Detailed description of Windows Server Security Settings (1)

The security of Windows has always been a matter of high concern, so security is more important for servers. How can our network administrator securely set Windows Server systems. Next, let's take a look at several aspects to bring security armor to your servers.

1) Basic System Security Settings

1. installation instructions: All the systems are NTFS formatted, the system is re-installed (with the original win2003), anti-virus software (Mcafee) is installed, anti-virus software is updated, and sp2 patch is installed, install IIS (only required components), SQL2000, and. net2.0: Enable the firewall. Add the server to the latest patch.

2) disable unnecessary services

Computer Browser: maintain and disable network Computer updates.

Distributed File System: allows you to manage shared files on a LAN. You do not need to disable this function.

Distributed linktracking client: used to update the connection information on the LAN. It does not need to be disabled.

Error reporting service: forbidden to send Error reports

Microsoft Serch: provides quick word search and does not need to be disabled.

NTLMSecuritysupportprovide: used by the telnet service and Microsoft Serch. It does not need to be disabled.

PrintSpooler: Disable it if no printer is available

Remote Registry: Disable Remote Registry Modification

Remote Desktop Help Session Manager: Disable Remote assistance to other services for verification

3) set and manage accounts

1. Disable and change the name and description of the Guest account, and enter a complicated password.

2. It is recommended that you create fewer system Administrator accounts, change the default Administrator Account Name and description, and use a combination of numbers, lowercase letters, and numbers to increase the password. The maximum length is 10 characters.

3. Create a new trap account named "Administrator", set the minimum permissions for it, and enter a password of no less than 20 characters in the combination.

4. Choose Computer Configuration> Windows Settings> Security Settings> Account Policy> account locking policy. Set the account to "three logon failures for 30 minutes ".

5. In Security Settings-local policy-security options, set "Last User Name Not Displayed" to enable

6. In "Security Settings"-"Local Policy"-"User Rights Assignment", "access to this computer from the network" will only retain the Internet Guest Account, start the IIS process account, and Aspnet account

7. Create a User account and run the system. Use the Runas command to run privileged commands.

4) Open the corresponding audit policy

Audit Policy Change: Successful

Audit Logon event: Successful, failed

Audit Object Access: Failed

Audit Object Tracking: Successful, failed

Audit Directory Service Access: Failed

Audit privilege usage: Failed

Audit System Events: Successful, failed

Audit Account Logon event: Successful, failed

Audit Account Management: Successful, failed

5). Other Security Settings

1. Do not share C $, D $, or ADMIN $ by default.

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServiceslanmanserverparameters, create a Dword Value in the window on the right, and set the name to AutoShareServer to 0

2. Unbind NetBios from TCP/IP protocol

Right-click Network Neighbor-properties-right-click Local Connection-properties-double-click Internet protocol-advanced-Wins-Disable NETBIOS on TCP/IP

3. hide important files/Directories

You can modify the Registry to achieve full hiding: "HKEY_LOCAL_MACHINESOFTWAREMicrosoftWindowsCurrent-VersionExplorerAdvancedFol derHi-ddenSHOWALL", right-click "CheckedValue", select modify, change the value from 1 to 0

4. Prevent SYN flood attacks

HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesTcpipParameters create a DWORD Value named SynAttackProtect and the value is 2