1

I've recently switched from using a Linux server for private hosting (things like a WebServer, Teamspeak, Gameservers etc.) to a Windows Server 2012 R2 machine. Under Debian I installed my services with apt-get and started them under their own user. Now under Windows I'll probably need to rely on a mix between manual installation and the Roles and Features I guess, but is executing the different services under different users a good idea as well? Is it ill-advised to install services not provided by the Roles and Features dialog, or is there even a possibility to integrate external software into this dialog? Also, should all software be managed as Windows services or is using "normal" software in the autostart ok as well?

If there are no specific best practices in this area, are there any important Dos and Don'ts of Windows Server administration?

RikuXan
  • You've already got two close votes as "too broad," and since I agree I'll simply comment rather than answer that the principle of least necessary privilege applies in Windows administration, just like in Linux administration. In other words, if the service doesn't require logging on as an administrator, you don't need to grant those privileges. And you can certainly install any services you want, including ones not built into Windows (that's where the Roles and Features dialog comes in). – Katherine Villyard Aug 29 '15 at 22:51
  • Thanks for your answer, I agree that the question might be too broad, but I feel like someone will always jump in and give a great overview that really helps as a beginner (see Ryan's answer) – RikuXan Aug 30 '15 at 06:29

1 Answer

3

There are a lot of questions in this...question.

"Roles and Features" exists to install roles and features that are part of the base Windows Server OS rather than having everything pre-installed for you. It's not meant for 3rd party or open source software.

Installing 3rd party and open source software is perfectly fine even if it replaces a feature provided in the OS like a web server. There are also a lot of different ways to automate software installation in Windows but that is too broad a topic for this question. If you need more help in this area, make a separate question with more specifics.

Yes, running each service as a dedicated "least privilege" account is highly recommended. You may need to install things as an admin user, but you should never need to run them as an admin user unless the software is very poorly written.

If this is a server intended to be running in a "headless" fashion, yes. You should make every attempt to get things running as native Windows services. Even software that doesn't natively support running as a service can be made to run as a service. Though again, specifics will require a separate question.

The most important "Do" of Windows server administration is to keep it patched. The nature of security patches these days is that they are often being exploited in the wild by the time they hit Windows update. And patches often require reboots. Design your services to expect reboots and be able to recover from them automatically. There are multiple ways to make patch reboots predictable such that you can warn users in advance about a maintenance window.

Some good practice "Don't"s. Don't turn off UAC. Don't turn off the firewall. Don't use your server for casual web browsing. Modern Windows servers do a pretty good job at being secure by default. But there are a lot of ways you can choose to make yourself less secure.

Ryan Bolger
  • Thank you so much for your answer, it's exactly what I hoped to receive, even though I agree I probably worded my question too broadly. – RikuXan Aug 30 '15 at 06:21
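
The answer's advice on dedicated least-privilege service accounts and on surviving patch reboots can be checked on a running server. The following read-only audit is an added example, not part of the original answer. It assumes PowerShell 3.0 or later, an elevated prompt, and an English-language OS where the local group is named `Administrators`; treating any binary outside `%SystemRoot%` as "third party" is a heuristic chosen for this example.

```powershell
# Added example: list third-party services that run with more privilege than
# they need, or that will not come back by themselves after a patch reboot.
# Read-only: it queries WMI/ADSI and changes nothing.

# Members of the local Administrators group, read through ADSI so this also
# works on Server 2012 R2 (no Get-LocalGroupMember there by default).
# Limitation: members that are admins only via nested domain groups are not resolved.
$admins = @(([ADSI]'WinNT://./Administrators,group').Invoke('Members')) |
    ForEach-Object { $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null) }

$sysRoot = [regex]::Escape($env:SystemRoot)

Get-CimInstance -ClassName Win32_Service |
    # Heuristic: binaries under %SystemRoot% ship with the OS, skip them.
    Where-Object { $_.PathName -and $_.PathName -notmatch "^`"?$sysRoot\\" } |
    ForEach-Object {
        $account = $_.StartName
        # Compare on the short name only (DOMAIN\svc -> svc); an approximation.
        $short = if ($account) { ($account -split '\\')[-1] } else { '' }

        $findings = @()
        if ($account -eq 'LocalSystem') {
            $findings += 'runs as LocalSystem'
        } elseif ($admins -contains $short) {
            $findings += 'service account is a local administrator'
        }
        if ($_.StartMode -ne 'Auto') {
            $findings += "start mode is $($_.StartMode): will not restart after a reboot"
        }

        [pscustomobject]@{
            Service  = $_.Name
            Account  = $account
            Findings = if ($findings) { $findings -join '; ' } else { 'ok' }
            Binary   = $_.PathName
        }
    } |
    Sort-Object Findings, Service |
    Format-Table -AutoSize -Wrap
```

A start mode other than `Auto` is not always a defect (some services are started on demand), so treat that finding as a prompt to confirm the service recovers after a maintenance reboot.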