IIS Web server security reinforcement steps

Source: Internet
Author: User

Install and configure Windows Server 2003:

1. Move <systemroot>\System32\cmd.exe to another directory or rename it.
2. Keep as few system accounts as possible; change the default account names (such as Administrator) and their descriptions, and use passwords that are as complex as possible.
3. Set the "Deny access to this computer from the network" user right for: anonymous logon, the built-in Administrator account, Support_388945a0, Guest, and all service accounts that do not belong to the operating system.
4. We recommend granting ordinary users read permission only and giving Full Control only to Administrators and System. This may prevent some legitimate scripts from executing or some write operations from completing; in that case, adjust the permissions on the folders where those files live. Test the permissions on a test machine first, then apply the changes to production with caution.
5. NTFS file permission settings (note that permissions set directly on a file take precedence over the permissions of the containing folder):

File type                                        Recommended NTFS permissions
CGI files (.exe, .dll, .cmd, .pl)                Everyone (Execute); Administrators (Full Control); System (Full Control)
Script files (.asp)                              Everyone (Execute); Administrators (Full Control); System (Full Control)
Include files (.inc, .shtm, .shtml)              Everyone (Execute); Administrators (Full Control); System (Full Control)
Static content (.txt, .gif, .jpg, .htm, .html)   Everyone (Execute); Administrators (Full Control); System (Full Control)
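The following read-only audit script is an added example, not part of the original article, for checking a web root against the table above: it flags content files where a broad principal holds write-class rights, or where Administrators or SYSTEM lack Full Control. The web root path `C:\inetpub\wwwroot` is an assumption; adjust it to the site's home directory.

```powershell
# Added example (not from the original article): read-only audit of a web root's
# NTFS ACLs against the table above. Broad principals should hold no more than
# Read/Execute on content files; Administrators and SYSTEM should hold Full Control.
# $WebRoot is an assumed path; change it to the site's home directory.
param([string]$WebRoot = 'C:\inetpub\wwwroot')

$Rights = [System.Security.AccessControl.FileSystemRights]
$Full   = [int]$Rights::FullControl
# Any of these bits granted to a broad principal exceeds Read/Execute
$WriteClass = [int]($Rights::Write -bor $Rights::Delete -bor
                    $Rights::ChangePermissions -bor $Rights::TakeOwnership)
$Broad = 'Everyone', 'BUILTIN\Users', 'NT AUTHORITY\Authenticated Users'
# Extensions from the table's four content categories
$Extensions = '.exe','.dll','.cmd','.pl','.asp','.inc','.shtm','.shtml',
              '.txt','.gif','.jpg','.htm','.html'

function New-Finding($Path, $Who, $Granted, $Issue) {
    New-Object PSObject -Property @{ File = $Path; Principal = $Who; Rights = $Granted; Issue = $Issue }
}

function Test-WebFileAcl([string]$Path) {
    # Emits one finding per problem on the file; emits nothing when compliant
    $acl = Get-Acl -LiteralPath $Path
    $adminFull = $false; $systemFull = $false
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $who = $ace.IdentityReference.Value
        $r   = [int]$ace.FileSystemRights   # int also covers generic-right values
        if ($Broad -contains $who -and ($r -band $WriteClass) -ne 0) {
            New-Finding $Path $who $ace.FileSystemRights 'Write-class rights for broad principal'
        }
        if ($who -eq 'BUILTIN\Administrators' -and ($r -band $Full) -eq $Full) { $adminFull  = $true }
        if ($who -eq 'NT AUTHORITY\SYSTEM'    -and ($r -band $Full) -eq $Full) { $systemFull = $true }
    }
    if (-not $adminFull)  { New-Finding $Path 'BUILTIN\Administrators' $null 'Missing Full Control' }
    if (-not $systemFull) { New-Finding $Path 'NT AUTHORITY\SYSTEM'    $null 'Missing Full Control' }
}

# PSIsContainer filter keeps this compatible with early PowerShell versions
$Findings = Get-ChildItem -Path $WebRoot -Recurse |
    Where-Object { -not $_.PSIsContainer -and $Extensions -contains $_.Extension.ToLower() } |
    ForEach-Object { Test-WebFileAcl $_.FullName }

if ($Findings) { $Findings | Format-Table Issue, Principal, Rights, File -AutoSize }
else { "All content files under $WebRoot match the recommended NTFS permissions." }
```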

6. Disable the default administrative shares C$ and D$.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareServer, REG_DWORD, 0x0
7. Disable the default ADMIN$ share.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters
AutoShareWks, REG_DWORD, 0x0
8. Restrict the default IPC$ share.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous, REG_DWORD:
0x0 (default): no restriction
0x1: anonymous users cannot enumerate local users
0x2: anonymous users cannot connect to the local IPC$ share
Note: 0x2 is not recommended; some services, such as SQL Server, may fail to start.
9. Grant users only the permissions they actually need. The principle of least privilege is an important security guarantee.
10. Enable the corresponding audit categories under Local Security Policy -> Audit Policy. The recommended settings are:
Account Management: Failure
Logon Events: Success, Failure
Object Access: Failure
Policy Change: Failure
Privilege Use: Failure
System Events: Success, Failure
Directory Service Access: Failure
Account Logon Events: Failure
The downside of auditing is that it only helps if someone actually reviews the records; unread logs make no difference. Too many audit items not only consume system resources but also leave you no time to look at them, which defeats the purpose of auditing. Related settings:
Under Account Policy -> Password Policy, set:
Password must meet complexity requirements: Enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 30 days
Under Account Policy -> Account Lockout Policy, set:
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 20 minutes
Reset account lockout counter after: 20 minutes
11. Configure security auditing in Terminal Services Configuration -> Permissions -> Advanced. Generally, you only need to record logon and logoff events.
12. Unbind NetBIOS from the TCP/IP protocol.
Control Panel -> Network -> Bindings -> NetBIOS Interface -> Disable.
On Windows 2000: Control Panel -> Network and Dial-up Connections -> Local Area Connection -> Properties -> TCP/IP -> Properties -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.
13. Enable TCP/IP filtering on the network connection and open only the necessary ports (such as 80).
14. Disable null sessions on port 139 by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous = 1.
15. Modify the TTL value of outgoing packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL, REG_DWORD, 0-0xff (0-255 decimal; default value: 128)
16. Protect against SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAttackProtect, REG_DWORD, 0x2 (default value: 0x0)
17. Disable processing of ICMP Router Advertisement (router discovery) packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
PerformRouterDiscovery, REG_DWORD, 0x0 (default value: 0x2)
18. Ignore ICMP redirect packets
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirects, REG_DWORD, 0x0 (default value: 0x1)
19. Disable IGMP support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IGMPLevel, REG_DWORD, 0x0 (default value: 0x2)
20. Set the ARP cache aging time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ArpCacheLife, REG_DWORD, 0-0xffffff (seconds; default value: 120 seconds)
ArpCacheMinReferencedLife, REG_DWORD, 0-0xFFFFFFFF (seconds; default value: 600)
21. Disable dead gateway detection
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableDeadGWDetect, REG_DWORD, 0x0 (default value: 0x1)
22. Disable IP routing (forwarding)
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter, REG_DWORD, 0x0 (default value: 0x0)
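The script below is an added example, not part of the original article: a read-only drift report for the registry values recommended in items 6-8, 14 and 16-22 (items 15 and 20 give ranges rather than a single recommended value, so they are not checked). It reports the stored value or, when the value is absent, the documented default, and marks anything that differs from the recommendation.

```powershell
# Added example (not from the original article): report which of the article's
# registry hardening values (items 6-8, 14, 16-22) differ from the recommendation.
# Read-only: it reports drift and changes nothing.
$Lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters'
$Tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Checks = @(
    @{ Path = $Lanman; Name = 'AutoShareServer';     Expected = 0; Default = 1 },
    @{ Path = $Lanman; Name = 'AutoShareWks';        Expected = 0; Default = 1 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
               Name = 'RestrictAnonymous';            Expected = 1; Default = 0 },
    @{ Path = $Tcpip;  Name = 'SynAttackProtect';    Expected = 2; Default = 0 },
    @{ Path = $Tcpip;  Name = 'EnableICMPRedirects'; Expected = 0; Default = 1 },
    @{ Path = $Tcpip;  Name = 'IGMPLevel';           Expected = 0; Default = 2 },
    @{ Path = $Tcpip;  Name = 'EnableDeadGWDetect';  Expected = 0; Default = 1 },
    @{ Path = $Tcpip;  Name = 'IPEnableRouter';      Expected = 0; Default = 0 }
)
# Item 17 is stored per network interface, so add one check per interface key
foreach ($if in Get-ChildItem -Path "$Tcpip\Interfaces") {
    $Checks += @{ Path = $if.PSPath; Name = 'PerformRouterDiscovery'; Expected = 0; Default = 2 }
}

function Get-RegDword($Path, $Name, $Default) {
    # Returns the stored REG_DWORD, or the documented default when the value is absent
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $Default }
    return [int]$item.$Name
}

$Report = foreach ($c in $Checks) {
    $actual = Get-RegDword $c.Path $c.Name $c.Default
    $status = if ($actual -eq $c.Expected) { 'OK' } else { 'DRIFT' }
    New-Object PSObject -Property @{
        Status   = $status
        Setting  = $c.Name
        Expected = $c.Expected
        Actual   = $actual
        Path     = $c.Path -replace '^Microsoft\.PowerShell\.Core\\Registry::', ''
    }
}
$Report | Sort-Object Status, Setting | Format-Table Status, Setting, Expected, Actual, Path -AutoSize
```

Values reported as DRIFT with an Actual equal to the Default column are simply unset; a value that is present but still wrong indicates an earlier change that did not take.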


Install and configure the IIS service:

1. Install only the necessary IIS components (disable the FTP and SMTP services if they are not needed).
2. Enable only the necessary services and Web Service extensions. We recommend the following:

Component (name in the UI): Background Intelligent Transfer Service (BITS) server extension
Setting: Enable
Reason: BITS is the background file transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes to the IIS server, this component is required.

Component (name in the UI): Common Files
Setting: Enable
Reason: IIS requires these files on the IIS server.

Component (name in the UI): File Transfer Protocol (FTP) Service
Setting: Disable
Reason: Allows IIS to provide FTP services. This service is not required on a dedicated IIS server.

Component (name in the UI): FrontPage 2002 Server Extensions
Setting: Disable
Reason: Provides FrontPage support for managing and publishing Web sites. If no Web site uses the FrontPage extensions, disable this component on a dedicated IIS server.

Component (name in the UI): Internet Information Services Manager
Setting: Enable
Reason: The IIS management interface.

Component (name in the UI): Internet Printing
Setting: Disable
Reason: Provides Web-based printer management and allows printer sharing over HTTP. This component is not required on a dedicated IIS server.

Component (name in the UI): NNTP Service
Setting: Disable
Reason: Distributes, queries, retrieves and posts Usenet news articles over the Internet. This component is not required on a dedicated IIS server.

Component (name in the UI): SMTP Service
Setting: Disable
