Web server software configuration and security configuration Scheme

Web server software configuration and security configuration Scheme

From: http://blog.dic123.com/article.asp? Id = 190
1. System Installation
1. Install iis6.0 in the system by default as instructed by Windows2003.
2. Installation of iis6.0
Start Menu-> Control Panel-> add or delete programs-> Add/delete Windows Components
Application --- ASP. NET (optional)
| -- Enable Network COM + Access (required)
| -- Internet Information Service (IIS) --- Internet Information Service Manager (required)
| -- Public file (required)
| -- World Wide Web Service --- Active Server Pages (required)
| -- Internet data connector (optional)
| -- WebDAV release (optional)
| -- World Wide Web Service (required)
| -- Contains files on the server (optional)
Then click OK-> next to install.
3. system patch updates
Choose Start> All Programs> Windows Update.
Install patches as prompted.
4. Backup System
Use ghost to back up the system.
5. Install Common Software
For example, anti-virus software and decompression software. After installation, use ghost to back up the system again.
Ii. system permission settings
1. Disk Permissions
System disks and all disks are only granted full control permissions to the Administrators group and system.
The System Disk/Documents and Settings directory only gives full control permissions to the Administrators group and system.
The System Disk/Documents and Settings/all users directory only gives full control permissions to the Administrators group and system.
The System Disk/inetpub directory and all the following directories and files are only granted full control permissions to the Administrators group and system.
The System Disk/Windows/system32/cacls.exe00000000.exe0000net.exe0000net1.exe file only grants full control permissions to the Administrators group and system.
2. Local Security Policy Settings
Choose Start> Administrative Tools> Local Security Policy
A. Local Policies --> Audit policies
Audit Policy Change failed
Login event review successful failed
An error occurred while accessing the Audit object.
Audit Process Tracking not reviewed
Failed to Audit Directory Service Access
Failed to Audit privilege usage
System Event Review successful failed
Account Logon review successful failed
An error occurred while reviewing account management
B. Local Policies --> User permission allocation
Shut down the system: only the Administrators group and all others are deleted.
Refused to log on through the terminal service: added to the guests and user groups
Allow logon through Terminal Services: only join the Administrators group, and delete all others
C. Local Policies --> Security Options
Interactive login: do not display the Last User Name Enabled
Network Access: do not allow enabling of SAM Accounts and shared Anonymous Enumeration
Network Access: do not enable the storage credential for network Identity Authentication
Network Access: All Shares that can be accessed anonymously are deleted.
Network Access: delete all anonymous access attempts
Network Access: delete all registry paths that can be remotely accessed
Network Access: delete all registry paths and sub-paths that can be remotely accessed.
Account: Rename Guest Account Rename an account
Account: rename a System Administrator Account Rename an account
3. disable unnecessary services
Choose Start> Administrative Tools> services
Print Spooler
Remote Registry
TCP/IP NetBIOS Helper
Server
The preceding settings are disabled in services started by default on Windows Server 2003. do not enable services that are disabled by default if they are not needed.
4. Enable Firewall
Desktop-> network neighbors-> (right-click) properties-> Local Connection-> (right-click) properties-> advanced-> (selected) Internet Connection Firewall-> Settings
Select the service port used on the server
For example, a Web server must provide Web (80), FTP (21) services, and Remote Desktop Management (3389)
Mark "FTP server", "Web Server (HTTP)", and "Remote Desktop"
If the port you want to provide the service is not in it, you can also click the "add" button to add the service. For specific parameters, refer to the original parameters in the system.
Click OK. Note: to remotely manage this server, check whether the Remote Management port is selected or added.
Iii. Windows 2003 Security Configuration

