Getting Started with Win2000 server security

server| Security Author: Shotgun

WIN2000 server is currently one of the more popular server operating systems, but it is not easy to configure Microsoft's operating system securely. This paper attempts to make a preliminary discussion on the security configuration of Win2000 Server.
First, customize their own WIN2000 SERVER;
1. Version of the choice: WIN2000 have a variety of languages, for us, you can choose the English version or Simplified Chinese version, I strongly recommend: in the case of language does not become an obstacle, please be sure to use the English version. You know, Microsoft's products are known as Bugs & Patch, the Chinese version of the bug far more than the English version, and the patch is usually late at least half a month (that is, the general Microsoft released a loophole after your machine will be in unprotected condition for half a month)
2. Component customization: Win2000 installs some common components by default, but it is extremely dangerous for this default installation (Mitnico said he could go to any server that was installed by default, but if your host is the default installation of WIN2000 server, I can tell you that you're dead. You should know exactly what services you need, and just install the services you really need, according to security principles, minimal Service + minimum privileges = maximum security. The minimum component selection required for a typical Web server is to install only the COM Files,iis snap-in,www server component of IIS. If you do need to install additional components, be careful, especially: Indexing Service, FrontPage Server Extensions, Internet service Manager (HTML), these are some of the dangerous services.
3. Managing the selection of applications
Choosing a good remote management software is very important, not only the security requirements, but also the application needs. WIN2000 's Terminal service is a remote control software based on RDP (Remote Desktop Protocol), which is fast, easy to operate and more suitable for routine operation. However, Terminal service also has its shortcomings, because it uses the virtual desktop, plus Microsoft programming is not rigorous, when you use the Terminal service to install software or restart the server and the real desktop interactive operation, often will appear in distress phenomenon, For example: the use of Terminal Service to restart the Microsoft certification server (COMPAQ, IBM, etc.) may be directly off the machine. So, to be on the safe side, I suggest that you be equipped with a remote control software as a supplement, and terminal Service complementary, like pcanywhere is a good choice.

Second, the correct installation of WIN2000 SERVER
1. Partitioning and Logical disk allocation, some friends for the sake of convenience, it is not good to divide the hard disk into a logical disk, all software is installed on C drive, it is very bad, it is recommended to establish a minimum of two partitions, a system partition, an application partition, because Microsoft's IIS often have leaks source/overflow vulnerabilities, If you put the system and IIS on the same drive, it can cause the system files to leak and even the intruder will get admin remotely. The recommended security configuration is to create three logical drives, the first larger than 2G, to install the system and important log files, the second to put IIS, the third place FTP, so that no matter whether IIS or FTP out of security vulnerabilities will not directly affect the system directory and system files. You know, IIS and FTP are external services and are more prone to problems. The main purpose of separating IIS from FTP is to prevent intruders from uploading programs and running them from IIS. (This may cause the program developers and editors to worry about him, anyway, you are Administrator J)
2. Selection of installation order: Don't think: What's important in order? As long as the installation is good, how to install all can. Wrong! There are several sequences of Win2000 in the installation that must be noted:
First, when to access the network: Win2000 in the installation of a vulnerability, after you enter the administrator password, the system has established a admin$ share, but did not use the password you have just entered to protect it, this situation continues until you start again, during this period, Anyone can enter your machine through admin$, and as soon as the installation completes, the various services will automatically run, and at this time the server is covered with loopholes, very easy to enter, therefore, in the fully installed and configured Win2000 Server, must not connect the host to the network.
Second, the installation of patches: patches should be installed after all applications installed, because the patch is often to replace/modify some system files, if the first installation of the patch and then install the application may cause the patch can not play a due effect, For example, the hotfix of IIS requires that every change in the configuration of IIS be installed (not abnormal?). ）

