What to check first
A store server needs protection at the level of the operating system, remote access, user accounts, network and backups. The first priority is to close direct RDP access from the internet, install updates, enable multi-factor authentication and test data recovery from an isolated copy.
The server often supports the accounting software, product database, cash registers, warehouse and remote users. Unauthorized access to it can stop sales, change or destroy accounting data, expose personal data and make it possible to attack other computers on the network.
| Time frame | What to do | Responsible person |
|---|---|---|
| Today | Check whether RDP, the router panel, backup tool or another management interface is exposed to the open internet. Review active user accounts and administrators. | System administrator |
| Within 24 hours | Install critical updates, check the status of antivirus protection, firewall, login logs and the latest backups. | System administrator |
| Within 72 hours | Configure VPN or RD Gateway with MFA, create separate user accounts, isolate one backup copy and perform a test recovery in a separate environment. | Administrator and owner |
| Monthly | Review updates, access rights, security events, backup results and configuration changes. | Assigned responsible person |
Why small business servers remain a target
According to the Verizon Data Breach Investigations Report 2026, 31% of confirmed breaches in the sample began with the exploitation of software vulnerabilities, and ransomware was present in 48% of breaches. The report covers incidents from November 1, 2024 to October 31, 2025. These figures do not describe Ukrainian retail separately, but they confirm the priority of updates, remote access control and recovery.
For Ukraine, an additional risk is targeted activity against organizations and the use of familiar support channels. CERT-UA recorded attempts to persuade users to launch AnyDesk allegedly to check security. In its notice about attack attempts using AnyDesk, CERT-UA advises verifying the identity and authority of the person requesting remote access.
A typical scenario for a store begins from one of four sources: an unpatched vulnerability, a stolen password, open RDP or an employee launching a malicious file. After gaining access, an attacker can steal credentials, escalate privileges, disable protection, delete available backups and encrypt the server together with network resources.
20 recommendations for server protection
1. Assign a server owner and keep a system record
A specific person or company must be responsible for the server. In the system record, document the model or virtual machine, operating system, installed programs, port assignments, list of users, backup locations, contractor contacts and date of the last check. The business owner must have access to contracts, licenses, MFA recovery codes and emergency recovery contacts.
Inventory is needed for updates and response. It is impossible to close a vulnerability in time in a component whose existence nobody knows about.
2. Use a supported version of Windows Server
Windows Server 2008 and 2012 should not be used for new deployments: their mainstream support has ended. As of July 2026, Windows Server 2016, 2019, 2022 and 2025 are supported, but extended support for Windows Server 2016 ends on January 12, 2027. Current dates are listed on the Windows Server release information page.
If the server runs Windows Server 2016, a migration plan is already needed. Updates for the operating system, SQL Server, drivers, remote access tools, browser, archiver and router should be included in one schedule. Before installing updates, the administrator creates a usable copy, checks free space and agrees on a maintenance window.
3. Apply a baseline security configuration
Manual server configuration is easy to miss or accidentally reverse. For Windows Server 2025, Microsoft publishes role-based security baselines for a domain controller, a server in a domain and a server in a workgroup. In particular, they enable the firewall for all profiles, block unsafe legacy protocols and strengthen credential protection. The description and verification procedure are provided in the Windows Server 2025 security baseline.
Test firstThe baseline configuration should not be applied to a production server without testing. It can change network protocols, access rules, printing and interaction with old equipment. The administrator must test the changes, document the required exceptions and prepare a procedure for reverting to the previous configuration.
4. Do not expose RDP directly to the internet
The Remote Desktop port must not be accessible from any internet address. For remote work, use a VPN with MFA or Remote Desktop Gateway. Microsoft states that RD Gateway transmits RDP through a protected HTTPS connection without opening the internal RDP port and supports multi-factor authentication and access policies.
If direct access cannot be removed temporarily, restrict it with a firewall to specific trusted IP addresses, enable Network Level Authentication, set a short deadline for eliminating the temporary scheme and monitor every login attempt.
