Solved

Securing Windows 2003 Std server after compromise

Posted on 2006-03-20
Last Modified: 2010-04-11
Okay, after spending a week or so trying to track down weird problems with ms-sql-s, among other things, I noticed one of my phpBB installs has been hacked by some nice fella named Bela *mutters*
I don't think it warrants doing a nuke and pave of the server, but since I only have a few clients, who probably would not notice if the server went down for a few hours, I've decided that since I'm having other problems I might as well go ahead and do it, just to be on the safe side.

Now my question is this: since the server is hosted at a well-known dedicated/virtual/colocation data site, all on the same domain (secureservers.net), it is constantly scanned by script kiddies looking for vulns, so I would need to be very quick in updating/securing it.

What updates and security fixes should I prioritize, besides Windows Update?
Also, since I'm on a very tight budget, could anyone suggest a free/cheap software firewall that I could use?
I've been hesitant to set one up since it is a remote server; I don't really want to install one and suddenly find I can't log into the server :D
Also, I'm currently using AVG Free antivirus, cheesy I know, but like I said, tiny tiny tiny budget :D Any suggestions on AV software would be appreciated as well.

Thanks!
Question by:arachnidservice
LVL 7

Expert Comment

by:SoyYop
ID: 16241340
Hello,

I have a few suggestions.

First, on the firewall side, you may want to enable the firewall in Windows 2003 itself. Be careful not to lock yourself out! It is the same as Windows XP's and was first introduced with SP1. No bells, no great functionality, but it performs as it must.

Second, you may want to reapply default security on your server. Look at:

http://technet2.microsoft.com/WindowsServer/en/Library/dd766d48-ed09-45a3-aa5e-cf0a64a7fb881033.mspx

Third, be sure PHP runs under a limited local account, with just enough rights to do the work it has to (write access only to required directories, and DB access as well).

Luck,



LVL 19

Expert Comment

by:CoccoBill
ID: 16244877
Windows Firewall is a lot better than nothing, but you could also take a look at whether the free 3rd-party products work on W2003, like the free editions of ZoneAlarm and Sygate. For a free AV scanner AVG is decent; another option might be Avast.

SoyYop, I don't quite understand why he should revert to the out-of-the-box security configuration. I would rather recommend taking a look at the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=14846) and the Threats and Countermeasures Guide (http://go.microsoft.com/fwlink/?LinkId=15159), and using the Security Configuration Wizard (http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx) that comes with 2003 SP1 to secure your server. And as already mentioned, make sure you don't lock yourself out.

Author Comment

by:arachnidservice
ID: 16254214
Well, as far as the firewall goes, I talked to the company I lease the server from, bit the bullet and had them add a Cisco PIX hardware firewall; hopefully it'll turn out to be a good investment.
Of course I still need to secure the server :D

SoyYop mentioned running PHP under a limited local account, just enough to do the work it needs to... not sure how to go about doing this, could you elaborate?

Author Comment

by:arachnidservice
ID: 16254291
Locked myself out..... *bangs head into desk* I was installing the Security Configuration Wizard, it was configuring the MS SQL service, and the connection dropped; now it won't let me log in... lovely. *picks up the phone*
LVL 7

Accepted Solution

by: SoyYop (earned 2000 total points)
ID: 16259961
Oops...

After you get in again, try the following.

PHP runs under the default IIS account. This account has some privileges, restricted in how far the user (IUSR_COMPUTERNAME or something alike) can go. Every time you load a PHP script, PHP is executed as IUSR_COMPUTERNAME (you may be using PHP as an ISAPI module: the only difference is that it loads the DLL once when IIS starts, so it is faster).

First thing to check is the IUSR_... account's group membership. If your computer has been compromised, you may want to check user privileges, too.

However, you may create a special account (a normal computer account), restrict it to *only* what it has to access, including directories and databases, and run IIS (or the application on 2003) under this account. You will need no less than read privileges on wwwroot/www or whatever your www server directory is named, plus execute on scripts. Make it an application and configure it in its own application pool. Try reading "Configuring Application Pools" in the IIS help.

You may start testing it by creating another website. Go to Properties, Directory Security, Authentication and access control, Edit. Change the user & password (I assume you are using default anonymous access).

If you are using SQL Server, give this user the proper privileges (so you don't store the password in plain text) or, if you use database users, try to encrypt the passwords somehow...

Luck,
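The checks SoyYop describes (which account anonymous PHP requests run as, which application pool identity backs the site, and whether that account sits in a privileged local group) can be audited in one pass. The script below is an added example, not part of the original thread; it assumes PowerShell is installed on the Windows Server 2003 host and uses the IIS 6 metabase ADSI provider (IIS://) and the WinNT:// provider, and the list of groups it flags as privileged is a constructed choice.

```powershell
# Added audit script (not from the thread): for every IIS 6 web site on this host,
# show the anonymous (and therefore PHP) account, the application pool identity,
# and flag the anonymous account if it belongs to a privileged local group.
# Assumes the IIS:// metabase provider and WinNT:// provider of Windows Server 2003.

$privilegedGroups = @('Administrators', 'Power Users', 'Backup Operators')  # constructed list

function Get-LocalGroupsOf([string]$account) {
    # The WinNT provider wants a bare user name, so drop any "MACHINE\" prefix.
    $name = $account.Split('\')[-1]
    $user = [ADSI]"WinNT://./$name,user"
    # Groups() is a method of the underlying COM object, hence psbase.Invoke.
    $user.psbase.Invoke('Groups') | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

$w3svc = [ADSI]'IIS://localhost/W3SVC'
foreach ($site in $w3svc.psbase.Children) {
    if ($site.psbase.SchemaClassName -ne 'IIsWebServer') { continue }

    $root     = [ADSI]"IIS://localhost/W3SVC/$($site.psbase.Name)/Root"
    $anonUser = [string]$root.AnonymousUserName.Value
    $poolName = [string]$root.AppPoolId.Value
    $pool     = [ADSI]"IIS://localhost/W3SVC/AppPools/$poolName"

    # AppPoolIdentityType: 0 LocalSystem, 1 LocalService, 2 NetworkService, 3 specific user
    $identity = switch ([int]$pool.AppPoolIdentityType.Value) {
        0 { 'LocalSystem (far too much privilege for a web application)' }
        1 { 'LocalService' }
        2 { 'NetworkService' }
        3 { "custom account: $($pool.WAMUserName.Value)" }
    }

    "Site '$($site.ServerComment.Value)' (id $($site.psbase.Name))"
    "  anonymous/PHP account : $anonUser"
    "  application pool      : $poolName -> $identity"

    $groups = @(Get-LocalGroupsOf $anonUser)
    $bad = $groups | Where-Object { $privilegedGroups -contains $_ }
    if ($bad) {
        "  WARNING: $anonUser is a member of privileged group(s): $($bad -join ', ')"
    } else {
        "  group membership      : $($groups -join ', ')"
    }
}
```

A site that reports a custom account (identity type 3) with membership only in Guests or a dedicated web group is the end state the answer describes; anything listed under WARNING, or a LocalSystem pool, is where to start tightening.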