Install and configure Windows Server 2003.
1. Move `%SystemRoot%\System32\cmd.exe` to another directory or rename it. Check afterwards that the change has stuck, because Windows File Protection can restore protected system files from its cache.
2. Keep the number of accounts on the system as small as possible. Rename the built-in accounts (such as Administrator), change their descriptions, and use passwords that are as complex as possible.
3. Assign the user right "Deny access to this computer from the network" to: Anonymous Logon; the built-in Administrator account; Support_388945a0; Guest; and every service account that is not part of the operating system.
4. For content directories, grant ordinary users Read only, and give Full Control only to Administrators and SYSTEM. This can stop some legitimate scripts from running or prevent some write operations from completing; in that case, adjust the permissions of the folders those files live in. Test the permissions on a test machine before making the changes, then apply them with caution.
5. NTFS file permission settings (note that an explicit permission on a file takes precedence over the permission inherited from its folder):

| File type | Recommended NTFS permissions |
|---|---|
| CGI files (.exe, .dll, .cmd, .pl) | Everyone (Execute), Administrators (Full Control), System (Full Control) |
| Script files (.asp) | Everyone (Execute), Administrators (Full Control), System (Full Control) |
| Include files (.inc, .shtm, .shtml) | Everyone (Execute), Administrators (Full Control), System (Full Control) |
| Static content (.txt, .gif, .jpg, .htm, .html) | Everyone (Read), Administrators (Full Control), System (Full Control) |
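As an added example (not code from the original page), the following PowerShell script applies the table above to every file under a web root. The web-root path `C:\Inetpub\wwwroot`, the `-Apply` switch and the choice of Read & Execute for the "Execute" rows are assumptions made for the example; it assumes Windows PowerShell 2.0 or later is installed on the server. Without `-Apply` it only prints the current ACL next to the intended one, which is the "test first" step recommended in item 4.

```powershell
# Added example, not code from the original page. Applies the NTFS permission table
# above to every file under a web root. The path, the -Apply switch and the use of
# Read & Execute for the "Execute" classes are assumptions made for this example.
# Assumes Windows PowerShell 2.0 or later is installed on the server.
param(
    [string]$WebRoot = 'C:\Inetpub\wwwroot',   # assumed location of the site content
    [switch]$Apply                             # report only unless -Apply is given
)

$FullControl = [System.Security.AccessControl.FileSystemRights]::FullControl

# Extension classes from the table; anything not listed is treated as static content.
$ExecuteExtensions = @('.exe', '.dll', '.cmd', '.pl',   # CGI files
                       '.asp',                          # script files
                       '.inc', '.shtm', '.shtml')       # include files
$ReadExtensions    = @('.txt', '.gif', '.jpg', '.htm', '.html')

function Get-EveryoneRights([string]$Extension) {
    # The "Execute" rows need Read as well, or IIS cannot load the file.
    if ($ExecuteExtensions -contains $Extension) {
        return [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    }
    return [System.Security.AccessControl.FileSystemRights]::Read
}

function New-ContentSecurity($EveryoneRights) {
    $sec = New-Object System.Security.AccessControl.FileSecurity
    # Break inheritance so the file carries exactly the three ACEs from the table;
    # an explicit file ACL takes precedence over whatever the folder grants.
    $sec.SetAccessRuleProtection($true, $false)
    $entries = @(
        @{ Who = 'Everyone';               Rights = $EveryoneRights },
        @{ Who = 'BUILTIN\Administrators'; Rights = $FullControl },
        @{ Who = 'NT AUTHORITY\SYSTEM';    Rights = $FullControl }
    )
    foreach ($e in $entries) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule `
                    -ArgumentList $e.Who, $e.Rights, 'Allow'
        $sec.AddAccessRule($rule)
    }
    return $sec
}

$files = Get-ChildItem -Path $WebRoot -Recurse | Where-Object { -not $_.PSIsContainer }
foreach ($file in $files) {
    $wanted  = Get-EveryoneRights $file.Extension.ToLower()
    $current = $file.GetAccessControl().Access |
               ForEach-Object { '{0}:{1}' -f $_.IdentityReference, $_.FileSystemRights }
    Write-Output ("{0}`n  current: {1}`n  wanted:  Everyone:{2}, Administrators:FullControl, SYSTEM:FullControl" -f
                  $file.FullName, ($current -join ', '), $wanted)
    if ($Apply) {
        # FileInfo.SetAccessControl writes the protected DACL built above.
        $file.SetAccessControl((New-ContentSecurity $wanted))
    }
}
```

Run it once without `-Apply` and read the report; anything that a legitimate script needs to write to (item 4) must be handled at folder level before you run it again with `-Apply`.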
6. Disable the default administrative shares (C$, D$ and so on). Under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters`, set AutoShareServer, REG_DWORD, to 0x0 (this is the value honored on server editions).
7. Do not create the ADMIN$ share by default. Under the same key, set AutoShareWks, REG_DWORD, to 0x0 (the workstation-edition counterpart of AutoShareServer; setting both covers either case). Note that IPC$ is not affected by these values.
8. Restrict the IPC$ default share. Under `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`, set RestrictAnonymous, REG_DWORD: 0x0 is the default; 0x1 stops anonymous users from listing local accounts; 0x2 stops anonymous users from connecting to IPC$ at all. Note: 2 is not recommended, because some services (SQL Server, for example) may then fail to start. On Windows Server 2003 the value 2 is no longer used; the equivalent controls there are RestrictAnonymousSAM and EveryoneIncludesAnonymous under the same key.
9. Grant users only the permissions they really need. Least privilege is an important guarantee of security.
10. Enable the relevant auditing in Local Security Policy > Audit Policy. Recommended settings:
   - Audit account management: Failure
   - Audit logon events: Success, Failure
   - Audit object access: Failure
   - Audit policy change: Failure
   - Audit privilege use: Failure
   - Audit system events: Success, Failure
   - Audit directory service access: Failure
   - Audit account logon events: Failure
   The weakness of auditing is that a log nobody looks at is no different from no log at all. Auditing too many categories not only consumes system resources but also leaves you no time to review the records, and then the point of auditing is lost. Related settings in Account Policies > Password Policy:
   - Password must meet complexity requirements: Enabled
   - Minimum password length: 6 characters
   - Enforce password history: 5 passwords remembered
   - Maximum password age: 30 days
   In Account Policies > Account Lockout Policy:
   - Account lockout threshold: 3 invalid logon attempts
   - Account lockout duration: 20 minutes
   - Reset account lockout counter after: 20 minutes
11. Configure security auditing in Terminal Services Configuration > connection properties > Permissions > Advanced > Auditing. In general, only logon and logoff events need to be recorded.
12. Unbind NetBIOS from TCP/IP. Windows NT: Control Panel > Network > Bindings > NetBIOS Interface > Disable. Windows 2000/2003: Control Panel > Network (and Dial-up) Connections > Local Area Connection > Properties > TCP/IP > Properties > Advanced > WINS > Disable NetBIOS over TCP/IP.
13. Enable TCP/IP filtering on the network connection and open only the ports you need (such as 80). Remember to also allow the ports you administer the server over, for example the Terminal Services port used in step 11, or you will lock yourself out.
14. Restrict null sessions on port 139 in the registry: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa`, RestrictAnonymous = 1 (the same value as in step 8; with value 1 anonymous connections are still accepted but cannot enumerate accounts and shares).
15. Set the TTL of outgoing packets: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, DefaultTTL, REG_DWORD, 0-0xff (0-255 decimal; default 128).
16. Mitigate SYN flood attacks: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, SynAttackProtect, REG_DWORD, 0x2 (default 0x0).
17. Do not respond to ICMP router advertisement packets: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>`, PerformRouterDiscovery, REG_DWORD, 0x0 (default 0x2, which lets DHCP decide). This value is per interface.
18. Ignore ICMP redirect packets: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, EnableICMPRedirect, REG_DWORD, 0x0 (default 0x1).
19. Disable IGMP support: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, IGMPLevel, REG_DWORD, 0x0 (default 0x2).
20. Set the ARP cache aging time: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, ArpCacheLife, REG_DWORD, 0-0xFFFFFFFF seconds (default 120); ArpCacheMinReferencedLife, REG_DWORD, 0-0xFFFFFFFF seconds (default 600).
21. Disable dead-gateway detection: `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, EnableDeadGWDetect, REG_DWORD, 0x0 (default 0x1).
22. Disable IP routing (forwarding): `HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters`, IPEnableRouter, REG_DWORD, 0x0 (default 0x0).
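As an added example (not code from the original page), the steps above that set accounts, user rights, audit and password policy, and fixed registry values can be expressed as one security template and applied with secedit.exe, the native Windows Server 2003 tool for local security policy. The `C:\harden` paths, the new names for the built-in accounts, and the presence of PowerShell 2.0 on the server are assumptions for the example; steps whose value is a range rather than a recommendation (15, 20) are left out, and the per-interface value from step 17 is set directly because a template cannot name interface GUIDs.

```powershell
# Added example, not code from the original page. Turns steps 2, 3, 6-10, 14, 16-19,
# 21 and 22 above into a security template and applies it with secedit.exe. Assumed
# for the example: the C:\harden paths, the renamed account names, and that
# PowerShell 2.0 is installed. Run as an administrator; the /analyze pass at the
# end reports any setting that did not take.
$Work = 'C:\harden'
$Inf  = Join-Path $Work 'ws2003.inf'
$Db   = Join-Path $Work 'ws2003.sdb'
$Log  = Join-Path $Work 'ws2003.log'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

function Get-LocalSid([string]$Name) {
    # Resolve an account name to its SID; returns $null if the account does not exist
    # (Support_388945a0 is only present when the Remote Assistance components are installed).
    try {
        $acct = New-Object System.Security.Principal.NTAccount($Name)
        return $acct.Translate([System.Security.Principal.SecurityIdentifier]).Value
    } catch { return $null }
}

# Step 3: deny network logon to Anonymous (S-1-5-7), Guests (S-1-5-32-546), the
# built-in Administrator and Support_388945a0. Add your own non-OS service
# accounts to the name list. SIDs are resolved before the rename in step 2 runs.
$denySids = @('S-1-5-7', 'S-1-5-32-546') +
            @('Administrator', 'Support_388945a0' | ForEach-Object { Get-LocalSid $_ } | Where-Object { $_ })
$denyNetworkLogon = ($denySids | ForEach-Object { '*' + $_ }) -join ','

$template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; step 2: rename the built-in accounts (the new names are assumptions)
NewAdministratorName = "ops-console"
NewGuestName = "unused-guest"
EnableGuestAccount = 0
; step 10: password policy
PasswordComplexity = 1
MinimumPasswordLength = 6
PasswordHistorySize = 5
MaximumPasswordAge = 30
; step 10: account lockout (minutes)
LockoutBadCount = 3
LockoutDuration = 20
ResetLockoutCount = 20

[Event Audit]
; 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure
AuditAccountManage = 2
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditPolicyChange = 2
AuditPrivilegeUse = 2
AuditSystemEvents = 3
AuditDSAccess = 2
AuditAccountLogon = 2

[Privilege Rights]
SeDenyNetworkLogonRight = __DENY_NETWORK_LOGON__

[Registry Values]
; path=type,value  (4 = REG_DWORD); steps 6-8, 14, 16, 18, 19, 21, 22
MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareServer=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters\AutoShareWks=4,0
MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\SynAttackProtect=4,2
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableICMPRedirect=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IGMPLevel=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableDeadGWDetect=4,0
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\IPEnableRouter=4,0
'@

$template = $template -replace '__DENY_NETWORK_LOGON__', $denyNetworkLogon
Set-Content -Path $Inf -Value $template -Encoding Unicode

# Step 17 is a per-interface value, so it is set directly rather than through the template.
$ifRoot = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces'
Get-ChildItem -Path $ifRoot | ForEach-Object {
    Set-ItemProperty -Path $_.PSPath -Name PerformRouterDiscovery -Value 0 -Type DWord
}

# Apply, then re-analyze: lines marked "Mismatch" in the log are settings that did not take.
& secedit.exe /configure /db $Db /cfg $Inf /overwrite /log $Log /quiet
& secedit.exe /analyze   /db $Db /cfg $Inf /log $Log
Get-Content -Path $Log | Select-String -Pattern 'Mismatch'
```

Keeping the template as a file also gives you something to re-run after a service pack or to feed to `secedit /analyze` on other servers to find drift, which is the practical answer to the "too much auditing, no time to look" problem in step 10: check policy state mechanically, read the event log for the few categories you kept.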
Install and configure the IIS service:

1. Install only the IIS components that are actually needed (disable the FTP and SMTP services if they are not wanted).
2. Enable only the necessary services and Web Service Extensions. The recommended component settings are:
| Component name in the UI | Setting | Rationale |
|---|---|---|
| Background Intelligent Transfer Service (BITS) server extensions | Enable | BITS is the background file-transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes to the IIS server, this component is required. |
| Common Files | Enable | IIS requires these files; they must be enabled on the IIS server. |
| File Transfer Protocol (FTP) Service | Disable | Allows IIS to provide FTP services. Not required on a dedicated IIS server. |
| FrontPage 2002 Server Extensions | Disable | Provides FrontPage support for administering and publishing Web sites. Disable this component on a dedicated IIS server if no site uses the FrontPage extensions. |
| Internet Information Services Manager | Enable | Administrative interface for IIS. |
| Internet Printing | Disable | Provides Web-based printer management and allows printers to be shared over HTTP. Not required on a dedicated IIS server. |
| NNTP Service | Disable | Distributes, queries, retrieves and posts Usenet news articles over the Internet. Not required on a dedicated IIS server. |
| SMTP Service | Disable | |
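As an added example (not code from the original page), this PowerShell script stops and disables the IIS 6.0 sub-services the table marks "Disable" (FTP, NNTP, SMTP), then shows what is left of IIS and whether the FTP, SMTP and NNTP ports are still listening. The service short names are the IIS 6.0 ones; the script assumes PowerShell 2.0 is installed and only touches services that are actually present, so it is safe on a box where the components were never installed.

```powershell
# Added example, not code from the original page. Stops and disables the IIS 6.0
# sub-services the table marks "Disable", then lists the remaining IIS services and
# any listener left on ports 21, 25 or 119. Assumes PowerShell 2.0 is installed.
$Unwanted = @{
    'MSFtpsvc' = 'FTP Publishing Service'
    'NntpSvc'  = 'Network News Transfer Protocol (NNTP)'
    'SMTPSVC'  = 'Simple Mail Transfer Protocol (SMTP)'
}
$Keep = 'W3SVC', 'IISADMIN'   # World Wide Web Publishing and the admin service it depends on

foreach ($name in $Unwanted.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $svc) {
        Write-Output "$name ($($Unwanted[$name])) is not installed; nothing to do"
        continue
    }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force }
    # Disabled, not Manual: a Manual service can still be started by a dependent or an attacker.
    Set-Service -Name $name -StartupType Disabled
    Write-Output "$name ($($Unwanted[$name])) stopped and disabled"
}

# Verify. StartMode comes from WMI because the ServiceController object on this
# platform does not expose the startup type.
Get-WmiObject -Class Win32_Service |
    Where-Object { (@($Unwanted.Keys) + $Keep) -contains $_.Name } |
    Format-Table -Property Name, State, StartMode -AutoSize

# Anything still bound to the FTP, SMTP or NNTP ports shows up here (the list should be empty).
netstat -ano | Select-String -Pattern ':(21|25|119)\s+.*LISTENING'
```

Disabling the service is the runtime half of the job; the table's "Disable" also means not installing the component in Add/Remove Windows Components, so that its binaries and Web Service Extensions are absent rather than merely stopped.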