About security policies for Windows servers

Source: Internet
Author: User
Tags: sql injection, microsoft baseline security analyzer

1.1.1 Windows Server installation

The system requires at least two partitions, both formatted as NTFS;

Install the operating system with the network disconnected;

When installing IIS, install only the necessary IIS components (for example, disable the FTP and SMTP services if they are not needed);

Install MSSQL and the other required software, then apply updates;

Use Microsoft's MBSA (Microsoft Baseline Security Analyzer) tool to analyze the computer's security configuration and identify missing patches and updates.

1.1.2 Account settings and management

Create as few accounts as possible with Administrator privileges; change the name and description of the default Administrator account; the password should be a combination of lowercase letters, uppercase letters and digits, with a length of at least 14;

Create a new decoy account named Administrator, give it minimum permissions and a randomly chosen password of at least 20 characters; disable the Guest account, change its name and description, and give it a complex password as well;

From Run, enter Gpedit.msc and press Enter to open the Group Policy Editor; select Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy, and set the account lockout threshold to "3 invalid logon attempts", the lockout duration to "30 minutes", and the reset lockout counter to "30 minutes";

In Security Settings - Local Policies - Security Options, set "Do not display last user name" to Enabled;

In Security Settings - Local Policies - User Rights Assignment, for "Access this computer from the network" retain only the Internet Guest account and the account under which the IIS process is started; also keep the ASPNET account if you use ASP.NET;

Create an ordinary user account for running the system, and use the runas command whenever privileged commands are needed.

1.1.3 Network service security management

Disable the default shares C$, D$ and ADMIN$;

Unbind NetBIOS from the TCP/IP protocol;

Turn off services that you do not need.

1.1.4 Enable the appropriate audit policy (recommended items to audit)

Logon events: success, failure

Account logon events: success, failure

System events: success, failure

Policy change: success, failure

Object access: failure

Directory service access: failure;

Privilege use: failure.
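The lockout values in 1.1.2 and the audit categories in 1.1.4 can be verified rather than assumed. The following read-only PowerShell script is an added example (not part of the original article): it parses the output of `net accounts` and `auditpol /get /category:*` and reports which settings still need fixing. It assumes an English-language Windows with auditpol available (Vista/2008 or later) and an elevated prompt; the mapping from the article's legacy audit categories to auditpol category names is the editor's, as is the rule that "Success and Failure" satisfies any requirement.

```powershell
# Added verification script (not from the original article). Run elevated.
# Expected values are the ones the article specifies in 1.1.2 and 1.1.4.

# --- Account lockout policy, parsed from 'net accounts' output -------------
$expectedLockout = @{
    'Lockout threshold'                    = '3'
    'Lockout duration (minutes)'           = '30'
    'Lockout observation window (minutes)' = '30'
}
$actual = @{}
net accounts | ForEach-Object {
    # Lines look like "Lockout threshold:    3" (or "Never" when not set)
    if ($_ -match '^(.+?):\s+(.*\S)') { $actual[$Matches[1].Trim()] = $Matches[2].Trim() }
}
foreach ($name in $expectedLockout.Keys) {
    $state = if ($actual[$name] -eq $expectedLockout[$name]) { 'OK ' } else { 'FIX' }
    "[{0}] {1}: expected {2}, found {3}" -f $state, $name, $expectedLockout[$name], $actual[$name]
}

# --- Audit policy: article's legacy categories mapped to auditpol categories -
# (editor's mapping: "logon events" -> Logon/Logoff, "directory service access" -> DS Access)
$wanted = @{
    'Logon/Logoff'  = 'Success and Failure'
    'Account Logon' = 'Success and Failure'
    'System'        = 'Success and Failure'
    'Policy Change' = 'Success and Failure'
    'Object Access' = 'Failure'
    'DS Access'     = 'Failure'
    'Privilege Use' = 'Failure'
}
$category = $null
auditpol /get /category:* | ForEach-Object {
    # Category names start at column 0; headers and unwanted categories reset $category
    if ($_ -match '^\S') {
        $category = if ($wanted.ContainsKey($_.Trim())) { $_.Trim() } else { $null }
        return
    }
    # Subcategory lines are indented two spaces and end with the effective setting
    if ($category -and $_ -match '^\s{2}(\S.*?)\s{2,}(No Auditing|Success|Failure|Success and Failure)\s*$') {
        $sub, $setting = $Matches[1], $Matches[2]
        # Compliant if the setting covers every outcome the article asks for
        $ok = ($setting -eq 'Success and Failure') -or ($setting -eq $wanted[$category])
        $state = if ($ok) { 'OK ' } else { 'FIX' }
        "[{0}] {1} / {2}: {3}" -f $state, $category, $sub, $setting
    }
}
```

Every line marked FIX names the exact policy item to change in the Group Policy Editor paths given above.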

1.1.5 Security-related settings

Hide important files/directories;

Enable the system's built-in Internet Connection Firewall and, in its settings, tick the Web Server entry under the Services option;

Protect against SYN flood attacks;

Do not respond to ICMP router advertisement packets;

Protect against ICMP redirect packet attacks;

Do not support the IGMP protocol;

Disable DCOM.

1.1.6 Configure the IIS service

Do not use the default Web site; if you do use it, keep the IIS directory separate from the system disk.

Delete the Inetpub directory that IIS creates by default on the disk where the system is installed.

Delete the virtual directories under the system disk, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin and MSADC.

Remove unnecessary IIS extension mappings;

Remove unnecessary application mappings, mainly .shtml, .shtm and .stm;

Change the path of the IIS log;

Use the WIS (Web Injection Scanner) tool to scan the entire Web site for SQL injection vulnerabilities.
