Server Security Configuration Lecture (repost)

Source: Internet
Author: User

First, when installing the system, format every disk partition as NTFS.

Once the system is installed, apply all available system patches first, then apply an ARP patch as well: Microsoft's site offers no download that fixes the ARP weakness, and attackers exploit ARP spoofing on a shared segment to plant malicious code on large numbers of sites at once ("hanging horse", i.e. trojan injection).

Second, modify the hard drive permissions.

For the NTFS permissions, at the root of every drive remove all other users and grant the Administrators group Full Control (optionally add the SYSTEM account as well) before the server goes into use.

Then enter the system drive. The permissions are as follows:

C:\WINDOWS: Administrators and SYSTEM get Full Control; the default permissions for Users are left unmodified.

Other directories: remove the Everyone user, and remember the All Users and Default User directories and their subdirectories under C:\Documents and Settings.

For example, C:\Documents and Settings\All Users\Application Data keeps Everyone rights in the default configuration.

The permissions under C:\WINDOWS must also be watched: C:\WINDOWS\PCHealth and C:\WINDOWS\Installer, for example, also keep Everyone permissions by default.

Delete the C:\WINDOWS\Web\printers directory, which is what makes IIS map the .printer extension; that ISAPI handler has a known buffer-overflow vulnerability.

The default IIS help pages are rarely used by anyone. It is recommended that you delete the C:\WINDOWS\Help\iisHelp directory.

Delete C:\WINDOWS\system32\inetsrv\iisadmpwd. It is used to manage IIS passwords, for example when a 500 error is caused by the anonymous account's password being out of sync with IIS. At that point you could use OWA or iisadmpwd to resynchronize the password, but you can safely delete it here, because the settings described below prevent the system from producing the password synchronization problem in the first place.

Open C:\Windows and search for the following files:

net.exe; cmd.exe; tftp.exe; netstat.exe; regedit.exe; at.exe; attrib.exe; cacls.exe; format.com;

regsvr32.exe; xcopy.exe; wscript.exe; cscript.exe; ftp.exe; telnet.exe; arp.exe; edlin.exe;

ping.exe; route.exe; finger.exe; posix.exe; rsh.exe; atsvc.exe; qbasic.exe; runonce.exe; syskey.exe

Modify their permissions: remove all users and keep only Administrators and SYSTEM with Full Control.

For those who do not know the specific steps, I give the corresponding documents and paths at the end; follow those steps to set the permissions.
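The permission work above is tedious to do file by file in Explorer, and it is easy to miss the second copy of a tool that Windows keeps in dllcache. The script below is an added example (not from the original post) that locks the listed tools and a data-drive root down to Administrators and SYSTEM with icacls, then reads the ACLs back so you can see that nothing else is left. It assumes an elevated PowerShell session, that takeown.exe and icacls.exe are present (Server 2003 SP2 and later), and that D:\ is a placeholder data drive; the file list is the one given in the post.

```powershell
# Added example, not part of the original post. Assumes an elevated session,
# icacls.exe/takeown.exe available, and 'D:\' as a placeholder data drive.
$SystemRoot = $env:SystemRoot
$Tools = @(
    'net.exe','cmd.exe','tftp.exe','netstat.exe','regedit.exe','at.exe','attrib.exe',
    'cacls.exe','format.com','regsvr32.exe','xcopy.exe','wscript.exe','cscript.exe',
    'ftp.exe','telnet.exe','arp.exe','edlin.exe','ping.exe','route.exe','finger.exe',
    'posix.exe','rsh.exe','atsvc.exe','qbasic.exe','runonce.exe','syskey.exe'
)

# Search the whole Windows directory: copies live in system32 and in
# system32\dllcache, and locking only one copy leaves the other reachable.
function Find-Tool {
    param([string[]]$Names)
    Get-ChildItem -Path $SystemRoot -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { -not $_.PSIsContainer -and $Names -contains $_.Name.ToLower() }
}

function Restrict-ToAdmins {
    param([string]$Path)
    # Take ownership first: on Vista/2008 and later system files belong to
    # TrustedInstaller and Administrators cannot rewrite the ACL until they own it.
    & takeown.exe /f $Path /a | Out-Null
    # Drop inherited ACEs and replace the explicit ones with exactly two grants.
    & icacls.exe $Path /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
}

# Drive root: remove Everyone/Users, leave Administrators + SYSTEM, inherited downwards.
function Restrict-DriveRoot {
    param([string]$Root)
    & icacls.exe $Root /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
}

# Verification: report every ACE that is not Administrators or SYSTEM.
function Test-OnlyAdmins {
    param([string]$Path)
    $bad = (Get-Acl -Path $Path).Access | Where-Object {
        $_.IdentityReference.Value -notmatch '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM)$'
    }
    foreach ($a in $bad) { "$Path still grants $($a.FileSystemRights) to $($a.IdentityReference)" }
}

$found = Find-Tool -Names $Tools
foreach ($f in $found) { Restrict-ToAdmins -Path $f.FullName }
foreach ($root in @('D:\')) { Restrict-DriveRoot -Root $root }   # placeholder data drive
foreach ($f in $found) { Test-OnlyAdmins -Path $f.FullName }
```

Two caveats before running it: Windows File Protection may silently restore a locked file from dllcache after a patch, so re-run the check after updates; and this only stops opportunistic webshells running as the IIS anonymous account from calling cmd.exe or net.exe. Anything already running as SYSTEM is unaffected, and a scheduled task or service that runs under a low-privilege account and needs one of these tools will break, so test those first.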

Once these permissions are set, open the Local Security Policy:

set the audit policies, change the Guest account name and give it a very complex password.

Local Security Policy configuration

Start > Programs > Administrative Tools > Local Security Policy

Account Policies > Password Policy > Minimum password age: change to 0 days [i.e. the password may be changed immediately; as mentioned above, this is what keeps the IIS anonymous-account password from going out of sync]

Account Policies > Account Lockout Policy > Account lockout threshold: 5 invalid attempts; Account lockout duration: 10 minutes [my recommended configuration]

Local Policies > Audit Policy >

Audit account management: Success, Failure

Audit logon events: Success, Failure

Audit object access: Failure

Audit policy change: Success, Failure

Audit privilege use: Failure

Audit system events: Success, Failure

Audit directory service access: Failure

Audit account logon events: Success, Failure

Local Policies > Security Options >

> Shutdown: Clear virtual memory pagefile: change to Enabled

> Interactive logon: Do not display last user name: change to Enabled

> Interactive logon: Do not require CTRL+ALT+DEL: leave Disabled (Enabled would remove the secure attention sequence and weaken logon, the opposite of what is wanted here)

> Network access: Do not allow anonymous enumeration of SAM accounts: change to Enabled

> Network access: Do not allow anonymous enumeration of SAM accounts and shares: change to Enabled

> Accounts: Rename guest account: change to a complex account name

> Accounts: Rename administrator account: change to a personal account name

These are all set in Local Security Policy.
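Clicking through the MMC is fine for one box but not repeatable. The following is an added example (not from the original post) that expresses the same Local Security Policy settings as a secedit security template, applies it, and exports the effective policy so you can confirm what was actually set. It assumes an elevated session on Windows Server 2003 or later, that the two account names are placeholders you replace, and the usual template encoding (audit values 0 none, 1 success, 2 failure, 3 both; "4,n" is a REG_DWORD with data n).

```powershell
# Added example, not part of the original post. Account names are placeholders.
$NewAdminName = 'srv-ops-admin'      # placeholder: your personal admin account name
$NewGuestName = 'g7x-disabled-acct'  # placeholder: complex guest account name

# Audit values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
# Registry values: "4,<n>" means REG_DWORD with data n.
$Template = @"
[Unicode]
Unicode=yes
[System Access]
MinimumPasswordAge = 0
LockoutBadCount = 5
LockoutDuration = 10
ResetLockoutCount = 10
NewAdministratorName = "$NewAdminName"
NewGuestName = "$NewGuestName"
[Event Audit]
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditSystemEvents = 3
AuditDSAccess = 2
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
[Version]
signature="`$CHICAGO`$"
Revision=1
"@

$Inf = Join-Path $env:TEMP 'hardening.inf'
$Db  = Join-Path $env:TEMP 'hardening.sdb'
$Log = Join-Path $env:TEMP 'hardening.log'
# secedit expects a Unicode (UTF-16) template, hence -Encoding Unicode.
Set-Content -Path $Inf -Value $Template -Encoding Unicode

& secedit.exe /configure /db $Db /cfg $Inf /overwrite /log $Log /quiet

# Verify by exporting the effective policy and reading back the values we set.
function Get-AppliedPolicy {
    $out = Join-Path $env:TEMP 'current.inf'
    & secedit.exe /export /cfg $out | Out-Null
    $lines = Get-Content -Path $out
    [pscustomobject]@{
        MinimumPasswordAge = ($lines | Where-Object { $_ -match '^MinimumPasswordAge' })
        LockoutBadCount    = ($lines | Where-Object { $_ -match '^LockoutBadCount' })
        AuditLogonEvents   = ($lines | Where-Object { $_ -match '^AuditLogonEvents' })
        RestrictAnonymous  = ($lines | Where-Object { $_ -match 'RestrictAnonymous(SAM)?=' })
    }
}
Get-AppliedPolicy
Remove-Item -Path $Inf -Force   # the template records your new admin and guest names
```

DisableCAD=0 is the "Do not require CTRL+ALT+DEL: Disabled" setting; ResetLockoutCount must not exceed LockoutDuration or secedit rejects the template. Keep the log file: secedit reports per-setting failures there rather than on the console.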

Third, turn off unneeded services:

IPSEC Services

Print Spooler

TCP/IP NetBIOS Helper

These three services need to be stopped.

Fourth, open the registry to change the Remote Desktop port, close the default shares, and so on.

Close port 445

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Create a new DWORD value named "SMBDeviceEnabled" with data "0"

Prohibit null-session (empty) connections

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Create a new DWORD value named "RestrictAnonymous" with data "1"

Prevent the system from automatically creating the server administrative shares (server editions)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Create a new DWORD value named "AutoShareServer" with data "0"

Prevent the system from automatically creating the administrative shares (workstation editions)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

Create a new DWORD value named "AutoShareWks" with data "0"

Mitigating small-scale SYN-flood denial-of-service attacks by modifying the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Create a new DWORD value named "SynAttackProtect" with data "1"

Changing the Remote Desktop port is not listed here; the steps can be searched for.
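Steps three and four are one procedure, so here is a single added example (not from the original post) that stops and disables the three services, writes the five registry values, and reads each value back. It assumes an elevated session and uses the real service short names: PolicyAgent is IPSEC Services, Spooler is Print Spooler and lmhosts is TCP/IP NetBIOS Helper.

```powershell
# Added example, not part of the original post. Assumes an elevated session.
$Services = 'PolicyAgent', 'Spooler', 'lmhosts'

function Disable-ServiceSafely {
    param([string]$Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc) { "$Name is not present on this host"; return }
    # See what else would stop with it before pulling the plug.
    $deps = $svc.DependentServices | Where-Object { $_.Status -eq 'Running' }
    if ($deps) { "$Name has running dependents: $($deps.Name -join ', ')" }
    Stop-Service -Name $Name -Force -ErrorAction SilentlyContinue
    Set-Service  -Name $Name -StartupType Disabled
}

# Registry hardening from the post. SMBDeviceEnabled=0 turns off SMB over
# TCP/445 (no file sharing or SMB remote admin) and only takes effect after reboot.
$HKLM = 'HKLM:\SYSTEM\CurrentControlSet'
$RegSettings = @(
    @{ Path = "$HKLM\Services\NetBT\Parameters";        Name = 'SMBDeviceEnabled';  Value = 0 },
    @{ Path = "$HKLM\Control\Lsa";                      Name = 'RestrictAnonymous'; Value = 1 },
    @{ Path = "$HKLM\Services\LanmanServer\Parameters"; Name = 'AutoShareServer';   Value = 0 },
    @{ Path = "$HKLM\Services\LanmanServer\Parameters"; Name = 'AutoShareWks';      Value = 0 },
    @{ Path = "$HKLM\Services\Tcpip\Parameters";        Name = 'SynAttackProtect';  Value = 1 }
)

function Set-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # -Type DWord creates the value if it is missing and overwrites it if present.
    Set-ItemProperty -Path $Path -Name $Name -Value $Value -Type DWord
}

function Test-HardeningValue {
    param([string]$Path, [string]$Name, [int]$Value)
    $actual = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    [pscustomobject]@{ Key = "$Path\$Name"; Expected = $Value; Actual = $actual; Ok = ($actual -eq $Value) }
}

foreach ($s in $Services)    { Disable-ServiceSafely -Name $s }
foreach ($r in $RegSettings) { Set-HardeningValue @r }
$results = foreach ($r in $RegSettings) { Test-HardeningValue @r }
$results | Format-Table -AutoSize
```

Before disabling PolicyAgent, check that you are not relying on IPsec filters for port filtering, since they stop working with it. After the reboot that SMBDeviceEnabled needs, `netstat -an | findstr :445` should show nothing listening, and any backup or management tool that reached the box through \\host\C$ will need another path once the administrative shares are gone.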

Then uninstall the unsafe components, the main COM components attackers use to escalate privileges from a web shell (WScript.Shell, which lives in wshom.ocx, and Shell.Application, which lives in shell32.dll).

This only needs a .bat file saved and placed in the Startup folder (it runs at every boot because Windows File Protection can restore the file).

Its content is:

regsvr32 /u C:\WINDOWS\System32\wshom.ocx

del C:\WINDOWS\System32\wshom.ocx

The original also ran regsvr32 /u and del against C:\WINDOWS\system32\shell32.dll. Do not do that: shell32.dll is the Windows shell library itself, and unregistering or deleting it breaks Explorer and most GUI programs. To keep web scripts from using Shell.Application, rename its ProgID and CLSID registry entries instead, which leaves the DLL in place.
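Here is an added example (not from the original post) of the safer version of that step: it unregisters wshom.ocx and locks the file down instead of deleting it, renames the WScript.Shell and Shell.Application ProgIDs so CreateObject fails, and then tests that both objects really can no longer be created. It assumes an elevated session, that the two CLSIDs are the standard ones for those objects (they are, but verify on your build), that the "_Disabled" suffix is my choice, and that on Vista/2008 and later you may first have to take ownership of the HKCR keys from TrustedInstaller.

```powershell
# Added example, not part of the original post. Assumes an elevated session;
# CLSIDs are the standard WScript.Shell / Shell.Application ones; suffix is arbitrary.
if (-not (Get-PSDrive -Name HKCR -ErrorAction SilentlyContinue)) {
    New-PSDrive -Name HKCR -PSProvider Registry -Root HKEY_CLASSES_ROOT | Out-Null
}

$Suffix  = '_Disabled'
$ProgIds = 'WScript.Shell', 'WScript.Shell.1', 'Shell.Application', 'Shell.Application.1'
$Clsids  = '{72C24DD5-D70A-438B-8A42-98424B88AFB8}',   # WScript.Shell
           '{13709620-C279-11CE-A49E-444553540000}'    # Shell.Application
$RenameClsidToo = $false   # see usage note: stronger, but can break shell-integrated software

# Rename a key under HKCR so lookups by that name fail; nothing is deleted,
# so the change is reversible by renaming it back.
function Disable-ComKey {
    param([string]$Key)   # e.g. 'Shell.Application' or 'CLSID\{...}'
    $path = "HKCR:\$Key"
    if (Test-Path $path) {
        Rename-Item -Path $path -NewName ((Split-Path $Key -Leaf) + $Suffix)
        "renamed $Key"
    }
}

# wshom.ocx: unregister, then restrict instead of delete (WFP would restore it anyway).
$Wshom = Join-Path $env:SystemRoot 'System32\wshom.ocx'
if (Test-Path $Wshom) {
    & regsvr32.exe /u /s $Wshom
    & takeown.exe /f $Wshom /a | Out-Null
    & icacls.exe $Wshom /inheritance:r /grant:r 'BUILTIN\Administrators:F' 'NT AUTHORITY\SYSTEM:F' | Out-Null
}

foreach ($p in $ProgIds) { Disable-ComKey -Key $p }
if ($RenameClsidToo) { foreach ($c in $Clsids) { Disable-ComKey -Key "CLSID\$c" } }

# Verification: creation should now fail for both objects.
function Test-ComBlocked {
    param([string]$ProgId)
    try   { $null = New-Object -ComObject $ProgId; [pscustomobject]@{ ProgId = $ProgId; Blocked = $false } }
    catch { [pscustomobject]@{ ProgId = $ProgId; Blocked = $true } }
}
'WScript.Shell', 'Shell.Application' | ForEach-Object { Test-ComBlocked -ProgId $_ }
```

Renaming only the ProgIDs blocks CreateObject("Shell.Application") but not a script that instantiates the object by CLSID directly (VBScript's GetObject("new:{...}")), which is why older guides also renamed the CLSID keys. That is what $RenameClsidToo does; turn it on only after checking that nothing on the box (installers, management agents) creates Shell.Application by CLSID, and rename the keys back if Explorer misbehaves.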

Then, on the NIC, open only the ports you actually need.

With that, the server's basic security is set.

Then install antivirus software. McAfee or NOD32 is recommended:

McAfee's virus-removal ability is not strong, but its defence is strong; NOD32's antivirus is strong.

Then set up automatic updates.

Next we look at IIS and website permissions.

Because many attackers like to use website vulnerabilities to escalate privileges, IIS security is also important.

First, change the name of the IIS guest account (the IUSR anonymous account).

Then give it a complex password. After changing it, enter the same password in the site's anonymous access settings in IIS, otherwise you get exactly the out-of-sync 500 error discussed above.

Third, create a two-level directory structure on the disk where you put the site programs, so that each site's program is independently separated from the others.

Combined with the permissions we have already set, an attacker who gets into one site cannot escalate to Administrator privileges.

This way, even if a single site has a hole, it does not affect the other sites.

Then, when we install SQL Server, it creates a SQLDebugger user; delete it.

Finally, turn on the firewall and take care to open the ports you need; if your server does more than host websites, remember to open the ports those other services require.
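The IIS section describes one procedure: a separate anonymous account per site, a per-site directory that only that account can read, and a firewall that admits only the web ports. The script below is an added example (not from the original post) that does all three for a list of sites and then checks that no site's account appears in another site's ACL. It assumes an elevated session, that D:\wwwroot and the site names are placeholders, that IIS 7 or later is present so appcmd.exe can bind the account to the site (on IIS 6 the same binding is done with adsutil.vbs and is left as a manual step here), and that Windows Firewall with Advanced Security is available for the netsh advfirewall calls (Server 2003 uses the older netsh firewall syntax).

```powershell
# Added example, not part of the original post. D:\wwwroot, site names, the
# IUSR_ prefix and the 'web' subfolder are my placeholders; IIS 7+ and
# netsh advfirewall are assumed.
$BasePath = 'D:\wwwroot'
$Sites    = 'shop', 'blog'

# Random password from the CSPRNG; the modulo introduces a tiny bias, acceptable
# here because the charset size (72) is small relative to 256 and the length is 24.
function New-StrongPassword {
    param([int]$Length = 24)
    $chars = [char[]]'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#%^*-_=+'
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function New-IsolatedSite {
    param([string]$SiteName, [string]$BasePath)
    $user = "IUSR_$SiteName"          # one anonymous account per site
    $pass = New-StrongPassword
    & net.exe user $user $pass /add /expires:never /passwordchg:no | Out-Null
    & wmic.exe useraccount where "name='$user'" set PasswordExpires=false | Out-Null
    # Two-level layout: D:\wwwroot\<site>\web, so a site never sees its siblings.
    $siteRoot = Join-Path $BasePath $SiteName
    $webRoot  = Join-Path $siteRoot 'web'
    New-Item -ItemType Directory -Path $webRoot -Force | Out-Null
    # Break inheritance: only this site's account (read/execute), Admins and SYSTEM.
    & icacls.exe $siteRoot /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' "${user}:(OI)(CI)RX" | Out-Null
    # Bind the account to the site so IIS impersonates it for anonymous requests.
    $appcmd = Join-Path $env:SystemRoot 'System32\inetsrv\appcmd.exe'
    if (Test-Path $appcmd) {
        & $appcmd set config $SiteName -section:system.webServer/security/authentication/anonymousAuthentication /userName:$user /password:$pass /commit:apphost | Out-Null
    }
    [pscustomobject]@{ Site = $SiteName; Account = $user; WebRoot = $webRoot }
}

# Check: no site's account may hold any ACE on another site's directory.
function Test-SiteIsolation {
    param([string[]]$SiteNames, [string]$BasePath)
    foreach ($s in $SiteNames) {
        $others = $SiteNames | Where-Object { $_ -ne $s } | ForEach-Object { "IUSR_$_" }
        $acl = Get-Acl -Path (Join-Path $BasePath $s)
        $leak = $acl.Access | Where-Object { $others -contains ($_.IdentityReference.Value -replace '^.*\\', '') }
        [pscustomobject]@{ Site = $s; Isolated = (-not $leak) }
    }
}

function Open-WebPorts {
    param([int[]]$Ports = @(80, 443))
    & netsh.exe advfirewall set allprofiles state on | Out-Null
    foreach ($p in $Ports) {
        & netsh.exe advfirewall firewall add rule name="Web TCP $p" dir=in action=allow protocol=TCP localport=$p | Out-Null
    }
}

foreach ($s in $Sites) { New-IsolatedSite -SiteName $s -BasePath $BasePath }
Test-SiteIsolation -SiteNames $Sites -BasePath $BasePath | Format-Table -AutoSize
Open-WebPorts
```

The password is passed to net.exe and appcmd.exe on the command line, so it is briefly visible to anyone who can list processes; on a shared box run this before other users have access. If the site is served on any other port, or the server also runs SQL Server or Remote Desktop for your own use, add those ports to Open-WebPorts explicitly rather than loosening the profile.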


