How do I best secure my home based server?

The Lurker

I have a server at home. Up until last week the only way for me to gain access to it from outside the network was through a VPN connection. I decided to set up Seafile on it so I can get us off Dropbox. Seafile works great but I am cautious about who I share links to files with. It's behind a router based firewall, Windows firewall is enabled on it as well and only the necessary ports are open. I have done some light reading into setting up SSL but have not actually done it yet. I was thinking of setting up a dedicated machine with pfSense, but that may be overkill and added complexity.

It's running Windows 8.1 right now, but I can change that if necessary.

What can I do to make sure nothing heinous happens?
 
The only thing you really can do is to make sure everything is patched and up to date, as many exploits come through outdated software and machines get hijacked from the most unlikely places. Firewall rules, good account names and passwords, etc. I have started to go to mildly complex user names to maybe give a small extra layer of security... instead of "admin" I would use "iroc409-Admin" or something similar. It probably doesn't help, but it might. Social engineering is a major way into a network as well, so be mindful of that.
 
Is it living in IIS? If not, some of the below may not apply, and you may want to pursue your native web server's best practices guides.
You will want to go to https but will need a cert. If you have a domain you can get a free ssl cert from startssl after doing some domain validation.
Then apply URL rewrite rule to auto rewrite http to https, this would ensure even access to the default site is re-written, or just simply only allow 443.
Update ciphers for best practices: Nartac Software - IIS Crypto
Within IIS and your local file system, refrain from using "everyone" as much as you can.
Only grant the required permissions for the application to function, meaning if only one user needs rw and others are ro, don't give all users rw perms.
If you do not have a domain, namecheap and such typically have sales/promos. I use namecheap and they have a dyndns feature which would be helpful as well if you have a dynamic IP.
Windows firewall should be set to allow traffic ONLY on your web services port(s), 80/443, and set this for all firewall profiles. The last thing you want is NLA to change it from home/private to public and close up shop.
On your router, only fwd 80/443 to the web server.
From there you can take a look at hardening guides, Microsoft also provides SCM, or Security Compliance Manager which would have their "best practices baselines", which could work as is or be tweaked for your use case even more so. I do not see any web server baselines for win8.1 but do see one for 2012, you could probably compare and create your own GPO/Baseline or move to server 2012r2 which would probably be overkill, but could provide other functionality.
Use strong passwords on this machine and a password expiration policy.
Do not use the default Administrator account. Create another admin user with a strong PW for management/admin. Disable default administrator account.
You may also wish to deploy monitoring tools to observe machine resource utilization, traffic, etc.
Get familiar with logging/event viewer on the box. Understand what is normal and what is not.
pfSense would be good if you wanted to use spam lists, geoblocking via pfBlocker, etc. If you know that you will always connect from specific IPs, you could create rules to allow traffic to the web server from these IPs. I would suggest having a method to update your fw rules remotely to prevent lockout, which could be via https on a non standard port and using your cert from above.
ALWAYS keep the machine up to date. I would also suggest the use of a decent antivirus and password protect the settings to prevent changes.


My suggestion would be to break it down and go piece by piece, take notes on what you do, so should something "stop" working you can essentially roll back, especially with GPO.
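A PowerShell version of the firewall, admin account and logging steps above, added here as an example rather than anything posted in the thread. It assumes an elevated prompt on Windows 8.1 or Server 2012 R2 with the built-in NetSecurity module and the LocalAccounts module (WMF 5.1); the rule names, the port list and the new account name are my choices.

```powershell
# Added example, not from the thread: lock inbound traffic to the web ports on
# EVERY profile, retire the built-in Administrator account, and turn on logon
# auditing so Event Viewer shows who is knocking. Run elevated.
$WebPorts = @(80, 443)

# One inbound allow rule per port, bound to all profiles (-Profile Any) so an
# NLA flip from Private to Public does not silently close the site.
foreach ($port in $WebPorts) {
    New-NetFirewallRule -DisplayName "Seafile web TCP $port" `
        -Direction Inbound -Protocol TCP -LocalPort $port `
        -Action Allow -Profile Any -Enabled True | Out-Null
}

# Default inbound action: block on every profile. Anything not explicitly
# allowed above (e.g. Seafile's raw port 8000) is then unreachable from outside.
Set-NetFirewallProfile -Profile Domain, Private, Public `
    -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow

# Audit pass: list enabled inbound allow rules that are not ours, so stray
# rules opened by installers stand out and can be reviewed or disabled.
Get-NetFirewallRule -Direction Inbound -Action Allow -Enabled True |
    Where-Object { $_.DisplayName -notlike 'Seafile web TCP *' } |
    Select-Object DisplayName, Profile, @{ n = 'Port'; e = {
        ($_ | Get-NetFirewallPortFilter).LocalPort } } |
    Format-Table -AutoSize

# Replace the well-known "Administrator" account with a differently named
# admin, then disable the default one (it stays on the box, just inactive).
# Without WMF 5.1 use: net user <name> <pw> /add, net localgroup Administrators
# <name> /add, net user Administrator /active:no
$cred = Get-Credential -Message 'New admin account (pick a non-obvious name)'
New-LocalUser -Name $cred.UserName -Password $cred.Password | Out-Null
Add-LocalGroupMember -Group 'Administrators' -Member $cred.UserName
Disable-LocalUser -Name 'Administrator'

# Log both successful and failed logons (Security log, event IDs 4624/4625)
# so "what is normal" can actually be learned from Event Viewer.
auditpol /set /subcategory:"Logon" /success:enable /failure:enable
```

Re-run the audit pass after installing anything new; installers on Windows routinely add their own inbound allow rules.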
 
The application does not live in IIS, but a brief search shows that it is possible to configure it that way. Right now I just have a port forwarding directly to the application. Setting it up in IIS would only need me to forward port 80/443 instead of 8000. I should be able to set up IIS on 8.1. I just need to look into the SSL certificate.

Seafile HTTPS Install on Windows Server 2012 R2; Step-by-Step – MDW

You bring up a good point about the GPO, I could probably tweak 8.1 to behave almost like 2012, combined with everything else you recommended I should be safer. Otherwise, I am not sure what added features I could use from 2012, but I'll have to give it some thought.
 
You probably want to sandbox it somehow, best would probably be running it as a VM with your current configuration.
 
You probably want to sandbox it somehow, best would probably be running it as a VM with your current configuration.

I have been planning to do this for some time, one VM for each application I run, but I have been so lazy about it. I also don't want to set up a separate box for my RAID array, and passing a RAID controller to a VM is a bit of a PITA. That has been preventing me from sitting down and just hammering it out. But you are absolutely right, practically, that is an ideal thing to do.
 
Ask yourself what will happen WHEN the machine gets compromised. (Risk to other network machines, lost data, changed data, do you have backups?, have you done restore with the backup?, Identity theft, etc).
If possible, put the server in a DMZ that cannot initiate connection to the rest of your network. That way, only that machine is at immediate risk. Limit the stuff on that server to just what you need access to from outside.
Are you accessing data, applications or both?
Machines are cheap. Consider making the DMZ server a replica of the real server.
Create a unique User ID that you only use to access that server from outside. Limits the damage when it gets compromised.
If others need access, create secondary User IDs for them.
 
Also, if you want to keep it contained in an unsecured zone, set up a DMZ and place this public machine in that zone.
 
Put a WAP (Web Application Proxy) behind the firewall that does pre-auth and passes the credentials to the Seafile server. If Seafile doesn't support delegated credentials from the WAP, you can set it to passthrough mode, but only for the specific URLs required. That way, it's not all of port 80/443 being allowed in (should be only 443 allowed, with all port 80 traffic being redirected to 443), it's just the specific requests to 'yourdomain.com/whateverSeafileAPI' that would pass the WAP and be allowed to your DMZ box.
 