Securing a Windows Server 2008 R2 Public Web Server

Posted by Denny Ferrassoli on Server Fault
Published on 2010-02-05T02:33:22Z Indexed on 2010/05/17 2:10 UTC

I'm setting up a public web server: Windows Server 2008 R2, IIS7.5. Does anyone have a tutorial / walkthrough / tips on properly securing a public web server? I've seen a few tutorials but mostly focused on Windows Server 2003.

What I've done so far:

  • Created a specific user account for the website / app pool,
  • Renamed Admin account,
  • Installed FTPS,
  • Configured firewall to block any non-public service (web / https),
  • Configured firewall to allow access to management interfaces only from specific IP addresses (RDP, IIS management, FTP)

Maybe a few other things but can't remember at the moment...

ICMP is allowed... Should I disable all except ping?

Port scan reveals only web and https ports.

Any other suggestions?

Thanks
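One way to check the firewall policy described in the post (only web and https public, management interfaces limited to specific addresses) is to audit the rule listing itself. This is an added example, not part of the original post; the rule names, the address 203.0.113.10 and the ports 3389 (RDP) and 8172 (IIS remote management) are assumptions, and the sample listing is constructed.

```python
import re

# Constructed sample in the layout printed by
# `netsh advfirewall firewall show rule name=all` (not output from the poster's server).
SAMPLE = """\
Rule Name:                            Web HTTP and HTTPS
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
LocalPort:                            80,443
Action:                               Allow

Rule Name:                            RDP admin
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             203.0.113.10/32
LocalPort:                            3389
Action:                               Allow

Rule Name:                            IIS remote management
----------------------------------------------------------------------
Enabled:                              Yes
Direction:                            In
RemoteIP:                             Any
LocalPort:                            8172
Action:                               Allow
"""

PUBLIC_PORTS = {"80", "443"}  # assumption: the only services meant to be public


def parse_rules(text):
    """Split netsh output into one dict of fields per rule."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [dict(re.findall(r"^([^:\n]+):\s+(.*?)\s*$", b, re.M)) for b in blocks]


def exposed_rules(rules):
    """Enabled inbound allow rules open to any source on a non-public port."""
    findings = []
    for r in rules:
        active = (r.get("Enabled"), r.get("Direction"), r.get("Action")) == ("Yes", "In", "Allow")
        ports = set(r.get("LocalPort", "Any").split(","))
        if active and r.get("RemoteIP", "Any") == "Any" and not ports <= PUBLIC_PORTS:
            findings.append((r.get("Rule Name"), sorted(ports)))
    return findings


if __name__ == "__main__":
    print(exposed_rules(parse_rules(SAMPLE)))
```

Rules that have no LocalPort field, such as ICMP rules, are reported with port "Any" so they are reviewed as well.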
