Microsoft Windows Server Network Security

Windows servers provide various types of services for enterprises. In many cases, servers either directly or indirectly enable enterprise applications to access shared data to support business functions. While compromising a workstation may open a door into an organization’s secure network, compromising a server will likely allow an attacker to get even closer to sensitive or confidential data.

Although each layer of security is important to the overall security of your organization’s data, you should view server security controls as even more crucial. The controls you place on server computers will only act as obstacles for attackers that have already found ways to defeat outer layers of controls. It is likely any attacker who has made it this far is sophisticated and skilled. You must carefully design, deploy, and monitor controls for servers in your network to increase the likelihood that you’ll stop an attack before it compromises the data you’re trying to protect.

Authentication and Authorization

All three of the C-I-A triad properties of data security depend on the positive identification of an authorized user. Your servers inside your organization’s secure network should require specific user accounts to use any service. You may allow anonymous users or shared user accounts to access some resources, such as generic webpages or public file downloads, but these servers should reside in the DMZ and not in your secure network.

Inside the secure network, you should authenticate all computers and users before processing resource access requests. Windows uses Kerberos by default to provide a secure method to establish two-way authentication. This level of authentication assurance provides protection from eavesdropping and from certain types of replay attacks. In a replay attack, an attacker intercepts authentication messages; unless the network protects against this, the attacker can later replay those messages to log on again. It is similar to your web browser storing your password to a website, except that in this case the attacker is storing someone else’s password. Kerberos gives both sides of a network conversation the assurance that the other party is who it claims to be.

Carefully examine each server’s role to ensure that no unnecessary services are running. For the services you are running, make sure you have defined access control lists (ACLs) for all authorized users and all protected resources. Apply the principle of least privilege for all users. Use Group Policy Objects (GPOs) as much as possible to standardize security settings.

Malicious Software Protection

Servers are vulnerable to malware just like workstations. You must install antivirus and anti-spyware software on each Windows server on your network. As with workstations, be sure to update both the software and signature databases frequently. Check for updated software and signature databases daily for server computers.

Use Group Policy to enforce this requirement on servers as well as for workstations. You should also create a schedule to scan each server for malicious software. Your scan schedule depends on the services and data on any server, but weekly scans should be the minimum frequency. Scheduled scans, along with active anti-malware software, will help you to maintain as clean an environment as possible for your servers.
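The following is an added example, not from the textbook, showing how the daily signature check and weekly scan policy described above can be enforced and then audited with the Microsoft Defender Antivirus cmdlets that ship with Windows Server. The policy values (24-hour update interval, full scan every Sunday at 02:00, scan no older than 7 days) are assumptions chosen to match the text.

```powershell
# Added example (not the textbook's code). Enforces and audits the
# anti-malware baseline from the text using Microsoft Defender Antivirus.
#Requires -RunAsAdministrator

# Enforce: check for signatures every 24 hours, full scan weekly (Sunday 02:00).
Set-MpPreference -SignatureUpdateInterval 24 `
                 -ScanParameters FullScan `
                 -ScanScheduleDay Sunday `
                 -ScanScheduleTime 02:00:00

function Test-ServerAntiMalwareBaseline {
    # Returns one row per control plus an overall verdict, so the result can
    # be collected from many servers and compared against the baseline.
    param(
        [int]$MaxSignatureAgeDays = 1,   # assumed: "check daily"
        [int]$MaxFullScanAgeDays  = 7    # assumed: "weekly scans minimum"
    )
    $status = Get-MpComputerStatus
    $pref   = Get-MpPreference

    # ScanScheduleDay: 0 = every day, 1-7 = Sunday..Saturday, 8 = never.
    # ScanParameters: 1 = quick scan, 2 = full scan.
    $checks = [ordered]@{
        'Real-time protection enabled' = [bool]$status.RealTimeProtectionEnabled
        'Antivirus signatures fresh'   = $status.AntivirusSignatureAge   -le $MaxSignatureAgeDays
        'Antispyware signatures fresh' = $status.AntispywareSignatureAge -le $MaxSignatureAgeDays
        'Full scan within window'      = $status.FullScanAge -le $MaxFullScanAgeDays
        'Weekly full scan scheduled'   = ($pref.ScanParameters -eq 2) -and ($pref.ScanScheduleDay -ne 8)
    }

    $rows = foreach ($name in $checks.Keys) {
        [pscustomobject]@{ Server = $env:COMPUTERNAME; Control = $name; Pass = $checks[$name] }
    }
    $rows
    [pscustomobject]@{ Server = $env:COMPUTERNAME; Control = 'OVERALL'; Pass = -not ($rows.Pass -contains $false) }
}

Test-ServerAntiMalwareBaseline | Format-Table -AutoSize
```

A server that has never completed a full scan reports a very large FullScanAge, so the "within window" control fails rather than passing by accident.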

Network Traffic Filtering

Firewalls protect services running on servers by filtering out suspicious traffic that attackers could use to compromise servers. The success of your firewall depends on its rules and its location. You can use stand-alone firewalls to filter traffic before it reaches a server, or you can run firewalls on the servers themselves.

Either option has advantages and disadvantages. Stand-alone firewalls relieve some of the workload from your servers. The firewall device processes firewall rules and forwards only approved traffic. The server never sees traffic that does not match your firewall rules. The disadvantages of stand-alone firewalls include additional administrative workload, since stand-alone firewalls are separate devices, and additional hardware cost.

Firewalls that are integrated with servers have advantages and disadvantages. First, Microsoft’s firewall uses the familiar MMC interface for administration. You can also use GPOs to enforce standard rules across multiple servers. Microsoft’s firewall also comes with Windows Server operating systems and does not require an additional license or hardware purchase. The main disadvantage is that an embedded firewall adds to the server’s workload. The server must examine all network traffic to apply its filtering rules. Another disadvantage is that since a firewall is a program, it can have vulnerabilities that attackers may be able to exploit. An attacker who compromises a server firewall may be able to gain access to protected resources on that server.

Regardless of the type of firewall, set up rules to allow only valid traffic for the specific server functions you define. Deny, and potentially log, all other traffic.
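As an added example (not from the textbook), here is what the "allow only defined server functions, deny and log everything else" rule set looks like on Windows Defender Firewall for a file server, using the built-in NetSecurity cmdlets. The client subnet 10.10.0.0/16 and the management host 10.10.5.10 are assumed placeholder values.

```powershell
# Added example (not the textbook's code): default-deny inbound baseline for
# a file server role. Adding -PolicyStore 'domain\GPO name' to each cmdlet
# writes the same settings into a GPO instead of the local policy store.
#Requires -RunAsAdministrator

$InternalNet = '10.10.0.0/16'   # assumed client subnet
$AdminHost   = '10.10.5.10'     # assumed management host

# 1. Block all inbound traffic by default on every profile and log the drops.
Set-NetFirewallProfile -Profile Domain,Private,Public `
    -Enabled True `
    -DefaultInboundAction Block `
    -DefaultOutboundAction Allow `
    -LogBlocked True `
    -LogFileName '%SystemRoot%\System32\LogFiles\Firewall\pfirewall.log' `
    -LogMaxSizeKilobytes 32767

# 2. Allow only the traffic this role needs, scoped to where it should come from.
New-NetFirewallRule -DisplayName 'FS-SMB-In' -Direction Inbound `
    -Protocol TCP -LocalPort 445 -RemoteAddress $InternalNet `
    -Profile Domain -Action Allow -Enabled True

New-NetFirewallRule -DisplayName 'FS-RDP-Admin-In' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress $AdminHost `
    -Profile Domain -Action Allow -Enabled True

# 3. Audit: report every enabled inbound allow rule that is not scoped to a
#    remote address. An unscoped allow is the usual way a baseline drifts.
function Get-UnscopedInboundAllowRule {
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
        ForEach-Object {
            $remote = ($_ | Get-NetFirewallAddressFilter).RemoteAddress
            if ($remote -contains 'Any') {
                [pscustomobject]@{ Rule = $_.DisplayName; Profile = $_.Profile }
            }
        }
}

Get-UnscopedInboundAllowRule | Format-Table -AutoSize
```

The blocked-traffic log written by step 1 is the data source for the "potentially log" advice above; review it for repeated drops from the same source before widening any rule.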
