Create a secure personal Web server (Windows Server 2003, SQL Server 2000)

Source: Internet
Author: User
Tags: sql injection, microsoft baseline security analyzer
I. Installation of Windows Server 2003
1. Create at least two partitions and format them with NTFS.

2. Install the 2003 system with the network disconnected.

3. Install IIS with only the necessary components (disable unneeded FTP and SMTP services, for example).
By default the IIS service is not installed. In Add/Remove Windows Components, select Application Server and click Details.
Double-click Internet Information Services (IIS) and check the following options:
Internet Information Services Manager; Common Files; Background Intelligent Transfer Service (BITS) Server Extensions; World Wide Web Service.
If you run a Web site that uses FrontPage extensions, also check FrontPage 2002 Server Extensions.

4. Install MSSQL and the other required software, then apply updates.

5. Use the MBSA (Microsoft Baseline Security Analyzer) tool provided by Microsoft to analyze the computer's security configuration and identify missing patches and updates. Download address: (link not available on page)



II. Setting up and managing accounts
1. Create as few administrator accounts as possible, change the name and description of the default Administrator account, and give it a password that combines digits, upper- and lower-case letters and shifted symbol keys, preferably at least 14 characters long.

2. Create a trap account named Administrator, give it the minimum permissions, and set a random password of preferably at least 20 characters.

3. Disable the Guest account, change its name and description, and give it a complex password. There is also a DelGuest tool now that may be able to delete the Guest account, but I haven't tried it.

4. Run Gpedit.msc to open the Group Policy Editor and go to Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy. Set the account lockout threshold to 3 invalid logon attempts, the account lockout duration to 30 minutes, and "Reset account lockout counter after" to 30 minutes.

5. Under Security Settings - Local Policies - Security Options, set "Do not display last user name" to Enabled.

6. Under Security Settings - Local Policies - User Rights Assignment, in "Access this computer from the network" keep only the Internet Guest account and the account that starts the IIS process. If you use ASP.NET, also keep the ASPNET account.

7. Create an ordinary user account for day-to-day work on the system; when you need to run privileged commands, use the runas command.

III. Network service security management
1. Disable the default shares C$, D$, ADMIN$ and the like.
Open the registry, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and, in the right-hand pane, create a new DWORD value named AutoShareServer with value 0.

2. Remove the binding between NetBIOS and TCP/IP.
Right-click Network Neighborhood - Properties - right-click Local Area Connection - Properties - double-click Internet Protocol - Advanced - WINS - Disable NetBIOS over TCP/IP.

3. Turn off unneeded services. Recommended candidates:
Computer Browser: maintains the list of computers on the network; disable
Distributed File System: manages shared files on the LAN; disable if not needed
Distributed Link Tracking Client: updates link information on the LAN; disable if not needed
Error Reporting Service: disable to stop error reports being sent
Microsoft Search: provides fast full-text search; disable if not needed
NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable if not needed
Print Spooler: disable if there are no printers
Remote Registry: disable to prevent the registry from being modified remotely
Remote Desktop Help Session Manager: disable if Remote Assistance is not needed


IV. Enable an appropriate audit policy
Run Gpedit.msc to open the Group Policy Editor and go to Computer Configuration - Windows Settings - Security Settings - Audit Policy.
When you create audit entries, keep in mind that auditing too many items generates more events and makes serious events harder to find.
Of course, auditing too few items can keep you from discovering serious events, so you need to strike a balance depending on the situation.
The recommended items to audit are:
Audit logon events: success, failure
Audit account logon events: success, failure
Audit system events: success, failure
Audit policy change: success, failure
Audit object access: failure
Audit directory service access: failure
Audit privilege use: failure


V. Other security-related settings

1. Hide important files/directories
You can modify the registry to hide them completely: under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click CheckedValue, select Modify, and change the value from 1 to 0.

2. Enable the Internet Connection Firewall when the system starts, and check Web Server in the Settings - Services options.

3. Prevent SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named SynAttackProtect with value 2.

4. Do not respond to ICMP router advertisement messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
Create a new DWORD value named PerformRouterDiscovery with value 0.

5. Prevent ICMP redirect packet attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the EnableICMPRedirect value to 0.

6. Disable IGMP support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named IGMPLevel with value 0.
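The registry values from sections III.1 and V.3 to V.6 are easy to set once and then drift. The following PowerShell audit is an added example, not code from the original article; it assumes PowerShell is installed on the host (it is not part of Server 2003 by default) and reports any value that differs from the recommendation, treating a missing value as "not set" because the Windows default then applies.

```powershell
# Added audit script, not part of the original article. Reads the registry
# values recommended in sections III.1 and V.3 to V.6 and reports drift.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$checks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';
       Name = 'AutoShareServer'; Expected = 0 },                  # no C$, D$, ADMIN$ shares
    @{ Path = $tcpip; Name = 'SynAttackProtect';   Expected = 2 }, # SYN flood protection
    @{ Path = $tcpip; Name = 'EnableICMPRedirect'; Expected = 0 }, # ignore ICMP redirects
    @{ Path = $tcpip; Name = 'IGMPLevel';          Expected = 0 }  # IGMP off
)
# PerformRouterDiscovery is stored per interface, so add one check per interface key.
foreach ($iface in Get-ChildItem "$tcpip\Interfaces" -ErrorAction SilentlyContinue) {
    $checks += @{ Path = $iface.PSPath; Name = 'PerformRouterDiscovery'; Expected = 0 }
}

function Test-HardeningValue([hashtable]$Check) {
    # A missing value means the Windows default applies; report it as "not set".
    $key = Get-ItemProperty -Path $Check.Path -ErrorAction SilentlyContinue
    $actual = if ($key -ne $null -and $key.PSObject.Properties[$Check.Name]) {
        $key.($Check.Name)
    } else {
        'not set'
    }
    New-Object PSObject -Property @{
        Name     = $Check.Name
        Path     = $Check.Path -replace '^.*::', ''   # strip the provider prefix from PSPath
        Expected = $Check.Expected
        Actual   = $actual
        OK       = ($actual -eq $Check.Expected)
    }
}

$results = $checks | ForEach-Object { Test-HardeningValue $_ }
$results | Format-Table Name, Expected, Actual, OK -AutoSize
# Non-zero exit code if anything drifted, so the script can run from a scheduled task.
if ($results | Where-Object { -not $_.OK }) { exit 1 }
```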

7. Disable DCOM:
Run Dcomcnfg.exe, expand Component Services under Console Root, then open the Computers folder.
For the local computer, right-click My Computer and select Properties, then select the Default Properties tab.
Clear the "Enable Distributed COM on this computer" check box.

8. Rename cmd.exe in the System32\dllcache folder, then rename cmd.exe in the System32 folder.

9,


Note: for items 3-6 I am using the Server 2000 settings and have not tested whether they work on 2003. But one thing is for sure: I have used them for some time and found no other side effects.


VI. Configuring the IIS service:
1. Do not use the default Web site; if you do use it, keep the IIS directory on a disk separate from the system disk.

2. Delete the Inetpub directory that IIS creates by default (on the system disk).

3. Delete the virtual directories under the system disk, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, MSADC.

4. Remove unnecessary IIS extension mappings.
Right-click the default Web site → Properties → Home Directory → Configuration to open the application mappings window, and remove the mappings you do not need, mainly .shtml, .shtm and .stm.

5. Change the path of the IIS log
Right-click the default Web site → Properties → Web Site → click Properties under Enable Logging.

6. If you are using 2000, you can use IISLockdown to protect IIS; the IIS 6.0 that runs on 2003 does not need it.

7. Use URLScan
URLScan is an ISAPI filter that analyzes incoming HTTP requests and can reject any suspicious traffic. The current latest version is 2.5; on 2000 Server you need to install version 1.0 or 2.0 first. Download address: (link not available on page)

If you have no special requirements, the URLScan default configuration is fine.

But if you run ASP.NET programs on the server and want to debug them, open %windir%\system32\inetsrv\urlscan\urlscan.ini and add the DEBUG verb to the [AllowVerbs] section; note that this section is case-sensitive.

If your pages are .asp pages, delete the .asp-related entries from [DenyExtensions].

If your pages use non-ASCII characters, set AllowHighBitCharacters to 1 in the [Options] section.

After changing urlscan.ini, restart the IIS service for the changes to take effect: enter IISReset in Run.

If you have problems after configuration, you can remove URLScan via Add/Remove Programs.

8. Use the WIS (Web Injection Scanner) tool to scan the entire Web site for SQL injection vulnerabilities.
Download address: (link not available on page)


VII. Configuring SQL Server
1. The System Administrators role should preferably have no more than two members.

2. If SQL Server runs on the same machine, it is best to set authentication to Windows logins only.

3. Do not use the sa account; give it an extremely complex password.

4. Delete the following extended stored procedures.
The format is:
Use master
sp_dropextendedproc 'extended stored procedure name'

xp_cmdshell: the easiest way into the operating system; delete it

Stored procedures that access the registry; delete them:
xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
xp_regread xp_regremovemultistring xp_regwrite

OLE Automation stored procedures; delete them if not needed:
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop

5. Rename xplog70.dll so that xp_cmdshell cannot be restored.
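Dropping the procedures in item 4 by hand leaves no record of what was actually removed, so a check is worth keeping. This PowerShell script is an added example, not code from the original article; it assumes a local default instance reachable over Windows authentication (as item 2 recommends) and lists which of the extended stored procedures named above still exist in master.

```powershell
# Added verification script, not part of the original article. Connects to the
# local SQL Server instance with Windows authentication and reports which of the
# extended stored procedures listed in item 4 are still registered in master.
$procs = @(
    'xp_cmdshell',
    'xp_regaddmultistring', 'xp_regdeletekey', 'xp_regdeletevalue', 'xp_regenumvalues',
    'xp_regread', 'xp_regremovemultistring', 'xp_regwrite',
    'sp_OACreate', 'sp_OADestroy', 'sp_OAGetErrorInfo', 'sp_OAGetProperty',
    'sp_OAMethod', 'sp_OASetProperty', 'sp_OAStop'
)

function Get-RemainingExtendedProcs([string]$Server = '.', [string[]]$Names) {
    # xtype 'X' marks extended stored procedures in sysobjects (SQL Server 2000).
    # The names are constants from this script, so building the IN list is safe here.
    $list = ($Names | ForEach-Object { "'$_'" }) -join ','
    $sql  = "SELECT name FROM master..sysobjects WHERE xtype = 'X' AND name IN ($list)"
    $connStr = "Server=$Server;Database=master;Integrated Security=SSPI"
    $conn = New-Object System.Data.SqlClient.SqlConnection -ArgumentList $connStr
    $conn.Open()
    try {
        $cmd    = New-Object System.Data.SqlClient.SqlCommand -ArgumentList $sql, $conn
        $reader = $cmd.ExecuteReader()
        while ($reader.Read()) { $reader.GetString(0) }   # emit each remaining name
    } finally {
        $conn.Close()
    }
}

$remaining = @(Get-RemainingExtendedProcs -Names $procs)
if ($remaining.Count -eq 0) {
    Write-Host 'All listed extended stored procedures have been dropped.'
} else {
    Write-Host 'Still present in master (drop with sp_dropextendedproc if not needed):'
    $remaining | ForEach-Object { Write-Host "  $_" }
}
```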

6. Hide SQL Server and change the default port 1433
Select the instance - Properties - General - Network Configuration, then open the properties of the TCP/IP protocol. Choose to hide the SQL Server instance and change the default port 1433.


VIII. If the machine is only a server and does nothing else, use IPSec
1. Administrative Tools - Local Security Policy - right-click IP Security Policies - Manage IP filter lists and filter actions. On the Manage IP Filter Lists tab click Add, set the name to Web Filter, click Add, enter Web server in the description, set the source address to Any IP Address and the destination address to My IP Address, set the protocol type to TCP, set the IP protocol port to From any port and To this port 80, click Finish, then click OK.

2. Again on the Manage IP Filter Lists tab, click Add, set the name to All Inbound Filters, click Add, enter All inbound filters in the description, set the source address to Any IP Address and the destination address to My IP Address, set the protocol type to Any, click Next, Finish, then OK.

3. On the Manage Filter Actions tab click Add - Next - enter Block as the name - Next - select Block - Next - Finish, then close the Manage IP filter lists and filter actions window.

4. Right-click IP Security Policies - Create IP Security Policy - Next - enter Packet Filter as the name - Next - clear "Activate the default response rule" - Next - Finish.

5. In the properties window of the new IP security policy, click Add - Next - This rule does not specify a tunnel - Next - All network connections - Next - select the new Web Filter in the IP filter list - Next - select Permit in the filter action - Next - Finish. Then click Add again - select the new All Inbound Filters in the IP filter list - Next - select Block in the filter action - Next - Finish - OK.

6. In the right-hand pane of IP Security Policies, right-click the new Packet Filter policy and click Assign. No reboot is needed; IPSec takes effect immediately.
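The six GUI steps above can also be expressed as a script, which is easier to review and to repeat on a rebuilt server. This is an added example, not part of the original article; it assumes the netsh ipsec static context that ships with Server 2003 (absent on XP) and uses names without spaces so the commands need no extra quoting. Run it from the console: the catch-all block filter also stops remote administration and the server's own outbound connections (DNS, updates), exactly as the GUI policy does.

```powershell
# Added example, not part of the original article: the policy from steps 1 to 6
# built with the netsh ipsec static context of Windows Server 2003.
$policy = 'PacketFilter'

# Step 1: filter list matching TCP traffic to this host on port 80 (srcport=0 means any)
netsh ipsec static add filterlist name=WebFilter description=WebServer
netsh ipsec static add filter filterlist=WebFilter srcaddr=any dstaddr=me protocol=TCP srcport=0 dstport=80

# Step 2: filter list matching everything else addressed to this host
netsh ipsec static add filterlist name=AllInboundFilters description=AllInbound
netsh ipsec static add filter filterlist=AllInboundFilters srcaddr=any dstaddr=me protocol=any

# Step 3: a Block action, plus an explicit Permit action for the Web rule
netsh ipsec static add filteraction name=Block action=block
netsh ipsec static add filteraction name=PermitWeb action=permit

# Step 4: the policy itself, created unassigned and without the default response rule
netsh ipsec static add policy name=$policy description=WebServerOnly activatedefaultrule=no assign=no

# Step 5: permit port 80, block the rest. IPSec applies the most specific matching
# filter, so the TCP/80 permit wins over the protocol=any block.
netsh ipsec static add rule name=AllowWeb policy=$policy filterlist=WebFilter filteraction=PermitWeb
netsh ipsec static add rule name=BlockRest policy=$policy filterlist=AllInboundFilters filteraction=Block

# Step 6: assign the policy; no reboot is needed. Show it so the result can be checked.
netsh ipsec static set policy name=$policy assign=yes
netsh ipsec static show policy name=$policy
```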


IX. Recommendations
If you follow this article, it is recommended that you test the server after every change you make, so that if a problem appears you can undo the change immediately. If you change many items and only then discover a problem, it is hard to determine which step caused it.

X. Record the running programs and open ports
1. Take a screenshot or written record of the processes currently running on the server and save it, so you can later check for unknown programs.
2. Take a screenshot or written record of the currently open ports and save it, so you can later check whether unknown ports have been opened.
Of course, if you can identify each process and port, this step can be omitted.
