Hardening Microsoft Servers and Client Computers

Don’t neglect any computer that is attached to your network. You should harden both servers and workstation computers. Any compromised computer that is connected to your network is a threat to the entire network. Microsoft makes the process of hardening server computers easier with the SCT. You can implement many hardening recommendations simply by applying the ones in the SCT. Unlike earlier versions of Windows, workstation computers are integrated into the SCT recommendations. This means you don’t need to manually harden your workstations. Although Windows workstation installations are more secure by default than in the past, you’ll need to take extra steps to ensure that they are as secure as possible.

Hardening Server Computers

Server computers exist on your network to provide one or more specific services. You have two main areas to address when hardening servers. First, ensure that your server computers don’t do anything they’re not supposed to do, such as run extra services that aren’t needed. If a server should provide database services only, then it probably shouldn’t have IIS installed as well. Second, harden the services they are supposed to provide. Start off by installing only the roles you need for any particular server to fulfill its purpose. One of the first steps to take after installing any new server is to use the SCT tools. The SCT tools help identify many of the unneeded services and open ports. Run SCT to disable any roles or services you don’t need and then review the remaining services in the Windows Services window. Disable any services that are still running but that you don’t need.

After running SCT and disabling additional services, it is a good idea to scan each server using a port scanner to identify any open ports you may have missed. Use the nmap utility or any other port-scanning software to identify open ports. Your open port scan shouldn’t find any unexpected open ports. If it does locate any, find out what service is using them and decide whether to close the ports or add them to your approved open ports list. You should know how every open port is being used.

To make it harder for unauthorized users to connect to your server computers, enable IPSec for all server-to-server connections. IPSec will require that any computer that attempts to connect to your server be authorized to connect. Using IPSec and removing or disabling unnecessary user accounts will make it more difficult for attackers to compromise your server computers.

Once you’ve taken these steps to harden your servers, focus on the services that are still running. Every server will have some services running and some ports open. The second main phase of hardening servers is to focus on these components.
