Securing Windows servers is a relatively simple task these days, compared with the effort it required just a few years ago. Microsoft has made notable progress in delivering Windows servers that are reasonably secure as long as you keep the system patched and use a firewall. However, many other companies haven't made the effort to deliver applications in secure default configurations or even offer documentation about how to secure that software. I often see third-party Web, FTP, mail, or messaging server applications that put otherwise secure environments at risk because of poor default configurations.
The most common mistake is that many third-party services run under the context of the built-in System account, although the services rarely need this elevated level of access. If the application were ever compromised, an attacker might use the full system access to wreak havoc. Other common problems are that applications install with lax NTFS permissions or don't make enough effort to protect sensitive data. For example, many third-party applications store their configuration data or even account passwords in the registry or local configuration file but don't adjust permissions to prevent regular users from reading these files. If the software doesn't use strong encryption or other methods to protect sensitive data, that data could end up in the wrong hands. . . .