■. Make sure all disk partitions are NTFS partitions.
■ The operating system, Web main directory, and logs are installed in different partitions.
■. Do not install unnecessary protocols, such as IPX/SPX and NetBIOS?
■. Do not install any other operating system
■ Install all patches (scan and download with rising security vulnerabilities)
■. Disable all unnecessary services
* Alerter (disable)
* ClipBook server (disable)
* Computer Browser (disable)
* DHCP Client (disable)
* Directory replicator (disable)
* FTP Publishing Service (disable)
* License Logging Service (disable)
* Messenger (disable)
* Netlogon (disable)
* Network DDE (disable)
* Network dde dsdm (disable)
* Network Monitor (disable)
* Plug and Play (disable after all hardware configuration)
* Remote access server (disable)
* Remote Procedure Call (RPC) locater (disable)
* Schedule (disable)
* Server (disable)
* Simple services (disable)
* Spooler (disable)
* TCP/IP NetBIOS Helper (disable)
* Telephone service (disable)
■. Account and password policies
1) Ensure that the Guest account is disabled
2) Rename Administrator to an account that is difficult to guess
3) Password Uniqueness: records the last six passwords
4) Minimum Password Duration: 2
5) Maximum Password Duration: 42
6) Minimum Password Length: 8
7) password complexity (passfilt. dll): Enabled
8) the user must log on to change the password: Enabled
9) Account Logon Failure lock time limit: 6
10) Time Interval for re-enabling after locking: 720 minutes
■. Protect files and directories
Restrict the access permission of directories such as C:/WINNT, C:/winnt/config, C:/winnt/system32, C:/winnt/system, and restrict the write permission of everyone, restrict the read and write permissions of the Users Group
■ Modify some entries in the Registry
1) Remove the shutdown button in the logon dialog box
Set HKEY_LOCAL_MACHINE/software
/Microsoft/Windows NT/current version/Winlogon/
The value of shutdownwithoutlogon REG_SZ is set to 0.
2) cashing function for removing logon information
Set HKEY_LOCAL_MACHINE/software
/Microsoft/Windows NT/current version/Winlogon/
The value of cachedlogonscount REG_SZ is set to 0.
4) Restrict Anonymous LSA access
Set HKEY_LOCAL_MACHINE/System
/CurrentControlSet/control/LSA
Restricanonymous REG_DWORD value is set to 1
5) Remove all network sharing
Set HKEY_LOCAL_MACHINE/System
/CurrentControlSet/services/LanmanServer/parameters/
AutoShareServer REG_DWORD value is set to 0

Iv. IIS Security Configuration

■. Disable and delete the default site:
Default FTP site
Default web site
Manage Web Sites
■. Create your own site, which is not in the same partition as the system, such
D:/wwwroot3. create the E:/logfiles directory. log files will be located in this directory when the site is created later. Make sure that the access control permission on this directory is: Administrators (full control) system (full control)
■. Delete some directories of IIS:
IISHelp C:/winnt/help/IISHelp
Iisadmin c:/system32/inetsrv/IISADMIN
Msadc c:/program files/common files/system/MSADC/
Delete C: // inetpub
■. Delete unnecessary IIS mappings and extensions:
IIS is pre-configured to support common file name extensions such as. asp and. shtm files. When IIS receives these types of file requests, this call is processed by the DLL. If you do not use some of these extensions or functions, delete
Perform the following steps:
Right-click a computer name and select Properties:
Select Edit
Select the home directory and click Configure
Select the extension/. HTW/,/. HTR/,/. IDC/,/. IDA/,/. idq/AND/. Printer/, and click Delete.
If Server Side Include is not used, delete/. shtm/. STM/AND/. shtml/
■. Disable parent path:
The "parent path" option allows you to use "..." In calls to functions such as mappath. By default, this option
It is enabled and should be disabled.
To disable this option, follow these steps:
Right-click the root of the web site and select "properties" from the context menu ".
Click the Home Directory tab.
Click Configure ".
Click the application options tab.
Deselect the Enable parent path check box.
■. Set the access control permission on the virtual directory
The files used on the home page should use different access control lists according to the file type:
CGI (.exe,. dll,. cmd,. pl)
Everyone (X)
Administrators (full control)
System (full control)
Script file (. asp)
Everyone (X)
Administrators (full control)
System (full control)
Include file (. Inc,. shtm,. shtml)
Everyone (X)
Administrators (full control)
System (full control)
Static content (.txt,. GIF,. jpg,. html)
Everyone (r)
Administrators (full control)
System (full control)
When creating a web site, you do not need to set access control permissions for each file. You should create a new directory for each file type, set the access control permission on each directory and grant the access control permission to each file.
For example, the directory structure can be in the following format:
D:/wwwroot/myserver/static (.html)
D:/wwwroot/myserver/include (. Inc)
D:/wwwroot/myserver/script (. asp)
D:/wwwroot/myserver/executable (. dll)
D:/wwwroot/myserver/images (.gif,. JPEG)
■. Enable Logging
When determining whether the server is under attack, logging is extremely important.
The W3C log format should be extended as follows:
Open Internet Service Manager:
Right-click the site and select "properties" from the context menu ".
Click the web site tab.
Select the Enable Logging check box.
Select W3C extended log file format from the activity log format drop-down list ".
Click properties ".
Click the extended attributes tab and set the following attributes:
* Customer IP Address
* User Name
* Method
* URI Resource
* Http status
* Win32 status
* User Agent
* Server IP Address
* Server port