Changing the port does not protect RDPMoving RDP from port 3389 can reduce the number of automated attempts in the log, but scanning detects the service on another port. This is an auxiliary change that does not replace VPN or RD Gateway, MFA, address restrictions and logging.
5. Enable secure authentication for remote access
Network Level Authentication must be enabled for RDP: the user is verified before a full remote session is created. Microsoft recommends NLA for most environments.
MFA should be enabled on VPN, RD Gateway, the cloud account, hosting panel, backup tool and remote support system. For administrators, phishing-resistant methods are preferable: FIDO2 keys, certificates or passkeys, if the service supports them. A one-time code in an app is better than a password alone, but it is not phishing-resistant; this distinction is made directly in NIST SP 800-63B-4.
6. Create a separate account for each person
A shared login for sellers or administrators does not make it possible to determine who logged in to the server and what they changed. Every employee and every contractor specialist must have their own account. Unused accounts are blocked immediately after dismissal, completion of work or a change of role.
An account must contain the minimum set of rights and an expiration date if access is temporary. In its cyber hygiene rules, CERT-UA recommends separating administrative accounts from regular ones and blocking accounts that are no longer used.
7. Separate everyday work from administration
A seller, operator, accountant and owner work without local administrator rights. The system administrator uses a regular account to view documents and a separate administrative account only for configuration. This limits the consequences of launching a dangerous file or stealing a regular password.
For a network with several Windows computers, Windows LAPS is worth using. It automatically creates and changes a unique local administrator password for each device. The settings are described in the Windows LAPS documentation.
8. Replace the old password policy
For an account protected only by a password, set a unique passphrase of at least 15 characters. If the password is used together with MFA, the NIST minimum is 8 characters, but a longer unique phrase remains appropriate. Store passwords in a corporate password manager and prohibit reuse.
NIST SP 800-63B-4 does not recommend requiring an arbitrary mix of uppercase letters, numbers and symbols or periodically changing a password without signs of compromise. The service must block common passwords and passwords known from breaches. For Windows, 10 failed attempts and a 15-minute lockout can be used as an initial reference point, but the administrator must assess the risk of intentional account lockouts.
9. Leave only necessary ports open
Windows Firewall and the network firewall must work by the rule: inbound connections are blocked except those explicitly allowed. By default, Windows Firewall blocks unwanted inbound traffic if it does not match an allowed rule; this is described in the Windows Firewall documentation.
Do not open port ranges “just in case”. For each rule, document the program, protocol, port, allowed sources and responsible person. Access to SQL Server, shared folders, the backup console and the control panel must be limited to the local service network or VPN.
10. Separate the server, cash registers, office devices and guest Wi-Fi
One network for the server, cash registers, personal phones, cameras, TVs and visitors makes an attack easier to spread. Create separate segments or VLANs: server, cash register, office, equipment and guest. Allow only the necessary connections between them.
For Wi-Fi, use WPA3 or WPA2-AES if old equipment does not support WPA3. Disable WPS, change the default router administrator password, update its firmware and disable management from the internet. Hiding the Wi-Fi name is not a security measure: the network name can be detected from service traffic. The main encryption settings are provided in the CISA Wi-Fi recommendations.
11. Do not disable antivirus, firewall and UAC
The server needs antivirus with real-time protection. For an important server, EDR-class protection is advisable, as it stores events and detects suspicious behavior. User Account Control UAC and protection against changes to antivirus settings must also remain enabled.
Do not exclude the entire Torgsoft directory or the entire disk from scanning. Microsoft notes that custom exclusions are usually not needed, and an excluded infected file will not be detected by antivirus. If a conflict or significant performance drop is confirmed, create the narrowest possible exclusion for a specific process or file, agree it with the software provider, document the reason and review period. See the Microsoft Defender exclusion rules.
