Windows Server detailed security settings

Source: Internet
Author: User

1), Basic system security settings

1. Installation: format all partitions as NTFS, reinstall the system (using the original Win2003), install anti-virus software (McAfee) and update it, install the SP2 patch, install IIS (only the necessary components), install SQL2000, install .NET 2.0, turn on the firewall, and bring the server up to the latest patches.

2), Disable the services you do not need

Computer Browser: maintains the list of computers on the network; disable

Distributed File System: manages shared files on the LAN; does not need to be disabled

Distributed Link Tracking Client: updates link information on the LAN; no need to disable

Error Reporting Service: prohibit sending error reports

Microsoft Search: provides fast word search; no need to disable

NT LM Security Support Provider: used by the Telnet service and Microsoft Search; no need to disable

Print Spooler: can be disabled if there is no printer

Remote Registry: prohibit remote modification of the registry

Remote Desktop Help Session Manager: prohibit remote assistance

Other services are pending verification

3), Set up and manage accounts

1. Disable the Guest account, change its name and description, and give it a complex password

2. Create as few system administrator accounts as possible. Change the name and description of the default administrator account (Administrator). The password should combine digits, lowercase and uppercase letters, and the shifted number-key symbols, and should be at least 10 characters long

3. Create a new trap account named Administrator, give it the minimum permissions, and set a random password of at least 20 characters

4. In Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy, set the lockout to three invalid logon attempts and a time of 30 minutes

5. Set "Do not show last user name" to Enabled in Security Settings - Local Policies - Security Options

6. In Security Settings - Local Policies - User Rights Assignment, keep only the Internet Guest account, the IIS process launch account and the ASPNET account under "Access this computer from the network"

7. Create an ordinary user account for running the system, and use the runas command when you need to run a privileged command.

4), Enable the appropriate audit policies

Audit policy change: Success

Audit logon events: Success, Failure

Audit object access: Failure

Audit process tracking: Success, Failure

Audit directory service access: Failure

Audit privilege use: Failure

Audit system events: Success, Failure

Audit account logon events: Success, Failure

Audit account management: Success, Failure

5), Other security-related settings

1. Disable the default shares such as C$, D$ and admin$

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters, create a new DWORD value in the right-hand pane, name it AutoShareServer and set its value to 0

2. Unbind NetBIOS from the TCP/IP protocol

Right-click My Network Places - Properties - right-click Local Area Connection - Properties - double-click Internet Protocol - Advanced - WINS - Disable NetBIOS over TCP/IP

3. Hide important files/directories

You can hide them completely by modifying the registry: under "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL", right-click "CheckedValue", select Modify, and change the value from 1 to 0

4. Prevent SYN flood attacks

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create a new DWORD value named SynAttackProtect with a value of 2

5. Do not respond to ICMP router advertisement messages

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface, create a new DWORD value named PerformRouterDiscovery with a value of 0

6. Defend against ICMP redirect message attacks

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, set the EnableICMPRedirects value to 0

7. Do not support the IGMP protocol

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters, create a new DWORD value named IGMPLevel with a value of 0

8. Disable DCOM: enter Dcomcnfg.exe in Run and press Enter, click Component Services under Console Root, and open the Computers sub-folder.

For the local computer, right-click My Computer and select Properties. Select the Default Properties tab and clear the "Enable Distributed COM on this computer" check box.

9. The default port for Terminal Services is 3389; consider changing it to another port.

To change it: Server side: open the registry, find the sub-key similar to RDP-Tcp under "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations", and modify its PortNumber value. Client side: create a client connection in the normal way, select the connection, choose Export from the File menu, and generate a file with the .cns suffix in the specified location. Open the file and change the Server Port value to the PortNumber set on the server side. Then import the file (menu → File → Import) so that the client uses the modified port.

6), Configure IIS services

1. Do not use the default Web site; if you do use it, separate the IIS directory from the system disk.

2. Delete the Inetpub directory created by IIS by default (on the disk where the system is installed).

3. Delete the virtual directories on the system disk, such as: _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, MSADC.

4. Remove unnecessary IIS extension mappings. Right-click Default Web Site → Properties → Home Directory → Configuration to open the application window and remove the unnecessary application mappings, mainly .shtml, .shtm and .stm.

5. Change the path of the IIS log: right-click Default Web Site → Properties → Web Site → click Properties under Enable Logging.

6. If you are using 2000, you can use IISLockdown to protect IIS; the IE6.0 version running on 2003 does not need it.

7. Use URLScan

URLScan is an ISAPI filter that parses incoming HTTP packets and can reject any suspicious traffic. The latest version is currently 2.5; on 2000 Server you need to install version 1.0 or 2.0 first. If there are no special requirements, use the default URLScan configuration. If you run ASP.NET programs on the server and want to debug them, open the Urlscan.ini file in the %windir%\system32\inetsrv\urlscan folder and add the debug verb to the UserAllowVerbs section. Note that this section is case-sensitive. If your pages are .asp pages, delete the .asp-related entries in DenyExtensions. If your pages use non-ASCII characters, set AllowHighBitCharacters to 1 in the Options section. After changing Urlscan.ini you need to restart the IIS service for the changes to take effect; the quick way is to run iisreset. If you have any problems after configuration, you can remove URLScan through Add/Remove Programs.

8. Use the WIS (Web Injection Scanner) tool to scan the entire Web site for SQL injection vulnerabilities.

7), Configure SQL Server

1. The System Administrators role should preferably have no more than two members

3. Do not use the sa account; configure a very complex password for it

4. Remove the following extended stored procedures, using the format:

use master
exec sp_dropextendedproc 'extended stored procedure name'

xp_cmdshell: the best way into the operating system. Delete the stored procedures that access the registry:

xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues xp_regread xp_regwrite xp_regremovemultistring

OLE Automation stored procedures, do not need to delete

sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty sp_OAMethod sp_OASetProperty sp_OAStop

5. Hide SQL Server and change the default port 1433

Right-click the instance and select Properties - General - Network Configuration, open the properties of the TCP/IP protocol, select Hide SQL Server instance, and change the default port 1433.

8), Change where the system logs are saved

The default location of the application log, security log, system log and DNS log is %SystemRoot%\System32\Config, with a default file size of 512KB; the administrator will change the default size.

Security log file: %systemroot%\system32\config\secevent.evt

System log file: %systemroot%\system32\config\sysevent.evt

Application log file: %systemroot%\system32\config\appevent.evt

Internet Information Services FTP log default location: %systemroot%\system32\logfiles\msftpsvc1\, one log per day by default

Internet Information Services WWW log default location: %systemroot%\system32\logfiles\w3svc1\, one log per day by default

Scheduler (Task Scheduler) service log default location: %systemroot%\schedlgu.txt

Registry location of the application log, security log, system log and DNS server log: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Eventlog

Registry location of the Scheduler (Task Scheduler) service log: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SchedulingAgent

SQL: remove or rename xplog70.dll

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
; AutoShareWks applies to the Pro version
; AutoShareServer applies to the Server version
; 0 prohibits the default administrative shares such as admin$, c$ and d$

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001
; 0x1 anonymous users cannot enumerate the local user list
; 0x2 anonymous users cannot connect to the local IPC$ share (SQL Server may not be able to start)

9), Local Security Policy

1. Open only the ports and protocols required for the services. To do this, open My Network Places → Properties → Local Area Connection → Properties → Internet Protocol → Properties → Advanced → Options → TCP/IP Filtering → Properties and add the required TCP ports, UDP ports and IP protocols. Depending on the services offered, commonly used TCP ports are: 80 for Web services, 21 for FTP, 25 for SMTP, 23 for Telnet and 110 for POP3. Common UDP ports are: 53 for DNS name resolution and 161 for SNMP (Simple Network Management Protocol). 8000 and 4000 are used by OICQ: the server receives messages on 8000 and the client sends messages on 4000. TCP port: (FTP, FTP port) (TELNET), (DNS), 135, 136, 137, 138, 139, 443, 445, 1028, 1433, 3389. TCP port: 1080, 3128, 6588, 8080 (these are proxy ports). (SMTP), 161 (SNMP), 67 (boot). UDP port: 1434 (this one needs no explanation). All ICMP, that is, ping. The above are the most commonly scanned ports, and there are others that are blocked as well; of course, 80 is used for the web

2. Prohibit null sessions (empty connections). By default, any user can connect to the server through a null session, enumerate the accounts and guess passwords. Null sessions use port 139; through a null session, files can be copied to the remote server and tasks scheduled to run, which is a vulnerability. There are two ways to disable null sessions:

(1) Set the value of HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - RestrictAnonymous in the registry to 1.

(2) Modify the Local Security Policy of Windows 2000. In Local Security Policy → Local Policies → Options, set RestrictAnonymous (Additional restrictions for anonymous connections) to "Do not allow enumeration of SAM accounts and shares". A default installation of Windows 2000 allows any user to obtain the list of all accounts and shares on the system through a null session. This was intended to make it easy for LAN users to share resources and files, but any remote user can obtain your user list in the same way and may use brute force to crack user passwords, damaging the entire network. Many people only know that changing the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa - RestrictAnonymous = 1 prevents null user connections. In fact, the Local Security Policy of Windows 2000 (on a domain server, the Domain Server Security and Domain Security policies) has a RestrictAnonymous option with three values. "0" is the system default, with no restrictions: remote users can learn all the accounts, group information, shared directories, network transport list (NetServerTransportEnum) and so on of your machine. "1" allows only non-null users to access SAM account information and share information. "2" is supported only by Windows 2000; note that if you use this value you can no longer share resources, so setting the value to "1" is recommended.
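The registry values recommended in sections 5), 8) and 9) can be checked offline against a `reg export` file. The Python code below is an added example, not part of the original article; the sample export and the function names parse_reg and audit are constructed for illustration.

```python
import re

# DWORD values recommended on this page: (key, value name, expected data).
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
BASELINE = [
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters",
     "AutoShareServer", 0),
    (TCPIP, "SynAttackProtect", 2),
    (TCPIP, "IGMPLevel", 0),
    (r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa", "RestrictAnonymous", 1),
]
SECTION = re.compile(r"^\[(.+)\]$")
DWORD = re.compile(r'^"([^"]+)"\s*=\s*dword:([0-9a-fA-F]{1,8})$')

def parse_reg(text):
    """Map (key, name), both lower-cased, to the integer data of each DWORD value."""
    values, key = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if SECTION.match(line):
            key = SECTION.match(line).group(1).lower()
        elif key and DWORD.match(line):
            name, data = DWORD.match(line).groups()
            values[(key, name.lower())] = int(data, 16)
    return values

def audit(text, baseline=BASELINE):
    """Return (key, name, expected, actual) per deviation; actual None = value absent.
    Keys and value names are compared case-insensitively, as the registry does."""
    found = parse_reg(text)
    findings = []
    for key, name, expected in baseline:
        actual = found.get((key.lower(), name.lower()))
        if actual != expected:
            findings.append((key, name, expected, actual))
    return findings

# Constructed sample in .reg export format (real exports are UTF-16; decode first).
SAMPLE = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"Hostname"="web01"
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"restrictanonymous"=dword:00000001
'''

if __name__ == "__main__":
    for key, name, expected, actual in audit(SAMPLE):
        print(f"{key}\\{name}: expected {expected}, found {actual}")
```

A value reported as absent means the setting was never created, so the system is running on its default for that value.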

10), Prevent ASP Trojans

1. ASP Trojans based on the FileSystemObject component

Deny use by guests: cacls %systemroot%\system32\scrrun.dll /e /d guests

Delete (unregister) the component: regsvr32 scrrun.dll /u /s

2. ASP Trojans based on the Shell.Application component

Deny use by guests: cacls %systemroot%\system32\shell32.dll /e /d guests

Delete (unregister) the component: regsvr32 shell32.dll /u /s

3. Set permissions on the image folder so that execution is not allowed.

4. If the site does not use ASP, disable ASP

11), Prevent SQL injection

1. Use parameterized statements whenever possible

2. Filtering cannot be used with parameterized SQL.

3. Configure the site not to display detailed error messages; when an error occurs, the page jumps to an error page.

4. Do not use the SA user to connect to the database

5. Create a new database user with public rights and use this user to access the database

6. Under [Roles], remove the public role's select access to the sysobjects and syscolumns objects
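Items 1 and 3 above, shown side by side as an added example that is not part of the original article. It uses Python's sqlite3 with an in-memory table as a stand-in for the site's SQL Server database; the table, the function names and the sample input are constructed for illustration.

```python
import logging
import sqlite3

log = logging.getLogger("webapp")
SAMPLE_INPUT = "x' OR '1'='1"  # constructed input containing a quote character

def make_db():
    """In-memory stand-in for the site database (constructed data)."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, password_hash TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "h1"), ("bob", "h2")])
    return db

def find_user_concat(db, name):
    # Vulnerable form: the input becomes part of the SQL text itself.
    return db.execute("SELECT name FROM users WHERE name = '" + name + "'").fetchall()

def find_user_param(db, name):
    # Parameterized form (item 1): the input is bound as data, never parsed as SQL.
    return db.execute("SELECT name FROM users WHERE name = ?", (name,)).fetchall()

def handle_request(db, name):
    """Item 3: log the detail on the server, show the visitor only a generic page."""
    try:
        rows = find_user_param(db, name)
    except sqlite3.Error:
        log.exception("user lookup failed")
        return 500, "An error occurred."
    return 200, ", ".join(r[0] for r in rows) or "no match"

if __name__ == "__main__":
    db = make_db()
    print("concatenated :", find_user_concat(db, SAMPLE_INPUT))
    print("parameterized:", find_user_param(db, SAMPLE_INPUT))
    print("response     :", handle_request(db, "alice"))
```

With the sample input, the concatenated query returns every row in the table, while the parameterized query treats the whole string as a user name and returns nothing.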

Finally, the above settings may affect some application services, for example making it impossible to connect to a remote server. It is therefore strongly recommended to apply the settings first on a local machine or virtual machine (VMware Workstation), confirm that everything works, and then apply them on the server.
