Home > Others

Win2003 Web server NTFS permissions setting graphics and text method _win Server

Source: Internet
Author: User
Tags goto file permissions ntfs permissions
Developer on Alibaba Coud: Build your first app with APIs, SDKs, and tutorials on the Alibaba Cloud. Read more >
Generally speaking, the former is more difficult to configure, reference some of the other people's configuration and some of their own practice, to find a relatively satisfied with my practice, due to the limited level of personal, I hope the experts pointed out that I lack of place, thank you. Because recently busy other things, and so busy after the part of the IIS configuration also have their own to tidy up some of the data to serve ~ ~ Then we can go to the forum www.n0ws.com to see, but this blog is also to provide relevant information to download.
Here are my practices:
First, configure the permissions under the system disk (for example, C disk) (the default folder for IIS has been removed)
1. System disk:Select the system disk, properties, Security tab, and delete other groups or users except the administrators and system groups.
2. Program Files:Right-click Folder-> Select Properties-> Select the "Security" tab-> click the "Advanced" option-> Select "Allow parent ..." and "Use this to show ..."-> click "Copy"-> click OK to exit the Advanced security settings-> Remove the Security tab from groups or users other than administrators and the system group

The Advanced security settings effect is as follows:


3. Program Files/common File/users:Under the common File folder under Program files, locate the system add users, and the default permissions are available. The so-called default permission is that you add this user system to automatically grant this user permission to manipulate folders or files. (Someone may ask why you want to set the permissions for users on this folder?) A: There are some DLL files in this section that are needed when createobject in ASP.
4. Documents and Settings:Go to the system disk, select the Documents and Settings folder right and remove any users or groups other than the administrator, System, Power Users group. Access to the Documents and Settings folder, the administrator of this folder does not need to set permissions. All Users folder, go to Advanced option Select "Use the directory that is shown here that can be applied to child objects to replace all child object permission Entries", OK, under the Security tab, delete other user groups and users except Administrator and system, click OK. Default Users folder, go to Advanced option Select "Use the directory that is shown here to be applied to child objects to replace permission entries for all child objects", OK, under the Security tab, delete the administrator, System, power User groups and users other than users, click OK.
5. Windows:Right-key folder-> Select Properties-> Select the "Security" tab-> Remove the user-> Click OK except the Administrator and system.
6. Windows/temp:Right-click Folder-> Select Properties-> Select the Security tab-> Add the Users group-> set the Users group to have read only, write permissions.
7. Other folders under the root directory:Right-click Folder-> Select Properties-> Select the "Security" tab-> click the "Advanced" option-> Select "Allow parent ..." and "Use this to show ..."-> click "Copy"-> click OK, exit Advanced security settings-> put "security" tab in addition to Administrators and system group or user deletion
8. Batch processing:Next is some special folders, file permissions, some service modifications, the deletion of dangerous components.
The portion of the batch is finally attached with the following Save as *.bat or directly from the download where I provided the download.
Copy Code code as follows:

