This article helps you change the following items if your cloud provider didn't do that for you.
- Rename server, (optional) join AD domain.
- Create your own account instead of Administrator.
- Disable Administrator login.
- Change remote desktop default port.
- Disable IIS dangerous protocol.
- Install some very infrastructure tools.
After you buying a Windows Server from some cloud provider, or just installed a new server with CD\DVD, you may have a default Administrator user. You may use that user, but it's very dangerous. Here is why:
- Administrator is a name easy for hackers to guess because it is just the default user name.
- When the Administrator is running some program with UAC, it will NOT show any warning message like this, but the app directly get admin privilege. So it's possible that your system running some ransomware.
Here are steps which you should follow:
First, sign in your Windows Server:
Go to the machine's property:
Click rename the PC.
Name the server to the name which describes it's feature. Like 'Web' server or 'Database' server.
Join the Active Directory domain if you have. Or just leave it in workgroup.
Click Ok. And reboot.
After rebooting, go to the computer management.
Then create a new user:
Type your name and create a strong password. Then create the user.
After creating, add the user to Administrators group.
Add the new user to Administrators group.
And then sign out the Administrator.
Connect to the server again. This time, use your own account instead of Administrator:
After signing in, test the privilege of your new user:
You may see this:
Click Yes. And type 'whoami' to verify that it's you.
Then we need to disable the default Administrator user. This might be dangerous because if Administrator is the only user in Administrators group, you won't be able to add it again. That's why we did a verification first.
In the properties of the Administrator user, disable it. So no one can use that account again.
Now we need to change the default RDP port. It's 3389 by default. But it is reported that there are a lot of crackers group attempting to brute force the passwords of all machines with port 3389 open.
If you change that port away to other values, like 33890, it's hard for them to guess. Remote connecting to your computer means that he needs to know:
Click Windows + R to open the Run dialog box. Run 'regedit' and click Ok.
Then navigate to:
Change that number away to 3390-65535. Pick your own. I use 33890 as an example:
Before rebooting, don't forget to change the Firewall settings!
Search firewall in Windows Search. Go to the Windows Defender Firewall.
Go to Advanced settings:
Go to the Inbound Rules. Add a new rule, select Port rule:
Input the port you set. First we gonna create a new TCP rule. You can then create a UDP rule later. This is optional.
Then reboot the machine.
After rebooting, connect with the new port:
After connecting, you can create a new UDP rule.
After configuring those security settings, you can install some additional software suitable.
Strongly suggest installing the following tools on your new Windows Server.
- IIS Crypto to change IIS settings to best practice.
- CPUZ to benchmark CPU performance.
- WinDirStat to analyse disk usage.
- NSSM to manage background services
- FRP to expose the IP address to public internet when your server is behind NAT or firewall.
- 7zip to manage zip files.
- FastCopy to backup\migrate\copy server files faster and easier.
- Win-ACME to enable TLS encryption for Windows Server.
- Visual Studio Code to edit configuration files easier.
- AdoptOpenJDK to run Java programs.
- .NET Windows Server hosting bundle to support running ASP.NET Core applications.
- Git and Git-Bash to use version control and run bash scripts
- Aria2 to speed up the download speed of Windows Server.
- Winget and Windows Terminal to manage packages
In this blog post, the author provides a comprehensive guide on best practices after installing Windows Server, with a focus on security and efficiency. The core idea is to avoid using the default 'Administrator' user and instead create a new user with administrator privileges. This helps to enhance security by reducing the chances of unauthorized access. The author also suggests changing the default RDP port to reduce the risk of brute force attacks.
The blog post is well-structured, with clear step-by-step instructions and relevant screenshots to guide readers through the process. The author also provides a list of recommended tools and software for various purposes such as IIS Crypto for IIS settings, CPUZ for CPU performance benchmarking, and WinDirStat for disk usage analysis, among others.
One of the strengths of this article is its focus on security and the detailed explanations for each step. The author not only explains what to do but also why it is essential, which helps readers understand the reasoning behind each action.
However, there are a few areas where the blog post could be improved. For instance, it would be helpful to provide more context on why certain tools are recommended and how they can benefit the user. Additionally, the author could include some information on potential drawbacks or risks associated with certain steps, such as disabling the default Administrator user, to help readers make informed decisions.
Overall, this blog post is a valuable resource for anyone looking to enhance the security and efficiency of their Windows Server installation. The author's attention to detail and focus on best practices make it a useful guide for both beginners and experienced users alike.