How to Harden a VPS Windows Server



I am new to this; most of the stuff I have is hosted on regular hosting, but since a task required an .EXE to be executed, I purchased a VPS Windows server (Windows Server 2008 R2) on Godaddy. The .EXE is a key generator from Software Passport.

 

The server hosts the following:

  • WAMP
  • 2 .PHP files
  • An EXE file
  • A .DLL file

So everything was going fine until I got an email from Godaddy saying "Your XXXXX server has been found to have become compromised at the root/administrator-level and ultimately exploited by a third party." and that I had to re-provision the server to get it back, which I did.

 

Now I want to make sure that this does not happen again.

Sample of malicious connections: 
C:\Windows\system32>netstat -ano 
Active Connections 
Proto Local Address Foreign Address State PID 
TCP MY.SR.VR.IP:50202 88.198.102.195:81 FIN_WAIT_1 59072 
TCP MY.SR.VR.IP:50203 88.198.102.195:8080 FIN_WAIT_1 59072 
TCP MY.SR.VR.IP:50204 88.198.102.195:8081 FIN_WAIT_1 59072 
TCP MY.SR.VR.IP:50205 88.198.102.195:8180 FIN_WAIT_1 59072 
TCP MY.SR.VR.IP:50206 88.198.102.195:8181 FIN_WAIT_1 59072 
TCP MY.SR.VR.IP:50207 88.198.102.195:9090 FIN_WAIT_1 59072 
TCP MY.SR.VR.IP:52637 193.174.65.44:9090 SYN_SENT 64256 
TCP MY.SR.VR.IP:52638 193.174.65.45:80 SYN_SENT 64256 
TCP MY.SR.VR.IP:52639 193.174.65.45:81 SYN_SENT 64256 
TCP MY.SR.VR.IP:52640 193.174.65.45:8080 SYN_SENT 64256 
TCP MY.SR.VR.IP:52641 193.174.65.45:8081 SYN_SENT 64256 
TCP MY.SR.VR.IP:52642 193.174.65.45:8180 SYN_SENT 64256 
TCP MY.SR.VR.IP:52643 193.174.65.45:8181 SYN_SENT 64256 
TCP MY.SR.VR.IP:52644 193.174.65.45:9090 SYN_SENT 64256 
TCP MY.SR.VR.IP:52645 193.174.65.46:80 SYN_SENT 64256 
TCP MY.SR.VR.IP:52646 193.174.65.46:81 SYN_SENT 64256 
TCP MY.SR.VR.IP:52647 193.174.65.46:8080 SYN_SENT 64256 
TCP MY.SR.VR.IP:52648 193.174.65.46:8081 SYN_SENT 64256 
TCP MY.SR.VR.IP:52649 193.174.65.46:8180 SYN_SENT 64256 
TCP MY.SR.VR.IP:52650 193.174.65.46:8181 SYN_SENT 64256 
TCP MY.SR.VR.IP:52651 193.174.65.46:9090 SYN_SENT 64256 
TCP MY.SR.VR.IP:52652 193.174.65.47:80 SYN_SENT 64256 
TCP MY.SR.VR.IP:52653 193.174.65.47:81 SYN_SENT 64256 
TCP MY.SR.VR.IP:52654 193.174.65.47:8080 SYN_SENT 64256 
TCP MY.SR.VR.IP:52655 193.174.65.47:8081 SYN_SENT 64256 
TCP MY.SR.VR.IP:52656 193.174.65.47:8180 SYN_SENT 64256 
TCP MY.SR.VR.IP:52657 193.174.65.47:8181 SYN_SENT 64256 
TCP MY.SR.VR.IP:52658 193.174.65.47:9090 SYN_SENT 64256 

Sample of malicious process: 
win32.dll*32 SYSTEM 

Can someone please guide me on what steps I should take to harden the server so that it does not happen again? To add, my original website, which has a dedicated IP, is the only connection that I want to make to the WAMP/host, other than the ability to remote connect (RDC) via 4 specific IP addresses.


I don't believe WAMP is intended to be used on a production server; it's more for development purposes, and therefore not really configured to be that secure. I know XAMPP used to run everything with admin rights when I had it on Windows 7, which would be a big no on a production server. I don't know if that is the case with WAMP though.

As you have Windows Server, why not add the IIS role and use IIS? You can easily add PHP support with Microsoft's Web Platform Installer. Even out of the box, IIS should be a lot more locked down than Apache running on Windows.

 

I run IIS; only select IP addresses can make any sort of connection to the server. My site also sits behind Cloudflare, which is a CDN but also provides additional protection against common threats and attacks. I have configured the server to only allow Cloudflare's IP addresses to talk to IIS on port 80, which has worked great over the years.

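The OP's requirement (web port reachable only from the site's dedicated IP, RDP only from four admin IPs) and Riva's approach (IIS on port 80 reachable only from Cloudflare's ranges) are the same kind of Windows Firewall scoping. The script below is an added example, not from the thread or any poster; since Server 2008 R2 has no New-NetFirewallRule cmdlet, it uses netsh advfirewall. The two IP lists are constructed placeholders.

```powershell
# Added example: inbound default-deny with per-source allow rules for a
# 2008 R2 web host. Replace the two lists with your real addresses.
$WebSourceIp = '203.0.113.10'                                        # ASSUMED: dedicated IP of the site that calls the keygen endpoint
$AdminIps    = '198.51.100.5,198.51.100.6,198.51.100.7,198.51.100.8' # ASSUMED: the four RDP admin IPs

# 1) Add the scoped allow rules FIRST so the RDP session you are in survives
#    the later steps. Quoting keeps the comma-separated list as one argument.
netsh advfirewall firewall add rule name="RDP from admin IPs only" dir=in action=allow protocol=TCP localport=3389 "remoteip=$AdminIps"
# For Riva's layout, put Cloudflare's published IP ranges here instead of one host.
netsh advfirewall firewall add rule name="HTTP from web host only" dir=in action=allow protocol=TCP localport=80 "remoteip=$WebSourceIp"

# 2) Disable the built-in Remote Desktop rule group, which allows 3389 from any address.
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

# 3) Firewall on for every profile, inbound blocked by default, outbound left
#    open so Windows Update still works.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 4) Log dropped packets so scans and RDP guessing show up in
#    %systemroot%\system32\LogFiles\Firewall\pfirewall.log (the default path).
netsh advfirewall set allprofiles logging droppedconnections enable

# 5) Verify: every enabled inbound allow rule should show a RemoteIP scope,
#    not "Any".
netsh advfirewall firewall show rule name=all dir=in | Select-String 'Rule Name|Enabled|RemoteIP|LocalPort'
```

Test from one of the admin IPs before closing your current session, and from a non-listed address to confirm 3389 and 80 are unreachable.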

So this is a complex topic, and there are a few things on Windows you can do.  Here are a few general tips that will help; they will likely require some searching online for the solution.

 

First, install the EMET!  That's #1.  That will actually likely solve your issues on its own, but in case you are getting owned by a more obscure method, try making RDS require a certificate to log on.  Also, for the Application accounts you use, disallow them from interactive logon.  Run the Security Wizard and get a template and apply it (this is the hardest, most likely to cause issues method, but will complete the circle).

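One of the items above, disallowing interactive logon for the application accounts, can be scripted with secedit. This is an added example, not from the poster; the two account names are constructed placeholders. It exports the current user-rights policy first, because a secedit INF that lists a right replaces that right's holders rather than adding to them.

```powershell
# Added example: deny local and RDP (remote interactive) logon to the accounts
# Apache/PHP run under, preserving whoever already holds the deny rights.
$AppAccounts = @("$env:COMPUTERNAME\svc_apache", "$env:COMPUTERNAME\svc_php")  # ASSUMED names
$Rights = @('SeDenyInteractiveLogonRight', 'SeDenyRemoteInteractiveLogonRight')
$Export = Join-Path $env:TEMP 'secpol-export.inf'
$Cfg    = Join-Path $env:TEMP 'deny-logon.inf'
$Db     = Join-Path $env:TEMP 'deny-logon.sdb'

# Resolve names to SIDs so the INF does not depend on name lookups at apply time.
$Sids = foreach ($acct in $AppAccounts) {
    $nt = New-Object System.Security.Principal.NTAccount($acct)
    '*' + $nt.Translate([System.Security.Principal.SecurityIdentifier]).Value
}

# Export the current user-rights assignments and merge our SIDs into each right.
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
$Current = Get-Content $Export

$Lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"',
           'Revision=1', '[Privilege Rights]')
foreach ($right in $Rights) {
    $existing = @()
    $line = $Current | Where-Object { $_ -match "^$right\s*=" }
    if ($line) {
        $existing = ($line -split '=', 2)[1] -split ',' | ForEach-Object { $_.Trim() }
    }
    $merged = ($existing + $Sids | Where-Object { $_ } | Select-Object -Unique) -join ','
    $Lines += "$right = $merged"
}
$Lines | Set-Content -Path $Cfg -Encoding Unicode

# Apply only the USER_RIGHTS area, then re-export to confirm the change took.
secedit /configure /db $Db /cfg $Cfg /areas USER_RIGHTS
secedit /export /cfg $Export /areas USER_RIGHTS | Out-Null
Get-Content $Export | Select-String 'SeDenyInteractiveLogonRight|SeDenyRemoteInteractiveLogonRight'
```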

I would say the best hardening you could do for a windows OS would be to change it to linux ;) hehehe

 

http://technet.microsoft.com/en-us/library/gg236605.aspx

Windows Server 2008 R2 Security Baseline

 

http://web.nvd.nist.gov/view/ncp/repository/checklistDetail?id=377

Checklist Details for Microsoft Windows 2008 R2 STIG Version 1, Release 14

 

The Windows Server 2008 R2 Security Technical Implementation Guide (STIG) is published as a tool to improve the security of Department of Defense (DoD) information systems. The requirements were developed from Federal and DoD consensus, as well as the Windows Server 2008 R2 Security Guide and security templates published by Microsoft Corporation. The vulnerabilities discussed in this document are applicable to Windows Server 2008 R2 (all versions). This STIG is for a Windows Server 2008 R2 baseline. It is meant for use in conjunction with other applicable STIGs and Checklists including such topics as Active Directory, Web Services, Domain Name Service (DNS), Database, Secure Remote Computing, and Desktop Applications. For example, Domain Controller reviews will also need to include the Active Directory STIG.

 

You could then run a scanner against it. A couple of options are Nessus (free home version) http://www.tenable.com/products/nessus/select-your-operating-system

 

Or OpenVAS - http://www.openvas.org/ - forked from Nessus, a completely open-source option.


Thank you all, especially @Riva, @blaktron and +BudMan. I will start with installing EMET 5.0, and antivirus with a firewall, then install WAMP using a non admin account, and finally end with a security scan. I appreciate all the help!


I think the simplest way is to use mmc, load the given lockdown template, and apply it.  Quick and easy, but be careful.  You might lock yourself out of a lot of control if you're not careful.  In short, do:

 

1) mmc snap-ins

2) load hisecweb

3) analyse and apply

4) remove a couple virtual default web sample pages

5) IISLock tool

6) Remove a couple of the registry keys that allow:

    a) anonymous login

    b) internet printing

    c) Admin share

    d) TCP/IP Syn

    e) Null session

7) Audit a few policies into the log

 

That's a short run-down if I were to run a Windows Server OS.  If you want to do some of the Apache lockdown, head over to apachelounge.com

They are very helpful.  You can also get the latest Apache and modsec (web server firewall) there too...

 

EDIT: oh yeah, hide your network

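Items 6 and 7 of the list above map onto a handful of well-known registry values and two audit subcategories. The script below is an added example, not the poster's; it reports which values are already in the hardened state and applies them only when run with -Apply. Internet printing (6b) is a role feature rather than a registry key, so it is left to the role tools, and SynAttackProtect is shown for completeness but has no effect on 2008 R2, whose TCP stack has SYN flood protection built in.

```powershell
# Added example: audit/apply the registry items behind 6a, 6c, 6d, 6e, then
# enable the logon auditing from item 7. Run elevated.
$Lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$Srv = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'

$Baseline = @(
  # 6a anonymous login / 6e null sessions
  @{ Path=$Lsa; Name='RestrictAnonymous';         Value=1; Note='no anonymous enumeration of shares/users' },
  @{ Path=$Lsa; Name='RestrictAnonymousSAM';      Value=1; Note='no anonymous enumeration of SAM accounts' },
  @{ Path=$Lsa; Name='EveryoneIncludesAnonymous'; Value=0; Note='Anonymous is not part of Everyone' },
  @{ Path=$Srv; Name='RestrictNullSessAccess';    Value=1; Note='null sessions limited to listed pipes/shares' },
  # 6c administrative shares (C$, ADMIN$) are recreated at boot unless disabled
  @{ Path=$Srv; Name='AutoShareServer';           Value=0; Note='do not auto-create admin shares (reboot)' },
  # 6d SYN protection: legacy key, ignored on Vista/2008 and later
  @{ Path=$Tcp; Name='SynAttackProtect';          Value=1; Note='legacy; built into the 2008 R2 stack' }
)

function Test-HardeningBaseline([switch]$Apply) {
  foreach ($s in $Baseline) {
    $cur = (Get-ItemProperty -Path $s.Path -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    $ok = ($cur -eq $s.Value)
    if ((-not $ok) -and $Apply) {
      # An [int] value is written as REG_DWORD, creating the value if absent.
      Set-ItemProperty -Path $s.Path -Name $s.Name -Value ([int]$s.Value)
      $ok = $true
    }
    New-Object PSObject -Property @{ Setting=$s.Name; Current=$cur; Wanted=$s.Value; Compliant=$ok; Note=$s.Note }
  }
}

# Report first; re-run with -Apply once you are happy with the list.
Test-HardeningBaseline | Format-Table Setting, Current, Wanted, Compliant, Note -AutoSize

# Item 7: log successful and failed logons and credential checks so RDP
# guessing and new admin sessions appear in the Security event log.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
auditpol /set /subcategory:"Credential Validation" /success:enable /failure:enable
auditpol /get /category:"Logon/Logoff","Account Logon"
```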


How do you mean? "Hide your network"....
