Port restrictions and disk permission settings for Windows 2003 Server security settings

Source: Internet
Author: User
Tags php mysql file permissions

The server has IIS, SERV-U, SQL2000, PHP and MySQL installed.
For most people, these are the services in use.

1. Local security policy or NIC port restrictions
Local security policy:
External -> Local 80
External -> Local 20
External -> Local 21
External -> Local: the ports used for PASV (SERV-U; usually 9000-9049, these 50 ports)
External -> Local 3389
Then open the SQL SERVER and MYSQL ports according to your actual situation:
External -> Local 1433
External -> Local 3306
Local -> External 80
This is the key to the security rules:
External -> Local, all protocols: blocked.


NIC port restrictions:

Enter the TCP ports you need: web port 80, SERV-U port 21, remote desktop port 3389, port 1433 if SQL Server is open to Internet connections, and port 3306 if MySQL is open to remote connections.
Remember: if the remote connection is enabled, you must open port 3389, otherwise you cannot connect remotely. (If you changed port 3389, enter the port you changed it to.)

2. Change the name of the default administrator account.
Rename the administrator account to a name you can remember. The password must be long: at least 8 characters, with uppercase and lowercase letters, and characters.

3. Disk permission settings
Change the permissions on every drive letter (such as C, D, E) so that only the following remain:
Administrators group: all permissions
SYSTEM: all permissions
As shown in the following figure:


Set the C drive permissions:
All sub-directories and files on drive C inherit the Administrators (group or user) and SYSTEM permissions of drive C.
Then modify these directories:
C:/Program Files/Common Files: grant Everyone the default permissions (read and execute, list folder contents).
C:/WINDOWS/: grant Everyone the default three permissions (read, read and execute, list folder contents).
C:/WINDOWS/Temp: grant Everyone modify, read and execute, list folder contents, read, and write.
As shown in the following figure:


Set the permissions on these three directories in this way.


Everyone permissions are present in many other places. Find them one by one and delete them!

The All Users/Default User directories under C:/Documents and Settings, and their sub-directories, are tedious. Go through them carefully.
C:/WINDOWS/PCHealth
C:/windows/Installer
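
An audit pass for the step above, as an added example that is not part of the original article: it walks the whole drive (more than the directories the article names) and lists every directory that still has an explicit Everyone allow entry, except for the rights the article deliberately leaves on the three directories above. The parameter and variable names are hypothetical, and it assumes Windows PowerShell 2.0 or later is installed on the server.

```powershell
# Added example, not from the original article. Read-only: it changes no ACLs.
# Assumptions: Windows PowerShell 2.0 or later, run as an administrator.
# $Root, $Expected and the output column names are made up for this sketch.
param([string]$Root = 'C:\')

$fsr = [Security.AccessControl.FileSystemRights]
# The three directories where the article keeps Everyone, with the most it grants there.
# (Backslashes, because that is how FullName reports the paths.)
$Expected = @{
    'C:\Program Files\Common Files' = $fsr::ReadAndExecute
    'C:\WINDOWS'                    = $fsr::ReadAndExecute
    'C:\WINDOWS\Temp'               = $fsr::Modify
}
$everyoneSid = 'S-1-1-0'               # well-known SID of Everyone, same in every locale
$sync        = [int]$fsr::Synchronize  # present on almost every ACE, not a finding

& {
    Get-Item -LiteralPath $Root -Force
    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.PSIsContainer }
} | ForEach-Object {
    $dir = $_.FullName
    try { $acl = $_.GetAccessControl('Access') } catch { return }  # skip unreadable directories
    # Explicit ACEs only: these are the places where Everyone has to be removed by hand.
    foreach ($ace in $acl.GetAccessRules($true, $false, [Security.Principal.SecurityIdentifier])) {
        if ($ace.IdentityReference.Value -ne $everyoneSid) { continue }
        if ($ace.AccessControlType -ne 'Allow') { continue }
        $rights  = [int]$ace.FileSystemRights -band (-bnot $sync)
        $allowed = 0
        if ($Expected.ContainsKey($dir)) { $allowed = [int]$Expected[$dir] }
        # Bits granted to Everyone beyond what the article allows for this directory.
        $excess = $rights -band (-bnot $allowed)
        if ($excess -ne 0) {
            New-Object PSObject -Property @{
                Path   = $dir
                Rights = $ace.FileSystemRights
                Excess = '0x{0:X}' -f $excess
            } | Select-Object Path, Rights, Excess
        }
    }
}
```

An empty result means no unexpected explicit Everyone entries remain under the chosen root.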


Now a WebShell cannot write any files, such as Trojans and EXE files, into the system directories.
You can also use stricter permissions
by setting permissions on the individual directories under WINDOWS.
But that is relatively complicated, the effect is not obvious, and it also makes you very dizzy (me, for example ^O^).

4. Set system EXE file permissions
Open c:/windows and search for:
Break;
Break;
Runonce.exe1_syskey.exe

Modify the permissions of these files: remove all users and keep only the permissions of Administrators and SYSTEM.
As shown in the following figure:
