I. Intrusion detection and data backup
(i) Intrusion detection
Intrusion detection is an important part of day-to-day server management. The routine detection work consists of routine security inspection and intrusion inspection; the latter is divided into the security checks made before an intrusion and those made after it. System security follows the barrel principle: a wooden barrel is made of many staves, and if the staves are of unequal length, the barrel's capacity is limited not by the longest stave but by the shortest. Applied to security, this means that the security of a system is determined by its weakest part, and those parts are the focus of everyday security inspection.
Daily security inspection
The daily security inspection focuses on the security of the system itself and proceeds through the following steps:
1. Check server status. Open Task Manager, observe server performance, in particular CPU and memory usage, and look for anomalies such as unusually high CPU or memory consumption.
2. Check the running processes. Switch Task Manager to the Processes tab and look for suspicious applications or background processes. A taskmgr.exe process is Task Manager's own; a wuauclt.exe process is present while Windows Update is running. For a process you are unsure of, or one whose owning application on the server you cannot identify, search the Web for the process name in a process knowledge base. Be careful with processes whose names imitate system processes, such as svch0st.exe; the usual tricks are replacing the letter o with the digit 0 and the letter l with the digit 1.
3. Check system accounts. Open Computer Management, expand Local Users and Groups, open Groups, and check whether a new account has been added to the Administrators group and whether any cloned accounts exist.
4. Check open ports. Use Activeport to view the current port connections, especially those connected to external hosts, and look for unauthorized ports communicating with the outside. If you find one, close the port immediately, record the program behind it, and move that program to another directory for later analysis. Open Computer Management > System Information > Software Environment > Running Tasks (this view shows hidden processes that do not appear in Task Manager) and review the currently running programs. If there is an unknown program, record its location and end it from Task Manager; for backdoors and similar programs that protect themselves with a guardian process, try ending the whole process tree. If it still cannot be ended, search the registry for the program's name, delete the corresponding values, and reboot into Safe Mode to delete the program files.
5. Check system services. Run services.msc, look at the services in the Started state, check for newly added unknown services, and determine what each one is for. For an unclear service, open its properties to see which executable it corresponds to; if that file is known to be a normal file within the system, the service can be left alone. Also check whether other legitimately running services depend on it; if so, it can usually be spared. If you cannot determine whether the executable is a normal system file and no other legitimate running service depends on it, stop the service temporarily and then verify that the applications still work normally. Some backdoors hook system APIs so that the service they add is not visible in the Services manager; for those, open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services and go through each service's name and executable to decide whether it is a backdoor, trojan or similar program.
6. Check the logs. Run eventvwr.msc and look through the system's log records. While viewing a log, right-click it, choose Properties, and set a filter that selects only Error and Warning entries, then review each entry's source and description. If an error has a solution in the server's common troubleshooting procedures, handle it that way; otherwise record the problem in detail, including the event source, event ID and description, so that a solution can be found later.
7. Check system files. This mainly covers the EXE and DLL files on the system drive. It is recommended that, right after installation, you save a list of all EXE files with dir *.exe /s > 1.txt, generate a fresh list with the same command at each inspection, and compare the two files with fc; do the same for DLL files. Note that the baseline list must be rebuilt after patches are applied or software is installed. Check whether system files have been replaced or whether trojans, backdoors or other malicious programs have been installed. If necessary, run an antivirus scan of the system disk.
8. Check whether the security policy has changed. Open the properties of Local Area Connection and check that only the TCP/IP protocol is selected; open the TCP/IP settings, click Advanced > Options, and check whether IP Security has an IP policy set and whether the ports allowed by TCP/IP Filtering have been changed. Then open Administrative Tools > Local Security Policy to see whether the IP Security policy currently in use has changed.
9. Check directory permissions. Focus on whether the permissions on the system directories and important application directories have changed. The directories to check are c:\, c:\winnt, c:\winnt\system32, c:\winnt\system32\inetsrv, c:\winnt\system32\inetsrv\data and c:\documents and settings, followed by the Serv-U installation directory. Also check whether the permissions on important files under system32, including cmd, net, ftp, tftp and cacls, have changed.
10. Check startup items. This mainly means checking the programs that currently start with the system; Areporter can be used to list them.
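An added PowerShell example (not from the original article) that automates steps 2 and 7 of the inspection above: a SHA-256 baseline of the EXE and DLL files under the system directory, a comparison against that baseline, and a check for running processes whose names imitate system processes by swapping o/0 and l/1. The baseline path and the list of "known" process names are assumptions.

```powershell
# Added example, not from the article. Assumes PowerShell 4+ (Get-FileHash).
$SystemDir    = Join-Path $env:SystemRoot 'system32'
$BaselineFile = 'C:\baseline\system32-binaries.csv'   # assumed location

# Step 7: hash every .exe and .dll under the system directory into a baseline.
# Rebuild it after patching or installing software, as the article says.
function New-BinaryBaseline {
    Get-ChildItem -Path $SystemDir -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 |
        Select-Object Path, Hash |
        Export-Csv -Path $BaselineFile -NoTypeInformation
}

# Compare the current state with the baseline. Unlike the article's 'fc' on a
# plain file list, hashing also catches a replaced file that kept its name.
function Compare-BinaryBaseline {
    $old = @{}
    Import-Csv $BaselineFile | ForEach-Object { $old[$_.Path] = $_.Hash }
    $new = @{}
    Get-ChildItem -Path $SystemDir -Recurse -Include *.exe, *.dll -File -ErrorAction SilentlyContinue |
        Get-FileHash -Algorithm SHA256 | ForEach-Object { $new[$_.Path] = $_.Hash }
    foreach ($p in $new.Keys) {
        if (-not $old.ContainsKey($p))  { "ADDED    $p" }
        elseif ($old[$p] -ne $new[$p])  { "CHANGED  $p" }
    }
    foreach ($p in $old.Keys) { if (-not $new.ContainsKey($p)) { "REMOVED  $p" } }
}

# Step 2: flag processes whose names imitate system processes (svch0st.exe).
# The known-name list is an assumption; extend it for your server.
function Find-LookalikeProcesses {
    $known = 'svchost','lsass','csrss','winlogon','services','explorer','taskmgr','wuauclt'
    foreach ($proc in Get-Process) {
        $name = $proc.ProcessName.ToLower()
        $normalized = $name -replace '0','o' -replace '1','l'
        if ($known -contains $normalized -and $name -ne $normalized) {
            "SUSPICIOUS process '$($proc.ProcessName)' (PID $($proc.Id)) imitates $normalized"
        }
    }
}
```

Run New-BinaryBaseline once after installation, then Compare-BinaryBaseline and Find-LookalikeProcesses at each inspection; anything reported still needs the manual review the steps above describe.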
Countermeasures when an intrusion is discovered
When an intrusion is discovered, the handling below applies to a system that has already been compromised. If the system has not been damaged, or the damage cannot yet be detected, first go through the inspection procedure above and then consider the following measures as appropriate.

Once the system has been compromised, take the following measures immediately. First decide, according to how serious the situation is, whether to handle it remotely or on site; for a serious case, on-site handling is recommended. For on-site handling, have the data center shut down the server as soon as the intrusion is discovered; when the handling staff reach the data center, disconnect the network and then enter the system for inspection. For remote handling of a serious case, first stop all application services, change the IP policy so that only the remote management port may connect, then restart the server and reconnect remotely to continue; before restarting, check the startup programs with Areporter. Then proceed with the security inspection.

The following measures apply to an intrusion into a user's site that does not endanger the system. If the user asks for the security of the site to be strengthened, it can be hardened as follows:
Site root: read permission only, for the administrator, with permissions inherited by subfolders.
wwwroot: read and write permissions for the Web user; in Advanced, include "Delete subfolders and files".
logfiles: write permission for SYSTEM.
database: read and write permissions for the Web user; in Advanced, do not include "Delete subfolders and files".
If further tightening is needed, use the characteristics of the user's site: folders that hold ordinary files, such as HTML, JS and image folders, get read permission only, while ASP and other script files get the permissions in the table above. Also review the security log of the user's site, identify the cause of the vulnerability, and help the user patch it.
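An added example (not from the original article) that applies the permission layout above with icacls from PowerShell. It assumes Windows Server 2008 or later, a site root at D:\sites\example and a Web user account named IUSR_EXAMPLE (both assumed names), and an administrative shell.

```powershell
# Added example, not from the article. Paths and account names are assumptions.
$SiteRoot = 'D:\sites\example'
$WebUser  = 'IUSR_EXAMPLE'

function Set-SiteAcl {
    # Site root: drop inherited ACEs, then grant the administrator read only.
    # (OI)(CI) makes the ACE inherit to subfolders and files, as the table requires.
    icacls $SiteRoot /inheritance:r
    icacls $SiteRoot /grant:r "Administrators:(OI)(CI)R"

    # wwwroot: Web user read + write, including 'Delete subfolders and files' (DC).
    icacls "$SiteRoot\wwwroot" /grant:r "${WebUser}:(OI)(CI)(GR,GW,DC)"

    # logfiles: SYSTEM write only.
    icacls "$SiteRoot\logfiles" /grant:r "SYSTEM:(OI)(CI)W"

    # database: Web user read + write, without 'Delete subfolders and files'.
    icacls "$SiteRoot\database" /grant:r "${WebUser}:(OI)(CI)(GR,GW)"

    # Further tightening: static content folders (assumed names) read only for
    # the Web user; script folders keep the wwwroot permissions from above.
    foreach ($static in 'html', 'js', 'images') {
        $dir = Join-Path "$SiteRoot\wwwroot" $static
        if (Test-Path $dir) { icacls $dir /grant:r "${WebUser}:(OI)(CI)R" }
    }
}

# Verify the result the same way you would audit it: list the effective ACLs.
function Show-SiteAcl {
    foreach ($d in '', 'wwwroot', 'logfiles', 'database') { icacls (Join-Path $SiteRoot $d) }
}
```

Show-SiteAcl output is what step 9 of the daily inspection compares against later, so keep a copy of it with the site's records.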
(ii) Data backup and data recovery
Data backup work is roughly as follows:
1. Back up the system data once a month.
2. Two weeks after the system backup, make a separate backup of the application data, mainly the IIS, Serv-U and database data.
3. Keep the backup data secure, and classify the backups. Because of the way virtually all backup methods work, the retention period can only keep two copies of the data: the previous backup and the most recent backup.
Data recovery work:
1. If the system crashes or otherwise cannot be returned to a normal state, first back up the changes made since the last system backup, such as application and security policy settings, then restore the system and reapply those changes.
2. For application and other errors, restore the relevant content from the most recent backup.
II. Server performance optimization
1. Reclaim system space:
Delete system backup files, delete the driver backup, remove unused input methods, delete the system's help files, and uninstall rarely used components. Keep the files on the C: drive to a minimum.
2. Performance optimization:
Remove redundant autorun programs; reduce prefetching and shorten the progress-bar wait; let the system automatically close programs that stop responding; disable error reporting but keep notification of critical errors; turn off automatic updates and update the computer manually; enable hardware and DirectX acceleration; disable shutdown event tracking; disable the Configure Your Server wizard; shorten the boot-time disk check wait;
assign processor scheduling and memory usage to programs; adjust virtual memory; optimize memory; set the CPU level-2 cache size; adjust the disk cache.
IIS performance tuning
1. Adjust the IIS cache
The registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters\MemoryCacheSize ranges from 0 to 4 GB; the default is 3072000 (3 MB). In general this value should be set to 10% of the server's memory. IIS improves system performance by caching system handles, directory listings and other commonly used data, and this parameter sets the amount of memory allocated to that cache. A value of 0 means no caching is done, which may reduce system performance. If the server's network traffic is heavy and memory is plentiful, consider raising the value. Note that after modifying the registry, a reboot is required for the new value to take effect.
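An added example (not from the original article) that sizes MemoryCacheSize to 10% of physical memory, as recommended above, and writes it to the registry value named above. It assumes a Windows host running IIS with PowerShell 3+ (Get-CimInstance) and an administrative shell; the 10% rule and the 3 MB default are the article's, the clamping is an assumption about the DWORD write.

```powershell
# Added example, not from the article.
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\InetInfo\Parameters'

function Get-RecommendedCacheSize {
    # 10% of physical RAM, per the article. The value is stored as a REG_DWORD,
    # so it is clamped to the largest value Set-ItemProperty -Type DWord accepts.
    $ramBytes = (Get-CimInstance Win32_ComputerSystem).TotalPhysicalMemory
    [int][Math]::Min([double]($ramBytes * 0.10), [double][int]::MaxValue)
}

function Set-IisMemoryCacheSize {
    param([int]$Bytes = (Get-RecommendedCacheSize))
    if ($Bytes -lt 0) { throw "MemoryCacheSize must be between 0 and 4 GB" }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    # Read the current setting so the change is recorded; absent means the default.
    $current = (Get-ItemProperty -Path $KeyPath -Name MemoryCacheSize -ErrorAction SilentlyContinue).MemoryCacheSize
    if ($null -eq $current) { $current = 3072000 }   # the 3 MB default stated above
    Set-ItemProperty -Path $KeyPath -Name MemoryCacheSize -Value $Bytes -Type DWord
    "MemoryCacheSize changed from $current to $Bytes bytes; reboot for it to take effect."
}
```

Call Set-IisMemoryCacheSize with no arguments for the 10% rule, or pass -Bytes 0 to see the no-caching setting the article warns about.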
2. Do not shut down the "Protected Storage" system service.
3. Restrict access traffic
(1) Limit the number of site visitors. (2) Limit the site's bandwidth, and keep HTTP connections alive. (3) Set a process limit by entering a CPU consumption percentage.
4. Improve IIS processing efficiency
In the application settings, open the Application Protection drop-down list and choose Low (IIS Process); the efficiency of the IIS server's request handling rises by about 20%. However, this setting creates a serious security problem and is not recommended.
5. Set up the IIS server as a stand-alone server
(1) Improve the hardware configuration to optimize IIS performance. Hard disk: NT and IIS use hard disk space in two ways, as plain data storage and as virtual memory; an Ultra2 SCSI drive improves IIS performance noticeably. (2) Spread the NT server's paging files across several physical disks; note that this means several physical disks, not several partitions of one disk. Also, do not place a paging file on the same partition as the Windows NT boot partition. (3) Use disk mirroring or disk stripe sets to improve disk read performance. (4) It is best to store all data on a separate partition and run Disk Defragmenter regularly so that the partition holding the Web server data stays free of fragmentation. NTFS helps reduce fragmentation, and Norton SpeedDisk is recommended for quickly defragmenting NTFS partitions.
6. HTTP compression
HTTP compression transfers compressed text content between the Web server and the browser, using a common compression algorithm such as gzip on HTML, JavaScript or CSS files. It can be set up with Pipeboost.
7. Recycle resources
Use IIS 5 process recycling to reclaim process resources at timed intervals.