for perhaps a few dozen subnets of the providers in your city. But it's worth it. Even if script kiddies do bother you, they will be from your own city, it will be rare, they can be seen in the logs, and you can potentially complain to the provider (call, write a letter): "Your subscriber with such-and-such IP is brute-forcing me, here is the evidence, take action".
The interaction between the administrator and the users will look like this: at first once a week, then once a month, and then only once a year (as the white list is refined), one of the users will call: "I can't get in over RDP from home". That means the user's dynamic address has changed. Just look in the firewall logs to see from which address connection attempts were blocked in the past few minutes, run that address through whois to determine the subnet, and add that subnet to the white list. Tell the user to try again. - Lilly_Hintz commented on March 19th 20 at 09:55
@Lilly_Hintz, Yes, this is the right decision not only for this case; in general it is recommended to use white lists where possible. - Camren commented on March 19th 20 at 09:58
@Lilly_Hintz, oh damn, I'm a jellyfish. You explain very well. But I need it step by step. I don't know how to do it in the firewall, for example. - Alize86 commented on March 19th 20 at 10:01
@Alize86, Then why are you here? You ask pointless questions and get equally incomprehensible answers. The basics of firewall configuration should be learned elsewhere. And no one here is going to spell out for you, letter by letter, "click there, poke here and you'll be happy". You're on the wrong site. Hire a sysadmin who knows this; they will come, set it up, and be done with it. - Camren commented on March 19th 20 at 10:04
@Camren, Logical. Well. There is plenty of information on the Internet. I'll figure it out! Thank you. Yes, and it is a hassle with adding IPs, etc. And I realized that I have a big hole in my knowledge which needs filling. Like how to see who is connecting to this server, etc. - Alize86 commented on March 19th 20 at 10:07
@Alize86, I won't go into detail, because I'm not a fan of the Windows firewall (iptables is another matter, it offers significantly more possibilities), but I can point you in the right direction. Does the office have a static IP address?
At the beginning, add a rule "allow inbound from the office".
Need to connect from home? Look up the home address and add a rule "allow inbound from home".
At the end, add the rule "deny all incoming".
Rules are processed in order. If the first rule matched, then it doesn't matter what the remaining rules say; the permission has already been granted. So at the end: "we don't know who you are, get lost", i.e. block everything else. This scheme is called a "white list". In a white list, everyone who is allowed is listed explicitly. The opposite scheme is the "black list", where those to be denied access are listed explicitly and everyone else is allowed.
If you run into a dynamic address, do this. Look at what the address is at the moment. Punch this address into whois and find the subnet there. Add to the white list not the specific address but the whole subnet. - Lilly_Hintz commented on March 19th 20 at 10:10
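
The white-list logic from the comments above (ordered rules ending in "deny all incoming", and reviewing blocked RDP attempts in the firewall log before adding a subnet), as an added Python example that is not part of the original thread. The addresses, the sample log lines and the threshold of three attempts are constructed assumptions; the field layout follows the Windows Firewall log (pfirewall.log).

```python
import ipaddress
from collections import Counter

# Constructed example rules (documentation address ranges), evaluated top-down.
RULES = [
    ("allow", "198.51.100.0/28"),   # office, static addresses
    ("allow", "203.0.113.0/25"),    # home user's ISP subnet, taken from whois
    ("deny", "0.0.0.0/0"),          # final rule: deny all incoming
]

# Constructed sample lines in the pfirewall.log field layout.
SAMPLE_LOG = """\
#Fields: date time action protocol src-ip dst-ip src-port dst-port size tcpflags tcpsyn tcpack tcpwin icmptype icmpcode info path
2020-03-19 09:50:11 ALLOW TCP 198.51.100.5 10.0.0.4 50111 3389 0 - 0 0 0 - - - RECEIVE
2020-03-19 09:53:02 DROP TCP 203.0.113.200 10.0.0.4 50222 3389 52 S 1 0 8192 - - - RECEIVE
2020-03-19 09:53:40 DROP TCP 192.0.2.77 10.0.0.4 40001 3389 52 S 1 0 8192 - - - RECEIVE
2020-03-19 09:53:41 DROP TCP 192.0.2.77 10.0.0.4 40002 3389 52 S 1 0 8192 - - - RECEIVE
2020-03-19 09:53:42 DROP TCP 192.0.2.77 10.0.0.4 40003 3389 52 S 1 0 8192 - - - RECEIVE
"""

def decide(src, rules=RULES):
    """First matching rule wins; anything unmatched is denied."""
    addr = ipaddress.ip_address(src)
    for action, cidr in rules:
        if addr in ipaddress.ip_network(cidr):
            return action
    return "deny"

def add_subnet(rules, cidr):
    return rules[:-1] + [("allow", cidr)] + rules[-1:]  # insert before deny-all

def dropped_rdp(log_text, port="3389"):
    """Count dropped inbound TCP attempts to the RDP port per source address."""
    fields, hits = [], Counter()
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        rec = {} if line.startswith("#") else dict(zip(fields, line.split()))
        if (rec.get("action"), rec.get("protocol"), rec.get("dst-port")) == ("DROP", "TCP", port):
            hits[rec["src-ip"]] += 1
    return hits

def triage(log_text, threshold=3):  # threshold is an assumed heuristic
    return {src: ("repeated attempts: do not whitelist" if n >= threshold
                  else "few attempts: confirm with the user, then whois the subnet")
            for src, n in dropped_rdp(log_text).items()}

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG).items():
        print(src, decide(src), verdict)
```

Windows Firewall with Advanced Security does not evaluate rules in list order: inbound connections are blocked by default and block rules take precedence over allow rules, so there the same white list is an inbound allow rule for RDP whose remote-address scope lists these subnets.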
