Windows 2003 server Security Settings Graphics Tutorial _win server

Source: Internet
Author: User
Tags anonymous ini net command parent directory sql injection web services ftp protocol net send


First, the system installation



1, according to the WINDOWS2003 installation CD-ROM prompts installation, by default, 2003 did not install IIS6.0 installed in the system.
2, the installation of IIS6.0
Start Menu-> Control Panel-> Add or Remove Programs-> Add/Remove Windows Components
Application ——— asp.net (optional)
|--Enable network COM + access (required)
|--internet Information Services (IIS) ——— Internet Information Services Manager (required)
|--Public files (required)
|--World Wide Web service ——— Active Server pages (required)
|--internet data connector (optional)
|--webdav Release (optional)
|--WWW service (required)
|--on server-side include file (optional)




Then click OK-> next installation.



3, the System Patch update 
Click Start Menu-> All Programs->windows update
Follow the prompts to install the patches.
4. Backup system
With Ghost backup system (software download http://www.jb51.net/softs/54.html This is green software, very convenient, if you can use http://www.jb51.net/softs/8860.html).
5, the installation of commonly used software
For example: Anti-Virus software McAfee, decompression software winrar and so on, after installation with Ghost again back up the system.



More utility software on the server can be downloaded to the s.jb51.net.



Second, the System permissions settings


1. Disk Permissions
system disk and all disks only give full control to the Administrators group and system
System disk \documents and Settings directory gives only full control to Administrators group and system
The system disk \documents and Settings\All Users Directory is for Administrators groups and system
Full Control of permissions
System disk \inetpub directory and all of the following directories, files only to the Administrators group and system Full Control permissions
System disk \windows\system32\cacls.exe, Cmd.exe, Net.exe, net1.exe files are only given to
Full Control permissions for the Administrators group and SYSTEM
2. Local Security policy settings
Start Menu-> Administration Tools-> Local Security Policy
A, local policy--> audit policy
Audit policy Change failed successfully
Audit logon event failed successfully
Audit object access failed
Audit process Tracking No audit
Audit directory service access failed
Audit privilege usage failed
Audit system Event failed successfully
Audit account logon event failed successfully
Audit account Management failed successfully
B, local policy--> user Rights Assignment
Shutdown system: Only Administrators group, all other delete.
Deny login via Terminal Services: Join guests, user group
Allow login via Terminal Services: Only join Administrators group, all other delete
C, Local policy--> security options
Interactive login: Do not display last user name enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares to enable
Network access: Enable for network authentication store credentials is not allowed
Network access: All shares that can be accessed anonymously are deleted
Network access: Anonymous access to all of the lives deleted
Network access: Remote access to the registry path all deleted
Network access: Remotely accessible registry paths and subpath Delete all
Account: Rename guest account rename an account
Accounts: Renaming a system administrator account renaming an account
3. Disabling unnecessary services
Start Menu-> management tools-> Services
Print Spooler
Remote Registry
TCP/IP NetBIOS Helper
Server
These are disabled in services that are started by default on the Windows Server 2003 system, and the default disabled service does not start if it is not specifically needed.
4. Enable firewall
Desktop-> Network Neighborhood-> (right) property-> Local Area Connection-> (right) property-> Advanced-> (checked) Internet Connection Firewall-> settings
Select the service port that you want to use on the server
For example: A Web server, to provide Web (80), FTP (21) services, and Remote Desktop Management (3389)
On the "FTP server", "Web server (HTTP)", "Remote Desktop" before the check mark
If you want to provide the service port is not inside, you can also click on "Add" ammonium Shilai Add, specific parameters can refer to the original parameters of the system.
then click OK. Note: If you are managing this server remotely, first determine if the remotely administered port is selected or added.



