Remember to use a strong password for all VPS user accounts

**drifter** · #1 (**permalink**) 08-07-2009, 15:55

Just a security note for the benefit of others.

I have a Windows semi-dedicated server with the Plesk control panel.

I always have a strong password on the windows 'Administrator' user that I use for RDP access. However, until recently, I had a fairly weak password on the 'Admin' user, the one you use for logging in to Plesk. This was because we have a number of staff that need to log into Plesk from time to time and I just picked something easy for them to remember.

Problem is, one day when I logged in via RDP with the windows Administrator user, I noticed new software that I knew I didn’t install myself. First it was a german version of Firefox. Then it was various Poker software. And my staff knew nothing about it either.

This puzzled me for a while, and then I came across something interesting in the Documents and Settings folder for the Admin user. There were a bunch of cookies that would only have been created by someone logged in as the Admin user and browsing the web. And sure enough, there were ones there relating to Firefox, various poker sites and other garbage.

So what it looks like, is that someone has been logging in to my server, possibly via RDP or another method, as the Admin user, using the weak password.

I have ran various scans and removed a bunch of infected files. As far as I can tell, there is no damage done to the websites that I have been hosting.

But let this be a cautionary tale for other Windows VPS/semi-dedicated owners. Just because you only use the Admin user for logging into Plesk, doesn’t mean that someone else won’t try to exploit that username for another purpose.

Needless to say, I’ve logged in to Plesk using the Admin login and changed the password to something a lot stronger…

**eUKShane** · #2 (**permalink**) 08-07-2009, 16:39

Hello,

It is always recommended to use following basic securities in windows VPS or a dedicated server :

1) Create a new user as an administrator and then disable Administrator user. Set strong password to all users like Admin, Administrator or any user having Administrator privileges.

2) Change RDP port.

3) Setup IP restrictions to login to RDP using Windows Firewall.

We have already started using Random (strong) passwords to all windows or Linux VPS or dedicate server setups.

We can't implement these securities while server/vps setup because it is necessary to take approval from the client first.

**drifter** · #3 (**permalink**) 08-07-2009, 16:54

Hi Shane,
Thanks for your comments!

About creating a new user as an administrator, sounds like a good idea, but how would I go about doing that? When signed in using RDP, I didn't see any obvious options in the Control Panel or Administrative Tools for adding/managing users.

Thanks

**drifter** · #4 (**permalink**) 08-07-2009, 17:06

Never mind, I did a quick Google search, and it talked about going through the 'Computer Management' menu to add/manage users.

I'll try this tonight...

**eUKShane** · #5 (**permalink**) 08-07-2009, 17:29

Hello,

Right

still I will tell you the exact procedure.

Quote:

Start >> Right Click to My Computer >> Click on Manage >> Local users and Groups >> Users >> Right Click On Administrator User >> and just disable it.

Then, using same path create a new user with Administrators privileges.

Note : Do this on your own risk, because if you will forget the password of the main user (new user) then we will not be able to reset it. Or we will not be able to enable Administrator user from the hardware node.

Let us know if you need any further assistance, we would be glad to assist you.

**vzAddict** · #6 (**permalink**) 09-07-2009, 04:50

Hello,

Disabling the administrator and create new user is a good way to increase security on your VPS and make sure to provide us the details of new user whenever you contact support for any assistance.

Also for better security you can keep changing password on regular intervals like weekly OR monthly basis.

**gregis** · #7 (**permalink**) 09-07-2009, 05:10

It is good to hear that all seems to be safe and sound but it should be a lesson to everyone. Passwords should not be random things like "cat" or "mypassword", people tend to crack these things pretty easy.

**CSRacer** · #8 (**permalink**) 15-07-2009, 11:46

Good stuff - Basic security steps are probably missed by a lot of beginners!

**compserv** · #9 (**permalink**) 15-07-2009, 11:58

Quote:

Originally Posted by gregis

It is good to hear that all seems to be safe and sound but it should be a lesson to everyone. Passwords should not be random things like "cat" or "mypassword", people tend to crack these things pretty easy.

If it's in a dictionary there's a load of software out there that will crack it in seconds. Even something like 'Pa$$w0rd' or 'L1veRp00l' can be cracked in a few minutes. Rule is the more random and the longer the better.