Ten steps to build a secure personal Web Server (1)

Source: Internet
Author: User

The security of Win2003 Server is indeed greatly improved compared with that of Win2K, but is it really safe to use Win2003 Server as a server? How can we create a secure personal Web server? The following is a brief introduction.

I. Installation of Windows Server 2003

1. Create at least two partitions for the installation and format them as NTFS.

2. Install the 2003 system while the network is disconnected.

3. Install IIS with only the necessary components (leave out unneeded services such as FTP and SMTP). By default, the IIS service is not installed. In Add/Remove Windows Components, select "Application Server", click "Details", double-click Internet Information Services (IIS), and select the following options:

Internet Information Services Manager;

Common Files;

Background Intelligent Transfer Service (BITS) Server Extensions;

World Wide Web Service.

If your Web site uses FrontPage extensions, also check FrontPage 2002 Server Extensions.

4. Install MSSQL and other required software, and then update it.

5. Use the Microsoft Baseline Security Analyzer (MBSA) provided by Microsoft to analyze the computer's security configuration and identify missing patches and updates. See the link at the end of the page.

II. Set and manage accounts

1. Create as few system administrator accounts as possible, and change the name (Administrator) and description of the default administrator account. It is best to use a combination of numbers, lowercase letters, and numbers, with a maximum length of 14 characters.

2. Create a new trap (decoy) account named "Administrator", give it the minimum permissions, and set a combination password of no fewer than 20 characters.

3. Disable the Guest account, change its name and description, and set a complex password. There is also a tool called DelGuest that can be used to delete the Guest account, but I have not tried it.

4. In the Run dialog, enter gpedit.msc and press Enter to open the Group Policy Editor. Under Computer Configuration > Windows Settings > Security Settings > Account Policies > Account Lockout Policy, set the lockout threshold to three invalid logon attempts, the lockout duration to 30 minutes, and the reset of the lockout counter to 30 minutes.

5. In Security Settings > Local Policies > Security Options, set "Do not display last user name" to Enabled.

6. In Security Settings > Local Policies > User Rights Assignment, leave only the Internet Guest Account and the account that starts the IIS process under "Access this computer from the network". If you use ASP.NET, also keep the ASPNET account.

7. Create a User account for running the system, and use the Runas command when you need to run privileged commands.
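To confirm that the account settings from steps 1 and 3 to 5 actually took effect, the local policy can be exported with `secedit /export /cfg policy.inf` and checked offline. The script below is an added example, not part of the original article; the function name `audit_policy` and the sample export are constructed for illustration.

```python
import configparser

# Constructed sample export (real files are UTF-16; decode before parsing).
SAMPLE_INF = r'''[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
NewAdministratorName = "Administrator"
EnableGuestAccount = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,0
[Version]
signature="$CHICAGO$"
'''

LAST_USER = r"MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName"

def audit_policy(inf_text):
    """Return findings where the exported policy deviates from section II."""
    cfg = configparser.ConfigParser(interpolation=None, strict=False, delimiters=("=",))
    cfg.optionxform = str  # keep key names exactly as exported
    cfg.read_string(inf_text)
    access = cfg["System Access"] if "System Access" in cfg else {}
    reg = cfg["Registry Values"] if "Registry Values" in cfg else {}
    findings = []
    # Step 4: three invalid logons, 30-minute lockout, 30-minute counter reset.
    for key, want in (("LockoutBadCount", "3"), ("LockoutDuration", "30"),
                      ("ResetLockoutCount", "30")):
        got = access.get(key, "missing").strip()
        if got != want:
            findings.append(f"{key} is {got}, expected {want}")
    # Step 1: the built-in administrator account should carry a new name.
    name = access.get("NewAdministratorName", "").strip().strip('"')
    if name.lower() == "administrator":
        findings.append("built-in Administrator account has not been renamed")
    # Step 3: the Guest account must be disabled (0).
    if access.get("EnableGuestAccount", "1").strip() != "0":
        findings.append("Guest account is enabled")
    # Step 5: value is "<type>,<data>"; data 1 hides the last user name.
    if reg.get(LAST_USER, "4,0").split(",")[-1].strip() != "1":
        findings.append("last user name is displayed at logon")
    return findings
```

An empty list means the export matches the settings above; the user-rights assignment from step 6 is not checked here.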

III. Network Service Security Management

1. Disable the default shares C$, D$, and ADMIN$.

Open the registry editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, create a DWORD value in the right-hand pane, name it AutoShareServer, and set it to 0.

2. Unbind NetBIOS from the TCP/IP protocol

Right-click My Network Places > Properties > right-click Local Area Connection > Properties > double-click Internet Protocol (TCP/IP) > Advanced > WINS > Disable NetBIOS over TCP/IP.

3. Disable unnecessary services. The following are recommended options:

Computer Browser: maintains network computer updates; disable it.

Distributed File System: allows you to manage shared files on a LAN. You do not need to disable this function.

Distributed Link Tracking Client: used to update the connection information on the LAN. It does not need to be disabled.

Error Reporting Service: disable it to stop error reports from being sent.

Microsoft Search: provides quick word search and does not need to be disabled.

NT LM Security Support Provider: used by the telnet service and Microsoft Search. It does not need to be disabled.

Print Spooler: disable it if no printer is available.

Remote Registry: disable it to prevent remote modification of the registry.

Remote Desktop Help Session Manager: disable it to turn off Remote Assistance.
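The registry side of steps 1 to 3 can be verified from a `reg export HKLM\SYSTEM\CurrentControlSet\Services services.reg` file. The checker below is an added example, not from the original article; the short service names (Browser, ERSvc, Spooler, RemoteRegistry, RDSessMgr) are this example's mapping of the display names listed above, the `NetbiosOptions` check covers step 2, and the sample export is constructed.

```python
import re

# Constructed excerpt of a .reg export (real files are UTF-16; decode first).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser]
"Start"=dword:00000004
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces\Tcpip_{00000000-0000-0000-0000-000000000001}]
"NetbiosOptions"=dword:00000002
'''

BASE = r"hkey_local_machine\system\currentcontrolset\services" + "\\"
# Services the list above says to disable (Spooler only if no printer is used).
DISABLE = {"Browser": "Computer Browser", "ERSvc": "Error Reporting Service",
           "Spooler": "Print Spooler", "RemoteRegistry": "Remote Registry",
           "RDSessMgr": "Remote Desktop Help Session Manager"}

def parse_dwords(reg_text):
    """Map (lowercased key path, value name) -> int for each dword value."""
    values, key = {}, None
    for line in reg_text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
        if m and key:
            values[(key, m.group(1))] = int(m.group(2), 16)
    return values

def audit_services(reg_text):
    """Return findings where the export deviates from section III, steps 1-3."""
    v, findings = parse_dwords(reg_text), []
    if v.get((BASE + r"lanmanserver\parameters", "AutoShareServer")) != 0:
        findings.append("AutoShareServer is not 0: C$, D$ and ADMIN$ are shared")
    for svc, display in DISABLE.items():
        start = v.get((BASE + svc.lower(), "Start"))
        if start is not None and start != 4:  # Start type 4 = disabled
            findings.append(f"{display} ({svc}) start type is {start}, expected 4")
    for (key, name), data in v.items():
        # NetbiosOptions 2 = NetBIOS over TCP/IP disabled on that interface
        if name == "NetbiosOptions" and r"\netbt\parameters\interfaces" in key and data != 2:
            findings.append("NetBIOS over TCP/IP enabled on " + key.rsplit("\\", 1)[-1])
    return findings
```

Services that are absent from the export are skipped rather than reported.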

4. Enable the corresponding audit policies

Enter gpedit.msc and press Enter to open the Group Policy Editor, then select Computer Configuration > Windows Settings > Security Settings > Audit Policy. When choosing what to audit, note that the more items you audit, the more events are generated, and the harder it becomes to find the serious ones. If you audit too few items, however, you may miss serious events. You need to strike a balance between the two based on your situation.

