Configure Win2000 Server for security

Source: Internet
Author: User
Tags: account, security, domain, server
Win2000 Server is currently one of the most popular server operating systems, but securely configuring Microsoft's operating system is not easy. This article is a preliminary discussion of the security configuration of Win2000 Server.

I. Customize your own Win2000 Server:

1. Choose a version: Win2000 comes in many language versions. For us the choice is between the English version and the Simplified Chinese version. I strongly recommend the English version if language is not an obstacle. As you know, Microsoft products are famous for their bugs and patches; the Chinese version has more bugs than the English one, and its patches usually arrive at least half a month later (that is, after Microsoft announces a vulnerability, your machine stays unprotected for half a month).
2. Component customization: Win2000 installs a set of common components by default, and this default installation is extremely dangerous (Mitnick said he could get into any server with a default installation; I would not dare to go that far, but if your host is a default Win2000 Server installation, I can tell you that you are dead). You should know exactly which services you need, and install only those you actually use. By the security principle, minimum services + minimum privileges = maximum security. The minimum components for a typical web server are the IIS common files, the IIS snap-in, and the WWW Server component. If you really do need other components, be careful, especially with the dangerous ones: Indexing Service, FrontPage 2000 Server Extensions, and Internet Service Manager (HTML).
3. Choice of management software: choosing good remote management software is very important, both for security and for the application itself. Win2000 Terminal Services is remote control software based on RDP (Remote Desktop Protocol); it is fast and easy to use and well suited to routine operations. But Terminal Services has its drawbacks: because it uses a virtual desktop and Microsoft's programming is not rigorous, operations that interact with the real desktop, such as installing software or restarting the server through Terminal Services, often produce surprises. For example, restarting a Microsoft-certified server (a Compaq, say) through Terminal Services may simply shut it down. For safety, we therefore recommend a second remote control tool to complement Terminal Services; PCAnywhere is a good choice.

II. Install Win2000 Server correctly:

1. Partitions and logical disk allocation: to save trouble, some friends divide the hard disk into a single logical drive and install all the software on drive C. This is very bad. We recommend at least two partitions, one system partition and one application partition, because Microsoft's IIS regularly has source-disclosure and overflow vulnerabilities; if the system and IIS sit on the same drive, system files may leak, and an intruder may even obtain administrator rights remotely. The recommended secure layout is three logical drives: the first, larger than 2 GB, holds the system and important log files; the second holds IIS; the third holds FTP. That way, whichever of IIS or FTP turns out to have a security hole, the system directory and system files are not directly affected. Remember that IIS and FTP are externally facing services and prone to problems. The main purpose of separating IIS from FTP is to prevent an intruder from uploading a program via FTP and running it via IIS. (This may annoy program developers and editors, but you are the administrator.)
2. Installation sequence: do you think the order does not matter, and you just need to get it installed? Wrong! There are a few points in the Win2000 installation sequence. First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the administrator password, the system has already created the ADMIN$ share, but it does not protect it with the password you just entered; this lasts until the next reboot, and during that time anyone can access your machine through ADMIN$. Also, as soon as installation completes, the various services start automatically, and the server is open to access while still vulnerable. So do not connect the host to the network until Win2000 Server is fully installed and configured. Second, patch installation: install patches after all applications are installed, because patches often need to replace or modify system files, and a patch installed before the application may not work properly. For instance, the IIS hotfix has to be reapplied every time you change the IIS configuration (strange, isn't it?).

III. Security configuration of Win2000 Server:

Even if the Win2000 Server is correctly installed, the system still has many vulnerabilities and requires further configuration.
1. Ports: a port is the logical interface between a computer and the external network, and the computer's first line of defense. Whether ports are configured correctly directly affects host security. In general, opening only the ports you need is safest. To configure this, enable TCP/IP filtering under NIC properties > TCP/IP > Advanced > Options > TCP/IP filtering. Win2000 port filtering has an annoying property, however: you can only specify which ports to open, not which to close, which is painful for users who need to open a large number of ports.

2. IIS: IIS is one of Microsoft's most vulnerable components, averaging a new vulnerability every two or three months, and its default installation is nothing to be proud of, so IIS configuration is our focus. Now everyone follow along: first, delete the inetpub directory on drive C entirely, create an inetpub on drive D (if you are uneasy about using the default directory name you can rename it, but remember what you called it), and in the IIS manager point the home directory to D:\inetpub. Second, delete the scripts and other virtual directories created by the default IIS installation (the root of all evil; remember http://www.target.com/scripts/..%c1%1c../winnt/system32/cmd.exe? Even though we have moved inetpub off the system drive, we should still be careful). If you need a directory with particular permissions, create it yourself and grant exactly the permissions needed (pay special attention to write and execute permissions; do not grant them unless absolutely necessary).

3. Application configuration: in the IIS manager, delete unnecessary application mappings. Keep only ASP, ASA, and whatever other file types you actually need, for example shtml if you use server-side includes; in fact 90% of hosts need only the first two. Almost every other mapping has a sad story behind it: .htw, .htr, .idq, .ida ...... Want to hear those stories? Look at past vulnerability lists. What, where do you delete them? In the IIS manager: right-click the host > Properties > WWW Service > Edit > Home Directory > Configuration > App Mappings, and delete them one by one (there is no multi-select). Then, on the App Debugging tab of the same window, change the script error message to send a text message (unless you want visitors to learn your program, network and database structure whenever an ASP error occurs). What text should the error message carry? Whatever you like; write it yourself. When you click OK to leave, do not forget to let the virtual sites inherit the properties you just set.

To deal with the ever-increasing number of CGI vulnerability scanners, you can also try the following trick: in IIS, redirect the HTTP 404 Object Not Found error page to a custom HTM file via URL. This makes most CGI vulnerability scanners malfunction. The reason is simple: to keep their code simple, most CGI scanners judge by the HTTP status code of the response, and with this setting every probe returns HTTP 200 whether the hole exists or not, so 90% of CGI scanners will report that you have every vulnerability in the book. The result buries your real vulnerabilities and confuses the intruder. (Martial-arts novels often say that being covered in openings is itself impeccable; hard to say whether this is that realm.) Personally, though, I still think doing proper security settings matters more than tricks like this.

Finally, use the IIS backup function to back up everything you have just configured, so that the IIS security configuration can be restored at any time. And if you worry that IIS load might bring the server down at full load, you can also enable the CPU limit under Performance, for example capping IIS at 70% of CPU.

4. Account security: Win2000 account security is another focus. First, a default Win2000 installation lets any user obtain the list of all accounts and shares on the system through a null session. This was originally meant to make file sharing convenient for LAN users, but a remote user can obtain your user list the same way and then brute-force the passwords. Many of you know that null connections over port 139 can be disabled by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1. In fact, Win2000's Local Security Policy (on a domain server, the Domain Controller Security Policy and Domain Security Policy) exposes this as "Additional restrictions for anonymous connections" (RestrictAnonymous), which has three values:
0: None. Rely on default permissions
1: Do not allow enumeration of SAM accounts and shares
2: No access without explicit anonymous permissions
Value 0 is the default and imposes no restrictions: a remote user can learn all the accounts, groups, shared directories, and network transports (NetServerTransportEnum) on your machine, which is very dangerous for a server.
Value 1 allows only non-null users to read SAM account and share information.
Value 2 is supported only on Win2000. Note that with this value your shares will most likely all stop working, so it is recommended to set 1. Now the intruder can no longer get our user list, and our accounts are secure ...... Wait. There is still one account whose password can be guessed: the system's built-in Administrator. What to do? In Computer Management > Users, right-click Administrator and rename it; call it whatever you want, just remember it. What? I already renamed it, so why is someone still guessing my administrator password? Luckily my password is long enough, but that is no solution, is it? Well, it must have been read from the local or Terminal Services logon screen. Okay, let's set the string value DontDisplayLastUserName under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon to 1, so the system no longer shows the name of the last user to log on, and the user name used at the console stays hidden. (Wow, the world is quiet.)

5. Security log: I once ran into a situation where a host had been broken into and the system administrator asked me to trace the culprit. I logged in and found the security log empty. Remember: a default Win2000 installation enables no security auditing at all! Go to Local Security Policy > Audit Policy and turn on the appropriate auditing. Recommended audit settings:
Audit account management: failure
Audit logon events: success, failure
Audit object access: failure
Audit policy change: failure
Audit privilege use: failure
Audit system events: success, failure
Audit directory service access: failure
Audit account logon events: failure
The drawback of auditing is that if nobody looks at the records, they make no difference at all. Too many audit items not only consume system resources but leave you no time to read them, and the point of auditing is lost.

Related settings:
Under Account Policies > Password Policy, set:
Passwords must meet complexity requirements: enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 30 days
Under Account Policies > Account Lockout Policy, set:
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 20 minutes
Reset account lockout counter after: 20 minutes

Likewise, the Terminal Services security log is disabled by default. Configure security auditing in Terminal Services Configuration > Permissions > Advanced; usually you only need to record logon and logoff events.
6. Directory and file permissions: to control what users can do on the server and guard against future intrusions and overflows, we must also carefully set access permissions on directories and files. NT access permissions include Read, Write, Read and Execute, Modify, List Folder Contents, and Full Control. By default, most folders are fully open to all users (the Everyone group); reset permissions according to the application's needs.
When setting permissions, remember the following principles:
1> Permissions are cumulative: if a user belongs to two groups at once, the user has all the permissions granted to either group;
2> Deny takes precedence over Allow (deny rules are evaluated first): if a user belongs to a group that is denied access to a resource, no other permissions granted to him matter, he cannot access it. So use Deny with caution; an ill-placed Deny can leave the system unable to run;
3> File permissions take precedence over folder permissions (does this really need explaining?);
4> Controlling permissions through user groups is a good habit of a mature system administrator;
5> Grant users only the permissions they really need. The principle of least privilege is an important guarantee of security;

7. DoS prevention:
Setting the following values under HKLM\System\CurrentControlSet\Services\Tcpip\Parameters in the registry helps you resist DoS attacks of a certain intensity.
SynAttackProtect REG_DWORD 2
EnablePMTUDiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300,000
PerformRouterDiscovery REG_DWORD 0
EnableICMPRedirects REG_DWORD 0
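As an added example that is not part of the original article, the following Python script checks a host against the RestrictAnonymous and DontDisplayLastUserName values from section 4 and the Tcpip\Parameters values just listed. It reads the live registry only on Windows (through the standard winreg module); elsewhere it falls back to a constructed snapshot of an unhardened install, so the comparison logic can be exercised anywhere. The sample snapshot values are constructed; the recommended values are the article's.

```python
"""Added example, not from the article: audit a Win2000 host's registry against the
RestrictAnonymous, DontDisplayLastUserName and Tcpip\\Parameters values it
recommends. Reads the live registry on Windows; elsewhere uses a constructed snapshot."""
import sys
LSA = r"SYSTEM\CurrentControlSet\Control\Lsa"
WINLOGON = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon"
TCPIP = r"SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
RECOMMENDED = {  # (key under HKLM, value name) -> value the article recommends
    (LSA, "RestrictAnonymous"): 1,
    (WINLOGON, "DontDisplayLastUserName"): "1",  # REG_SZ on Win2000
    (TCPIP, "SynAttackProtect"): 2, (TCPIP, "EnablePMTUDiscovery"): 0,
    (TCPIP, "NoNameReleaseOnDemand"): 1, (TCPIP, "EnableDeadGWDetect"): 0,
    (TCPIP, "KeepAliveTime"): 300000,  # milliseconds
    (TCPIP, "PerformRouterDiscovery"): 0, (TCPIP, "EnableICMPRedirects"): 0,
}

def audit(observed):
    """Return (name, observed, recommended, verdict) for every deviating value.
    observed maps (key, name) -> value, or None if absent (Windows default in effect)."""
    findings = []
    for (key, name), want in RECOMMENDED.items():
        got = observed.get((key, name))
        if got is not None and str(got) == str(want):  # tolerate REG_SZ vs DWORD
            continue
        if name == "RestrictAnonymous" and got == 2:  # the article warns about 2
            verdict = "stricter than recommended; may break file shares"
        else:
            verdict = "absent, insecure default in effect" if got is None else "differs"
        findings.append((name, got, want, verdict))
    return findings

def read_registry():
    """Snapshot the audited values from the live registry (Windows only)."""
    import winreg
    snap = {}
    for key, name in RECOMMENDED:
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, key) as k:
                snap[(key, name)] = winreg.QueryValueEx(k, name)[0]
        except OSError:  # key or value missing
            snap[(key, name)] = None
    return snap

SAMPLE_DEFAULT_INSTALL = {  # constructed snapshot of a default, unhardened install
    (WINLOGON, "DontDisplayLastUserName"): "0", (TCPIP, "SynAttackProtect"): 0,
    (TCPIP, "KeepAliveTime"): 7200000}  # Windows default keep-alive: 2 hours
if __name__ == "__main__":
    snap = read_registry() if sys.platform == "win32" else SAMPLE_DEFAULT_INSTALL
    for finding in audit(snap):
        print("%s: observed %r, recommended %r (%s)" % finding)
```

Run it once before and once after applying the registry changes; an empty report means every value listed matches the article's recommendation.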

ICMP attacks: ICMP floods and fragmentation attacks are another headache for NT hosts, but they are actually easy to deal with. Win2000 ships with the Routing and Remote Access tool, a prototype router of sorts (does Microsoft really do everything? I hear a firewall is coming next). In this tool we can easily define inbound and outbound packet filters; for example, set inbound ICMP code 255 to drop, and all incoming ICMP packets are discarded (drop, drop, drop).

IV. Notes:

In fact, security and applications conflict in many ways, so you have to find a balance between them. After all, the server exists to serve users, not to be opened up to hackers; a security principle that gets in the way of the application is not a good principle. Network security is a systems undertaking with a span in space and a span in time. Many of my friends (including some system administrators) believe that a host configured for security is secure. That is a misunderstanding: we can only say a host is secure for a certain period of time. As the network structure changes, new vulnerabilities are discovered, and administrators and users operate the machine, the security state of a host changes all the time. Only by carrying security awareness and a security regime through the whole process can it be maintained.
