Server security (1): hard disk partitioning and operating system installation
- Hard disk partitioning
In general there is little about hard disk partitioning that deserves deep analysis: it comes down to planning ahead what will go where. If you really have no idea, then make the whole drive a single partition. Do the partitioning in one go, as NTFS from the start; do not create FAT32 and then convert to NTFS. My personal habit is to give the system disk about 12 GB. I recommend doing the partitioning from the installation CD-ROM rather than with partitioning software loaded on the hard drive.
- System Installation
The following uses Windows 2003 as the example.
There is not much to say about the installation process; it is a matter of personal preference. I suggest keeping the default installation path. Many articles say to change the installation path, but this is unnecessary: the path is stored in the registry, so changing it achieves nothing. During installation, select only the services you need; for example, if there is no specific need for DNS or DHCP, do not install them. You can keep only the TCP/IP entry in the NIC properties during installation and disable NetBIOS. When installation completes, if bandwidth allows, bring the system online and let it update itself.
Part Two: System permissions and security configuration
All of the above is just idle talk, a bit of rhetorical polish. (I was a man of letters once.)
Now to the real thing: the practical stage of setting system permissions and security configuration.
There is a saying about system configuration on the Internet: "minimum permissions + minimum services = maximum security." Almost everyone has read this sentence, but I have not seen a more detailed and comprehensive article about it, so below I make an attempt at teaching it from my personal experience!
2.1 How are minimum privileges implemented?
NTFS permission settings
Before use, give the root of each hard drive the Administrators group with Full Control (optionally add the SYSTEM user as well).
Remove the other users. Then, for the system disk, the permissions are as follows:
- C:\WINDOWS: Administrators and SYSTEM get Full Control; the default permissions of Users are left unmodified.
- Other directories: remove the Everyone user. Remember the All Users and Default User directories and their subdirectories under C:\Documents and Settings;
for example, the C:\Documents and Settings\All Users\Application Data directory keeps Everyone permissions in the default configuration.
Permissions under the C:\WINDOWS directory also need attention: C:\WINDOWS\PCHealth and C:\WINDOWS\Installer, for example, also keep the Everyone permission by default.
- Delete the C:\WINDOWS\Web\printers directory. It causes IIS to register the .printers extension, which has been the target of an overflow attack.
- The default IIS error pages are rarely used by anyone. It is recommended to delete the C:\WINDOWS\Help\iisHelp directory.
- Delete C:\WINDOWS\system32\inetsrv\iisadmpwd. It is used to manage IIS passwords, for example with OWA or IISADMPWD to change the password when passwords are out of sync, but you can delete it here: the settings described below eliminate the password synchronisation problem caused by the system settings.
- In C:\Windows, search for the following files:
net.exe; cmd.exe; tftp.exe; netstat.exe; regedit.exe; at.exe; attrib.exe; cacls.exe; format.com;
regsvr32.exe; xcopy.exe; wscript.exe; cscript.exe; ftp.exe; telnet.exe; arp.exe; edlin.exe;
ping.exe; route.exe; finger.exe; posix.exe; rsh.exe; atsvc.exe; qbasic.exe; runonce.exe; syskey.exe
Modify their permissions: remove all users except Administrators and SYSTEM, which keep Full Control.
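An added audit script (not part of the original article) that reports which copies of the executables listed above still grant Allow access to any principal other than Administrators and SYSTEM. It assumes Windows PowerShell 3.0 or later running from an elevated prompt; it changes nothing.

```powershell
# Added example, not from the original article: list every ACE on the named
# executables under %SystemRoot% whose principal is not Administrators or
# SYSTEM. Audit only; nothing is modified.
$binaries = @(
    'net.exe','cmd.exe','tftp.exe','netstat.exe','regedit.exe','at.exe','attrib.exe',
    'cacls.exe','format.com','regsvr32.exe','xcopy.exe','wscript.exe','cscript.exe',
    'ftp.exe','telnet.exe','arp.exe','edlin.exe','ping.exe','route.exe','finger.exe',
    'posix.exe','rsh.exe','atsvc.exe','qbasic.exe','runonce.exe','syskey.exe'
)
# The only principals the article leaves on these files.
$allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

# Search the whole Windows directory, as the article does, not just System32
# (regedit.exe, for instance, lives directly under %SystemRoot%).
$files = Get-ChildItem -Path $env:SystemRoot -Recurse -Include $binaries -ErrorAction SilentlyContinue |
    Where-Object { -not $_.PSIsContainer }

$findings = foreach ($file in $files) {
    $acl = Get-Acl -Path $file.FullName -ErrorAction SilentlyContinue
    if (-not $acl) { continue }          # unreadable ACL: skip rather than abort
    foreach ($ace in $acl.Access) {
        $who = $ace.IdentityReference.Value
        if ($ace.AccessControlType -eq 'Allow' -and $allowed -notcontains $who) {
            [pscustomobject]@{
                Path      = $file.FullName
                Principal = $who
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited   # True: the ACE comes from the parent folder
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Path, Principal | Format-Table -AutoSize -Wrap
} else {
    'All listed executables grant access only to Administrators and SYSTEM.'
}
```

Inherited entries point at a parent directory whose ACL still carries the extra principal, so fix the parent rather than the individual file.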
Close port 445
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Create a new DWORD value named SMBDeviceEnabled and leave its data at the default of 0.
Prohibit null-session (anonymous) connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create a new DWORD value named RestrictAnonymous with data 1 [2003 defaults to 1].
Prevent the system from automatically creating server shares
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a new DWORD value named AutoShareServer with data 0.
Prevent the system from automatically creating administrative shares
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a new DWORD value named AutoShareWks with data 0.
Mitigating small-scale DDoS attacks through the registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named SynAttackProtect with data 1.
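An added drift-check script (not from the original article) for the five registry values above: it reports whether each is set to the value the article prescribes and, with -Fix, writes the expected value. It assumes Windows PowerShell 3.0 or later; -Fix needs an elevated prompt, and some of these values only take effect after a reboot.

```powershell
# Added example, not from the original article: compare the hardening values
# above against their expected DWORD data. Audit by default; -Fix writes them.
param([switch]$Fix)

# Each entry: registry key, value name, expected data and the article's purpose.
$settings = @(
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters';       Name='SMBDeviceEnabled'; Expected=0; Why='close port 445' },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name='RestrictAnonymous'; Expected=1; Why='block null sessions' },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='AutoShareServer';  Expected=0; Why='no automatic server shares' },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name='AutoShareWks';     Expected=0; Why='no automatic admin shares' },
    @{ Key='HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters';        Name='SynAttackProtect'; Expected=1; Why='SYN flood protection' }
)

$report = foreach ($s in $settings) {
    $current = $null
    if (Test-Path $s.Key) {
        # A missing value returns $null; the key itself may also be absent.
        $item = Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.($s.Name) }
    }
    $state = if ($current -eq $s.Expected) { 'OK' }
             elseif ($null -eq $current)   { 'MISSING' }
             else                          { 'DRIFT' }

    if ($state -ne 'OK' -and $Fix) {
        if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
        New-ItemProperty -Path $s.Key -Name $s.Name -PropertyType DWord `
            -Value $s.Expected -Force | Out-Null
        $state = 'FIXED'
    }
    [pscustomobject]@{ Setting=$s.Name; Expected=$s.Expected; Current=$current; State=$state; Purpose=$s.Why }
}

$report | Format-Table -AutoSize
```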
Disable generation of dump files
Dump files are a useful resource for diagnosing problems when the system crashes with a blue screen, but they can also give attackers sensitive information, such as the passwords of some applications. Control Panel > System Properties > Advanced > Startup and Recovery: change "Write debugging information" to (none).
Disable Dr. Watson
Type DrWtsn32 in Start > Run, or go to Start > Programs > Accessories > System Tools > System Information > Tools > Dr Watson, to bring up the system's Dr. Watson. Leave only the "Dump all thread contexts" option checked; otherwise, once a program fails, the hard drive reads for a long time and a lot of space is used. If this has already happened, look for the User.dmp file; deleting it frees tens of MB.
Local security policy configuration
Start > Programs > Administrative Tools > Local Security Policy
- Account Policies > Password Policy > Minimum password age: change to 0 days [that is, no waiting period before a password may be changed; as mentioned above, this avoids the IIS password going out of sync]
- Account Policies > Account Lockout Policy > Account lockout threshold: 5 attempts; Account lockout duration: 10 minutes [my personal recommended configuration]
- Local Policies > Audit Policy:
  - Audit account management: Success, Failure
  - Audit logon events: Success, Failure
  - Audit object access: Failure
  - Audit policy change: Success, Failure
  - Audit privilege use: Failure
  - Audit system events: Success, Failure
  - Audit directory service access: Failure
  - Audit account logon events: Success, Failure
- Local Policies > Security Options:
  - Shutdown: Clear virtual memory pagefile: change to Enabled
  - Interactive logon: Do not display last user name: change to Enabled
  - Interactive logon: Do not require CTRL+ALT+DEL: change to Enabled
  - Network access: Do not allow anonymous enumeration of SAM accounts: change to Enabled
  - Network access: Do not allow anonymous enumeration of SAM accounts and shares: change to Enabled
  - Accounts: Rename guest account: change to a complex account name
  - Accounts: Rename administrator account: change to a personal account name [and create a decoy account named Administrator that belongs to no user group]
Group Policy Editor
Run gpedit.msc, then go to Computer Configuration > Administrative Templates > System > Display Shutdown Event Tracker and change it to Disabled.
Removing unsafe components
Wscript.Shell and Shell.Application are two components that ASP Trojans and other malicious programs commonly use.
- Option I:
regsvr32 /u wshom.ocx    (uninstalls the Wscript.Shell component)
regsvr32 /u shell32.dll  (uninstalls the Shell.Application component)
If you have applied the settings mentioned above, you do not need to delete these two files.
- Option II:
Delete the registry key HKEY_CLASSES_ROOT\CLSID\{72c24dd5-d70a-438b-8a42-98424b88afb8}, which corresponds to Wscript.Shell.
Delete the registry key HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540000}, which corresponds to Shell.Application.
User management
Create another standby administrator account in case of emergencies.
On servers with Terminal Services and SQL Server installed, disable the TsInternetUser and SQLDebugger accounts.
User group notes
For IIS later on, IIS users normally belong to the Guests group, or you can create a separate group for IIS to use, but giving that group Read permission on the C:\Windows directory [read only] is too fiddly, so I personally do not recommend using a separate directory.
2.2 How are minimum services implemented?
In the original, each service name is colour coded: black for Automatic, green for Manual, red for Disabled.
- Alerter
- Application Experience Lookup Service
- Application Layer Gateway Service
- Application Management
- Automatic Updates [Windows Auto Update, optional]
- Background Intelligent Transfer Service
- ClipBook
- COM + Event System
- COM + System Application
- Computer Browser
- Cryptographic Services
- DCOM Server Process Launcher
- DHCP Client
- Distributed File System
- Distributed Link Tracking Client
- Distributed Link Tracking Server
- Distributed Transaction Coordinator
- DNS Client
- Error Reporting Service
- Event Log
- File Replication
- Help and Support
- HTTP SSL
- Human Interface Device Access
- IIS Admin Service
- IMAPI cd-burning COM Service
- Indexing Service
- Intersite Messaging
- IPSEC Services [Automatic if IP Security policies are used, otherwise Disabled; optional]
- Kerberos Key Distribution Center
- License Logging
- Logical Disk Manager [optional; Automatic is recommended with multiple hard drives]
- Logical Disk Manager Administrative Service
- Messenger
- Microsoft Search
- Microsoft Software Shadow Copy Provider
- MSSQLServer
- MSSQLServerADHelper
- Net Logon
- NetMeeting Remote Desktop Sharing
- Network Connections
- Network DDE
- Network DDE DSDM
- Network Location Awareness (NLA)
- Network Provisioning Service
- NT LM Security Support Provider
- Performance Logs and Alerts
- Plug and Play
- Portable Media Serial Number Service [Microsoft anti-piracy tool, currently only relevant to multimedia]
- Print Spooler
- Protected Storage
- Remote Access Auto Connection Manager
- Remote Access Connection Manager
- Remote Desktop Help Session Manager
- Remote Procedure Call (RPC)
- Remote Procedure Call (RPC) Locator
- Remote Registry
- Removable Storage
- Resultant Set of Policy Provider
- Routing and Remote Access
- Secondary Logon
- Security Accounts Manager
- Server
- Shell Hardware Detection
- Smart Card
- Special Administration Console Helper
- SQLServerAgent
- System Event Notification
- Task Scheduler
- TCP/IP NetBIOS Helper
- Telephony
- Telnet
- Terminal Services
- Terminal Services Session Directory
- Themes
- Uninterruptible Power Supply
- Upload Manager
- Virtual Disk Service
- Volume Shadow Copy
- WebClient
- Windows Audio [a server does not need sound]
- Windows firewall/internet Connection Sharing (ICS)
- Windows Image Acquisition (WIA)
- Windows Installer
- Windows Management Instrumentation
- Windows Management Instrumentation Driver Extensions
- Windows time
- Windows User Mode Driver Framework
- WinHTTP Web Proxy auto-discovery Service
- Wireless Configuration
- WMI Performance Adapter
- Workstation
- World Wide Web Publishing Service
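Because the desired start mode of each service depends on the server's role, the useful check is not a fixed list but a baseline: record the start mode and state of every service after hardening, then diff later runs against it so that a service re-enabled by an update, an installer or an intruder stands out. This is an added example (not from the original article); it assumes Windows PowerShell 3.0 to 5.1 (for Get-WmiObject) and an assumed baseline path of C:\hardening\services-baseline.csv.

```powershell
# Added example, not from the original article: snapshot service start modes
# and states, or diff the current state against a saved snapshot.
param([string]$BaselineCsv = 'C:\hardening\services-baseline.csv')  # assumed location

# Win32_Service exposes StartMode (Auto/Manual/Disabled), which Get-Service
# on older PowerShell versions does not.
$current = Get-WmiObject -Class Win32_Service |
    Select-Object Name, DisplayName, StartMode, State |
    Sort-Object Name

if (-not (Test-Path $BaselineCsv)) {
    # First run: write the baseline and stop.
    New-Item -ItemType Directory -Path (Split-Path $BaselineCsv) -Force | Out-Null
    $current | Export-Csv -Path $BaselineCsv -NoTypeInformation
    "Baseline written to $BaselineCsv with $($current.Count) services."
    return
}

$baseline = Import-Csv -Path $BaselineCsv
$drift = @(foreach ($svc in $current) {
    $old = $baseline | Where-Object { $_.Name -eq $svc.Name }
    $now = "$($svc.StartMode)/$($svc.State)"
    if (-not $old) {
        [pscustomobject]@{ Service=$svc.Name; Change='NEW'; Before='-'; After=$now }
    } elseif ($old.StartMode -ne $svc.StartMode -or $old.State -ne $svc.State) {
        [pscustomobject]@{ Service=$svc.Name; Change='CHANGED'; Before="$($old.StartMode)/$($old.State)"; After=$now }
    }
})
# Services that were in the baseline but no longer exist.
foreach ($old in $baseline) {
    if (-not ($current | Where-Object { $_.Name -eq $old.Name })) {
        $drift += [pscustomobject]@{ Service=$old.Name; Change='REMOVED'; Before="$($old.StartMode)/$($old.State)"; After='-' }
    }
}

if ($drift) { $drift | Format-Table -AutoSize } else { "No service drift against $BaselineCsv." }
```

Re-run the script after any deliberate change and delete the CSV to re-baseline, so that only unexpected changes are reported.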
Having completed the above, have we achieved "minimum permissions + minimum services = maximum security"? No; everything is relative.
In my view the settings above are only the most basic things; if there are omissions, I will fill them in later!