1. Enableautomatic notification of patch availability and install latest service patchesand hot fixes from Microsoft.
This would require checkingwith your POS vendor if this would be an acceptable practice.
2. Scanfor vulnerabilities no less than on a monthly basis.
This can be achieved throughinstalling scanning applications like Nexpose from Rapid7 (http://rapid7.com) or through outsourcing to aspecialist scanning vendor like Qualys (http://www.qualys.com).
3. Services,applications and user accounts that are not being utilised should be disabledor uninstalled.
Numerous tools to analyse andtweak running applications and services exist.
4. Usethe Internet Connection Firewall or other methods (via software or hardware) tolimit connections to the server.
5. Configure event log settings (common methods forServer 2003 & 2008 are available on the web).
Specialattention should be given to the security log. 100mb is a suggested minimum,but high-volume services may require additional storage. Ensure at least 14days of security logs are available to be able to determine the course ofevents in the case of an incident.
6. Configure userrights to be as secure as possible.
Everyattempt should be made to remove Guest, Everyone, and ANONYMOUS LOGON from theuser rights lists.
7. Use full diskencryption to ensure that information resident on stolen/retired serversremains confidential.
Optionssuch as PGP (http://www.pgp.com) and TrueCrypt (http://www.truecrypt.org) are popular options.
8. If the machine isnot physically secured against unauthorised tampering, set a BIOS/firmwarepassword to prevent alterations in system start-up settings.
9. Configure ascreen-saver to lock the screen automatically if the server is left unattended.
10. Disable RemoteDesktop connection (RDP) capabilities if you do not intend on maintaining yourserver with this method.
* For more advice about office computer security, see the November issue of Start-Up, on sale now, or click on Subscribe Now link (top right).