Win2003 Server Security Configuration complete detailed _win server

I wrote this article when the heart is very not practical, always afraid to say wrong will be mistaken for other people's things. Oh, here we go.

This article is more focused on the prevention of ASP vulnerabilities, so the server black and other aspects of the explanation may be slightly too little.
Basic server security Settings
Install Patches
After installing the operating system, it is best to install the patch before hosting, configure the network, if it is 2000 to determine the installation of the SP4, if it is 2003, it is best to install the SP1, then click Start →windows Update, install all the key updates.
Install antivirus Software
Although anti-virus software sometimes does not solve the problem, but anti-virus software to avoid a lot of problems. I've been using Norton 2004, and it's said that 2005 can kill a Trojan, but I haven't tried it. There are people with rising, rising is determined to kill the Trojan horse. More people say that Kabbah driver is good, but I did not use.
Do not expect anti-virus software to kill all Trojans, because the characteristics of the ASP Trojan Horse can be through a certain means to avoid the killing of anti-virus software.
Set port protection and firewalls, delete default shares
It's all about server protection, and even if you don't have IIS on your server, these security measures are best done. This is the blind area of the arjunolic, probably know the shielding port with local security strategy, but this aspect of things online introduction a lot, we can impressive out to see, later I may copy some to my website.
Permission settings
Arjunolic feel this is the key to preventing an ASP vulnerability attack, and good permissions settings can reduce the damage to an IIS site or even a virtual directory. I am here to talk about the principle and set up ideas, smart friends should read this will be able to solve the problem.
The principle of permission setting
Windows users, most of the time in the Winnt system, divide permissions by User (group). Manage system users and user groups at the start → programs → administration tools → Computer Management → local users and groups.
NTFS permission settings, remember to partition all the hard drives into an NTFS partition, and then we can determine the permissions that each partition opens for each user. The file (folder) right → properties → security "here to manage NTFS file (folder) permissions."
IIS anonymous users, each IIS site or virtual directory, can set an anonymous access user (now call it "IIS anonymous user") when the user visits your site. ASP file, this. The permissions that an ASP file has, that is, the permissions that this "IIS anonymous user" has.
The idea of permission setting
To create a system user for each independent individual to protect (such as a Web site or a virtual directory), the site has the unique ability to set permissions on the system.
In IIS, "Site properties or virtual directory properties → directory security → Anonymous access and authentication control → edit → anonymous access → edit" fill in the user name you just created.
All partitions are set to prohibit this user from accessing, and the folder setting that corresponds to the home directory of the site just now allows this user access (to remove inherited parent permissions and to add the hyper-control and system groups).
This set up after the ASP program in this site only the current folder permissions, from the probe, all the hard drives are red fork.
My Setup method
I created a user group first, and then all of the site's users were built in this group, and then set up the groups in each partition without permissions or outright rejection. Then set the permissions for each IIS user in each folder.
Because more, so I do not want to write, actually know the above principle, most people should understand, unless you do not know how to add system users and groups, do not know how to set folder permissions, do not know the IIS site properties there. Really have that kind of person, you also don't worry, want to slow down slowly, the concrete method actually oneself also can grope out, I am this. Of course, if I am free, I will write my specific settings, I am proud to be able to match the picture.
Renaming or uninstalling unsafe components
Unsafe components not surprising
I've added an unsafe component detection function to the 7I24 probe 1.9 (In fact, this is written in reference to the code of the just to change the interface a bit friendlier, the detection method and he is basically the same), this feature so many webmasters surprised not small, because he found that his server support a lot of unsafe components.
In fact, as long as the above permissions set, then FSO, XML, Strem are no longer unsafe components, because they do not have to cross their own folder or site permissions. That happy time not to fear, there are anti-virus software in the fear of what time ah.
The most dangerous component is WSH and shell, because it can run programs such as the EXE on your hard drive, such as it can run a lifting program to elevate Serv-u permissions and even use SERVU to run higher-privileged system programs.
