IIS and SQL Server Security reinforcement

Source: Internet
Author: User
Tags: file transfer protocol, strong password, NTFS permissions
Personal opinion: the settings below should prevent ordinary attacks!
These security settings are pretty extreme! I think it would be hard for an attacker to mess around with this configuration! Pai_^
---------------------------
Steps:
Install and configure Windows Server 2003.
1. Move \System32\cmd.exe to another directory, or rename it;

2. Keep as few system accounts as possible; rename the default accounts (such as Administrator) and change their descriptions, and make the passwords as complex as possible;

3. Deny access to this computer from the network for: anonymous logon; the built-in Administrator account; Support_388945a0; Guest; and all service accounts that do not belong to the operating system.

4. On the Web content, grant ordinary users only Read permission and give only Administrators and System Full Control. This may stop some legitimate scripts from running or some write operations from completing; in that case, adjust the permissions on the specific folders those files live in. Test the permissions on a test machine first, then apply them to production with caution.

5. NTFS file permission settings (note that file permissions take precedence over folder permissions):

File type:
    CGI files (.exe, .dll, .cmd, .pl)
    Script files (.asp)
    Include files (.inc, .shtm, .shtml)
    Static content (.txt, .gif, .jpg, .htm, .html)
Recommended NTFS permissions for the above:
    Everyone (Execute)
    Administrators (Full Control)
    System (Full Control)

6. Disable the default administrative shares for the drives (C$, D$, ...).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer, REG_DWORD, 0x0

7. Disable the default ADMIN$ share.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks, REG_DWORD, 0x0

8. Restrict the default IPC$ share (anonymous access)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous, REG_DWORD:
    0x0  default (no restriction)
    0x1  anonymous users cannot enumerate local users
    0x2  anonymous users cannot connect to the local IPC$ share at all
Note: 2 is not recommended, because some of your services, such as SQL Server, may then fail to start.

9. Grant users only the permissions they really need. The principle of least privilege is an important safeguard of security.

10. Enable the corresponding auditing under Local Security Policy -> Audit Policy. The recommended audit settings are:
    Audit account management: Failure
    Audit logon events: Success, Failure
    Audit object access: Failure
    Audit policy change: Failure
    Audit privilege use: Failure
    Audit system events: Success, Failure
    Audit directory service access: Failure
    Audit account logon events: Failure
The trade-off with audit items: audit too little and there is no record to consult when you need one; audit too much and the entries not only consume system resources but also leave you no time to read them, so the point of auditing is lost. Related settings:
Under Account Policies -> Password Policy, set:
    Password must meet complexity requirements: Enabled
    Minimum password length: 6 characters
    Enforce password history: 5 passwords remembered
    Maximum password age: 30 days
Under Account Policies -> Account Lockout Policy, set:
    Account lockout threshold: 3 invalid logon attempts
    Account lockout duration: 20 minutes
    Reset account lockout counter after: 20 minutes
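The audit, password and lockout settings of item 10 can be applied in one step as a security template, which is the same mechanism Local Security Policy uses. The batch script below is an added example and is not part of the original guide; it writes the template with the values recommended above and applies it with secedit. The file names under %TEMP% are choices of this example. Run it on the server itself from an administrative command prompt.

```batch
@echo off
REM Added example, not from the original guide: apply item 10 (audit policy,
REM password policy, account lockout) as a security template via secedit.
REM File names below are choices of this example.
setlocal
set INF=%TEMP%\iis-hardening.inf
set SDB=%TEMP%\iis-hardening.sdb
set LOG=%TEMP%\iis-hardening.log

REM [Event Audit] values: 0 = no auditing, 1 = success, 2 = failure, 3 = both.
REM [System Access] values are the numbers the guide recommends.
(
echo [Version]
echo signature="$CHICAGO$"
echo Revision=1
echo [System Access]
echo PasswordComplexity = 1
echo MinimumPasswordLength = 6
echo PasswordHistorySize = 5
echo MaximumPasswordAge = 30
echo LockoutBadCount = 3
echo LockoutDuration = 20
echo ResetLockoutCount = 20
echo [Event Audit]
echo AuditAccountManage = 2
echo AuditLogonEvents = 3
echo AuditObjectAccess = 2
echo AuditPolicyChange = 2
echo AuditPrivilegeUse = 2
echo AuditSystemEvents = 3
echo AuditDSAccess = 2
echo AuditAccountLogon = 2
) > "%INF%"

REM Configure only the SECURITYPOLICY area so file and registry ACLs are untouched.
secedit /configure /db "%SDB%" /cfg "%INF%" /areas SECURITYPOLICY /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit reported a problem; see "%LOG%"
) else (
    echo Policy applied. Password and lockout settings now in effect:
    net accounts
)
endlocal
```

Keep the generated .inf alongside your build documentation: re-applying it after a rebuild, or comparing it with `secedit /analyze`, is how you detect drift from the baseline later.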

11. Configure security auditing in Terminal Services Configuration -> Permissions -> Advanced. Generally you only need to record logon and logoff events.

12. Unbind NetBIOS from TCP/IP
Windows NT: Control Panel -> Network -> Bindings -> NetBIOS Interface -> Disable.
Windows 2000 and later: Control Panel -> Network and Dial-up Connections -> Local Area Connection -> Properties -> TCP/IP -> Properties -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.

13. Enable TCP/IP filtering in the network connection's protocol properties and open only the necessary ports (such as 80).

14. Disable null-session connections on port 139 by setting RestrictAnonymous = 1 under HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\LSA in the registry.

15. Modify the TTL value of outgoing packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL REG_DWORD 0-0xff (0-255 decimal; default value: 128)

16. Protect against SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAttackProtect REG_DWORD 0x2 (default value: 0x0)

17. Do not respond to ICMP router advertisement packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
PerformRouterDiscovery REG_DWORD 0x0 (default value: 0x2)

18. Protect against ICMP redirect attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirect REG_DWORD 0x0 (default value: 0x1)

19. Disable IGMP
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IGMPLevel REG_DWORD 0x0 (default value: 0x2)

20. Set the ARP cache aging time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ArpCacheLife REG_DWORD 0-0xffffffff (seconds; default value: 120)
ArpCacheMinReferencedLife REG_DWORD 0-0xffffffff (seconds; default value: 600)

21. Disable dead gateway detection
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableDeadGWDetect REG_DWORD 0x0 (default value: 0x1)

22. Disable IP routing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter REG_DWORD 0x0 (default value: 0x0)
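Items 6 to 8 and 15 to 22 are all registry values, so they are easiest to apply and re-check from a script. The batch file below is an added example, not part of the original guide: it sets the values the guide recommends with reg.exe, walks the per-interface keys for the router-discovery setting, and only displays the values for which the guide gives a range but no target (DefaultTTL, ARP cache timers). Two things in it are assumptions of this example rather than text from the guide: RestrictAnonymous is set to 1 rather than 2, following the guide's own warning about SQL Server, and item 12 (disabling NetBIOS over TCP/IP) is applied through its registry equivalent, NetbiosOptions = 2 on each NetBT interface key, instead of the WINS tab in the UI. The value name is EnableICMPRedirect (the guide spells it with a trailing "s").

```batch
@echo off
REM Added example, not from the original guide: apply the registry settings of
REM items 6-8 and 15-22 with reg.exe on Windows Server 2003. Run from an
REM administrative cmd prompt; TCP/IP and share settings need a reboot.
setlocal
set LANMAN=HKLM\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
set LSA=HKLM\SYSTEM\CurrentControlSet\Control\Lsa
set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
set NETBT=HKLM\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces

REM --- Items 6 and 7: no default drive shares (C$, D$) and no ADMIN$ share ---
reg add "%LANMAN%" /v AutoShareServer /t REG_DWORD /d 0 /f
reg add "%LANMAN%" /v AutoShareWks    /t REG_DWORD /d 0 /f

REM --- Items 8 and 14: anonymous users may not enumerate accounts.
REM     1 rather than 2 (assumption): the guide warns that 2 can break SQL Server.
reg add "%LSA%" /v RestrictAnonymous /t REG_DWORD /d 1 /f

REM --- Items 16, 18, 19, 21, 22: TCP/IP stack hardening ---
reg add "%TCPIP%" /v SynAttackProtect   /t REG_DWORD /d 2 /f
reg add "%TCPIP%" /v EnableICMPRedirect /t REG_DWORD /d 0 /f
reg add "%TCPIP%" /v IGMPLevel          /t REG_DWORD /d 0 /f
reg add "%TCPIP%" /v EnableDeadGWDetect /t REG_DWORD /d 0 /f
reg add "%TCPIP%" /v IPEnableRouter     /t REG_DWORD /d 0 /f

REM --- Item 17: router discovery is per interface, so walk every {GUID} subkey.
REM     reg query prints one full subkey path per line; findstr keeps only the
REM     lines containing "{" (drops the header line and the parent key itself).
for /f "delims=" %%K in ('reg query "%TCPIP%\Interfaces" ^| findstr /i /c:"{"') do (
    reg add "%%K" /v PerformRouterDiscovery /t REG_DWORD /d 0 /f >nul
)

REM --- Item 12, registry equivalent of "Disable NetBIOS over TCP/IP" (assumption
REM     of this example): NetbiosOptions = 2 on each Tcpip_{GUID} interface key.
for /f "delims=" %%K in ('reg query "%NETBT%" ^| findstr /i /c:"{"') do (
    reg add "%%K" /v NetbiosOptions /t REG_DWORD /d 2 /f >nul
)

REM --- Items 15 and 20: the guide gives ranges and defaults but no target value,
REM     so only show the current settings for review.
reg query "%TCPIP%" /v DefaultTTL
reg query "%TCPIP%" /v ArpCacheLife
reg query "%TCPIP%" /v ArpCacheMinReferencedLife

echo Done. Reboot for the share and TCP/IP settings to take effect.
endlocal
```

Running the same script with every `reg add` changed to `reg query` gives a quick compliance check for an already-built server; the `for /f` loops are what make that check cover interfaces added after the original hardening.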

Install and configure the IIS service:

1. Install only the necessary IIS components (disable the FTP and SMTP services if they are not needed).

2. Enable only the necessary services and Web service extensions. The recommended settings are:

Component (name in the UI) / Setting / Reasoning

Background Intelligent Transfer Service (BITS) server extension: Enable. BITS is the background file-transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes on the IIS server, this component is required.

Common Files: Enable. IIS requires these files on the IIS server.

File Transfer Protocol (FTP) Service: Disable. Lets the IIS server provide FTP services. Not required on a dedicated IIS server.

FrontPage 2002 Server Extensions: Disable. Provides FrontPage support for administering and publishing Web sites. Disable this component on a dedicated IIS server unless it hosts FrontPage-extended Web sites.

Internet Information Services Manager: Enable. The IIS administration interface.

Internet Printing: Disable. Provides Web-based printer management and printer sharing over HTTP. Not required on a dedicated IIS server.

NNTP Service: Disable. Distributes, queries, retrieves, and posts Usenet news articles over the Internet. Not required on a dedicated IIS server.

SMTP Service: Disable. Supports e-mail transfer. Not required on a dedicated IIS server.

World Wide Web Service: Enable. Provides Web services, static and dynamic content, to clients. Required on a dedicated IIS server.

Subcomponents of the World Wide Web Service

Component (name in the UI) / Installation option / Reasoning

Active Server Pages: Enable. Provides ASP support. If no Web site or application on the IIS server uses ASP, disable this component, or disable it through Web Service Extensions.

Internet Data Connector: Disable. Provides dynamic content support for files with the .idc extension. If no Web site or application on the IIS server includes .idc files, disable this component, or disable it through Web Service Extensions.

Remote Administration (HTML): Disable. Provides an HTML interface for administering IIS. Using IIS Manager instead eases administration and reduces the attack surface of the IIS server. Not required on a dedicated IIS server.

Remote Desktop Web Connection: Disable. Includes the Microsoft ActiveX control and sample pages for hosting Terminal Services client connections. Using IIS Manager instead eases administration and reduces the attack surface of the IIS server. Not required on a dedicated IIS server.

Server Side Includes: Disable. Supports .shtm, .shtml and .stm files. If no Web site or application running on the IIS server uses files with these extensions, disable this component.

WebDAV: Disable. WebDAV extends the HTTP/1.1 protocol to let clients publish, lock, and manage Web resources. Disable this component on a dedicated IIS server, or disable it through Web Service Extensions.

World Wide Web Service: Enable. Provides Web services, static and dynamic content, to clients. Required on a dedicated IIS server.

3. Keep the IIS directories and Web data off the system disk, on a dedicated partition.

4. Delete unnecessary application mappings in IIS Manager (keep only the necessary ones, such as .asp).

5. Redirect the HTTP 404 "Object Not Found" error page in IIS to a custom .htm file via URL.

6. Web site permission settings (recommended)

Web site permission       Setting
Read                      Allow
Write                     Not allowed
Script source access      Not allowed
Directory browsing        Disabled
Log visits                Disabled
Index this resource       Disabled
Execute permissions       "Scripts only" is recommended

7. Use the W3C Extended log file format with a new log file every day, recording the client IP address, user name, server port, method, URI stem, HTTP status, and user agent. Do not use the default log directory: change the log file path and set its permissions so that only Administrators and System have Full Control.

8. Program security:
1) Code that handles user names and passwords should be encapsulated on the server and appear in as few ASP files as possible; the account used to connect to the database should have the minimum privileges required;
2) For an ASP page that requires authentication, check the file name of the referring page, so that only sessions arriving from the expected previous page can read it;
3) Prevent leakage of the ASP home page's .inc files;
4) Prevent leakage of the .asp.bak files created by UltraEdit (UE) and other editors.

Security updates
Apply all required service packs and install patches regularly (by hand).

Install and configure anti-virus protection
Install NAV 8.1 or later and update its virus definitions at least once a week.

Install and configure firewall protection
The latest version of BlackICE Server Protection is recommended (simple and practical).

Monitoring solution
Install and configure the MOM agent or a similar monitoring solution as required.

Strengthen data backup
Back up the Web data regularly so that it can be restored to the most recent state after an incident.

Consider implementing IPSec filters
Use IPSec filters to block ports.

Internet Protocol Security (IPSec) filters are an effective way to raise a server's security to the required level. This option is recommended in the high-security environment defined in this guide, to further reduce the server's attack surface.

For more information about using IPSec filters, see the other member server hardening procedures in this module.

The following table lists all IPSec filters that can be created on an IIS server in the high-security environment defined in this guide.

Service            Protocol  Source port  Destination port  Source address  Destination address  Action  Mirrored
Terminal Services  TCP       Any          3389              Any             Me                   Allow   Yes
HTTP Server        TCP       Any          80                Any             Me                   Allow   Yes
HTTPS Server       TCP       Any          443               Any             Me                   Allow   Yes

All rules in the table above should be mirrored. This ensures that the replies to any traffic entering the server can also travel back to its source.
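The three rows of the table, expressed as an IPSec policy with netsh ipsec static on Windows Server 2003. This is an added example, not part of the original guide; the policy, filter list, and filter action names are choices of this example. One rule that the table does not list is added here as an assumption: a mirrored "all inbound traffic to Me -> Block" rule. Without it, the three permit rules change nothing, because IPSec only affects traffic that matches some filter; with it, IPSec's rule that the more specific filter wins lets the three permit filters override the catch-all. The script only shows the policy at the end; assigning it is left commented out, because assigning a block-everything policy over a remote session cuts that session off unless its port is among the permitted ones.

```batch
@echo off
REM Added example, not from the original guide: build the IPSec filter table with
REM netsh ipsec static (Windows Server 2003). Names are choices of this example.
REM The catch-all block rule is an assumption, not a row of the guide's table.
setlocal
set POLICY=IIS Hardening

netsh ipsec static add policy name="%POLICY%" description="Permit HTTP, HTTPS and Terminal Services; block everything else"

REM Filter actions referenced by the rules below.
netsh ipsec static add filteraction name="Permit" action=permit
netsh ipsec static add filteraction name="Block" action=block

REM Rows of the table: any source, this host (Me) as destination, mirrored so
REM replies flow back. srcport=0 means any source port.
netsh ipsec static add filterlist name="Allowed Inbound"
netsh ipsec static add filter filterlist="Allowed Inbound" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes description="Terminal Services"
netsh ipsec static add filter filterlist="Allowed Inbound" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes description="HTTP Server"
netsh ipsec static add filter filterlist="Allowed Inbound" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=443 mirrored=yes description="HTTPS Server"

REM Catch-all (assumption of this example): everything else to this host is blocked.
netsh ipsec static add filterlist name="All Inbound"
netsh ipsec static add filter filterlist="All Inbound" srcaddr=any dstaddr=me protocol=any mirrored=yes description="Everything else"

REM The more specific filter wins regardless of rule order, so the permit rule
REM takes precedence over the catch-all block for ports 80, 443 and 3389.
netsh ipsec static add rule name="Permit Allowed Inbound" policy="%POLICY%" filterlist="Allowed Inbound" filteraction="Permit"
netsh ipsec static add rule name="Block All Inbound" policy="%POLICY%" filterlist="All Inbound" filteraction="Block"

REM Review the result; assign only when satisfied, preferably from the console.
netsh ipsec static show policy name="%POLICY%" level=verbose
REM netsh ipsec static set policy name="%POLICY%" assign=y
endlocal
```

If a server later needs another service (for example a SQL Server listener reachable only from the Web tier), add a filter for it to "Allowed Inbound" with the specific source address rather than widening the catch-all; the policy stays readable and every allowed path is visible in `show policy`.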

SQL Server security reinforcement

Procedure / Description

MDAC upgrade
Install the latest MDAC (http://www.microsoft.com/data/download.htm).

Password policy
Because SQL Server cannot rename or delete the sa login, this account must be protected as strongly as possible: give it a very strong password and, preferably, never use sa in database applications. Create a new login with the same privileges as sa to administer the database. Also make a habit of changing passwords regularly. The database administrator should regularly check for logins that do not meet the password requirements, for example with the following SQL:
    USE master
    SELECT name, password FROM syslogins WHERE password IS NULL

Database logging
For the logon events of the core database, select "Security" in the instance properties and set the audit level to All. Both the database log and the operating system log then record the logon events of every account in detail.

Manage extended stored procedures
xp_cmdshell is the most direct way into the operating system, and the biggest back door the database leaves open to it. Remove it with this SQL:
    USE master
    EXEC sp_dropextendedproc 'xp_cmdshell'
If you need this stored procedure later, restore it with:
    EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'

The OLE Automation stored procedures (removing them may make some Enterprise Manager features unavailable) are the following; you can remove all of them if nothing needs them:
    sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
    sp_OAMethod sp_OASetProperty sp_OAStop

Remove the unnecessary registry-access stored procedures. These registry procedures can even read the operating system administrator's password:
    xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues xp_regread xp_regremovemultistring xp_regwrite
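The two checks above (logins without a real password, and which of the listed extended stored procedures still exist) can be run from the command line with osql.exe, the query tool that ships with SQL Server 2000. The batch script below is an added example, not part of the original guide. It assumes the SQL Server 2000 client tools are installed and that it runs under a Windows account that is a sysadmin of the instance; the instance name is a placeholder. It goes a little beyond the guide's query: besides logins whose password column is NULL it also flags logins whose password is an empty string, using pwdcompare, which the NULL test alone misses. The only change it makes, and only when run with the argument "apply", is dropping xp_cmdshell as the guide recommends; the OLE Automation and registry procedures are reported but left for the administrator to decide on.

```batch
@echo off
REM Added example, not from the original guide: audit a SQL Server 2000 instance
REM with osql.exe for (1) logins with NULL or blank passwords and (2) extended
REM stored procedures from the guide's lists that are still present.
REM Assumes Windows authentication (-E) as a sysadmin; INSTANCE is a placeholder.
setlocal
set INSTANCE=(local)
set OSQL=osql -E -S %INSTANCE% -d master -w 200 -n

echo === Logins whose password is NULL or blank ===
REM syslogins.password holds the hash; pwdcompare('', hash) = 1 means the hash is
REM that of the empty string. A NULL hash makes pwdcompare return NULL, hence the
REM explicit IS NULL test alongside it.
%OSQL% -Q "SELECT name, CASE WHEN password IS NULL THEN 'NULL' ELSE 'blank' END AS problem FROM master..syslogins WHERE password IS NULL OR pwdcompare('', password) = 1"

echo === Extended stored procedures from the guide that still exist (xtype X) ===
%OSQL% -Q "SELECT name FROM master..sysobjects WHERE xtype = 'X' AND name IN ('xp_cmdshell', 'sp_OACreate', 'sp_OADestroy', 'sp_OAGetErrorInfo', 'sp_OAGetProperty', 'sp_OAMethod', 'sp_OASetProperty', 'sp_OAStop', 'xp_regaddmultistring', 'xp_regdeletekey', 'xp_regdeletevalue', 'xp_regenumvalues', 'xp_regread', 'xp_regremovemultistring', 'xp_regwrite') ORDER BY name"

if /i not "%~1"=="apply" (
    echo Dry run only. Re-run with the argument "apply" to drop xp_cmdshell.
    goto :eof
)

REM Drop xp_cmdshell if it is still registered. To restore it later, as the guide
REM notes: EXEC sp_addextendedproc 'xp_cmdshell', 'xplog70.dll'
%OSQL% -Q "IF OBJECT_ID('master..xp_cmdshell') IS NOT NULL EXEC sp_dropextendedproc 'xp_cmdshell'"
echo xp_cmdshell dropped.
endlocal
```

Schedule the dry-run form to write its output to a file; a login appearing in the first list or xp_cmdshell reappearing in the second is a change somebody should explain.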

Protection against TCP/IP port scanning
In the instance properties, open the TCP/IP protocol properties and select "Hide SQL Server instance".
On top of that, change the default port 1433.
Combined with an IPSec filter that rejects inbound UDP traffic to port 1434, this hides your SQL Server as far as possible.

Restrict IP addresses for network connections
You can use the operating system's built-in IPSec to protect IP traffic. Restrict IP connections so that only your own IP addresses can access the server and connections to the port from any other IP address are denied.