12. Use the server only for its intended purpose
On the accounting system server, you should not read mail, open messengers, browse random websites, download documents, connect personal USB drives or install programs for household needs. A separate workstation is needed for these actions.
The browser on the server is kept only when it is needed for administration or for the operation of an approved service. Programs are downloaded from official websites after checking the digital signature. Program installation is allowed only for the assigned administrator.
13. Control program launch and USB use
For a stable configuration, the administrator can allow only approved programs to run by using App Control for Business or AppLocker. First, the policy is launched in audit mode, logs are analyzed and only then blocking is enabled. Microsoft recommends starting App Control implementation in audit mode.
Autorun from removable media must be disabled. Unknown USB drives are not connected to the server. If removable media is needed for a backup, it is labeled, encrypted, stored in a controlled location and connected only for the time of copying or recovery.
14. Encrypt disks and protect recovery keys
BitLocker reduces the risk of data being read after the theft of a disk or server. Before enabling it, check hardware compatibility, the availability of TPM and the impact on the recovery procedure. The BitLocker key should be stored separately from the server, in a location with controlled access. Without the recovery key, a TPM failure or boot change can block access to the disk. Microsoft describes these scenarios in the BitLocker recovery overview.
Disk encryption does not protect files from ransomware that runs in an already unlocked system. This requires rights restrictions, antivirus control and isolated backups.
15. Build backups according to the 3–2–1 rule
Keep at least three copies of important data, on two different types of media, with one copy — outside the main premises. To protect against ransomware, one copy must be offline or immutable: the server and regular users must not be able to overwrite or delete it. CISA recommends offline copies, encryption and regular recovery testing.
A permanently connected USB drive, a network folder with write permissions and a cloud folder synchronized under the same account can be damaged together with the main data. For cloud storage, enable MFA, a separate administrative account, logging, version history, retention period and protection against mass deletion.
16. Test not the backup file, but full recovery
The presence of an archive does not yet confirm that work can be restored from it. Check the success of the backup task every day, and according to a defined schedule deploy the copy in an isolated test environment. Check the database, product photos, document templates, user rights, program version and launch capability.
The owner determines the acceptable data loss and downtime. For example, if the acceptable loss is one business day, a daily copy may be enough. If sales cannot be lost even for several hours, more frequent copies or another fault-tolerance mechanism are needed. NCSC advises keeping versions for a period and regularly testing the condition of backups.
17. Enable logs and alerts
Store events of successful and failed logins, account lockouts, creation of new administrators, changes to services, firewall settings, antivirus, backups and RDP. For a failed login, Windows creates event 4625. A series of such events, a login at an unusual time or from a new address requires checking.
Logs must be stored long enough for investigation and, if possible, copied to a separate system where the administrator of the attacked server cannot delete them. CISA explains the role of logs in its recommendations for small and medium-sized businesses.
18. Protect the server physically and ensure proper shutdown
The server and network equipment are placed in a locked cabinet or room with restricted access, ventilation and protection from moisture. A list of people who have physical access must be maintained.
The uninterruptible power supply must be sized for the server, storage and network equipment. Configure automatic proper shutdown during a prolonged power outage and test the battery under load. A UPS reduces the risk of database damage due to sudden shutdown, but it does not replace a backup.
19. Manage access for technical support and contractors
Before connecting, check who contacted you, from which company and under which request. Do not send a permanent password in a messenger. A separate temporary account is created for the contractor, minimum rights are granted, the start and end of the session are recorded, and access is blocked after the work is completed.
Remote support tools must not run constantly with uncontrolled access. If a permanent agent is required by contract, enable MFA, permission only for approved accounts, connection notifications and a session log. The owner must know how to revoke access independently.
20. Prepare a response plan and conduct a training test
In the plan, state who makes decisions, how to disconnect the server from the network, where backups are stored, who performs the technical investigation, how cash registers work during downtime and who must be notified. Keep a copy of the plan outside the server.
Once a year, conduct a training scenario: the server is unavailable, the administrator password is compromised, the latest copy is damaged. The check must end with a list of deficiencies, responsible persons and correction deadlines.