The security of the WIN2003 server has improved significantly compared to Win2K, but with Win2003
Is the server really safe as the servers? How can you build a secure personal Web server? Here are some suggestions:



Installation of Windows Server2003
1, the installation system requires at least two partitions, the partition format is formatted with NTFS
2. Install 2003 systems in the case of disconnected network
3, install IIS, install only the necessary IIS components (disable unwanted such as FTP and SMTP
Services). By default, the IIS service is not installed, select Application Server in the Add/Remove Win component, click Details, double-click Internet Information Services (IIS), and select the following options:
Internet Information Services Manager;
Common Files;
Background Intelligent Transfer Service (BITS) server Extensions;
World Wide Web services.
If you use a FrontPage-extended Web site, check again: FrontPage 2002 Server Extensions
4, the installation of MSSQL and other software required and then update.
5. Use the MBSA provided by Microsoft (Microsoft Baseline Security Analyzer)
Tools to analyze the security configuration of your computer and identify missing patches and updates. Download Address: See the link at the end of the page



Ii. setting up and managing accounts



1, the system administrator account is best to build less, change the default Administrator account name (administrators) and description, the password is best to use the number of lowercase letters plus number of the upper file key combination, the length of the best not less than 14 bits.
2, create a new name for the administrator of the trap account, set the minimum permissions, and then casually enter the combination of the best not less than 20-bit password
3, disable the Guest account and change the name and description, and then enter a complex password, of course, now also has a delguest tool, perhaps you can also use it to delete the Guest account, but I did not try.
4, in the operation of the input gpedit.msc enter, open Group Policy Editor, select the Computer Configuration-windows Settings-security Settings-account strategy-account lockout policy, the account is set to "three login invalid", "Lockout time is 30 minutes", "Reset lock count is set to 30 minutes."
5, in the security settings-Local policy-security options, "Do not display the last user name" set to enable
6, in the security settings-Local policy-user rights assignment in the "Access this computer from the network" only keep the Internet Guest account, start the IIS process account. If you use ASP.net, keep the ASPNET account.
7, create a user account, run the system, if you want to run privileged commands using the runas command.



Third, Network Service security management


1, prohibit the default share of C $, d$, admin$ class
Open the registry, Hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters, and create a new DWORD value in the right window. The name is set to the AutoShareServer value set to 0
2, the release of NetBIOS and TCP/IP protocol binding
Right-click Network Neighborhood-Properties-right-click Local Connection-Properties-double-click Internet Protocol-Advanced-wins-Disable NetBIOS on TCP/IP
3, turn off unwanted services, the following is the recommended option
Computer Browser: Maintaining network computer updates, disabling
Distributed file System: LAN management shared files, no need to disable
Distributed linktracking client: For LAN update connection information, no need to disable
Error Reporting Service: Prohibit sending errors report
Microsoft serch: Provides fast word search without the need to disable
Ntlmsecuritysupportprovide:telnet Service and Microsoft Serch, no need to disable
Printspooler: If there are no printers to disable
Remote Registry: Disable the registry from being modified remotely
Remote Desktop help session Manager: No distance assistance
Iv. Open the appropriate audit policy
Enter Gpedit.msc carriage return in run, open Group Policy Editor, select Computer Configuration-windows Settings-security Settings-Audit policy when creating an audit project, it is necessary to be aware that if there are too many audited items, the more events are generated, The harder it is to find serious events, of course, if too little is done, it can also affect the way you find serious events, so you need to choose between the two depending on the situation.
Recommended Items to Audit:
Logon event failed successfully
Account Logon event failed successfully
System Event failed successfully
Policy Change failed successfully
Object access failed
Directory Service access failed
Privilege usage failed

