IIS and SQL Server Security Hardening

Source: Internet
Author: User
Tags: file transfer protocol, ntfs permissions

Install and configure Windows Server 2003:

1. Move system32\cmd.exe to another directory or rename it.

2. Keep as few system accounts as possible; change the default account names (such as Administrator) and their descriptions, and use passwords that are as complex as possible.

3. Deny access to this computer from the network for: Anonymous Logon; the built-in Administrator account; Support_388945a0; Guest; and all non-operating-system service accounts.

4. We recommend granting ordinary users Read permission only, and giving Full Control only to Administrators and System. This may stop some legitimate scripts from running, or prevent some write operations from completing; in that case, adjust the permissions on the folders that hold those files. Test the permissions on a test machine before applying them, and apply them with caution.

5. NTFS file permission settings (note that file permissions take precedence over folder permissions):

File type                                        Recommended NTFS permissions
-----------------------------------------------  ----------------------------------------------------------------------
CGI files (.exe, .dll, .cmd, .pl)                Everyone (Execute); Administrators (Full Control); System (Full Control)
Script files (.asp)                              Everyone (Execute); Administrators (Full Control); System (Full Control)
Include files (.inc, .shtm, .shtml)              Everyone (Execute); Administrators (Full Control); System (Full Control)
Static content (.txt, .gif, .jpg, .htm, .html)   Everyone (Execute); Administrators (Full Control); System (Full Control)
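The following script is an added example and is not code from the original article. It audits, without changing anything, whether the files under a web root match the table above: only Administrators and SYSTEM hold Full Control, and no other principal holds rights that would let it modify content or its ACL (this generalizes the table's Everyone row to every non-administrative principal). It assumes PowerShell 2.0 or later, and $WebRoot is a placeholder for your content directory.

```powershell
# Added example, not code from the original article. Read-only check that files under a
# web root carry the NTFS permissions from the table above: only Administrators and
# SYSTEM hold Full Control, and no other principal can modify content.
# Assumes PowerShell 2.0 or later; $WebRoot is a placeholder for your content directory.
$WebRoot = 'D:\wwwroot'

# Extension -> category from the table
$classOf = @{ '.exe'='CGI'; '.dll'='CGI'; '.cmd'='CGI'; '.pl'='CGI'; '.asp'='Script';
              '.inc'='Include'; '.shtm'='Include'; '.shtml'='Include'; '.txt'='Static';
              '.gif'='Static'; '.jpg'='Static'; '.htm'='Static'; '.html'='Static' }

$rights  = [System.Security.AccessControl.FileSystemRights]
$full    = $rights::FullControl
# Any of these bits on a non-administrative principal lets content or its ACL be altered
$modify  = $rights::Write -bor $rights::Modify -bor $rights::Delete -bor
           $rights::ChangePermissions -bor $rights::TakeOwnership -bor $full
$trusted = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Test-WebFileAcl([System.IO.FileInfo]$File) {
    $problems = @()
    $hasFull  = @{}
    foreach ($ace in (Get-Acl -Path $File.FullName).Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }   # deny entries never widen access
        $id = $ace.IdentityReference.Value
        if ($trusted -contains $id) {
            if (($ace.FileSystemRights -band $full) -eq $full) { $hasFull[$id] = $true }
        } elseif (($ace.FileSystemRights -band $modify) -ne 0) {
            $problems += "$id can modify content ($($ace.FileSystemRights))"
        }
    }
    foreach ($t in $trusted) { if (-not $hasFull[$t]) { $problems += "$t lacks Full Control" } }
    return ,$problems   # comma keeps an empty result as an empty array
}

Get-ChildItem -Path $WebRoot -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
    $class = $classOf[$_.Extension]
    if ($class -eq $null) { $class = 'Other' }
    foreach ($p in Test-WebFileAcl $_) {
        New-Object PSObject -Property @{ Class=$class; Problem=$p; File=$_.FullName }
    }
} | Format-Table Class, Problem, File -AutoSize
```

Files with no reported problem are omitted, so an empty table means the tree already matches the recommendation.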


6. Disable the default drive shares (C$, D$, and so on).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer, REG_DWORD, 0x0

7. Disable the default ADMIN$ share.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks, REG_DWORD, 0x0

8. Restrict the default IPC$ share.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous, REG_DWORD, 0x0 (default)
0x1: anonymous users cannot enumerate local users
0x2: anonymous users cannot connect to the local IPC$ share
Note: 0x2 is not recommended, because some services, such as SQL Server, may then fail to start.

9. Grant users only the permissions they really need. The principle of least privilege is an important guarantee of security.

10. Enable the corresponding audit categories under Local Security Policy -> Audit Policy. The recommended settings are:
Audit account management: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy change: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit directory service access: Failure
Audit account logon events: Failure
The drawback of auditing is that if there is no record when you need to look, it is of no use at all; but too many audit items not only consume system resources but also leave you no time to review them, so the point of auditing is lost. Related settings:
Under Account Policy -> Password Policy, set:
Password must meet complexity requirements: Enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 30 days
Under Account Policy -> Account Lockout Policy, set:
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 20 minutes
Reset account lockout counter after: 20 minutes
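The following script is an added example and is not code from the original article. It exports the local security policy with secedit and compares the password, lockout and audit settings with the values recommended in item 10, so the policy can be verified on each server rather than inspected by hand. It assumes PowerShell 2.0 or later in an elevated session; the INF key names are those secedit writes in its [System Access] and [Event Audit] sections.

```powershell
# Added example, not code from the original article. Exports the local security policy
# with secedit and compares the password, lockout and audit settings with the values
# recommended in item 10 above. Read-only: the export goes to a temp file that is removed.
# Assumes PowerShell 2.0 or later in an elevated session on the server being checked.
$inf = Join-Path $env:TEMP 'secpol-audit.inf'
secedit /export /cfg $inf /quiet | Out-Null

# Parse the INI-style export into section -> name -> value (secedit writes UTF-16)
$policy = @{}; $section = ''
foreach ($line in Get-Content $inf -Encoding Unicode) {
    if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $policy[$section] = @{} }
    elseif ($section -and $line -match '^\s*([^=\s]+)\s*=\s*(.*?)\s*$') {
        $policy[$section][$matches[1]] = $matches[2]
    }
}
Remove-Item $inf

# [Event Audit] values: 1 = success, 2 = failure, 3 = success and failure
$checks = @(
    @{ S='System Access'; N='PasswordComplexity';    Want='1';  Ui='Password must meet complexity requirements: Enabled' },
    @{ S='System Access'; N='MinimumPasswordLength'; Want='6';  Ui='Minimum password length: 6' },
    @{ S='System Access'; N='PasswordHistorySize';   Want='5';  Ui='Enforce password history: 5' },
    @{ S='System Access'; N='MaximumPasswordAge';    Want='30'; Ui='Maximum password age: 30 days' },
    @{ S='System Access'; N='LockoutBadCount';       Want='3';  Ui='Account lockout threshold: 3' },
    @{ S='System Access'; N='LockoutDuration';       Want='20'; Ui='Account lockout duration: 20 minutes' },
    @{ S='System Access'; N='ResetLockoutCount';     Want='20'; Ui='Reset lockout counter after: 20 minutes' },
    @{ S='Event Audit';   N='AuditAccountManage';    Want='2';  Ui='Audit account management: Failure' },
    @{ S='Event Audit';   N='AuditLogonEvents';      Want='3';  Ui='Audit logon events: Success, Failure' },
    @{ S='Event Audit';   N='AuditObjectAccess';     Want='2';  Ui='Audit object access: Failure' },
    @{ S='Event Audit';   N='AuditPolicyChange';     Want='2';  Ui='Audit policy change: Failure' },
    @{ S='Event Audit';   N='AuditPrivilegeUse';     Want='2';  Ui='Audit privilege use: Failure' },
    @{ S='Event Audit';   N='AuditSystemEvents';     Want='3';  Ui='Audit system events: Success, Failure' },
    @{ S='Event Audit';   N='AuditDSAccess';         Want='2';  Ui='Audit directory service access: Failure' },
    @{ S='Event Audit';   N='AuditAccountLogon';     Want='2';  Ui='Audit account logon events: Failure' }
)
$results = foreach ($c in $checks) {
    $sec    = $policy[$c.S]
    $actual = if ($sec) { $sec[$c.N] } else { $null }
    if ($actual -eq $null) { $actual = '(not set)' }
    $status = if ($actual -eq $c.Want) { 'OK' } else { 'FIX' }
    New-Object PSObject -Property @{ Status=$status; Setting=$c.Ui; Actual=$actual; Expected=$c.Want }
}
$results | Format-Table Status, Setting, Actual, Expected -AutoSize
```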

11. Configure security auditing under Terminal Services Configuration -> Permissions -> Advanced -> Auditing. Generally, you only need to record logon and logoff events.

12. Unbind NetBIOS from the TCP/IP protocol.
Control Panel -> Network -> Bindings -> NetBIOS Interface -> Disable. On Windows 2000: Control Panel -> Network and Dial-up Connections -> Local Area Connection -> Properties -> TCP/IP -> Properties -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.

13. Enable TCP/IP filtering in the network connection's protocol properties, and open only the necessary ports (such as 80).

14. Disable null sessions on port 139 by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1.

15. Modify the TTL value of outgoing packets.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL, REG_DWORD, 0-0xff (0-255 decimal; default value: 128)

16. Protect against SYN flood attacks.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAttackProtect, REG_DWORD, 0x2 (default value: 0x0)

17. Do not respond to ICMP router advertisement packets.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
PerformRouterDiscovery, REG_DWORD, 0x0 (default value: 0x2)

18. Protect against ICMP redirect attacks.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirects, REG_DWORD, 0x0 (default value: 0x1)

19. Disable IGMP support.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IGMPLevel, REG_DWORD, 0x0 (default value: 0x2)

20. Set the ARP cache aging time.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ArpCacheLife, REG_DWORD, 0-0xffffffff (seconds; default value: 120 seconds)
ArpCacheMinReferencedLife, REG_DWORD, 0-0xffffffff (seconds; default value: 600)

21. Disable dead gateway detection.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableDeadGWDetect, REG_DWORD, 0x0 (default value: 0x1)

22. Disable IP routing (packet forwarding).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter, REG_DWORD, 0x0 (default value: 0x0)
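The following script is an added example and is not code from the original article. It audits every registry value in the list above that has a recommended setting (the share, RestrictAnonymous and TCP/IP items; DefaultTTL and the ARP timers have no single recommended value and are left out), treating an absent entry as the Windows default the list gives. It assumes PowerShell 2.0 or later in an elevated session on the server being checked and changes nothing.

```powershell
# Added example, not code from the original article. Read-only audit of the registry
# values with a recommended setting in items 6-8, 14 and 16-22 above; it changes nothing.
# Assumes PowerShell 2.0 or later in an elevated session on the server being checked.
$tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Name, key, recommended value, and the value Windows applies when the entry is absent
$checks = @(
    @{ Name='AutoShareServer';     Path=$lanman; Want=0; Default=1 },
    @{ Name='AutoShareWks';        Path=$lanman; Want=0; Default=1 },
    @{ Name='RestrictAnonymous';   Path=$lsa;    Want=1; Default=0 },
    @{ Name='SynAttackProtect';    Path=$tcpip;  Want=2; Default=0 },
    @{ Name='EnableICMPRedirects'; Path=$tcpip;  Want=0; Default=1 },
    @{ Name='IGMPLevel';           Path=$tcpip;  Want=0; Default=2 },
    @{ Name='EnableDeadGWDetect';  Path=$tcpip;  Want=0; Default=1 },
    @{ Name='IPEnableRouter';      Path=$tcpip;  Want=0; Default=0 }
)
# Item 17 is set per network interface, so add one check for each interface subkey
foreach ($iface in Get-ChildItem "$tcpip\Interfaces") {
    $checks += @{ Name='PerformRouterDiscovery'; Want=0; Default=2;
                  Path="$tcpip\Interfaces\$($iface.PSChildName)" }
}

function Get-DwordOrDefault($Path, $Name, $Default) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $Default }   # entry absent: the built-in default applies
    return [int]$item.$Name
}

$results = foreach ($c in $checks) {
    $actual = Get-DwordOrDefault $c.Path $c.Name $c.Default
    $status = if ($actual -eq $c.Want) { 'OK' } else { 'FIX' }
    New-Object PSObject -Property @{ Status=$status; Setting=$c.Name; Actual=$actual;
                                     Expected=$c.Want; Key=$c.Path }
}
$results | Sort-Object Status -Descending | Format-Table Status, Setting, Actual, Expected, Key -AutoSize
```

Rows marked FIX are the entries to set (or create as REG_DWORD) with the Expected value; reboot afterwards, since the TCP/IP parameters are read at stack initialization.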

Install and configure the IIS service:

1. Install only the necessary IIS components (disable the FTP and SMTP services if they are not needed).

2. Enable only the necessary services and Web Service Extensions. The recommended settings are:

Component name in the UI / Setting / Rationale

Background Intelligent Transfer Service (BITS) server extension: Enable
BITS is the background file transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes to the IIS server automatically, this component is required.

Common Files: Enable
IIS requires these files; they must be enabled on the IIS server.

File Transfer Protocol (FTP) Service: Disable
Allows the IIS server to provide FTP services. This service is not required on a dedicated IIS server.

FrontPage 2002 Server Extensions: Disable
Provides FrontPage support for managing and publishing Web sites. If no Web site uses the FrontPage extensions, disable this component on a dedicated IIS server.

Internet Information Services Manager: Enable
The IIS management interface.

Internet Printing: Disable
Provides Web-based printer management and allows printer sharing over HTTP. This component is not required on a dedicated IIS server.

NNTP Service: Disable
Distributes, queries, retrieves, and posts Usenet news articles over the Internet. This component is not required on a dedicated IIS server.

SMTP Service: Disable
Supports e-mail transfer. This component is not required on a dedicated IIS server.

World Wide Web Service: Enable
Provides Web services, static and dynamic content, to clients. This component is required on a dedicated IIS server.

Subcomponents of the World Wide Web Service

Component name in the UI / Installation option / Rationale

Active Server Pages: Enable
Provides ASP support. If no Web site or application on the IIS server uses ASP, disable this component, or disable it through Web Service Extensions.

Internet Data Connector: Disable
Provides dynamic content support for files with the .idc extension. If no Web site or application on the IIS server includes .idc files, disable this component, or disable it through Web Service Extensions.

Remote Administration (HTML): Disable
Provides an HTML interface for managing IIS. Using IIS Manager instead makes management easier and reduces the attack surface of the IIS server. This function is not required on a dedicated IIS server.

Remote Desktop Web Connection: Disable
Includes the Microsoft ActiveX® control and sample pages for managing Terminal Services client connections. Using IIS Manager instead makes management easier and reduces the attack surface of the IIS server. This component is not required on a dedicated IIS server.

Server Side Includes: Disable
Supports .shtm, .shtml and .stm files. If no Web site or application running on the IIS server uses files with these extensions, disable this component.

WebDAV: Disable
WebDAV extends the HTTP/1.1 protocol to allow clients to publish, lock, and manage Web resources. On a dedicated IIS server, disable this component, or disable it through Web Service Extensions.

World Wide Web Service: Enable
Provides Web services, static and dynamic content, to clients. This component is required on a dedicated IIS server.

3. Separate the IIS directories and data from the system disk, and store them on a dedicated disk partition.

4. Delete unnecessary application mappings in IIS Manager (keep only the necessary ones, such as .asp).

5. Redirect the IIS HTTP 404 "Object Not Found" error page to a custom HTM file via URL.

6. Web site permission settings (recommended)

Web site permission: Setting

Read: Allow

Write: Not allowed

Script source access: Not allowed

Directory browsing: Disable

Log visits (log access): Disable

Index this resource: Disable

Execute permissions: we recommend selecting "Scripts only"
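The following script is an added example and is not code from the original article. It reads a site's home-directory settings from the IIS 6 metabase through ADSI and compares them with the recommended permissions in item 6; with $Apply set to $true it writes the recommended values back. It assumes PowerShell 2.0 or later on the IIS 6 server, that 'W3SVC/1' is the site to check (a placeholder), and that the metabase property names listed are the IIsWebVirtualDir properties behind the corresponding IIS Manager check boxes.

```powershell
# Added example, not code from the original article. Compares a site's home-directory
# settings in the IIS 6 metabase with the recommended permissions above (item 6).
# Assumes PowerShell 2.0 or later on the IIS 6 server; the site id is a placeholder, and
# the property names are assumed to be the IIsWebVirtualDir properties behind the UI options.
$SitePath = 'IIS://localhost/W3SVC/1/Root'   # placeholder: site 1's home directory
$Apply    = $false                            # set to $true to write the recommended values
$dir = [ADSI]$SitePath

# Metabase property, recommended value, and the matching IIS Manager setting
$expected = @(
    @{ Prop='AccessRead';        Want=$true;  Ui='Read: Allow' },
    @{ Prop='AccessWrite';       Want=$false; Ui='Write: Not allowed' },
    @{ Prop='AccessSource';      Want=$false; Ui='Script source access: Not allowed' },
    @{ Prop='EnableDirBrowsing'; Want=$false; Ui='Directory browsing: Disable' },
    @{ Prop='DontLog';           Want=$true;  Ui='Log visits: Disable' },
    @{ Prop='ContentIndexed';    Want=$false; Ui='Index this resource: Disable' },
    @{ Prop='AccessScript';      Want=$true;  Ui='Execute permissions: Scripts only' },
    @{ Prop='AccessExecute';     Want=$false; Ui='Execute permissions: Scripts only (no executables)' }
)

$results = foreach ($e in $expected) {
    $actual = [bool]$dir.Get($e.Prop)          # IADs::Get reads the metabase property
    $status = if ($actual -eq $e.Want) { 'OK' } else { 'FIX' }
    if ($status -eq 'FIX' -and $Apply) {
        $dir.Put($e.Prop, $e.Want)             # staged until SetInfo() commits it
        $status = 'FIXED'
    }
    New-Object PSObject -Property @{ Status=$status; Setting=$e.Ui; Property=$e.Prop;
                                     Actual=$actual; Expected=$e.Want }
}
if ($Apply) { $dir.SetInfo() }                  # write pending changes to the metabase
$results | Format-Table Status, Setting, Property, Actual, Expected -AutoSize
```

Run it first with $Apply left at $false to review the FIX rows; virtual directories below the root carry their own copies of these properties and need the same check with their own path.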


7. The W3C Extended log file format is recommended.
