[Experience] Windows 2000 + IIS + SQL Server 200 Security Settings

Windows 2000 Server Security Settings

Security settings should be applied to all applicationsProgramAfter the installation is complete and running properly, it must be performed before the access network (LAN and Internet.

Operating system security settings include permission settings for the disk directory and system files, system running service settings, and Local Security Policy configuration.

Disable the following services:

Alerter notifies the selected user and computer about system management-level alarms.
Application Management provides software installation services, such as dispatch, release, and deletion.
Automatic Updates enables download and installation of important windows updates from Windows Update. If this service is disabled, the operating system can be manually updated on the Windows Update Web site.
The Background Intelligent Transfer Service uses idle network bandwidth to transmit files in the background. If this service is disabled, any function dependent on bits, such as Windows Update or MSN Explorer, cannot automatically download programs and other information.
ClipBook supports the "Clipboard viewer" so that you can view the clipboard page remotely.
The Distributed Link Tracking Server saves the information that files are moved between volumes in the domain.
Fax Service helps you send and receive faxes
File Replication maintains file synchronization between multiple servers in the file directory.
Indexing Service
Internet Connection Sharing provides network address translation, addressing, and name resolution services for all computers in the home network connected through a dial-up network.
Intersite Messaging allows sending and receiving messages between Windows Advanced Server sites.
Kerberos Key Distribution Center generates session keys and grants service creden。 (ticket) for Interactive Client/Server Authentication ).
Logical Disk Manager Administrative Service System Management Service for disk management requests
Messenger sends and receives messages sent by the system administrator or the "alarm" service.
Net Logon supports the pass-through account logon authentication event on the network.
NetMeeting Remote Desktop Sharing allows authorized users to remotely access Windows desktops using netmeeting.
Network DDE provides the network transmission and security features of Dynamic Data Exchange (DDE.
Network dde dsdm Management Network DDE shared Dynamic Data Exchange
Performance Logs and alerts configure Performance Logs and alarms.
Print Spooler loads the file into the memory for later printing.
QoS RSVP provides network signal and local communication control installation for quality service (QoS)-dependent programs and control applications.
Remote Access Auto Connection Manager creates a connection to the remote network whenever a program references a remote DNS or NetBIOS name or address.
Remote Procedure Call (RPC) Locator manages the RPC Name Service database.
Remote Registry Service allows remote registry operations.
Routing and Remote Access provides routing services for enterprises in LAN and WAN environments.
Smart Card manages and controls access to smart cards inserted into smart card readers.
Smart Card Helper provides support for connecting to legacy smart cards on computers.
Telnet allows remote users to log on to the system and run console programs using the command line.
Terminal Services provides a multi-session environment that allows client devices to access virtual Windows 2000 Professional desktop sessions and Windows-based programs running on servers.
Uninterruptible power supply manages the uninterruptible power supply (UPS) that is connected to the computer ).
Utility Manager starts and configures auxiliary tools from a window
Windows Management Instrumentation Driver Extensions exchanges system management information with drivers.
Windows Time sets the computer clock.
Wireless Configuration uses IEEE 802.1x to provide network access control for authentication for wired and wireless Ethernet networks.

Services to be started for a dial-up connection:

Remote Access Connection Manager creates a network connection.
Telephony supports TAPI to allow programs to control local computers, servers, telephone devices on the LAN, and IP-based voice connections.

Local full policy

Password Policy for account policy:

The password must comply with complexity requirements. Enabled
The minimum password length is 6 Characters
Password retention period: 42 days
Password retention period: 0 days
Force password history 0 remembered passwords
Used recoverable encryption to store passwords for all users in the domain

Account locking policy based on account policy:

Reset the account to lock the counter 30 minutes later
Account lock time: 30 minutes
The account lock threshold value is 3 Invalid Logins

Audit Policy for Local Policies

Audit Policy Change not reviewed
Login event review successful, failed
Audit object access not reviewed
Audit Process Tracking not reviewed
Audit Directory Service Access not reviewed
Audit privilege usage not reviewed
Audit system events not reviewed
Account Logon review successful, failed
Account Management review successful, failed

Security Options of local policies

Do not show that the user name for the last logon is enabled on the logon screen
Extra restrictions on anonymous connections do not allow enumeration of SAM accounts and sharing

Directory and file permission settings

Delete everyone from Documents and Settings and Program Files Folder Permissions
Cmd.exe ftp.exe net.exe telnet.exe File Permission to delete everyone

Cancel default directory sharing and management sharing

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ lanmans erver \ Parameters
Add key: AutoShareServer type REG_DWORD value 0x0

HKEY_LOCAL_MACHINE \ SYSTEM \ CurrentControlSet \ Services \ lanmans erver \ Parameters
Add key: autoscaling wks type REG_DWORD value 0x0

Account settings

Disable the Guest account, set a complex password, and delete the guest from the guests user group.

Modify the default Administrator Account Name, full name, and description, and set a strong password.

IIS Security Settings

Change the Home Directory of the default web site, delete unnecessary file ing, and delete the inetpub directory. Delete virtual sites, directories, and files created by default.

SQL Server 2000 Security Configuration

Set strong passwords for SAS

Server network utility-> TCP/IP-> properties: Modify the default port value and choose to hide the server.

Delete hidden system stored procedures:

Use master

Sp_dropextendedproc 'xp _ export shell'

Not recommended operation: Delete the stored procedure of Registry Access

sp_dropextendedproc 'xp _ regaddmultistring '
comment 'xp _ regdeletekey'
comment 'xp _ regdeletevalue '
comment 'xp _ regenumvalues'
sp_dropextendedproc 'xp _ regread'
sp_dropextendedproc 'xp _ regremovemultistring '
sp_dropextendedproc 'xp _ regwrite'