Server security Settings _ System port Security Configuration _win Server

Third, System port security Configuration
Here is a brief introduction to some of the basics of ports, mainly to facilitate our next security configuration to lay the groundwork, if
You have a deeper understanding of the port and you can skip this step.
The port is the logical interface between the computer and the external network, and the first barrier of the computer, the port configuration is correct or not straight
Connected to the security of the host, generally speaking, only open you need to use the port will be more secure, the configuration is in the network card is
Sex-tcp/ip-Advanced-options-TCP/IP filtering is enabled for TCP/IP filtering.
The basics of the port are described below. In Network technology, ports (port) generally have two meanings: first, the physical meaning
Ports, such as ADSL modems, hubs, switches, routers, and interfaces for connecting to other network devices, such as
RJ-45 ports, SC ports, and more. The second is a logical port, generally refers to the TCP/IP protocol port, port number
range from 0 to 65535, such as 80 ports for browsing Web services, 21 ports for FTP services, and so on.
(i) Distribution by port number:
(1) Well-known ports (well-known Ports)
Well-known ports, known as port numbers, range from 0 to 1023, and these port numbers are generally fixed to some services.
For example, 21 ports are assigned to the FTP service, 25 ports are assigned to the SMTP (Simple Mail Transfer Protocol) service, and 80 port assignments
To the HTTP service, 135 ports are assigned to the RPC (Remote Procedure Call) service, and so on.
(2) dynamic port (Ports)
Dynamic ports range from 1024 to 65535, and these port numbers are generally not fixed to a service, which means that many
Services can use these ports. As long as the running program to the system to provide access to the network application, then the system can be from these
The port number is assigned one for use by the program. For example, port 1024 is assigned to the first program to issue a request to the system. In
When the program process is closed, the port number that is occupied is freed.
However, dynamic ports are often used by virus trojan programs, such as the glacier default connection port is 7626, WAY 2.4 is 8011, Netspy 3.0 is 7306, Yai virus is 1024 and so on.
(ii) By type of agreement:
Can be divided into ports such as TCP, UDP, IP, and ICMP (Internet Control Message Protocol). The following are mainly about TCP and
UDP port.
(1) TCP port
The TCP port, the Transmission Control protocol port, requires a connection between the client and the server to provide a reliable
of data transfer. Common includes 21 ports for FTP services, 23 ports for Telnet Service, 25 ports for SMTP service,
and the HTTP service 80 ports, and so on.
(2) UDP port
UDP port, the user Packet protocol port, does not need to establish a connection between the client and the server, security is not guaranteed
Disabled Common 53 port with DNS service, SNMP (Simple Network Management Protocol) service of 161 ports, QQ use
8000 and 4000 ports, and so on.
After introducing the basics of the port, let's start the port security configuration for the server.
On a generic Web+email server, it is recommended to use both PcanyWhere and Terminal Services for remote control.
To modify Terminal Services 3389 ports to 6868 ports based on security considerations, as follows:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal
Server\wds\repwd\tds\tcp, find the PortNumber item, double-click Select Decimal, enter the end you want to change
, here we enter 6868. And then find the key value:
Hkey_local_machine\system\currentcontrolset\control\terminalserver\win
Stations, locate the portnumber in the right window and enter 6868 in the above method, set to the new port.
In this way, when you use MSTSC to access Remote Desktop, IP or URL after add: 6868 that is the port number. As shown in figure (1):
Then set up TCP/IP filtering based on the services you want to open. To view port usage, you can use the Netstat
Command line status, click "Start → run", type "cmd" and enter, open a command Prompt window. In
At the command prompt, type "netstat-a-n", and when you press ENTER, you can see a digital display of TCP and
The port number and state of the UDP connection.
We use TCP/IP filtering settings based on server port usage we need open ports, right click on Network Neighborhood
Property--> Right-click Local Connection Properties--> (double-click TCP/IP)--> advanced--> option--> property to enable TCP/IP filtering.
In TCP port filtering allows only 21, 25,110,
80,1433,3000,5631,6868,8735,
10001,10002,10003,10004,10005
And so related must use the port (please according to your actual situation
The TCP/IP port contains a few regular
Some well-known ports, 10001-10005 is set
Serv-u's PASV mode uses the port, 3000 is
MDaemon Default Web landing port, 6868
is the custom modified MSTSC Remote Desktop port, and of course it can be used otherwise. The IP protocol and UDP ports are based on your needs
To make the appropriate configuration, I did not carefully studied, please according to your actual application for screening.
Next, we're going to uninstall all the other protocols in the local connection properties, leaving only Internet Protocol (TCP/IP),
Uninstall the default share and printer.
Figure (6): Delete Sharing and printer sharing
Then, double-click Internet Protocol (TCP/IP) to enter the Advanced Options window, select the WINS tab, and select the Disable
NetBIOS entries on TCP/IP to effectively prevent others from acquiring computer-related information from the Network NetBIOS protocol.