Windows Server2003 Security Settings Policy

Windows Server2003 Security Settings Policy
One, installation of Windows Server2003
1, the installation system needs a minimum of two partitions, the partition format is in NTFS format
2, in the case of disconnecting the network installed 2003 system
3. Install IIS to install only the necessary IIS components (disable unneeded FTP and SMTP services, for example). By default, the IIS service is not installed, select Application Server in the Add/Remove Win component, then click Details, double-click Internet Information Services (IIS), tick the following options:
Internet Information Service Manager;
public files;
Background Intelligent Transfer Service (BITS) server Extensions;
World Wide Web services.
If you're using a FrontPage-extended Web site, check again: FrontPage 2002 Server Extensions
4. Install the MSSQL and other required software and update it.
5. Use the MBSA (Microsoft Baseline Security Analyzer) tool provided by Microsoft to analyze the security configuration of your computer and identify the missing patches and updates. : See links at the end of the page
Ii. setting up and managing accounts
1, the system account is best less built, change the default account name (Administrator) and description, the password is best to use the number of small letters plus the number of the upper file key combination, the length is preferably not less than 14 bits.
2, create a new trap account named Administrator, set the minimum permissions for it, and then randomly enter the combination of the best not less than 20-bit password
3, disable the Guest account and change the name and description, and then enter a complex password, of course, now also has a delguest tool, perhaps you can also use it to delete the Guest account, but I did not try.
4. Enter Gpedit.msc carriage return in the run, open the Group Policy Editor, select the Computer Configuration-windows Settings-security Settings-account policy-account lockout policy, set the account to "three times invalid login", "Lock shen, 0 minutes", "Reset lock count is set to 30 minutes".
5. Set "Do not show last user name" to Enabled in security settings-Local Policies-security options
6. In security settings-Local Policies-user rights assignment, only the Internet Guest account is retained in the access this computer from the network, and the IIS process account is started. If you are using ASP, you also want to keep the ASPNET account.
7. Create a user account, run the system, and use the runas command if you want to run the privileged command.
Third, Network Service security management
1. Prohibit the default sharing of C $, d$, admin$ class
Open the registry, Hkey_local_machinesystemcurrentcontrolsetserviceslanmanserverparameters, and create a new DWORD value in the right window, The name is set to AutoShareServer value set to 0
2. Unbind the NetBIOS from the TCP/IP protocol
Right-click My Network Places-Properties-right-click Local Area Connection-Properties-double-click Internet Protocol-Advanced-wins-Disable NetBIOS on TCP/IP
3. Close the service you don't need, here are the recommended options
Computer Browser: Maintaining network computer updates, disabling
Distributed File System: LAN manages shared files and does not need to be disabled
Distributed linktracking client: For LAN update connection information, no need to disable
Error Reporting Service: Prohibit sending bug reports
Microsoft serch: Provides fast word search without the need to disable
Ntlmsecuritysupportprovide:telnet Services and Microsoft Serch, no need to disable
Printspooler: If no printer can be disabled
Remote Registry: Prohibit remotely modifying the registry
Remote Desktop help Session Manager: Prohibit remoting
Iv. Open the appropriate audit policy
Enter Gpedit.msc carriage return in run, open Group Policy Editor, select Computer Configuration-windows Settings-security Settings-Audit policy When you create an audit project, it is important to note that if you audit too many projects, the more events are generated, the more difficult it is to find serious events and, of course, if the audit is too small, it will affect your discovery of serious Events, you need to make a choice between the two according to the situation.
The recommended items to audit are:
Logon event failed successfully
Account Logon event failed successfully
System Event failed successfully
Policy Change failed successfully
Object access failed
Directory Service access failed
Privilege use failed
V. Other safety-related settings
1. Hide Important files/directories
You can modify the registry implementation to completely hide: "Hkey_local_machinesoftwaremicrosoftwindowscurrent-versionexploreradvancedfolderhi-ddenshowall", Mouse Right click "CheckedValue", select Modify, change the value from 1 to 0
2. Start the Internet Connection Firewall that comes with your system, and tick the Web server in the set up service options.