5. Delete Windows Server 2003 to share and disable IPC connections by default

IPC $ (Internet process connection) is a resource that shares the named pipe. It is a named pipe open for inter-process communication. It provides a trusted user name and password, connect to the computers of both parties to establish a secure channel and exchange encrypted data through this channel, so as to achieve access to the remote computer. It is a feature unique to Windows NT/2000/XP/2003, but it has a feature that only one connection can be established between two IP addresses at the same time. NT/2000/XP/2003 provides the IPC $ function while enabling default sharing when installing the system for the first time, that is, all logical sharing (C $, d $, e $ ......) Shared with the system directory winnt or Windows (ADMIN $. All of these, Microsoft's original intention is to facilitate administrator management, but it also provides convenience conditions for the easy-to-use IPC intruders, resulting in a reduction in system security performance. You do not need any hacker tools to establish an IPC connection. You can simply enter the corresponding commands in the command line. However, there are some prerequisites, that is, you need to know the user name and password of the remote host. Open CMD and enter the following command to connect: net use/ipipc $ password/User: usernqme. We can disable the IPC connection by modifying the registry. Open Registry Editor. Find the restrictanonymous sub-key in hkey_local_machinesystemcurrentcontrolsetcontrollsa and change its value to 1 to disable the IPC connection.

6. Clear the remote accessible registry path

As we all know, the Windows 2003 operating system provides remote access to the registry. You only need to set the remote accessible registry path to null, this effectively prevents hackers from using a scanner to read computer system information and other information through the Remote Registry.
Open the Group Policy Editor, expand "Computer Configuration> Windows Settings> Security Settings> Local Policies> Security Options", and find "network access: remote access to the registry path ", and then in the window that opens, set all the remote access to the registry path and sub-path content to null (7 ).

7. disable unnecessary ports

For personal users, some default ports in the installation are indeed unnecessary. Turning off the ports is useless services. Port 139 is the port used by the NetBIOS protocol. When the TCP/IP protocol is installed, NetBIOS will also be installed to the system as the default setting. Opening port 139 means that the hard disk may be shared in the network. Online hackers can also use netbios to know everything on your computer! In earlier Windows versions, port 139 can be disabled as long as Microsoft Network files and print sharing protocols are not installed. However, in Windows Server 2003, this is not the case. To completely disable port 139, follow these steps:

Right-click "Network Neighbor" and select "properties" to go to "network and dial-up connections". Right-click "Local Connection" and select "properties ", open the "Local Connection Properties" Page (8 ),
Remove "√" (9) before "Microsoft network file and print sharing ),
Next, select "Internet Protocol (TCP/IP)", click "properties"> "advanced"> "wins", and select "Disable NetBIOS on TCP/IP, task completed (10 )!
For individual users, you can set it to "disabled" in the service attribute settings to avoid restarting the service next time and opening the port.

If IIS is installed on your computer, you 'd better reset port filtering. Follow these steps: select the NIC attribute, double-click "Internet Protocol (TCP/IP)", and click "advanced" in the displayed window, the "Advanced TCP/IP Settings" window is displayed. Next, select "TCP/IP filtering" under the "options" tab and click "properties, in the "TCP/IP filtering" window, click "√" in front of "enable TCP/IP filtering (all adapters)", and configure as needed. If you only want to browse the Web page, only TCP port 80 is available. Therefore, you can select "allow only" at the top of "TCP port" and click "add, enter 80 and click OK.

8. prevent unauthorized access to applications

Windows Server 2003 is a server operating system. To prevent users from logging on to the server, you can start applications on the server at will, which brings unnecessary trouble to the normal operation of the server, we need to restrict the access permissions of different users.

