Windows Server Security Rule 10: Security Awareness


What can you expect from this document:

This document covers some basic security best practices that, combined with other security measures, will help to increase the overall security of your system.

What is the threat?

Many of the initial attack vectors that lead to damage are non-technical. Example: a user opens a malicious email attachment or downloads it with their browser. It is therefore important to raise security awareness. Always be careful, especially when handling sensitive information.

Useful hints to avoid typical security risks:

1. Only use software from validated / secure sources

To protect your computer, make sure that:

  • you always retrieve software from well known sources, for example the software vendor
  • you validate the software, for example by signature or at least hash sum
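The two checks above (Authenticode signature and hash sum) can be scripted so they are never skipped. The following PowerShell function is an added example and not part of the original article; the file path and the expected SHA-256 value are placeholders you replace with the installer you downloaded and the hash the vendor publishes.

```powershell
# Added example (not from the original article): verify a downloaded installer
# before running it. Assumptions: $Path points at the downloaded file and
# $ExpectedSha256 is the hash published by the vendor (both placeholders here).
function Test-DownloadedSoftware {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [string] $ExpectedSha256   # vendor-published SHA-256, optional
    )
    if (-not (Test-Path -LiteralPath $Path)) {
        throw "File not found: $Path"
    }
    $result = [ordered]@{ Path = $Path }

    # Check 1: Authenticode signature. 'Valid' means the certificate chain is
    # trusted on this machine and the file has not been altered since signing.
    $sig = Get-AuthenticodeSignature -FilePath $Path
    $result.SignatureStatus = $sig.Status
    $result.Signer = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { '<unsigned>' }
    $result.SignatureValid = ($sig.Status -eq 'Valid')

    # Check 2: hash sum, compared case-insensitively with the vendor's value.
    # $null means no expected hash was supplied, so nothing was compared.
    $result.HashMatches = $null
    if ($ExpectedSha256) {
        $actual = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
        $result.ActualSha256 = $actual
        $result.HashMatches = ($actual -ieq $ExpectedSha256)
    }
    [pscustomobject]$result
}

# Usage with constructed placeholder values:
$check = Test-DownloadedSoftware -Path 'C:\Downloads\installer.msi' -ExpectedSha256 '<SHA256-FROM-VENDOR>'
$check | Format-List
if (-not $check.SignatureValid -or $check.HashMatches -eq $false) {
    Write-Warning 'Do not run this file: the signature or hash check failed.'
}
```

A valid signature alone only tells you the file is what its signer built; the hash comparison ties it to the specific release the vendor published. Treat a `NotSigned` or `HashMismatch` status, or a hash that differs from the published value, as a reason not to run the file.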

2. Don't use the browser on your server to surf the Internet

Browsers are among the most complex pieces of software on your system. Although vendors invest a lot of effort in securing them, configuration-specific attack vectors still exist. Because of this risk, you should not use a browser on your server to surf the Internet.

3. Be aware of your privileges

If you execute malicious software by mistake, it runs with your permissions. Therefore, use highly privileged accounts only when needed.

4. Perform administrative tasks only from secure systems

Your security chain of trust can only be as strong as its weakest link, so avoid performing administrative tasks on your server from insecure systems. Example: never log in from systems whose security state you do not know.

5. Granting access and permissions

Only grant user access to your server on a need-to-use basis.
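Rules 3 and 5 both come down to knowing who holds administrative rights right now. The PowerShell below is an added example, not part of the original article: it reports whether the current session is elevated (rule 3) and lists the members of the local Administrators group so they can be reviewed on a need-to-use basis (rule 5). It assumes Windows PowerShell 5.1 on Windows Server 2016 or later, where the `Microsoft.PowerShell.LocalAccounts` module ships in the box.

```powershell
# Added example (not from the original article). Assumes Windows PowerShell 5.1
# on Windows Server 2016 or later (Get-LocalGroupMember is available there).

function Test-ElevatedSession {
    # True when the current token carries the Administrators role, i.e. anything
    # launched from this session (including a mistakenly opened attachment)
    # would run with administrator rights.
    $identity  = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object System.Security.Principal.WindowsPrincipal($identity)
    $principal.IsInRole([System.Security.Principal.WindowsBuiltInRole]::Administrator)
}

function Get-LocalAdminMembers {
    # Local and domain principals that currently hold administrative rights on
    # this server. PrincipalSource shows whether each entry is Local or ActiveDirectory.
    Get-LocalGroupMember -Group 'Administrators' |
        Select-Object Name, ObjectClass, PrincipalSource
}

$me = [System.Security.Principal.WindowsIdentity]::GetCurrent().Name
if (Test-ElevatedSession) {
    Write-Warning "Session for $me is elevated. Use it only for the administrative task at hand."
} else {
    Write-Host "Session for $me is not elevated."
}

Write-Host 'Members of the local Administrators group (review on a need-to-use basis):'
Get-LocalAdminMembers | Format-Table -AutoSize
```

Run the group listing periodically and remove any account that no longer needs administrative access; day-to-day work, including reading email, belongs in a non-elevated session.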

6. Rules to avoid phishing

  • Be suspicious of any unsolicited emails that urgently request personal or financial information. For example, the email will claim that your account will be terminated if you fail to confirm your personal information.
  • Look for misspelled words and/or grammatical errors in the message and/or hyperlink. Blatant misspelled words and/or grammatical errors are common in spoof emails.
  • Avoid emailing personal and financial information. Before submitting financial or account information to a website, look for a third-party privacy seal to ensure that the transaction is secure. Also avoid volunteering private information like passwords or a personal social security number.
  • Be watchful of general greetings. Many spoof emails begin with a general greeting rather than directly addressing the registered user by name.
  • Contact the company directly. If you have any doubts about an email or website, open a new browser window and visit the company's site directly to verify it. Don't be afraid to call customer service.

Further Information:

The contribution provided by Microsoft is intended to serve general information purposes and the content is AS IS without any express or implied warranties of any kind with respect to the accuracy, correctness or reliability. The information is provided without any warranty of fitness for a particular purpose. The information is compiled with the necessary care, however no liability is assumed in this respect, in particular with regard to the absence of errors, topicality with regard to the specific state of knowledge or use as the basis for the responsible decisions of the user.