Third, security configuration WIN2000 SERVER
Even if the WIN2000 SERVER is installed correctly, the system still has a lot of vulnerabilities and needs to be carefully configured.
1. Port: The port is the computer and the external network connection logical interface, is also the computer's first barrier, the port configuration right or not directly affects the host security, generally speaking, only opens you to use the port to be safe, configures the method is in the network card attribute-tcp/ip-advanced-the option-tcp/ TCP/IP filtering is enabled for Win2000, but there is one bad feature for port filtering for ports: it can only specify which ports to open and which ports to shut down, which is more painful for users who need to open a large number of ports.
2. Iis:iis is the most vulnerable component of Microsoft, an average of two or three months will be a loophole, and Microsoft's IIS default installation is really not flattering, so the configuration of IIS is our focus, now everyone follow me:
First of all, the C disk that what Inetpub directory completely deleted, in D set up a inetpub (if you do not trust the default directory name can also change a name, but you should remember) in IIS Manager to point to the main directory D:\Inetpub;
Second, the IIS installation is the default of what scripts virtual directories such as delete all (the source of evil, forget the Http://www.target.com/scripts/..%c1%1c../winnt/system32/cmd.exe?) Although we have moved the Inetpub from the system disk, but is also carefully for the above, if you need any permission directory can be built on their own, what permissions to open what. (Pay special attention to write permission and execute program's permission, do not absolutely need not give)
Third, application configuration: Remove any unwanted mappings that are required in IIS Manager, and must refer to ASP, ASA, and other file types you really need to use, such as stml (using server side include), actually 90% The host has the above two mapping is enough, the rest of the map almost every one has a miserable story: HTW, HTR, IDQ, Ida ... Want to know these stories? Check out the previous vulnerability list. What the? Can't find where to delete? In IIS Manager, right-click the host-> Property->www service Edit-> Home directory configuration-> application mapping, and then start deleting it (it's not all selected, hehe). Then change the script error message to send text in the application debug bookmark in the window just now (unless you want the user to know your program/network/database structure when the ASP goes wrong) what does the error text write? Whatever you like, you can do it yourself. Click OK to exit and don't forget to let the virtual site inherit the attributes you set.
In order to deal with the increasing number of CGI vulnerability scanners, there is also a small trick to refer to, in IIS, the HTTP404 Object not found error page is redirected to a custom HTM file by URL, so that most of the current CGI vulnerability scanners will fail. In fact, the reason is simple, most CGI scanners are written in order to facilitate, by looking at the return page of the HTTP code to determine whether the vulnerability exists, for example, The famous IDQ loophole is generally by taking 1.idq to check, if return HTTP200, it is considered to have this loophole, conversely if return HTTP404 to think that does not, if you through the URL will HTTP404 error information redirect to http404.htm file, then all scan regardless of exists loophole will return Back to Http200,90% 's CGI scanner will think you have any loopholes, the results instead of masking your real loophole, so that intruders at a loss nowhere to start (martial arts novels often say that the loopholes are impeccable, is this the state? But personally, I think it's much more important to do a good job of security than a little trick like that.
Finally, to be on the safe side, you can use the backup function of IIS to back up all the settings you just set up, so you can restore the security configuration of IIS at any time. Also, if you are afraid that the overload of IIS causes the server to panic at full capacity, you can also turn on CPU limits in performance, such as limiting IIS's maximum CPU usage to 70%.

3. Account Security:
WIN2000 's account security is another priority, first of all, Win2000 's default installation allows any user to obtain the system all account/share list through the empty user, this originally is for the convenience of the LAN user to share the file, but a remote user can also obtain your user list and uses the brute force method to crack the user password Many friends know that you can change the registry local_machine\system\currentcontrolset\control\lsa-restrictanonymous = To prevent 139 null connections, In fact, the Win2000 Local Security policy (if the domain server is in Domain Server security and Domain Security Policy) has this option RestrictAnonymous (additional restrictions on anonymous connections), this option has three values:
0:none. Rely on Default permissions (None, depending on the default permissions)
1:do not allow enumeration of SAM accounts and shares (does not allow enumeration of SAM accounts and shares)
2:no access without explicit anonymous permissions (access is not allowed without explicit anonymous permissions)
0 This value is the system default, what restrictions are not, remote users can know all of your machine accounts, group information, shared directories, network transfer list (Netservertransportenum, etc., for the server such a setting is very dangerous.)
1 This value allows only non-null users to access SAM account information and share information.
2 This value is supported in the Win2000, it should be noted that if you use this value, your share estimate will be all finished, so I recommend you or set to 1 better.

OK, the intruder can't get our user list now, our account is secure ... Wait, there is at least one account can run the password, this is the system built the administrator, how to do? I changed, in the Computer Management-> user account Right click on the administrator and then renamed, change what you want, as long as you can remember on the line.
No, I have changed the username, how can someone run my administrator's password? Luckily my password is long enough, but this is not the way? Well, it must have been in the local or Terminal service login interface, okay, let's get hkey_local_machine\software\microsoft\windowsnt\currentversion\ The Winlogon item's don ' t display last user name string data is changed to 1 so the system does not automatically display the previous logon username.
Put the server registry Hkey_local_ machine\software\microsoft\ Windowsnt\currentversion\winlogon Item, don ' t Display last User The name string data is modified to 1 to hide the user name from the last login to the console. (Wow, the world is quiet)
　　
5. Security log: I have encountered such a situation, a host was invaded by others, the system administrator asked me to trace the murderer, I log in to see: The Security log is empty, pour, please remember: Win2000 default installation is not open any security audit! Then please go to the Local Security policy-> Audit policy to open the appropriate audit, the recommended audit is:
Account Management failed successfully
Logon event failed successfully
Object access failed
Policy Change failed successfully
Privilege usage failed
System Event failed successfully
Directory Service access failed
Account Logon event failed successfully
The disadvantage of auditing a project is that if you want to see it, there's no record of it. Too much auditing will not only take up system resources but will cause you to not be able to see it, so you lose the meaning of auditing.

