Windows NT/2000 Server Optimization

Source: Internet
Author: User
Tags: website, server
Many people now think that Microsoft's products have too many vulnerabilities and that Microsoft's systems are very insecure. I have gathered some experience while configuring the security of various systems, and I share it here. In fact every system has vulnerabilities, but Microsoft has the most users, most of them are not very skilled, and they make no security settings at all, which is why NT/2000 servers on the Internet appear to be so insecure. Once an NT/2000 Server has been through all the security settings below, its security is certainly no worse than that of a *nix system. If you follow the instructions below I can promise you more than 95% security; 100% cannot be guaranteed, and of course you must promptly install every patch, large and small, that Microsoft releases. Well, let's get to it.

I. Preliminaries: custom installation and related settings of the NT/2000 system

Web sites built on NT (2000) account for a large share of all web sites, mainly because of their ease of use and ease of management: a company no longer has to invest heavily in server administration or employ a very professional, highly paid administrator, as it would for UNIX. (Unix administrators will not be unemployed, of course: thanks to its open source code and its speed, which Windows cannot match, almost all large servers still run Unix.) Windows is sufficient for small and medium-sized enterprises, but NT security has always been a prominent problem, leaving every NT-based site feeling as if it stands on thin ice. Here I offer a security solution as my contribution to China's network security. (Note: this solution is designed for the security of NT and 2000 servers used as web sites; it is not suitable for servers on a LAN.)

1. Customize your own NT/2000 Server

(1) Version selection: Win2000 comes in many language versions. For us the choice is between the English and the Simplified Chinese version, and I strongly recommend the English version if language is not an obstacle. Microsoft products are known for their bugs and patches; the Chinese version has more bugs than the English one, and its patches are usually at least half a month late (that is, after Microsoft announces a vulnerability, your machine stays unprotected for half a month).

(2) Component customization: Win2000 installs a set of common components by default, and installing them by default is extremely dangerous. You should know exactly which services you need and install only those, following the security principle: minimum services + minimum permissions = maximum security. The minimum components for a typical web server are the IIS Common Files, the Internet Information Services Snap-In, and the World Wide Web Server. If you really must install other components, be careful, especially with the dangerous ones: the Indexing Service, the FrontPage 2000 Server Extensions, and the Internet Services Manager (HTML).

2. Install the NT/2000 Server correctly

Whether it is NT or 2000, make every hard disk partition NTFS.
Note:
(1) NTFS provides more security controls than FAT partitions: you can set different access permissions on different folders, which improves security.
(2) Install all partitions as NTFS from the start instead of installing them as FAT and converting them to NTFS later. With SP5 or SP6 installed the conversion may fail or even crash the system.
(3) NTFS partitions carry one potential danger: at present most anti-virus software cannot detect and remove viruses on an NTFS partition after booting from a floppy disk, so once the system is infected and no longer boots normally, the consequences are serious. Therefore keep up your anti-virus work in normal times.
(4) Partition and logical disk allocation. Some friends divide the hard disk into a single logical disk to save trouble and put all the software on drive C. This is very bad. Create at least two partitions, one system partition and one application partition, because Microsoft's IIS frequently has source-disclosure and overflow vulnerabilities; if the system and IIS share one drive, system files may leak and an intruder may even obtain Administrator remotely. The recommended secure layout is three logical drives: the first, larger than 2 GB, for the system and the important log files; the second for IIS; the third for FTP. Then, whatever vulnerability IIS or FTP has, the system directory and system files are not directly affected. IIS and FTP are externally facing services and prone to problems; the main purpose of separating IIS from FTP is to stop an intruder from uploading a program through FTP and running it through IIS.
(5) Installation sequence. Win2000 must be installed in a certain order. First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the Administrator password, the system has already created the ADMIN$ share, but does not protect it with the password you just entered; this lasts until the next restart, and during that period anyone can reach your machine through ADMIN$. Moreover, as soon as installation completes, all the services start automatically and the server is open to access. So do not connect the host to the network until Win2000 Server is completely installed and configured. Second, patch installation: install patches only after all applications are installed, because a patch often replaces or modifies system files; if you install the patch before the application, the patch may no longer be effective. For example, the IIS hotfixes require reinstallation whenever the IIS configuration changes.

II. Security configuration of the NT/2000 Server

Even when Win2000 Server is correctly installed, the system still has many vulnerabilities and needs further configuration.

1. Ports: a port is the logical interface between the computer and the external network and the computer's first barrier; whether ports are correctly configured directly affects the security of the host. In general it is safest to open only the ports you need. The setting is in the NIC properties: TCP/IP > Advanced > Options > TCP/IP Filtering. Win2000's port filtering has one bad feature: you can only specify which ports are open, not which ones are closed, which is painful for users who need to open a large number of ports.

2. IIS: IIS is the most vulnerable of Microsoft's components; on average a new vulnerability appears every two or three months, and its default installation is nothing to praise, so configuring IIS is our focus. Let's go through it.
First, delete the Inetpub directory on drive C, create an Inetpub on drive D (you may change the name if you prefer not to use the default, but remember it), and in the IIS manager point the home directory to D:\Inetpub.
Second, delete the default virtual directories such as Scripts that the IIS installation creates. If you need a directory with a certain permission, create it yourself and give it exactly the permission it needs (pay special attention to the Write and Execute permissions: unless there is an absolute need, do not grant them).
Third, application configuration: in the IIS manager remove every application mapping you do not need and keep only the file types you actually use, such as ASP and ASA (and STM/SHTML only if you use server-side includes). In fact those two mappings are enough for 90% of hosts. Almost every other mapping has a sad story behind it: HTW, HTR, IDQ, IDA... want to know the stories? Look at the earlier vulnerability lists. In the IIS manager right-click the host > Properties > WWW Service Edit > Home Directory > Configuration > App Mappings and delete them one by one (multiple selection is not available). Then, on the App Debugging tab of the same window, set the script error message to "Send text error message to client" (unless you want visitors to learn your program, network, and database structure whenever an ASP error occurs). What should the error text say? Whatever you like. When you click OK to exit, do not forget to let the virtual sites inherit the properties you just set. After a new Service Pack is installed, the IIS application mappings must be reset (Note: a service pack restores some application mappings and thereby reintroduces the vulnerabilities; administrators easily overlook this).
To deal with the ever-growing number of CGI vulnerability scanners you can also use this trick: in IIS, redirect the HTTP 404 Object Not Found error page to a custom HTM file via URL. This makes most CGI vulnerability scanners malfunction, for a simple reason: most CGI scanners judge by the HTTP status code, and once the 404 page itself returns HTTP 200, every probe returns 200 whether or not the vulnerability exists. 90% of CGI scanners will then report that you have every vulnerability, which buries your real vulnerabilities and confuses the intruder (a scanner that compares each response with the page returned for a known-nonexistent path is not fooled). Personally, though, I still think solid security settings matter more than tricks of this kind.
Finally, use the backup function of IIS to back up all the settings you just made, so that you can restore the secure IIS configuration at any time. In addition, if you are afraid that an overloaded IIS could bring the server down, you can enable the CPU limit under Performance, for example limiting IIS to at most 70% of the CPU.

3. Account policy:
(1) Use as few accounts as possible and log on with as few accounts as possible;
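The application-mapping cleanup described above, as an added example that is not part of the original article: it targets IIS 7 and later through the WebAdministration module, the successor of the IIS 5 App Mappings dialog. It takes an IIS backup first, lists every server-level handler that is not on an allow-list, removes those handlers when run with -Remove, and turns off ASP error details to the browser. The allow-list of StaticFile and ASPClassic is an assumption that mirrors the article's "ASP and ASA are enough for 90% of hosts"; extend it to what your site really uses, and run it in an elevated shell.

```powershell
# Added example, not from the original article. Audits IIS 7+ handler mappings
# (the modern form of the IIS 5 "Application Mappings") against an allow-list.
# Assumption: only static files and classic ASP are needed (StaticFile, ASPClassic).
param(
    [string[]]$AllowedHandlers = @('StaticFile', 'ASPClassic'),
    [switch]$Remove
)

Import-Module WebAdministration

# Back up applicationHost.config and friends before touching anything
# (the "backup function of IIS" above). Backup names must be unique.
$backupName = 'pre-hardening-' + (Get-Date -Format 'yyyyMMdd-HHmmss')
& "$env:windir\system32\inetsrv\appcmd.exe" add backup $backupName | Out-Null

# Server-level handlers; sites inherit them unless they override the section.
$handlers = Get-WebHandler -PSPath 'IIS:\'

foreach ($h in $handlers) {
    if ($AllowedHandlers -contains $h.Name) { continue }
    # Show the mapping the way the old dialog did: name, extension, processor.
    '{0,-40} {1,-12} {2}' -f $h.Name, $h.Path, $h.ScriptProcessor
    if ($Remove) {
        Remove-WebHandler -Name $h.Name -PSPath 'IIS:\'
    }
}

# ASP errors: log the real message on the server, send only generic text to the
# client (the "send text error message" setting above). Only valid when ASP is installed.
if ($AllowedHandlers -contains 'ASPClassic') {
    Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/asp' `
        -Name 'scriptErrorSentToBrowser' -Value $false
}
# Detailed HTTP error pages only for requests from the server itself.
Set-WebConfigurationProperty -PSPath 'IIS:\' -Filter 'system.webServer/httpErrors' `
    -Name 'errorMode' -Value 'DetailedLocalOnly'
```

Run it without -Remove first and read the list; anything you do not recognise is a mapping you do not need. Because a service pack or feature install can bring handlers back, the same script is also the check to rerun after patching, exactly the point the article makes about resetting mappings after a Service Pack.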
Note: web site accounts are generally used only for system maintenance. Do not keep a single redundant account; every extra account is one more that can be cracked.
(2) Besides Administrator, add one more account that belongs to the Administrators group;
Note: two accounts in the Administrators group give the administrator a backup if the password of one is forgotten. Moreover, if a hacker breaks one account and changes its password, we still have a chance to regain control in the short term.
(3) Strictly control the permissions of all accounts and do not grant special rights to accounts;
(4) Rename Administrator to a name that is hard to guess. Other general accounts should follow the same principle.
Note: this adds one more obstacle for the attacker.
(5) Disable the Guest account, rename it to a complex name, give it a password, and remove it from the Guests group;
Note: some hacking tools exploit the weakness of Guest to escalate from an ordinary user to the Administrators group.
(6) Give every user account a complex password (including system accounts used from outside). A password must be at least 8 characters long and contain letters, numbers, and special characters. Do not use familiar words (such as Microsoft), familiar keyboard sequences (such as qwert), or familiar numbers (such as 2000).
Note: passwords are the focus of hacker attacks; once a password is broken there is no system security at all. Many network administrators overlook this. In our tests a five-character password of letters and digits only was cracked within minutes; the recommended form is far safer.
(7) Change passwords regularly (at least once every two weeks) and keep them in your head; do not write a password down anywhere. In addition, if log review shows an account being tried continuously, change that account (both user name and password) immediately;
(8) Set a lockout count in the account properties, for example lock the account after 5 failed logon attempts. This stops large-scale logon guessing and also alerts the administrator to that account.
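Steps (2), (4) and (5) above as an added example that is not part of the original article: it uses the LocalAccounts cmdlets of Windows 10 / Server 2016 and later (on NT/2000 the same steps are done in User Manager or Computer Management). The accounts are located by their well-known RIDs (500 for the built-in Administrator, 501 for Guest) rather than by name, so it still works on a machine where they were renamed before. The three new names are assumptions; choose your own. Run in an elevated shell.

```powershell
# Added example, not from the original article. Renames the built-in Administrator,
# adds a second Administrators-group account, and neutralises Guest.
# Assumptions: the three names below are placeholders, replace them.
$AdminNewName = 'svc-maint01'    # renamed built-in Administrator (RID 500)
$BackupAdmin  = 'svc-maint02'    # second account in the Administrators group
$GuestNewName = 'zz-disabled'    # renamed, disabled Guest (RID 501)

# Prompt for passwords instead of embedding them in the script.
$adminPwd  = Read-Host -AsSecureString "New password for $AdminNewName"
$backupPwd = Read-Host -AsSecureString "Password for $BackupAdmin"
$guestPwd  = Read-Host -AsSecureString "Throwaway password for $GuestNewName"

# (4) Rename the built-in Administrator. Its SID (...-500) never changes, so the
# rename is only an obstacle; the password is the real protection.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
Rename-LocalUser -Name $builtinAdmin.Name -NewName $AdminNewName
Set-LocalUser    -Name $AdminNewName -Password $adminPwd -PasswordNeverExpires $false

# (2) A second account in the Administrators group as the fallback.
if (-not (Get-LocalUser -Name $BackupAdmin -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name $BackupAdmin -Password $backupPwd -Description 'Backup administrator'
}
Add-LocalGroupMember -Group 'Administrators' -Member $BackupAdmin -ErrorAction SilentlyContinue

# (5) Guest: out of the Guests group, renamed, given a password, disabled.
$guest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }
if (Get-LocalGroupMember -Group 'Guests' -Member $guest.Name -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group 'Guests' -Member $guest.Name
}
Rename-LocalUser  -Name $guest.Name -NewName $GuestNewName
Set-LocalUser     -Name $GuestNewName -Password $guestPwd
Disable-LocalUser -Name $GuestNewName

# Check against rule (1): Administrators should contain the two names above and nothing else.
Get-LocalGroupMember -Group 'Administrators' | Select-Object Name, PrincipalSource
```

The final listing is the check worth keeping: run it after every software install, since setup programs like to add service accounts to Administrators.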
4. Security log: the default installation of Win2000 enables no security auditing at all!
Go to Local Security Policy > Audit Policy and turn on the corresponding audits. The recommended audit settings are:
Audit account management: failure
Audit logon events: success, failure
Audit object access: failure
Audit policy change: failure
Audit privilege use: failure
Audit system events: success, failure
Audit directory service access: failure
Audit account logon events: failure
The drawback of audit entries is that if you never look at them, having them is no different from having none; too many audit entries not only consume system resources but also leave you no time to read them, and the point of auditing is lost. Related settings:
In Account Policy > Password Policy set:
Passwords must meet complexity requirements: enabled
Minimum password length: 6 characters (the account section above asks for 8; use 8)
Enforce password history: 5 passwords remembered
Maximum password age: 30 days
In Account Policy > Account Lockout Policy set:
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 20 minutes
Reset account lockout counter after: 20 minutes
Likewise, the security log of Terminal Services is off by default. Configure it in Terminal Services Configuration > connection properties > Permissions > Advanced > Auditing; generally it is enough to record logon and logoff events.
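The password policy, lockout policy, and audit policy of sections 3 and 4 as one security template, an added example that is not part of the original article. It writes the settings as a secedit INF file and applies it; secedit exists on Windows 2000 and every later version, so this is the scriptable form of the Local Security Policy clicks above. The values are the article's, with the stricter of its two choices where they differ (8 characters, 3 attempts); the one-day minimum password age is my addition and is marked as such. Run in an elevated shell.

```powershell
# Added example, not from the original article. Applies the article's password,
# lockout and audit settings with secedit.
# Assumption: numbers are the article's; adjust to your own policy.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
MinimumPasswordLength = 8
PasswordComplexity = 1
PasswordHistorySize = 5
MaximumPasswordAge = 30
; Not in the article: without a minimum age a user can cycle through five
; passwords in a minute and land back on the old one, defeating the history.
MinimumPasswordAge = 1
LockoutBadCount = 3
LockoutDuration = 20
ResetLockoutCount = 20
[Event Audit]
; 0 = none, 1 = success, 2 = failure, 3 = success and failure
AuditAccountManage = 2
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 2
AuditPrivilegeUse = 2
AuditSystemEvents = 3
AuditDSAccess = 2
AuditAccountLogon = 2
'@

$cfg = Join-Path $env:TEMP 'web-hardening.inf'
$db  = Join-Path $env:TEMP 'web-hardening.sdb'
$log = Join-Path $env:TEMP 'web-hardening.log'

# The [Unicode] header promises a UTF-16 file, so write it that way.
Set-Content -Path $cfg -Value $inf -Encoding Unicode

# /areas SECURITYPOLICY applies only [System Access] and [Event Audit];
# registry values, file ACLs and service settings on the box are untouched.
secedit /configure /db $db /cfg $cfg /areas SECURITYPOLICY /log $log /quiet

# Check: export the effective policy and show the two sections side by side
# with what we asked for; then confirm the audit categories (auditpol is
# Vista / Server 2008 and later).
$effective = Join-Path $env:TEMP 'effective.inf'
secedit /export /cfg $effective /areas SECURITYPOLICY | Out-Null
Get-Content $effective | Select-String -Pattern '^(Minimum|Maximum|Password|Lockout|ResetLockout|Audit)'
auditpol /get /category:*
```

Keep the INF under version control next to the server's build notes: it is both the documentation of the policy and the way to reapply it after a rebuild, which a screenshot of the Local Security Policy dialog is not.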
5. Directory and file permissions: to control what users can do on the server and to contain future intrusions and overflows, we must also carefully set the access permissions of directories and files. NT access permissions are Read, Write, Read & Execute, Modify, List Folder Contents, and Full Control. By default most folders are fully open to all users (the Everyone group); reset the permissions according to the needs of the application.
When controlling permissions, remember the following principles:
1> Permissions are cumulative: if a user belongs to two groups at the same time, the user has every permission allowed to either group;
2> Deny takes precedence over Allow (deny entries are evaluated first). If a user belongs to a group that is denied access to a resource, no other permission granted to him matters: he cannot access that resource. So use Deny with care; an ill-placed Deny can stop the system from working;
3> File permissions take precedence over folder permissions: an explicit permission on a file overrides what the file would inherit from its folder;
4> Controlling permissions through user groups is a good habit of mature system administrators;
5> Grant users only the permissions they really need. The principle of least privilege is an important guarantee of security;
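The permission model of this section applied to the relocated web root, as an added example that is not part of the original article. It uses icacls (Windows Vista / Server 2008 and later; on NT/2000 the equivalent tool is cacls, with a different syntax) to replace the default "Everyone: Full Control" with a minimal ACL, to give a separate upload directory write-but-not-execute access, and to show principle 2 (Deny beats Allow) with one deliberately narrow Deny. The paths D:\inetpub\wwwroot and D:\inetpub\uploads follow the IIS section's advice to move Inetpub to drive D; BUILTIN\IIS_IUSRS is the group modern IIS uses for anonymous requests. All three are assumptions. Run in an elevated shell.

```powershell
# Added example, not from the original article. Sets minimal NTFS ACLs on a
# web root and an upload directory with icacls.
# Assumptions: paths below and the IIS_IUSRS identity; change to match your server.
$WebRoot   = 'D:\inetpub\wwwroot'
$UploadDir = 'D:\inetpub\uploads'
$WebUser   = 'BUILTIN\IIS_IUSRS'

foreach ($d in $WebRoot, $UploadDir) {
    if (-not (Test-Path $d)) { New-Item -ItemType Directory -Path $d | Out-Null }
}

# Web root: Administrators and SYSTEM get Full Control, the web identity gets
# Read & Execute. /inheritance:r drops inherited entries, so the drive root's
# Everyone ACE cannot flow back in; /grant:r replaces existing grants.
icacls $WebRoot /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${WebUser}:(OI)(CI)RX"

# Uploads: the web identity may read and write but gets no execute right,
# so a program smuggled in through the upload form is just a file here.
icacls $UploadDir /inheritance:r /grant:r `
    'BUILTIN\Administrators:(OI)(CI)F' `
    'NT AUTHORITY\SYSTEM:(OI)(CI)F' `
    "${WebUser}:(OI)(CI)R" `
    "${WebUser}:(OI)(CI)W"

# Principle 2: an explicit Deny of execute wins over any Allow the web identity
# may later pick up through a group. (OI)(IO) applies it to files only, not to
# the directory itself, so traversal into the folder still works.
icacls $UploadDir /deny "${WebUser}:(OI)(IO)(X)"

# Check: no Everyone entry should survive anywhere under the web root.
$leftovers = icacls "$WebRoot\*" /T 2>$null | Select-String -Pattern '\bEveryone:'
if ($leftovers) { $leftovers } else { "OK: no Everyone ACEs under $WebRoot" }
```

The NTFS Deny stops uploaded executables from being launched as programs; it does not stop the IIS script engines from interpreting an uploaded .asp, because the engine reads the file rather than executing it. That is why the upload directory also needs Script/Execute access cleared in IIS, as the IIS section recommends for any directory that does not need it.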
6. Install only one operating system. Note: if two or more operating systems are installed, a hacker gets a second way in: use an attack that restarts the machine into the other operating system, which has no security settings (or is the one he is familiar with), and do the damage from there.
7. Install it as a stand-alone server: choose membership of a workgroup, not a domain;
Note: the primary domain controller (PDC) is a way of managing many machines on a LAN. On a web site server it only adds risk: an attacker may exploit a vulnerability in the domain to attack the web server.
8. Keep the partition holding the operating system files separate from the partition holding web data and other applications. It is also recommended not to use the default system directory during installation; for example, change \WINNT to another directory name;
Note: hackers may exploit a web site vulnerability to gain the right to execute certain operating system programs and do greater damage. In addition, if IIS is used, delete all useless mappings in its settings and do not install the Index Service. Preferably do not use Remote Site Management or the Server Extensions; delete the default WWW path together with everything in it and do not use it. Then create a folder on the hard disk for your web site. Remember to turn on W3C logging at the same time (though I suggest using Apache 1.3.24).
During system installation follow the principle of least service: do not select useless services, so that the system is a minimal installation. One more service is one more risk, so do not install useless components!
9. About patches: in NT, once a service pack is installed, if you later add Windows components from the NT CD you must reinstall the service pack; 2000 does not have this requirement.
Note:
(1) The latest patch means a major vulnerability was found in the system that earlier patches did not cover. Servers on a LAN may lag behind, but a web site must always have the latest patch installed; otherwise hackers exploit the vulnerabilities of earlier versions to threaten the system. This is a point administrators easily overlook;
(2) NT with SP5 or SP6 has a hidden threat: once the system crashes and NT is reinstalled, the installer will not recognize the NTFS partitions, because Microsoft improved NTFS in these two service packs and only Windows 2000 setup recognizes the new format. This can cause a lot of trouble, so back up the data as well.
(3) Install a service pack on a test machine first, to avoid a crash caused by some exception, and back up the data beforehand.
Do not install software unrelated to the web site service;
Note: other applications may have well-known security vulnerabilities.
10. Unbind NetBIOS from TCP/IP. NetBIOS is an indispensable function on a LAN, but on a web site server it is the favourite target of hackers' scanning tools. Method:
NT: Control Panel > Network > Bindings > NetBIOS Interface > Disable
2000: Control Panel > Network and Dial-up Connections > Local Area Connection > Properties > TCP/IP > Properties > Advanced > WINS > Disable NetBIOS over TCP/IP
11. Delete all network shared resources, remove File and Printer Sharing in the connection settings, and leave only the TCP/IP protocol.
Note: by default NT and 2000 share many network resources. They are useful for management and communication on a LAN, but on a web site server they are a serious security risk. (Uninstall "File and Printer Sharing for Microsoft Networks": it is listed in the properties of any connection in Network and Dial-up Connections; select it and click Uninstall to remove the component. Merely clearing its check box is not enough.)
Method:
(1) NT: Administrative Tools > Server Manager > Shared Directories > Stop Sharing;
2000: Control Panel > Administrative Tools > Computer Management > Shared Folders > Stop Sharing.
However, both methods are troublesome: the shares come back every time the server is restarted, so the administrator has to stop them again each time.
(2) Modify the registry:
Run regedit and add a value under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters:

Name: AutoShareServer
Type: REG_DWORD
Value: 0
Restart the server and the drive shares are gone, but the IPC$ share still exists and has to be removed by hand after every restart.
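The network-exposure steps of sections 1 (ports), 10 (NetBIOS) and 11 (shares) in one script, as an added example that is not part of the original article. It targets Windows Server 2012 and later, where Windows Firewall has replaced the TCP/IP Filtering dialog and, unlike it, can express both allow and block rules, and where the shares and bindings have cmdlets. The registry values are the same ones the article gives (AutoShareServer) plus NetbiosOptions, the registry form of "Disable NetBIOS over TCP/IP". Ports 80/443 and the admin network 10.0.0.0/24 are assumptions. Run in an elevated shell.

```powershell
# Added example, not from the original article. Default-deny inbound, NetBIOS
# off, administrative shares off, File and Printer Sharing unbound.
# Assumptions: only TCP 80/443 are public; 10.0.0.0/24 is the admin network.

# --- Ports (section 1): block everything inbound, then allow what is needed.
Set-NetFirewallProfile -All -Enabled True -DefaultInboundAction Block -DefaultOutboundAction Allow
New-NetFirewallRule -DisplayName 'Web: HTTP/HTTPS in' -Direction Inbound `
    -Protocol TCP -LocalPort 80,443 -Action Allow
# Remote administration only from the admin network, never from the Internet.
New-NetFirewallRule -DisplayName 'RDP from admin net' -Direction Inbound `
    -Protocol TCP -LocalPort 3389 -RemoteAddress 10.0.0.0/24 -Action Allow

# --- NetBIOS over TCP/IP (section 10): NetbiosOptions 2 = disable, per interface.
Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
    ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Value 2 -Type DWord }

# --- Administrative shares (section 11): stop re-creating C$, D$, ADMIN$ at boot.
# AutoShareServer is read on server SKUs, AutoShareWks on workstation SKUs.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
Set-ItemProperty -Path $lanman -Name AutoShareServer -Value 0 -Type DWord
Set-ItemProperty -Path $lanman -Name AutoShareWks    -Value 0 -Type DWord

# The registry value only takes effect at the next boot, so remove the shares
# that exist now. IPC$ is left alone; as the article says, it comes back anyway.
Get-SmbShare | Where-Object { $_.Special -and $_.Name -ne 'IPC$' } |
    ForEach-Object { Remove-SmbShare -Name $_.Name -Force }

# --- Unbind File and Printer Sharing (ms_server) and the Microsoft Networks
# client (ms_msclient) from every adapter. TCP/IP (ms_tcpip) stays bound.
Disable-NetAdapterBinding -Name '*' -ComponentID ms_server, ms_msclient

# Check: anything still listening on 139/445 is now reachable only through an
# explicit allow rule, and there is none above; the share list should show IPC$ at most.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 139, 445 }
Get-SmbShare
```

Note the order: the firewall rules go in first, so that the machine is never left with the old shares exposed while the rest of the script runs, and the RDP rule is created before the default inbound action would otherwise lock you out of a remote session.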
12. Change the NTFS security permissions. Note: by default every file on NTFS grants Full Control to Everyone, which lets a hacker add, delete, and execute files as an ordinary user. It is recommended that ordinary users get only Read, and that only Administrators and SYSTEM get Full Control. This may stop some legitimate scripts from running or some write operations from completing; in that case change the permissions of those particular folders and files. Try it on a test machine first, then make the changes with care.
13. Strengthen data backup. Note: this is very important. The core of a site is its data; once the data is damaged the consequences are unimaginable, and data is often what hackers really care about. Unfortunately many network administrators do this badly, with incomplete or late backups. Data backup needs careful planning: develop a policy and test it before putting it into practice, and adjust the backup plan as the web site changes.
14. Keep only the TCP/IP protocol; remove NetBEUI and IPX/SPX. Note: the only communication protocol a web site needs is TCP/IP. NetBEUI is only for LANs, and IPX/SPX is a protocol on its way out; on a web site they are useless and may be used by some hacking tools.
