On the Windows Servers I use for development, I like to keep things simple. That means security should be in place, but at the same time should be workable and flexible enough for me to install and download things, without getting nagged by obnoxious over-active security mechanisms. In order to do so, I execute the following steps on every Windows development server I install.
Install RDP Defender
If your Windows server is publicly available from the internet, then there is a 100% chance that hackers, network scanners and brute force robots are trying to guess your Administrator login and password as we speak.
Using password dictionaries, they will automatically try to log in to your server hundreds to thousands of times every minute. Not only is this bad for your server’s security, but it also wastes a lot of resources, such as CPU and bandwidth.
RDP Defender will block these attacks by monitoring failed login attempts and automatically blacklisting the offending IP addresses after several failures. You can of course configure it to suit your needs, but it pretty much takes care of itself. It takes just 30 seconds to download and install: https://www.terminalserviceplus.com/rdp-defender.php
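As an added example (not from the post and not RDP Defender's code), the signal RDP Defender acts on can be pulled straight from the Security log with PowerShell: failed logons (event 4625) grouped by source IP. The one-hour window and the threshold of 10 failures are assumptions; run it from an elevated prompt, since reading the Security log requires it.

```powershell
# Added example: summarise failed logons (Security event 4625) per source IP.
# Window and threshold are assumptions; adjust to taste.
$Since     = (Get-Date).AddHours(-1)
$Threshold = 10

$events = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625; StartTime = $Since } `
                       -ErrorAction SilentlyContinue

# Pull the named EventData fields out of each record's XML.
$hits = foreach ($e in $events) {
    $x = [xml]$e.ToXml()
    $d = @{}
    foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    [pscustomobject]@{
        IpAddress  = $d['IpAddress']
        TargetUser = $d['TargetUserName']
        LogonType  = $d['LogonType']
        Time       = $e.TimeCreated
    }
}

# Logon type 3 (network, used by NLA) and 10 (RemoteInteractive) cover RDP attempts;
# records without a source address ('-') cannot be attributed and are skipped.
$hits |
    Where-Object { $_.IpAddress -and $_.IpAddress -ne '-' -and $_.LogonType -in '3','10' } |
    Group-Object IpAddress |
    Where-Object { $_.Count -ge $Threshold } |
    Sort-Object Count -Descending |
    ForEach-Object {
        [pscustomobject]@{
            IpAddress = $_.Name
            Failures  = $_.Count
            Accounts  = ($_.Group.TargetUser | Sort-Object -Unique) -join ','
            LastSeen  = ($_.Group.Time | Sort-Object -Descending | Select-Object -First 1)
        }
    } | Format-Table -AutoSize
```

Feeding the resulting IpAddress column into an inbound block rule (New-NetFirewallRule -Direction Inbound -Action Block -RemoteAddress ...) is essentially what RDP Defender automates for you.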
Increase RDP Security
Start -> Run -> gpedit.msc
Go to Computer Configuration -> Administrative Templates -> Windows Components -> Remote Desktop Services -> Remote Desktop Session Host -> Security
Set client connection encryption level – Set this to High Level so your Remote Desktop sessions are secured with 128-bit encryption.
Require secure RPC communication – Set this to Enabled.
Require use of specific security layer for remote (RDP) connections – Set this to SSL (TLS 1.0).
Require user authentication for remote connections by using Network Level Authentication – Set this to Enabled.
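The same four settings, applied and read back with PowerShell, as an added example that is not from the post: the registry values under the Terminal Services policy key are the ones the corresponding Group Policy settings write; the read-back through the Win32_TSGeneralSetting CIM class is an assumption about what the session host reports once policy has been refreshed.

```powershell
# Added example: apply and verify the four RDP hardening policies from this section
# without opening gpedit.msc. Values mirror what the Group Policy settings write.
$Pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Terminal Services'
if (-not (Test-Path $Pol)) { New-Item -Path $Pol -Force | Out-Null }

$Desired = @{
    MinEncryptionLevel = 3   # Set client connection encryption level: High (128-bit)
    fEncryptRPCTraffic = 1   # Require secure RPC communication: Enabled
    SecurityLayer      = 2   # Require use of specific security layer: SSL (TLS)
    UserAuthentication = 1   # Require NLA for remote connections: Enabled
}

foreach ($name in $Desired.Keys) {
    Set-ItemProperty -Path $Pol -Name $name -Value $Desired[$name] -Type DWord
}

# Refresh policy so the session host picks the values up.
gpupdate /force | Out-Null

# Read back what the RDP-Tcp listener reports (assumption: this reflects the
# effective, policy-controlled values after the refresh).
$ts = Get-CimInstance -Namespace 'root\cimv2\TerminalServices' `
                      -ClassName Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'"

[pscustomobject]@{
    MinEncryptionLevel = $ts.MinEncryptionLevel        # 3 = High, 4 = FIPS
    SecurityLayer      = $ts.SecurityLayer             # 2 = SSL/TLS
    NLARequired        = [bool]$ts.UserAuthenticationRequired
    Hardened           = ($ts.MinEncryptionLevel -ge 3) -and
                         ($ts.SecurityLayer -eq 2) -and
                         ($ts.UserAuthenticationRequired -eq 1)
}
```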
Disable Remote Management, unless specifically needed.
I’m not a fan of having stuff enabled that I don’t use or need, so even though this probably isn’t a security risk, I’m going to disable it anyway.
Go to Server Manager -> Local Server -> Remote Management and click ‘Enabled’.
In the window that opens, untick ‘Enable Remote management of this server from other computers’ and hit apply.
Do not start Server Manager automatically at logon
Go to Server Manager -> Manage -> Server Manager Properties
Check ‘Do not start Server Manager automatically at logon’.
Disable Password Expiration
Like I said, this is a development server. There’s no need for me to have top notch security, as I’ll probably spin up a new machine in a couple of months again and delete this one.
Start -> Run -> gpedit.msc
Go to Computer Configuration -> Windows Settings -> Security Settings -> Password Policy.
Change ‘Maximum password age’ to 0. Hit apply and ‘Password will not expire’ should now be shown.
Schedule automatic update restarts
Windows Server 2012 and 2016 use ‘active hours’ to determine whether or not it’s safe to reboot the machine for updates. Moreover, the ‘active hours’ window cannot be longer than 12 consecutive hours. To be honest, I don’t know who came up with this brilliant idea, since a server is usually designed to be on 24/7. Therefore, I prefer to choose when Windows reboots for updates by scheduling a specific time, instead of playing Russian roulette over whether or not the thing is going to reboot while I’m running any jobs/tests.
Start -> Run -> gpedit.msc
Go to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> Windows Update.
Open ‘Configure Automatic Updates’, tick ‘Enabled’, choose option 4 and tick ‘Install during automatic maintenance’.
Note: When ticking ‘Install during automatic maintenance’, the schedule you define in gpedit, i.e. ‘Every day’ and the scheduled install time of 03:00 as in the screenshot above, has no effect! The automatic maintenance option overrides this schedule. Automatic maintenance is performed daily, but you are free to change the time at which it takes place via Control Panel -> System and Security -> Security and Maintenance -> Automatic Maintenance.
Disable Internet Explorer Enhanced Security Configuration
On a development server, downloading new tools and utilities is common practice. Instead of whitelisting every domain, and there are a lot of them nowadays, I simply turn off the Internet Explorer Enhanced Security Configuration. Yes, I know this is a potential security risk, especially on production servers, but like I said, this is a development server. In addition, use your common sense when pointing and clicking at stuff on the interwebz and you should come a long way.
Go to Server Manager -> Local Server -> IE Enhanced Security Configuration and tick ‘Off’.
Windows Server 2012, and especially Windows Server 2016, are quite intrusive when it comes to privacy. I don’t like the automatic sharing of ‘diagnostic and usage data’ (whatever that may be), so I switch off these options as far as possible (hoping they actually do something instead of being bogus buttons/placeholders).
Go to Server Manager -> Local Server -> Feedback & Diagnostics and click ‘Settings’.
In the window that opens, choose ‘Never’ and ‘Basic’:
Do the same for Windows Defender, by switching off ‘Cloud Protection’ and ‘Automatic Sample Submission’:
Show extensions & hidden files, folders and drives
It’s always handy to know whether you’re opening invoice.pdf.exe or an actual invoice.pdf, isn’t it?
Open a random folder, go to File -> Change folder and search options.
Tick ‘Show hidden files, folders and drives’ and untick ‘Hide extensions for known file types’. Hit apply and OK.
Change Power Plan to High Performance
I hate waiting for my disks to spin-up and since this is a server, I always choose the High Performance Power Plan in order to get maximum performance.
Go to Control Panel -> Hardware -> Power Options and tick ‘High performance’.
Last but not least, install 7-Zip & Notepad++
These two tools belong in every developer’s toolkit, so install them while you’re at it!
That’s all for now. Comments or questions? Let me know down below. Cheers!
2 thoughts on “My first 10 minutes on a Windows development server”
Can you set the RDP security to something higher than TLS 1.0? It is considered unsafe and not PCI compliant.
Sorry for this blast of the past, but I seem to have totally missed your comment. Sorry about that!
With regards to your question; Yes, it’s possible to set RDP security to something higher than TLS 1.0, for example TLS 1.2.
For this to work, you need at least Windows Server 2012 (or Windows Server 2008 R2 with this patch: https://support.microsoft.com/en-us/kb/3080079)
First, download IIS Crypto and remove all legacy protocols (I recommend using the ‘Best Practices’ button): https://www.nartac.com/Products/IISCrypto/
Next, and I know this is confusing, but leave the RDP security set to SSL (TLS 1.0). This is a display bug; even though it says TLS 1.0, TLS 1.2 is now applied. You don’t have to take my word for it, here’s an official support article from Microsoft: https://support.microsoft.com/en-us/help/3097192/incorrect-tls-is-displayed-when-you-use-rdp-with-ssl-encryption
To verify if TLS 1.2 is now enforced, check the SCHANNEL logging in Event Viewer.
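Following up on the reply above, an added example (not the commenter's code and not part of IIS Crypto) that audits the server-side Schannel protocol switches IIS Crypto's ‘Best Practices’ profile manages, turns on Schannel event logging, and lists the protocol negotiated by recent handshakes. The event id 36880 (the informational ‘handshake completed’ event) and the ‘Protocol: TLS 1.2’ message text the regex relies on are assumptions to confirm on your build.

```powershell
# Added example: check which Schannel protocols are enabled server-side, enable
# Schannel logging, and read the negotiated protocol from recent handshake events.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL'

# Server-side protocol state. A protocol is off when Enabled=0 (and, for safety,
# DisabledByDefault=1); '(not set)' means Windows falls back to its built-in default.
foreach ($p in 'SSL 2.0','SSL 3.0','TLS 1.0','TLS 1.1','TLS 1.2') {
    $k = "$Base\Protocols\$p\Server"
    $enabled = '(not set)'; $disabledByDefault = '(not set)'
    if (Test-Path $k) {
        $v = Get-ItemProperty -Path $k
        if ($null -ne $v.Enabled)           { $enabled           = $v.Enabled }
        if ($null -ne $v.DisabledByDefault) { $disabledByDefault = $v.DisabledByDefault }
    }
    [pscustomobject]@{ Protocol = $p; Enabled = $enabled; DisabledByDefault = $disabledByDefault }
}

# EventLogging = 7 logs errors, warnings and informational Schannel events;
# a reboot may be required before new handshakes are logged.
Set-ItemProperty -Path $Base -Name EventLogging -Value 7 -Type DWord

# Event 36880 (assumption: the 'handshake completed' event) carries a line such as
# 'Protocol: TLS 1.2'; pull that out of the most recent entries.
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Schannel'; Id = 36880 } `
             -MaxEvents 20 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $proto = if ($_.Message -match 'Protocol:\s*(\S+ \S+)') { $Matches[1] } else { '?' }
        [pscustomobject]@{ Time = $_.TimeCreated; Protocol = $proto }
    } | Format-Table -AutoSize
```

Connect once over RDP after enabling logging; every handshake listed as TLS 1.2 while the TLS 1.0 and 1.1 rows show Enabled=0 confirms the ‘SSL (TLS 1.0)’ label is cosmetic.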