@echo off
ECHO.
ECHO.
ECHO. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ECHo.
ECHo "Windows2003ntfs Hardening Script"
ECHo.
ECHO. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ECHO.
ECHO.
ECHO. -------------------------------------------------------------------------
ECHo please follow the prompts to back up the registry, otherwise you can not restore after modification, I am not responsible.
ECHO.
ECHO Yes=next Set No=exit (this time Second default for N)
ECHO. -------------------------------------------------------------------------
choice/t 30/c yn/d N
if errorlevel 2 goto end
if errorlevel 1 goto next
: Next
If EXIST backup (echo.) Else MD Backup
If EXIST temp (rmdir/s/q TEMP|MD temp) Else MD Temp
If EXIST backup\backupkey.reg (move Backup\backupkey.reg backup\backupkey_old.reg) Else Goto run
: Run
regedit/e temp\backup-reg1.key1 "Hkey_local_machine\system\currentcontrolset\"
regedit/e Temp\backup-reg2.key2 "Hkey_classes_root\"
copy/b/y/v Temp\backup-reg1.key1+temp\backup-reg2.key2 Backup\backupkey.reg
If exist Backup\wshom.ocx (echo backup already exists) Else copy/v/y%systemroot%\system32\wshom.ocx Backup\wshom.ocx
If exist Backup\shell32.dll (echo backup already exists) Else copy/v/y%systemroot%\system32\shell32.dll Backup\shell32.dll
ECHO Backup is complete
ECHO.
Goto NEXT2
: next2
ECHO.
ECHO. -------------------------------------------------------------------
ECHo Modify Permissions System32 directory unsafe several EXE files, change only administrators only have permission to run
ECHO Yes=next Set No=this set Ignore (this time Second default for y)
ECHO. -------------------------------------------------------------------
choice/t 30/c yn/d y
if errorlevel 2 goto NEXT3
if errorlevel 1 goto next21
: next21
echo Y|cacls.exe%systemroot%\system32\net.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\net1.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\cmd.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\tftp.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\netstat.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\regedit.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\at.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\attrib.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\cacls.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\fortmat.com/g administrators:f
echo Y|cacls.exe%systemdrive%\boot.ini/g administrators:f
Echo Y|cacls.exe%systemdrive%\autoexec. Bat/g administrators:f
echo Y|cacls.exe%systemroot%/system32\ftp.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\secedit.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\gpresult.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\gpupdate.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\logoff.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\shutdown.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\telnet.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\wscript.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\doskey.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\help.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\ipconfig.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\nbtstat.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\print.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\debug.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\regedt32.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\reg.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\register.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\replace.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\nwscript.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\share.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\ping.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\ipsec6.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\netsh.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\edit.com/g administrators:f
echo Y|cacls.exe%systemroot%\system32\route.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\tracert.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\powercfg.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\nslookup.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\arp.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\rsh.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\netdde.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\mshta.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\mountvol.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\setx.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\find.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\where.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\finger.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\regsvr32.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\sc.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\shadow.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\runas.exe/g administrators:f
echo Y|cacls.exe%systemroot%\pchealth\helpctr\binaries\msconfig.exe/g administrators:f
echo Y|cacls.exe%systemroot%\notepad.exe/g administrators:f
echo Y|cacls.exe%systemroot%\regedit.exe/g administrators:f
echo Y|cacls.exe%systemroot%\winhelp.exe/g administrators:f
echo Y|cacls.exe%systemroot%\winhlp32.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\edlin.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\posix.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\atsvc.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\qbasic.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\runonce.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\syskey.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\cscript.exe/g administrators:f
echo Y|cacls.exe%systemroot%\system32\sethc.exe/g administrators:f

echo "C Disk permission set"
cacls "%systemroot%/registration"/R "Everyone"/e

echo "Remove permission to create owner in the Windows directory of C disk"
cd/

cacls "%systemroot%/repair"/r "Create owner"/e
cacls "%systemroot%/system32"/r "Create owner"/e
cacls "%systemdrive%/system32/config"/r "Create owner"/e
cacls "%systemroot%/system32/wbem"/r "Create owner"/e

echo "Remove permissions for Power Users under Windows folders"

cacls "%systemroot%/repair"/R "Power Users"/e
cacls "%systemroot%/system32"/R "Power Users"/e
cacls "%systemdrive%/system32/config"/R "Power Users"/e
cacls "%systemroot%/system32/wbem"/R "Power Users"/e

echo "Remove access rights for users under Windows"

cacls "%systemroot%/addins"/R "users"/e
cacls "%systemroot%/apppatch"/R "users"/e
cacls "%systemroot%/connection Wizard"/r "users"/e
cacls "%systemroot%/debug"/R "users"/e
cacls "%systemroot%/driver Cache"/r "users"/e
cacls "%systemroot%/help"/R "users"/e
cacls "%systemroot%/iis Temporary Compressed Files"/r "users"/e
cacls "%systemroot%/java"/R "users"/e
cacls "%systemroot%/msagent"/R "users"/e
cacls "%systemroot%/mui"/R "users"/e
cacls "%systemroot%/repair"/R "users"/e
cacls "%systemroot%/resources"/R "users"/e
cacls "%systemroot%/security"/R "users"/e
cacls "%systemroot%/system"/R "users"/e
cacls "%systemroot%/tapi"/R "users"/e
cacls "%systemroot%/temp"/R "users"/e
cacls "%systemroot%/twain_32"/R "users"/e
cacls "%systemroot%/web"/R "users"/e
cacls "%SYSTEMROOT%/SYSTEM32/3COM_DMI"/R "users"/e
cacls "%systemroot%/system32/administration"/R "users"/e
cacls "%systemroot%/system32/cache"/R "users"/e
cacls "%systemroot%/system32/catroot2"/R "users"/e
cacls "%systemroot%/system32/com"/R "users"/e
cacls "%systemroot%/system32/config"/R "users"/e
cacls "%SYSTEMROOT%/SYSTEM32/DHCP"/R "users"/e
cacls "%systemroot%/system32/drivers"/R "users"/e
cacls "%systemroot%/system32/export"/R "users"/e
cacls "%systemroot%/system32/icsxml"/R "users"/e
cacls "%systemroot%/system32/lls"/R "users"/e
cacls "%systemroot%/system32/logfiles"/R "users"/e
cacls "%systemroot%/system32/microsoftpassport"/R "users"/e
cacls "%systemroot%/system32/mui"/R "users"/e
cacls "%systemroot%/system32/oobe"/R "users"/e
cacls "%systemroot%/system32/shellext"/R "users"/e
cacls "%systemroot%/system32/wbem"/R "users"/e

