We're a very small company, about to install a new server at a colocation company. The plan is to install the OS, SQL, and IIS, test it, then courier it to the hosting company. It will then presumably appear online, ready for further setup. We plan to manage it over RDP.
Last time we went through this process, we were using Server 2003, and the IPSEC admin was something of a grind.
Is it any different with Server 2008? Is there a quick way of restricting all access except that originating from a couple of IP addresses?
Would appreciate any pointers, or a good idiot's guide to securing Server 2008 for non-experts.
I would recommend running the Security Configuration Wizard (SCW) and configuring it accordingly for the installed roles and for your remote management needs.
Basics: Updates, Firewall, secured Admin account (renamed, very good password). Then get the Best Practices Analyzers for SQL, IIS, and Server; run them and see what their recommendations are.
I'd really recommend investing in a hardware firewall to provide you with a buffer from the Internet. With that, you can then set up an IPSec tunnel between your office and the colo facility (terminating at the firewall, not on the Windows Server) and only permit "local" (i.e. your HQ's LAN) access to Remote Desktop (TCP 3389).
Windows Firewall is much better than it was, but an Internet-facing Windows Server is kind of frightening in my opinion.
As for Windows OS itself: 2008 (and in particular, IIS 7.x) is much more secure out of the box than Windows 2003 as many of the roles and features are not enabled by default.
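
An added example (not part of the original thread) of the restriction the question asks about, done with the Server 2008 Windows Firewall through `netsh advfirewall`. The two IP addresses and the rule name are placeholders, and the built-in group name "Remote Desktop" assumes an English-language install.

```bat
rem Added example; run from an elevated command prompt on the server.
rem 203.0.113.10 and 198.51.100.25 are placeholder office addresses.

rem 1. Turn the firewall on for every profile and block unsolicited inbound traffic.
netsh advfirewall set allprofiles state on
netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound

rem 2. Add the narrow allow rule first, so an existing RDP session from the
rem    office is not cut off by the next step.
netsh advfirewall firewall add rule name="RDP from office only" dir=in action=allow protocol=TCP localport=3389 remoteip=203.0.113.10,198.51.100.25 profile=any

rem 3. Disable the built-in rules that allow RDP from any address.
rem    "Remote Desktop" is the group name on English-language installs (assumption).
netsh advfirewall firewall set rule group="Remote Desktop" new enable=no

rem 4. Confirm the result: RemoteIP should list only the two office addresses.
netsh advfirewall firewall show rule name="RDP from office only" verbose
```

Allow rules are additive, so any other enabled inbound rule that permits TCP 3389 from any address would still let traffic through; `netsh advfirewall firewall show rule name=all` lists them for review.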