Important security information for your Windows Server (part 1 of 2)
Valid for Cloud Servers, VPS, VPS+, Virtual Servers, Dedicated Servers, and Value Servers.
A server offers you many interesting possibilities. However, when you purchase a server with administrative access, you are also responsible for its security. This responsibility covers all actions performed by your server. For this reason, it is very important that you secure your server as early as possible and harden it against cyber attacks in order to minimise the attack surface available to potential attackers.
This series of articles explains some important security recommendations and security measures that will help to increase the security level of your Windows server.
In this article, you will find general security recommendations and tips for the secure configuration and operation of your Windows server. These recommendations apply to Microsoft Windows Server 2019, 2022, and 2025.
Install security patches and updates regularly and in good time
As a rule, vulnerabilities that become known are closed within a very short time by published updates. However, this only protects you if you regularly check for security patches and updates for the operating system and the installed programs and install them promptly. Also make sure that security patches and updates for the applications and extensions you use are installed.
Almost all operating systems offer the option of automatically downloading and installing important security updates in the background. If you are using Microsoft Windows Server 2019, Microsoft Windows Server 2022, or Microsoft Windows Server 2025, you can configure automatic installation in the Windows update settings.
Note
Pre-test application and plug-in updates to ensure compatibility with your environment before deployment. Please note, however, that you will need a second server for such a test.
Always use a strong password
Protecting user accounts, especially the administrator account, is crucial. If you use weak passwords, it is easier for potential cyber criminals to gain access to your server. If such an attack is successful, the cyber criminal can, for example, use your server for malicious activities, consume your server's resources, or take over the server and lock you out.
You should therefore always use secure and complex passwords, and change them whenever you suspect that they have been compromised. Please note the following criteria to create a strong and secure password:
Use a separate and unique password for each server and for each database running on the server.
Use a password that is not found in dictionaries.
Always use a password that is significantly different from previous passwords.
Do not use any personal data from your personal environment, such as birthdays, names, etc.
Do not use a password that contains the user name or company name.
Do not share your password with third parties.
Combine different types of characters, e.g. letters, numbers and special characters.
Do not use identical passwords for different services.
A secure password contains:
At least 12 characters
Upper and lower case letters: a-z, A-Z
Numbers: 0-9
Special characters
Note
Only change passwords if you suspect that they have been compromised. Current security guidelines (e.g. from Microsoft and NIST) advise against enforced, regular password changes, because this often leads to weaker, predictable password patterns.
Only install required applications
Only install applications that you really need. The more applications you install on the server, the greater the risk of vulnerabilities.
Note
If possible, only install applications from official sources. Applications from unofficial sources may contain malware and/or viruses.
Deactivate services that are not required
Depending on the operating system used and the type of installation, various additional programs and services are installed as well. Many of these additional programs and services are not required.
Switching off these unnecessary programs and services reduces the attack surface of your server. Therefore, identify the services and scheduled tasks that are not critical to the operation and management of your server and disable them.
Alternatively, Microsoft's security baselines can systematically take over this task for you by automatically deactivating known, non-essential services.
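As an added example (not part of the original article), the following PowerShell lists the automatically started, running services that are not on your own allowlist, and disables a service deliberately once you have confirmed that nothing depends on it. The allowlist is a constructed placeholder; build yours from your server's actual role, for example by comparing against a freshly installed test server.

```powershell
# Added example, not from the original article.
# Constructed allowlist of services this (hypothetical) server needs; adjust to your role.
$RequiredServices = @(
    'Dhcp', 'Dnscache', 'EventLog', 'LanmanServer', 'MpsSvc',
    'TermService', 'W32Time', 'WinDefend', 'WinRM', 'wuauserv'
)

function Get-ServiceHardeningCandidates {
    param([string[]]$Required)
    # Services that start automatically, are running right now and are not on
    # the allowlist are the candidates to review and, if unneeded, disable.
    Get-Service |
        Where-Object { $_.StartType -eq 'Automatic' -and $_.Status -eq 'Running' } |
        Where-Object { $Required -notcontains $_.Name } |
        Select-Object Name, DisplayName, StartType, Status |
        Sort-Object Name
}

function Disable-UnneededService {
    param([Parameter(Mandatory)][string]$Name)
    # Stop the service first, then prevent it from starting again. Record the
    # change so the step can be reverted if an application turns out to need it.
    $svc = Get-Service -Name $Name -ErrorAction Stop
    if ($svc.Status -eq 'Running') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    "{0}`t{1}`tdisabled" -f (Get-Date -Format s), $Name |
        Add-Content -Path "$env:ProgramData\hardening-changes.log"
}

# Review the candidates first; disable individual services only after testing.
Get-ServiceHardeningCandidates -Required $RequiredServices | Format-Table -AutoSize
# Example call once a service has been confirmed unnecessary:
# Disable-UnneededService -Name 'SomeUnneededService'   # placeholder name
```

Run the audit in an elevated PowerShell session; the log file path is an assumption and can be changed freely.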
Only open ports that you really need
Every open port is a potential entry point. If you use only a small number of third-party applications, the number of ports required is manageable. Open ports only become an actual risk if the programs listening on them have security vulnerabilities that cyber criminals can exploit. This potential risk increases with the number of applications you install on the server.
You should therefore configure the firewall so that only the ports that are absolutely necessary for your applications are open.
Harden the operating system with security baselines from Microsoft
Hardening the operating system is a fundamental step in minimising the attack surface of your server. Microsoft Windows offers a large number of security-relevant settings with very different effects. Although Microsoft provides comprehensive instructions, configuring these settings correctly can still take a lot of time. This applies in particular to the configuration of group policies. Group policies are used to configure various operating system settings, including security settings. For example, you can use group policies to define how often a password must be renewed.
Improper configuration of these policies can lead to vulnerabilities and/or malfunctions.
To support faster deployment and further simplify the management of Windows, Microsoft offers security baselines in formats that you can use directly. For example, security baselines are available for securing Group Policy Objects.
Caution
Before you apply a security baseline to a production server, you should always check the effects in a test environment. Test all critical applications after applying the security baselines to ensure that everything works as expected.
Further information on the security baselines can be found in the following article from Microsoft:
You can find the security baselines as part of the Microsoft Security Compliance Toolkit. You can download the toolkit on the following page:
Microsoft Security Compliance Toolkit 1.0
Further information on the Microsoft Security Compliance Toolkit can be found in the following article from Microsoft:
Harden your applications
Depending on the installed application, you are exposed to different threats. To protect yourself against them, you should also harden your applications. Please note the following points:
For information on secure installation and deployment of the application, consult the documentation and the manufacturer's website.
Observe the best practices for installing the respective application.
Look for known vulnerabilities in your application. Common Vulnerabilities and Exposures (CVE®), for example, is a list of known vulnerabilities. You can find more information about CVE® here: https://www.cve.org/
Check your server for vulnerabilities using a program such as Nmap. You can find more information about Nmap on the Nmap website: https://nmap.org/
Carry out a penetration test to identify further vulnerabilities.
Restrict access to the server according to the principle of least privilege
Access to the system should only be permitted to users who need to work with it. In this context, use the principle of least privilege:
Create standard user accounts without administrative rights for everyday tasks.
Use built-in groups such as Remote Desktop Users to control RDP access instead of adding accounts to the Local Administrators group.
Configure NTFS permissions at file and folder level so that users can only access the data they really need.
Restrict RDP access via the Windows Defender Firewall to known, trusted IP addresses.
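The firewall recommendations above (open only the ports your applications need, and restrict RDP to trusted addresses) can be implemented with the Windows Defender Firewall cmdlets. This is an added example, not part of the original article; the addresses come from the RFC 5737 documentation ranges and are constructed placeholders for your own management network.

```powershell
# Added example, not from the original article.
# Constructed placeholders: replace with the addresses you administer the server from.
$TrustedRdpSources = @('203.0.113.10', '198.51.100.0/24')
$RuleName = 'RDP - trusted management addresses only'

function Set-RestrictedRdpRule {
    param([string[]]$RemoteAddress, [string]$Name)
    # Remove any earlier copy of the rule so the script can be re-run safely.
    Get-NetFirewallRule -DisplayName $Name -ErrorAction SilentlyContinue | Remove-NetFirewallRule
    New-NetFirewallRule -DisplayName $Name -Direction Inbound -Action Allow `
        -Protocol TCP -LocalPort 3389 -RemoteAddress $RemoteAddress -Profile Any | Out-Null
    # The built-in "Remote Desktop" rules allow RDP from any address; disable them
    # so that only the restricted rule above applies.
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' -ErrorAction SilentlyContinue |
        Disable-NetFirewallRule
}

function Set-InboundDefaultBlock {
    # Block all inbound traffic that no rule explicitly allows; outbound stays open.
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

function Get-OpenInboundPorts {
    # Audit: every enabled inbound allow rule with its ports and permitted sources,
    # so you can verify that nothing beyond the required ports is reachable.
    Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True | ForEach-Object {
        $port = $_ | Get-NetFirewallPortFilter
        $addr = $_ | Get-NetFirewallAddressFilter
        [pscustomobject]@{
            Rule       = $_.DisplayName
            Protocol   = $port.Protocol
            LocalPort  = ($port.LocalPort -join ',')
            RemoteAddr = ($addr.RemoteAddress -join ',')
        }
    }
}

# Create the restricted RDP rule before tightening the default policy, and make
# sure the address you are currently connected from is in $TrustedRdpSources.
Set-RestrictedRdpRule -RemoteAddress $TrustedRdpSources -Name $RuleName
Set-InboundDefaultBlock
Get-OpenInboundPorts | Sort-Object LocalPort | Format-Table -AutoSize
```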
Develop a suitable backup strategy
The loss of data can lead to profound and costly damage. For this reason, you should develop a suitable backup strategy as early as possible. Developing a backup strategy is technically complex, as many factors need to be taken into account. Some important factors are, for example:
Determining the risk situation: The risk situation depends on the purpose of the server and the dependency on the data stock.
Classification of the data: What type of data is involved? Does system-relevant data or personal data need to be backed up?
Availability of the data: Which applications are dependent on the data and in what form? Will the applications work without the data in question?
You should also consider and answer the following questions when developing your backup strategy:
What level of data loss is acceptable?
How long would it take to reconstruct the data?
How large is the data volume and how will the data stock develop?
How must the data be backed up?
Are there deletion and retention periods?
Is the data confidential? Is special access protection required? Are there any legal requirements?
When can the backup be created without having a negative impact on other processes?
How long do you need to keep the backups?
Another important point to consider when developing your backup strategy is the type of data backup. A basic distinction is made between the following backup types:
Full backup
A full backup is a backup that contains all the data selected for the backup.
Differential backup
In a differential backup, all files that have been changed or added since the last full backup are backed up. The changes are always determined relative to the last full backup. Differential backups therefore grow from day to day until you perform a full backup again. However, they require less storage space than a full backup and can be performed more quickly.
To be able to restore data from a differential backup, you must also have access to the last full backup. The individual differential backups are independent of each other.
Incremental backup
Incremental backups are very space-saving and can be carried out quickly.
With an incremental backup, only the data that has been created or changed since the last backup is backed up, regardless of whether that previous backup was a full backup or an incremental backup.
To be able to restore an incremental backup, you must therefore also have access to other backups in the backup chain, as the backups are interdependent. If you delete one of the previous incremental backups or a full backup, you will no longer be able to restore the entire group.
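The dependency difference between differential and incremental backups described above can be made concrete with a small model that answers "which backups do I need to restore day N?". This is an added example, not part of the original article; the schedule (one full backup on day 1 followed by daily differential or incremental backups) and the set of stored backups are constructed.

```powershell
# Added example, not from the original article.
function Get-RestoreSet {
    param(
        [ValidateSet('Differential', 'Incremental')][string]$Type,
        [int]$TargetDay,          # day whose state you want to restore
        [int]$FullBackupDay = 1   # constructed schedule: full backup on day 1
    )
    $needed = @("Full-$FullBackupDay")
    if ($TargetDay -eq $FullBackupDay) { return $needed }
    switch ($Type) {
        # A differential always refers to the last full backup, so the full
        # backup plus the single differential of the target day is sufficient.
        'Differential' { $needed += "Diff-$TargetDay" }
        # Each incremental refers to the backup directly before it, so every
        # incremental between the full backup and the target day is required.
        'Incremental'  {
            foreach ($d in ($FullBackupDay + 1)..$TargetDay) { $needed += "Incr-$d" }
        }
    }
    return $needed
}

function Test-ChainIntact {
    param([string[]]$Needed, [string[]]$Available)
    # A single missing member makes the restore impossible; report which one.
    $missing = @($Needed | Where-Object { $Available -notcontains $_ })
    [pscustomobject]@{
        Restorable = ($missing.Count -eq 0)
        Missing    = ($missing -join ', ')
    }
}

# Constructed scenario: both chains exist for days 1-5, but the incremental
# backup of day 3 has been deleted.
$stored = @('Full-1', 'Incr-2', 'Incr-4', 'Incr-5', 'Diff-2', 'Diff-3', 'Diff-4', 'Diff-5')

Get-RestoreSet -Type Differential -TargetDay 5
Get-RestoreSet -Type Incremental  -TargetDay 5
# The deleted Incr-3 breaks the incremental chain for day 5, while the
# differential chain is unaffected because Diff-5 depends only on Full-1.
Test-ChainIntact -Needed (Get-RestoreSet -Type Incremental  -TargetDay 5) -Available $stored
Test-ChainIntact -Needed (Get-RestoreSet -Type Differential -TargetDay 5) -Available $stored
```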
In addition to developing a suitable backup strategy and creating regular backups, you should also ensure that the restoration of the backups is tested regularly. Regular tests allow you to ensure the integrity of the backed-up data and gain important experience in restoring your data.
Monitor your server
Monitoring is an important tool for increasing the security of your server. Only by monitoring the server can you recognise a server failure or the failure of individual components or applications in good time. This also applies to certain types of cyber attacks. If you are attacked, a quick response is essential to stop the attack and minimise the damage caused. Therefore, always monitor CPU, RAM and network utilisation. Unusual spikes can indicate malware or a cyberattack.
We also recommend that you regularly check your server's security log entries.
A list of the events to be monitored can be found in the following article from Microsoft:
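One practical way to check the security log regularly, as recommended above, is to summarise failed logons (Security event ID 4625) by source address and flag sources that also achieved a successful network or RDP logon (event ID 4624). This is an added example, not part of the original article or of Microsoft's list; the threshold and the 24-hour window are assumptions, and it assumes logon auditing is enabled and the session is elevated.

```powershell
# Added example, not from the original article.
$Threshold = 20                         # assumption: failures per source worth a look
$Since = (Get-Date).AddHours(-24)       # assumption: review window

function ConvertFrom-SecurityEvent {
    param([System.Diagnostics.Eventing.Reader.EventLogRecord]$Event)
    # Flatten the EventData fields of a Security event into a hashtable.
    $d = @{ Id = $Event.Id; Time = $Event.TimeCreated }
    foreach ($n in ([xml]$Event.ToXml()).Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
    $d
}

function Get-FailedLogonSummary {
    param([datetime]$StartTime, [int]$MinCount)
    $filter = @{ LogName = 'Security'; Id = 4625, 4624; StartTime = $StartTime }
    $records = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SecurityEvent $_ }
    $failed = $records | Where-Object { $_.Id -eq 4625 }
    # Logon type 3 = network, 10 = RemoteInteractive (RDP); interactive console
    # logons are left out because they carry no meaningful source address.
    $succeeded = $records | Where-Object { $_.Id -eq 4624 -and $_.LogonType -in '3', '10' }

    $failed | Group-Object { $_.IpAddress } |
        Where-Object { $_.Count -ge $MinCount } |
        ForEach-Object {
            $src = $_.Name
            [pscustomobject]@{
                Source            = $src
                Failures          = $_.Count
                Accounts          = (($_.Group | ForEach-Object { $_.TargetUserName }) | Sort-Object -Unique) -join ','
                LastFailure       = ($_.Group | ForEach-Object { $_.Time } | Sort-Object -Descending | Select-Object -First 1)
                # Many failures followed by a success from the same source needs immediate review.
                SuccessFromSource = [bool]($succeeded | Where-Object { $_.IpAddress -eq $src })
            }
        } | Sort-Object Failures -Descending
}

Get-FailedLogonSummary -StartTime $Since -MinCount $Threshold | Format-Table -AutoSize
```

Run it from a scheduled task and keep the output, so that spikes stand out against your server's normal baseline rather than being judged in isolation.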
Check your server regularly for malware
Malware, viruses, and ransomware can cause considerable damage. Therefore, make sure that up-to-date antivirus and anti-malware software is installed on your server and update the antivirus and anti-malware signatures regularly. Also make sure that the virus scanner is permanently active and monitors data traffic. In addition, regularly carry out a full scan of the hard drives or SSDs.
More articles from this series
You can find the second article in this series here:
Important security information for your Windows server (part 2 of 2)