Securing windows 2003 std server after compromise

Posted on 2006-03-20
Last Modified: 2010-04-11
Okay, after spending a week or so of trying to track down weird problems with ms-sql-s, among other things, I noticed one of my phpBB boards has been hacked by some nice fella named Bela *mutters*
I don't think it warrants doing a nuke and pave of the server, but since I only have a few clients, who probably would not notice if the server went down for a few hours, I've decided since I'm having other problems I might as well go ahead and do it just to be on the safe side.

Now my question is this: since the server is hosted on a well known dedicated/virtual/colocation datasite, all on the same domain (it is constantly scanned by script kiddies looking for vulns), I would need to be very quick in updating/securing it.

What updates and security fixes should I prioritize, besides Windows Update?
Also, since I'm on a very tight budget, could anyone suggest a free/cheap software firewall that I could use?
I've been hesitant to set one up since it is a remote server; I don't really want to install one and suddenly find I can't log into the server :D
Also, I've been using AVG Free antivirus, cheesy I know, but like I said, tiny tiny tiny budget :D Any suggestions on AV software would be appreciated as well.

Question by:arachnidservice
    LVL 7

    Expert Comment


    I have a few suggestions.

    First, on the firewall side, you may want to enable the firewall on Windows 2003 itself. Be careful not to lock yourself out! It is the same as the Windows XP one and was first introduced in SP1. No bells, no great functionality, but performs as it must.

    Second, you may want to reapply default security on your server. Look at:

    Third, be sure PHP runs on a limited local account, just enough to do the work it has to (Write access only to required directories, and db access as well).


    LVL 19

    Expert Comment

    Windows Firewall is a lot better than nothing, but you could also take a look at whether the free 3rd-party products work on W2003, like the free editions of ZoneAlarm and Sygate. For a free AV scanner AVG is decent; another option might be Avast.

    SoyYop, I don't quite understand why he should revert to the out-of-the-box security configuration? I would rather recommend taking a look at the Windows Server 2003 Security Guide, the Threats and Countermeasures Guide, and using the Security Configuration Wizard coming with 2003 SP1 to secure your server. And as already mentioned, make sure you don't lock yourself out.

    Author Comment

    Well, as far as the firewall goes, I talked to the company I lease the server from, bit the bullet and had them add a Cisco PIX hardware firewall; hopefully it'll turn out to be a good investment.
    Of course, I still need to secure the server :D

    SoyYop mentioned running PHP on a limited local account, just enough to do the work it needs to... not sure how to go about doing this, could you elaborate?

    Author Comment

    Locked myself out..... *bangs head into desk* I was installing the Security Configuration Wizard, and it was configuring the MS SQL service, and the connection dropped; now it won't let me log in... lovely. *picks up the phone*
    LVL 7

    Accepted Solution


    After you get in again, try the following.

    PHP runs under the default IIS account. This account has some privileges, restricted on how far the user (IUSR_COMPUTERNAME or something alike) can go. Every time you load a PHP script, PHP is executed as IUSR_COMPUTERNAME (you may be using PHP as an ISAPI: the only difference is it loads the DLL once when IIS starts, so it is faster).

    First thing to check is the IUSR_... account's group membership. If your computer has been compromised, you may want to check user privileges, too.

    However, you may create a special account (a normal computer account), restrict it to *only* what it has to access, including directories and databases, and run IIS (or the application on 2003) under this account. You will need no less than read privileges on wwwroot/www or whatever your www server is named, plus exec on scripts. Make it an application and configure it in its application pool. Try reading "Configuring Application Pools" in the IIS help.

    You may start testing it by creating another website. Go to Properties, Directory Security, Authentication and access control, Edit. Change the user & password (I assume you are using default anonymous access).

    If you are using SQL Server, give this user the proper privileges (so you don't store the password in plain text) or, if you use database users, try to encrypt the passwords some way...
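    The account set-up the accepted solution describes, as an added PowerShell example that is not part of this thread: it audits the built-in IUSR_ account's group membership, creates a dedicated local account for the PHP site, and grants it read/execute on the site root with write access only on one folder. The account name `phpweb`, the site root `C:\inetpub\wwwroot` and the `uploads` folder are assumptions; the IIS 6 bindings (application pool identity and anonymous user) are still set in IIS Manager as the answer describes.

```powershell
# Added example, not code from the thread. Assumed names: local account 'phpweb',
# site root C:\inetpub\wwwroot, and 'uploads' as the only folder the app may write to.
$User     = 'phpweb'
$SiteRoot = 'C:\inetpub\wwwroot'
$Writable = Join-Path $SiteRoot 'uploads'
$IusrAcct = "IUSR_$env:COMPUTERNAME"

function Get-LocalGroupsOf([string]$Name) {
    # 'net user <name>' prints a "Local Group Memberships" section whose entries
    # are prefixed with '*'. Multi-word group names are cut at the first space,
    # which is enough to spot 'Administrators' or 'Users'.
    $lines = net user $Name 2>$null
    if (-not $lines) { return @() }
    $text = $lines -join "`n"
    if ($text -match '(?s)Local Group Memberships(.*?)Global Group') {
        return [regex]::Matches($Matches[1], '\*(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
    }
    return @()
}

# 1. Audit first: the anonymous web account must never be an administrator.
if ((Get-LocalGroupsOf $IusrAcct) -contains 'Administrators') {
    Write-Warning "$IusrAcct is in Administrators: every PHP script runs with admin rights"
}

# 2. Dedicated worker account: '*' prompts for the password, user cannot change it,
#    password never expires (a scheduled expiry would silently take the site down).
net user $User * /add /passwordchg:no
wmic useraccount where "name='$User'" set PasswordExpires=false

# 3. IIS 6 requires a custom application pool identity to be in IIS_WPG.
net localgroup IIS_WPG $User /add

# 4. Least privilege on disk: read+execute on the whole site (OI/CI = inherit to
#    files and subfolders), modify only on the upload folder. Braces keep
#    PowerShell from reading "$User:" as a scope qualifier.
icacls $SiteRoot /grant "${User}:(OI)(CI)RX"
icacls $Writable /grant "${User}:(OI)(CI)M"

# 5. Confirm the new account picked up nothing beyond Users and IIS_WPG.
Get-LocalGroupsOf $User
```

    After running it, point the site's application pool identity and its anonymous user (Directory Security tab) at `phpweb`, then browse a PHP page to confirm scripts still execute and an upload still lands in `uploads`.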

