On the Windows Servers I use for development, I like to keep things simple. That means security should be in place, but at the same time should be workable and flexible enough for me to install and download things, without getting nagged by obnoxious over-active security mechanisms. In order to do so, I execute the following steps on every Windows development server I install.

Install RDP Defender

If your Windows server is publicly available from the internet, then there is a 100% chance that hackers, network scanners and brute force robots are trying to guess your Administator login and password as we speak.

Using password dictionaries, they will automatically try to login to your server hundreds to thousands times every minute. Not only this is bad for your server’s security, but it also wastes a lot of resources, such as CPU and bandwidth.

RDP Defender will block these attacks, by monitoring failed login attempts and automatically blacklisting the offending IP addresses after several failures. You can of course configure it to suit your needs, but it pretty much take care of itself. It takes just 30 seconds to download and install: https://www.terminalserviceplus.com/rdp-defender.php

Increase RDP Security

Start –> Run –> gpedit.msc
Go to Computer Configuration à Administrative Templates à Windows Components à Remote Desktop Services à Remote Desktop Session Host à Security

Set client connection encryption level – Set this to High Level so your Remote Desktop sessions are secured with 128-bit encryption.

Require secure RPC communication – Set this to Enabled.

Require use of specific security layer for remote (RDP) connections – Set this to SSL (TLS 1.0).

Require user authentication for remote connections by using Network Level Authentication – Set this to Enabled.

Disable Remote Management, unless specifically needed.

I’m not a fan of having stuff enabled that I don’t use or need, so even tough this probably isn’t a security risk, I’m going to disable it anyway.

Go to Server Manager à Local Server à Remote Management and click ‘Enabled’.
In the window that opens, untick ‘Enable Remote management of this server from other computers’ and hit apply.

Do not start Server Manager automatically at logon

Go to Server Manager à Manage à Server Manager Properties
Check ‘Do not start Server Manager automatically at logon’.

Disable Password Expiration

Like I said, this is a development server. There’s no need for me to have top notch security, as I’ll probably spin up a new machine in a couple of months again and delete this one.

Start à Run à gpedit.msc
Go to Computer Configuration à Windows Settings à Security Settings à Password Policy.

Change ‘Maximum password age’ to 0. Hit apply and ‘Password will not expire’ should now be shown.

Schedule automatic update restarts

Windows Server 2012 and 2016 use ‘active hours’ to determine whether or not it’s safe to reboot the machine for updates. Moreover, the maximum time frame of the ‘active hours’ cannot be greater than 12 consecutive hours. To be honest, I don’t know who came up with this brilliant idea, since a server is usually designed to be on 24/7. Therefore, I prefer choose when Windows reboots for updates by scheduling a specific time, instead of playing Russian roulette whether or not the thing is going to reboot while I’m running any jobs/tests.

Start à Run à gpedit.msc
Go to Computer Configuration à Policies à Administrative Templates à Windows Components à Windows Update.

Tick ‘Enabled’, choose option 4 and tick ‘Install during automatic maintenance’

Note: When ticking ‘Install during automatic maintenance’ the schedule you define in gpedit, i.e. ‘Every day’ and the scheduled install time of 03:00 as in the screenshot above, have no effect! The automatic maintenance option overrides this schedule. Automatic maintenance is performed daily, but you are free to change at which time it takes place via Control Panel à System and Security à Security and Maintenance à Automatic Maintenance

Disable Internet Explorer Enhanced Security Configuration

On a development server, downloading new tools and utilities is common practice. Instead of whitelisting every domain, which are a lot nowadays, I simply turn off the Internet Explorer Enhanced Security Configuration. Yes, I know this is a potential security risk, especially on production servers, but like I said, this is a development server. In addition, use your common sense when pointing and clicking at stuff on the interwebz and you should come a long way

Go to Server Manager à Local Server à IE Enhanced Security Configuration and tick ‘Off’

Privacy settings

Windows Server 2012, and especially Windows Server 2016, are quite intrusive when it comes to privacy. I don’t like the automatic sharing of ‘diagnostic and usage data’ (whatever that may be), so I switch off these options as far as possible (hoping they actually do something instead of being bogus buttons/placeholders).

