Server | security
First, when installing the system, format every disk partition as NTFS.
Once the system is installed, apply all available patches, then add protection against ARP spoofing (for example, static ARP entries for the gateway). Microsoft ships no patch for ARP spoofing, and attackers use it on a shared segment to inject malicious code into the pages served by every host on that segment at once.
Second, change the hard disk permissions.
In the NTFS permissions of every drive root, remove all other users and give Administrators Full Control (optionally SYSTEM as well) before the drive is put to use.
On the system drive the permissions are as follows:
C:\WINDOWS: Administrators and SYSTEM have Full Control; the default permissions of Users are left unchanged.
Other directories: remove the Everyone user, and remember the All Users and Default User directories and their subdirectories under C:\Documents and Settings.
For example, C:\Documents and Settings\All Users\Application Data keeps Everyone in its default configuration.
Watch the permissions under C:\WINDOWS as well: C:\WINDOWS\PCHealth and C:\WINDOWS\Installer also keep Everyone by default. (Some components expect these defaults, so test the change on a non-production machine first.)
Delete the C:\WINDOWS\Web\printers directory, which backs the Internet Printing ISAPI extension (the .printer script mapping in IIS) that has had a buffer overflow; remove the .printer application mapping in IIS as well.
The default IIS error pages are rarely used, so it is recommended that you delete the C:\WINDOWS\Help\iisHelp directory.
Delete C:\WINDOWS\system32\inetsrv\iisadmpwd, the IIS password-change pages. They exist so that OWA or Iisadmpwd can change a password that has expired, which otherwise shows up as HTTP 500 errors when the IIS anonymous account's password is out of sync. You can delete the directory here because the policy settings described below stop that password from expiring, so the synchronization problem does not arise.
Open C:\WINDOWS and search for the following executables:
net.exe; cmd.exe; tftp.exe; netstat.exe; regedit.exe; at.exe; attrib.exe; cacls.exe; format.com;
regsvr32.exe; xcopy.exe; wscript.exe; cscript.exe; ftp.exe; telnet.exe; arp.exe; edlin.exe;
ping.exe; route.exe; finger.exe; posix.exe; rsh.exe; atsvc.exe; qbasic.exe; runonce.exe; syskey.exe
Change their permissions: remove all other users and keep only Administrators and SYSTEM with Full Control. (This only limits what an attacker running as the web server's account can execute on the box; it does not replace patching, since the same tools can be uploaded.)
For those who only want the concrete steps, the corresponding documents and paths are given at the end; follow them to apply the settings.
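The permission changes above, as an added PowerShell example (this is not the page's own script). It assumes PowerShell 2.0 on Windows Server 2003 SP2 or later, an elevated session, and the page's directory layout; the tool list and directory names are taken from the text. Run it on a test machine first.

```powershell
# Added example, not the page's own script: the NTFS layout described above,
# applied with Get-Acl/Set-Acl. Run elevated; PowerShell 2.0 on Windows
# Server 2003 SP2 or later is assumed. Test on a non-production box first.

$Admins = [System.Security.Principal.NTAccount]"BUILTIN\Administrators"
$System = [System.Security.Principal.NTAccount]"NT AUTHORITY\SYSTEM"

# Full Control ACE; directories get inheritable flags, files must not.
function New-FullControlRule($Account, [bool]$IsDirectory) {
    $flags = if ($IsDirectory) { "ContainerInherit,ObjectInherit" } else { "None" }
    New-Object System.Security.AccessControl.FileSystemAccessRule(
        $Account, "FullControl", $flags, "None", "Allow")
}

# Replace the whole ACL of $Path: inheritance off, explicit ACEs dropped,
# only Administrators and SYSTEM keep Full Control (data-drive roots, tools).
function Set-AdminOnlyAcl([string]$Path) {
    $isDir = (Get-Item -Path $Path).PSIsContainer
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)     # stop inheriting, do not copy
    foreach ($ace in @($acl.Access)) {
        if (-not $ace.IsInherited) { [void]$acl.RemoveAccessRule($ace) }
    }
    $acl.AddAccessRule((New-FullControlRule $Admins $isDir))
    $acl.AddAccessRule((New-FullControlRule $System $isDir))
    Set-Acl -Path $Path -AclObject $acl
}

# Remove only explicit Everyone ACEs and keep the rest (system-drive root and
# the directories the page names). Returns how many ACEs were removed.
function Remove-EveryoneAce([string]$Path) {
    $acl = Get-Acl -Path $Path
    $hits = @($acl.Access | Where-Object {
        $_.IdentityReference.Value -eq "Everyone" -and -not $_.IsInherited })
    foreach ($ace in $hits) { [void]$acl.RemoveAccessRule($ace) }
    if ($hits.Count -gt 0) { Set-Acl -Path $Path -AclObject $acl }
    return $hits.Count
}

$tools = "net.exe","cmd.exe","tftp.exe","netstat.exe","regedit.exe","at.exe",
         "attrib.exe","cacls.exe","format.com","regsvr32.exe","xcopy.exe",
         "wscript.exe","cscript.exe","ftp.exe","telnet.exe","arp.exe","edlin.exe",
         "ping.exe","route.exe","finger.exe","posix.exe","rsh.exe","atsvc.exe",
         "qbasic.exe","runonce.exe","syskey.exe"

# 1. Data drives: Administrators and SYSTEM only. The system drive is skipped
#    on purpose: an inheritable admin-only ACE on C:\ would strip Users from
#    C:\WINDOWS, which the page says to leave at its defaults.
Get-WmiObject Win32_LogicalDisk -Filter "DriveType=3" |
    Where-Object { $_.DeviceID -ne $env:SystemDrive } |
    ForEach-Object { Set-AdminOnlyAcl ($_.DeviceID + "\") }

# 2. System drive: strip Everyone from the root and the directories named above.
$dirs = "$env:SystemDrive\",
        "$env:SystemDrive\Documents and Settings\All Users\Application Data",
        "$env:SystemDrive\Documents and Settings\Default User",
        "$env:SystemRoot\PCHealth", "$env:SystemRoot\Installer"
foreach ($d in $dirs) {
    if (Test-Path -Path $d) { "$($d): removed $(Remove-EveryoneAce $d) Everyone ACE(s)" }
}

# 3. The command-line tools, wherever they sit under C:\WINDOWS (this also
#    catches the dllcache copies Windows File Protection restores from).
Get-ChildItem -Path $env:SystemRoot -Recurse -Include $tools -ErrorAction SilentlyContinue |
    ForEach-Object { Set-AdminOnlyAcl $_.FullName }
```

Check the result with `cacls` or `icacls` on a few of the paths; if the web application needs any of the tools (for example cmd.exe through a scheduler), grant its account an explicit ACE on that one file rather than widening the list.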
Once these permissions are set, open the Local Security Policy:
configure auditing, rename the Guest account and give it a very complex password.
Local Security Policy configuration
Start > Programs > Administrative Tools > Local Security Policy
Account Policies > Password Policy > Maximum password age: change to 0 days [that is, passwords never expire, so the IIS password synchronization problem mentioned above cannot occur; the trade-off is that the anonymous account's password only changes when you change it]
Account Policies > Account Lockout Policy > Account lockout threshold: 5 invalid attempts; Account lockout duration: 10 minutes [my recommended configuration]
Local Policies > Audit Policy >
Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy change: Success, Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit directory service access: Failure
Audit account logon events: Success, Failure
Local Policies > Security Options > Shutdown: Clear virtual memory pagefile: change to Enabled
> Interactive logon: Do not display last user name: change to Enabled
> Interactive logon: Do not require CTRL+ALT+DEL: change to Enabled (this is a convenience setting, not a hardening one; the secure attention sequence protects against logon spoofing, so leave it Disabled unless you need it)
> Network access: Do not allow anonymous enumeration of SAM accounts: change to Enabled
> Network access: Do not allow anonymous enumeration of SAM accounts and shares: change to Enabled
> Accounts: Rename guest account: change to a complex account name
> Accounts: Rename administrator account: change to a personal account name
All of these are set in Local Security Policy.
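The same policy, as an added example that is not from the page, written as a secedit security template so it can be applied and verified from a script instead of clicked through. All values are the ones listed above; the two new account names, the temp-file paths and PowerShell 2.0 are this example's assumptions.

```powershell
# Added example, not from the page: the Local Security Policy settings above
# expressed as a secedit security template and applied with secedit.exe.
# Only the two account names are this example's assumptions. Run elevated.

$AdminName = "svc-console-4x"   # assumed: choose your own non-obvious name
$GuestName = "gst-unused-9q"    # assumed

# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = both.
# [Registry Values] are "type,data"; 4 = REG_DWORD.
# MaximumPasswordAge = -1 is what the GUI shows as 0 days / never expires.
# DisableCAD=4,1 matches the list above; 4,0 is the safer value.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
MaximumPasswordAge = -1
LockoutBadCount = 5
LockoutDuration = 10
ResetLockoutCount = 10
NewAdministratorName = "$AdminName"
NewGuestName = "$GuestName"
EnableGuestAccount = 0
[Event Audit]
AuditAccountManage = 3
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 3
AuditPrivilegeUse = 2
AuditSystemEvents = 3
AuditDSAccess = 2
AuditAccountLogon = 3
[Registry Values]
MACHINE\System\CurrentControlSet\Control\Session Manager\Memory Management\ClearPageFileAtShutdown=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
"@

$inf = Join-Path $env:TEMP "harden.inf"
$db  = Join-Path $env:TEMP "harden.sdb"
$log = Join-Path $env:TEMP "harden.log"
# secedit expects a Unicode (UTF-16) template, hence the explicit encoding.
[System.IO.File]::WriteAllText($inf, $template, [System.Text.Encoding]::Unicode)

& secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed, see $log" }

# Verify by exporting the effective policy and looking at the values we set.
$out = Join-Path $env:TEMP "effective.inf"
& secedit.exe /export /cfg $out /areas SECURITYPOLICY /quiet
Select-String -Path $out -Pattern "MaximumPasswordAge|LockoutBadCount|AuditLogonEvents|RestrictAnonymous|NewAdministratorName"
```

Write down the new administrator name before running this: once the template is applied, the old name no longer logs on. The exported file is also a convenient baseline to diff against after later changes.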
Third, stop the services you do not need:
IPSEC Services (service name PolicyAgent)
Print Spooler (service name Spooler)
TCP/IP NetBIOS Helper (service name lmhosts)
Stop these three services and set them to Disabled. (Stop IPSEC Services only if no IPsec policy is in use on the host, and the Print Spooler only if the server never prints.)
Fourth, open the registry to change the remote desktop port, close the default shares, and so on.
Close port 445 (SMB over TCP)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Create a DWORD value named SMBDeviceEnabled with data 0 (absent or 1 means enabled).
Forbid null-session connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create a DWORD value named RestrictAnonymous with data 1 [Windows Server 2003 ships with RestrictAnonymousSAM = 1 but RestrictAnonymous = 0, so set it explicitly]
Stop the system from creating the server administrative shares (C$, D$, ADMIN$) automatically
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a DWORD value named AutoShareServer with data 0
Stop the system from creating the workstation administrative shares automatically
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a DWORD value named AutoShareWks with data 0 (AutoShareServer applies to server editions and AutoShareWks to workstation editions; neither one removes IPC$)
Mitigate small-scale (SYN flood) DDoS attacks through the registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a DWORD value named SynAttackProtect with data 1
These values take effect after a reboot. Changing the remote desktop port is not covered here; it is easy to look up.
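The service and registry steps above, plus the firewall step at the end of the page, as one added PowerShell script with a read-back check (example code, not the page's). The service short names are the ones behind the display names listed above; the registry paths and data are the page's. The list of ports to keep open, the `netsh firewall` context (Windows Server 2003 SP1 and later; replaced by `netsh advfirewall` on 2008 and later) and PowerShell 2.0 are this example's assumptions.

```powershell
# Added example, not from the page: service, registry and firewall hardening
# as one script with a verification pass. Run elevated; Windows Server 2003
# SP1+ (netsh firewall context) and PowerShell 2.0 assumed.

# Display name -> service name: IPSEC Services, Print Spooler, TCP/IP NetBIOS Helper
$services = "PolicyAgent", "Spooler", "lmhosts"

$reg = @(
  @{ Path="HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters";        Name="SMBDeviceEnabled";  Value=0 },  # no SMB on TCP 445
  @{ Path="HKLM:\SYSTEM\CurrentControlSet\Control\Lsa";                      Name="RestrictAnonymous"; Value=1 },  # no null-session enumeration
  @{ Path="HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"; Name="AutoShareServer";   Value=0 },  # no C$/D$/ADMIN$ (server SKUs)
  @{ Path="HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"; Name="AutoShareWks";      Value=0 },  # same for workstation SKUs
  @{ Path="HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters";        Name="SynAttackProtect";  Value=1 }   # SYN-flood backoff
)

# Ports that must stay reachable (assumed: a web server managed over RDP).
$openPorts = @{ 80 = "HTTP"; 443 = "HTTPS"; 3389 = "RDP" }

function Disable-UnneededServices {
    foreach ($s in $services) {
        $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
        if (-not $svc) { continue }
        Set-Service -Name $s -StartupType Disabled
        if ($svc.Status -ne "Stopped") { Stop-Service -Name $s -Force }
    }
}

function Set-RegistryHardening {
    foreach ($r in $reg) {
        if (-not (Test-Path $r.Path)) { New-Item -Path $r.Path -Force | Out-Null }
        # -Force overwrites an existing value of the same name
        New-ItemProperty -Path $r.Path -Name $r.Name -Value $r.Value -PropertyType DWord -Force | Out-Null
    }
}

function Set-FirewallPorts {
    & netsh.exe firewall set opmode mode=enable exceptions=enable | Out-Null
    foreach ($port in $openPorts.Keys) {
        & netsh.exe firewall add portopening protocol=TCP "port=$port" "name=$($openPorts[$port])" mode=enable | Out-Null
    }
}

# Read everything back; returns the settings that are not as expected.
function Test-Hardening {
    $bad = @()
    foreach ($r in $reg) {
        $v = (Get-ItemProperty -Path $r.Path -Name $r.Name -ErrorAction SilentlyContinue).($r.Name)
        if ($v -ne $r.Value) { $bad += "$($r.Path)\$($r.Name) = $v (want $($r.Value))" }
    }
    foreach ($s in $services) {
        $svc = Get-Service -Name $s -ErrorAction SilentlyContinue
        if ($svc -and $svc.Status -ne "Stopped") { $bad += "service $s still running" }
    }
    return $bad
}

Disable-UnneededServices
Set-RegistryHardening
Set-FirewallPorts
$problems = @(Test-Hardening)
if ($problems.Count -gt 0) { $problems } else {
    "OK. Reboot now: SMBDeviceEnabled and AutoShare* are read at startup; then confirm 445 is gone with netstat -an."
}
```

After the reboot, `net share` should list no C$ or ADMIN$, and `netstat -an` should show nothing listening on 445; if either still appears, check the value was written under the right `LanmanServer`/`NetBT` key and not a mistyped sibling.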
Then remove the unsafe components.
These are the components attackers most often use to escalate privileges from a web shell: the WScript.Shell and Shell.Application COM objects.
Save a batch file with the following content and run it at startup:
regsvr32 /u C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\System32\wshom.ocx
regsvr32 /u C:\WINDOWS\system32\shell32.dll
del C:\WINDOWS\system32\shell32.dll
Caveat: the first two lines unregister and remove wshom.ocx (WScript.Shell and WScript.Network), which is fine on a dedicated web server. The last two are dangerous: shell32.dll is needed by Explorer and much of Windows, Windows File Protection restores it anyway, and a startup script that keeps trying to delete it leaves the server in an odd state. The intended target is the Shell.Application COM object; disable that by renaming its ProgID and CLSID registry keys rather than by deleting the DLL.
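A safer equivalent of that batch file, as an added PowerShell example that is not from the page. It unregisters wshom.ocx exactly as the batch does, leaves shell32.dll in place, and instead renames the registry keys through which Shell.Application is created, then checks that neither object can be created any more. The `_Disabled` suffix, the use of HKLM\SOFTWARE\Classes (the machine-wide half of HKEY_CLASSES_ROOT) and PowerShell 2.0 are this example's assumptions.

```powershell
# Added example, not from the page: a safer equivalent of the batch file
# above. It unregisters wshom.ocx (WScript.Shell, WScript.Network) as the
# batch does, but leaves shell32.dll alone and instead renames the ProgID
# and CLSID keys of Shell.Application so it can no longer be created from a
# script. The "_Disabled" suffix is this example's choice; rename the keys
# back to undo. Run elevated; PowerShell 2.0 assumed.

$Classes = "HKLM:\SOFTWARE\Classes"   # machine-wide half of HKEY_CLASSES_ROOT

# Read a ProgID's CLSID from the registry instead of hard-coding the GUID.
function Get-ProgIdClsid([string]$ProgId) {
    $k = "$Classes\$ProgId\CLSID"
    if (Test-Path $k) { (Get-ItemProperty -Path $k).'(default)' }
}

# Rename a key out of the way; idempotent if it was already renamed.
function Disable-RegistryKey([string]$Key) {
    if ((Test-Path $Key) -and -not (Test-Path "${Key}_Disabled")) {
        Rename-Item -Path $Key -NewName ((Split-Path -Leaf $Key) + "_Disabled")
    }
}

# True if a COM object with this ProgID can still be created on this host.
function Test-ComCreatable([string]$ProgId) {
    try { $null = New-Object -ComObject $ProgId -ErrorAction Stop; $true }
    catch { $false }
}

# 1. WScript.Shell / WScript.Network: unregister the OCX as the batch does.
$wshom = Join-Path $env:SystemRoot "System32\wshom.ocx"
if (Test-Path $wshom) { & regsvr32.exe /u /s $wshom }

# 2. Shell.Application: resolve the CLSID first, then rename ProgID and CLSID
#    keys. Renaming only the ProgID would still allow creation by CLSID.
$clsid = Get-ProgIdClsid "Shell.Application"
foreach ($p in "Shell.Application", "Shell.Application.1") { Disable-RegistryKey "$Classes\$p" }
if ($clsid) { Disable-RegistryKey "$Classes\CLSID\$clsid" }

# 3. Check: both should now report False.
foreach ($p in "WScript.Shell", "Shell.Application") {
    "{0,-18} creatable: {1}" -f $p, (Test-ComCreatable $p)
}
```

Anything on the box that itself scripts these objects (VBScript admin tools, some installers) will stop working; run the check section alone first to see the starting state, and keep the rename reversible rather than deleting the keys.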
Then open only the ports you need on the network card (TCP/IP filtering in the adapter's advanced TCP/IP settings).
With that, the server's basic security is set.
Then install antivirus software.
McAfee or NOD32 are recommended: McAfee's virus detection is not that strong, but its access-protection rules are; NOD32's detection is strong.
Set up automatic updates.
Now let's look at IIS and web site permissions.
Many attackers use web site vulnerabilities to get a foothold and then escalate, so IIS security matters too.
First, rename the IIS guest account (IUSR_<machine name>) and give it a complex password.
Second, put each site two directory levels below the root of the disk that holds the web programs, so that every site's files are separated from the others'; give each site's anonymous user rights only inside that site's tree.
With the components removed and the permissions set as above, an attacker who compromises one site cannot reach Administrator privileges, and a hole in one site does not affect the others.
Then install SQL Server; setup creates a SQLDebugger user, which you should delete.
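The per-site isolation described above, as an added PowerShell example for IIS 6 on Windows Server 2003 (not the page's code). Each site gets its own directory two levels below the disk root and its own local anonymous account with an explicit, non-expiring password, which also removes the password-sync cause of the HTTP 500 errors mentioned earlier. The D:\wwwroot root, the site names and metabase IDs, the IUSR_<site> naming, the read-only code tree with a separate writable upload directory, PowerShell 2.0 and icacls (2003 SP2 and later) are this example's assumptions.

```powershell
# Added example, not from the page: per-site isolation on IIS 6 (Windows
# Server 2003, PowerShell 2.0 assumed). Each site gets its own directory two
# levels down from the disk root and its own local anonymous account that can
# read only that tree and write only to an upload subdirectory (the upload
# split is this example's choice). Site names, metabase IDs, D:\wwwroot and
# the IUSR_<site> naming are assumptions. Run elevated.

$Root  = "D:\wwwroot"
$sites = @(
    @{ Name = "siteA"; MetabaseId = 1 },   # IDs as listed under IIS://localhost/W3SVC
    @{ Name = "siteB"; MetabaseId = 2 }
)

# 24 random characters from a fixed alphabet using the CSP RNG (the small
# modulo bias is irrelevant for a password this long).
function New-RandomPassword([int]$Length = 24) {
    $alphabet = [char[]]"abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#%^&*-_=+"
    $bytes = New-Object byte[] $Length
    (New-Object System.Security.Cryptography.RNGCryptoServiceProvider).GetBytes($bytes)
    -join ($bytes | ForEach-Object { $alphabet[$_ % $alphabet.Length] })
}

# Local account via the WinNT ADSI provider; password never expires, so the
# "password out of sync" 500 errors the page mentions cannot occur.
function New-SiteUser([string]$Name, [string]$Password) {
    $computer = [ADSI]"WinNT://$env:COMPUTERNAME"
    $user = $computer.Create("User", $Name)
    $user.SetPassword($Password)
    $user.SetInfo()
    $user = [ADSI]"WinNT://$env:COMPUTERNAME/$Name,user"
    $user.Put("Description", "IIS anonymous user for $Name")
    $user.UserFlags.Value = $user.UserFlags.Value -bor 0x10000   # ADS_UF_DONT_EXPIRE_PASSWD
    $user.SetInfo()
}

# Directory tree with inheritance cut: only Administrators, SYSTEM and this
# site's account get in; the account can write to upload\ only.
function New-SiteDirectory([string]$Site, [string]$User) {
    $dir    = Join-Path $Root $Site
    $upload = Join-Path $dir "upload"
    New-Item -ItemType Directory -Path $upload -Force | Out-Null
    & icacls.exe $dir /inheritance:r /grant:r "Administrators:(OI)(CI)F" "SYSTEM:(OI)(CI)F" "$($User):(OI)(CI)RX" | Out-Null
    & icacls.exe $upload /grant "$($User):(OI)(CI)M" | Out-Null
    return $dir
}

# Point the site's root at this account with an explicit password; sync off,
# because IIS 6 worker-process mode cannot keep the password in sync itself.
function Set-IisAnonymousUser([int]$SiteId, [string]$User, [string]$Password) {
    $vdir = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
    $vdir.Put("AnonymousUserName", "$env:COMPUTERNAME\$User")
    $vdir.Put("AnonymousUserPass", $Password)
    $vdir.Put("AnonymousPasswordSync", $false)
    $vdir.SetInfo()
}

foreach ($s in $sites) {
    $user = "IUSR_$($s.Name)"
    $pw   = New-RandomPassword
    New-SiteUser -Name $user -Password $pw
    $dir  = New-SiteDirectory -Site $s.Name -User $user
    Set-IisAnonymousUser -SiteId $s.MetabaseId -User $user -Password $pw
    "$($s.Name): $dir served as $user"
}
```

After running it, confirm in IIS Manager (site > Properties > Directory Security > Authentication) that each site shows its own account, and test from one site that a script cannot read the other site's directory. If a site also needs to write to its own configuration or cache files, grant the account Modify on exactly those paths instead of on the whole tree.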
Finally, turn on the firewall and open only the ports you need. If the server hosts more than the web site, remember to open the ports those other services require as well.