v. Other security-related settings
1. Hide Important files/directories
You can modify the registry to achieve complete concealment: "Hkey_local_machine\software\microsoft\windows\
Current-version\explorer\advanced\folder\hi-dden\showall ", right mouse click
"CheckedValue", select Modify, change the value from 1 to 0
2. Start the system with Internet Connection Firewall, check the Web server in the Setting service option.
3. Prevent SYN Flood attack
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value, named SynAttackProtect, with a value of 2
4. Prohibit responding to ICMP routing notification messages
Hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\interfaces\interface
Creates a new DWORD value with the name PerformRouterDiscovery value of 0
5. Prevent ICMP redirect packets from attacking
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the Enableicmpredirects value to 0
6. IGMP protocol not supported
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Creates a new DWORD value with the name IGMPLevel value of 0
7. Disable DCOM:
Enter Dcomcnfg.exe in the run. Enter, click Component Services under Console root. Open the Computers subfolder.
For the local computer, right-click My Computer, and then select Properties. Select the Default Properties tab.
Clear the Enable distributed COM on this computer check box.
Note: 3-6 items I am using the Server2000 settings, not tested for 2003 whether it works. But one thing is certain that I spent a period of time without finding the effects of other facets.
Vi. Configuring the IIS service:
1, do not use the default Web site, if used also to separate the IIS directory and the system disk.
2, delete the IIS default created Inetpub directory (on the installation system disk).
3, delete the virtual directory under the system disk, such as: _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, IISHelp, MSADC.
4, remove unnecessary IIS extension mappings.
Right-click the default Web site → properties → home directory → configuration, open the application window, and remove unnecessary application mappings. mainly for. sHTML,. shtm,
. stm
5, change the path of the IIS log
Right-click the default Web site → Properties-web site-click Properties under Enable Logging
6. If you are using 2000, you can use IISLockdown to protect IIS, and the version of IE6.0 running in 2003 is not required.
7. Use URLScan
URLScan is an ISAPI filter that analyzes incoming HTTP packets and can reject any suspicious traffic. The latest version is 2.5, and if it is 2000Server you need to install the 1.0 or 2.0 version first. Download address no link to page
If there are no special requirements to use the URLScan default configuration on it.
But if you run the ASP.net program on the server and you want to debug it you need to open the%windir%\system32\inetsrv\urlscan
folder, and then add the debug verb in the Userallowverbs section, noting that this section is case-sensitive. \ urlscan.ini
If your page is an. asp page you need to delete the. asp-related content in DenyExtensions.
If your page uses non-ASCII code, you need to set the value of Allowhighbitcharacters to 1 in the option section
After making changes to the Urlscan.ini file, you will need to restart the IIS service to take effect, and enter IISReset in the fast method run
If you have any problems after configuration, you can remove URLScan by adding/removing programs.
8. Use WIS (WEB injection Scanner) tool to scan the entire website for SQL injection vulnerability.

Seven, configure SQL Server
1, the System Administrators role preferably not more than two
2, if it is in this machine is best to configure the authentication to win login
3, do not use the SA account, configure a super complex password for it
4, delete the following extended stored procedure format:
Use master
Sp_dropextendedproc ' Extended stored procedure name '
xp_cmdshell: Is the best shortcut to enter the system, delete
Accessing the registry's stored procedures, deleting
Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue xp_regenumvalues
Xp_regread xp_regwrite xp_regremovemultistring
OLE automatic stored procedures that do not need to be deleted
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop
5, hide SQL Server, change the default 1433 port
Right-click the properties of the TCP/IP protocol in the instance selection properties-General-network configuration, choose to hide the SQL Server instance and change the default 1433 port.
If only do server, do not do other *, use IPSec
1. Management tools-Local Security policy-right-click IP Security Policy-Manage IP filter tables and filters * Do-click under Manage IP filter table options
Add-Name to Web filter-click Add-Enter the Web server in the description-set the source address to any IP address-set the destination address to my IP address-the protocol type is set to the TCP--IP protocol port The first item is set to from any port, the second entry to this port 80--click Finish-click OK.
2, again in the management of IP filter table options under click
Add-Name set to all inbound filters-click Add-Enter all inbound filters in the description-set the source address to any IP address--Set the destination address to my IP address--the protocol type is arbitrary--click Next--Finish--click OK.
3, under the Management filter * Option Click Add--Next--name input block--next--Select block--next--Finish--Close admin IP filter table and filter * as window
4. Right-click IP Security Policy-Create IP Security Policy-next-Name Input packet Filter-next--Cancel the default activation response principle--next--complete
5. In the open new IP Security Policy Properties window, select Add--next--do not specify a tunnel--next--all network connections--next--In the IP filter list, select the new
Web Filter--Next--Select the license in the filter *--next--complete--Select the new blocking filter in the IP filter List--Next--Select block in Filter *
--Next--complete--OK
6. In the right window of the IP Security Policy, right-click the new packet filter, click Assign, do not need to reboot, IPSec can take effect.
Nine serious attention
If you do this, it is recommended that you test the server for every change you make, and then undo the changes if you have a problem. And if the number of changed items, only to find out the problem, it is difficult to determine the question is where the step.