Related to this is:
Set in the Account policy-> password policy:
Password complexity requirements Enabled
Minimum password length 6 bits
Enforce password history 5 times
Maximum surviving period of 30 days
In the account strategy-> account lockout policy set:
Account lockout 3 times Error Login
Lock time 20 minutes
Reset lock Count 20 minutes

Similarly, the security log for the Terminal service is not open by default, and we can configure security audits in the Terminal service configration (remote service configuration)-permissions-advanced, generally as long as you log in and log off events.


7. Directory and File permissions:
In order to control the rights of users on the server, but also in order to prevent possible intrusion and overflow, we must also be very careful to set directory and file access rights, NT access rights are divided into: read, write, read and execute, modify, list directory, complete control. By default, most folders are completely open to all users (the Everyone group), and you need to reset permissions according to the needs of the application.
When you are in control of permissions, keep in mind the following principles:
The 1> limit is cumulative: If a user belongs to two groups at the same time, then he has all the permissions allowed by the two groups;
2> denied permissions higher than allowed (Deny policy executes first) if a user belongs to a group that is denied access to a resource, he or she will not be able to access the resource, regardless of how many permissions the other permissions set to him. So please use rejection very carefully, any improper rejection may cause the system not to function properly;
3> file permissions are higher than folder permissions (don't you want to explain this?) ）
4> the use of user groups to control the rights is a mature system administrator must have a good habit;
5> only give the user the real need of the permissions, the principle of minimizing the security is an important guarantee;

8. Prevent DOS:
Changing the following values in registry HKLM\System\CurrentControlSet\Services\Tcpip\Parameters can help you defend against a certain intensity of Dos attacks
SynAttackProtect REG_DWORD 2
EnablePMTUDiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300,000
PerformRouterDiscovery REG_DWORD 0
Enableicmpredirects REG_DWORD 0

ICMP attack: ICMP Storm attack and fragmentation attack is also the NT host more headache attack method, in fact, the method is also very simple, Win2000 with a routing & Remote access tools, this tool is the prototype of the router (Microsoft really, What do you have to do? I heard it's going to be a firewall again. In this tool, we can easily define the input and output packet filters, for example, set the input ICMP code 255 discard means discard all the foreign ICMP message (let you fry?) I lost, lost, lost)

Iv. some things to be noted:
In fact, security and application in many cases is contradictory, so you need to find a balance in it, after all, the server is for users rather than open hack, if the security principle hinders the application of the system, then this security principle is not a good principle.
Network security is a system engineering, it not only has the space span, but also has the time span. Many friends (including some system administrators) think that a security-configured host is secure, in fact, there is a misunderstanding: we can only say that a host in a certain period of time is safe, with the network structure changes, the discovery of new vulnerabilities, Administrator/user operations, The security situation of the host is changing anytime and anywhere, so the security consciousness and security system can be truly safe through the whole process.
In this article, I have read a lot of Win2000 security articles during the writing process, and I would like to express my thanks to these authors.


Eight ways to improve the efficiency of IIS 5.0 Web server execution


Here are eight ways to improve the execution efficiency of the IIS 5.0 Web site server:

1. Enabling HTTP persistence can improve the efficiency of 15~20% execution.

2. Not enabling logging can improve the efficiency of 5~8% execution.

3. The use of a [stand-alone] handler can cost 20% of its execution efficiency.

4. Increasing the number of saved files for cache memory can improve the effectiveness of active Server pages.

5. Do not use CGI programs.

6. Increase the number of IIS 5.0 computer CPUs.

7. Do not enable the ASP debugging function.

8. Static Web pages are compressed by HTTP, which can reduce the transmission volume by 20%.

Briefly described below.

1. Enable HTTP to continue to function

When HTTP persistence is enabled (keep-alive), the connection between IIS and the browser is not disconnected and can improve execution efficiency until the connection is disconnected when the browser is closed. Because the "keep-alive" state is maintained, a new connection is not required for each client request, so the efficiency of the server is improved.

