Summary of server security settings against hacker and Trojan attacks (Windows Server)

Source: Internet
Author: User
Tags: sleep function, snmp, web services, server, port, pcanywhere

Security Policy:

Open Administrative Tools

Locate Local Security Settings > Local Policies > Security Options
1. Interactive logon: Do not require CTRL+ALT+DEL. Enable it [according to individual needs; leaving it enabled is relatively good, but personally I log in directly without entering a password]
2. Network access: Do not allow anonymous enumeration of SAM accounts. Enable it
3. Network access: Shares that can be accessed anonymously. Delete the listed values
4. Network access: Named pipes that can be accessed anonymously. Delete the listed values
5. Network access: Remotely accessible registry paths. Delete the listed values
6. Network access: Remotely accessible registry paths and sub-paths. Delete the listed values
7. Network access: Restrict anonymous access to Named Pipes and Shares
8. Accounts: Rename the guest account [better use a Chinese name you can remember]. Let the hacker guess at "guest"; you still have to delete this account, which is explained in detail below
9. Accounts: Rename the administrator account [a Chinese name is recommended]

Plan E. User Rights Assignment Policy:
Open Administrative Tools
Locate Local Security Settings > Local Policies > User Rights Assignment
1. Access this computer from the network: by default there are 5 entries here; apart from Administrators, delete the other 4. Of course, we must first create an account (ID) of our own.
2. Force shutdown from a remote system: delete the Administrators entry as well, leaving no one.
3. Deny access to this computer from the network: remove the ID.
4. Access this computer from the network: Administrators can also be deleted if you do not use services such as 3389 (Terminal Services).
5. Allow log on through Terminal Services: delete Remote Desktop Users.
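One way to apply the Security Options and User Rights items from the two sections above without clicking through the console, as an added example that is not from the original post: it writes a secedit security template and analyzes the machine against it before anything is changed. The renamed account names, the temp folder, PowerShell 3 or later, and Windows XP/2003 value names are my assumptions; emptying the remotely accessible registry paths also blocks remote management tools that read them.

```powershell
# Added example: Security Options + User Rights Assignment from the sections above as a
# secedit security template. Assumes Windows XP/2003 value names (2000 lacks a few of them).
function New-HardeningTemplate {
    param(
        [Parameter(Mandatory)][string]$Path,
        [string]$NewAdmin = 'srv_owner',    # placeholder for your renamed Administrator
        [string]$NewGuest = 'no_guest'      # placeholder for your renamed Guest
    )
    @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
; Accounts: rename administrator / guest (items 8 and 9); guest stays disabled
NewAdministratorName = "$NewAdmin"
NewGuestName = "$NewGuest"
EnableGuestAccount = 0
[Registry Values]
; Interactive logon: Do not require CTRL+ALT+DEL = Enabled (item 1)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableCAD=4,1
; Interactive logon: Do not display last user name = Enabled (DIY item 2 later in the text)
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
; Network access: Do not allow anonymous enumeration of SAM accounts = Enabled (item 2)
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
; Network access: anonymous shares / named pipes -> empty lists (items 3 and 4)
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
; Network access: Restrict anonymous access to Named Pipes and Shares = Enabled (item 7)
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\RestrictNullSessAccess=4,1
; Network access: remotely accessible registry paths (and sub-paths) -> empty (items 5 and 6).
; Caution: this also blocks remote perfmon/management tools that read these paths.
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,
[Privilege Rights]
; Access this computer from the network: Administrators only (Plan E item 1)
SeNetworkLogonRight = *S-1-5-32-544
; Force shutdown from a remote system: nobody (Plan E item 2)
SeRemoteShutdownPrivilege =
; Allow logon through Terminal Services: Administrators only, Remote Desktop Users removed (Plan E item 5)
SeRemoteInteractiveLogonRight = *S-1-5-32-544
"@ | Set-Content -Path $Path -Encoding Unicode
    return $Path
}

function Test-HardeningTemplate {
    # Dry run: imports the template into a scratch database and compares it with the live
    # settings; nothing is changed. Read the log for the settings reported as mismatched.
    param([Parameter(Mandatory)][string]$Template, [string]$WorkDir = (Join-Path $env:TEMP 'hardening'))
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $db  = Join-Path $WorkDir 'hardening.sdb'
    $log = Join-Path $WorkDir 'analyze.log'
    secedit /analyze /db $db /cfg $Template /log $log /overwrite | Out-Null
    return $log
}

function Invoke-HardeningTemplate {
    # Applies the template for real (run elevated). Afterwards log on with the renamed
    # administrator name; "Administrator" no longer exists as a logon name.
    param([Parameter(Mandatory)][string]$Template, [string]$WorkDir = (Join-Path $env:TEMP 'hardening'))
    New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
    $db  = Join-Path $WorkDir 'hardening.sdb'
    $log = Join-Path $WorkDir 'configure.log'
    secedit /configure /db $db /cfg $Template /log $log /overwrite | Out-Null
    return $log
}

$inf = New-HardeningTemplate -Path (Join-Path $env:TEMP 'hardening.inf')
Get-Content (Test-HardeningTemplate -Template $inf)   # review this before calling Invoke-HardeningTemplate
```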

Plan F. Terminal Services Configuration
Open Administrative Tools
Terminal Services Configuration
1. After opening it, click Connections, right-click the connection, choose Properties, and on the Remote Control tab select "Do not allow remote control".
2. On the General tab set the encryption level to High and tick "Use standard Windows authentication".
3. On the Network Adapter tab set the maximum number of connections to 0.
4. Advanced: also remove the permissions inside. [I did not set this]
Then click Server Settings, set Active Desktop to Disabled, and restrict each user to one session.

Plan G. User and Group Policy
Open Administrative Tools
Computer Management > Local Users and Groups > Users
Delete users such as SUPPORT_388945a0.
Leave only your Administrator account, and change its name.
Computer Management > Local Users and Groups > Groups
Groups: I have no experience with these (whatever; leave the default setting).

Plan X. DIY policies [according to personal needs]
1. Automatically log off users when logon hours expire (local), to prevent hacker password infiltration.
2. Do not display the last user name in the logon screen (remote): if 3389 is open and other people log in, no trace of your login username is left behind. Let them guess your username.
3. Additional restrictions for anonymous connections
4. Do not require CTRL+ALT+DEL
5. Allow the system to be shut down without having to log on [to prevent remote shutdown/startup and forced shutdown/reboot]
6. Restrict CD-ROM access to the locally logged-on user only
7. Restrict floppy access to the locally logged-on user only
8. Tip for cancelling the shutdown reason prompt

  1. Open the Control Panel window, double-click the "Power Options" icon, and in the Power Options Properties window go to the "Advanced" tab;
  2. On that page, under "Power buttons", set "When I press the power button on my computer" to "Shut down", then click "OK" to leave the settings box;
  3. After that, when you need to shut down, you can press the power button and the computer shuts down directly. Of course, we can also enable the Sleep function key to achieve fast shutdown and boot;
  4. If the system has not enabled hibernation, open Power Options in the Control Panel window, go to the Hibernate tab, and tick the "Enable hibernation" option.
9. Disable Shutdown Event Tracker
Click "Start" > "Run", enter "gpedit.msc", and in the left part of the window that appears
select Computer Configuration > "Administrative Templates" > "System". In the right-hand window double-click
"Display Shutdown Event Tracker" and, in the dialog box that appears, select "Disabled".
Then click "OK" to save and exit; from then on you will see a shutdown window similar to Windows 2000's.

III. Modify permissions to prevent viruses, Trojans and the like from damaging the system
This method is suitable for Windows XP, Windows 2003 and later versions.
Current Trojans and viruses like to reside in the System32 directory. If we use a command to restrict write and modify permissions on system32,
they have no way to write into it. Look at the commands.
a. Commands
cacls c:\windows\system32 /g administrator:r     prohibits modifying or writing to the c:\windows\system32 directory
cacls c:\windows\system32 /g administrator:f     restores modify and write on the c:\windows\system32 directory
Note that /g without /e replaces the whole ACL instead of editing it: after the first command only "administrator" has any access to system32 (SYSTEM, Users and the service accounts lose theirs), and the second command only hands that one account Full Control back rather than restoring the original entries. Add /e if the other entries need to survive.
Oh, so the virus cannot get in. If you think this is not safe enough,
you can also modify other directories you consider dangerous, for example the permissions of the whole C drive; but once modify and write on C are restricted, you must restore the permissions before installing software.
b. Commands
cacls c:\ /g administrator:r     prohibits modifying or writing to the C drive
cacls c:\ /g administrator:f     restores modify and write on the C drive
This method prevents viruses.
If you think some antivirus firewalls consume too much memory,
this method can solve that a little. I hope everybody likes this method ^_^
X. Commands
The following commands are recommended for senior administrators [because Windows versions differ, modify the parameters yourself]. With cacls, /d adds a Deny entry for the user and /r revokes that user's entries again; both need /e so the rest of the ACL is kept.
cacls %systemroot%\system32\cmd.exe /e /d iusr_comspec     prevents that network/local user from using CMD, from the command line and from the GUI
cacls %systemroot%\system32\cmd.exe /e /r iusr_lsa         revokes the entry again, restoring that user's use of CMD from the command line and the GUI
cacls %systemroot%\system32\tftp.exe /e /d iusr_lsa        prohibits that network/local user from using tftp.exe from the command line and the GUI
cacls %systemroot%\system32\tftp.exe /e /r iusr_lsa        revokes the entry again, restoring use of tftp.exe from the command line and the GUI
cacls %systemroot%\system32\tftp32.exe /e /d iusr_lsa      prohibits that network/local user from using tftp32.exe from the command line and the GUI
cacls %systemroot%\system32\tftp32.exe /e /r iusr_lsa      revokes the entry again, restoring use of tftp32.exe from the command line and the GUI
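The same "deny one account the use of cmd.exe and tftp.exe" idea as the X commands above, as an added example that is not from the original post, done with PowerShell ACL objects so the Deny entry can be listed and removed exactly instead of re-typed. The account name is a placeholder, PowerShell 3 or later and an elevated session are assumed, and on Vista and later, where TrustedInstaller owns these files, ownership has to be taken first.

```powershell
# Added example: explicit Deny entries on selected executables, equivalent to the
# "cacls file /e /d account" lines above, plus listing and exact removal of those entries.
function Set-ExecutableDeny {
    param(
        [Parameter(Mandatory)][string[]]$Path,
        [Parameter(Mandatory)][string]$Account,
        [switch]$Remove
    )
    # cacls /D writes a "No Access" entry, i.e. Deny of every right; mirror that here so the
    # account can neither run the file nor read/copy it somewhere it could run it from.
    $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                       -ArgumentList $Account, 'FullControl', 'Deny'
    foreach ($file in $Path) {
        $acl = Get-Acl -Path $file
        if ($Remove) {
            [void]$acl.RemoveAccessRule($rule)   # take the Deny entry out again; Allow entries untouched
        } else {
            $acl.AddAccessRule($rule)            # Deny ACEs are evaluated before Allow, so this wins
        }
        Set-Acl -Path $file -AclObject $acl
    }
}

function Get-ExecutableDeny {
    # Lists the explicit (non-inherited) Deny entries on each file, so the change can be audited.
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($file in $Path) {
        (Get-Acl -Path $file).Access |
            Where-Object { $_.AccessControlType -eq 'Deny' -and -not $_.IsInherited } |
            ForEach-Object {
                [pscustomobject]@{
                    File    = $file
                    Account = $_.IdentityReference.Value
                    Rights  = $_.FileSystemRights
                }
            }
    }
}

# Placeholder account: substitute the low-privilege account your web/FTP service runs as.
$account = 'IUSR_PLACEHOLDER'
$targets = @(
    (Join-Path $env:SystemRoot 'System32\cmd.exe'),
    (Join-Path $env:SystemRoot 'System32\tftp.exe')
) | Where-Object { Test-Path $_ }   # tftp.exe is absent on newer Windows unless the feature is installed

Set-ExecutableDeny -Path $targets -Account $account
Get-ExecutableDeny -Path $targets | Format-Table -AutoSize
# Undo later with: Set-ExecutableDeny -Path $targets -Account $account -Remove
```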

IV. Encrypting important files [NTFS format]
The purpose of this command is to encrypt the Windows password file, QQ password file and so on ^.^
Back up the EFS certificate (or configure a recovery agent) first: files encrypted this way become unreadable if the account's key is lost.
Command-line method
Encrypt: in a DOS window or via "Start" > "Run", enter "cipher /e filename" (or a folder name) at the command line.
Decrypt: in a DOS window or via "Start" > "Run", enter "cipher /d filename" (or a folder name) at the command line.

V. Modifying the registry to defend against DDoS
Changing the following values under HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters can help you defend against DoS attacks of a certain intensity:
SynAttackProtect        REG_DWORD  2
EnablePMTUDiscovery     REG_DWORD  0
NoNameReleaseOnDemand   REG_DWORD  1
EnableDeadGWDetect      REG_DWORD  0
KeepAliveTime           REG_DWORD  300000 (milliseconds)
PerformRouterDiscovery  REG_DWORD  0
EnableICMPRedirect      REG_DWORD  0
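An added example, not part of the original post, that sets the seven Tcpip\Parameters values listed above and shows the current value next to the intended one before anything is written. It assumes PowerShell 3 or later and an elevated session; these are Windows 2000/XP/2003 tunables (Vista and later ignore most of them, SynAttackProtect included) and the TCP/IP driver only rereads them after a reboot.

```powershell
# Added example: the Tcpip\Parameters values from the list above, compared before they are
# written. Windows 2000/XP/2003 tunables; Vista+ ignores most of them. Needs an elevated session.
$TcpipKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Desired  = [ordered]@{
    SynAttackProtect       = 2        # strongest SYN-flood protection mode
    EnablePMTUDiscovery    = 0        # stop forged ICMP from shrinking the MTU
    NoNameReleaseOnDemand  = 1        # ignore NetBIOS name-release requests
    EnableDeadGWDetect     = 0        # dead-gateway detection cannot be abused to switch gateways
    KeepAliveTime          = 300000   # milliseconds (5 minutes)
    PerformRouterDiscovery = 0        # no ICMP router discovery
    EnableICMPRedirect     = 0        # ignore ICMP redirects
}

function Compare-TcpipHardening {
    param([string]$Key = $TcpipKey, [System.Collections.IDictionary]$Values = $Desired)
    foreach ($name in $Values.Keys) {
        # Get-ItemProperty errors on a missing value; swallow that and report it as absent.
        $current = (Get-ItemProperty -Path $Key -Name $name -ErrorAction SilentlyContinue).$name
        $shown = '<absent>'
        if ($null -ne $current) { $shown = $current }
        [pscustomobject]@{
            Name      = $name
            Current   = $shown
            Desired   = $Values[$name]
            Compliant = ($current -eq $Values[$name])
        }
    }
}

function Set-TcpipHardening {
    param([string]$Key = $TcpipKey, [System.Collections.IDictionary]$Values = $Desired)
    foreach ($row in (Compare-TcpipHardening -Key $Key -Values $Values)) {
        if ($row.Compliant) { continue }
        # -Force overwrites an existing value and creates a missing one as REG_DWORD.
        New-ItemProperty -Path $Key -Name $row.Name -Value $row.Desired -PropertyType DWord -Force | Out-Null
    }
    # Return the post-change state so the caller can see everything is now compliant.
    Compare-TcpipHardening -Key $Key -Values $Values
}

Compare-TcpipHardening | Format-Table -AutoSize
# Set-TcpipHardening | Format-Table -AutoSize   # then reboot: the TCP/IP driver reads these at start-up
```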
For more and newer defence techniques please search for further information;
since I dare not gamble with my hard drive, I have not tested these myself...

VI. Building a more secure firewall
Open only the necessary ports and close the rest. After the system is installed, there are generally default ports open to the outside,
and hackers use scanning tools to scan for those ports to exploit, which is a serious threat to security. I list the ports I know as follows (if you think any of them is dangerous and should be filtered, please contact me: OICQ 13946296).

Port   Protocol       Application
21     TCP            FTP
25     TCP            SMTP
53     TCP            DNS
80     TCP            HTTP SERVER
1433   TCP            SQL SERVER
5631   TCP            PCANYWHERE
5632   UDP            PCANYWHERE
6      (not a port)   IP protocol
8      (not a port)   IP protocol
Well, based on our own experience, the following ports are closed:
TCP
21
22
23
25 SMTP
53 DNS
80
135 epmap
138 [Blaster (Shockwave) worm]
139 SMB
445
1025 dce/1ff70682-0a51-30e8-076d-740be8cee98b
1026 dce/12345778-1234-abcd-ef00-0123456789ac
1433 SQL SERVER
5631 PCANYWHERE
3389
4444 [Blaster (Shockwave) worm]
4489
UDP
67 [Blaster (Shockwave) worm]
137 netbios-ns
161 an SNMP agent is running / default community names of the SNMP agent
5632 PCANYWHERE
As for UDP, generally only Tencent OICQ opens port 4000 or 8000, so on this machine we only need to leave port 4000 open.

VII. Protecting personal privacy
1. TT browser
Choose a different browser to browse the web. I recommend TT, and using TT makes sense:
TT can identify scripts and Java programs in web pages, which defends well against some malicious scripts and so on, and even if TT gets infected you just remove and reinstall it. [TT is Tencent's browser] (However, some people like to use MyIE; since I have not used it much and do not understand it deeply, I do not feel it has any advantage in security. Friends who support MyIE, please don't beat me, otherwise I will cry...)

2. Move "My Documents"
Open Explorer, right-click My Documents, select Properties, and click the Move button on the Target Folder tab.
Select the target disk and press OK. In Windows 2003 "My Documents" is hard to find (on the desktop, in the Start menu, and so on),
so friends who use it often are advised to put a shortcut on the desktop.

3. Move IE temporary files
Go to Start > Control Panel > Internet Options, and on the General tab, in the Temporary Internet files section, click the Settings button.
In the window that pops up click the Move Folder button, select the destination folder, click OK, and in the dialog box that pops up select Yes.
The system will automatically log on again.
Click Local Area Connection > Advanced > Security Logging and change the log directory to a directory assigned specifically for it;
C: is not recommended. Then set the log file size; I set 10000 KB.

VIII. Help from third-party software
Firewall: Skynet Firewall (recommended) [Two-way Merchants' note: on Windows XP and above you can consider the firewall that comes with the system; on Windows 2000 consider using IPSec, which is a chance to practise]
Antivirus software: Kaspersky
Two-way Merchants' afterword:
Hackers have now moved from traditional system vulnerabilities to your browser, so pay attention to your browser while you apply the traditional patches.
Security settings for Windows 2000 servers
Set and disable: building the first line of defence
After installing Windows 2000 you should first install the latest system patches. But even with them installed, anyone on the Internet can, on any machine, just enter "\\your-IP-address\c$", then enter the user name Guest with an empty password, and get into your C drive; you are still completely exposed. The solution is to disable the Guest account, set a secure password for the administrator, and stop sharing the drives (remove the default shares). You also need to turn off unneeded services. You can set them to Disabled under Services in Administrative Tools, but be cautious: some services cannot be disabled. Services that can generally be disabled are Telnet, Task Scheduler (allows programs to run at specified times), Remote Registry Service (allows remote registry operations), and so on. This is the first line of defence for the server you build.
Set IIS: building the second line of defence
Many schools use their campus network server as a web server, and IIS vulnerabilities are a thorny issue. In fact, you can plug the website's holes simply by setting it up properly. Stop the IIS default services (Figure 1: the FTP service if you do not need it, and if you do, I recommend using Serv-U; the "Administration Web Site" and the "Default Web Site" can cause you problems; the Simple Mail Transfer Protocol service is generally not used), and then create a new website.

After setting the general content, go to Properties > Home Directory > Configuration and remove the unneeded application mappings (Figure 2), which are the direct cause of IIS attacks. If you need CGI and PHP, refer to other material to set them up.

In this way, with these general settings, you can run IIS safely, and your server has a second line of defence.
Use a scanner to plug security holes

To solve the security problem comprehensively you need the help of a scanning program. I recommend X-Scan (Figure 3), which can help you detect the server's security issues.
After the scan completes, check whether there is a password vulnerability; if so, change the password settings immediately. Then look for IIS vulnerabilities, and if there are any, check the IIS settings. Other vulnerabilities are rarely present. I would also remind you to take note of the open ports; you can record the scanned ports to make the next step easier.

Block the ports: building a perimeter
Hackers mostly break in through ports, so your server should only open the ports you need. So which ports do you need? The following are commonly used ports; choose according to need:
80 for web services, 21 for the FTP service, 25 for the e-mail Simple Mail Transfer Protocol service, 110 for the e-mail POP3 service.
There are others, such as SQL Server's port 1433; you can find the relevant information online. Those unused ports must be closed! To close them, we can use the Windows 2000 security policy.

With its security policy it is entirely possible to keep intruders out. Open Administrative Tools > Local Security Policy, right-click "IP Security Policies", choose "Create IP Security Policy", and click Next. Enter the name of the security policy and click Next until you are done; you have now created a security policy.
Next, right-click "IP Security Policies" again and go to "Manage IP filter lists and filter actions". In the "Manage IP Filter Lists" tab you can add the ports to block, for example to turn off ICMP and port 139.

When ICMP is turned off, hacking software cannot scan your machine without a forced scan, nor ping your machine. The details of turning off ICMP are as follows: click Add, enter "Turn off ICMP" as the name, click Add on the right, then click Next. In Source address select "Any IP Address" and click Next. In Destination address select "My IP Address" and click Next. In Protocol select ICMP and click Next. Back in the "Turn off ICMP" properties window, ICMP is now turned off.

Next we close 139. Again click "Add" in the "Manage IP Filter Lists" tab, set the name to "Close 139", click Add on the right, then Next. In Source address select "Any IP Address" and click Next. In Destination address select "My IP Address" and click Next. In Protocol select "TCP" and click Next. In "Set the IP protocol port" select "From any port" and "To this port", enter 139 as this port, and click Next. Port 139 is now closed; the other ports are set the same way, as shown in Figure 5.
In particular, closing UDP 4000 can prevent machines on the campus network from using QQ.

Then go to the "Manage Filter Actions" tab, click "Add", click Next, enter "reject" as the name, and click Next. Select Block and click Next. Then close the property page, right-click the new IP security policy "security", and open its property page. Click Add under Rules and click Next. Select "This rule does not specify a tunnel" and click Next. Select "All network connections" as the network type and click Next. Select "Turn off ICMP" in the IP filter list and click Next. Select "reject" as the filter action and click Next. This adds the "Turn off ICMP" filter to the IP security policy named "security". In the same way you can add other filters, such as "Close 139". The result is shown in Figure 7.
The last thing to do is assign this policy; it only takes effect when assigned. Right-click "security", select All Tasks from the menu, and select Assign. The IP security setup is finished; you can set an appropriate policy according to your own situation.

After the setup is complete, you can use X-Scan again to check and find problems.
With the above settings, your Windows 2000 server can be said to be very safe. I hope you will soon build up your server's protective shelterbelt.
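The whole policy from the steps above (policy "security", filter lists for ICMP and TCP 139 plus UDP 4000, filter action "reject", then assign) as an added example that is not from the original post, written against netsh ipsec static, which exists on Windows XP/2003 but not on Windows 2000 itself. The extra port 445 comes from the "ports to close" list in section VI; the list and rule names are mine, chosen without spaces so they need no quoting on netsh's command line.

```powershell
# Added example: the IPSec "block these ports" policy from the steps above, built with
# netsh ipsec static (Windows XP/2003). Names carry no spaces so they need no quoting.
$Policy = 'security'
$Action = 'reject'
$Blocks = @(
    @{ Name = 'TurnOffICMP';  Protocol = 'ICMP'; Port = 0 }      # whole protocol; the box can no longer be pinged
    @{ Name = 'Close139';     Protocol = 'TCP';  Port = 139 }    # NetBIOS session / SMB
    @{ Name = 'Close445';     Protocol = 'TCP';  Port = 445 }    # direct-hosted SMB (section VI list)
    @{ Name = 'CloseUDP4000'; Protocol = 'UDP';  Port = 4000 }   # QQ, as in the text
)
# If you administer this box over 3389, do NOT add 3389 here: an assigned policy applies
# immediately and cuts off your own session as well.

function New-BlockPolicy {
    param([string]$Policy, [string]$Action, [hashtable[]]$Blocks)
    # Policy container and one "block" filter action, reused by every rule.
    netsh ipsec static add policy name=$Policy description=BlockUnneededPorts
    netsh ipsec static add filteraction name=$Action action=block
    foreach ($b in $Blocks) {
        netsh ipsec static add filterlist name=$($b.Name)
        # srcaddr=any dstaddr=me is the wizard's "Any IP Address -> My IP Address";
        # mirrored=yes also matches the reply direction, as the wizard does by default.
        $filter = @("filterlist=$($b.Name)", 'srcaddr=any', 'dstaddr=me',
                    "protocol=$($b.Protocol)", 'mirrored=yes')
        if ($b.Port -ne 0) { $filter += "dstport=$($b.Port)" }   # "From any port / To this port"
        netsh ipsec static add filter @filter
        netsh ipsec static add rule name=$($b.Name) policy=$Policy filterlist=$($b.Name) filteraction=$Action
    }
}

function Enable-BlockPolicy {
    param([string]$Policy)
    # Nothing is enforced until the policy is assigned (the "Assign" step in the text);
    # only one IPSec policy can be assigned at a time.
    netsh ipsec static set policy name=$Policy assign=y
}

New-BlockPolicy -Policy $Policy -Action $Action -Blocks $Blocks
Enable-BlockPolicy -Policy $Policy
netsh ipsec static show all        # confirm the filters, the action and that the policy is assigned
# Back out with: netsh ipsec static set policy name=$Policy assign=n
```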
Detailed permission settings under Windows
With the wide use of the Dvbbs (Dongwang) forum and the discovery of its vulnerability on the Internet, as well as the increasing use of SQL injection attacks, webshells make the firewall useless, and a web server with only port 80 open and every Microsoft patch applied will still not escape the fate of being hacked. Do we really have nothing to do? In fact, as long as you understand how NTFS permissions are set, we can say to the crackers: no! To build a secure web server, you must use NTFS and Windows NT/2000/2003 on it. As we all know, Windows is a multi-user, multitasking operating system, which is the basis of permission settings: all permissions are based on users and processes, and different users have different permissions when accessing this computer. DOS is a single-task, single-user operating system. But can we say DOS has no permissions? No! When we boot a computer with DOS, we have administrator privileges on the operating system, and those permissions are everywhere. So we can only say that DOS does not support setting permissions, not that it has no permissions. As people's security awareness grew, permission settings were born with the release of NTFS.

In Windows NT, users are grouped, and groups have different permissions from each other; of course, users within a group can also have different permissions. Now let's talk about the common user groups in NT. Administrators, the administrators group: by default, users in Administrators have unrestricted full access to the computer/domain. The default permissions assigned to this group allow full control of the entire system. Therefore, only trusted people should become members of this group.

Power Users, the power users group: Power Users can perform any operating system task other than those reserved for the Administrators group. The default permissions assigned to the Power Users group allow its members to modify settings for the entire computer. However, Power Users cannot add themselves to the Administrators group. In permission settings, this group's permissions are second only to Administrators.

Users, the normal users group: the users in this group cannot make intentional or unintentional system-wide changes. As a result, Users can run validated applications but cannot run most legacy applications. The Users group is the safest group because the default permissions assigned to it do not allow members to modify operating system settings or other users' data. The Users group provides the most secure environment in which to run programs. On NTFS-formatted volumes, the default security settings are designed to prevent members of this group from compromising the integrity of the operating system and installed programs. Users cannot modify system registry settings, operating system files, or program files. Users can shut down a workstation but not a server. Users can create local groups but can only modify the local groups they created.
Guests, the guests group: by default, Guests have the same access as members of the normal Users group, but the Guest account has more restrictions.

Everyone: as the name implies, all users; every user on this computer belongs to this group.
In fact, there is another very common group with permissions equal to, or even higher than, Administrators, but no user is allowed to join it, and it is not displayed when viewing user groups: the SYSTEM group. The permissions required for the system and system-level services to function properly are vested in it. Since this group has only one member, SYSTEM, it may be more appropriate to classify it as a user.

Permissions have levels: users with higher privileges can operate on users with lower privileges, but apart from Administrators, users of other groups cannot access other users' data on NTFS volumes unless those users authorize it. Users with low privileges cannot do anything to users with high privileges.

In everyday use of the computer we do not feel that any permission stops us from doing something, because we use the computer logged in as a member of Administrators. This is both good and bad. The good side is, of course, that you can do anything you want without running into restrictions. The bad side is that running the computer as a member of the Administrators group makes the system vulnerable to Trojan horses, viruses, and other security risks. Simple actions such as visiting an Internet site or opening an e-mail attachment can damage the system. Unfamiliar Internet sites or e-mail attachments may carry Trojan horse code that gets downloaded to the system and executed. If you are logged on as an administrator on the local computer, the Trojan may reformat your hard disk with administrative access, causing immeasurable damage, so it is best not to log in as an Administrators user unless necessary. Administrators has a default user created at system installation: Administrator. The Administrator account has full control of the server and can assign user rights and access control rights to users as needed. It is therefore strongly recommended that this account be given a strong password. You can never delete the Administrator account from the Administrators group, but you can rename or disable it. Because everyone knows that "Administrator" exists on many versions of Windows, renaming or disabling this account makes it more difficult for a malicious user to try to access it. A good server administrator usually renames or disables this account. Under the Guests group there is also a default user, Guest, but by default it is disabled. You do not need to enable this account unless it is particularly necessary. We can view user groups and the users under them through Control Panel > Administrative Tools > Computer Management > Users and Groups.

Right-click an NTFS volume, or a directory under an NTFS volume, and select Properties > Security to set permissions on the volume or directory. We see the following seven types of permission: Full Control, Modify, Read & Execute, List Folder Contents, Read, Write, and Special Permissions. Full Control is unrestricted full access to this volume or directory; its status is like the position of Administrators among all groups. When Full Control is selected, the five properties below it are selected automatically. "Modify" is like Power Users: select Modify, and the four properties below it are selected automatically. If any of the items below it is deselected, the "Modify" condition no longer holds. "Read & Execute" allows any file under this volume or directory to be read and run, and "List Folder Contents" and "Read" are necessary for Read & Execute. "List Folder Contents" means that only the subdirectories under the volume or directory can be browsed; nothing can be read or run. "Read" is the ability to read data in the volume or directory. "Write" is the ability to write data to the volume or directory. And "Special Permissions" subdivides the six kinds of permission above. Readers can study "Special Permissions" more deeply on their own; I will not dwell on them here.

The following is a comprehensive analysis of a web server and its permissions, on which the operating system and service software have just been installed. The server runs Windows 2000 Server with SP4 and various patches installed. The web service software is the IIS 5.0 that comes with Windows 2000, with all unnecessary mappings removed. The whole hard drive is divided into four NTFS volumes: C is the system volume, holding only the system and drivers; D is the software volume, where all software on the server is installed; E is the web application volume, with the website program under the WWW directory of that volume; F is the website data volume, with all data called by the website system stored in the wwwdatabase directory of that volume. This sort of classification is more in line with the standard for a secure server. I hope every novice administrator can classify their server data sensibly: this not only makes things easy to find, but more importantly greatly enhances the security of the server, because we can give each volume or each directory different permissions, and once a network security incident happens the loss can be reduced to a minimum. Of course, you can also distribute the site's data over different servers, making a server farm in which each server has different user names and passwords and provides a different service, so the security is higher. But people who are willing to do that have one feature: money :). Well, to get to the point: the server's database is MS-SQL; the MS-SQL service software is SQL Server 2000, installed in the D:\ms-sqlserver2K directory, with a strong enough password set on the SA account and the SP3 patch installed. To make it easier for web page producers to manage the site, the FTP service is also opened; the FTP service software is Serv-U 5.1.0.0, installed in the D:\ftpservice\serv-u directory.
The antivirus software and firewall are Norton AntiVirus and BlackICE respectively, installed under D:\nortonAV and D:\firewall\blackice; the virus library has been upgraded to the latest, and the firewall rule library only opens ports 80 and 21 to the outside. The website content uses Dvbbs (Dongwang) forum 7.0, and the website program is under E:\www\bbs. Attentive readers may have noticed that I did not adopt the default paths when installing these service programs, nor did I just change the drive letter of the default path. This is also a security requirement, because a hacker who has got onto your server by some means but has not obtained administrator privileges will first look at what services you have opened and what software you have installed, because he needs to raise his privileges. Paths that are hard to guess, together with good permission settings, will keep him out. I believe a web server configured this way is enough to withstand most of the less skilled hackers. The reader may ask again: "This has nothing to do with permissions! I have done all the other security work; are permission settings still necessary?" Of course they are! Even a wise man slips sometimes: even if you have now made the system safe and perfect, you must know that new security vulnerabilities are always being found. Permissions will be your last line of defence! Well, let's just do it now: a mock attack on this server with no permission settings at all, everything on Windows defaults, to see whether it really is impregnable.

Assume the server's external domain name is http://www.webserver.com. Scan it with scanning software: it finds open WWW and FTP services, finds that the service software is IIS 5.0 and Serv-U 5.1, and finds that some overflow tools used against them have no effect, so the idea of a direct remote overflow is abandoned. Open the website and find that it uses the Dvbbs forum system, so append /upfile.asp to its domain name and find that there is a file-upload vulnerability; then capture the packet, submit the modified ASP Trojan with NC, see "upload successful", and obtain a webshell. Open the ASP Trojan just uploaded and find that MS-SQL, Norton AntiVirus and BlackICE are running; judging from the firewall's restrictions, the SQL service port is shielded. Through the ASP Trojan, look up the PIDs of Norton AntiVirus and BlackICE, upload a file that can kill processes, and after running it Norton AntiVirus and BlackICE are killed. Scan again and find port 1433 open. There are now many ways to get administrator privileges: view conn.asp in the site directory to get the SQL user name and password, then log in to SQL to execute an "add user" and raise it to administrator rights; or grab ServUDaemon.ini under Serv-U, modify and upload it, and obtain system administrator privileges; or add users directly to Administrators through a local Serv-U overflow tool, and so on. As you can see, once the hacker has found the entry point, in the absence of permission restrictions it is easy for him to obtain administrator privileges.

Let's take a look at what the default permission settings of Windows 2000 actually are. For the root directory of each volume, the Everyone group is given Full Control by default. This means that any user who gets onto the computer can do whatever they like in the root directory without restriction. Three directories under the system volume are special: the system gives them restricted permissions by default. They are Documents and Settings, Program Files, and WINNT. For Documents and Settings the default permissions are assigned like this: Administrators has Full Control; Everyone has Read & Execute, List Folder Contents and Read; Power Users have Read & Execute, List Folder Contents and Read; SYSTEM the same as Administrators; Users have Read & Execute, List Folder Contents and Read. For Program Files, Administrators has Full Control; CREATOR OWNER has Special Permissions; Power Users have Full Control; SYSTEM with admin