Go to Server Manager à Local Server à Feedback & Diagnostics and click ‘Settings’
In the window that opens, choose ‘Never’ and ‘Basic’:

Do the same for Windows Defender, by switching off ‘Cloud Protection’ and ‘Automatic Sample Submission’:

Show extensions & hidden files, folders and drives

It’s always handy to know whether or not you’re opening invoice.pdf.exe or an actual invoice.pdf, isn’t it ?

Open a random folder, go to File à Change folder and search options

Tick ‘Show hidden files, folders and drives’ and untick ‘Hide extensions for known file types. Hit apply and OK.

Change Power Plan to High Performance

I hate waiting for my disks to spin-up and since this is a server, I always choose the High Performance Power Plan in order to get maximum performance.

Go to Control Panel à Hardware à Power Options and tick ‘High performance’.

Last but not least, install 7Zip & Notepad++

These two tools belong in every developer’s toolkit, so install them while you’re at it!

That’s all for now. Comments or questions? Let me know down below. Cheers!

Recently I bought a Synology DS216j to replace my Synology DS214se. The DS214se is a good entry-level NAS for personal use, but it was struggling to keep up with my 3 HD IP-cameras as well as acting as a Mail Server, mainly because of the single-core CPU. Since I didn’t want to lose my data, I had to perform a migration from the DS214se to the DS216j in order to retain the data. A quick Google search lead me into this Synology knowledge base article: https://www.synology.com/en-us/knowledgebase/DSM/tutorial/General/How_to_migrate_between_Synology_NAS_DSM_5_0_and_later

The title of the knowledge article above says that it’s intended for Synology NAS running DSM 5.0 and later. At the point of writing, DSM 6.1 is the latest available DSM version, so I had a suspicion that the knowledge base article might be out of date. Because my NAS models were not identical to each other, I had to follow section 2.2. of the article linked above; Migrating between different Synology NAS models. After doing so, I can confirm that my suspicions were right; the knowledge base article is out of date, the migration process between two Synology NAS just got easier!

Here’s a small writeup about what has changed in migrating between Synology NAS between DSM 5.0 and DSM 6.0:

Section 2.2. Migrating between different Synology NAS models starts with a word of caution, telling you that all packages on the target Synology NAS (i.e. your new NAS) will have to be reinstalled, which results into in losing the following data (…) Mail Server and Mail Station settings & Surveillance Station settings. This was applicable to my Synology NAS, as I had these packages installed and were actively used. However, after performing the migration to my new NAS as described in Section 2.2. (which basically comes down to update your old NAS to the latest DSM, switch it off, swap the drives to the new NAS and turn it on) my new Synology said the packages had to be repaired instead of being reinstalled. After clicking the repair button, all my packages came back to life on the new NAS, without any data loss; all my settings and files, including from Mail Server, Mail Station and Surveillance Station (emails as well as recordings), were still there! Needless to say, it’s still good practice to backup you data before performing the migration, as described in section 1 of the knowledge base article linked above.

However, what did change was the IP address of my NAS. I assumed that my new NAS would be using the same IP as my old NAS, as Synology instructs you to turn off your old NAS before powering up your new NAS, but that was not the case. So after the migration, use the Synology finder to find the new IP of your NAS and change it to your old IP after the migration, which can be in the Control Panel à Network.

Also, lastly, I had to re-register my DDNS hostname by re-logging into my Synology account, which can be done in the Control Panel à External Access.

That’s all folks!

PS. Should you have bought any additional Surveillance Station license keys in the past, don’t forget them down and to deactivate them on your old NAS before the migration, since the license keys can only be active on one Synology product at a time. Also, as an FYI, each license key can only be migrated just once.

Nowadays it’s dead easy to schedule a PHP script as a cronjob/crontab in Plesk Onyx for Windows. However, in the previous versions, Plesk did not supply a sample syntax for scheduled tasks. Most examples found on the interwebs assume that you’re running Plesk on Linux, but if you are like me and run Plesk on Windows, that syntax is just plain wrong.

This small ‘note to self post’ shows how to correctly schedule a PHP script in Plesk for Windows for those of you who are still running an older version of Plesk :)

Step 1. Open Plesk and search for Scheduled Tasks

Step 2. Create a new cronjob/crontab as shown above. Adjust the parameters to your liking. In this example, I’ve scheduled the particular .php script to run every 5 minutes of each day of the week.

Step 3. You’re done! In the end, your finished cronjob/crontab should look like in the image above. If desired, you can also run it on demand by clicking Run Now.