What steps do you take to secure a windows server

Question

i have windows server 2008R2 in my network as DC.
also i use this server for hosting our organization website.
I want to make it as secure as possible.
What I need to Do for securing my windows server??

edit

our Website is run locally and we are Use Forms Authentication with Active Directory for our website.so now what how can i Get the web site off of your Domain Controller???

@longneck: I Read [BeStRaFe answer](http://serverfault.com/a/102126/170966) but it is too Summarized and i need more description also [picflight](http://serverfault.com/users/19181/picflight) server dont have DC — AminM, Jun 07 '13 at 15:58
If you need help with moving your web site from one server to another, you should probably ask a new question. — Michael Hampton, Jun 26 '13 at 13:36

longneck · Accepted Answer · 2013-06-26T13:53:12.230

1

Pre-Obligatory

Run a current, supported version of Windows. Currently this is Windows 2008R2 and Windows 2012.
Never install anything on a domain controller except:
- DNS, DHCP, WINS, and Certificate Services (and only if needed)
- Anti-virus, backup agents, monitoring agents

Obligatory

Use a core installation if you can
Rename the local administrator account
Do not disable the firewall
Run the Best Practices Analyzer
Run the Security Configuration Wizard
Use the Microsoft Security Compliance Manager to developy and apply consistent security policies to all your servers
Do not disable UAC
Do not install and Roles or Features you aren't actively using.
- Pay particular attention to un-needed sub-features of roles like IIS
Keep up to date with OS and application updates

For the paranoid
Change the RDP port

edited Jun 26 '13 at 13:53

answered Jun 07 '13 at 15:00

longneck

22,793
4
50
84

tnx for answer but why never install DNS, DHCP, WINS, and Certificate Services Together??( i install it Together for paying Lower cost) – AminM Jun 26 '13 at 08:33
That is not what I said. You can install dns, dhcp, wins and certificate services on a DC. Those roles are appropriate for a domain controller and have minimalsecurity impact. everything else, like a website, should not be running on a domain controller. – longneck Jun 26 '13 at 12:55
meh changing the RDP port will just give you a bit less internet background noise. – Lucas Kauffman Jun 26 '13 at 13:34
2

Don't forget MS BPA [2012](http://technet.microsoft.com/en-us/library/hh831400.aspx), [2008R2](http://technet.microsoft.com/en-us/library/dd759260.aspx) (other versions available for older versions of Windows, but if you're really concerned about security you probably aren't running ancient software). – Chris S Jun 26 '13 at 13:40
@JesonPark LOL WUT? – longneck Feb 17 '14 at 13:31

What steps do you take to secure a windows server

1 Answers1

Pre-Obligatory

Obligatory

For the paranoid