They call the application. In fact, we only need to use the Group Policy Editor for further settings. The specific steps are as follows:

To open the "Group Policy Editor", click "Start> Run" and type "gpedit" in the "run" dialog box. run the MSC command and press enter to open the "Group Policy Editor" window. Choose "Group Policy console> User Configuration> management template> System"> "run only licensed Windows Applications" and enable this policy.

Click the "show" button next to the "List of allowed applications" to bring up a "show content" dialog box. Click the "add" button to add applications that are allowed to run.

9. Set and manage accounts

1. You are advised to create fewer system administrator accounts, change the default Administrator Account Name and description, and use the upper-case key combination of numbers and lower-case letters and numbers, with a maximum length of 14 characters.
2. Create a new trap account named "Administrator", set the minimum permissions for it, and enter a password of no less than 20 characters in the combination.
3. Disable the Guest account, change the name and description, and enter a complicated password. Of course, there is also a delguest tool, and you may also use it to delete the Guest account, but I have not tried it.
4. Enter gpedit in the running process. MSC press enter to open the Group Policy Editor. Choose Computer Configuration> Windows Settings> Security Settings> Account Policy> account lock policy to set the account to "invalid three-time Logon ", the "lock interval is 60 Minutes", and the "Reset lock count is set to 30 minutes ".
5. In Security Settings-local policy-security options, set "Last User Name Not Displayed" to enable
6. In "Security Settings"-"Local Policy"-"User Rights Assignment", "access to this computer from the network" will only retain the Internet Guest Account and start the IIS process account. If you use Asp.net, you must keep your ASPNET account.
7. Create a user account and run the system. Use the RunAs command to run privileged commands.

10. Network Service Security Management

1. Do not share C $, d $, or ADMIN $ by default.
2. Unbind NetBIOS from TCP/IP protocol
3. disable unnecessary services. The following are recommended options:
Computer Browser: maintain and disable network computer updates.
Distributed File System: allows you to manage shared files on a LAN. You do not need to disable this function.
Distributed linktracking client: used to update the connection information on the LAN. It does not need to be disabled.
Error Reporting Service: forbidden to send error reports
Microsoft serch: provides quick word search and does not need to be disabled.
Ntlmsecuritysupportprovide: used by the telnet service and Microsoft serch. It does not need to be disabled.
Printspooler: Disable it if no printer is available
Remote Registry: Disable Remote Registry Modification
Remote Desktop Help Session Manager: Disable Remote Assistance

11. Open the corresponding audit policy

Enter gpedit. MSC press enter, open the Group Policy Editor, select computer configuration-Windows Settings-Security Settings-Audit Policy when creating audit projects, note that if there are too many audit projects, the more events are generated, the more difficult it is to find serious events. Of course, if too few events are reviewed, the more serious events you find will be affected, you need to make a choice between the two based on the situation.
The recommended items to be reviewed are:
Logon Event successful failed
Account Logon event failed
System Event success/failure
Policy Change failed
Object Access failed
Directory Service Access failed
Failed to use privilege

12. Other Security Settings

1. hide important files/Directories
2. Start the built-in Internet Connection Firewall and check the web server in the set service options.
3. Prevent SYN flood attacks
4. Disable response to ICMP route notification packets

5. Prevent ICMP redirection packet attacks
6. IGMP protocol not supported
7. Disable DCOM:

13. Configure the IIS service:

1. If you do not use the default web site, you must separate the IIS directory from the system disk.
2. Delete the default inetpub directory created by IIS (on the disk where the system is installed ).
3. Delete virtual directories on the system disk, such as _ vti_bin, iissamples, scripts, IISHelp, IISADMIN, IISHelp, and MSADC.
4. Delete unnecessary IIS extension mappings.
Right-click "Default web site> Properties> Home directory> Configuration" to open the application window and remove unnecessary application mappings. The main idea is .shtml,. shtm,. stm
5. Change the IIS Log Path
Right-click "Default web site> properties-website-click Properties under Enable Logging
6. If 2000 is used, iislockdown can be used to protect IIS, which is not required for ie6.0 running in 2003.
7. Use URLScan
However, if you are running ASP. NET programs on the server and want to debug them, you need to open % WINDIR %/system32/inetsrv/URLScan
The URLScan. ini file in the folder, and then add the debug predicate in the userallowverbs section. Note that this section is case sensitive.
If your webpage is A. ASP Webpage, You need to delete the content related to. asp in DenyExtensions.
If your webpage uses non-ASCII code, you need to set allowhighbitcharacters to 1 in the option section.
After changing the URLScan. ini file, you need to restart the IIS service to make it take effect.
If you have any problems after configuration, you can delete URLScan by adding/deleting programs.
8. WIS (Web injection vulnerability) tool is used to scan the SQL injection vulnerability of the entire website.

