We had just got the server running in its final configuration and had left it connected to the internet for testing when the first crude hacking attempts were made, almost certainly as a result of a port scanner running across the internet. When first seen, it was just an odd robot blindly guessing passwords, but after a couple of days this escalated into multiple bandwidth-hogging attacks. In that short space of time all of them were resisted by the Windows setup, but real intelligence would sooner or later be applied and we would be pwned.
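The "odd robot blindly guessing passwords" shows up in the Windows Security log as a run of failed logon events (Event ID 4625) from one source address, long before it escalates. The following script is an added example and not part of the original post: it reads a constructed, tab-separated export of the log (timestamp, event ID, source IP, account, a format assumed for this demo rather than any Windows export format) and flags any source that racks up a threshold of failures inside a sliding time window, together with the account names it tried. Lines are assumed to be in chronological order, as an exported log normally is.

```python
"""Flag password guessing against a server from failed-logon events.

Added example, not code from the original post. Assumes a constructed
tab-separated export: "timestamp<TAB>event id<TAB>source ip<TAB>account",
one event per line, in chronological order. Event ID 4625 is the real
Windows Security event "An account failed to log on"; 4624 is a success.
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

FAILED_LOGON = 4625
THRESHOLD = 5                  # failures within WINDOW that trigger a flag
WINDOW = timedelta(minutes=10)

# Constructed sample: one quiet user typo, one slow low-volume prober,
# and one robot hammering the usual account names within seconds.
SAMPLE_LOG = """\
2016-03-01 08:30:00\t4625\t192.168.1.10\tjane
2016-03-01 08:30:20\t4624\t192.168.1.10\tjane
2016-03-01 09:00:00\t4625\t203.0.113.7\tadministrator
2016-03-01 12:00:00\t4625\t203.0.113.7\tadministrator
2016-03-01 15:00:00\t4625\t203.0.113.7\tadmin
2016-03-01 22:01:05\t4625\t198.51.100.23\tadministrator
2016-03-01 22:01:07\t4625\t198.51.100.23\tadmin
2016-03-01 22:01:09\t4625\t198.51.100.23\tguest
2016-03-01 22:01:11\t4625\t198.51.100.23\tadministrator
2016-03-01 22:01:13\t4625\t198.51.100.23\ttest
2016-03-01 22:01:15\t4625\t198.51.100.23\tadministrator
"""


def parse_line(line):
    """Split one export line into (datetime, event_id, source_ip, account)."""
    ts, event_id, ip, account = line.rstrip("\n").split("\t")
    return datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"), int(event_id), ip, account


def find_guessers(lines, threshold=THRESHOLD, window=WINDOW):
    """Return {ip: {"flagged_at", "failures", "accounts"}} for sources that
    produced at least `threshold` failed logons inside any `window`."""
    recent = defaultdict(deque)     # ip -> timestamps of failures still inside the window
    failures = defaultdict(int)     # ip -> total failed logons seen
    accounts = defaultdict(set)     # ip -> account names it tried
    flagged_at = {}                 # ip -> time the threshold was first crossed

    for line in lines:
        if not line.strip():
            continue
        ts, event_id, ip, account = parse_line(line)
        if event_id != FAILED_LOGON:
            continue                # successes and other events are not counted
        failures[ip] += 1
        accounts[ip].add(account)
        window_events = recent[ip]
        window_events.append(ts)
        # Drop failures that have fallen out of the sliding window.
        while ts - window_events[0] > window:
            window_events.popleft()
        if len(window_events) >= threshold and ip not in flagged_at:
            flagged_at[ip] = ts

    return {
        ip: {
            "flagged_at": flagged_at[ip],
            "failures": failures[ip],
            "accounts": sorted(accounts[ip]),
        }
        for ip in flagged_at
    }


if __name__ == "__main__":
    for ip, info in find_guessers(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['failures']} failed logons, first flagged at "
              f"{info['flagged_at']}, accounts tried: {', '.join(info['accounts'])}")
```

Only the fast robot is flagged: the single mistyped password from the LAN and the three attempts spread over a working day stay below the threshold, which is the point of using a window rather than a lifetime count. On a real server the input would come from the Security log export rather than the embedded sample, and the flagged addresses are what you would expect to see vanish once the router was switched off and the RDP port moved.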
The initial installation had renamed the default accounts and set complex passwords, and the connection to the internet had been arranged via port forwarding from the low-cost router provided by the ISP. A DNS entry had been created using a name not associated with the charity, for use in locating the server on the internet. It wasn't a name for public use, so association wasn't necessary.
The first measure was to switch off the router, effectively making the server accessible only from within the premises and immune to immediate further external attack.
The RDP port on the server was changed to a five-digit port and the router's port forwarding updated to reflect this port.
An electronic power-switch timer was attached to the router so that it was powered only during the hours when the charity needed to use the facility. This had two benefits.
A free piece of software was modified to:
Again, this isn't a commercial enterprise reliant on internet traffic for its income; the server is there to provide an internal service to help run the charity in an efficient and compliant manner. It doesn't store personal details and ultimately could be restored within a few hours.