Specifics of a server with Torgsoft
In the Torgsoft Terminal version, users work with a single database through Remote Desktop. This does not mean that RDP should be opened to the entire internet. Access to the terminal server is configured through VPN or RD Gateway with MFA, separate accounts and limited rights.
The server or main computer with Torgsoft should be used for the operation of the accounting system. Mail, messengers, random websites and third-party programs increase the number of ways to penetrate the system. Before changing Windows policies, firewall, antivirus, SQL Server or network ports, compatibility with the working Torgsoft configuration, cash registers, printers, software cash registers and integrations must be checked.
In Torgsoft, automatic creation of a database archive can be configured. The Cloud Data Archive option creates backups on a schedule and stores them in Google Drive. Such an archive can be one of the backup levels. For resilience against ransomware, separate access rights, MFA, multiple versions, an isolated or immutable copy and test recovery are still required.
Torgsoft technical support can help install the program and deploy a usable database archive. Protection of Windows Server, VPN, RD Gateway, router, user accounts, antivirus and backup infrastructure belongs to the tasks of the system administrator. Program technical support is not a service for decrypting infected files.
What to do if a breach is suspected
- Isolate the server from the network. Disconnect the network cable or block the connection on the switch or firewall. If it is impossible to isolate the server quickly, turn it off to limit the spread of the attack. Do not connect backup disks. This action priority is included in the CISA response checklist.
- Do not delete files or reinstall Windows immediately. Save logs, messages, detection time, the list of connected systems and screen photos. This data is needed to determine the method of penetration.
- Involve an incident response specialist. A regular antivirus scan does not confirm that third-party access has been eliminated.
- Change compromised passwords from a clean device. First protect administrative, mail, cloud, VPN and backup accounts. End active sessions and revoke access keys.
- Check other devices. Find out whether the same password was used and whether there are new administrators, services, scheduled tasks or remote access tools.
- Recover only into a cleaned environment. Reinstall or reliably clean the system, close the penetration method, check the copy for malicious software and only then restore data. This procedure is recommended by NCSC in its guidance on countering malware.
- Report the incident. If there are signs of a cyberattack, contact CERT-UA through the official contacts at cert.gov.ua. If there is extortion, fraud or theft of funds, also submit a report to the Cyber Police and notify the bank.
Do not restore over an infected systemThe copy may be usable, but a compromised server can encrypt it again or send new passwords to the attacker. First, the penetration method must be eliminated and a clean environment prepared.
Owner’s checklist
- A responsible person has been assigned for the server and the system record is up to date.
- The operating system and all internet-accessible components are supported and updated.
- RDP is not open directly to the entire internet.
- VPN, RD Gateway, cloud storage and control panels are protected with MFA.
- Each person has their own account; dismissed employees have no access.
- Employees work without administrative rights.
- The firewall is enabled, and every open port has a justification.
- The server, cash registers, office equipment and guest Wi-Fi are separated.
- Antivirus works in real time; there are no broad permanent exclusions.
- Mail is not read on the server, messengers are not used and third-party programs are not installed.
- There is at least one offline or immutable backup copy.
- Full recovery has been tested on a separate system and documented.
- Login events, rights changes and backup status are monitored.
- Contractor access is personal, time-limited and recorded in a log.
- The response plan is available outside the server and tested with a training scenario.
Sources
- Verizon Data Breach Investigations Report 2026.
- CERT-UA: basic cyber hygiene rules.
- CERT-UA: cyberattack attempts using AnyDesk.
- Microsoft: Windows Server 2025 security baseline.
- Microsoft: Remote Desktop Services and RD Gateway.
- NIST SP 800-63B-4: authentication and passwords.
- CISA StopRansomware Guide.
- NCSC: ransomware-resistant backups.
- Microsoft Defender Antivirus: exclusion rules.
- Microsoft: Windows Firewall.
Go back to the previous step