Carefully decide whether to uninstall a component
Components are intended to be applied, not to be unsafe, and all components are useful, so before uninstalling a component, you must verify that the component is not required by your Web site program, or that it is not roughly the same if removed. Otherwise, you can only keep this component and do the same in your ASP program itself, to prevent others from coming in, rather than preventing others from coming in after the shell.
For example, FSO and XML are one of the most common components, and many programs use them. The WSH component will be used by some host management programs, as well as some packaging programs.
First, operating system configuration
1. Install the operating system (NTFS partition), installed anti-virus software, I chose is Kabbah.
2. Install system patches. Scan vulnerability Full Antivirus
3. Remove Windows Server 2003 default share
Start by writing a batch file with the following contents:
Copy code code as follows:
@echo off
NET share C $/del
NET share d$/del
NET share e$/del
NET share f$/del
NET share admin$/del
The file name is Delshare.bat and is placed in the startup key, and the share is automatically deleted each time it is powered on.
4. Disable IPC connections
Open cmd and enter the following command to connect: NET use\\ip\ipc$ "password"/user: "Usernqme". We can disable the IPC connection by modifying the registry. Open Registry Editor. Locate the RestrictAnonymous subkey in the following build HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and change its value to 1 to disable the IPC connection.
5. Delete the protocols and services in the "network connection"
In "Network Connections", remove all unwanted protocols and services, only basic Internet Protocol (TCP/IP) is installed, and in Advanced TCP/IP settings-"NetBIOS" settings to disable NetBIOS (S) on TCP/IP.
6. Enable Windows Connection Firewall, open only Web service (80 port).
Note: In 2003 system, do not recommend using TCP/IP filter port filtering function, such as the use of FTP server, if only open 21 ports, due to the specificity of the FTP protocol, FTP transmission, due to FTP-specific port mode and passive mode, In the data transmission, the need to dynamically open the high-end port, so in the case of TCP/IP filtering, often the connection can not be listed after the directory and data transfer problems. So the addition of Windows Connection Firewall on 2003 system can solve this problem very well, so it is not recommended to use the TCP/IP filtering function of the NIC.
7. Disk Permissions
System disk only gives Administrators and systems permissions
The system disk \documents and Settings directory only gives Administrators and system permissions;
The system disk \documents and Settings\All Users Directory only gives Administrators and system permissions;
The system disk \documents and Settings\All Users\Application Data Directories give only Administrators and system permissions;
The system disk \ Windows directory only gives Administrators, system, and users permissions;
system disk \windows\system32\net.exe;net1.exe;cmd.exe;command.exeftp.exe;netstat.exe;regedit.exe;at.exe;attrib.exe; Cacls.exe file only give Administrators permission (if feel useless to delete it, such as I deleted the Cmd.exe,command.exe, hey. );
Other disks, which are run by the installer (my SQL Server 2000 in D disk) give Administrators and SYSTEM permissions, not just Administrators permissions.
8. Local Security policy settings
Start Menu-> Administration Tools-> Local Security Policy
A, local policy--> Audit policy (optional)
Audit policy Change failed successfully
Audit logon event failed successfully
Audit object access failed
Audit process Tracking No audit
Audit directory service access failed
Audit privilege usage failed
Audit system Event failed successfully
Audit account logon event failed successfully
Audit account Management failed successfully
B, local policy--> user Rights Assignment
Shutdown system: Only Administrators group, all other delete.
Deny login via Terminal Services: Join guests, Users group
Allow login via Terminal Services: Only join Administrators group, all other delete
C, Local policy--> security options
Interactive login: Do not display last user name enabled
Network access: All shares that can be accessed anonymously are deleted
Network access: Named pipes that can be accessed anonymously are all deleted
* * Network access: Remote access to the registry path all deleted
* * Network access: Remote access to the registry path and Subpath are all deleted
Account: Rename guest account rename an account
(One of the following changes may cause SQL Server to be out of use)
Accounts: Renaming a system administrator account renaming an account
Second, IIS configuration (including the directory where the site resides)
1. Create your own web site (* Note: The permissions are set to none in the application settings, changed in the desired directory), the directory is not on the system disk
Note: To support asp.net, copy the aspnet_client folder in the system disk \Inetpub\Wwwroot to the Web root and Add users permissions to the Web root directory.
