Securing Windows 2003 Std server after compromise

Okay, after spending a week or so trying to track down weird problems with ms-sql-s, among other things, I noticed one of my phpBB installs has been hacked by some nice fella named Bela *mutters*
I don't think it warrants doing a nuke and pave of the server, but since I only have a few clients, who probably would not notice if the server went down for a few hours, I've decided that since I'm having other problems I might as well go ahead and do it just to be on the safe side.

Now my question is this: since the server is hosted at a well-known dedicated/virtual/colocation data site, all on the same domain (secureservers.net), it is constantly scanned by script kiddies looking for vulns, so I would need to be very quick in updating/securing it.

What updates and security fixes should I prioritize, besides Windows Update?
Also, since I'm on a very tight budget, could anyone suggest a free/cheap software firewall that I could use?
I've been hesitant to set one up since it is a remote server; I don't really want to install one and suddenly find I can't log into the server :D
Also, I've currently been using AVG Free antivirus scan, cheesy I know, but like I said, tiny tiny tiny budget :D Any suggestions on AV software would be appreciated as well.

Thanks!
arachnidservice asked:

SoyYop commented:
Hello,

I have a few suggestions.

First, on the firewall side, you may want to enable the firewall in Windows 2003 itself. Be careful not to lock yourself out! It is the same as in Windows XP and was first introduced with SP1. No bells, no great functionality, but it performs as it must.

Second, you may want to reapply default security on your server. Look at:

http://technet2.microsoft.com/WindowsServer/en/Library/dd766d48-ed09-45a3-aa5e-cf0a64a7fb881033.mspx

Third, be sure PHP runs under a limited local account, with just enough rights to do the work it has to (write access only to required directories, and DB access as well).

Luck,


CoccoBill commented:
Windows Firewall is a lot better than nothing, but you could also take a look at the free 3rd-party products and check whether they work on W2003, like the free editions of ZoneAlarm and Sygate. For a free AV scanner AVG is decent; another option might be Avast.

SoyYop, I don't quite understand why he should revert to the out-of-the-box security configuration. I would rather recommend taking a look at the Windows Server 2003 Security Guide (http://go.microsoft.com/fwlink/?LinkId=14846) and the Threats and Countermeasures Guide (http://go.microsoft.com/fwlink/?LinkId=15159), and using the Security Configuration Wizard (http://www.microsoft.com/windowsserver2003/technologies/security/configwiz/default.mspx) that comes with 2003 SP1 to secure your server. And as already mentioned, make sure you don't lock yourself out.

arachnidservice (author) commented:
Well, as far as the firewall goes, I talked to the company I lease the server from, bit the bullet and had them add a Cisco PIX hardware firewall; hopefully it'll turn out to be a good investment.
Of course I still need to secure the server :D

SoyYop mentioned running PHP under a limited local account, with just enough rights to do the work it needs to... not sure how to go about doing this, could you elaborate?

arachnidservice (author) commented:
Locked myself out..... *bangs head into desk* I was installing the Security Configuration Wizard, and it was configuring the MS SQL service, and the connection dropped; now it won't let me log in... lovely. *picks up the phone*

SoyYop commented:
Oops...

After you get in again, try the following.

PHP runs under the default IIS account. This account has some privileges, restricted in how far the user (IUSR_COMPUTERNAME or something alike) can go. Every time you load a PHP script, PHP is executed as IUSR_COMPUTERNAME (you may be using PHP as an ISAPI: the only difference is that it loads the DLL once when IIS starts, so it is faster).

The first thing to check is the IUSR_... account's group membership. If your computer has been compromised, you may want to check user privileges, too.

However, you may create a special account (a normal computer account), restrict it to *only* what it has to access, including directories and databases, and run IIS (or the application on 2003) under this account. You will need no less than read privileges on wwwroot/www or whatever your www server directory is named, plus exec on scripts. Make it an application and configure it in its own application pool. Try reading "Configuring Application Pools" in the IIS help.

You may start testing it by creating another website. Go to Properties, Directory Security, Authentication and access control, Edit. Change the user & password (I assume you are using default anonymous access).

If you are using SQL Server, give this user the proper privileges (so you don't store the password in plain text) or, if you use database users, try to encrypt the passwords some way...

Luck,
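The dedicated-account setup SoyYop describes above, as an added batch example written for this page (not code from the thread or from Microsoft): it assumes IIS 6 with the site at metabase path W3SVC/1, a web root of C:\inetpub\phpsite with a writable cache subfolder, PHP installed in C:\PHP, and an account named phpsvc; the password is a placeholder to replace before running.

```batch
@echo off
rem Added example, not from the thread. Creates a low-privilege local account,
rem grants it only the NTFS rights the PHP site needs, and makes it the site's
rem IIS 6 anonymous identity so PHP scripts no longer run as IUSR_COMPUTERNAME.
rem Assumed values (change to match your server):
setlocal
set ACCT=phpsvc
set PW=PLACEHOLDER_PASSWORD
set SITE=W3SVC/1
set WEBROOT=C:\inetpub\phpsite
set PHPDIR=C:\PHP
set ADSUTIL=%SystemDrive%\Inetpub\AdminScripts\adsutil.vbs

rem 1. Plain local account: no password changes by the user, never expires,
rem    so the site does not stop working when the password would have lapsed.
net user %ACCT% %PW% /add /passwordchg:no /expires:never /comment:"PHP site worker"
wmic useraccount where name='%ACCT%' set PasswordExpires=false

rem 2. Confirm it sits only in the default Users group (check the
rem    "Local Group Memberships" line of the output); add it to nothing else.
net user %ACCT%

rem 3. NTFS: read-only on the web root and the PHP binaries (/E edits the ACL
rem    instead of replacing it, /T recurses), write (C) only where PHP must
rem    write, e.g. the phpBB cache folder.
cacls %WEBROOT% /E /T /G %ACCT%:R
cacls %PHPDIR%  /E /T /G %ACCT%:R
cacls %WEBROOT%\cache /E /T /G %ACCT%:C

rem 4. Point the site's anonymous access at the new account (this is what
rem    the Directory Security > Edit dialog changes in the GUI).
cscript //nologo %ADSUTIL% SET %SITE%/Root/AnonymousUserName %ACCT%
cscript //nologo %ADSUTIL% SET %SITE%/Root/AnonymousUserPass %PW%

rem 5. Verify the setting took, then restart IIS to pick it up.
cscript //nologo %ADSUTIL% GET %SITE%/Root/AnonymousUserName
iisreset
endlocal
```

Test a page that reads and one that writes (e.g. a phpBB post) afterwards: a 401/403 or a PHP "permission denied" means a directory the site needs was left off the cacls grants, which is the intended failure mode rather than a reason to grant Full Control.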