3. Prevent SYN Flood attack
Hkey_local_machinesystemcurrentcontrolsetservicestcpipparameters
New DWORD value, named SynAttackProtect, with a value of 2
4. Disable response to ICMP routing notification messages
Hkey_local_machinesystemcurrentcontrolsetservicestcpipparametersinterfacesinterface
New DWORD value, named PerformRouterDiscovery value of 0
5. Attacks against ICMP Redirect messages
Hkey_local_machinesystemcurrentcontrolsetservicestcpipparameters
Set the Enableicmpredirects value to 0
6. IGMP protocol not supported
Hkey_local_machinesystemcurrentcontrolsetservicestcpipparameters
New DWORD value, named IGMPLevel value of 0
7. Disable DCOM:
Enter Dcomcnfg.exe in the run. Carriage return, click Component Services under Console root. Open the Computers sub-folder.
For the local computer, right-click My Computer, and then select Properties. Select the Default Properties tab.
Clear the Enable distributed COM on this computer check box.
Note: 3-6 items I used the Server2000 setting and did not test whether it worked for 2003. But one thing is certain that I haven't found any other side effects for a period of time.
Vi. Configuring IIS Services:
1, do not use the default Web site, if used also to separate the IIS directory from the system disk.
2. Delete the Inetpub directory created by IIS by default (on the disk where the system is installed).
3, delete the virtual directory under the system disk, such as: _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, IISHelp, MSADC.
4. Remove unnecessary IIS extension mappings.
Right-click Default Web site → properties → home directory → configuration to open the application window and remove unnecessary application mappings. mainly for. sHTML,. shtm,. stm
5. Change the path of the IIS log
Right-click Default Web site → Properties-site-click Properties under Enable Logging
6. If you are using 2000 you can use IISLockdown to protect IIS, the version of IE6.0 that is running in 2003 is not required.
7. Using URLScan
URLScan is an ISAPI filter that parses incoming HTTP packets and can reject any suspicious traffic. Currently the latest version is 2.5, if it is 2000Server you need to install version 1.0 or 2.0 first. See Links not on page
If there is no special requirement to use the URLScan default configuration.
But if you run the ASP on the server and you want to debug it, you need to open the%windir%system32inetsrvurlscan
Urlscan.ini file in the folder, and then add the debug verb in the Userallowverbs section, note that this section is case-sensitive.
If your page is an. asp webpage you need to delete. asp-related content in DenyExtensions.
If your Web page uses non-ASCII code, you will need to set the value of Allowhighbitcharacters to 1 in the option section
After you make changes to the Urlscan.ini file, you need to restart the IIS service to take effect, and enter IISReset in the Quick Method run
If you have any problems after configuration, you can remove URLScan by adding/removing programs.
8. Use the WIS (WEB injection Scanner) tool to scan the entire Web site for SQL injection vulnerability.
: VB.net enthusiasts
VII. Configuring SQL Server
1, the System Administrators role best not more than two
2. If it is in this machine it is best to configure authentication as win login
3. Do not use SA account to configure a super complex password for it
4. Remove the following extended stored procedure format as:
Use master
Sp_dropextendedproc ' Extended stored procedure name '
xp_cmdshell: Is the best shortcut to enter * System, delete
To access the registry's stored procedures, delete
Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue xp_regenumvalues
Xp_regread xp_regwrite xp_regremovemultistring
OLE automatic stored procedures, do not need to delete
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop
5. Hide SQL Server, change the default 1433 port
Right-click Instance Selection Properties-General-Select the properties of the TCP/IP protocol in the network configuration, select Hide SQL Server instance, and change the default 1433 port.
Eight, if only server, do not make other *, use IPSec
1. Administrative Tools-Local security policy-right-click IP Security Policy-Manage IP filter tables and filters-click on the Manage IP filter table option
Add-Name set to Web Filter-click Add-Enter Web server in Description-set source address to any IP address--set destination address to my IP address--protocol type set to TCP--IP protocol port The first entry is set to from any port, the second entry to this port 80--click Done-click OK.
2. Then under the Manage IP Filter table option, click
Add-Name set to all inbound filters-click Add-Enter all inbound filters in the description-set the source address to any IP address--Set the destination address to my IP address--The protocol type is set to any--click Next--Finish--click OK.
3. Click Add under Manage Filter *--Next--Enter block in name--Next--Select block--next--finish--Close Manage IP filter table and filter * Make window
4. Right-click IP Security Policy--Create IP Security Policy--next--Name Input packet Filter--Next--Cancel default activation response principle--next--complete
5. In the new IP Security Policy Properties window that opens, select Add-Next-do not specify tunnel-next-all network connections-next--Select the new Web filter in the IP filter List--Next--Select license in Filter *--next---Finish-- Select the new block filter in the IP filter List--Next--Select block in Filter *--next--Finish--OK
6, right-click on the new packet filter in the right window of IP Security policy, click Assign, do not need to restart, IPSec can take effect.