2. Erase the system disk \inetpub directory
3. Remove Unused mappings
In application configuration, only the necessary script execution permissions are given: ASP, ASPX.
4. Create a system user for a Web site
A. For example: The website is sinesafe.cn, the new user Sinesafe permission is guests. Then, in the Web site properties, the user name and password that set anonymous access to use the following Windows user accounts in the directory security---Authentication and access control use the sinesafe.cn information for this user. (User name: Host name \sinesafe.cn)
B. Add user Sinesafe to the disk directory where the Web site resides, giving only read and write permissions.
5. Set execution permissions for applications and subdirectories
A. "Properties-Application Settings--Execute Permissions" in the main application directory is set to plain script
B. In subdirectories that do not need to execute ASP, asp.net, such as uploading file directories, execute permissions are set to None
6. Application pool Settings
My site uses the default application pool. Set "Memory Recycle": The maximum virtual memory here is: 1000M, the maximum use of physical memory is 256M, such a setting is almost no limit to the performance of this site.
Recycle worker process (minutes): 1440
Recycle worker processes at the following times: 06:00
Three, SQL Server 2000 configuration
1. Password setting
I programmed the program to use the SA user, the password settings are very complex (I do not remember, save in the phone, hey heh).
2. Delete dangerous extended stored procedures and associated. dll.
3.xp_cmdshell (This must be the first, needless to say), Xp_regaddmultistring, Xp_regdeletekey, Xp_regdeletevalue, Xp_regenumvalues, Xp_ RegRead, Xp_regwrite, xp_regremovemultistring
The vulnerability has been a lot of time ago my own server has a temporary storage process vulnerability extension of sql: Xp_dirtree stored procedures.
Beforehand: A vulnerability was recently found to be caused by SQL Server
Just a few days ago, there is nothing to use a SQL injection tool for the server to inject their own servers, accidentally found the use of MSSQL Web site can be used in the form of SQL injection of the entire server directory (my server security settings) can still be seen, Then a grab tool is installed on the server to grab the SQL Server, use the tool to connect SQL vulnerabilities Xp_dirtree read the directory, you can get the entire server directory, such as listing the C disk directory He will list all the directories under your C-disk, which is very unsafe, At present is only able to investigate the catalogue to wear things, we can imagine, if I arbitrarily modify a Boot.ini cover the C-disk boot.ini is a concept, OH first can cause service its paralysis, unable to read the system
Solution: Delete xp_dirtree, command is Sp_dropextendedproc ' Xp_dirtree '
Delete the above build you are using a D or any of the SQL injection tools are in vain
Here also to provide you with some other SQL dangerous storage process
Suggested deletion
[Note: All operations that delete SQL stored procedures must be operated in the MSSQL Query Analyzer, which is preceded by the name of the stored procedure and the command to delete the stored procedure]
First, list the dangerous built-in stored procedures:
Copy code code as follows:
xp_cmdshell sp_dropextendedproc ' xp_cmdshell '
Xp_regaddmultistring sp_dropextendedproc ' xp_regaddmultistring '
Xp_regdeletekey sp_dropextendedproc ' Xp_regdeletekey '
Xp_regdeletevalue sp_dropextendedproc ' Xp_regdeletevalue '
Xp_regenumkeys sp_dropextendedproc ' Xp_regenumkeys '
Xp_regenumvalues sp_dropextendedproc ' xp_regenumvalues '
Xp_regread sp_dropextendedproc ' Xp_regread '
Xp_regremovemultistring sp_dropextendedproc ' xp_regremovemultistring '
Xp_regwrite sp_dropextendedproc ' xp_regwrite '
ActiveX Scripts:
Copy code code as follows:
sp_OACreate sp_dropextendedproc ' sp_OACreate '
sp_OADestroy sp_dropextendedproc ' sp_OADestroy '
sp_OAMethod sp_dropextendedproc ' sp_OAMethod '
sp_OAGetProperty sp_dropextendedproc ' sp_OAGetProperty '
sp_OAGetErrorInfo sp_dropextendedproc ' sp_OAGetErrorInfo '
sp_OAStop sp_dropextendedproc ' sp_OAStop '
Iv. Other settings (optional, I am not responsible)