Ten, run the server record the current program and open the port



1, the current server to capture or record the process, save it to facilitate later check whether there are unknown procedures.
2, the current open to grasp the port map or record, save, easy to check whether the opening of the unknown port. Of course if you can distinguish each process, and the port this step can be omitted.



Recommended settings









Limit test


In "Network Connections", delete all the unwanted protocols and services, install only basic Internet Protocol (TCP/IP), and install the QoS Packet Scheduler in addition to the bandwidth flow service .






In Advanced TCP/IP Settings--"NetBIOS" setting disables NetBIOS (S) on TCP/IP.





In the 2003 system, TCP/IP filtering is not recommended in the port filtering function, such as the use of FTP server, if only open 21 ports, due to the specificity of the FTP protocol, FTP transmission, due to FTP-specific port mode and passive mode, In the data transmission, the need to dynamically open the high-end port, so in the case of TCP/IP filtering, often the connection can not be listed after the directory and data transfer problems. So the addition of Windows Connection Firewall on 2003 system can solve this problem very well, so it is not recommended to use the TCP/IP filtering function of the NIC.






In the advanced option, use Internet Connection Firewall, which is a firewall with Windows 2003, not in the 2000 system, although not functional, but can screen ports, so that has basically reached an IPSec function.















Open the port you use to, and if you modify the port on the Remote Desktop, do not forget to add it. If you have a mail server, also release the SMTP server port POP3 server port 110. Services can be added to the external service port, otherwise the service cannot be accessed.















Modify ICMP settings, recommended all enabled, easy network test ping, etc.









Of course, in order to secure also prevent this machine to become broiler, sometimes need to set local do not access external 80,22, such as Port, here provide a bat code, if you need to access the external Web site need to remove the 80 port on it


@rem Configure the IP Security policy for the WINDOWS2003 system
 @rem version 3.0 time:2014-5-12 netsh ipsec static add policy name=drop netsh ipsec static a dd filterlist
 name=drop_port netsh ipsec static add filter filterlist=drop_port Srcaddr=me dstaddr=any dstport=21
 Protocol =tcp mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=22 
protocol=tcp mirrore D=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=23 
protocol=tcp mirrored=no netsh i Psec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=25 
protocol=tcp mirrored=no netsh ipsec static Add Filter filterlist=drop_port srcaddr=me dstaddr=any dstport=53 
protocol=tcp mirrored=no netsh ipsec static add filter F Ilterlist=drop_port srcaddr=me dstaddr=any dstport=80 
protocol=tcp mirrored=no netsh ipsec static add filter Filterlist=d Rop_port srcaddr=me dstaddr=any dstport=135 
protocol=tcp mirrored=no netsh ipsec static add filter Filterlist=drop_port SR Caddr=me Dstaddr=any DSTPort=139 
protocol=tcp mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=443 
Pro Tocol=tcp mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=445 
protocol=tcp m Irrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1314 
protocol=tcp mirrored=n o netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1433
 protocol=tcp mirrored=no netsh ip  SEC static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=1521
 protocol=tcp mirrored=no netsh ipsec static Add Filter filterlist=drop_port srcaddr=me dstaddr=any dstport=2222 
protocol=tcp mirrored=no netsh ipsec static add Filte R filterlist=drop_port srcaddr=me dstaddr=any dstport=3306 
protocol=tcp mirrored=no netsh ipsec static add filter Filterli St=drop_port srcaddr=me dstaddr=any dstport=3433
 protocol=tcp mirrored=no netsh ipsec static add filter filterlist=drop_p ORT Srcaddr=me Dstaddr=any dstport=3389 
protocol=tcp mirrored=no netsh ipsec static add filter Filterlist=drop_port Srcaddr=me dstaddr=any 899
 protocol=tcp mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=8080
 Protoc Ol=tcp mirrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any dstport=18186 
protocol=tcp mi Rrored=no netsh ipsec static add filter filterlist=drop_port srcaddr=me dstaddr=any 
protocol=udp mirrored=no netsh ipsec s Tatic add filteraction name=denyact action=block netsh ipsec static add rule Name=kill Policy=drop the Filterlist=drop_port 
fi Lteraction=denyact netsh ipsec static set policy Name=drop assign=y


permissions setting The root of all disk partitions gives full control to the Administrators group and system, noting that the systems disk does not replace the permissions of the subdirectory. Some directories, such as the Windows directory and Program Files directory, do not inherit parent directory permissions, and these directories require some additional permissions to run. The c:documents and Settings directory only gives full control to the Administrators group and SYSTEM, and the project that applies to child objects replaces the permission entries for all child objects. system disk The documents and Settingsall Users directory only gives full control to the Administrators group and system. The system permissions given here do not necessarily need to be given, just because some third-party applications are started in the form of a service and need to be added to this user, otherwise it will not start.












