Win2003 Server Security Settings Tutorial (Permissions and Local Policy)

Source: Internet
Author: User

Server Security Settings

1. The system disk and the disk that holds the websites must be formatted as NTFS so that permissions can be set.

2. On the system disk and the website disk, remove all permissions except those of Administrators and SYSTEM.

3. Enable the built-in Windows firewall and leave open only the ports that are needed, such as remote desktop, Web and FTP (3389, 80, 21); if there is a mail server, also open ports 25 and 130.

4. After installing SQL, search its directory for xplog70, then rename or delete the three files that are found.

5. Change the sa password to a very long password that you yourself do not know; under no circumstances use the sa account.

6. Rename the system default account and create a new account named administrator as a trap account: give it an extra-long password and remove it from all user groups (that is, leave its group membership empty so that the account belongs to no user group). Also rename and disable the Guest user.

7. Configure the account lockout policy: type gpedit.msc in Run and press Enter to open the Group Policy Editor, select Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy, and set the lockout threshold to 3 invalid logon attempts, the lockout duration to 30 minutes, and the reset of the lockout counter to 30 minutes.

8. In Security Settings - Local Policies - Security Options, clear the following four items:

Network access: Shares that can be accessed anonymously

Network access: Named Pipes that can be accessed anonymously

Network access: Remotely accessible registry paths

Network access: Remotely accessible registry paths and sub-paths

9. In Security Settings - Local Policies - Security Options, add the following accounts to "Deny log on through Terminal Services":

ASPNET
Guest
IUSR_*****
IWAM_*****
NETWORK SERVICE
SQLDebugger

(***** stands for your machine name. To find the accounts, click Add User or Group, choose Advanced, click Find Now, and select them from the user list that appears below. Be careful not to add the Users group or the Administrators group; once they are added there is no way to log in remotely.)

10. Remove the default shares: save the following as a file with the .reg extension, then import it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000

11. Disable unneeded and dangerous services. The services in the following list need to be disabled.

Alerter: sends administrative alerts and notifications

Computer Browser: maintains the list of computers on the network

Distributed File System: manages shared files on the LAN

Distributed Link Tracking Client: updates link information on the LAN

Error Reporting Service: sends error reports

Remote Procedure Call (RPC) Locator: RpcNs* remote procedure calls (RPC)

Remote Registry: modifies the registry remotely

Removable Storage: manages removable media, drives and libraries

Remote Desktop Help Session Manager: remote assistance

Routing and Remote Access: provides routing services to enterprises in LAN and WAN environments

Messenger: message transfer service

Net Logon: domain controller channel management

NT LM Security Support Provider: used by the Telnet service and Microsoft Search

Print Spooler: print service

Telnet: Telnet service

Workstation: leaks the list of system user names

12. Change the audit policy in the local security policy:

Account management: success, failure

Logon events: success, failure

Object access: failure

Policy change: success, failure

Privilege use: failure

System events: success, failure

Directory service access: failure

Account logon events: success, failure
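A check for steps 7 and 12, added here as an example and not part of the original tutorial: it parses a security template exported with `secedit /export /cfg` and reports every lockout or audit setting that differs from the values listed above. The function name and the sample export are constructed for illustration.

```python
import configparser

# Values from steps 7 and 12 of this page, keyed by the names used in a
# `secedit /export /cfg` template. Audit values: 1 = success, 2 = failure, 3 = both.
EXPECTED = {
    "System Access": {"LockoutBadCount": 3,      # invalid logons before lockout
                      "LockoutDuration": 30,     # minutes
                      "ResetLockoutCount": 30},  # minutes
    "Event Audit": {"AuditAccountManage": 3, "AuditLogonEvents": 3,
                    "AuditObjectAccess": 2, "AuditPolicyChange": 3,
                    "AuditPrivilegeUse": 2, "AuditSystemEvents": 3,
                    "AuditDSAccess": 2, "AuditAccountLogon": 3},
}

def check_template(text):
    """Return (section, key, expected, found) for every setting that deviates."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",))
    cp.optionxform = str  # keep the exported key case
    cp.read_string(text)
    findings = []
    for section, keys in EXPECTED.items():
        for key, want in keys.items():
            raw = cp.get(section, key, fallback=None)
            try:
                found = int(raw)
            except (TypeError, ValueError):
                found = None  # setting missing from the export or not numeric
            if found != want:
                findings.append((section, key, want, found))
    return findings

# Constructed sample export, not taken from a real server.
SAMPLE = """[Unicode]
Unicode=yes
[System Access]
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditPrivilegeUse = 0
AuditPolicyChange = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditAccountLogon = 3
"""

if __name__ == "__main__":
    # A real export is UTF-16: open(path, encoding="utf-16").read()
    for finding in check_template(SAMPLE):
        print("%s/%s: expected %s, found %s" % finding)
```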

13. Change the permissions on executables that are likely to be used for privilege escalation: find the following files and, in their security settings, delete every entry except the Administrators group. It is important not to leave SYSTEM either.

Net.exe

Net1.exe

Cmd.exe

Tftp.exe

Netstat.exe

Regedit.exe

At.exe

Attrib.exe

Cacls.exe

Format.com

C.exe (a special file; you may not find this file on your computer)

Enter the following in the search box:

"Net.exe", "Net1.exe", "cmd.exe", "Tftp.exe", "Netstat.exe", "Regedit.exe", "At.exe", "Attrib.exe", "Cacls.exe", "Format.com", "C.exe"

Click Search, select all the results, right-click, and choose Properties - Security.

This is one of the most important points, and it is the most convenient way to reduce the possibility of privilege escalation and damage.

14. Backup work: take a screenshot of the processes currently running on the server, or write them down, and save the record so that you can later check whether there are unknown programs. Do the same for the currently open ports, so that you can later see whether an unknown port has been opened. Of course, if you can identify every process and port, this step can be omitted.
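One way to automate the comparison in step 14, added here as an example and not part of the original tutorial: it reads saved `netstat -ano` and `tasklist /fo csv /nh` output and lists listeners that were not in the baseline. The function names and sample captures are constructed for illustration.

```python
import csv
import io

def parse_tasklist(csv_text):
    """Map PID -> image name from `tasklist /fo csv /nh` output."""
    rows = csv.reader(io.StringIO(csv_text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def parse_listeners(netstat_text, pid_names):
    """Return {(proto, port, image)} for listening TCP sockets and bound UDP
    sockets in `netstat -ano` output."""
    found = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 5 and f[0] == "TCP" and f[3] == "LISTENING":
            pid = int(f[4])
        elif len(f) == 4 and f[0] == "UDP":
            pid = int(f[3])
        else:
            continue  # header lines and established connections
        port = int(f[1].rsplit(":", 1)[1])
        found.add((f[0], port, pid_names.get(pid, "pid %d" % pid)))
    return found

def new_since_baseline(baseline, current):
    """Listeners present now that were not in the saved baseline."""
    return sorted(current - baseline)

# Constructed sample captures, not taken from a real server.
TASKS = '''"System","4","Console","0","216 K"
"inetinfo.exe","1840","Console","0","9,120 K"
"svchost.exe","2264","Console","0","4,300 K"
"unknown.exe","3120","Console","0","2,048 K"
'''
BASELINE_NETSTAT = """
  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1840
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING       2264
"""
CURRENT_NETSTAT = BASELINE_NETSTAT + """\
  TCP    0.0.0.0:5800           0.0.0.0:0              LISTENING       3120
  TCP    10.0.0.5:80            10.0.0.9:1042          ESTABLISHED     1840
  UDP    0.0.0.0:1434           *:*                                    3120
"""

if __name__ == "__main__":
    names = parse_tasklist(TASKS)
    base = parse_listeners(BASELINE_NETSTAT, names)
    for item in new_since_baseline(base, parse_listeners(CURRENT_NETSTAT, names)):
        print("new listener: %s %d (%s)" % item)
```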
