Windows 2003 Server Security Configuration Ultimate Tips Tutorial

Source: Internet
Author: User
Tags ftp protocol
A lot has been circulated online about the security configuration of Windows Server 2003, but a careful look shows that many of these articles are not comprehensive, and many of the configurations they recommend are not reasonable and leave a lot of security risk. So today I decided to carefully work through an extreme ("BT") security configuration for a 2003 server, so that more network administrator friends can sleep soundly.
The servers we configure need to provide the following components: ASP, ASPX, CGI, PHP, FSO, JMail, MySQL, SMTP, POP3, FTP, 3389 Terminal Services, Remote Desktop Web Connection management services, and so on. We assume the system is already installed, including IIS, the FTP server, the mail server and so on; the specific configuration steps for those are not repeated here, and we now concentrate on the security configuration.
The usual measures also apply: installing the system securely, setting up and managing accounts, shutting down redundant services, audit policies, changing the terminal management port, configuring MS-SQL, removing dangerous stored procedures, connecting to the database with a least-privileged public account, and so on.
First, the NTFS disk permission settings. You may have seen a lot about this already, but 2003 Server has some details that need attention, and I have seen many articles that do not cover them completely.
Give the C: drive only to Administrators and SYSTEM and grant no other permissions. The other drives can be set up the same way. The SYSTEM permission granted here is not strictly necessary; it is only because some third-party applications are started as services and need this account, otherwise they will not start.

The Windows directory must additionally be given the default permissions for Users, otherwise applications such as ASP and ASPX will not run. Some friends used to set permissions on the INSTSRV and Temp directories as well, but in fact there is no need.

In addition, it is important to note that the subdirectories under C:/Documents and Settings/ do not inherit the settings above. If you only set the C: drive to Administrators, the Everyone user still has full control in All Users/Application Data, so an intruder can jump to this directory, write a script or file there, and then combine that with other vulnerabilities to elevate privileges: a Serv-U local overflow, missing system patches, database weaknesses, even social engineering, and many other methods. A certain well-known person once said: "As long as you give me a webshell, I can get SYSTEM", and that is certainly possible. On systems used as WEB/FTP servers it is recommended to lock these directories down completely. The directories on each of the other drives are set in the same way; do not give any drive permissions beyond Administrators.

In addition, set the following files so that only Administrators are allowed to access them: net.exe, cmd.exe, tftp.exe, netstat.exe, regedit.exe, at.exe, attrib.exe, cacls.exe.
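One way to apply the tool lockdown above from the command line, as an added example that is not part of the original article; it uses cacls.exe, which ships with Windows Server 2003, and the directory list it searches is an assumption:

```batch
@echo off
rem Added example, not from the article: restrict the listed system tools so that only
rem Administrators can access them, using cacls.exe. Run from a cmd.exe session that is
rem logged on as an administrator.
rem Caveat: replacing the ACL also removes SYSTEM's access, so scheduled tasks or services
rem running as SYSTEM that call cmd.exe or net.exe will fail; add SYSTEM:F to the /G list
rem if those must keep working.
setlocal enabledelayedexpansion
set TOOLS=net.exe cmd.exe tftp.exe netstat.exe regedit.exe at.exe attrib.exe cacls.exe
rem regedit.exe lives in %SystemRoot% rather than system32, and Windows File Protection
rem keeps spare copies under system32\dllcache, so all three locations are checked.
set DIRS="%SystemRoot%\system32" "%SystemRoot%" "%SystemRoot%\system32\dllcache"

for %%F in (%TOOLS%) do (
    set FOUND=0
    for %%D in (%DIRS%) do (
        if exist "%%~D\%%F" (
            set FOUND=1
            rem "echo y|" answers the "Are you sure" prompt; /G without /E replaces the ACL
            echo y| cacls "%%~D\%%F" /G Administrators:F >nul
            echo Locked down %%~D\%%F
        )
    )
    if !FOUND!==0 echo %%F not found in any checked directory, skipped
)

rem Verify: each ACL printed here should list only BUILTIN\Administrators:F
for %%F in (%TOOLS%) do (
    for %%D in (%DIRS%) do (
        if exist "%%~D\%%F" cacls "%%~D\%%F"
    )
)
endlocal
```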
Disable unnecessary services. Even if attackers may never use them, by the rules and standards of security anything superfluous should not be left running; it removes one more hidden danger.
In "Network Connections", remove all unneeded protocols and services and install only the basic Internet Protocol (TCP/IP), plus the QoS Packet Scheduler for the bandwidth control service. In Advanced TCP/IP Settings, under the NetBIOS setting, disable NetBIOS over TCP/IP. In the Advanced options, enable the Internet Connection Firewall. This firewall ships with Windows 2003 and did not exist in 2000; it is not very feature-rich, but it can screen ports, which basically gives the effect of an IPSec filter.



Next, open the ports that the required services need. On 2003 the port-filtering function of TCP/IP filtering is not recommended. Take an FTP server: if only port 21 is opened, then because of the specifics of the FTP protocol (FTP has an active PORT mode and a passive mode and needs to open high-numbered ports dynamically during data transfer), with TCP/IP filtering in place the connection often succeeds but the directory cannot be listed and data transfer fails. The Windows Connection Firewall added in 2003 solves this problem well, so the NIC's TCP/IP filtering function is not recommended.
Serv-u FTP Server settings:
Generally speaking, I do not recommend using Serv-U as the FTP server, mainly because its vulnerabilities appear too often. But that is precisely because it is simple to operate, powerful and very popular, so more people pay attention to it and its bugs get found; other FTP server software is not necessarily any safer.
Of course, there is also FTP software that is as powerful as Serv-U but more secure: Ability FTP Server. Its setup is also very simple, but we still have to cater to the general taste, so let us talk about Serv-U security settings.
First, version 6.0 added a function for changing the local administrator password that the earlier 5.x versions lacked. In 5.x the password could be changed by editing the Serv-U program binary with the UltraEdit-32 editor; 6.0 fixed this hidden danger and exposed the function separately for everyone's convenience. However, even with the management password changed, Serv-U carries the same security risk: two months ago Smelly Beggar wrote a new local sniffing method for obtaining the Serv-U management password, and the exploit is selling hot online. This sniffing method, though, requires "execute" permission in the directory after a webshell has been obtained, and only succeeds when the administrator logs on again and runs the Serv-U administrator. So administrators should try to avoid the factors above, and can then protect themselves.

In addition, set the following general Serv-U security options:
Select "Block FTP_bounce attack and FXP". What is FXP? Normally, when files are transferred over FTP, the client first sends a PORT command to the FTP server containing the client's IP address and the port number to be used for the data transfer, and the server uses the address information in that command to establish the data connection back to the user. In most cases this causes no problem, but when the client is a malicious user, it can place a different address in the PORT command so that the FTP server connects to a machine other than the client. Even if the malicious user has no right to access that machine directly, if the FTP server can reach it, the malicious user can use the FTP server as an intermediary and still end up connecting to the target server. This is FXP, also known as a cross-server attack. Selecting this option prevents it.

In addition, "Block anti time-out schemes" can also be selected. Second, in the Advanced tab, check that "Enable security" is selected, and if not, select it.

Security for IIS:
Delete the C:/inetpub directory and remove the unnecessary IIS script mappings.
First, each web site uses its own IIS user; for example, create a new user named www.315safe.com with Guest-level permissions.


In the site's properties in IIS, under Directory Security > Authentication and access control, set the user name and password used for anonymous access to this www.315safe.com user. The web directory corresponding to this site is by default given read and write permission for the IIS user only (a more extreme setting is described later).

In Application Configuration we give only the necessary script execution mappings: asp, aspx, php.
ASP and ASPX mappings are provided by default; for PHP you need to add a new mapping. Then in Web Service Extensions set asp and aspx to Allowed. For PHP and CGI support, create a new web service extension: in Extension name enter PHP, in Required files add the path C:/php/sapi/php4isapi.dll, and check Set extension status to Allowed. Click OK and IIS will support PHP. CGI support is done the same way.

To support ASPX, you also need to give the web root the default permissions for Users so that ASPX can execute.


Also in Application Configuration, under Debugging, set "Send custom text error message to client". Then a site with an ASP injection vulnerability will not return program error information to the client, which avoids a certain degree of attack.

In the Custom Errors option, errors such as 404 and 500 should be redefined; but sometimes, in order to debug the program, it is useful to know where the program failed, so it is recommended to redefine only 404.


Because IIS 6.0 works differently, the concept of the application pool appears. Generally it is recommended that about 10 sites share one application pool, and the default application pool settings are fine for ordinary sites.

You can set the worker process to recycle in the early hours of the morning.

Create a new site with the default wizard. In the settings, note the following under application settings: Execute permissions stays at the default "Scripts only", and the application pool is a separate pool named 315safe.


The application pool named 315safe can be given appropriate "memory recycling" settings: maximum virtual memory 1000M and maximum used physical memory 256M. Such settings place almost no limit on the performance of this site.

The application pool also has an "Identity" option where you can choose the pool's security account. The default is the Network Service account; leave it as it is, since running with the fewest privileges possible keeps the hidden danger small. Some directories of a site, for example this "UploadFile" directory, do not need to run ASP programs or other scripts, so remove the directory's script execute permission: in Application Settings, under Execute permissions, change the default "Scripts only" to "None", so that only static pages are served. By analogy, directories that do not need ASP, such as the database directory and the image directory, can be treated the same way. This is mainly to limit the damage when the site's application scripts have bugs, such as the upfile vulnerabilities seen in the past; it cannot stop them entirely, but it reduces the effect of the vulnerability to a certain extent.

By default, the permission we usually give to each site's web directory is read and write for the IIS user, as shown in the figure:

But now, in order to drive away SQL injection and upload vulnerabilities altogether, we can take the manual approach and set the policy in detail.
1. Give the IIS user read-only permission on the web root. As shown in the figure:

Then give additional write permission on uploadfiles/ or whichever other directory needs to receive uploaded files, and in IIS give that directory no script execute permission. This way, even if the site program has a hole, the intruder cannot write an ASP trojan into the directory. Still, preventing attacks is not that easy, and there is a lot more work to do. With an MS-SQL database this is fine, but with an Access database the directory holding the database, or the database file itself, also needs write permission, and then the database file should not be renamed to .asp. Everyone knows the consequence: once your database path is exposed, that database is a big trojan, which is terrible enough. In fact the rule is simple: keep the .mdb suffix only, and give this directory no script permission in IIS. Then add a mapping rule in IIS, as shown in the figure:


Here you can use any DLL to handle the .mdb suffix mapping, as long as it is not asp.dll, so that others cannot download the database even if they obtain its path. This method can be called the ultimate solution for preventing database downloads.
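The NTFS side of the per-site scheme above (read-only web root, writable upload and Access database directories), as an added example that is not part of the original article; the site root path, the directory names and the per-site IIS user are constructed assumptions:

```batch
@echo off
rem Added example, not from the article: NTFS permissions for one IIS 6 site following the
rem "read-only root, writable upload and database directories" scheme described above.
rem Assumptions (constructed for this example): site root D:\wwwroot\315safe, per-site IIS
rem anonymous user www.315safe.com, upload directory uploadfiles\, Access database
rem directory data\. Uses cacls.exe; run from an administrator cmd.exe session.
rem The IIS side (Execute permissions = None on uploadfiles\ and data\, and the .mdb script
rem mapping) is configured in IIS Manager and is not covered by these ACLs.
setlocal
set ROOT=D:\wwwroot\315safe
set IISUSER=www.315safe.com

rem 1. Web root: replace the inherited ACL so the IIS user gets Read only.
rem    /T applies recursively; /G without /E replaces the ACL instead of editing it.
rem    If the site runs ASPX, the article notes the root also needs the default
rem    permissions for Users, so add Users:R to this list in that case.
echo y| cacls "%ROOT%" /T /G Administrators:F SYSTEM:F "%IISUSER%":R >nul

rem 2. Upload directory: add Change (write) for the IIS user. /E edits the existing ACL.
cacls "%ROOT%\uploadfiles" /T /E /G "%IISUSER%":C >nul

rem 3. Access database directory: the .mdb must be writable, so grant Change here too.
cacls "%ROOT%\data" /T /E /G "%IISUSER%":C >nul

rem Verify: the root should show the IIS user with R, uploadfiles\ and data\ with C.
cacls "%ROOT%"
cacls "%ROOT%\uploadfiles"
cacls "%ROOT%\data"
endlocal
```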