C:/Documents and settings/here to note that the permissions in the following directory will not inherit from the previous settings, if only set the C disk to administrators permissions, and in the all Users/application data directory will The Everyone user has full control, so the intrusion can jump to this directory, write scripts or files, and combine other vulnerabilities to elevate permissions, such as using serv-u local overflow to elevate permissions, or missing patches, database vulnerabilities, and so on. In systems that are used as WEB/FTP servers, the recommended setting.






Windows directories should be added to the default permissions for users, otherwise applications such as ASP and ASPX will not run. If you modify it, do not apply the item to the child object instead of the permission entries for all child objects. System directory permissions in doubt, do not move, generally do the root directory and the documents and settings are relatively safe, ASP programs can not access the root directory can not access the subdirectory.






In addition, the Documents and Settings directory to increase the users user group read run permissions, you can avoid loaduserprofile failure, it is necessary to note that the Users group Read permissions, ASP Trojan can access this directory. You need to accept some error logs for security. (January 13, 2009 Note: It seems that there is no system completely appear loaduserprofile, and users have nothing to do.) )






System disk
Under Cacls.exe; cmd.exe; Net.exe; Net1.exe; Ftp.exe; Tftp.exe; Telnet.exe; Netstat.exe; Regedit.exe; At.exe; Attrib.exe; The Format.com file only gives full control to the Administrators group and system. You can look for a unified setting, or edit a batch and use the CACLS command to process it.




Local policy → Audit policy

Audit policy Change failed successfully
Audit logon event failed successfully
Audit object access failed
Audit process Tracking No audit
Audit directory service access failed
Audit privilege usage failed
Audit system Event failed successfully
Audit account logon event failed successfully
Audit account Management failed successfully

Local Policies → User Rights Assignment
Shutdown system: Only Administrators group, all other delete.
Allow login via Terminal Services: Only join Administrators,remote Desktop Users group, all others deleted

Local Policies → Security options
Interactive login: Do not display last user name enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares to enable
Network access: Enable for network authentication store credentials is not allowed
Network access: All shares that can be accessed anonymously are deleted
Network access: Anonymous access to all of the lives deleted
Network access: Remote access to the registry path all deleted
Network access: Remotely accessible registry paths and subpath Delete all
Account: Rename guest account rename an account
Accounts: Renaming a system administrator account renaming an account

"Disable unnecessary service start-run-services.msc"

Computer Browser: Maintain the latest list of computers on the network and provide this list
Distributed file System: LAN management shared files, no need to disable
Distributed Link Tracking Client: For LAN update connection information, no need to disable
Error Reporting Service: Prohibit sending errors report
Messenger: NET SEND and alarm service messages between the transfer client and the server
Microsoft serch: Provides fast word search without the need to disable
NT LM Security Support provider:telnet Service and Microsoft Serch, no need to disable
Print Spooler: If no printer is available to disable
Remote Desktop help session Manager: No distance assistance
Remote Registry: Disable the registry from being modified remotely
Server: Enables this computer to share file, print, and named pipes across the network
Task Scheduler: Allow programs to run at specified times
Tcp/ipnetbios Helper: Provides support for NetBIOS and NetBIOS name resolution on network clients on TCP/IP services to enable users to share text
Workstation: Remote NET command does not list user group if closed
These are disabled in services that are started by default on the Windows Server 2003 system, and the default disabled service does not start if it is not specifically needed.

"Uninstall the least secure Components"

The easiest way to do this is to remove the appropriate program files after you uninstall them directly.

