Windows 2003 Server Security Configuration tutorial

1. Select a program with technical support from the official website for a large number of users, or select a program with a cold door. The colder the program, the better.

For example, both discuz and dedecms are good. Although there are a variety of vulnerabilities, they are quickly patched. As long as you patch them in time, the website is quite secure. Of course, you can also choose the unpopular program, and there are not many people using the program. Of course, there are few people who study its vulnerabilities. For example, the sablog developed by security Angel is good and niche, it is also safe and reliable. When can I see that he has cracked a vulnerability?

2. Perform code security detection and secondary development on your own if necessary.

Qualified e-businesses must perform secondary development on these open-source programs. Secondary development not only meets e-commerce needs, you can also fix a large number of undiscovered 0-day vulnerabilities (such as SQL injection, cross-site xss, and session spoofing) to make your website safer.

3. Shut down unnecessary services and processes on the server. Fewer services and fewer attacks.

When have you seen freebsd vulnerabilities? On the contrary, isn't windows with powerful functions prone to daily vulnerabilities? The more features, the more security factors need to be taken into account in all aspects. A point that is not taken into account is a devastating blow. The service configuration can be configured as follows:

Web + database tutorial 1 server: enable web service; enable iis service; enable SQL/mysql tutorial service; install filezilla ftp server software (do not use serv-u, full of vulnerabilities, you know); firewall should not be enabled when it passes through 80, 21; 1433 or 3306, connect to the database directly through local connection, and do not give intruders any chance;

Single database server: enable the SQL/mysql service; install the filezilla ftp server software (used to upload and download the backup database); the firewall only uses port 21;

In short, services and software that are not needed are all turned off, and ports must be filtered out.

The figure is as follows:

Enable and disable services (control panel --- management tools --- services ):

 

Port enabling and filtering (control panel --- firewall ):

 

4. Configure iis and directory permissions.

Iis deletes unnecessary mappings. Do not grant permissions to directories. Each website corresponds to a guest permission account. Do not use the same account for all websites !!!

The configuration diagram is as follows:

Iis ing deletion & current permission configuration:

 

 

Iis Directory account binding settings:

 

After completing the above basic security settings, if the enterprise website is an access database, remember to do a good job of anti-download settings, in addition to modifying the complexity of the website background management system and limiting ip access, at the same time, you can set a complex password for the website management password and all account passwords related to the server, and change the password regularly. If you are afraid to forget the password, you can save your account password on paper. Do not save it on your own PC!

All right, after completing the above basic work, install anti-virus software on the server (360 anti-virus, install anti-virus separately, and do not install security guards). Regularly patch the system, and the server will be much safer, at the very least, if hackers want to intrude into your website, they have to work hard.