Building a fortress for Win2003 servers

Source: Internet
Author: User
Tags ftp iis firewall

Windows Server 2003 is one of the most common server operating systems. While it provides powerful network services and is simple to use, its security has troubled many network administrators: how do you take full advantage of the services Windows Server 2003 provides while keeping the server secure and stable and protecting it as far as possible against viruses and hackers? The release of the Chinese version of the Windows Server 2003 SP1 patch package addresses this issue. It not only provides fixes for system vulnerabilities, but also adds a number of easy-to-use security features, such as the Security Configuration Wizard (SCW). Using SCW security policies maximizes the security of your servers, and the configuration process is simple, so let's look at it together!

First, install "SCW"

As you all know, to enhance security, Windows Server 2003 does not install many service components by default, and you must install them manually if you want to use them. The same is true of SCW: even though you have successfully installed the SP1 patch package, you still have to install the Security Configuration Wizard (SCW) component manually.

Go to Control Panel, run Add or Remove Programs, and then switch to the Add/Remove Windows Components page. Select the Security Configuration Wizard option in the Windows Components Wizard dialog box and click the Next button to complete the installation of the SCW component.

The installation is that simple. You can then use SCW to configure security policies that enhance the security of your Windows Server 2003 server according to your needs.

Configuring a security policy is "simple"

On a Windows Server 2003 server, click Start → Run and execute the "SCW.exe" command in the Run dialog box. The Security Configuration Wizard dialog box pops up and the security policy configuration process begins. You can also go to the Control Panel → Administrative Tools window and use the Security Configuration Wizard shortcut to start SCW.

1. Create the first security policy

If you are using SCW for the first time, first create a new security policy for the Windows Server 2003 server. The policy is stored in an XML file, and its default storage location is "C:\WINDOWS\SECURITY\MSSCW\policies". A Windows Server 2003 system can hold multiple security policy files, created according to your needs, and you can modify these files, but only one security policy is applied at a time.

In the Welcome to the Security Configuration Wizard dialog box, click the Next button to go to the Configure Actions dialog box. Because this is the first time you have used SCW, select the "Create a new security policy" option, and then click the "Next" button to start configuring the security policy.

2. Easily configure "roles"

First, in the Select Server dialog box, enter the machine name or IP address of the Windows Server 2003 server that you want to secure in the server field. After you click the Next button, the Security Configuration Wizard processes the security configuration database.

Then you go to the Role-based Service Configuration dialog box. In a role-based service configuration, you can configure content such as Windows Server 2003 server roles, client roles, system services, applications, and administrative options.

A server "role" is simply one of the services that a Windows Server 2003 server provides, such as file server, print server, DNS server, or DHCP server. A Windows Server 2003 server can take on a single server role or play several roles at once. Click the "Next" button to go to the "Select Server Role" configuration dialog box, where you check the roles of your Windows Server 2003 server in the Server Roles list box.

Note: To ensure the security of the server, tick only the server roles you need. Selecting extra server roles increases the security risk to the Windows Server 2003 system. For example, if the author's Windows Server 2003 server is used only as a file server, simply select the "File Server" option.

Next, go to the "Select Client Features" tab to configure the client features supported by the Windows Server 2003 server. Client features are easy to understand: while the server provides a variety of network services, it also needs some client functionality of its own, such as the Microsoft network client, DHCP client, and FTP client. Check the client features you need in the list box, and clear the selection for any client features you do not need.

Next, go to the Select Management and Other Options dialog box, where you choose the management and service features of the Windows Server 2003 system that you want by checking the options you need in the list box. After clicking "Next", you also configure additional services for the Windows Server 2003 system, which are typically services provided by third-party software.

Then go to the "Process Unspecified Services" dialog box. An "unspecified service" arises when this security policy file is applied to another Windows Server 2003 server and some of the services on that server are not listed in the security configuration database. What should happen to these unlisted services? Here you can specify their running status, and we recommend that you select the "Do not change the Enable mode for this service" option. Finally, the "Confirm Service Change" dialog box appears, and the role-based service configuration is complete once you have confirmed your settings.

3. Configuring network security

The above completes the role-based service configuration. However, a Windows Server 2003 server runs a variety of services, each of which is delivered through one or more ports, and to keep the server secure Windows Firewall does not open these service ports by default. The Network Security Configuration Wizard lets you open the ports required by each service, which is simpler, more convenient, and more secure than configuring Windows Firewall manually.

In the Network Security dialog box, you open the ports used by the selected server roles, by the administrative features of the Windows Server 2003 system, and by the services of third-party software. After clicking the "Next" button, open the required ports in the "Open Ports and Allow Applications" dialog box, such as ports 20 and 21 required by the FTP server and port 80 required by the IIS service. Remember the "minimize" principle: select only the ports you want to open in the list box, and then confirm the port configuration. Note that we recommend you do not open any port that is not needed, so as to avoid creating a security risk for the Windows Server 2003 server.
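To check the "minimize" principle after the policy is applied, the following added example (not part of the original article) compares the sockets reported by `netstat -ano` with the approved ports. The approved list uses the article's FTP and IIS ports; the sample netstat output, addresses and PIDs are constructed for illustration.

```python
# Audit `netstat -ano` output against the ports approved in the SCW policy.
# SAMPLE is constructed; on a real server pass the saved netstat text to audit().
APPROVED = {("TCP", 20), ("TCP", 21), ("TCP", 80)}  # FTP and IIS ports from the article
LOOPBACK = ("127.", "[::1]")

SAMPLE = """\
Active Connections

  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:21             0.0.0.0:0              LISTENING       1480
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       4
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING       732
  TCP    127.0.0.1:1029         0.0.0.0:0              LISTENING       2100
  TCP    192.168.1.10:139       0.0.0.0:0              LISTENING       4
  TCP    192.168.1.10:80        192.168.1.50:3321      ESTABLISHED     4
  UDP    0.0.0.0:500            *:*                                    520
"""

def listeners(netstat_text):
    """Yield (proto, address, port, pid) for sockets that accept network traffic."""
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue                      # headers and blank lines
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue                      # established or closing connections
        addr, _, port = f[1].rpartition(":")
        if not port.isdigit() or addr.startswith(LOOPBACK):
            continue                      # loopback-only sockets are not reachable remotely
        pid = int(f[-1]) if f[-1].isdigit() else None
        yield f[0], addr, int(port), pid

def audit(netstat_text, approved=APPROVED):
    """Return (unexpected listeners, approved ports with no listener)."""
    found = list(listeners(netstat_text))
    unexpected = sorted({s for s in found if (s[0], s[2]) not in approved},
                        key=lambda s: (s[0], s[2]))
    # TCP 20 normally shows up here: active-mode FTP uses it as a source port.
    idle = sorted(approved - {(s[0], s[2]) for s in found})
    return unexpected, idle

if __name__ == "__main__":
    unexpected, idle = audit(SAMPLE)
    for proto, addr, port, pid in unexpected:
        print(f"REVIEW {proto} {addr}:{port} (PID {pid}) is not on the approved list")
    for proto, port in idle:
        print(f"IDLE   {proto} {port} is approved but nothing is listening")
```

A listener flagged for review is not necessarily reachable, since Windows Firewall may still block it, but it marks a service to disable or to confirm as blocked.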

4. Registry settings

Windows Server 2003 servers provide a variety of services to users on the network, but traffic between users and the server is likely to include "malicious" access, such as hacking and virus attacks. The Registry Settings Wizard makes it easy to secure your servers and to limit unauthorized user access as far as possible.

Use the Registry Settings Wizard to modify certain key values in the Windows Server 2003 server registry so that user access rights are strictly restricted. Following the wizard's prompts and the server's service needs, set Require SMB security signature, the outbound authentication method, and the inbound authentication method strictly to maximize the security of the Windows Server 2003 server. This also eliminates the hassle of modifying the registry manually.

5. Enable Audit Policy

A smart network administrator uses logs to analyze the health of the server, so it is important to enable an appropriate audit policy. SCW takes this fully into account, and its guided steps make it easy to enable audit policies.

In the System Audit Policy Configuration dialog box, choose the audit target sensibly. Logging too many events can affect the performance of the server, so it is recommended that you select the "audit successful operations" option. Of course, if you have special needs, you can choose one of the other options, such as "Do not audit" or "audit successful or unsuccessful actions".

6. Enhance IIS Security

IIS is one of the most widely used services on the network and the most vulnerable service in the Windows system. Keeping IIS servers running safely and protecting them as far as possible from hackers and viruses is one of the problems SCW sets out to solve. With the Security Configuration Wizard, you can easily enhance the security of your IIS servers so that they run stably and safely.

In the Internet Information Services Configuration dialog box, use the configuration wizard to select the Web service extensions that you want to enable and the virtual directories to keep, and to set anonymous users' write permissions on content files. This greatly enhances the security of the IIS server.

Tip: If your Windows Server 2003 server does not have the IIS service installed and running, the IIS Security Configuration section will not appear during the SCW configuration.

After completing these steps, go to the Save Security Policy dialog box. First name the security policy you configured in the Security Policy File Name dialog box, and then select the Apply Now option in the Apply Security Policy dialog box so that the configured security policy takes effect immediately.

Using SCW to enhance the security of a Windows Server 2003 server is as simple as this. All parameters are configured through wizard dialog boxes, which eliminates the cumbersome manual configuration process, and SCW is indeed an effective combination of security and ease of use. If your Windows Server 2003 system has the SP1 patch package installed, try SCW!
