Configure IIS server security for anti-Trojan permission settings in win2003

Source: Internet
Author: User
Tags: anonymous, net command, net send, port number, server port

I. System installation
1. Install the system following the Windows 2003 prompts; IIS 6.0 is not part of the default installation.
2. Installing IIS 6.0
Start menu -> Control Panel -> Add or Remove Programs -> Add/Remove Windows Components
Application Server --- ASP.NET (optional)
| -- Enable network COM+ access (required)
| -- Internet Information Services (IIS) --- Internet Information Services Manager (required)
| -- Common Files (required)
| -- World Wide Web Service --- Active Server Pages (required)
| -- Internet Data Connector (optional)
| -- WebDAV Publishing (optional)
| -- World Wide Web Service (required)
| -- Server Side Includes (optional)
Then click OK -> Next to install. (For details, see Appendix 1.)

3. System patch updates
Choose Start> All Programs> Windows Update.
Install patches as prompted.

4. Backup system
Use GHOST to back up the system.

5. Install common software
For example, anti-virus software and archive (decompression) software. After installation, configure the anti-virus software and scan the system for vulnerabilities, then use GHOST to back up the system again.

6. Disable unnecessary ports first; enable the firewall and import IPSec policies
In "Network Connections", remove unnecessary protocols and services. Here only the basic Internet protocol (TCP/IP) is installed, plus the QoS Packet Scheduler if bandwidth control is needed. In the advanced TCP/IP settings, under the WINS tab, select "Disable NetBIOS over TCP/IP". On the Advanced tab, enable "Internet Connection Firewall", the firewall built into Windows 2003 (not available in Windows 2000). Although it has few features, it can block ports, which largely achieves what an IPSec policy would do here.

Change the remote connection port 3389
Modify the registry:
Start -> Run -> regedit
Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
Terminal Server\Wds\rdpwd\Tds\tcp
In the right pane, change PortNumber to the port number you want to use, in decimal (for example, 10000).

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\
WinStations\RDP-Tcp
In the right pane, change PortNumber to the same port number, in decimal (for example, 10000).
Note: do not forget to open port 10000 in the Windows Firewall.
Once the change is complete, restart the server for the setting to take effect.
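As an added example (not code from the original article), the following batch file performs the two registry edits and the firewall step above and checks the result before you reboot. It assumes an elevated cmd.exe on Windows Server 2003 SP1 or later, which provides the netsh firewall context; 10000 is the article's sample port.

```batch
@echo off
rem Added example, not from the original article: move RDP from 3389 to
rem 10000 by writing both PortNumber values, open the new port in the
rem Windows Firewall, and verify before rebooting.
rem Assumes an elevated cmd.exe on Windows Server 2003 SP1 or later
rem (netsh firewall). NEWPORT is the article's sample value.
setlocal
set NEWPORT=10000
set "TDS=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp"
set "RDPTCP=HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp"

rem PortNumber is REG_DWORD; /d takes the decimal value, /f overwrites.
reg add "%TDS%" /v PortNumber /t REG_DWORD /d %NEWPORT% /f >nul || goto :fail
reg add "%RDPTCP%" /v PortNumber /t REG_DWORD /d %NEWPORT% /f >nul || goto :fail

rem Open the new port before the reboot, or the next RDP session is locked out.
netsh firewall add portopening protocol=TCP port=%NEWPORT% name="RDP %NEWPORT%" mode=ENABLE || goto :fail

rem reg query prints DWORDs in hex; 10000 decimal is 0x2710.
reg query "%RDPTCP%" /v PortNumber | find /i "0x2710" >nul || goto :fail
echo PortNumber set to %NEWPORT% in both keys. Reboot, then connect to host:%NEWPORT%.
endlocal
exit /b 0

:fail
echo A step failed. Check the two keys and the firewall rule before rebooting. >&2
endlocal
exit /b 1
```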

II. User security settings
1. Disable the Guest account
Disable the Guest account under Computer Management -> Users. To be safe, also give Guest a complicated password: open Notepad, type a long string containing special characters, digits and letters, and paste it in as the Guest password.
2. Remove unnecessary users
Remove all duplicate users, test users and shared users. Set the corresponding permissions through the user group policy, check the system's users regularly, and delete those no longer in use. These users are often the point of entry for intruders.
3. Rename the Administrator account
As everyone knows, the Administrator user of Windows 2003 cannot be disabled, which means others can try its password over and over again. Try to disguise it as an ordinary user, for example by renaming it to Guesycludx.
4. Create a trap user
What is a trap user? Create a local user named "Administrator", give it the lowest permissions, and set a very complex password of more than 10 characters. That keeps attackers busy for a while and makes their intrusion attempts easier to discover.
5. Change shared-file permissions from the Everyone group to authorized users
Never set the users of shared files to the "Everyone" group, including printer shares. The default is the "Everyone" group, so do not forget to change it.
6. Enable the account lockout policy
Use the account lockout policy to set "Reset account lockout counter after" to 20 minutes, "Account lockout duration" to 20 minutes, and "Account lockout threshold" to 3 invalid logon attempts. (Optional)
7. Do not let the system display the name of the last logged-on user
By default, the logon dialog shows the user name of the last logon, which makes it easy for others to obtain some of the system's user names and then guess the passwords. Modify the registry so the last user name is not displayed: open the registry editor, find HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName, and set this REG_SZ value to 1.
Password security settings
1. Use a secure password
Some company administrators use the company name or computer name as the user name when creating accounts, and then give these users passwords that are far too simple, such as "welcome". So pay attention to password complexity, and remember to change passwords regularly.
2. Set a screen saver password
This is a simple but necessary step. A screen saver password is also a barrier against internal personnel damaging the server.
3. Enable the password policy
Apply the password policy: for example, enable password complexity requirements, set the minimum password length to 6 characters, enforce a password history of 5 passwords, and set the maximum password age to 42 days.
4. Consider using smart cards instead of passwords
Passwords always put the security administrator in a dilemma: simple passwords are easy for attackers to crack, and complex passwords are easy to forget. If conditions permit, replacing complex passwords with smart cards is a good solution.
III. System permission settings
1. Disk permissions
For the system disk and all other disks, grant Full Control only to the Administrators group and SYSTEM.
For the system disk's Documents and Settings directory, grant Full Control only to the Administrators group and SYSTEM.
For the system disk's Documents and Settings\All Users directory, grant Full Control only to the Administrators group and SYSTEM.
For netstat.exe, regedit.exe, at.exe, attrib.exe, format.com and similar files, grant Full Control only to the Administrators group and SYSTEM.
In addition, move the relevant executables in %systemroot%\system32 (such as format.com and ftp.exe) to another directory, or rename them.
All directories under Documents and Settings are set to grant permissions only to Administrators. Check every subdirectory one by one.
Delete the c:\inetpub directory.

2. Local security policy settings
Choose Start > Administrative Tools > Local Security Policy
A. Local Policies --> Audit Policy
Audit policy change: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Failure

B. Local Policies --> User Rights Assignment
Shut down the system: only the Administrators group; remove all others.
Allow logon through Terminal Services: only the Administrators and Remote Desktop Users groups; remove all others.

C. Local Policies --> Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: remove all entries
Network access: Named Pipes that can be accessed anonymously: remove all entries
Network access: Remotely accessible registry paths: remove all entries
Network access: Remotely accessible registry paths and sub-paths: remove all entries
Accounts: Rename guest account: rename it
Accounts: Rename administrator account: rename it

3. Disable unnecessary services (Start -> Run -> services.msc)
TCP/IP NetBIOS Helper: supports NetBIOS over TCP/IP and NetBIOS name resolution for clients on the network, so that users can share files, print and log on to the network.
Server: allows this computer to share files, printers and named pipes over the network.
Computer Browser: maintains an up-to-date list of computers on the network and provides this list.
Task Scheduler: allows programs to run at a specified time.
Messenger: transmits net send and Alerter service messages between clients and servers.
Distributed File System: manages shared files on a LAN; disable it if not needed.
Distributed Link Tracking Client: updates link information on the LAN; disable it if not needed.
Error Reporting Service: disable it so that error reports are not sent.
Microsoft Search: provides fast word search; disable it if not needed.
NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable it if not needed.
Print Spooler: disable it if there is no printer.
Remote Registry: disable it to prevent remote registry modification.
Remote Desktop Help Session Manager: disable it to turn off Remote Assistance.
Workstation: once disabled, a remote NET command can no longer list the user groups.
The services above start by default on Windows Server 2003 and are disabled here. Do not enable services that are disabled by default unless they are needed.
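An added example (not from the original article) that applies the service changes above with sc.exe instead of clicking through services.msc. It assumes an elevated cmd.exe on Windows Server 2003 and uses the services' short names; Server and Workstation are deliberately left out of the default list, and Microsoft Search is omitted because it is not part of a default 2003 installation.

```batch
@echo off
rem Added example, not from the original article: set the services listed
rem above to Disabled with sc.exe, stop any that are running, then show
rem the resulting start type. Names are the Windows Server 2003 short
rem service names. Server (lanmanserver) and Workstation
rem (lanmanworkstation) are not in the list: disabling them breaks file
rem sharing, administrative shares and domain membership, so add them
rem only on purpose. Assumes an elevated cmd.exe.
setlocal
set SERVICES=LmHosts Browser Schedule Messenger Dfs TrkWks ERSvc NtLmSsp Spooler RemoteRegistry RDSessMgr

for %%S in (%SERVICES%) do (
  rem sc requires the space after "start=".
  sc config %%S start= disabled >nul
  sc stop %%S >nul 2>&1
)

echo Start types after the change, expect START_TYPE : 4 DISABLED for each:
for %%S in (%SERVICES%) do (
  echo --- %%S
  sc qc %%S | find "START_TYPE"
)
endlocal
```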

IV. Modify the registry
Modify the registry to make the system more robust.
1. Hide important files and directories by modifying the registry
Open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click "CheckedValue", choose Modify, and change the value from 1 to 0.

2. Prevent SYN flood attacks

The code is as follows:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a DWORD value named SynAttackProtect with the value 2.
Create EnablePMTUDiscovery REG_DWORD 0
Create NoNameReleaseOnDemand REG_DWORD 1
Create EnableDeadGWDetect REG_DWORD 0
Create KeepAliveTime REG_DWORD 300000
Create PerformRouterDiscovery REG_DWORD 0
Create EnableICMPRedirects REG_DWORD 0

3. Disable responses to ICMP router advertisement packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
Create a DWORD value named PerformRouterDiscovery and set it to 0.

4. Prevent ICMP redirect attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set EnableICMPRedirects to 0

5. Disable IGMP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a DWORD value named IGMPLevel with the value 0
6. Disable null IPC$ connections
Crackers can use the net use command to establish a null session and then intrude further; net view and nbtstat also rely on null sessions. It is wise to disable them.
Change HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1.

7. Change the TTL value
Crackers can roughly guess your operating system from the TTL value returned by ping, for example:

The code is as follows:
TTL = 107 (WINNT);
TTL = 108 (win2000);
TTL = 127 or 128 (win9x);
TTL = 240 or 241 (linux);
TTL = 252 (solaris);
TTL = 240 (Irix);

You can change it yourself: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, set DefaultTTL (REG_DWORD, range 0-0xff, i.e. 0-255 decimal, default 128) to an unexpected number such as 258. At the least it will confuse a novice for a while, and they may even give up the intrusion.

8. Delete default shares
Someone asked me why all their disks were shared at startup, and why, after they removed the shares and restarted, the shares came back. These are the default administrative shares of Windows 2000. Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, set AutoShareServer (REG_DWORD) to 0.

9. Do not allow null sessions
By default, any user can connect to the server through a null session, then enumerate accounts and guess passwords. We can disable null sessions by modifying the registry:
Change the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1.

10. Open Notepad, enter the following code, save it as *.bat and add it to the Startup folder

The code is as follows:
rem Remove the default administrative shares at each startup
net share c$ /delete
net share d$ /delete
net share e$ /delete
net share f$ /delete
net share ipc$ /delete
net share admin$ /delete
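As an added example (not code from the original article), this batch file applies the registry values from items 2 to 6 and 8 to 10 above with reg add, including the per-interface value of item 3, removes the default shares and checks the result. It assumes an elevated cmd.exe on Windows Server 2003 and a reboot afterwards, since the Tcpip parameters are read at startup.

```batch
@echo off
rem Added example, not from the original article: applies the registry
rem values of items 2 to 6 and 8 to 10 with reg add, removes the default
rem shares and checks the result. Assumes an elevated cmd.exe on Windows
rem Server 2003; reboot afterwards, the Tcpip values are read at startup.
rem The values are the ones the article lists.
setlocal
set "TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
set "LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa"
set "LANMAN=HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"

rem Item 2: SYN flood protection and related stack settings (decimal /d).
reg add "%TCPIP%" /v SynAttackProtect /t REG_DWORD /d 2 /f >nul
reg add "%TCPIP%" /v EnablePMTUDiscovery /t REG_DWORD /d 0 /f >nul
reg add "%TCPIP%" /v NoNameReleaseOnDemand /t REG_DWORD /d 1 /f >nul
reg add "%TCPIP%" /v EnableDeadGWDetect /t REG_DWORD /d 0 /f >nul
reg add "%TCPIP%" /v KeepAliveTime /t REG_DWORD /d 300000 /f >nul
reg add "%TCPIP%" /v PerformRouterDiscovery /t REG_DWORD /d 0 /f >nul
rem Items 4 and 5: ignore ICMP redirects, turn off IGMP.
reg add "%TCPIP%" /v EnableICMPRedirects /t REG_DWORD /d 0 /f >nul
reg add "%TCPIP%" /v IGMPLevel /t REG_DWORD /d 0 /f >nul
rem Item 3: the same value under every Interfaces\{GUID} subkey; reg query
rem lists each subkey as a full key path, the find drops the parent key.
for /f "delims=" %%I in ('reg query "%TCPIP%\Interfaces" ^| find "\Interfaces\"') do reg add "%%I" /v PerformRouterDiscovery /t REG_DWORD /d 0 /f >nul
rem Items 6 and 9: refuse null-session enumeration.
reg add "%LSA%" /v RestrictAnonymous /t REG_DWORD /d 1 /f >nul
rem Item 8: stop the Server service recreating the admin shares at boot.
reg add "%LANMAN%" /v AutoShareServer /t REG_DWORD /d 0 /f >nul
rem Item 10: drop the shares that exist right now (errors for absent
rem shares are silenced). IPC$ is recreated whenever the Server service
rem starts, so it reappears after a reboot regardless of AutoShareServer.
for %%S in (c$ d$ e$ f$ admin$ ipc$) do net share %%S /delete >nul 2>&1

rem Verify the two settings an intruder would probe first.
reg query "%LSA%" /v RestrictAnonymous | find "0x1" >nul || echo WARNING: RestrictAnonymous is not 1 >&2
net share | find "$" >nul && echo WARNING: administrative shares still present, see the IPC$ note above >&2
endlocal
```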

V. IIS site settings
1. Keep the IIS directories and data off the system disk, on a dedicated partition.
2. Enable parent paths
3. Delete unnecessary application mappings in IIS Manager (keep only the necessary ones, such as .asp)
4. Redirect the HTTP 404 Object Not Found error page in IIS to a custom .htm file via URL
5. Web site permission settings (recommended)
Read: allowed
Write: not allowed
Script source access: not allowed
Directory browsing: disabled
Log visits: disabled
Index this resource: disabled
Execute permissions: "Scripts only" is recommended
6. Use the W3C Extended Log File Format with a new log file every day, recording the client IP address, user name, server port, method, URI stem, HTTP status and user agent. (Do not use the default directory: change the log path, and set the log directory's permissions so that only Administrators and SYSTEM have Full Control.)
7. Program security:
1) Programs involving user names and passwords should be encapsulated on the server side and appear in as few ASP files as possible; the account used to connect to the database should be granted the minimum permissions.
2) For an ASP page that requires verification, track the file name of the previous page: only sessions coming from the previous page may read this page.
3) Prevent leakage of ASP .inc include files.
4) Prevent leakage of .asp.bak files generated by editors such as UE.

VI. How to set IIS permissions
- Create a system user for each independent entity (such as a web site or a virtual directory), so that the site has a unique identity whose permissions can be set in the system.
- In IIS, open the site or virtual directory Properties → Directory Security → Anonymous access and authentication control → Edit → Anonymous access → Edit, and enter the user name you just created.
- Deny this user access on all partitions, and on the folder that is the site's home directory allow access for this user (remove the permissions inherited from the parent, and add the Administrators group and SYSTEM).

VII. Uninstall the most insecure components
The simplest way is to unregister and delete the corresponding program files directly. Save the following as a .bat file (this example uses Windows 2000; on 2003 the system folder is C:\WINDOWS):

The code is as follows:
rem WScript.Shell and WScript.Network are provided by wshom.ocx
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
rem Shell.Application is provided by shell32.dll, which is also the core
rem Windows shell library and is protected by Windows File Protection, so
rem the del normally fails (see the note below)
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll

This covers WScript.Shell, Shell.Application and WScript.Network. You may be told that a file cannot be deleted; do not worry about it. Restart the server and you will find that a component check reports all three as unavailable ("× safe").
