Server Security Hardening

1. Update system Patches

Updating patches is the most important step in security hardening.

2. Disable services that you do not need

The following services must be disabled: Server, Workstation, Print Spooler, Remote Registry, Routing and remote Access, TCP/IP NetBIOS Helper, computer Browser

3. System Permission settings

Because there are so many places to set up the system permissions, we can only publish the common ones.

Some of the files are hidden by the system and are not easy to set up, so we will show all the files first.

• Change the system disk owner to Administrators
• All packing directories retain only Administrators and system permissions.
• The system disk plus the users "Read Permissions", only the current directory
· C:\WINDOWS, C:\WINDOWS\system32, C:\Windows\SysWOW64 only retain administrators and system, as well as user Read and Execute
· C:\Program files, C:\Program files (x86) Retain only Administrators and system
· C:\Program Files\Common Files, C:\Program files (x86) \common files retain only Administrators and system, as well as user Read and Execute
· C:\ProgramData only retains administrators and system, as well as user Read and Execute
· C:\Users only retains administrators and system
· C:\inetpub only retains administrators and system
· C:\inetpub\custerr only retains administrators and system, as well as user read
· C:\inetpub\temp only retains administrators and system, as well as user read-write delete and Iis_iusrs read-write Delete
· C:\Windows\Temp only retains administrators and system, as well as user read-write delete and Iis_iusrs read-write Delete
· C:\Windows\tracing only retains administrators and system, as well as user read and network service read
· C:\WINDOWS\VSS only retains administrators and system, as well as user read and network service read and write deletions
· C:\ProgramData\Microsoft\DeviceSync only retains administrators and system, as well as user read
· Some EXE software under C:\WINDOWS\ only retains administrators and system, such as Regedit.exe, Regedt32.exe, Cmd.exe, Net.exe, Net1.exe, Netstat.exe, At.exe, Attrib.exe, Cacls.exe, Format.com, ActiveDS.tlb, Shell32.dll, Wshom.ocx

Note: If you have SQL Server software installed, you also need to add NT Service\mssqlserver permissions to the SQL Server related directory on the system disk.

If the site cannot be accessed after Setup, try the site Directory plus users ' read and write delete permissions.

4. Unloading Dangerous components

regsvr32/u%systemroot%\system32\shell32.dll
Regsvr32/u%systemroot%\system32\wshom.ocx

5. Turn on the firewall

It is recommended to open only the ports you need, such as: 80, 3389

Note: Before opening the firewall, you must first confirm that the current remote port is already in the release rule

I am currently using the 33699 port, so the firewall needs to add 33699 ports

6. Change the remote port

There are a number of brute force tools dedicated to remote logins, which can prevent scanning by changing the port.

After changing the port notice that the firewall adds new port release rules, we recommend the use of our free software changes, will automatically add good rules.

7. Software drop right setting

Common serv-u, SQL Server, MySQL, Apache, Tomcat and so on have security risks.

Because the setting method is different, please refer to the corresponding course of my station.

8. Installation of Safety Assistant software

There is no absolute security, only as far as possible to improve security, manual + software collocation, in order to maximize security.

Server Security Hardening