Save the following code as one. BAT file, (Win2003 For example system folder should be C:windows)

Copy Code code as follows:

Regsvr32/u C:windowssystem32wshom.ocx
Regsvr32/u C:windowssystem32wshext.dll
Regsvr32/u C:windowssystem32shell32.dll


If it is possible to remove these components
Del C:windowssystem32shell32.dll
Del C:windowssystem32wshom.ocx
Del C:windowssystem32wshext.dll
Then run it, Wscript.Shell, Shell.Application, and Wscript.Network will be unloaded.
Go to http://www.ajiang.net/products/aspcheck/to download the Arjunolic probe to see the relevant security settings.

You may be prompted not to delete the file, do not worry about it, restart the server, you will find that all three prompts "x security".

If you recover, remove/U. FSO (filesystemobject) is a Microsoft ASP's control on file manipulation, which can read, create, modify, delete directories, and file operations on the server. is a very useful control in ASP programming. However, because of the issue of permissions control, many virtual host Server FSO has become a public backdoor of this server, because customers can be in their own ASP Web page directly to the control program, thus controlling the server or even delete files on the server. So many of the industry's virtual hosting providers simply shut down the control, giving customers a lot less flexibility. Our company's W2K Virtual host server has high security, can let the customer in own website space to use arbitrarily but has no way to endanger the system or to hinder other customer website normal operation.

The FSO Add

1, first in the system disk to find Scrrun.dll, if the existence of this file, please skip to step three, if not, please perform the second step.
2, in the installation file directory i386 find Scrrun.dl_, with winrar decompression Scrrun.dll copied to the system disk: Windowssystem32 directory.
3, the Operation Regsvr32 Scrrun.dll can.

FSO Delete
regsvr32/u Scrrun.dll
Recommended retention

Unload Stream Object

Run under cmd:
regsvr32/s/u "c:program filescommon FilesSystemadomsado15.dll"
To recover, remove/U on the line, it is recommended to keep modify the Remote Desktop Connection 3389 port is 9874, hexadecimal 2692 is equal to decimal 9874, as needed to modify the appropriate port. Save the following content as a. reg file and import the registry. (not required)
Copy Code code as follows:

Windows Registry Editor Version 5.00

[Hkey_local_machinesystemcurrentcontrolsetcontrolterminal Serverwdsrdpwdtdstcp]
"PortNumber" =dword:00002692

[Hkey_local_machinesystemcurrentcontrolsetcontrolterminal Serverwinstationsrdp-tcp]
"PortNumber" =dword:00002692


Antivirus

Here are the McAfee 8.5i Chinese Enterprise Edition (s.jb51.net downloads)
Because this version of the domestic many malicious code and Trojans can be updated in a timely manner.
For example, has been able to detect Haiyang top 2006
And able to kill MIME-encoded virus files in queues used by SMTP software such as IMail
And a lot of people like to install Norton Enterprise Edition. and Norton Enterprise Edition, for Webshell. Basically, there is no response.
And the MIME-encoded file cannot be antivirus.
In McAfee.
We can also add rules. Prevent the creation and modification of EXE.DLL files in Windows directories, etc.
We add antivirus programs to the Web directory in the software.
Execute once a day
and turn on real-time monitoring.
Note: Installing some antivirus software can affect ASP execution because the Jscript.dll and Vbscript.dll components are disabled
In DOS mode run regsvr32 jscript.dll, regsvr32 vbscript.dll lifting restrictions can
For example, the requested resource is in use

regsvr32%windir%system32jscript.dll
regsvr32%windir%system32vbscript.dll





You can refer to this article for IP Security policy:



Http://www.jb51.net/article/23037.htm



Http://www.jb51.net/article/30832.htm


Contact Us

The content source of this page is from Internet, which doesn't represent Alibaba Cloud's opinion; products and services mentioned on that page don't have any relationship with Alibaba Cloud. If the content of the page makes you feel confusing, please write us an email, we will handle the problem within 5 days after receiving your email.

If you find any instances of plagiarism from the community, please send an email to: info-contact@alibabacloud.com and provide relevant evidence. A staff member will contact you within 5 working days.

A Free Trial That Lets You Build Big!

Start building with 50+ products and up to 12 months usage for Elastic Compute Service

  • Sales Support

    1 on 1 presale consultation

  • After-Sales Support

    24/7 Technical Support 6 Free Tickets per Quarter Faster Response

  • Alibaba Cloud offers highly flexible support services tailored to meet your exact needs.