14. Configure the SQL Server

1. It is recommended that the role of System Administrators be no more than two
2. It is best to configure authentication as win login on the local machine
3. Do not use the SA account and configure a super complex password for it.
4. Delete the following extended stored procedure format:
Use master
Sp_dropextendedproc 'Extended Stored Procedure name'
Xp_cmdshell: the best way to enter the Operating System. Delete
Access the Registry Stored Procedures, delete
Xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
Xp_regread xp_regwrite xp_regremovemultistring
OLE Automatic stored procedure, no need to delete
Sp_oacreate sp_oadestroy sp_oageterrorinfo sp_oagetproperty
Sp_oamethod sp_oasetproperty sp_oastop
5. Hide SQL Server and change the default port 1433
Right-click an instance and choose Properties> General-select TCP/IP in network configuration. Select to hide the SQL server instance and change the default port 1433.

15. If only the server is used and no other operations are performed, use IPsec

1. management tools-Local Security Policy-right-click IP Security Policy-manage IP Filter table and Filter Operations-click under manage IP Filter table
Add-set name to Web Filter-click Add-enter web server in description-set source address to any IP Address -- set target address to my IP Address -- SET protocol type to TCP -- the first entry of the IP protocol port is set to any port, the second item goes to port 80-click Finish-click OK.
2. Click Manage IP Filter table
Add-set name to all inbound Filters-click Add-enter all inbound filters in description-set source address to any IP address-set target address to my IP address-protocol type set to arbitrary -- click Next -- finish -- click OK.
3. Click "add" under "manage filter operation options" and enter "Block" in "Next"> "name"> "Next"> "select" Block ">" Next ">" finish ">" close the "manage IP Filter table and filter operation window ".
4. Right-click IP Security Policy-create IP Security Policy-next-name input Packet Filter-next-cancel default activation response principle-next-finish
5. Select Add in the new IP Security Policy attribute window -- next -- do not specify the tunnel -- next -- all network connections -- next -- select the new web filter in the IP Filter list -- next -- select permit in the filter operation -- next -- finish -- select the newly created blocking filter in the IP Filter list -- next -- select block in the filter operation -- next -- finish -- OK
6. In the window on the right of the IP Security Policy, right-click the newly created packet filter and click assign. IPSec takes effect without restarting.

17. How to configure a strong and secure win2003 Server

1) determine what you want to use it for, what services you need to activate, what is unnecessary, and do not install (such as index or something) useless. all unnecessary services can be turned off.
In the control panel => Management => tool, you can do it yourself. The following services must be disabled:
Remote Registry Service
RunAs Service
Task Scheduler
Telnet
Windows Time
Other unnecessary services can be set to manual.
It is best to disable the SNMP service and SNMP Trap service. If you want to use the service, change the management Public word.

2) patch.
Are you sure you have entered Win2k SP2;
3) IIS configuration.
1. In the IIS manager, it is possible to remove all unnecessary extended Associations (except ASP/ASA and other necessary CGI and other ones, you can install secureiis.
2. Check the FTP permission. You can do it yourself. Don't be tagged ~ _*
4) MSSQL.
First, remember to add a password that is difficult to remember, otherwise everything will be done.
Then remember to upgrade SQL 7.0 SP2 and SQL 2 k SP1.
5) Terminal Server.
Basically, if your system does not have a password ..........
Advanced:
1) class firewall restrictions.
In this case, we need to open the IPsec service for MS, and then select Network Settings> Network Interface Properties> TCP/IP> advanced =>.
Simply put, use TCP/IP filtering to determine which ports are open, such as 80 and 1433. (unfortunately, if the FTP service is open, ports are often opened out of order, which is hard to be determined );
If advanced requirements are required, define an IPsec Policy by yourself. You can precisely filter the policies, for example, some ICMP type, and so on. You can leave it alone ~ _*
2) NetBIOS settings.
Ever since, NetBIOS is the most vulnerable to winnt security issues after IIS, and it is simply a backdoor.
Make at least one setting: Registry Editing
LOCAL_MACHINE \ System \ CurrentControlSet \ Control \ LSA-restrictanonymous = 1
The IPC $ empty user connection can be disabled to prevent information leakage and other serious security problems.
3) Strengthen the terminal server.
Registry Editing: hkey_local _ machinesoftwaremicrosoft \ WindowsNT \ CurrentVersion \ Winlogon \ don't Display Last User Name = 1
This allows others to not see the user name you logged on to ts. It is a little bit safer (Remember, the less information others get you, the more secure you will be)