IX. recommendations
If you follow this article, it is recommended to test the server for each change, and to undo the change if there is a problem. If you change the number of items, only to find the problem, it is difficult to determine the question is which step.
X. Running the server records the current program and open ports
1, the current server process capture or record down, save it, convenient later check whether there is an unknown program.
2, the current open port capture or record down, save, convenient later check whether open the unknown port. Of course, if you can identify each process, and the port this step can be omitted.
Windows Server 2003 anti-Trojan, permissions settings, IIS server Security Configuration grooming
Refer to the network on a lot of WIN2003 on the security settings and do some of their own hands-on to do some practice, combined with these security settings article collation, hope to everyone has help, in addition there are shortcomings in the place also please a lot of advice, and then to fill up, thank you!
First, the installation of the system
1, according to the WINDOWS2003 installation CD prompt installation, by default 2003 did not put IIS6.0 installed in the system.
2, the installation of IIS6.0
Add/Remove Windows components, add or Remove Programs, Start menu, Control Panel
The application ——— ASP. NET (optional)
|--Enabling network COM + access (required)
|--internet Information Services (IIS) ——— Internet Information Services Manager (required)
|--public files (required)
|--World Wide Web service ——— Active Server pages (required)
|--internet data connector (optional)
|--webdav Publishing (optional)
|--World Wide Web Service (required)
|--include files on the server side (optional)
Then click OK and next to install. (see annex 1 of this document for details)
3, the System Patch update
Click Start menu, All Programs->windows Update
Follow the prompts to install the patch.
4. Backup system
Back up the system with ghost.
5, install the common software
For example: Anti-virus software, decompression software, etc., after installation, configure anti-virus software, scanning system vulnerability, after installation with Ghost again back up the system.
6. Turn off the ports you do not need to open the firewall import IPSec policy
In "Network connection", delete unnecessary protocols and services, only basic Internet Protocol (TCP/IP) is installed, and QoS Packet Scheduler is installed to control bandwidth traffic service. In the Advanced TCP/IP Settings--"NetBIOS" setting "Disable NetBIOS (S) on TCP/IP". In the advanced option, use "Internet Connection Firewall", this is the Windows 2003 comes with the firewall, in the 2000 system does not have the function, although does not have the function, but can block the port, this already basically has achieved one IPSec function.
Modify 3389 Remote connection port
Modify the registry.
Start-run--regedit
Expand hkey_local_machine/system/currentcontrolset/control/
TERMINAL server/wds/rdpwd/tds/tcp
In the right-hand key value, change the portnumber to the port number you want to use. Note Using decimal (example 10000)
Hkey_local_machine/system/currentcontrolset/control/terminal server/
winstations/rdp-tcp/
In the right-hand key value, change the portnumber to the port number you want to use. Note Using decimal (example 10000)
Note: Do not forget to bring your own firewall to the + 10000 port on the WINDOWS2003
The modification is complete. Restart the server. The settings take effect.
Second, user security settings
1. Disable Guest Account
Disable the Guest account in a computer-managed user. For the sake of insurance, it is best to add a complex password to guest. You can open Notepad, enter a string containing special characters, numbers, and letters, and then copy it as a guest user's password.
2. Restrict unnecessary users
Remove all duplicate user users, test users, share users, and so on. User Group Policy sets the appropriate permissions and frequently checks the users of the system to remove users who are no longer in use. These users are often a breach of the hacker's intrusion system.
3. Renaming the system administrator account
As you all know, Windows 2003 administrator users cannot be deactivated, which means that others can try the user's password over and over again. Try to disguise it as a normal user, such as changing to GUESYCLUDX.
4. Create a trap user
What is a trap user? That is, create a local user named "Administrator", set its permissions to the lowest, do nothing, and add a super complex password of more than 10 bits. This will allow the hacker to be busy for a while to discover their intrusion attempts.
5. Change the permissions of the shared file from the Everyone group to the authorized user
At any time, do not set the user to share files as "Everyone" group, including print sharing, the default property is "Everyone" group, must not forget to change.
6. Turn on user policy
With user policies, the Reset user lockout counter is set to 20 minutes, the user lockout time is 20 minutes, and the user lockout threshold is 3 times. (this option is optional)
7. Do not let the system display the last logged on user name
By default, the logon dialog box displays the last logged-on user name. This makes it easy for others to get some user names from the system and then make password guesses. Modify the registry to allow the dialog box to display the last logged-in user name. To do this: Open Registry Editor and locate the registry "HKLM\Software\Microsoft\Windows T\currentversion\winlogon\dont-displaylastusername" to Reg_ SZ's key value is changed to 1.
