This article walks through the following hardening steps for a fresh Windows Server, in case your cloud provider did not do them for you:
- Rename the server and (optionally) join an Active Directory domain.
- Create your own administrator account instead of using the built-in Administrator.
- Disable the built-in Administrator account.
- Change the default Remote Desktop (RDP) port.
- Disable the weak TLS protocols and cipher suites that IIS accepts by default.
- Install some useful infrastructure tools.
After buying a Windows Server from a cloud provider, or installing a fresh server from CD/DVD, you usually get a default Administrator account. You can keep using it, but that is dangerous. Here is why:
- Administrator is trivial for attackers to guess because it is the default user name, so every password-guessing attempt against your server starts with it.
- When the built-in Administrator runs a program that requires elevation, UAC does NOT show a consent prompt like this; the program simply receives full administrative rights (Admin Approval Mode is off for the built-in account by default). A piece of ransomware that you launch by accident therefore runs with full privileges immediately.
Here are the steps to follow:
First, sign in to your Windows Server:
Go to the machine's properties:
Click 'Rename this PC'.
Name the server after its role, for example 'Web' or 'Database'.
Join your Active Directory domain if you have one; otherwise leave the server in a workgroup.
Click OK and reboot.
After rebooting, open Computer Management.
Then create a new user:
Type your name, choose a strong password, and create the user.
After creating it, add the new user to the Administrators group:
Then sign out of the Administrator account.
Connect to the server again, this time with your own account instead of Administrator:
After signing in, test that your new user can elevate:
You should see a UAC prompt like this:
Click Yes, then type 'whoami' to verify that the elevated prompt is running as your account, not as Administrator.
Now disable the default Administrator account. This step is risky: if Administrator is the only enabled member of the Administrators group, you will lock yourself out with no way to add another administrator. That is why we verified the new account first.
In the properties of the Administrator user, tick 'Account is disabled' so no one can sign in with that account again.
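The rename, account creation, verification and disable steps above as one PowerShell script, added here as an example (it is not code from the original article). The server name 'Web01', the account name 'alice' and the absence of a domain join are assumptions; change them for your environment. It is split into two functions because, exactly as the article does, the built-in account must only be disabled after you have signed in and elevated with the new one.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell prompt.
$NewServerName = 'Web01'   # assumption: a name that describes the server's role
$NewAdminName  = 'alice'   # assumption: your own account name
$DomainToJoin  = $null     # assumption: set to e.g. 'corp.example.com' to join AD instead of a workgroup

# Part 1: run while still signed in as the built-in Administrator. Ends with a reboot.
function Initialize-OwnAdmin {
    # Create your own account; the password is prompted, never passed on the command line.
    if (-not (Get-LocalUser -Name $NewAdminName -ErrorAction SilentlyContinue)) {
        $Password = Read-Host -AsSecureString "Strong password for $NewAdminName"
        New-LocalUser -Name $NewAdminName -Password $Password -FullName $NewAdminName | Out-Null
    }
    # Put it in Administrators (Add-LocalGroupMember errors if it is already a member).
    if (-not (Get-LocalGroupMember -Group 'Administrators' -Member $NewAdminName -ErrorAction SilentlyContinue)) {
        Add-LocalGroupMember -Group 'Administrators' -Member $NewAdminName
    }
    # Rename, optionally join the domain, and reboot; the new name takes effect after the reboot.
    if ($DomainToJoin) {
        Add-Computer -DomainName $DomainToJoin -NewName $NewServerName -Credential (Get-Credential) -Restart
    } elseif ($env:COMPUTERNAME -ne $NewServerName) {
        Rename-Computer -NewName $NewServerName -Restart
    }
}

# Part 2: after the reboot, sign in as $NewAdminName, open an ELEVATED prompt and run this.
function Disable-BuiltinAdministrator {
    $Me = [Security.Principal.WindowsIdentity]::GetCurrent()
    $Elevated = ([Security.Principal.WindowsPrincipal]$Me).IsInRole(
        [Security.Principal.WindowsBuiltInRole]::Administrator)
    # Same check the article does with 'whoami': we must be the new account, and elevated.
    if ($Me.Name -notlike "*\$NewAdminName" -or -not $Elevated) {
        throw "Sign in as $NewAdminName and run this from an elevated prompt first."
    }
    # The built-in Administrator is always RID 500, even if someone has renamed it.
    $BuiltIn = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
    # Refuse unless another ENABLED local administrator exists; otherwise this locks you out.
    $OtherEnabledAdmins = Get-LocalGroupMember -Group 'Administrators' |
        Where-Object { $_.ObjectClass -eq 'User' -and $_.PrincipalSource -eq 'Local' } |
        ForEach-Object { Get-LocalUser -SID $_.SID -ErrorAction SilentlyContinue } |
        Where-Object { $_.Enabled -and $_.SID.Value -ne $BuiltIn.SID.Value }
    if (-not $OtherEnabledAdmins) {
        throw 'No other enabled local administrator found; not disabling the built-in account.'
    }
    Disable-LocalUser -SID $BuiltIn.SID
    Write-Host "Disabled $($BuiltIn.Name). Remaining enabled admins: $($OtherEnabledAdmins.Name -join ', ')"
}

# Usage: . .\harden-accounts.ps1; Initialize-OwnAdmin            (as Administrator; reboots)
#        . .\harden-accounts.ps1; Disable-BuiltinAdministrator   (as alice, elevated)
```

Identifying the built-in account by its RID (500) rather than by the name 'Administrator' means the guard still works on images where the provider already renamed the account; the enabled-admin check is what turns the article's "this might be dangerous" warning into something the script enforces.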
Now change the default RDP port. It is 3389 by default, and many automated scanners and brute-force campaigns try passwords against every machine they find with port 3389 open.
Moving the port to another value, like 33890, takes you off the target list of those mass scans. This is obscurity, not protection: a targeted attacker can still port-scan you, so keep a strong password and Network Level Authentication regardless. An attacker who wants to connect now needs to know:
Press Windows + R to open the Run dialog, type 'regedit' and click OK.
Then navigate to:
Change the PortNumber value to a port in the range 3390-65535 that nothing else listens on. Prefer something below 49152, where Windows' dynamic port range starts, and set the base to Decimal in regedit, because it shows DWORD values in hexadecimal by default (3389 is 0xD3D). I use 33890 as an example:
Before rebooting, don't forget to open the new port in the firewall, or you will lock yourself out!
Search for 'firewall' in Windows Search and open Windows Defender Firewall.
Go to Advanced settings:
Go to Inbound Rules. Add a new rule and select Port:
Enter the port you set. Create the TCP rule first; a UDP rule can follow later and is optional (RDP uses UDP for a faster transport when available, but works over TCP alone).
Then reboot the machine.
After rebooting, connect with the new port (host:port in the Remote Desktop client):
After connecting, you can create the matching UDP rule.
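The registry and firewall steps above as one script, added here as an example (not code from the original article), to run from an elevated prompt on the server. It goes one step beyond the article by also requiring Network Level Authentication on the same listener key, and by refusing ports that are out of range or already in use. The port 33890 and the allowed source range are assumptions.

```powershell
# Added example, not from the original article. Run elevated on the server, then reboot.
$NewPort   = 33890   # assumption: pick your own, 3390-49151
$AllowFrom = 'Any'   # assumption: tighten to e.g. '203.0.113.0/24' or your VPN range if you can
$RdpKey    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Set-RdpPort {
    # Refuse ports outside the valid range or that already have a listener.
    if ($NewPort -lt 1024 -or $NewPort -gt 65535) { throw "Port $NewPort is out of range." }
    if (Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue) {
        throw "Port $NewPort already has a listener; pick another one."
    }
    # PortNumber is a DWORD. regedit shows it in hex (3389 = 0xD3D); Set-ItemProperty takes decimal.
    $OldPort = (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $NewPort -Type DWord
    # Beyond the article's steps: require NLA, so clients authenticate before a session exists.
    Set-ItemProperty -Path $RdpKey -Name UserAuthentication -Value 1 -Type DWord

    # Open the firewall BEFORE rebooting (TCP, and UDP for the faster transport), or you lock yourself out.
    foreach ($Proto in 'TCP', 'UDP') {
        $RuleName = "Remote Desktop - Custom Port ($Proto-In $NewPort)"
        if (-not (Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol $Proto `
                -LocalPort $NewPort -RemoteAddress $AllowFrom -Action Allow -Profile Any | Out-Null
        }
    }
    Write-Host "RDP listener moved from $OldPort to $NewPort (effective after reboot)."
    Write-Host "Reconnect with: mstsc /v:<server>:$NewPort"
}

# After the reboot: confirm that it is the Remote Desktop service listening on the new port.
function Test-RdpPort {
    $Listener = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $Listener) { throw "Nothing is listening on TCP $NewPort." }
    $Svc = Get-CimInstance Win32_Service -Filter "Name='TermService'"
    if ($Listener.OwningProcess -ne $Svc.ProcessId) {
        throw "TCP $NewPort is owned by PID $($Listener.OwningProcess), not by TermService."
    }
    "TermService is listening on TCP $NewPort"
}

# Usage: Set-RdpPort; Restart-Computer    then, once signed in over the new port: Test-RdpPort
```

Restricting the rule's -RemoteAddress to the ranges you actually connect from does far more against brute force than the port change itself; the port change only removes you from untargeted scans.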
After configuring those security settings, you can install additional software as needed.
I strongly suggest installing the following tools on your new Windows Server:
- IIS Crypto to disable weak TLS protocols and cipher suites and apply best-practice Schannel settings.
- CPU-Z to inspect the CPU and benchmark its performance.
- WinDirStat to analyse disk usage.
- NSSM to run programs as background services.
- FRP to expose a service to the public internet when your server is behind NAT or a firewall.
- 7-Zip to manage archives.
- FastCopy to back up, migrate or copy server files faster and more easily.
- Win-ACME to obtain certificates from an ACME CA such as Let's Encrypt and enable TLS on Windows Server.
- Visual Studio Code to edit configuration files more easily.
- AdoptOpenJDK to run Java programs.
- The .NET Hosting Bundle for Windows Server to run ASP.NET Core applications behind IIS.
- Git and Git Bash for version control and running bash scripts.
- Aria2 for faster downloads.
- Winget and Windows Terminal to manage packages from a modern terminal.