4) Check System File directory permissions.
The basic policy can be modified in the file attributes to avoid directories fully controlled by everyone. It is best to disable or even read everyone for most files.
For important files and directories of the system, such as system32, you can use xacls, a tool in Win2k resouece kit, to enhance access control in detail.

5) prevent information monitoring and DoS attacks
If necessary, enable RSAs or add an IPSec security policy by yourself to filter out ICMP echo and redrict types, so that the ping by others will not be reflected. If the ping fails, maybe someone else stops ~ _ * By default, many vulnerability scanners will not be able to ping the server. (Of course, it would be better if you have a stronger firewall)
DOS prevention to a certain extent:
Change the following value in the Registry HKLM \ System \ CurrentControlSet \ Services \ Tcpip \ Parameters to help you defend against DoS attacks of a certain intensity.
SynAttackProtect REG_DWORD 2
Enablepmtudiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300,000
Invalid mrouterdiscovery REG_DWORD 0
Enableicmpredirects REG_DWORD 0

Improved FSO security in Win 2003

ASP provides powerful file system access capabilities to operate any files on the server's hard disk, which poses a huge threat to the security of school websites.
ASP provides powerful file system access capabilities to read, write, copy, delete, and rename any files on the server's hard disk, this poses a huge threat to the safety of school websites. At present, many campus hosts have been intruded by FSO Trojans. However, after the FSO component is disabled, the consequence is that all ASP programs that use this component cannot run and cannot meet the customer's needs. How can we allow the FileSystemObject component without affecting the security of the server (that is, users on different virtual hosts cannot use this component to read or write files from other users )? The following are my experiences over the years:
The first step is different from the key of Windows 2000 settings: Right-click drive C, click share and security, select the Security tab in the displayed dialog box, and delete the everyone and users groups, if your website cannot run any ASP program after deletion, add the iis_wpg group (figure 1) and restart your computer.
After this design, the FSO Trojan is no longer running. If you want to set the security level, perform the preceding settings for each disk partition and set different Anonymous Access Users for each site. The following example is used to describe the website abc.com In the ABC folder of the elastic drive on your host ):
1. open "Computer Management → local users and groups → users", create an ABC user, set the password, and remove the check mark before "the user must change the password next time, select "user cannot change password" and "Password Never Expires", and set the user to belong to the guests group.
2. right-click E:/ABC and select the "Properties> Security" tab, at this point, we can see that the default security settings for this folder are "everyone" with full control (the content displayed varies according to different situations), and the full control of everyone is deleted (if it cannot be deleted, click the [advanced] button to remove the check mark before "allow propagation of inherited permissions of the parent item" and delete all), and add all the security permissions of administrators and ABC users to the directory of this website.
3. open the IIS manager, right-click the abc.com host name, select the "Properties> Directory Security" tab in the pop-up menu, and click [edit] for identity authentication and access control. The dialog box shown in Figure 2 is displayed, by default, the anonymous user accesses "IUSR _ machine name". Click [browse]. In the "Select User" dialog box, find the ABC account created earlier, and enter the password again.

19. Suggestions

If you follow this solution, we recommend that you test the server every time you make a change. If there is any problem, you can immediately cancel the change. If a problem is discovered only when there are too many items to be changed, it is difficult to determine which step is the problem.

20. Run the server to record the current program and open ports

1. capture or record the processes on the current server and save them. You can check whether there are unknown programs in the future.
2. capture or record the currently opened ports and save them. You can check whether unknown ports are opened. Of course, if you can tell every process, this step can be omitted from the port.