Task: build a hardened web host that serves ten virtual sites with PHP and ASP support. In other words: buy a new server, install it, configure it and put it on the rack, start to finish.
I. Installing the system
I chose Windows 2000 Server here. Windows 2000 is a reasonably secure operating system, it is easy to administer, and Microsoft maintains it. There is nothing special about the installation, it is very simple; we only need to pay attention to the following points.
1. Use an NTFS-formatted system partition. The access control of an NTFS partition is no weaker than that of a *nix system (its file system design borrows from UNIX); every disk on the server should use NTFS.
2. Stay disconnected from the public network during the installation, and make sure the installation media is intact and from a trusted source.
3. Install only the TCP/IP protocol, and do not install any other programs or services (see Figure 1); keep the installation minimal. For security reasons, our server does not join a domain.
II. Basic hardening before patching
The usual online tutorials say to patch the system right after installation. That is actually quite unsafe: at that moment the system's security is close to zero, and going online to fetch updates is a good way to "win the lottery" (that is, get compromised). So we lay down the basic system security first.
1. Start > Run, type lusrmgr.msc (without the quotation marks) to open Local Users and Groups. First create a user in the Backup Operators group for day-to-day data backup and maintenance. Then create ten users in the Guests group, user1 through user10, one for each of the ten virtual sites. Rename the Administrator and Guest accounts and give them strong passwords.
2. Configure the account policy: open Local Security Settings.
Password policy: Password must meet complexity requirements ---- Enabled
Minimum password length ---- 13 characters (more is recommended)
Account lockout policy: Account lockout threshold ---- 3 invalid logon attempts
Account lockout duration ---- 30 minutes (change as needed)
See Figures 2 and 3.
3. Configure log auditing.
Audit policy change ---- Success + Failure
Audit logon events ---- Success + Failure
Audit object access ---- Failure
Audit directory service access ---- Failure
Audit privilege use ---- Failure
Audit account management ---- Success + Failure
Audit system events ---- Success + Failure
As shown in Figure 4.
4. Configure User Rights Assignment.
Back up files and directories ---- the Administrator account and the Backup Operators group created above are recommended; remove the Administrators group and all other groups.
Log on locally ---- ditto
Shut down the system ---- ditto
Restore files and directories ---- ditto
Manage auditing and security log ---- Administrator account
Profile single process ---- Administrator account
Take ownership of files or other objects ---- Administrator account
Force shutdown from a remote system ---- nobody
Change the system time ---- nobody
Load and unload device drivers ---- Administrator account
Disk quotas ---- Administrator account
Add more according to your needs, but do not grant any right to other groups unless you have a specific requirement.
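The account layout and policy of this section, scripted for a current Windows Server. This is an added example and not part of the original article (Windows 2000 had no PowerShell; the article does these steps in lusrmgr.msc and Local Security Settings). It assumes an elevated PowerShell 5.1 or later session; user1 through user10, the Guests group and the Backup Operators group are the article's, while the names srvadm (the renamed Administrator) and visitor (the renamed Guest) are placeholders invented here.

```powershell
# Added example (not the article's code): section II's local accounts and account policy.
# Assumed: elevated PowerShell 5.1+ on a current Windows Server; srvadm/visitor are placeholders.
#Requires -RunAsAdministrator

function New-StrongPassword {
    # 24 characters from the CSPRNG; loop until all four classes are present so the value
    # passes the "must meet complexity requirements" policy configured below
    $alphabet = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!@#$%^&*()-_=+'
    $rng = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    do {
        $bytes = New-Object byte[] 24
        $rng.GetBytes($bytes)
        $pw = -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
    } until ($pw -cmatch '[a-z]' -and $pw -cmatch '[A-Z]' -and $pw -match '\d' -and $pw -match '[^A-Za-z0-9]')
    $pw
}

function New-SiteUser {
    # one Guests-only account per virtual site; it becomes that site's IIS anonymous user later
    param([Parameter(Mandatory)][string]$Name)
    $pw = New-StrongPassword
    $secure = ConvertTo-SecureString -String $pw -AsPlainText -Force
    if (Get-LocalUser -Name $Name -ErrorAction SilentlyContinue) {
        Set-LocalUser -Name $Name -Password $secure
    } else {
        New-LocalUser -Name $Name -Password $secure -UserMayNotChangePassword `
            -Description "IIS anonymous account for site $Name" | Out-Null
    }
    Add-LocalGroupMember -Group 'Guests' -Member $Name -ErrorAction SilentlyContinue
    Remove-LocalGroupMember -Group 'Users' -Member $Name -ErrorAction SilentlyContinue   # Guests only
    [pscustomobject]@{ Name = $Name; Password = $pw }   # store in your vault, then discard
}

function Set-AccountPolicy {
    # lockout after 3 bad logons for 30 minutes; minimum length 13 (net.exe caps this at 14)
    net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30 /minpwlen:13 | Out-Null
    # "Password must meet complexity requirements" has no net.exe switch; apply it with secedit
    $inf = Join-Path $env:TEMP 'pwcomplexity.inf'
    @'
[Unicode]
Unicode=yes
[System Access]
PasswordComplexity = 1
[Version]
signature="$CHICAGO$"
Revision=1
'@ | Set-Content -Path $inf -Encoding Unicode
    secedit /configure /db (Join-Path $env:TEMP 'pwcomplexity.sdb') /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
}

function Rename-BuiltinAccounts {
    # locate the built-ins by RID (500 = Administrator, 501 = Guest) so this works on any language version;
    # set srvadm's password interactively afterwards rather than from a script
    foreach ($u in Get-LocalUser) {
        if ($u.SID.Value -match '-500$' -and $u.Name -ne 'srvadm') { Rename-LocalUser -Name $u.Name -NewName 'srvadm' }
        if ($u.SID.Value -match '-501$') {
            if ($u.Name -ne 'visitor') { Rename-LocalUser -Name $u.Name -NewName 'visitor' }
            Disable-LocalUser -Name 'visitor'
        }
    }
}

function Test-AccountHardening {
    # the checks a reviewer would want afterwards; every property should read True
    $acct   = (net accounts) -join "`n"
    $guests = @(Get-LocalGroupMember -Group 'Guests' | ForEach-Object { $_.Name.Split('\')[-1] })
    [pscustomobject]@{
        AdminRenamed        = -not (Get-LocalUser | Where-Object { $_.SID.Value -match '-500$' -and $_.Name -eq 'Administrator' })
        GuestDisabled       = -not (Get-LocalUser | Where-Object { $_.SID.Value -match '-501$' -and $_.Enabled })
        LockoutThresholdIs3 = $acct -match 'Lockout threshold:\s+3\b'
        MinPwLenIs13        = $acct -match 'Minimum password length:\s+13\b'
        SiteUsersInGuests   = @(1..10 | Where-Object { $guests -notcontains "user$_" }).Count -eq 0
    }
}

Set-AccountPolicy
Rename-BuiltinAccounts
$siteAccounts = 1..10 | ForEach-Object { New-SiteUser -Name "user$_" }
$siteAccounts | Format-Table -AutoSize
Test-AccountHardening
```

Test-AccountHardening is the part worth keeping around: it re-reads the live state (net accounts output, the RID-500 and RID-501 accounts, Guests membership) rather than trusting that the earlier commands succeeded, so it can be run again later to catch drift.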
III. Disable unnecessary system services
Start > Run, type services.msc to open the Services console. Every unnecessary service that is enabled is a potential security risk for the server, and it also consumes a share of system resources. In general the system only needs to run the following services; enable others only where they are specifically required.
Event Log ---- event viewer logging
IIS Admin Service ---- manages the web service
Logical Disk Manager ---- disk management
Plug and Play ---- manages plug-and-play hardware devices
Protected Storage ---- protected storage for sensitive data
Remote Procedure Call (RPC) ---- system process invocation
Security Accounts Manager ---- stores security information for local user accounts
Windows Management Instrumentation ---- provides system management information
World Wide Web Publishing Service ---- provides web connectivity and management
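An audit of the running services against the allow-list above, as an added example that is not from the article. It assumes an elevated PowerShell session on a current Windows Server; the service names are the internal names behind the article's display names (dmserver, the Windows 2000 Logical Disk Manager, no longer exists on current releases). A modern server runs many services the 2000-era list never saw, so the function reports by default and only stops and disables with -Enforce.

```powershell
# Added example (not the article's code): compare running services with section III's list.
# Assumed: elevated PowerShell; internal names map to the article's display names.
$AllowedServices = @(
    'EventLog',          # Event Log
    'IISADMIN',          # IIS Admin Service
    'dmserver',          # Logical Disk Manager (Windows 2000 only)
    'PlugPlay',          # Plug and Play
    'ProtectedStorage',  # Protected Storage
    'RpcSs',             # Remote Procedure Call (RPC)
    'SamSs',             # Security Accounts Manager
    'Winmgmt',           # Windows Management Instrumentation
    'W3SVC'              # World Wide Web Publishing Service
)

function Get-ServiceDrift {
    # every service that is running but not on the allow-list, together with the running
    # services that depend on it, so the reviewer sees what would break before anything stops
    param([string[]]$Allowed = $AllowedServices)
    Get-Service | Where-Object { $_.Status -eq 'Running' -and $Allowed -notcontains $_.Name } |
        ForEach-Object {
            [pscustomobject]@{
                Name        = $_.Name
                DisplayName = $_.DisplayName
                StartType   = $_.StartType
                NeededBy    = ($_.DependentServices | Where-Object Status -eq 'Running' | ForEach-Object Name) -join ','
            }
        }
}

function Invoke-ServiceLockdown {
    # report-only unless -Enforce; with -Enforce each extra service is stopped and disabled
    # and the outcome is returned per service, so the run can be logged
    param([string[]]$Allowed = $AllowedServices, [switch]$Enforce)
    foreach ($svc in Get-ServiceDrift -Allowed $Allowed) {
        $action = 'would stop and disable'
        if ($Enforce) {
            try {
                Stop-Service -Name $svc.Name -Force -ErrorAction Stop
                Set-Service  -Name $svc.Name -StartupType Disabled
                $action = 'stopped and disabled'
            } catch { $action = "failed: $($_.Exception.Message)" }
        }
        [pscustomobject]@{ Name = $svc.Name; DisplayName = $svc.DisplayName; NeededBy = $svc.NeededBy; Action = $action }
    }
}

# review first; add what this host genuinely needs to $AllowedServices (for example TermService
# if you administer it over RDP, Dhcp and Dnscache if it is not statically configured) before -Enforce
Invoke-ServiceLockdown | Format-Table -AutoSize
```

The NeededBy column is the important one: a service with other running services depending on it cannot be stopped in isolation, and that is exactly where a blind "disable everything not on the list" run takes a server offline.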
IV. Security configuration for network connections
1. Right-click Network Places on the desktop and choose Properties, then right-click Local Area Connection and choose Properties (Figure 5). Keep only Internet Protocol (TCP/IP); the other components are useless on a server like ours and are a security risk.
2. Internet Protocol (TCP/IP) > Properties > Advanced > WINS tab: select "Disable NetBIOS over TCP/IP" (Figure 6).
3. Options > TCP/IP Filtering > Properties. If the machine only serves the web, allow only TCP port 80 through; if it hosts several sites distinguished by port, allow ports according to the situation (Figure 7).
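The same three steps on a current Windows Server, where Windows Firewall takes the place of the Windows 2000 TCP/IP Filtering dialog. This is an added example, not the article's own procedure. It assumes an elevated PowerShell session with the NetAdapter and NetSecurity modules (Windows Server 2012 and later) and, as in the article, that the host serves plain HTTP so TCP 80 is the one inbound port; the admin address 192.0.2.10 is a documentation-range placeholder.

```powershell
# Added example (not the article's code): section IV on a current Windows Server.
# Assumed: elevated PowerShell, NetAdapter/NetSecurity modules, HTTP-only host.
#Requires -RunAsAdministrator

function Disable-UnneededBindings {
    # 1. keep only TCP/IP: unbind Client for Microsoft Networks and File and Printer Sharing
    Disable-NetAdapterBinding -Name '*' -ComponentID 'ms_msclient', 'ms_server' -ErrorAction SilentlyContinue
}

function Disable-NetbiosOverTcpip {
    # 2. WINS tab -> "Disable NetBIOS over TCP/IP" on every IP-enabled adapter
    #    TcpipNetbiosOptions: 0 = follow DHCP, 1 = enable, 2 = disable; ReturnValue 0 means success
    Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        ForEach-Object {
            $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 }
            [pscustomobject]@{ Adapter = $_.Description; ReturnValue = $r.ReturnValue }
        }
}

function Set-WebOnlyFirewall {
    # 3. allow exactly the web ports, then switch every profile to default-deny inbound.
    #    Rules go in BEFORE the default changes: from a remote session the other order cuts you off.
    param([int[]]$Ports = @(80), [string[]]$AdminSource = @())
    foreach ($p in $Ports) {
        if (-not (Get-NetFirewallRule -DisplayName "WebHost-TCP-$p" -ErrorAction SilentlyContinue)) {
            New-NetFirewallRule -DisplayName "WebHost-TCP-$p" -Direction Inbound -Protocol TCP `
                -LocalPort $p -Action Allow | Out-Null
        }
    }
    # management access (RDP) only from the admin subnet, and only if one was given
    if ($AdminSource.Count -gt 0 -and -not (Get-NetFirewallRule -DisplayName 'WebHost-RDP-admin' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'WebHost-RDP-admin' -Direction Inbound -Protocol TCP -LocalPort 3389 `
            -RemoteAddress $AdminSource -Action Allow | Out-Null
    }
    Set-NetFirewallProfile -Profile Domain, Private, Public -Enabled True `
        -DefaultInboundAction Block -DefaultOutboundAction Allow
}

function Get-OpenInboundPorts {
    # what an external scan should still reach afterwards: the TCP ports of enabled allow rules
    Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
        Get-NetFirewallPortFilter |
        Where-Object { $_.Protocol -eq 'TCP' -and $_.LocalPort -ne 'Any' } |
        Select-Object -ExpandProperty LocalPort -Unique
}

Disable-UnneededBindings
Disable-NetbiosOverTcpip
Set-WebOnlyFirewall -Ports 80 -AdminSource '192.0.2.10'
Get-OpenInboundPorts
```

Get-OpenInboundPorts will also list ports opened by rules Windows ships enabled (WinRM on 5985, for instance); anything in that output that is not 80 or your management port is a rule to review and disable.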
V. Access control and file permissions
Convert all partitions to NTFS. If a disk holds no data yet, right-click the drive letter, choose Format, and pick NTFS under File system (F). Otherwise use the command "convert d: /fs:ntfs", which requires a reboot.
Remove the default Everyone group's Full Control from all disks; otherwise, once an attacker gets a webshell, he can do real damage to the server. Open My Computer, right-click the local disk, choose Properties, and on the Security tab remove Everyone. Add the administrator account with Full Control, and add the Backup Operators group user created above for day-to-day maintenance. On the system disk also add SYSTEM, otherwise anything that runs with system privileges will fail. Click Advanced (Figure 8), tick "Reset permissions on all child objects and enable propagation of inheritable permissions", and click OK.
We can of course also encrypt the important files on the disk, so that even if someone walks off with your hard drive he cannot read your data. But this feature must be used with care: if your system crashes, you lose access to that data too, so encrypt only after taking a backup (see the previous issue of X File for details). With that, the server's basic security is in place.
VI. Building the server itself
1. Install SQL Server and MySQL; both installers are click-through. MySQL's root user has no password after a default installation, so give it a strong one, and do the same for SQL Server's sa account.
2. Windows supports ASP out of the box, so no extra software is needed. To make it support PHP, we use php-4.3.*-win32 (I previously used the PHP installer, which installs without configuring IIS, which is rather cumbersome). First unzip it to c:\php, rename php.ini-dist to php.ini and copy it to the WINNT directory, then copy php4ts.dll to the system32 directory. In Internet Information Services (IIS) Manager, locate the web site, right-click it and choose Properties, then Home Directory > Configuration > Application Configuration > Add. Under Executable (X) enter c:\php\sapi\php4isapi.dll, under Extension enter .php, and under Limit to (L) enter GET,HEAD,POST,TRACE. See Figure 9.
3. Controlling virtual host permissions with IIS + NTFS
Open Internet Information Services, right-click our site and choose Properties. In the configuration dialog, under "IP address (I)" and "TCP port (T)" enter the appropriate IP and port (the default port is 80). Under Documents add the site's default home page, and under Home Directory select the site's physical directory (Figure 10).
Click Configuration and remove every extension mapping this site does not need from Application Mappings.
Click the Directory Security tab, edit the Anonymous User Account, click Browse and add user1 (Figure 11). Now even if someone uploads a webshell to the site directory, he can only wander around inside that directory and has no permission to run cmd.
Delete the Inetpub directory on the C: drive, and delete the Scripts and other virtual directories that the IIS installation creates by default. To be safe, use the IIS backup function to take a full backup of the configuration just made, so the IIS security configuration can be restored at any time. Next open the directory the site lives in, right-click, Security tab (because of the earlier setup only the administrator and the Backup Operators group user are listed), and add this site's Guests-group user, user1. Give user1 Read permission only; if there is a database in the directory, he also needs Write. Click Advanced, tick the "Reset permissions on all child objects and enable propagation of inheritable permissions" checkbox and click OK. If the database lives outside the web directory, set permissions on it for this user separately. Set up the other sites the same way, assigning them to user2 through user10.
4. Simple webshell protection
After this configuration, even if someone gets a webshell on your site, he cannot damage the other sites, let alone the server. If you are thoroughly fed up with those little webshells, you can also type "regsvr32 /u c:\winnt\system32\scrrun.dll" at the cmd prompt and everything goes quiet. But if we need FSO ourselves, it is gone too; it can be restored with "regsvr32 c:\winnt\system32\scrrun.dll", but this method is not recommended. Instead, find HKEY_CLASSES_ROOT\Scripting.FileSystemObject in the registry and change the string to whatever name you like; as long as you do not tell anyone, there is no problem.
VII. Preventing overflow attacks
If the server is successfully overflowed, the exploit binds CMD.EXE on the server; the attacker then connects remotely, runs cmd commands with the server administrator's privileges and does malicious damage. What can we do? We know that a typical overflow runs our machine's CMD.EXE with system privileges, so set its permissions so that only Administrators can access it and delete every other permission entry (Figure 12).
Then even a "successful" overflow cannot connect to our server; on the attacker's machine it should show "connection refused", and our goal is achieved.
Here I also suggest renaming or deleting the dangerous files under system32 (%systemroot%\system32), such as format.exe, del.exe, cmd.exe, cacls.exe and so on.
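One helper for the NTFS steps of sections V (disk roots), VI.3 (a site directory that its anonymous user may only read, plus the database folder it must write) and VII (cmd.exe reachable by Administrators only). This is an added example and not the article's procedure: it replaces the Everyone-based default DACL with an explicit list of principals and then resets the children to inherit it, which is what the GUI's "Reset permissions on all child objects" does. It assumes an elevated PowerShell session on a current Windows Server; D:\ and D:\sites\site1 are placeholder paths, user1 and Backup Operators are the article's. takeown is needed for cmd.exe because current Windows gives TrustedInstaller ownership of system binaries (the article's Windows 2000 did not).

```powershell
# Added example (not the article's code): explicit DACLs for sections V, VI.3 and VII.
# Assumed: elevated PowerShell; D:\ and D:\sites\site1 are placeholders.
#Requires -RunAsAdministrator

function Set-ExclusiveAcl {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][hashtable]$Grants,   # principal -> 'FullControl' | 'Modify' | 'ReadAndExecute' ...
        [switch]$ResetChildren,
        [switch]$TakeOwnership
    )
    if ($TakeOwnership) { takeown /F $Path /A | Out-Null }   # owner becomes Administrators, who may then edit the DACL
    $isDir = Test-Path -LiteralPath $Path -PathType Container
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)   # cut inheritance without copying the inherited ACEs
    foreach ($ace in @($acl.Access)) {            # drop every explicit ACE: Everyone, Users, whatever was there
        if (-not $ace.IsInherited) { $null = $acl.RemoveAccessRule($ace) }
    }
    foreach ($principal in $Grants.Keys) {
        $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $principal, $Grants[$principal], $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -LiteralPath $Path -AclObject $acl
    if ($ResetChildren -and $isDir) {
        # like the GUI checkbox: children lose their own ACEs and keep only what $Path passes down
        Get-ChildItem -LiteralPath $Path -Force | ForEach-Object { icacls $_.FullName /reset /T /C /Q | Out-Null }
    }
}

function Get-AclSummary {
    # who can touch the path, for review; Everyone must not appear after hardening
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access |
        Select-Object @{ n = 'Principal'; e = { $_.IdentityReference.Value } }, FileSystemRights, IsInherited
}

# section V: data disk root. The article adds SYSTEM on the system disk; leaving it out on a data
# disk breaks every service running as SYSTEM that has to read it, so it is kept here too.
Set-ExclusiveAcl -Path 'D:\' -ResetChildren -Grants @{
    'BUILTIN\Administrators'   = 'FullControl'
    'BUILTIN\Backup Operators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'      = 'FullControl'
}

# section VI.3: site 1 is read-only for its anonymous user, except the data folder it must write
Set-ExclusiveAcl -Path 'D:\sites\site1' -ResetChildren -Grants @{
    'BUILTIN\Administrators'   = 'FullControl'
    'BUILTIN\Backup Operators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'      = 'FullControl'
    "$env:COMPUTERNAME\user1"  = 'ReadAndExecute'
}
Set-ExclusiveAcl -Path 'D:\sites\site1\data' -Grants @{
    'BUILTIN\Administrators'   = 'FullControl'
    'BUILTIN\Backup Operators' = 'FullControl'
    'NT AUTHORITY\SYSTEM'      = 'FullControl'
    "$env:COMPUTERNAME\user1"  = 'Modify'
}

# section VII: cmd.exe for Administrators only. On current Windows, Windows Resource Protection may
# put the original ACL back at the next servicing, and any task that runs as SYSTEM and shells out breaks.
Set-ExclusiveAcl -Path "$env:SystemRoot\System32\cmd.exe" -TakeOwnership -Grants @{
    'BUILTIN\Administrators' = 'FullControl'
}

Get-AclSummary -Path 'D:\sites\site1'
```

Order matters in the site example: the site root is written first with -ResetChildren, which wipes the data folder's own ACEs, and only then does the data folder get its explicit Modify entry; reversing the two calls would leave user1 read-only on the database.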
VIII. Simple protection against SQL Server injection
1. For the database, the first issue is the injection problems caused by its extended stored procedures. The combination SQL Server + ASP makes injection points easy to find. Suppose an address such as
http://localhost/new.asp?id=128
has an injection vulnerability. Then one can submit
http://localhost/new.asp?id=128;exec master.dbo.xp_cmdshell 'net user hack /add'--
http://localhost/new.asp?id=128;exec master.dbo.xp_cmdshell 'net localgroup administrators hack /add'--
and now hack is an administrator. Hosts like this are rare, but if you do not configure things properly you may become one of that minority. Open the Enterprise Manager of MS SQL Server, find the xp_cmdshell extended stored procedure and delete it (Figure 13).
Of course, deleting that one is far from enough; many security risks remain. If someone submits
http://localhost/new.asp?id=128;exec master.dbo.sp_addextendedproc xp_cmdshell, @dllname='xplog70.dll';
xp_cmdshell is directly restored (the specific intrusion method is not described here). So we also have to delete the file xplog70.dll, and we have to remove the following extended stored procedures as well.
xp_regaddmultistring
xp_regdeletekey
xp_regenumvalues
xp_regdeletevalue
xp_regremovemultistring
xp_regwrite
xp_regread
xp_subdirs
xp_fileexist
xp_instance_regread
xp_instance_regenumkeys
xp_instance_regaddmultistring
and so on; there are too many to list here, so look at SQL Server security material for the rest.
2. User permissions. For the web site's database user, grant only the db_datareader and db_datawriter roles and do not grant backup rights. Every user must of course get a strong password, and keep an eye out for new MS SQL security patches.
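The defensive side of this section driven from PowerShell with System.Data.SqlClient, as an added example that is not the article's code. It covers the extended-procedure audit of VIII.1, the least-privilege login of VIII.2, and the root cause behind new.asp?id=128;exec ...: the page builds its SQL text from the query string, whereas a typed parameter cannot carry a second statement. Invented here and assumed: the instance name .\SQLEXPRESS, a database site1db with a table dbo.news(id int, title nvarchar(200)), and the login websiteuser1 with a placeholder password; the procedure list is the article's. On SQL Server 2005 and later xp_cmdshell is a system object that cannot be dropped, so it is switched off with sp_configure instead of the article's delete.

```powershell
# Added example (not the article's code): section VIII from PowerShell.
# Assumed/invented: .\SQLEXPRESS, site1db, dbo.news(id, title), login websiteuser1.
Add-Type -AssemblyName System.Data

$AdminConn = 'Server=.\SQLEXPRESS;Database=master;Integrated Security=True'
$WebConn   = 'Server=.\SQLEXPRESS;Database=site1db;User ID=websiteuser1;Password=CHANGE-ME-placeholder'

function Invoke-Sql {
    # values travel as typed parameters; the SQL text is never assembled from input
    param([string]$ConnectionString, [string]$Sql, [hashtable]$Parameters = @{})
    $conn = New-Object System.Data.SqlClient.SqlConnection $ConnectionString
    $cmd  = $conn.CreateCommand()
    $cmd.CommandText = $Sql
    foreach ($name in $Parameters.Keys) { $null = $cmd.Parameters.AddWithValue($name, $Parameters[$name]) }
    $table = New-Object System.Data.DataTable
    try { $conn.Open(); $table.Load($cmd.ExecuteReader()) } finally { $conn.Close() }
    return ,$table   # the comma keeps the DataTable whole instead of unrolling it into rows
}

# the article's list of extended procedures (xp_cmdshell added at the top)
$DangerousXps = @('xp_cmdshell', 'xp_regaddmultistring', 'xp_regdeletekey', 'xp_regenumvalues',
    'xp_regdeletevalue', 'xp_regremovemultistring', 'xp_regwrite', 'xp_regread', 'xp_subdirs',
    'xp_fileexist', 'xp_instance_regread', 'xp_instance_regenumkeys', 'xp_instance_regaddmultistring')

function Get-DangerousExtendedProcs {
    # which of the listed procedures exist in master on this instance
    $rows = Invoke-Sql $AdminConn "SELECT name FROM master.sys.all_objects WHERE type = 'X'"
    $present = @(foreach ($r in $rows.Rows) { $r.name })
    $DangerousXps | Where-Object { $present -contains $_ }
}

function Disable-XpCmdshell {
    # SQL 2005+: switch the feature off server-wide; returns $true when it is confirmed off
    $null = Invoke-Sql $AdminConn @'
EXEC sp_configure 'show advanced options', 1; RECONFIGURE;
EXEC sp_configure 'xp_cmdshell', 0; RECONFIGURE;
'@
    $cfg = Invoke-Sql $AdminConn "SELECT value_in_use FROM sys.configurations WHERE name = 'xp_cmdshell'"
    [int]$cfg.Rows[0].value_in_use -eq 0
}

function Revoke-PublicExecute {
    # procedures you keep must still be unreachable from the web login: take EXECUTE away from public
    foreach ($xp in Get-DangerousExtendedProcs) { $null = Invoke-Sql $AdminConn "REVOKE EXECUTE ON [$xp] FROM public" }
}

function New-WebLogin {
    # VIII.2: a login holding db_datareader and db_datawriter only (no backup, no DDL rights).
    # Name and password come from the administrator, never from a request, so interpolation is acceptable here.
    param([string]$Name, [string]$Password, [string]$Database)
    $pw = $Password.Replace("'", "''")
    $null = Invoke-Sql $AdminConn @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$Name')
    CREATE LOGIN [$Name] WITH PASSWORD = N'$pw', CHECK_POLICY = ON;
USE [$Database];
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$Name')
    CREATE USER [$Name] FOR LOGIN [$Name];
EXEC sp_addrolemember 'db_datareader', N'$Name';
EXEC sp_addrolemember 'db_datawriter', N'$Name';
"@
}

function Get-NewsItem {
    # what new.asp should have done: the id must parse as an integer and is bound as an int parameter,
    # so "128;exec master.dbo.xp_cmdshell ..." is rejected before any SQL is sent
    param([string]$IdFromQueryString)
    $id = 0
    if (-not [int]::TryParse($IdFromQueryString, [ref]$id)) { throw "rejected id: not an integer" }
    (Invoke-Sql $WebConn 'SELECT id, title FROM dbo.news WHERE id = @id' @{ '@id' = $id }).Rows
}

Disable-XpCmdshell
Revoke-PublicExecute
New-WebLogin -Name 'websiteuser1' -Password 'CHANGE-ME-placeholder' -Database 'site1db'
Get-NewsItem -IdFromQueryString '128'
try { Get-NewsItem -IdFromQueryString '128;exec master.dbo.xp_cmdshell ...--' } catch { "blocked: $_" }
```

Two of these functions are checks rather than changes: Get-DangerousExtendedProcs tells you which of the article's procedures this instance actually has, and Disable-XpCmdshell reads value_in_use back from sys.configurations instead of assuming the RECONFIGURE took effect.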
IX. Installing patches and configuring applications
Install the latest security patches; critical updates and service packs should generally all be installed. Get updates only from Microsoft's web site, never from some unknown site; Windows Update at the top of the Start menu does this. Do not install any unknown or unused programs on the server, nor development tools such as VC++ and Office. A network monitoring tool (traffic monitoring, a firewall and so on) is indispensable on a server, but the tools must be reliable: test them on another machine first, then install them on the server.
X. Other
1. Do not use IE or Outlook Express to read mail on the server.
2. Develop good habits: back up the server's data, logs and so on regularly.
3. If your English is good enough, install the English version of the operating system.
4. Establish a strict management system and strictly control who has physical access to the server.
PS: Security is comprehensive and complex work. No configuration is absolutely safe, but we must do what we can; a moment's negligence can bring a server down. A network administrator should apply system and application patches promptly, audit the system logs, and regularly run security tests against his own servers.
I hope all this helps friends who are beginners like me. For lack of space this is only the tip of the iceberg; a lot is not covered, such as the registry, IPSec, firewalls and so on.