Process to secure windows server directly connected on the internet without a hardware firewall

I have firewalls in front of my servers, but I still do all of the following:

• Disable IIS if you're not using it
• Remove FTP if it's not required (if it is then restrict access to your authorised IP addresses only)
• Apply latest service packs and hotfixes
• Disable incoming ports that aren't required
• Disable unnecessary services, e.g. Server (if it's not used as file & print server) and RRAS

If using IIS

• Move the inetpub\wwwroot folder
• Change the user account used for anonymous access & set up with appropriate permissions
• Remove any example folders such as IIS Admin, web-based printing etc.
• Remove ISAPI filters you're not using
• Create a dedicated account for FTP transfers - give that account only sufficient permission to do ftp (i.e. read/write the files it puts up, nothing else)

Logins

• Rename the Administrator account
• Create a new account called Administrator, remove all its access and privileges and disable the account (while a hacker will work hard to find out the name of an administrator account many scripts aren't so sophisticated)
• If you have physical access to the server then set "Deny Access to this computer from the network" on the Administrator account
• Check the guest account is disabled (and check all other accounts)

Personally, I wouldn't do it. If you have ever run a PC with ZoneAlarm (I'm thinking back to 2002 on a Windows 2000 box with an ADSL modem) and watched the alerts as all and sundry knocks on your PC's door then you'll understand why. Cisco and Juniper firewalls start from about £300 / $500 new, or you could get a low spec box and install smoothwall or similar. If you are putting the server up at a colo you should be able to get another 1U rack space for the firewall (and a power socket) for a fraction of the 1st U of rackspace.

To kick things off, here is my current list.

1. Disable administrator account, and all non secure accounts

2. Disable ftp

3. Secure the server blocking all unneeded ports and services, using Security Configuration Wizard, I currently leave port 22,80,443

4. Install WinSSHD for file transfer to the server on port 22 (could be higher random port), also did try win open shh, but it got a bit messed up when trying to install keys.

Anyone else got more steps to add?

The first I would do, if possible, is unplug the network cable, do all the secure steps, especially apply all hotfix/server packs, turn on software firewalls, and then plug the network cable back. un-secured boxes only last about half an hour in the wild, especially windows boxes.

By "without a firewall", I'm assuming you mean "without an external firewall" - the firewall on the server should be very definitely on, and set up only to expose the services that you need to be exposed to the Internet - you didn't mention what these are, but from the tags, I'm guessing that SFTP is involved.

Make sure the server's patched as fully as you can get it, and remains so for as long as it's connected to the Internet.

If you absolutely have to have (ordinary) FTP, you should look at securing that further as well - limit IP addresses that can connect to your FTP service, do it over SSL, or use SFTP instead. OpenSSH )as optician mentioned) comes with an SFTP service.

If you're connected directly to the internet without a firewall, you have got to assume that at some stage you will come under attack, and work from there.

As well as security I would also recommend putting some good monitoring in place. At the very least you should be monitoring process activity, CPU and memory usage, and network activity (I'm sure others would add more to the list).