Differences between the Windows Server 2003 editions
1) Windows Server 2003, Standard Edition
Aimed at small and medium enterprises as the core product, it supports two processors and 4 GB of memory. Beyond everything in Windows Server 2003 Web Edition, it also supports Certificate Services, UDDI Services, Fax Services, IAS (Internet Authentication Service), Removable Storage, RIS (Remote Installation Services), smart cards, Terminal Services, WMS (Windows Media Services) and Services for Macintosh.
Supports file and printer sharing and provides secure network connections.
2) Windows Server 2003, Enterprise Edition
Positioned as the new high-end product, it supports up to 8 processors, 32 GB of memory and 2 to 8 node clusters. It extends Windows Server 2003 Standard Edition with Metadirectory Services support, the Terminal Services Session Directory, clustering, Hot-Add memory and NUMA (non-uniform memory access). A 64-bit edition is also available.
A full-featured operating system supporting up to 8 processors, with enterprise-level features such as 8-node clustering and 32 GB of memory. It supports the Intel Itanium processor, and a 64-bit edition will be available that supports 8 64-bit processors and 64 GB of memory.
3) Windows Server 2003, Datacenter Edition
As always, this is the product that represents the highest performance in Microsoft's line-up. It has consistently targeted the highest-end applications and offers extremely high reliability and scalability: 8 to 32 processors, 64 GB of memory and 2 to 8 node clusters. Compared with Windows Server 2003 Enterprise Edition, Datacenter Edition adds the Windows Datacenter Program package. A 64-bit version is also offered.
The most powerful server operating system Microsoft has shipped so far. It supports 32 processors and 64 GB of memory and provides 8-node clustering together with network load balancing. A 64-bit platform version supports an impressive 64 processors and a correspondingly large amount of memory.
4) Windows Server 2003, Web Edition
This edition is optimized for web serving. It supports two processors and 2 GB of memory, and includes ASP.NET, DFS (Distributed File System), EFS (Encrypting File System), IIS 6.0, smart image, ICF (Internet Connection Firewall), IPv6, the Microsoft .NET Framework, NLB (Network Load Balancing), PKI, Print Services for UNIX, RDP, remote OS installation (not the RIS service), RSoP (Resultant Set of Policy), Shadow Copy Restore, VPN and the WMI command line (WMIC). The one difference between Web Edition and the other editions is that it can only be a member server in an AD domain, never a domain controller (DC).
It can host web applications and XML web services, ships with IIS 6.0, and allows quick and easy development of XML- and ASP.NET-based service projects.
5) Windows Server 2003 64-bit Edition
This edition is developed specifically for the 64-bit Intel Itanium processor.
There are two versions:
Windows Server 2003 Enterprise Server 64-bit Edition
Windows Server 2003 Datacenter Server 64-bit Edition
Practice
The following is an example of a typical virtual-hosting server.
System: Windows 2003
Services: [IIS] [SERV-U] [IMAIL] [SQL SERVER 2000] [PHP] [MYSQL]
Description: as many services as possible are included for demonstration; trim the list according to your actual situation.
1. Windows Local Security Policy port restrictions
A. For our example, the following ports must be opened:
External -> Local 80
External -> Local 20
External -> Local 21
External -> Local: the port range used by FTP PASV mode
External -> Local 25
External -> Local 110
External -> Local 3389
Then open the SQL Server and MySQL ports as actually needed:
External -> Local 1433
External -> Local 3306
B. Then open the ports needed from the inside out.
Depending on the situation, do not open the following two rules if no mail service is required:
Local -> External 53 TCP, UDP
Local -> External 25
Likewise, if you do not need to browse web pages from the server, do not open:
Local -> External 80
C. Apart from the ports explicitly opened above, block everything else; this default-deny rule is the key to the whole policy:
All protocols to Local are blocked.
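The port policy of section 1 as a script, added here as an example; it is not part of the original guide. It uses the netsh ipsec static context that Windows Server 2003 ships with, which is the command-line face of the IP Security policy the section sets through Local Security Policy. Everything it assumes beyond the page is marked in the comments: the FTP PASV range 50000 to 50010 (the page only says "the port range used by PASV"), the policy and filter-list names, that both database ports are wanted, and that the server needs outbound DNS and SMTP.

```batch
@echo off
setlocal
rem Added example, not the guide's own script: section 1's port policy expressed
rem with "netsh ipsec static", the command-line face of the IP Security policy
rem the section sets through Local Security Policy.
rem Assumptions not on the page: FTP PASV uses 50000-50010, both database ports
rem are wanted, and the server needs outbound DNS and SMTP. Run in cmd.exe as
rem an administrator, preferably from the console rather than over RDP.

set POLICY=PacketFilter
set PASV_FIRST=50000
set PASV_LAST=50010

rem Remove any earlier run so the script can be applied again cleanly.
netsh ipsec static delete policy name="%POLICY%" >nul 2>&1
for %%l in (inbound outbound all) do netsh ipsec static delete filterlist name="%POLICY%-%%l" >nul 2>&1
for %%a in (permit block) do netsh ipsec static delete filteraction name="%POLICY%-%%a" >nul 2>&1

netsh ipsec static add policy name="%POLICY%" description="section 1 port restrictions"
netsh ipsec static add filteraction name="%POLICY%-permit" action=permit
netsh ipsec static add filteraction name="%POLICY%-block" action=block

rem A. External -> Local: the listening ports, 1433/3306 only if actually used.
netsh ipsec static add filterlist name="%POLICY%-inbound"
for %%p in (80 20 21 25 110 3389 1433 3306) do (
    netsh ipsec static add filter filterlist="%POLICY%-inbound" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%p mirrored=yes description="inbound TCP %%p"
)
rem The static context takes one port per filter, so the PASV range is a loop.
for /L %%p in (%PASV_FIRST%,1,%PASV_LAST%) do (
    netsh ipsec static add filter filterlist="%POLICY%-inbound" srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=%%p mirrored=yes description="FTP PASV %%p"
)

rem B. Local -> External: only what the server itself must reach. Delete the
rem lines you do not need, as the section advises (53 and 25 only for mail).
netsh ipsec static add filterlist name="%POLICY%-outbound"
netsh ipsec static add filter filterlist="%POLICY%-outbound" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=53 mirrored=yes description="DNS over TCP"
netsh ipsec static add filter filterlist="%POLICY%-outbound" srcaddr=me dstaddr=any protocol=UDP srcport=0 dstport=53 mirrored=yes description="DNS over UDP"
netsh ipsec static add filter filterlist="%POLICY%-outbound" srcaddr=me dstaddr=any protocol=TCP srcport=0 dstport=25 mirrored=yes description="outbound SMTP"

rem C. Default deny. A protocol=ANY filter is the least specific, so every
rem single-port permit filter above wins against it.
netsh ipsec static add filterlist name="%POLICY%-all"
netsh ipsec static add filter filterlist="%POLICY%-all" srcaddr=any dstaddr=me protocol=ANY mirrored=yes description="block everything else"

netsh ipsec static add rule name="permit inbound" policy="%POLICY%" filterlist="%POLICY%-inbound" filteraction="%POLICY%-permit"
netsh ipsec static add rule name="permit outbound" policy="%POLICY%" filterlist="%POLICY%-outbound" filteraction="%POLICY%-permit"
netsh ipsec static add rule name="block all" policy="%POLICY%" filterlist="%POLICY%-all" filteraction="%POLICY%-block"

rem Assigning activates the policy immediately; 3389 is in the inbound list, so an
rem RDP session survives, but verify the lists first if you changed them.
netsh ipsec static show policy name="%POLICY%" level=verbose
netsh ipsec static set policy name="%POLICY%" assign=y
endlocal
```

IPSec filters are matched most-specific-first, so the single-port permit filters in A and B take precedence over the protocol=ANY block filter in C; that is what makes the default-deny safe to combine with the permit lists. Assign the policy from the console, or at least only after confirming that 3389 is still in the inbound list, and check the active result afterwards with netsh ipsec static show all.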
2. User Accounts
A. Rename the administrator account; in this example it becomes root.
B. For every user other than the administrator root, clear the two attributes
Remote Control -> Enable remote control, and
Terminal Services Profile -> Allow logon to terminal server.
C. Rename guest to administrator and change its password.
D. Apart from the administrator root, IUSR, IWAM and ASPNET, disable all other users, including the SQL debug and Terminal Services user accounts.
3. Directory permissions
Change the permissions of every drive letter to only:
Administrators group: Full Control
SYSTEM: Full Control
and let all subdirectories and files of drive C inherit the Administrators and SYSTEM permissions from the root of C:.
Then make the following changes:
C:\Documents and Settings\All Users: restore the default three permissions Read & Execute, List Folder Contents and Read.
C:\Documents and Settings: add Read & Execute for the Users group, otherwise LoadUserProfile fails.
C:\Program Files\Common Files: give Everyone the default three permissions Read & Execute, List Folder Contents and Read; this lets ASP and ASP.NET access Access databases.
C:\WINDOWS: the following operations may cause Ghost to fail; the Ghost image is created successfully, but the system reboots automatically after starting. A solution is still pending.
C:\WINDOWS: give Everyone the default three permissions Read & Execute, List Folder Contents and Read.
C:\WINDOWS\Temp: give Everyone Modify, Read & Execute, List Folder Contents, Read and Write.
C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files
Note that the following directories are used by the IIS_WPG group and the SERVICE account, so their permissions must be handled separately:
C:\WINDOWS\Help\IISHelp\Common
C:\WINDOWS\System32\Inetsrv\ASP Compiled Templates
C:\WINDOWS\IIS Temporary Compressed Files
After this, a WebShell can no longer write files into the system directory.
Stricter permissions are also possible by setting permissions on the individual directories under WINDOWS, but that is complicated and the benefit is not obvious.
4. IIS
Under IIS 6 the default ISAPI mappings in the application extensions no longer include dangerous script types such as .idq and .printer; under IIS 5 delete every mapping except .asp and .asa.
Install URLScan and add the following entries under [DenyExtensions] in urlscan.ini:
.cer
.cdx
.mdb
.bat
.cmd
.com
.htw
.ida
.idq
.htr
.idc
.shtm
.shtml
.stm
.printer
This way intruders cannot download the .mdb database. It is more thorough than the methods that put special characters in the file header, because even with special characters in the header the request can still be constructed through encoding.
5. Web directory permissions
A virtual-hosting server has many independent customers. It is safer to create a separate Windows user for each customer, bind the anonymous user that IIS runs as for the customer's site to that user, and point it at the customer's directory.
Change the permissions of that directory to:
Administrators: Full Control
SYSTEM: Full Control
The separately created user (or IUSR): under Advanced, grant all permissions except Full Control, Traverse Folder/Execute File and Take Ownership.
If there are not many sites on the server and some of them run forums, remove this user's execute permission on each forum's upload directory, leaving only read and write. Then even if intruders bypass the forum's file type check and upload a WebShell, it cannot run.
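Sections 3 and 5 as one batch script, added as an example; it is not the guide's own script. It applies the drive-root and add-back permissions of section 3 with cacls.exe, then creates one customer account, binds it as the site's IIS anonymous identity with adsutil.vbs and strips script and execute rights from the upload directory. Assumed and not from the page: drives C and D exist, the site is IIS site 1 at D:\wwwroot\site1 with an upload subfolder, the account name w3_site1 and its placeholder password, adsutil.vbs at its default C:\Inetpub\AdminScripts path, the rights given to the three IIS_WPG/SERVICE directories and to Temporary ASP.NET Files (the page lists them without rights), and Change rights for the site user in place of the finer ACE the section sets in the GUI.

```batch
@echo off
setlocal
rem Added example, not the guide's own script: the NTFS baseline of section 3 and
rem the per-customer site isolation of section 5.
rem Assumptions not on the page: drives C and D exist; the customer site is IIS
rem site 1 with root D:\wwwroot\site1 and upload folder D:\wwwroot\site1\upload;
rem the account is w3_site1 with a placeholder password; adsutil.vbs is in its
rem default C:\Inetpub\AdminScripts; rights for the three IIS_WPG/SERVICE folders
rem and for Temporary ASP.NET Files are not given on the page and are chosen here.
rem cacls letters: R = read/list/execute, C = change (read, write, delete), F = full.

rem ---- Section 3: every drive root = Administrators and SYSTEM only, propagated ----
rem cacls without /E replaces the ACL and asks for confirmation, hence "echo y|";
rem /T recurses, /C carries on past files that cannot be touched (pagefile etc).
for %%d in (C D) do (
    echo y| cacls %%d:\ /T /C /G Administrators:F SYSTEM:F
)

rem Add back the exceptions the section lists (/E edits instead of replacing).
cacls "C:\Documents and Settings\All Users" /E /G Users:R
cacls "C:\Documents and Settings" /E /G Users:R
cacls "C:\Program Files\Common Files" /T /E /G Everyone:R
cacls "C:\WINDOWS" /T /E /G Everyone:R
cacls "C:\WINDOWS\Temp" /T /E /G Everyone:C
cacls "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary ASP.NET Files" /T /E /G Everyone:C

rem Folders the section flags as belonging to the IIS worker process group and
rem the SERVICE account: give those principals their rights back explicitly.
cacls "C:\WINDOWS\Help\IISHelp\Common" /T /E /G IIS_WPG:R SERVICE:R
cacls "C:\WINDOWS\System32\Inetsrv\ASP Compiled Templates" /T /E /G IIS_WPG:C SERVICE:C
cacls "C:\WINDOWS\IIS Temporary Compressed Files" /T /E /G IIS_WPG:C SERVICE:C

rem ---- Section 5: one Windows account per customer site ----
set SITE_ID=1
set SITE_USER=w3_site1
set SITE_PASS=REPLACE_WITH_STRONG_PASSWORD
set SITE_ROOT=D:\wwwroot\site1
set ADSUTIL=cscript //nologo C:\Inetpub\AdminScripts\adsutil.vbs

net user %SITE_USER% %SITE_PASS% /add /comment:"IIS anonymous identity, site %SITE_ID%" /passwordchg:no /expires:never
wmic useraccount where name='%SITE_USER%' set PasswordExpires=false

rem Site root: Administrators/SYSTEM full, the site account Change. cacls cannot
rem write the section's exact ACE (everything except Full Control, Traverse/Execute
rem and Take Ownership); that one is set in the folder's Advanced security tab.
echo y| cacls "%SITE_ROOT%" /T /G Administrators:F SYSTEM:F %SITE_USER%:C

rem Point the site's anonymous access at this account.
%ADSUTIL% SET W3SVC/%SITE_ID%/ROOT/AnonymousUserName "%SITE_USER%"
%ADSUTIL% SET W3SVC/%SITE_ID%/ROOT/AnonymousUserPass "%SITE_PASS%"

rem Upload folder: no script or execute rights at the IIS level, so a file
rem dropped there by bypassing the forum's type check is refused (403) instead
rem of being handed to the ASP engine. CREATE fails harmlessly if the node exists.
%ADSUTIL% CREATE W3SVC/%SITE_ID%/ROOT/upload IIsWebDirectory >nul 2>&1
%ADSUTIL% SET W3SVC/%SITE_ID%/ROOT/upload/AccessScript false
%ADSUTIL% SET W3SVC/%SITE_ID%/ROOT/upload/AccessExecute false
endlocal
```

Run it from the console after a backup: the drive-root step removes every other ACE, including those of the IIS accounts, until the add-back lines run. Turning off AccessScript and AccessExecute on the upload folder is the IIS-level counterpart of the section's "remove execute": a script-mapped file uploaded there gets a 403 from IIS instead of reaching the ASP engine, regardless of what NTFS says about it.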
6. MS SQL Server 2000
Log on to Query Analyzer with a sysadmin account and run the following script:
use master
exec sp_dropextendedproc 'xp_cmdshell'
exec sp_dropextendedproc 'xp_dirtree'
exec sp_dropextendedproc 'xp_enumgroups'
exec sp_dropextendedproc 'xp_fixeddrives'
exec sp_dropextendedproc 'xp_loginconfig'
exec sp_dropextendedproc 'xp_enumerrorlogs'
exec sp_dropextendedproc 'xp_getfiledetails'
exec sp_dropextendedproc 'sp_OACreate'
exec sp_dropextendedproc 'sp_OADestroy'
exec sp_dropextendedproc 'sp_OAGetErrorInfo'
exec sp_dropextendedproc 'sp_OAGetProperty'
exec sp_dropextendedproc 'sp_OAMethod'
exec sp_dropextendedproc 'sp_OASetProperty'
exec sp_dropextendedproc 'sp_OAStop'
exec sp_dropextendedproc 'xp_regaddmultistring'
exec sp_dropextendedproc 'xp_regdeletekey'
exec sp_dropextendedproc 'xp_regdeletevalue'
exec sp_dropextendedproc 'xp_regenumvalues'
exec sp_dropextendedproc 'xp_regread'
exec sp_dropextendedproc 'xp_regremovemultistring'
exec sp_dropextendedproc 'xp_regwrite'
drop procedure sp_makewebtask
go
This removes all the dangerous extended stored procedures.
7. Modify cmd.exe and net.exe permissions
Change the permissions on the two files so that only a specific administrator can use them. In this example:
cmd.exe: root, Full Control
net.exe: root, ownership
This prevents unauthorized use.
You can also use the comlog program supplied with the example: rename com.exe to _com.exe and put the comlog file in its place, so that every command line executed is recorded.
To stop unauthorized users from changing permissions from the command line, apply the same permissions to: cmd.exe net.exe net1.exe ping.exe netstat.exe ftp.exe tftp.exe telnet.exe regedit.exe at.exe attrib.exe cacls.exe format.exe.
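The account steps of section 2 and the binary lockdown of section 7 together, as an added example; it is not the guide's own script. Assumed and not from the page: the built-in administrator is still named Administrator when this runs; SQLDebugger and TsInternetUser are the accounts the section calls "SQL DEBUG" and "TERMINAL USER"; SUPPORT_388945a0 (the default Help and Support account, not mentioned on the page) is disabled as well; the decoy password is a placeholder; and the copies Windows File Protection keeps in System32\dllcache are locked the same way as the originals.

```batch
@echo off
setlocal
rem Added example, not the guide's own script: the account changes of section 2
rem followed by the command-line binary lockdown of section 7.
rem Assumptions not on the page: the built-in administrator is still called
rem Administrator; SQLDebugger and TsInternetUser are the accounts the section
rem names "SQL DEBUG" and "TERMINAL USER"; the decoy password is a placeholder;
rem the copies Windows File Protection keeps in System32\dllcache are locked too.

rem 2A. Rename the built-in administrator to root (rename keeps the SID, so
rem existing ACLs and group memberships are unaffected).
wmic useraccount where name='Administrator' rename root

rem 2C. Guest becomes a disabled decoy called administrator with a long password.
wmic useraccount where name='Guest' rename administrator
net user administrator REPLACE_WITH_LONG_RANDOM_PASSWORD
net user administrator /active:no

rem 2D. Disable everything except root, IUSR, IWAM and ASPNET. SUPPORT_388945a0 is
rem the Help and Support account Windows Server 2003 creates by default.
for %%u in (SQLDebugger TsInternetUser SUPPORT_388945a0) do (
    net user %%u /active:no >nul 2>&1
)
rem 2B (remote control / terminal server logon per user) has no net.exe switch;
rem it is set on each user's Remote Control and Terminal Services Profile tabs.
rem Print what is left enabled for review.
wmic useraccount where "LocalAccount=true and Disabled=false" get Name

rem 7. Only root may use these tools: replace each file's ACL with root:F, as the
rem section does for cmd.exe and net.exe. format.exe is listed as on the page;
rem the actual file on this platform is format.com, so it is covered as well.
set TOOLS=cmd.exe net.exe net1.exe ping.exe netstat.exe ftp.exe tftp.exe telnet.exe regedit.exe at.exe attrib.exe cacls.exe format.exe format.com
for %%f in (%TOOLS%) do (
    for %%p in ("%SystemRoot%\System32\%%f" "%SystemRoot%\%%f" "%SystemRoot%\System32\dllcache\%%f") do (
        if exist %%p (echo y| cacls %%p /G root:F)
    )
)
endlocal
```

Because cacls is itself in the list, run the script once as root and keep a console session open until you have confirmed that root can still open cmd.exe; after the replace, SYSTEM and every service account lose access to these binaries, which is what the section intends but also means scheduled jobs that shell out will stop working.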
8. Backup
Use the ntbackup program to back up the System State.
Use reg.exe to back up key system data, for example
reg export HKLM\SOFTWARE\ODBC e:\backup\system\odbc.reg /y
to back up the system's ODBC configuration.
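A backup job implementing section 8, added as an example and not from the guide. Assumptions not on the page: backups go under E:\backup in a per-day folder, the date is read from wmic rather than %DATE% so that it does not depend on the system locale, and besides the page's ODBC key the IIS and SQL Server registry keys below are exported too.

```batch
@echo off
setlocal
rem Added example, not the guide's own script: section 8 as a job you can put in
rem the Task Scheduler. It backs up the System State with ntbackup and exports
rem selected registry keys with reg.exe into a folder named by date.
rem Assumptions not on the page: backups live under E:\backup; the date is read
rem from wmic because %DATE% depends on the locale; besides the page's ODBC key,
rem the IIS and SQL Server keys below are exported too.

set STAMP=
for /f "skip=1 tokens=1" %%d in ('wmic os get localdatetime') do (
    if not defined STAMP set STAMP=%%d
)
rem LocalDateTime is yyyymmddHHMMSS.ffffff+zzz; keep yyyymmdd (this also drops
rem the stray carriage return wmic leaves on the token).
set STAMP=%STAMP:~0,8%
set DEST=E:\backup\%STAMP%
mkdir "%DEST%\registry" 2>nul

rem System State = registry, COM+ catalog, boot files, IIS metabase, certificates.
rem /V:yes verifies the set after writing, /L:s keeps only a summary log.
ntbackup backup systemstate /J "System State %STAMP%" /F "%DEST%\systemstate.bkf" /V:yes /L:s

rem Registry keys worth keeping separately; /y overwrites without prompting.
reg export HKLM\SOFTWARE\ODBC "%DEST%\registry\odbc.reg" /y
reg export HKLM\SYSTEM\CurrentControlSet\Services\W3SVC "%DEST%\registry\w3svc.reg" /y
reg export "HKLM\SOFTWARE\Microsoft\Microsoft SQL Server" "%DEST%\registry\mssql.reg" /y
reg export HKLM\SOFTWARE\Microsoft\MSSQLServer "%DEST%\registry\mssqlserver.reg" /y

rem The copies contain DSNs and service settings, so only Administrators and
rem SYSTEM may read them.
echo y| cacls "%DEST%" /T /G Administrators:F SYSTEM:F
endlocal
```

Schedule it with the Task Scheduler under an administrator account (after section 7 that means root, since at.exe and cmd.exe are restricted to it) and move the dated folders off the server, because a backup that stays on the same disk as the system does not help once a WebShell has write access to it.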
9. Anti-virus
Here we introduce the Chinese enterprise edition of McAfee 8i.
It receives timely updates for many of the malicious codes and Trojans circulating in China; for example, Haiyang Top 2006 is detected.
It can also remove MIME-encoded virus files from the queues used by SMTP software such as IMail.
Many people prefer to install Norton Enterprise Edition, but Norton Enterprise Edition has only basic coverage of WebShells.