
Basic security reinforcement methods for Windows servers (2008,2012)

Meituan Cloud (MOS) provides cloud host servers running the Datacenter edition of Windows Server 2008 R2 and Windows Server 2012 R2. Because Windows servers hold a large market share, more viruses, trojans and other malware target them, and such tools are easy to obtain and require little skill to use. The security of Windows servers therefore deserves particular attention. To use a Windows cloud host safely, we recommend applying the following simple hardening measures. Simple as they are, they are enough to defend against most common security risks.

1. Set a strong password

  Meituan Cloud Windows servers are created with an administrator (Administrator) account and an automatically generated 12-character random password. Change this password immediately after your first login to the Windows server. The new password should be as random as possible, contain digits, uppercase and lowercase letters and special symbols, and be at least 12 characters long. You can use a tool such as https://identitysafe.norton.com/password-generator to generate a strong random password. Change the password at least every 3 months.

  The way to change the password is: after the administrator has logged in to the host, press Ctrl-Alt-Delete and select "Change Password". (Tip: when logged in through the Meituan Cloud Web Terminal, click the "Ctrl-Alt-Delete" button in the upper right corner to send the key combination.)
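As an added example (not from the original article or from Meituan Cloud), the following PowerShell script generates a password that satisfies the rules above using the operating system's cryptographic random number generator, checks it against those rules, and then enforces the 12-character minimum and the 3-month rotation for local accounts with the built-in `net accounts` tool. The length of 16 and the exact symbol set are assumptions; the article only requires 12 characters and all four character classes.

```powershell
# Added example: generate and check a strong random password (not from the original article).
# Works on the PowerShell 2.0 that ships with Windows Server 2008 R2 and on later releases.

function Get-RandomIndex {
    # Uniform index in [0, Count) from a CSPRNG, with rejection sampling so that
    # the modulo does not bias the result toward low indices.
    param([System.Security.Cryptography.RandomNumberGenerator]$Rng, [int]$Count)
    $buf   = New-Object byte[] 1
    $limit = 256 - (256 % $Count)
    do { $Rng.GetBytes($buf) } while ($buf[0] -ge $limit)
    return [int]($buf[0] % $Count)
}

function New-StrongPassword {
    param([int]$Length = 16)                     # 16 is an assumption; the article's minimum is 12
    if ($Length -lt 12) { throw 'Minimum length is 12 characters' }

    # The character classes the article requires. Look-alike characters (l, I, O, 0, 1)
    # are left out so the password can be read back from the console without mistakes.
    $classes = @('abcdefghijkmnopqrstuvwxyz',
                 'ABCDEFGHJKLMNPQRSTUVWXYZ',
                 '23456789',
                 '!@#$%^&*()-_=+[]{};:,.?')
    $all = -join $classes
    $rng = New-Object System.Security.Cryptography.RNGCryptoServiceProvider

    $chars = New-Object System.Collections.ArrayList
    # One character from every class guarantees the required mix ...
    foreach ($class in $classes) {
        [void]$chars.Add($class[(Get-RandomIndex -Rng $rng -Count $class.Length)])
    }
    # ... the remaining positions are drawn from the whole pool ...
    while ($chars.Count -lt $Length) {
        [void]$chars.Add($all[(Get-RandomIndex -Rng $rng -Count $all.Length)])
    }
    # ... and a Fisher-Yates shuffle hides which positions came from which class.
    for ($i = $chars.Count - 1; $i -gt 0; $i--) {
        $j = Get-RandomIndex -Rng $rng -Count ($i + 1)
        $tmp = $chars[$i]; $chars[$i] = $chars[$j]; $chars[$j] = $tmp
    }
    return -join $chars
}

function Test-StrongPassword {
    # The article's rule set: at least 12 characters and all four character classes present.
    param([string]$Password)
    return (($Password.Length -ge 12) -and ($Password -cmatch '[a-z]') -and
            ($Password -cmatch '[A-Z]') -and ($Password -match '[0-9]') -and
            ($Password -match '[^a-zA-Z0-9]'))
}

$pw = New-StrongPassword -Length 16
if (-not (Test-StrongPassword -Password $pw)) { throw 'Generated password failed the check' }
Write-Host "New password (set it via Ctrl-Alt-Delete > Change Password): $pw"

# Enforce the article's policy for local accounts on this host: passwords expire
# after 90 days (about 3 months) and must be at least 12 characters long.
net accounts /maxpwage:90 /minpwlen:12
```

Run it from an elevated prompt, since `net accounts` changes the local account policy. The rejection-sampling helper matters more than it looks: a plain `byte % poolLength` would make the first few characters of each pool slightly more likely, which is exactly the kind of bias a password generator should not have.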

2. Enable automatic system updates

  All Meituan Cloud Windows servers are genuinely licensed, so the Windows Update service can be enabled to patch system vulnerabilities automatically before malicious attackers exploit them to break into the server. Follow the steps below to check whether automatic updates are enabled; if not, we recommend enabling them.

  Windows Server 2008

  Click the "Server Manager" icon on the taskbar, click "Configure Updates" in the right pane, and in the dialog box that appears select "Install updates automatically".

  Windows Server 2012

  Click the "Server Manager" icon on the taskbar to open the Server Manager dashboard, click "Configure this local server", click the link after "Windows Update", in the pop-up window, if automatic updates are not enabled, a warning as shown in the figure will be displayed, click "Enable automatic updates".
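The same check done from a script, as an added example that is not part of the original article: it reads the Automatic Updates setting through the Windows Update Agent COM object (`Microsoft.Update.AutoUpdate`), switches it to fully automatic installation when it is anything else, and makes sure the Windows Update service (`wuauserv`) starts with the system. The one caveat a practitioner hits in real estates is covered: when the setting comes from Group Policy the agent reports it as read-only and it cannot be changed locally.

```powershell
# Added example (not from the original article): query and, if necessary, enable
# Automatic Updates through the Windows Update Agent COM object. Run from an
# elevated PowerShell prompt on the server.

$au = New-Object -ComObject Microsoft.Update.AutoUpdate

# AutomaticUpdatesNotificationLevel values used by the agent.
$levels = @{ 0 = 'Not configured'; 1 = 'Disabled'; 2 = 'Notify before download';
             3 = 'Notify before installation'; 4 = 'Scheduled installation (fully automatic)' }

$level = [int]$au.Settings.NotificationLevel
Write-Host ('Automatic Updates level : {0} ({1})' -f $level, $levels[$level])
Write-Host ('Last successful install : {0}' -f $au.Results.LastInstallationSuccessDate)
Write-Host ('Last successful search  : {0}' -f $au.Results.LastSearchSuccessDate)

if ($level -ne 4) {
    if ($au.Settings.ReadOnly) {
        # Group Policy owns the setting; it has to be changed in the policy, not here.
        Write-Warning 'Automatic Updates is controlled by policy and cannot be changed locally.'
    } else {
        $au.Settings.NotificationLevel = 4
        $au.Settings.Save()
        Write-Host 'Automatic Updates set to install updates automatically.'
    }
}

# Make sure the Windows Update service itself starts with the system, then trigger a detection
# so that any patches missed while updates were off are found right away.
Set-Service -Name wuauserv -StartupType Automatic
Start-Service -Name wuauserv
$au.DetectNow()
```

The "last successful install" date is worth keeping an eye on even after automatic updates are on: a server whose date stops moving for weeks is silently falling behind on patches.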

3. Enable the firewall

  Meituan Cloud already provides a firewall service. If you are using a Meituan Cloud host, you can configure this firewall from the Meituan Cloud control panel. It is implemented by the cloud platform outside the virtual machine and is relatively simple and easy to use. If its functions meet your needs, we recommend disabling the built-in Windows firewall; otherwise, refer to the following to set up the built-in Windows firewall.

  (Tip: to avoid conflicts between the built-in Windows firewall and the cloud platform's firewall, after enabling the built-in Windows firewall please set the cloud platform's firewall to "Open".)

  If the Windows server has purchased public network bandwidth, it has a network card with a public IP address connected to the Internet. Users reach the services deployed on the host through this IP address, but malicious attackers may also exploit system vulnerabilities through the same public IP to break into your server. Besides enabling automatic updates to patch system vulnerabilities promptly, we therefore recommend enabling the Windows server firewall to reduce the number of ports exposed directly to the public network, and with it the risk from dangerous ports being reachable from outside. For remote desktop (TCP 3389) and other ports used for management, it is best to configure an IP whitelist of the addresses allowed to connect, to minimize the risk of malicious scanning.

  (Tip: configure the firewall through the Web Terminal of the Meituan Cloud console, so that a misconfiguration made during the process cannot cut off your remote desktop connection.)

The steps to enable Windows Firewall are as follows:

  Windows Server 2008

  Click the "Server Manager" icon on the taskbar, click "Go to Windows Firewall" in the right pane, right-click "Windows Firewall with Advanced Security" in the tree on the left, select the "Public Profile" tab in the dialog box that opens, confirm that "Firewall state" is "On", and click "OK" to close the dialog box.

  After enabling the firewall, make sure remote desktop access is still allowed so that your connection is not affected:

  In the tree on the left, expand "Windows Firewall with Advanced Security", click "Inbound Rules", and check whether "Remote Desktop (TCP-In)" is enabled. If it is not, select the rule and click "Enable Rule" on the right.

  Windows Server 2012

  Click the "Server Manager" icon on the taskbar to open the Server Manager dashboard, click "Configure this local server", then click the link after "Windows Firewall". In the window that opens, click "Turn Windows Firewall on or off" in the left pane. In the dialog box, make sure "Turn on Windows Firewall" is selected under "Public network settings" and that the two checkboxes below it are not checked. Click "OK" to close the dialog box.

  Similarly, after enabling the firewall, make sure remote desktop access is allowed:

  In the "Windows Firewall" window, click "Advanced settings" to open "Windows Firewall with Advanced Security", select "Inbound Rules" in the left pane, and in the rule list in the middle find the "Remote Desktop - User Mode (TCP-In)" rule whose "Profile" is "Public". If it is not enabled, select the rule and click "Enable Rule" on the right.

  If the IIS role is installed, the system automatically installs and enables inbound rules allowing ports 80 (HTTP) and 443 (HTTPS), so no special configuration is needed. If a third-party web server such as LAMP is installed, inbound rules allowing access to ports 80 and 443 must be created manually. The procedure is the same on 2008 and 2012:

  In the firewall's "Inbound Rules" view, click "New Rule..." on the right. In the wizard, select "Port" and click "Next". Under "Does this rule apply to TCP or UDP?" select "TCP"; under "Does this rule apply to all local ports or specific local ports?" select "Specific local ports" and enter "80, 443" in the box. Click "Next", select "Allow the connection", click "Next", check all the profile checkboxes, click "Next", enter "Web service" as the name, and click "Finish".
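The whole firewall procedure above as one script, added here as an example that is not from the original article or from Meituan Cloud. It uses `netsh advfirewall`, which exists on both Windows Server 2008 R2 and 2012 R2, so it runs where the newer NetSecurity PowerShell cmdlets do not. It goes a little beyond the clicks described: it also applies the IP whitelist the article recommends for remote desktop, and it enables all three profiles rather than only Public, which also covers a network card that Windows has classified as Private or Domain. The management address 203.0.113.10 is a placeholder from the documentation address range and must be replaced with your own; the rule names are the built-in ones on each release. Run it from the Web Terminal, as the tip above suggests, and from an elevated prompt.

```powershell
# Added example (not from the original article): enable Windows Firewall, scope the
# Remote Desktop rule to a management whitelist, and allow the web ports, using netsh
# so the same script runs on Windows Server 2008 R2 and 2012 R2. Run elevated.

$AdminIPs = '203.0.113.10'   # ASSUMPTION: your management address(es), comma-separated

# 1. Fix up the Remote Desktop rule BEFORE turning the firewall on, so the session
#    used to run this script cannot be cut off by the change. The built-in rule is
#    named differently on the two releases, so both names are tried.
$rdpRules = @('Remote Desktop (TCP-In)',              # Windows Server 2008 R2
              'Remote Desktop - User Mode (TCP-In)')  # Windows Server 2012 R2
foreach ($rule in $rdpRules) {
    $existing = netsh advfirewall firewall show rule "name=$rule"
    if ($existing -match '^Rule Name:') {
        # enable=yes is the "Enable Rule" click; remoteip is the whitelist of allowed sources.
        netsh advfirewall firewall set rule "name=$rule" new enable=yes "remoteip=$AdminIPs"
    }
}

# 2. Inbound rule for a third-party web server (IIS creates its own). Added only once.
$web = netsh advfirewall firewall show rule "name=Web service"
if (-not ($web -match '^Rule Name:')) {
    netsh advfirewall firewall add rule "name=Web service" dir=in action=allow protocol=TCP localport=80,443 profile=any
}

# 3. Turn the firewall on with a default-deny inbound policy. The article enables the
#    Public profile; enabling every profile also covers a NIC classified differently.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

# 4. Show what was applied so the result can be checked before the session is closed.
netsh advfirewall show allprofiles state
foreach ($rule in ($rdpRules + 'Web service')) {
    netsh advfirewall firewall show rule "name=$rule" | Select-String 'Rule Name|Enabled|Profiles|RemoteIP|LocalPort'
}
```

The ordering is the point of the script: the remote desktop rule is enabled and scoped first, the web rule is added second, and only then is the firewall switched on, so at no moment is the administrator's own session blocked. `netsh` prints "No rules match the specified criteria." for a rule name that does not exist on the release in use; that is expected, since only one of the two remote desktop names is present on any given server.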

4. Enable IE Enhanced Security Configuration

  Once IE Enhanced Security Configuration is enabled, Internet Explorer on the server can only reach websites on its whitelist. This effectively prevents an administrator from accidentally visiting a malicious site from the server and infecting it with a virus or trojan. The setting is enabled by default; if it is not, we recommend enabling it. The method is:

  Windows Server 2008

  Click the "Server Manager" icon on the taskbar, click "Configure IE ESC" in the right pane of the window, and turn the feature on or off in the dialog box.

  Windows Server 2012

  Click the "Server Manager" icon on the taskbar to open the Server Manager dashboard, click "Configure this local server", click the link after "IE Enhanced Security Configuration", and turn the feature on or off in the dialog box.
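A scripted check of the same setting, added as an example that is not from the original article: Server Manager stores the IE ESC state for administrators and for other users as the `IsInstalled` value under two Active Setup component keys in the registry, and the script reads both and turns the feature back on where it is off, which is useful when auditing many hosts rather than clicking through each one.

```powershell
# Added example (not from the original article): read the IE Enhanced Security
# Configuration state for administrators and for other users from the registry,
# and turn it back on where it is off. Run elevated.

$base  = 'HKLM:\SOFTWARE\Microsoft\Active Setup\Installed Components'
$ieesc = @{
    'Administrators' = "$base\{A509B1A7-37EF-4b3f-8CFC-4F3A74704073}"   # IE ESC for administrators
    'Users'          = "$base\{A509B1A8-37EF-4b3f-8CFC-4F3A74704073}"   # IE ESC for all other users
}

foreach ($group in $ieesc.Keys) {
    $key   = $ieesc[$group]
    $state = (Get-ItemProperty -Path $key -Name IsInstalled -ErrorAction SilentlyContinue).IsInstalled
    if ($state -eq 1) {
        Write-Host "IE ESC for $group : On"
    } else {
        Write-Host "IE ESC for $group : Off, enabling"
        Set-ItemProperty -Path $key -Name IsInstalled -Value 1 -Type DWord
    }
}
# The change applies to new Internet Explorer sessions; Server Manager's
# "Configure IE ESC" dialog shows the same On/Off state afterwards.
```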

5. Install and enable antivirus software

  In addition, installing real-time antivirus software further hardens the server. Should malware get past the four layers of defense above and onto the cloud host, real-time antivirus software can stop it from running there, keeping the cloud host secure.

  Windows Security Essentials is free antivirus software from Microsoft, developed for Windows 7 and Vista, which can also be used to protect Windows Server 2008 R2 Datacenter Edition.

  Installation is straightforward: download the installer from the link above, run it, and follow the wizard step by step.

  For Windows Server 2012 Datacenter Edition there are few (free) antivirus options. Currently you can apply for a trial of System Center 2012 R2 Configuration Manager and install the antivirus client that ships with it, System Center Endpoint Protection.

  The installation method is:

  After downloading the package (currently SC2012_R2_SCCM_SCEP.exe), extract it and open the SMSSETUP/CLIENT directory.

  Double-click scepinstall and follow the prompts to install System Center Endpoint Protection step by step.

Screaming Tutorial editor's recommendation for stand-alone servers: McAfee 8.8

6. Reasonable service deployment architecture

  Finally, a reasonable service deployment architecture reduces the points of exposure of the whole Windows server site and raises the bar for attackers. The principles to follow are:

  Single-role principle: one cloud server host does one thing and provides one service. For example, the database runs on one server and the web server on another. This makes it easier to judge precisely whether a given server needs a public address and which ports it needs to open, so that public addresses and open ports, and with them the risk points, are kept to a minimum. A database server, for instance, generally needs no public address, so no public bandwidth needs to be purchased, which saves cost and is also more secure. A web server generally opens only ports 80/443; all other ports can be closed through the firewall.

  Minimality principle: do not enable services and features that can be disabled, install as little software as possible, make sure ports that can stay closed are not opened, and do not purchase public bandwidth for hosts that do not serve the public network. Following minimalism saves energy and is environmentally friendly, and it also reduces security risk.
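Both principles come down to one measurable question: what is this host actually listening on, and does each listener belong to its single role? The following script, added as an example that is not from the original article, answers it for TCP: it lists every listening port, the process behind it, and whether it is bound to a non-loopback address, then flags anything reachable from the network that is not in the role's allowed list. The allowed list of 80 and 443 is the article's web-server case and is an assumption for any other role; `netstat` is parsed rather than calling `Get-NetTCPConnection` so that the script also runs on Windows Server 2008 R2.

```powershell
# Added example (not from the original article): audit which TCP ports this host is
# listening on, which process owns each, and whether any port beyond the host's role
# is reachable from the network. netstat is used instead of Get-NetTCPConnection so
# that the script also runs on Windows Server 2008 R2.

$AllowedPorts = @(80, 443)   # ASSUMPTION: this host's single role is "web server"

function Get-TcpListeners {
    netstat -ano | Where-Object { $_ -match '^\s*TCP\b.*\bLISTENING\b' } | ForEach-Object {
        $fields = $_.Trim() -split '\s+'              # Proto, Local Address, Foreign Address, State, PID
        $addr, $port = $fields[1] -split ':(?=\d+$)'  # split on the last colon (also handles [::]:port)
        $procId = [int]$fields[4]
        $proc = Get-Process -Id $procId -ErrorAction SilentlyContinue
        New-Object PSObject -Property @{
            Port     = [int]$port
            Address  = $addr
            PID      = $procId
            Process  = $(if ($proc) { $proc.ProcessName } else { '(unknown)' })
            # Loopback-only listeners cannot be reached from the network.
            External = ($addr -ne '127.0.0.1') -and ($addr -ne '[::1]')
        }
    }
}

$listeners = Get-TcpListeners | Sort-Object Port, Address
$listeners | Format-Table Port, Address, PID, Process, External -AutoSize

# Anything externally reachable that is not part of this host's role is a candidate
# for closing: stop and disable the service behind it, or block the port in the firewall.
$unexpected = $listeners | Where-Object { $_.External -and ($AllowedPorts -notcontains $_.Port) }
if ($unexpected) {
    $ports = ($unexpected | ForEach-Object { $_.Port } | Sort-Object -Unique) -join ', '
    Write-Warning "Ports reachable from the network beyond this host's role: $ports"
} else {
    Write-Host 'Only the expected ports are reachable from the network.'
}
```

On a freshly built Windows server the warning usually lists the SMB and RPC ports (445, 135 and the dynamic RPC range) and 3389 for remote desktop; the article's guidance applies directly: keep 3389 restricted to the management whitelist, and block or disable the rest unless the role needs them.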