Password security settings
1. Use the security password
Some of the company's administrators create accounts often use the company name, computer name to do the user name, and then the user's password is set too simple, such as "Welcome" and so on. Therefore, pay attention to the complexity of the password, but also remember to change the password frequently.
2. Set screen protection password
This is a very simple and necessary operation. Setting a screen saver password is also a barrier to preventing internal personnel from damaging the server.
3. Open Password Policy
Note Apply a password policy, such as enable password complexity requirements, set the minimum password length to 6 bits, set the mandatory password history to 5 times, and the time to 42 days.
4. Consider using a smart card instead of a password
For passwords, always make security administrators dilemma, password settings are easy to be attacked by hackers, password settings are complex and easy to forget. It is a good solution to use smart cards instead of complex passwords if conditions permit.
Third, the System permissions settings
1. Disk Permissions
system disk and all disks only give full control to the Administrators group and system
System disk \documents and Settings directory only gives full control to Administrators group and system
System disk \documents and Settings\All The Users directory only gives full Control permissions to Administrators group and system
System disk \windows\system32\cacls.exe, Cmd.exe, Net.exe, Net1.exe, Ftp.exe, Tftp.exe, Telnet.exe, Netstat.exe, Regedit.exe, At.exe, Attrib.exe, format.com, del files give full control to the Administrators group and system only
Transfer <systemroot>\system32\cmd.exe, Format.com, Ftp.exe to another directory or rename
Some directories under Documents and settings are set only to adinistrators permissions. and a directory to view, including all subdirectories below.
Delete C:\Inetpub Directory
2. Local Security policy settings
Start menu, Administrative Tools, local security policy
A, Local Policies---Audit policy
Audit policy Change failed successfully
Audit logon event failed successfully
Audit object access failed
Audit process Tracking No audits
Audit directory service access failed
Audit privilege use failed
Audit system Event failed successfully
Audit account logon event failed successfully
Audit account Management Success failure
B, Local Policies--User rights Assignment
Shut down system: Only Administrators group, all other delete.
Allow login via Terminal Services: Only join Administrators,remote Desktop Users group, all other delete
C, Local Policies--security options
Interactive login: Do not display the last user name enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares enabled
Network access: Does not allow for network authentication storage credentials to be enabled
Network access: All shares that can be accessed anonymously are deleted
Network access: Anonymous access can be deleted all the life
Network access: Remotely accessible registry paths are all removed
Network access: Remotely accessible registry paths and sub-paths are all deleted
Account: Rename a Guest account to rename an account
Account: Rename the system Administrator account to rename an account
3. Disable unnecessary service start-run-services.msc
Tcp/ipnetbios Helper provides support for NetBIOS on the TCP/IP service and NetBIOS name resolution for clients on the network, enabling users to share
file, print, and log on to the network
Server supports file, print, and named pipes sharing for this computer over the network
Computer Browser maintains an up-to-date list of computers on the network and provides this list
Task Scheduler allows the program to run at a specified time
The NET SEND and alarm service messages between Messenger transport client and server
Distributed File System: LAN manages shared files and does not need to be disabled
Distributed linktracking client: For LAN update connection information, no need to disable
Error Reporting Service: Prohibit sending bug reports
Microsoft serch: Provides fast word search without the need to disable
Ntlmsecuritysupportprovide:telnet Services and Microsoft Serch, no need to disable
Printspooler: If no printer can be disabled
Remote Registry: Prohibit remotely modifying the registry
Remote Desktop help Session Manager: Prohibit remoting
Remote NET command does not list the user group if Workstation is closed
These are disabled in the services that are started by default on Windows Server 2003 systems, and services that are disabled by default do not start if they are not specifically required.
4. Modify the Registration Form
Make your system stronger by modifying the registry
1. Hide important files/Directories you can modify the registry implementation to completely hide
Hkey_local_machine\software\microsoft\windows\ Current-version\explorer\advanced\folder\hi-dden\showall ", right-click" CheckedValue ", select Modify, change the value from 1 to 0
2. Prevent SYN flood attack
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value, named SynAttackProtect, with a value of 2
New EnablePMTUDiscovery REG_DWORD 0
New NoNameReleaseOnDemand REG_DWORD 1
New EnableDeadGWDetect REG_DWORD 0
New KeepAliveTime REG_DWORD 300,000
New PerformRouterDiscovery REG_DWORD 0
New Enableicmpredirects REG_DWORD 0
3. Disable response to ICMP routing notification messages
Hkey_local_machine\system\currentcontrolset\services\tcpip\parameters\interfaces\interface
New DWORD value, named PerformRouterDiscovery value of 0
4. Attacks against ICMP Redirect messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the Enableicmpredirects value to 0
5. IGMP protocol not supported
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value, named IGMPLevel value of 0
6, prohibit the IPC NULL connection:
Cracker can use the net using command to establish an empty connection, and then the intrusion, as well as the net View,nbtstat these are based on an empty connection, prohibit null connection.