This feature is an HTTP 1.1 preset feature, and HTTP 1.0 plus the Keep-alive header can also provide an ongoing function of HTTP.

2. Enabling HTTP's continued role can improve the efficiency of 15~20% execution.

How do you enable HTTP to continue? The steps are as follows:

In Internet Services Administrator, select the entire IIS computer, or Web site, on the home directory page of content, and check the HTTP persistence option.

3. Do not enable logging

Not enabling logging can improve the efficiency of 5~8% execution.

How do I set a record without enabling it? The steps are as follows:

In Internet Services Administrator, select the entire IIS computer, or Web site, on the home directory page of content, and uncheck the Enable logging option.

Set up a non-independent handler

Using a [standalone] handler loses 20% of the execution efficiency, where the term "standalone" means that the Application Protection option for the home directory, virtual directory page is set to [High (independent)]. Therefore, when application protection is set to low (IIS handlers), the execution is more efficient and the setting screen is as follows:

How do I set up a non "independent" handler? The steps are as follows:

In Internet Services Administrator, select the entire IIS computer, Web site, or the start directory for the application. For the [content] [home directory], [virtual directory] page, set the Application Protection option to [Low (IIS handler)].

4, adjust cache memory

IIS 5.0 temporarily registers static Web page data in cache memory, and IIS 4.0 temporarily saves static Web data in the file. Adjusting cache memory number of saved files can improve execution efficiency.

After the ASP instruction file is executed, it will be stored in cache memory to improve performance. Increasing the number of saved files for cache memory can improve the effectiveness of active Server pages.

You can set the number of cache memory files for all applications that are executed on the entire IIS computer, the standalone "web platform, or the standalone application program.

How to set cache function? The steps are as follows:

In Internet Services Administrator, select the entire IIS computer, the starting directory for the standalone "web platform, or standalone application. In the [content] of the home directory, the virtual directory page, when the [Set] button is pressed, you can set the [command file cache memory] from the [Handler options] page.

How do I set the number of cache memory files? The steps are as follows:

In Internet Services Administrator, select the entire IIS computer, or the start directory for the Web site. On the [Server Extensions] page of [content], press the [Set] button.

You can set the number of cache memory files.

5. Do not use CGI program

When using a CGI program, execution is inefficient because the handler (process) has to be constantly generated and destroyed.

In general, the efficiency of implementation is compared as follows:

Static Web page (static): 100

Isapi:50

Asp:10

Cgi:1

In other words, ASPs can be 10 times times faster than CGI, so don't use CGI programs to improve the efficiency of IIS execution.

In terms of elasticity (flexibility): ASP > CGI > ISAPI > Static Web page (static).

For security purposes: ASP (standalone) = ISAPI (standalone) = CGI > ASP (non-standalone) = ISAPI (not standalone) = static Web page (static).

6, increase the number of IIS 5.0 computer CPU

According to Microsoft's test report, increase the number of IIS 4.0 computer CPU, execution efficiency does not improve how much, but increase the number of IIS 5.0 computer CPU, execution efficiency will be almost proportional to provide, in other words, two CPUs of IIS 5.0 computer execution efficiency is almost twice times the CPU computer, The four-CPU IIS 5.0 computer performs nearly four times times the efficiency of a CPU computer.

IIS 5.0 temporarily registers static Web page data in cache memory, and IIS 4.0 temporarily saves static Web data in the file. Adjusting cache memory number of saved files can improve execution efficiency.

7, Enable ASP debugging features

Do not enable ASP debugging features to improve execution efficiency.

How do you not enable ASP debugging features? The steps are as follows:

In Internet Services Administrator, select the Web site, or the starting directory for the application, right-click to select content, press [home directory], [virtual directory] or [directory] page, press [Set] button, select [Application Debug] page, uncheck [Enable ASP server-side instruction debugging], enable ASP client command debugging option.

8, static Web page using HTTP compression

Static Web pages are compressed with HTTP, which can reduce traffic by 20%.

The HTTP compression feature is enabled or closed and is set for the entire IIS server.

The HTTP compression feature is available to the client using the IE 5.0 browser to connect to the Web server that has HTTP compression IIS 5.0 enabled.

How do I enable the HTTP compression feature? The steps are as follows:

To enable HTTP compression, select [content] for your computer in [Internet Service Admins], and select [WWW service] under [main content]. Then click the [Edit] button, and on the Services page, choose [Compress static files] to compress the static files and not select [Compress application files].

Dynamically generated content files (compressed application files) can also be compressed, but require additional CPU processing time, if% Processor times already 80% or more, it is recommended not to compress.