Win2003 Server Security Configuration Tips (page 1 of 3)

Source: Internet
Author: User
The premise here is that the system is already installed, along with IIS, the FTP server, the mail server and so on. The specific configuration methods for these are not repeated here; we focus on the security aspects of the configuration.

About the routine measures: installing the system securely, setting up and managing accounts, shutting down redundant services, audit policies, changing the terminal management port, configuring MS-SQL, removing dangerous stored procedures, connecting with the least-privileged public account, etc.

First of all, NTFS disk permission settings. You may have seen plenty on this already, but on 2003 Server there are some details to pay attention to, and I see that many articles do not cover them completely.

Give the C: drive permissions only to Administrators and SYSTEM, and no other permissions; the other drives can be set the same way. The SYSTEM permission here does not necessarily have to be granted. It is included only because some third-party applications are launched as services and need this user, otherwise they will not start.

The Windows directory should have the default permissions for Users added, otherwise applications such as ASP and ASPX will not run. Some people used to set permissions on the INSTSRV and temp directories separately; in fact, there is no need for that.

In addition, C:/Documents and Settings/ is important here: the permissions on the directories beneath it do not inherit from the settings made above. If you only set the C: drive to Administrators permissions, the Everyone user still has full control in the All Users/Application Data directory, so an intruder can jump to this directory, write scripts or files, and then combine this with other vulnerabilities to elevate privileges, for example the Serv-U local overflow, missing system patches, database weaknesses, even social engineering, and many other methods. An expert once boasted: "As long as you give me a webshell, I can get SYSTEM", and this is certainly possible. On systems used as web/FTP servers, it is recommended that these directories be locked down. The directories on each of the other disks are set in the same way, and no disk is given permissions beyond Administrators.

In addition, set the following files to allow access only by Administrators: net.exe, cmd.exe, tftp.exe, netstat.exe, regedit.exe, at.exe, attrib.exe, cacls.exe.
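The permission rules above can be checked from saved ACL listings. The following is an added example, not part of the original article: it parses cacls-style output and reports every trustee other than Administrators and SYSTEM. The listing layout, the sample data and the function names are assumptions made for illustration.

```python
import re

# Trustees the article permits on locked-down paths (it treats SYSTEM as optional).
ALLOWED = {"builtin\\administrators", "nt authority\\system"}

# One ACE in cacls-style output: trustee, inheritance flags, access letter
# (F full control, C change, R read, W write). Layout is an assumption.
ACE_RE = re.compile(r"^(?P<trustee>.+?):(?:\([A-Z]+\))*(?P<access>[FCRW])$")

def parse_cacls(path, output):
    """Return [(trustee, access)] for one path; unparsed lines get access '?'."""
    aces = []
    for i, line in enumerate(output.splitlines()):
        if i == 0 and line.startswith(path):
            line = line[len(path):]      # first ACE shares a line with the path
        line = line.strip()
        if not line:
            continue
        m = ACE_RE.match(line)
        # Fail closed: anything we cannot parse is reported for manual review.
        aces.append((m["trustee"], m["access"]) if m else (line, "?"))
    return aces

def audit(listings, allowed=ALLOWED):
    """Return (path, trustee, access) for every ACE held by a non-allowed trustee."""
    return [(path, trustee, access)
            for path, output in listings
            for trustee, access in parse_cacls(path, output)
            if trustee.lower() not in allowed]

# Constructed sample listings (not captured from a real server).
SAMPLE = [
    (r"C:\Documents and Settings\All Users\Application Data",
     r"""C:\Documents and Settings\All Users\Application Data Everyone:(OI)(CI)F
                    BUILTIN\Administrators:(OI)(CI)F
                    NT AUTHORITY\SYSTEM:(OI)(CI)F"""),
    (r"C:\WINDOWS\system32\cmd.exe",
     r"""C:\WINDOWS\system32\cmd.exe BUILTIN\Administrators:F"""),
]

if __name__ == "__main__":
    for path, trustee, access in audit(SAMPLE):
        print(f"{path}: {trustee} has {access}")
```

Lines the parser does not recognise are reported with access "?" rather than skipped, so an unusual entry is never silently treated as compliant.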

Disable unnecessary services. Although attackers may not be able to use them, security rules and standards say that superfluous things should not be left open, which removes one more hidden danger.

In "Network Connections", delete all the unneeded protocols and services, install only the basic Internet Protocol (TCP/IP), and additionally install the QoS Packet Scheduler for the bandwidth flow service. In Advanced TCP/IP Settings, under the "NetBIOS" setting, disable NetBIOS over TCP/IP. In the Advanced options, use the Internet Connection Firewall, the firewall that comes with Windows 2003 and is not present in the 2000 system. Although it is not feature-rich, it can screen ports, which basically achieves the functionality of an IPSec policy.

Here we open the corresponding ports according to the services required. On a 2003 system, the port filtering function of TCP/IP filtering is not recommended. Take an FTP server as an example: if only port 21 is opened, then because of the particular nature of the FTP protocol, with its port mode and passive mode, high ports need to be opened dynamically during data transfer, so with TCP/IP filtering in use the connection often succeeds but listing the directory and transferring data then fail. The Windows connection firewall added in the 2003 system solves this problem very well, so using the TCP/IP filtering function of the NIC is not recommended.