Local_machine\system\currentcontrolset\control\lsa-restrictanonymous change this value to "1".
7. Change the TTL value
Cracker can roughly determine your operating system based on the TTL value of the ping-back, such as:
ttl=107 (WINNT);
TTL=108 (Win2000);
ttl=127 or (Win9x);
ttl=240 or 241 (Linux);
ttl=252 (Solaris);
ttl=240 (Irix);
You can actually change it yourself: Hkey_local_machine\system\currentcontrolset\services\tcpip\parameters:defaultttl REG_DWORD 0-0xff ( 0-255 Decimal, default value 128) changed to a puzzling figure such as 258, at least let those little rookie halo half, so give up the invasion you don't necessarily OH
8. Delete the default share
Someone asked me to share all the disks on the boot, change back later, the restart has become a share of what is going on, this is 2K for the management and set the default share, hkey_local_machine\system\currentcontrolset\services\ Lanmanserver\parameters:autoshareserver type is REG_DWORD change the value to 0
9. Prohibit the establishment of an empty connection
By default, any user who connects to the server via an empty connection, then enumerates the accounts and guesses the password. We can disable the establishment of an empty connection by modifying the registry:
The value of the local_machine\system\currentcontrolset\control\lsa-restrictanonymous is changed to "1".
10. Create a notepad and fill in the following code. Save as *.bat and add to startup Project
NET share C $/del
NET share d$/del
NET share e$/del
NET share f$/del
NET share ipc$/del
NET share admin$/del
5. IIS Site Settings:
1. Separate the IIS directory and data from the system disk and save it in the private disk space.
2. Enable Parent Path
3. Remove any unused mappings that must be in IIS Manager (preserving the necessary mappings such as ASP)
4. HTTP404 Object not Found error page in IIS redirect to a custom HTM file via URL
5, Web site permission settings (recommended)
Read allow
Write not allowed
Script source access is not allowed
Directory browsing Recommendations Close
Log access Recommendations closed
Index Resource recommendation Close
Perform the recommended selection "script only"
6, recommended to use the expanded log file format, Daily Record customer IP address, user name, server port, method, Uri Word root, HTTP status, user agent, and every day to review the log. (It is best not to use the default directory, it is recommended to replace a log path, while setting the log access permissions, only allow administrators and system to full Control).
7, program security:
1) Procedures involving user names and passwords are best encapsulated on the server side, as little as possible in the ASP file, involving with the database connection to the user name and password should be given the minimum permissions;
2) A validated ASP page that tracks the file name of the previous page can only be read by a session that has been forwarded from the previous page.
3) Prevent leakage of ASP home page. inc files;
4) to prevent the UE and other editors to generate Some.asp.bak file leakage problem.
6. The idea of IIS permission setting
? To create a system user for each individual to be protected, such as a Web site or a virtual directory, so that the site has the unique ability to set permissions on the system.
? In IIS, "Site properties or virtual directory properties → directory security → Anonymous access and authentication control → edit → anonymous access → edit" fill in the username that you just created.
? Set all partitions prohibit this user access, and just this site's home directory corresponding to the folder settings allow this user access (to remove the inherited parent permissions, and to add the hyper-pipe group and the system group).
7. Uninstall the most unsafe components
The simplest way is to remove the corresponding program files after uninstalling directly. Save the following code as one. BAT file, (WIN2000 For example, if you use 2003, the System folder should be C:\WINDOWS\)
Regsvr32/u C:\WINDOWS\System32\wshom.ocx
Del C:\WINDOWS\System32\wshom.ocx
Regsvr32/u C:\WINDOWS\system32\shell32.dll
Del C:\WINNT\WINDOWS\shell32.dll
Then run it, Wscript.Shell, Shell.Application, Wscript.Network will be uninstalled. You may be prompted not to delete the file, do not care about it, restart the server, you will find that these three are prompted "x security".