Goto NEXT3
: NEXT3
ECHO.
ECHO.
ECHO. ------------------------------------------------------------------------
ECHo prohibits unnecessary services, press CTRL + C if you want to exit
ECHO Yes=next Set No=this set Ignore (this time Second default for y)
ECHO. ------------------------------------------------------------------------
choice/t 30/c yn/d y
if errorlevel 2 goto NEXT4
if errorlevel 1 goto next31
: next31
echo Windows Registry Editor Version 5.00 >temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\lanmanworkstation] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\alerter] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\browser] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\dfs] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\scheduler] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\lmhosts] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\tlntsvr] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [hkey_local_machine\system\currentcontrolset\services\remoteaccess] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\ntmssvc] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\remoteregistry] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\trkwks] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\ersvc] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\messenger] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [Hkey_local_machine\system\currentcontrolset\services\netdde] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CURRENTCONTROLSET\SERVICES\NETDDEDSDM] >>temp\services.reg
echo "Start" =dword:00000004 >>temp\services.reg
REGEDIT/S Temp\services.reg

ECHO.
Goto NEXT4
: NEXT4
ECHO.
ECHO. -------------------------------------------------------------------------
ECHo prevents human intrusion and attack. If you want to quit, press CTRL + C
ECHO Yes=next Set No=this set Ignore (this time Second default for y)
ECHO. -------------------------------------------------------------------------
choice/t 30/c yn/d y
if errorlevel 2 goto NEXT5
if errorlevel 1 goto next41

