Windows Server 2003 Security Configuration Recommendations

Source: Internet
Author: User
I. Operating system configuration

1. Install the operating system on an NTFS partition and install anti-virus software; I chose Kaspersky.

2. Install all system patches, then run a vulnerability scan and a full anti-virus scan.

3. Remove the Windows Server 2003 default shares
Start by writing a batch file with the following contents:
@echo off
rem delete the administrative shares that the Server service re-creates at every boot
net share C$ /del
net share D$ /del
net share E$ /del
net share F$ /del
net share ADMIN$ /del
Save it as Delshare.bat and place it in the system's startup items; the shares are then deleted automatically each time the machine boots.

4. Disable IPC connections
An IPC connection is made by opening cmd and entering a command of the form: net use \\ip\ipc$ "password" /user:"username". We can disable the IPC connection by modifying the registry: open Registry Editor, locate the RestrictAnonymous value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, and change its value to 1.

5. Delete unneeded protocols and services in "Network Connections"
In Network Connections, delete all unwanted protocols and services, leaving only the basic Internet Protocol (TCP/IP) installed. Then, under Advanced TCP/IP Settings, on the WINS/NetBIOS tab, disable NetBIOS over TCP/IP.

6. Enable the Windows Connection Firewall and open only the web service (port 80).
Note: On Windows Server 2003 the TCP/IP filtering function of the network adapter is not recommended. If, for example, an FTP server is run and only port 21 is opened, the FTP protocol (in both active and passive mode) needs to open high-numbered ports dynamically during data transfer, so with TCP/IP filtering in place the connection often cannot list directories or transfer data. The Windows Connection Firewall added in Windows Server 2003 handles this well, so use it instead of the adapter's TCP/IP filtering function.

7. Disk permissions
The system disk: Administrators and SYSTEM permissions only.
The system disk's \Documents and Settings directory: Administrators and SYSTEM permissions only.
The system disk's \Documents and Settings\All Users directory: Administrators and SYSTEM permissions only.
The system disk's \Documents and Settings\All Users\Application Data directory: Administrators and SYSTEM permissions only.
The system disk's \Windows directory: Administrators, SYSTEM and Users permissions only.
The files net.exe, net1.exe, cmd.exe, command.exe, ftp.exe, netstat.exe, regedit.exe, at.exe, attrib.exe and cacls.exe in the system disk's \Windows\system32: Administrators permission only (or delete them if you consider them useless; for example, I deleted cmd.exe and command.exe, hehe).
Other disks on which server software runs (for example SQL Server 2000 installed on the D: disk): Administrators and SYSTEM permissions, not Administrators only.
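The permission changes of item 7 can be applied from a command prompt instead of the Explorer security tab. The following batch script is an added example and is not part of the original article; it uses cacls.exe, which is built into Windows Server 2003. It assumes English group names (Administrators, SYSTEM, Users), that the system disk is %SystemDrive%, and that D:\ is the data disk holding SQL Server 2000; the exact file list and the D: drive are taken from the article, the rest are assumptions.

```batch
@echo off
rem Added example, not from the original article: applies the NTFS ACLs of
rem section I.7 with cacls.exe. Assumptions: English group names, the system
rem disk is %SystemDrive%, the data disk with SQL Server 2000 is D:\.
rem cacls without /E replaces the whole ACL, which is what "only gives X
rem permissions" means; "echo y|" answers its confirmation prompt.
rem No call uses /T, so sub-folders (user profiles in particular) keep their own ACLs.

setlocal
set DS=%SystemDrive%\Documents and Settings

rem Root of the system disk: Administrators and SYSTEM only (unquoted, a quoted "C:\" would be mis-parsed)
echo y| cacls %SystemDrive%\ /G Administrators:F SYSTEM:F

rem Profile root, All Users and its Application Data: Administrators and SYSTEM only
for %%D in ("%DS%" "%DS%\All Users" "%DS%\All Users\Application Data") do (
    echo y| cacls %%D /G Administrators:F SYSTEM:F
)

rem \Windows: Administrators and SYSTEM full control, Users read (cacls R = Read and Execute)
echo y| cacls "%SystemRoot%" /G Administrators:F SYSTEM:F Users:R

rem Dual-use command-line tools: Administrators only, so a web worker or anonymous
rem account that gains code execution cannot run them. Files missing from this
rem path (regedit.exe often lives in %SystemRoot% instead) are skipped.
for %%F in (net.exe net1.exe cmd.exe command.exe ftp.exe netstat.exe regedit.exe at.exe attrib.exe cacls.exe) do (
    if exist "%SystemRoot%\system32\%%F" echo y| cacls "%SystemRoot%\system32\%%F" /G Administrators:F
)

rem Data disk with installed server software: Administrators and SYSTEM (services run as SYSTEM)
echo y| cacls D:\ /G Administrators:F SYSTEM:F

rem Show one result so the change can be reviewed before rebooting
cacls "%SystemRoot%\system32\net.exe"
endlocal
```

Run it from an administrative command prompt after taking a backup of the current ACLs (for example by redirecting the output of cacls on each path to a file), because a replaced ACL cannot be undone with a single command.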

8. Local Security Policy settings
Start Menu -> Administrative Tools -> Local Security Policy
A. Local Policies -> Audit Policy (optional)
Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure

B. Local Policies -> User Rights Assignment
Shut down the system: Administrators group only; remove all others.
Deny logon through Terminal Services: add the Guests and Users groups.
Allow logon through Terminal Services: Administrators group only; remove all others.

C. Local Policies -> Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Shares that can be accessed anonymously: remove all entries
Network access: Named pipes that can be accessed anonymously: remove all entries
Network access: Remotely accessible registry paths: remove all entries
Network access: Remotely accessible registry paths and sub-paths: remove all entries
Accounts: Rename guest account: rename it
(The following change may render SQL Server unusable.)
Accounts: Rename administrator account: rename it

II. IIS configuration (including the directory where the site resides)

1. Create your own web site, with its directory not on the system disk. (Note: in the application settings, set the execute permissions to None and change them only for the directories that need them.)
Note: To support ASP.NET, copy the aspnet_client folder from the system disk's \Inetpub\wwwroot to the web root and grant the Users group permissions on the web root directory.

2. Delete the system disk's \Inetpub directory

3. Remove unused application mappings
In Application Configuration, leave only the script extensions that are actually needed: ASP and ASPX.

4. Create a system user for the web site
A. For example, if the web site is yushan43436.net, create a new user named yushan43436.net with Guests group membership. Then, in the web site's properties, under Directory Security -> Authentication and Access Control, set the user name and password used for anonymous access ("Use the following Windows user account") to this user's credentials (user name: hostname\yushan43436.net).
B. Grant the user yushan43436.net only read and write permissions on the disk directory where the web site resides.

5. Set execute permissions for the application and its subdirectories
A. In the main application directory, set Properties -> Application Settings -> Execute Permissions to Scripts only.
B. In subdirectories that do not need to execute ASP or ASP.NET, such as upload directories, set the execute permissions to None.

6. Application pool settings
My site uses the default application pool. Set memory recycling: maximum virtual memory 1000 MB, maximum used physical memory 256 MB; with these values the setting places almost no limit on the performance of this site.
Recycle worker process (in minutes): 1440
Recycle worker processes at the following times: 06:00

III. SQL Server 2000 configuration

1. Password settings
My program uses the SA user; its password is set very complex (I cannot remember it, it is saved in my phone, heh heh).

2. Delete dangerous extended stored procedures and their associated .dll files:
xp_cmdshell (this one first, needless to say), xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regread, xp_regwrite, xp_regremovemultistring
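The extended stored procedures listed above can be dropped from a script rather than one by one in Query Analyzer. The following batch file is an added example, not code from the original article; it drives osql.exe, which ships with SQL Server 2000, over a trusted connection so the SA password never appears in the script. It assumes the default local instance and that the Windows administrator running it is a SQL Server sysadmin (BUILTIN\Administrators is one by default). The associated DLLs mentioned in the article are deliberately left alone here; removing them is a separate manual step.

```batch
@echo off
rem Added example, not from the original article: drops the extended stored
rem procedures of section III.2 with osql.exe (SQL Server 2000).
rem Assumptions: default local instance (no -S needed), trusted connection (-E)
rem as a Windows administrator who is a SQL Server sysadmin.

setlocal
set XPS=xp_cmdshell xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues xp_regread xp_regwrite xp_regremovemultistring

rem Each procedure is dropped only if it still exists (xtype X = extended procedure),
rem so the script can be re-run safely after a partial failure.
for %%P in (%XPS%) do (
    echo Dropping %%P
    osql -E -d master -Q "IF EXISTS (SELECT 1 FROM sysobjects WHERE name = '%%P' AND xtype = 'X') EXEC sp_dropextendedproc '%%P'"
)

rem Verification: anything printed by this query survived and needs attention.
osql -E -d master -Q "SELECT name FROM sysobjects WHERE xtype = 'X' AND name IN ('xp_cmdshell','xp_regaddmultistring','xp_regdeletekey','xp_regdeletevalue','xp_regenumvalues','xp_regread','xp_regwrite','xp_regremovemultistring')"
endlocal
```

Because sp_dropextendedproc only removes the catalog entry, the final query is the check worth keeping in a scheduled job: an empty result set means the procedures are gone, while a row reappearing later means someone re-registered one with sp_addextendedproc.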

IV. Other settings (optional; I take no responsibility for them)

1. Every user password must be complex; delete unwanted users.

2. Prevent SYN flood attacks
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
create a new DWORD value named SynAttackProtect with a value of 2.

3. Do not respond to ICMP router advertisement messages
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
create a new DWORD value named PerformRouterDiscovery with a value of 0.

4. Prevent ICMP redirect attacks
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set the EnableICMPRedirect value to 0.

5. Do not support the IGMP protocol
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
create a new DWORD value named IGMPLevel with a value of 0.

6. Disable DCOM:
Type Dcomcnfg.exe in Run and press Enter. Under Console Root, click Component Services and open the Computers subfolder.
For the local computer, right-click My Computer and select Properties, then select the Default Properties tab.
Clear the "Enable Distributed COM on this computer" check box.
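The share, IPC$, firewall and registry settings of sections I.3, I.4, I.6 and IV.2 to IV.6 can be applied together from one script. The batch file below is an added example and not part of the original article; it uses reg.exe and netsh.exe, both built into Windows Server 2003. Assumptions: the "netsh firewall" context requires Service Pack 1 or later; the per-interface PerformRouterDiscovery value is written to every adapter subkey found under Tcpip\Parameters\Interfaces; and the EnableDCOM registry value is the documented equivalent of the dcomcnfg.exe check box. The value names and data are those stated in the article.

```batch
@echo off
rem Added example, not from the original article: applies the settings of
rem sections I.3, I.4, I.6 and IV.2-6 from an administrative command prompt.
rem Assumptions: reg.exe and netsh.exe present; "netsh firewall" needs SP1+.

setlocal
set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

rem --- I.3: remove the administrative shares. The Server service re-creates
rem them at boot, so this script belongs in the startup items, like Delshare.bat.
for %%S in (C$ D$ E$ F$ ADMIN$) do net share %%S /delete >nul 2>&1

rem --- I.4: restrict anonymous (null-session) access
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous /t REG_DWORD /d 1 /f

rem --- I.6: enable the firewall and expose only the web service on TCP/80
netsh firewall set opmode mode=ENABLE exceptions=ENABLE
netsh firewall add portopening protocol=TCP port=80 name="HTTP" mode=ENABLE

rem --- IV.2, IV.4, IV.5: TCP/IP stack hardening
reg add "%TCPIP%" /v SynAttackProtect /t REG_DWORD /d 2 /f
reg add "%TCPIP%" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
reg add "%TCPIP%" /v IGMPLevel /t REG_DWORD /d 0 /f

rem --- IV.3: PerformRouterDiscovery is per interface. "reg query" lists each
rem adapter subkey as a full path; the findstr filter keeps only those lines
rem (they contain "\Interfaces\{"), skipping the parent key and the version banner.
for /f "delims=" %%K in ('reg query "%TCPIP%\Interfaces" ^| findstr /i /l /c:"\Interfaces\{"') do (
    reg add "%%K" /v PerformRouterDiscovery /t REG_DWORD /d 0 /f
)

rem --- IV.6: disable DCOM (registry equivalent of clearing the dcomcnfg.exe check box)
reg add "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM /t REG_SZ /d N /f

rem --- verification: the values just written and the shares that remain
reg query "HKLM\SYSTEM\CurrentControlSet\Control\Lsa" /v RestrictAnonymous
reg query "%TCPIP%"
reg query "HKLM\SOFTWARE\Microsoft\Ole" /v EnableDCOM
net share
echo The TCP/IP and DCOM settings take effect after a reboot.
endlocal
```

The three "reg query" calls at the end are the audit half of the script: their output can be saved to a file after each run and compared later, so that a value silently changed back (by a reinstalled driver or a later administrator) is noticed rather than assumed.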
