VPS Security Settings reference

Vps Security Settings

1. Disable default sharing.
Method 1:
Create a notebook and fill in the following code. Save as *. bat and add it to the startup project
Net share c $/del
Net share d $/del
Net share e $/del
Net share f $/del
Net share ipc $/del
Net share admin $/del
Method 2: Modify the Registry. (You must back up the registry before modifying the registry. In "run"> "regedit", select "file" and export the file name. If the registry fails to be modified, double-click the exported registry file .)
HKEY_LOCAL_MACHINESYSTEMCurrentControlSetServicesLanmanServerParameters
Create a "DWORD Value" value named "AutoShareServer" and set the data value to "0"

Ii. Remote Desktop Connection configuration.
Start> program> Administrative Tools> terminal service configuration> connection
Select "RDP-tcp" on the right and right-click Properties> delete permissions (except system). Add a single administrator account for all user groups, even if the server is created with other administrators. and cannot use the terminal service.

3. serv_u Security Settings (Be sure to set the management password; otherwise, the server will be Elevation of Privilege)

Open serv_u, click "local service", and click "set/Change Password" on the right. If no password is set, "the old password is blank, fill in the new password, and click" OK ".

4. disable ports 139 and 445

① Control panel-Network-Local Link-properties (uncheck "network file and printer sharing" Here)-TCP/IP protocol properties-advanced-WINS-Netbios settings-Disable Netbios, you can disable port 139.
② Close port 445 (make sure to back up the registry and backup the method before modifying the registry. In "run"> "regedit", select "file" and export the file name. If the registry fails to be modified, double-click the exported registry file .)
HKEY_LOCAL_MACHINESystemCurrentControlSetServicesetBTParameters
Create a "DWORD Value" value named "SMBDeviceEnabled". The default value is "0"

5. Delete insecure Components
The WScript. Shell and Shell. application components are generally used by some ASP Trojans or malicious programs.
Method: Enter the following commands in "run ":
① Regsvr32/u wshom. ocx uninstall the WScript. Shell component
② Regsvr32/u shell32.dll uninstall the Shell. application component.
③ Regsvr32/u % windir % system32Wshext. dll

6. Set iis permissions.
Create a user for each website.
① First, right-click "my computer"> "manage" Local Computer and group "users, and then on the right. Right-click "new user", create a new user, and set the password.

For example, add test as the user accessing a website.

② Set site folder Permissions
Then, open the internet Information Service Manager. Find the site. Right-click and select "permission"

After selecting permissions, for example:

Only one super administrator (which can be customized) is retained, instead of the administrator group "administrators. And system users. Click "add" to add the user (such as test) created in the system. Then, select the user (test) to read and run, list folder directories, read and write permissions. Super administrator "full control" and system users "full control. And select user (test )? "Advanced" appears, as shown in figure

Click "application" and wait for the folder permission to be transferred.
Click "OK ".
Note:
③ Set the access user.
Right-click the site attribute = "Directory Security =" edit, and add the user you just added (such as test) to the anonymous user. The password is the same as the password used to add a user.

④ Set site access permissions.
Right-click the site you want to set. Attribute = "home directory": select only the read records under the local path to access index resources.
Do not select others. Select "Pure script" for execution permission. Do not select "script and Executable File ". :

Other settings are the general settings of the iis Site.

Note: For ASP. NET programs, you must set the account permissions of the IIS_WPG group and the upload directory permissions. In this case, you must set the execution permission of the upload directory to "NONE" and select the write permission for the folder. Even if you have uploaded scripts such as ASP and PHP or exe programs, it will not trigger execution in the user's browser,
For pure static websites (all html), change (pure script) to (none ).
Some programs may require that everyone have full control permissions. You can set full control permissions for folders by website Access Users (such as test users, you do not need to add everyone to set full control.

VII. Database Security Settings

You must set the Database Password.
In addition. We recommend that you uninstall the Extended Stored Procedure xp_mongoshell for SQL databases.
Xp_mongoshell is the best way to enter the operating system and a large backdoor left by the database to the operating system. Remove it. Use this SQL statement:
Use master
Sp_dropextendedproc xp_cmdshell
If you need this stored procedure, use this statement to restore it.
Sp_addextendedproc xp_cmdshell, xpsql70.dll

8. Prevent access Database downloads

Add the following content in IIS properties-main directory-configuration- ing-application extension. The application parsing of the mdb file. Note that do not select asp. dll for the d ll selected here. Find a dll file not used in the ing.

 

9. Use the firewall to restrict ports.

Open only the port you need. For vps users, you need to open the website service port 80, remote login port 3389, And the password modification service port 6088 provided by Jingan, if you are using ftp service software such as serv_u, open port 21.
For specific port opening instructions, refer to the following:
1. Right-click the network neighbor and select "properties", ==> local connection ==? Attribute =? Advanced? Set

Select "enable.
2. Click "exception" = "to add a port. Add external ports as needed. Note: select the port you want to add.
3. After adding the port, click OK "? OK

10. Prevent listing user groups and System Processes
If the list of users uploading asp Trojans may be exploited by hackers, we should hide them:
Choose Start> program> Administrative Tools> service. Find Workstation, stop it, and disable it.

11. install anti-virus software
Although anti-virus software sometimes cannot solve the problem, anti-virus software can avoid many problems and kill some Trojans. We recommend that you install anti-virus software that consumes a small amount of memory resources. In addition, you must upgrade the software frequently.