How do I secure a file server?

the only secure server is one that is turn-off / de-powered and buried in a mountain

all else are vulnerable, usually from unlocked door or fail to use SHA for pw's w/ some form of [ encipherment / conditional access ]

Data protection is vitally important to any organization. The file server is the nexus of a network, and usually it’s the most visible server. As a result, it is a high value target for cyber attacks. The first step in securing your file server is to restrict your network, folders, and consoles.

You’ll want to set the rule: “Fileserver > any > any > deny” if you have a Windows server on the network. In this instance there’s no reason to have your file server connected to the internet – this just opens you up to a wide world of malware and cyber criminals. You’ll also want to enable Internet Explorer Enhanced Security using the Windows components wizard. Older versions of the Internet Explorer browser are some of the most common mediums for cyber attacks because they have numerous security holes. In the options, set the security to high for all zones.

For folders, restrict NTFS and don’t share permissions. Restrict each desktop at your organization and don’t just put domain users into the remote desktop support group. It’s very important that you only allow access to just the employees that need to use a console. If more people are allowed to use a console, it opens up more possibilities for improper external or internal access. Also, make sure you lock down RDP (Remote Desktop) sessions and for the GPO (Group Policy), allow no printing, drive access, access to the shutdown command, or displaying of the last user’s name.

Since you don’t need to browse the web or read documents on your server, you should also refrain from installing, Adobe Reader, Flash, Microsoft Office, Java, and other related tools. These technologies open your system up to a huge amount of security vulnerabilities that you don’t need to risk having. If you’ve already installed them, there are some residual files that are still exploitable. Frequently checking for operating system patches will keep your security up to date and protect you from malware. Speaking of anti-virus software, make sure you have it installed to protect the file server instead of betting that you’ve secured every node.

Always audit your sensitive file directories. Not all data is created equal, and if you have trade secrets in one area you should put extra focus on securing that data. You can set some operating systems to audit successful or failed reads, writes, and deletes. This automatically informs you and keeps a log when someone is moving or deleting files in a given folder. There’s plenty of free, open source software that can provide monitoring and auditing.

Finally, be sure to disable any services on your servers that are unnecessary. These may open your file server up to vulnerabilities as well.