Install Win2K and IIS
Indexing Service,
FrontPage 2000 Server Extensions,
Internet Service Manager (HTML)
Do not install these components, or any others you do not need. (According to the security principle: minimum services + minimum permissions = maximum security.)
First, open Internet Service Manager (Start --> Programs --> Administrative Tools --> Internet Service Manager). After installation there is a default site and an SMTP service item. Select the default site and delete all directories under it (press the Delete key on your keyboard). Then stop IIS. The simplest method is Start --> Run --> enter net stop iisadmin, press Y and then Enter (the start command is net start w3svc). Delete the Inetpub directory on drive C completely (stop IIS before deleting it), create a directory on another disk, and in IIS manager point the home directory of the default site to the directory you just created. If you need directories with particular permissions, create them yourself. (Pay special attention to write and execute permissions: unless they are absolutely necessary, do not grant them. By default, they are not granted.)
Application configuration: in IIS manager, delete every mapping that is not required, leaving ASP, ASA and the other file types you actually need (cgi and php aside, I think everything else is useless; delete htw, htr, idq, ida ......). Where do you delete them? Method: Internet Service Manager > site > Properties > WWW Service > Edit > Home Directory > Configuration > Application Mappings, then delete them one by one (they cannot all be selected at once, which is really troublesome). Then, on the application debugging tab of the same window, change the script error message setting to send a text message to the client (unless you want users to learn your program/network/database structure when ASP errors occur). What should the error text say? Whatever you like. When you click OK to exit, do not forget to let the virtual directories inherit the properties you set.
To deal with the increasing number of CGI vulnerability scanners, you can also use the following tip: redirect the HTTP 404 Object Not Found error page in IIS, via URL, to a custom HTM file. This causes most CGI vulnerability scanners to malfunction. With the redirect in place, every scan returns HTTP 200 regardless of whether the vulnerability exists. 90% of CGI scanners will conclude that you have every vulnerability, and those results cover up your real vulnerabilities and confuse intruders. From a personal point of view, however, I still think that a solid security configuration is more important than tips like this.
Win2000 account security is another focus. First, a default installation of Win2000 allows anyone to obtain a list of all accounts and shares on the system through a null (empty user) connection. This is intended to make file sharing convenient for LAN users, but a remote user can also obtain your user list and use brute force to crack the user passwords. Many people know that null connections on port 139 can be disabled by setting RestrictAnonymous = 1 under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA in the registry. In fact, the Local Security Policy of Win2000 (on a domain server, the Domain Server Security Policy and the Domain Security Policy) contains a RestrictAnonymous option, "Additional restrictions for anonymous connections". This option has three values:
0: None. Rely on default permissions
1: Do not allow enumeration of SAM accounts and shares
2: No access without explicit anonymous permissions
The value 0 is the default and imposes no restrictions. Remote users can learn all the accounts, group information, shared directories, and network transport lists (NetServerTransportEnum) on your machine. This setting is very dangerous for servers.
The value 1 only allows non-null users to access SAM account information and share information.
The value 2 is only supported in Win2000. Note that if you use this value, your shares will probably all stop working, so it is recommended that you set it to 1.
Now intruders cannot get our user list, and our accounts are secure ...... Not so fast. At least one account can still have its password brute-forced: the built-in administrator account. What should you do? In Computer Management > User Accounts, right-click administrator and rename it. Use any name you like, as long as you remember it. After the administrator user name has been changed, it can still be seen on the logon screen of the Terminal Service (which remembers the name of the last user who logged on). To fix this, run regedit and find the HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon key, then change the data of the DontDisplayLastUserName string to 1, so that the system does not automatically display the last logged-on user name.
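As an added example (not part of the original article), the following Python script checks a registry export for the two values set above. It assumes the two keys were exported as text in .reg format and already decoded; the sample export is constructed.

```python
import re

# Constructed sample: REGEDIT4-style export of the two keys discussed above.
SAMPLE_EXPORT = r'''REGEDIT4

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="0"
'''

# (key, value name) -> data recommended in the article; compared lower-case.
EXPECTED = {
    (r"hkey_local_machine\system\currentcontrolset\control\lsa",
     "restrictanonymous"): 1,
    (r"hkey_local_machine\software\microsoft\windows nt\currentversion\winlogon",
     "dontdisplaylastusername"): "1",
}

def parse_reg(text):
    """Parse a .reg export into {(key, name): data}; names are lower-cased."""
    values, key = {}, None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1].lower()
            continue
        m = re.match(r'"((?:[^"\\]|\\.)*)"=(.*)$', line)
        if not m or key is None:
            continue
        name, raw = m.group(1).lower(), m.group(2)
        if raw.startswith("dword:"):
            data = int(raw[6:], 16)               # REG_DWORD, hex digits
        elif raw.startswith('"') and raw.endswith('"'):
            data = re.sub(r"\\(.)", r"\1", raw[1:-1])  # REG_SZ, unescape
        else:
            continue  # hex: and other types are not needed for this check
        values[(key, name)] = data
    return values

def audit(text):
    """Return one finding per expected value that is missing or different."""
    actual = parse_reg(text)
    return [f"{k}\\{n}: expected {want!r}, found {actual.get((k, n))!r}"
            for (k, n), want in EXPECTED.items() if actual.get((k, n)) != want]

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("FAIL", finding)
```

A missing value is reported as found None, which on a default installation means the setting was never applied.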
To improve security further, you can also enable TCP/IP filtering: right-click My Network Places on the desktop -> Properties -> right-click the network adapter you want to configure -> Properties -> TCP/IP -> Advanced -> Options -> TCP/IP filtering. There are three filters: TCP ports, UDP ports, and IP protocols. Click "only allow" and add the ports you want to open below it. Generally, a web server only needs 80 (WWW); an FTP server requires 20 (FTP Data) and 21 (FTP Control); add 3306 for MySQL and 3389 for Remote Terminal Control (you need this if your host is housed in a remote machine room and cannot be operated directly). A mail server may need 25 (SMTP) and 110 (POP3). I have not studied the other ports; however, if you use only the services described in this article, you only need to open the ports above. (, 3306)
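To compare the filter list with what the machine actually exposes, this added example (not from the original article) checks the listening TCP ports in netstat -an output against the ports the article lists for each role. The role names and the sample output are constructed.

```python
# Allowed inbound TCP ports per server role, taken from the article's list.
# The role names themselves are labels made up for this example.
ROLE_PORTS = {
    "web": {80},
    "ftp": {20, 21},
    "mysql": {3306},
    "terminal": {3389},
    "mail": {25, 110},
}

# Constructed sample of `netstat -an` output from a Windows host.
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:3389           0.0.0.0:0              LISTENING
  TCP    127.0.0.1:1027         0.0.0.0:0              LISTENING
  TCP    192.0.2.10:80          198.51.100.7:4312      ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

def listening_tcp_ports(netstat_text):
    """Return the TCP ports in LISTENING state on non-loopback addresses."""
    ports = set()
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) == 4 and f[0] == "TCP" and f[3] == "LISTENING":
            addr, _, port = f[1].rpartition(":")
            if not addr.startswith("127."):  # loopback is not reachable remotely
                ports.add(int(port))
    return ports

def unexpected_listeners(netstat_text, roles):
    """Listening ports that are not in the allow list for the given roles."""
    allowed = set().union(*(ROLE_PORTS[r] for r in roles))
    return sorted(listening_tcp_ports(netstat_text) - allowed)

if __name__ == "__main__":
    for port in unexpected_listeners(SAMPLE_NETSTAT, ["web", "terminal"]):
        print(f"TCP {port} is listening but is not in the 'only allow' list")
```

Each port it reports is either a service to stop or one that relies entirely on the filter to stay unreachable.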
CGI support
Download ActivePerl (you can download the latest version from www.perl.com)
1. Run install.exe. It installs to C:\PERL by default. For convenience, install it in the C:\USR directory instead. (This way the path to the Perl interpreter in scripts can be written directly as #!/usr/bin/perl, so the path is consistent between the standalone environment and the network environment. During installation, press Y.)
2. After installation, follow the three steps below to modify the registry: run RegEdit and find HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\W3SVC\Parameters\Script Map, then add the key name ".cgi" with the key value "C:\USR\BIN\perl.exe %s" and the key name ".pl" with the key value "C:\USR\BIN\perl.exe %s". (Don't know how to create them? In the pane on the right, right-click --> New --> String Value and change the name to .cgi. Then double-click the entry and enter the value data, that is, the key value mentioned above.)
To make this host support PHP, also add php and php3 mappings here, which makes things easy for newly created sites:
Add the key name ".php" and the key value "C:\php\php.exe %s"
Add the key name ".php3" and the key value "C:\php\php.exe %s"
It takes effect immediately after a restart. CGI support is done! After a new site is created, php and cgi support will be added by default in its application configuration (if you do not want to grant a site this permission, delete the mappings).
MySQL support
Download MySQL (you can download the latest version from www.mysql.com)
1. Decompress it and run setup.exe for a full installation. The default installation path is c:\mysql;
2. After the installation is complete, open "Run" from the "Start" button, enter the command C:\mysql\bin\mysqld-nt.exe --install, and execute it;
3. Start --> Programs --> Administrative Tools --> Services --> find mysql --> start it;
4. The MySQL installation is complete. Restart Win2000.
5. After the restart, open C:\mysql\bin\winmysqladmin.exe. When using it for the first time, you need to set the administrator user name and password. A small "traffic light" icon will appear in the system tray (it will be loaded automatically when the system starts from then on).
6. OK, MySQL support is done!
PHP support
Download PHP (you can download the latest version from www.php.com)
1. Decompress PHP 4.0.4 to c:\php;
2. Copy the php.ini-dist file from the php directory to the WinNT directory and rename it to php.ini (this is the PHP configuration file and can be used without any changes; I did not study it carefully);
3. Modify the content of the php.ini file as needed. To use the session function, create the c:\tmp directory and set the value of session.save_path in the ini file to the absolute path c:/tmp;
4. Copy the php4ts.dll file in the PHP directory to the WinNT\System32 directory;
5. Start "Internet Service Manager" (IIS) from the management tools in the Control Panel;
6. Open the site properties. On the "ISAPI Filters" tab, add a new filter, use "php" as the filter name, and enter php4isapi.dll with its path (c:\php\sapi\php4isapi.dll) in the executable file field.
7. On the "Documents" tab of the properties, check "Enable Default Document" and add "index.php";