1. Any user password must be complex, unwanted users---deleted.
2. Prevent SYN flood attack
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value, named SynAttackProtect, with a value of 2
3. Prohibit responding to ICMP routing notification messages
Hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\interfaces\interface
Creates a new DWORD value with the name PerformRouterDiscovery value of 0
4. Prevent ICMP redirect packets from attacking
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the Enableicmpredirects value to 0
5. IGMP protocol not supported
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Creates a new DWORD value with the name IGMPLevel value of 0
6. Disable DCOM:
Enter Dcomcnfg.exe in the run. Enter, click Component Services under Console root. Open the Computers subfolder.
For the local computer, right-click My Computer, and then select Properties. Select the Default Properties tab.
Clear the Enable distributed COM on this computer check box.
7. Uninstall unsafe components.
[Code]
Regsvr32/u C:\Windows\System32\wshom.ocx
Regsvr32/u C:\Windows\System32\shell32.dll executes the above two orders under CMD.
Five. Prevent serv-u privilege elevation
In fact, after the shell component is logged off, the intruder is less likely to run the lifting tool, but Prel and other scripting languages also have shell capabilities, in case, or set it up for good.
Open ServUDaemon.exe with UltraEdit to find Ascii:localadministrator, and [email= #l @ $ak #.lk;0@p] #l @ $ak #.lk;0@p[/email], Change to equal length of other characters on it, ServUAdmin.exe also deal with the same.
Also note that you set the permissions of the folder in which Serv-u is located, and do not let IIS anonymous users have read permissions, or else you may be able to analyze your administrator name and password as you modify the file.
Common methods and precautions of exploiting ASP vulnerabilities
In general, hackers always aim at forums and other programs, because these programs have upload function, they can easily upload ASP trojan, even if set permissions, Trojan can also control the current site of all files. In addition, there is a Trojan horse and then upload the lifting tool to obtain higher privileges, we shut down the shell component is to a large extent to prevent the attacker to run the lifting tool.
If the Forum administrator turned off the upload function, the hacker will find a way to get the super tube password, for example, if you use the Dynamic Network forum and the database forgot to rename, people can directly download your database, and then distance to find the forum administrator password is not far away.
As an administrator, we first need to check our ASP program, do the necessary settings to prevent the site from being hacked into. The other is to prevent attackers from using a hacked web site to control the entire server, because if your server has a site for friends, you may not be sure that your friends will be able to put the forums he uploaded into the security settings. This is used to say that a lot of things, do those permissions settings and prevent the promotion, the hacker even entered a site, can not destroy the site outside of things.
Postscript
Perhaps a security master or a master of destruction to read my article will laugh or secretly happy, but I think in my experience, after all, there are many right places, there are tens of thousands of people than I know the same as I did not understand the beginning of the time in the desire for such an article, so I have to write, I do not care what others say I, I am not afraid of future generations will have tens of thousands of people to me, I am a person to bear down, I have no wife to explain ...
Well, today's on the first to here, and finally send you webmaster one word: the smallest authority, the greatest security! Do not bother not to careless, set the more careful security index higher, we set the password when more set a number may need to hackers more than n days to crack, are the same truth. If you do not understand or need my help please contact me I will be very enthusiastic for the service, thank you.