5

I'm in the process of re-configuring and securing a server for the small company that I work for. We use it to store design files and other data with Autodesk Vault. It's running on a VPS from a server provider close by.

The reason I'm doing this is that we've been notified by our server provider that they receive complaints about our server misbehaving on the internet, indicating it is compromised to some extent. We haven't noticed any problems other than that. The server was originally set up before I came to the company, and I could not find any documentation about its configuration. It was also running Windows Server 2012, so I decided to start afresh with a new VPS running Windows Server 2019. This is the first time I'm working with Windows as a server OS, but I have some experience of managing Ubuntu servers.

Looking in Event Viewer on the old server, there are endless "4625 Audit Failure" logon attempts to the server, but also quite a few successful logins that do not originate from me or our organization. Example of a 4624 Audit Success:

An account was successfully logged on.

Subject:
    Security ID:        NULL SID
    Account Name:       -
    Account Domain:     -
    Logon ID:       0x0

Logon Type:         3

Impersonation Level:        Impersonation

New Logon:
    Security ID:        ANONYMOUS LOGON
    Account Name:       ANONYMOUS LOGON
    Account Domain:     NT AUTHORITY
    Logon ID:       0x9ABEAB7
    Logon GUID:     {00000000-0000-0000-0000-000000000000}

Process Information:
    Process ID:     0x0
    Process Name:       -

Network Information:
    Workstation Name:   
    Source Network Address: 117.45.167.129
    Source Port:        11949

Detailed Authentication Information:
    Logon Process:      NtLmSsp 
    Authentication Package: NTLM
    Transited Services: -
    Package Name (NTLM only):   NTLM V1
    Key Length:     0

So, to harden the new server I've done the following:

  • Chosen a much more secure password than before
  • Installed IPBan (https://github.com/DigitalRuby/IPBan) which blocks IPs that fail login attempts using various services
  • Disabled NTLM login, as per the recommendations from IPBan installation guide

I would like to block all possible routes of access by only allowing Autodesk Vault, which communicates over HTTP(S) at port 80/443 (I'll likely configure it so that only HTTPS is allowed), and remote desktop, which I need to manage the server. But looking at the Windows Defender Firewall default rules, there are tons of open ports as default configuration. I find this a bit strange on a server OS - I want it to block everything that I don't explicitly allow. Can I safely disable all of these except RDP and HTTPS? Does it help? Have I missed something else obvious in my server hardening procedure? Screenshot of allowed services in Windows Defender Firewall

Have a good weekend!
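An added detection example (not part of the original question) for the pattern shown in the quoted 4624 event: it reads the Security log with Get-WinEvent, keeps only successful network logons (type 3) by ANONYMOUS LOGON that were negotiated with NTLM V1 from a non-local address, and groups them by source IP. The function name, the default 7-day window and the ignored local addresses are assumptions.

```powershell
# Added example (not from the original question): summarise successful (4624) network logons
# that look like the ANONYMOUS LOGON / NTLM V1 entry quoted above, grouped by source address.
# Assumes it is run in an elevated PowerShell on the Windows host whose Security log you inspect.
function Get-AnonymousNtlmLogon {
    param(
        [datetime]$Since = (Get-Date).AddDays(-7),            # assumed default window
        [string[]]$IgnoreAddress = @('-', '127.0.0.1', '::1')  # local/no-address entries
    )

    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Read the EventData fields from the event XML instead of scraping the message text
        $xml  = [xml]$ev.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

        $isNetwork   = $data['LogonType'] -eq '3'
        $isAnonymous = $data['TargetUserName'] -eq 'ANONYMOUS LOGON'
        $isNtlmV1    = $data['LmPackageName'] -eq 'NTLM V1'
        $isRemote    = $IgnoreAddress -notcontains $data['IpAddress']

        if ($isNetwork -and $isAnonymous -and $isNtlmV1 -and $isRemote) {
            [pscustomobject]@{
                Time          = $ev.TimeCreated
                SourceAddress = $data['IpAddress']
                SourcePort    = $data['IpPort']
                Package       = $data['LmPackageName']
                LogonProcess  = "$($data['LogonProcessName'])".Trim()   # e.g. 'NtLmSsp'
            }
        }
    }
}

# Group by source address so the few hosts responsible for many logons stand out
Get-AnonymousNtlmLogon |
    Group-Object SourceAddress |
    Sort-Object Count -Descending |
    Select-Object Count, Name,
        @{ n = 'LastSeen'; e = { ($_.Group | Measure-Object Time -Maximum).Maximum } } |
    Format-Table -AutoSize
```

Any non-empty result on a server that should only be reached over HTTPS and RDP is worth treating as a sign of the unwanted NTLM access the question describes.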

2 Answers

7

First of all, reinstall the server, because:

  1. This one might be compromised and can't be trusted anymore.
  2. Windows is secure by default, and maybe someone lowered the security settings of your server; hard to tell if there is no documentation.

You can take a look at this canonical question: How do I deal with a compromised server?

Check the Windows Security Baselines too, Microsoft updates them regularly.

About the firewall rules, you can export them first:

Export firewall policy

If you don't need RDP, remote management, remote PowerShell, etc., it's safe to disable or delete the default rules (ensure you can access the VM console first; if you remove everything you won't be able to connect using RDP) and create the rules that you need.

3
  • 3
    I must concur. I checked the IP address in question on abuseipdb.com, and it's definitely a malicious player with a nice "Confidence of Abuse" level of 92%. This server is compromised. Please reinstall and check all data to be migrated/restored for viruses, malware and other nasty software.
    – OnkelJ
    May 15, 2020 at 19:47
  • Thanks a lot for your reply! I wasn't fully clear in the question, I did reinstall the server, or rather I set up a new VPS at our hosting provider. RDP would be nice to keep, but maybe not strictly necessary as I can access the server through our hosting provider's online portal, with a browser client. But about the firewall exceptions, can/should I block all the other services except HTTPS? That they're allowed by default makes me think that there's good reason to, but maybe that reason is convenience for the user. May 17, 2020 at 5:55
  • @FelixEriksson A lot of servers are managed remotely, and the default rules allow that. You can remove them if you don't want to manage Windows remotely, etc. Additionally, when you install a new role, like IIS for example, Windows will create corresponding rules in the firewall to allow the webserver to be reachable.
    – Swisstone
    May 17, 2020 at 10:16
0

It is possible to disable quite a few of the services that are allowed through the firewall by default, without affecting the capability of hosting an Autodesk Vault server. I disabled those that I was sure that I didn't need - it's probably possible to disable quite a few more, with some research and/or trial-and-error.

Referring to the list of services allowed through the firewall by default, at the end of the question, here's a list of services that I didn't disable. All the others from the original list are disabled, without any noticeable side effects. I also disable remote desktop, and temporarily re-enable it when I want to work with the server.

List of services allowed on Autodesk Vault server
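An added example (not from either answer) that carries out the procedure both answers describe: export the current firewall policy as a fallback, switch every profile to default-deny inbound, disable all enabled inbound rules outside the groups you intend to keep, and add one explicit rule for the Vault web service on 443. The backup path, the rule name and the choice to keep the 'Remote Desktop' and 'Core Networking' groups are assumptions; Core Networking is kept because it carries DHCP and ICMPv6, which a VPS usually still needs.

```powershell
# Added example (not from either answer): snapshot the firewall policy, then reduce the inbound
# surface to RDP + HTTPS as discussed above. Run in an elevated PowerShell on the server, with a
# console session open through the hosting portal first, in case the RDP rule is lost.
$Backup     = 'C:\FirewallBackup\before-hardening.wfw'    # constructed path
$KeepGroups = @('Remote Desktop', 'Core Networking')      # assumed groups to keep
$VaultRule  = 'Autodesk Vault (HTTPS)'                    # assumed rule name

# 1. Export the full policy so every default rule can be restored with `netsh advfirewall import`.
New-Item -ItemType Directory -Path (Split-Path $Backup) -Force | Out-Null
netsh advfirewall export $Backup | Out-Null

# 2. Default-deny inbound on all profiles; outbound stays allowed so updates still work.
Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
    -DefaultInboundAction Block -DefaultOutboundAction Allow

# 3. Disable every enabled inbound rule that is not in a group we want to keep.
Get-NetFirewallRule -Direction Inbound -Enabled True |
    Where-Object { $_.DisplayGroup -notin $KeepGroups -and $_.DisplayName -ne $VaultRule } |
    Disable-NetFirewallRule

# 4. One explicit rule for the Vault web service on 443 (port 80 deliberately left closed).
if (-not (Get-NetFirewallRule -DisplayName $VaultRule -ErrorAction SilentlyContinue)) {
    New-NetFirewallRule -DisplayName $VaultRule -Direction Inbound -Protocol TCP `
        -LocalPort 443 -Action Allow -Profile Any | Out-Null
}

# 5. Review what is still reachable: enabled inbound allow rules with their ports.
Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    ForEach-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        [pscustomobject]@{
            Rule = $_.DisplayName; Group = $_.DisplayGroup
            Protocol = $pf.Protocol; Port = $pf.LocalPort
        }
    } | Sort-Object Group, Rule | Format-Table -AutoSize
```

Step 5 is the check to compare against the screenshot in the question: anything listed there that you did not intend to keep is still exposed.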
