Server maintenance security policy solution

Source: Internet
Author: User
Tags: microsoft iis

Most of the servers we use run Windows Server 2000 and Windows Server 2003. Windows Server 2003 is currently the most mature network server platform and is much more secure than Windows 2000, but the default security configuration of 2003 and 2000 is not necessarily suitable for our needs. We therefore have to complete the security configuration of Win2003 and Win2000 according to our actual situation. Security configuration is a relatively difficult network technology: if permissions are configured too strictly, many programs cannot run; if they are configured too loosely, the server is easy to break into. As administrators, we need to set security policies based on our actual usage and applications so that the server keeps running securely over the long term.

★ The following are some security policies for our current server situation:

1. Windows accounts

  1. Rename the Administrator account, for example to an alias such as boco_ofm or to a Chinese name (this adds one more obstacle for an attacker).
  2. Rename Guest to "Administrator" as a trap account, give it a strong password, or disable it outright. (Some attack tools exploit weaknesses of the Guest account to elevate it from an ordinary user into the Administrators group.)
  3. Apart from the Administrator account and service accounts, all other users must be disabled or deleted.
    (1) Accounts on the web server are generally used only for system maintenance. Do not keep redundant accounts: every extra account is one more account that can be broken.
    (2) Besides Administrator, add one more account belonging to the Administrators group. (Two Administrators-group accounts mean we still have a backup if the password of one is forgotten, and if an attacker breaks one account and changes its password we still have a chance to regain control in the short term.)
    (3) Give every user account a complex password (except the SYSTEM account). The password must be at least 8 characters long and contain letters, numbers and special characters. Do not use familiar words (such as boco), keyboard sequences (such as qwert) or familiar numbers (such as 2008). (Passwords are the focus of attacks: once a password is broken there is no system security at all. According to information found online, a five-character password containing only letters and numbers can be cracked in a few minutes.)

2. Password and account lockout policy

  1. When enabling the password policy, make sure it actually applies, and enable "Password must meet complexity requirements". Set the minimum password length to 8 characters, enforce password history to 5 passwords remembered, and set the maximum password age to 31 days.
  2. Enable the account lockout policy. Set "Reset account lockout counter after" to 30 minutes, the account lockout duration to 30 minutes, and the account lockout threshold to 3 invalid logon attempts.

3. Windows Firewall

Windows 2000 does not include a firewall by default; we have to install a reliable software firewall ourselves.

  1. Before enabling the firewall service, check that port 3389 is in the exception list. Our servers are deployed in the data center and maintenance staff usually work through Remote Desktop, so if it is missing, tick "Remote Desktop" before enabling the service.
  2. Add ports 80, 1433 and 21 to the exceptions. In short, add no port unless it is necessary. (Alternatively, use Windows Firewall > Advanced > Local Area Connection > Settings > Services to tick the services you need, such as Remote Desktop, HTTP, FTP and SMTP.)
  3. Allow ping to the server: Windows Firewall > Advanced > Local Area Connection > Settings > ICMP, tick "Allow incoming echo request".
  4. In the firewall policy, add the IP addresses that are allowed to reach Remote Desktop.

4. Local policy
  1. Local Policy > Security Options:
    Interactive logon: Do not display last user name: Enabled
    Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
    Network access: Do not allow storage of credentials for network authentication: Enabled
    Network access: Shares that can be accessed anonymously: delete all
    Network access: Named Pipes that can be accessed anonymously: delete all
    Network access: Remotely accessible registry paths: delete all
    Network access: Remotely accessible registry paths and sub-paths: delete all
    Network access: Restrict anonymous access to Named Pipes and Shares: Enabled
  2. Local Policy > Audit Policy:
    Audit policy change: Success, Failure
    Audit logon events: Success, Failure
    Audit object access: Failure
    Audit process tracking: No auditing
    Audit directory service access: Failure
    Audit privilege use: Failure
    Audit system events: Success, Failure
    Audit account logon events: Failure
    Audit account management: Failure
  3. Local Policy > User Rights Assignment:
    Shut down the system: the Administrators group only; remove everyone else.
    Access this computer from the network: the system administrators and the specified accounts only.
  4. Use NTFS partitions. Convert all server partitions to NTFS; the NTFS file system is much safer than FAT and FAT32.
  5. Setting a screen saver password is simple and necessary, and it is also a barrier against internal staff damaging the server. Do not use an elaborate screen saver that wastes system resources; a blank screen is enough. It is best to set a screen saver password on the machines of all system users.
  6. Change file sharing permissions from the "Everyone" group to "Authenticated Users". In Win2000 and Win2003, "Everyone" means that any user who can reach your network can read the shared data. Never give shares to the "Everyone" group; this includes printer sharing, whose default permission is also "Everyone".
  7. Keep the backup media secure. Once system data is damaged, the backup is the only way to restore it. After backing up, store the backup in a safe place, and never keep the backup on the same server. We have deployed a backup server in room 3001.

5. Disable unneeded services

  1. We usually disable the following services:
    Computer Browser (browse list updates)
    Help and Support (computer help)
    Messenger (net send and Alerter messages between client and server)
    Print Spooler (spools print jobs in memory)
    Remote Registry (lets remote users modify the registry)
    TCP/IP NetBIOS Helper (NetBIOS name resolution)
    Workstation (creates and maintains client network connections to remote computers)
    Telnet (lets remote users log on to the computer)
  Although these services may not be exploited by attackers, the security rules and standards must be followed: there is no need to enable things that are not needed, and disabling them reduces the potential risk.
  2. In "Network Connections", remove unnecessary protocols and services and keep only Internet Protocol (TCP/IP). In Advanced TCP/IP Settings, under the NetBIOS setting, select "Disable NetBIOS over TCP/IP".
  3. Disable null sessions. Check that null sessions are disabled so that anonymous (unauthenticated) sessions cannot be created with the server. Run Regedt32.exe and check that "RestrictAnonymous" is set to 1, as shown below:
    HKLM\System\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1
  4. Review shares and their permissions: run the "Computer Management" MMC snap-in and select "Shares" under "Shared Folders". Check whether every share is required and delete all unnecessary shares.
  Delete the default shares with a batch script:
    net share C$ /delete
    net share D$ /delete
    net share E$ /delete
    net share IPC$ /delete
    net share ADMIN$ /delete
  Or turn them off permanently in the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, set AutoShareServer (type REG_DWORD) to 0.
  5. Do not install applications unrelated to the server's role.

6. IIS

IIS is the most vulnerable Microsoft component: on average a new vulnerability appears every two or three months, and the default configuration of Microsoft IIS is a prime target. Some of the company's websites are currently served by IIS. First, delete the Inetpub directory on drive C and create an Inetpub directory on drive D (if you are unsure about keeping the default directory name you can change it, but remember it), then in IIS Manager point the home directory to D:\Inetpub. Second, delete the default virtual directories created during IIS installation. Although Inetpub has been removed from the system disk, be careful: if you need a directory with special permissions (write permission or permission to execute programs), create it yourself.

7. Change the Remote Desktop port number

  1. Open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp and change PortNumber to the port you want to use, in decimal (for example 40228). Then open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp and change the PortNumber value on the right to the port you want to use, again in decimal (for example 40228). Note: port 40228 must also be opened in Windows Firewall. Restart the server for the setting to take effect.
  2. The following ports are generally disabled: 135, 138, 139, 443, 445, 4000, 4899.
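To check that the password, lockout and audit settings from the password policy and local policy sections above are really in force, here is an added PowerShell audit script (not part of the original article). It exports the local security policy with secedit and compares the exported values with the article's numbers; it assumes PowerShell is installed on the server, the script runs as an administrator, and the scratch path under $env:TEMP is writable.

```powershell
# Added example (not from the original article): export the local security policy with
# secedit and compare the [System Access] and [Event Audit] values against the password,
# lockout and audit settings listed above. Expected values are the article's; the path is assumed.
# secedit audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'   # assumed scratch path
secedit /export /cfg $inf /quiet | Out-Null

$expected = @{
    'PasswordComplexity'    = 1    # "Password must meet complexity requirements" enabled
    'MinimumPasswordLength' = 8
    'PasswordHistorySize'   = 5    # enforce password history: 5 passwords remembered
    'MaximumPasswordAge'    = 31   # days
    'LockoutBadCount'       = 3    # account lockout threshold
    'LockoutDuration'       = 30   # minutes
    'ResetLockoutCount'     = 30   # minutes
    'AuditPolicyChange'     = 3
    'AuditLogonEvents'      = 3
    'AuditObjectAccess'     = 2
    'AuditProcessTracking'  = 0
    'AuditDSAccess'         = 2
    'AuditPrivilegeUse'     = 2
    'AuditSystemEvents'     = 3
    'AuditAccountLogon'     = 2
    'AuditAccountManage'    = 2
}

# Parse the "Key = Value" lines of the exported INF into a hashtable.
$actual = @{}
foreach ($line in Get-Content $inf) {
    if ($line -match '^\s*([A-Za-z]+)\s*=\s*(.+?)\s*$') { $actual[$matches[1]] = $matches[2] }
}

$failures = 0
foreach ($key in $expected.Keys | Sort-Object) {
    $have = $actual[$key]
    if ($have -eq $null) { $have = '<missing>' }
    $ok = ($have -eq [string]$expected[$key])
    if (-not $ok) { $failures++ }
    '{0,-22} expected {1,-3} found {2,-9} {3}' -f $key, $expected[$key], $have, $(if ($ok) {'OK'} else {'FIX'})
}
Remove-Item $inf -ErrorAction SilentlyContinue
"$failures setting(s) differ from the policy above."
```

Run it again after changing the policy; every line should read OK before the server is put back into service.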
8. Change the default TTL value

An attacker can roughly guess your operating system from the TTL value returned by ping, for example TTL = 107 (WinNT), TTL = 108 (Win2000), TTL = 127 or 128 (XP), TTL = 240 or 241 (Linux), TTL = 252 (Solaris), TTL = 240 (IRIX). To change it, open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters and set DefaultTTL (REG_DWORD, 0-0xff, that is 0-255 decimal, default 128) to an unexpected number such as 258, so that the operating system cannot be guessed from it.

★ The following are the routine server maintenance policies:

  1. The system account passwords are changed once a month and must meet the complexity requirements.
  2. The system logs are reviewed and then cleared once a week.
  3. Antivirus software updates automatically and is also updated manually every half month.
  4. System updates are set to automatic and are checked and installed every half month.
  5. Server hardware status is checked once a month, and CPU, memory and hard disk usage is recorded once a month.
  6. Install patches and antivirus software.
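The registry values and services changed in the sections above (RestrictAnonymous, AutoShareServer, the Remote Desktop PortNumber, DefaultTTL and the list of services to disable) are easy to miss on one server out of many, so here is an added PowerShell check (not part of the original article) that reads them back and flags anything still at its weak default. It assumes PowerShell and WMI are available and the script runs as an administrator; the expected values are the article's own.

```powershell
# Added example (not from the original article): read back the registry values and services
# that the hardening steps above change and report anything still at the weak default.
# Expected values come from the article; the service display names are the ones it lists.
$registryChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'; Name = 'RestrictAnonymous'; Want = 1; Note = 'null sessions blocked' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer'; Want = 0; Note = 'no C$/ADMIN$ auto shares' }
)
# Values that must NOT be left at their default (the article moves them to a non-default number).
$notDefaultChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'; Name = 'PortNumber'; Default = 3389; Note = 'RDP port moved off 3389' },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'; Name = 'DefaultTTL'; Default = 128; Note = 'TTL no longer identifies Windows' }
)
$services = 'Computer Browser', 'Help and Support', 'Messenger', 'Print Spooler',
            'Remote Registry', 'TCP/IP NetBIOS Helper', 'Workstation', 'Telnet'

function Get-RegValue($path, $name) {
    # Returns $null when the key or value does not exist (Windows then uses its built-in default).
    $item = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$name
}

foreach ($c in $registryChecks) {
    $v = Get-RegValue $c.Path $c.Name
    $state = if ($v -eq $c.Want) { 'OK ' } else { 'FIX' }
    "$state $($c.Name) = $(if ($v -eq $null) {'<absent>'} else {$v}) (want $($c.Want); $($c.Note))"
}
foreach ($c in $notDefaultChecks) {
    $v = Get-RegValue $c.Path $c.Name
    $effective = if ($v -eq $null) { $c.Default } else { $v }   # absent value means the default applies
    $state = if ($effective -ne $c.Default) { 'OK ' } else { 'FIX' }
    "$state $($c.Name) = $effective (default $($c.Default); $($c.Note))"
}
# Services are queried through WMI so that StartMode is available on older Windows versions.
foreach ($name in $services) {
    $svc = Get-WmiObject Win32_Service -Filter "DisplayName='$name'"
    if ($svc -eq $null) { "n/a $name (not installed)"; continue }
    $state = if ($svc.StartMode -eq 'Disabled' -and $svc.State -eq 'Stopped') { 'OK ' } else { 'FIX' }
    "$state $name StartMode=$($svc.StartMode) State=$($svc.State)"
}
```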