: next41
echo Windows Registry Editor Version 5.00 >temp\skyddos.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] >>temp\skyddos.reg
echo "EnableDeadGWDetect" =dword:00000000 >>temp\skyddos.reg
echo "Enableicmpredirects" =dword:00000000 >>temp\skyddos.reg
echo "PerformRouterDiscovery" =dword:00000000 >>temp\skyddos.reg
echo "NoNameReleaseOnDemand" =dword:00000001 >>temp\skyddos.reg
echo "KeepAliveTime" =dword:000493e0 >>temp\skyddos.reg
echo "EnablePMTUDiscovery" =dword:00000000 >>temp\skyddos.reg
echo "SynAttackProtect" =dword:00000002 >>temp\skyddos.reg
echo "TcpMaxHalfOpen" =dword:00000064 >>temp\skyddos.reg
echo "TcpMaxHalfOpenRetried" =dword:00000050 >>temp\skyddos.reg
echo "TcpMaxConnectResponseRetransmissions" =dword:00000001 >>temp\skyddos.reg
echo "TcpMaxDataRetransmissions" =dword:00000003 >>temp\skyddos.reg
echo "TCPMaxPortsExhausted" =dword:00000005 >>temp\skyddos.reg
echo "DisableIPSourceRouting" =dword:0000002 >>temp\skyddos.reg
echo "TcpTimedWaitDelay" =dword:0000001e >>temp\skyddos.reg
echo "EnableSecurityFilters" =dword:00000001 >>temp\skyddos.reg
echo "TcpNumConnections" =dword:000007d0 >>temp\skyddos.reg
echo "Tcpmaxsendfree" =dword:000007d0 >>temp\skyddos.reg
echo "IGMPLevel" =dword:00000000 >>temp\skyddos.reg
echo "DefaultTTL" =dword:00000016 >>temp\skyddos.reg
echo Delete ipc$ (Internet Process Connection) is a resource that shares a named pipe
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>temp\skyddos.reg
echo "RestrictAnonymous" =dword:00000001 >>temp\skyddos.reg
echo [Hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\interfaces\interfaces] >>temp\ Skyddos.reg
echo "PerformRouterDiscovery" =dword:00000000 >>temp\skyddos.reg
echo [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters] >>temp\skyddos.reg
echo "Backlogincrement" =dword:00000003 >>temp\skyddos.reg
echo "Maxconnbacklog" =dword:000003e8 >>temp\skyddos.reg
echo [Hkey_local_machine\system\currentcontrolset\services\afd\parameters] >>temp\skyddos.reg
echo "EnableDynamicBacklog" =dword:00000001 >>temp\skyddos.reg
echo "MinimumDynamicBacklog" =dword:00000014 >>temp\skyddos.reg
echo "MaximumDynamicBacklog" =dword:00002e20 >>temp\skyddos.reg
echo "DynamicBacklogGrowthDelta" =dword:0000000a >>temp\skyddos.reg
echo [Hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters] >>temp\skyddos.reg
echo "AutoShareServer" =dword:00000000 >>temp\skyddos.reg
REGEDIT/S Temp\skyddos.reg
ECHO.
ECHO.
Goto NEXT5
: NEXT5
ECHO.
ECHO. ------------------------------------------------------------------------
ECHo prevents ASP Trojans from running dismount Wscript.Shell, Shell.Application, wscript.network
ECHO Yes=next Set No=this set Ignore (this time Second default for y)
ECHO. -----------------------------------------------------------------------
choice/t 30/c yn/d y
if errorlevel 2 goto NEXT6
if errorlevel 1 goto next51
: Next51
echo Windows Registry Editor Version 5.00 >temp\del.reg
echo [-hkey_classes_root\shell.application] >>temp\del.reg
echo [-hkey_classes_root\shell.application.1] >>temp\del.reg
echo [-hkey_classes_root\clsid\{13709620-c279-11ce-a49e-444553540000}] >>temp\del.reg
echo [-hkey_classes_root\adodb.command\clsid] >>temp\del.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}] >>temp\del.reg
REGEDIT/S Temp\del.reg
Regsvr32/u%systemroot%\system32\wshom.ocx
del/f/q%systemroot%\system32\wshom.ocx
regsvr32/u%systemroot%\system32\shell32.dll
del/f/q%systemroot%\system32\shell32.dll
RMDIR/Q/S Temp

ECHO.
Goto NEXT6
: Next6
ECHO.
ECHO.
ECHO. ---------------------------------------------------------------------
The ECHo setting has completed a reboot before it can take effect.
ECHO yes=reboot Server No=exit (this Second default for y)
ECHO. ----------------------------------------------------------------------
choice/t 30/c yn/d y
if errorlevel 2 goto end
if errorlevel 1 goto reboot
: Reboot
SHUTDOWN/R/T 0
: End
If EXIST temp (rmdir/s/q temp|exit) Else exit

This article is an English version of an article which is originally in the Chinese language on aliyun.com and is provided for information purposes only. This website makes no representation or warranty of any kind, either expressed or implied, as to the accuracy, completeness ownership or reliability of the article or any translations thereof. If you have any concerns or complaints relating to the article, please send an email, providing a detailed description of the concern or complaint, to info-contact@alibabacloud.com. A staff member will contact you within 5 working days. Once verified, infringing content will be removed immediately.

Related Keywords:
ntfs and share permissions web server permissions setting up server web hosting setting up web hosting server setting server setting up web server on mac sql server list database users and permissions

Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

What's Trending
Top 10 Tags
datastax versions naming convention zookeeper client class definition md5 microsoft sql server 2005 data structures exception handling error handling
Top 10 Keywords
microsoft download center down wordpress address url site address url wordpress address url windows installer 4 0 download 302 not found web address url definition site address url wordpress db2 integer mac os installation step by step pdf abbreviation for return

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

Get Started for Free

  • Sales Support

    1 on 1 presale consultation

    Chat Contact Sales

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

    Open a Ticket

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.

    Learn More