Securing a Windows 2003 platform-based Web server

Windows-based IIS running Web sites always give people a feeling is fragile. Early IIS does have a lot of problems, but I personally think that since Windows Server 2003 was released, the new security features of IIS6 and Windows Server 2003, improved management capabilities, and system stability have been greatly enhanced. While Microsoft is not ready to develop ASP from Windows Server 2003, especially when it is no longer in good condition for access databases, the advantages of it have forced me to abandon Windows Server. And I don't need to run too many asp+access, because my program is php+mysql (honestly I don't like Microsoft's ASP and ASPNET), and I do trust Windows Server 2003!

Server, website, see these words everyone will think about, not only the performance of more attention is its security issues. Many people can not do a very perfect security reinforcement, because most of the data are from the Internet, and the Internet information is not so detailed, after all, each server's application environment and operating procedures are different.

I am engaged in the Internet industry only 2 years, during which encountered a lot of problems, I managed the server part is open (public), it is open to the Internet users, so I face more problems! Security first when it wants, the second is the stability of the system, the last is the performance. To know that there are many forms of applications on the server, some of the programs themselves are flawed, the light of the server when the machine, serious threat to the server's entire data security.

For example, there is a Windows server running more than 300 web sites, and for a while it often down machines, discovering that memory leaks are particularly fast, In a few minutes, memory usage soared to 900M or even 1.2G, a time when the server was not reachable by remote, but the server system itself was still running. This problem really gave me a headache for a long time, because if you want to troubleshoot the failure to start from these sites, and the number of sites to hinder my resolution progress. Later, through the Filemon monitoring file read to narrow the scope of the investigation, after the suspicious site isolation, and finally find the point of failure and solve. You know, a little bit of code is going to get the Windows server running IIS5 to hang up! The lower-level applications are changed to the program pool in Windows Servers 2003 so that we can set up a pool for memory and CPU protection. It's this feature that makes me lose a lot of work and the system is a lot more stable.

Another serious problem is security, regardless of any article has a purpose is to try to open the server less ports, and open the necessary services, prohibit the installation of server-independent applications. In Windows server, directory permissions are everyone, and many services run with system privileges, such as Serv-u FTP, an excellent FTP server platform that has been a pain to many people, Its overflow vulnerability could allow intruders to easily gain complete control of the system, and if so? Because the Serv-u FTP service runs with system permissions, the system has more rights than the Administrator, and the registry Sam entry is directly accessible and modified So that intruders can use this feature to easily clone a Super Administrator account in the registry and gain full control of the system.

My goal: To strengthen the Web server system to improve and improve its stability and security.

System environment: Windows Server 2003 Enterprise Edition with Service Pack 1 (W2K3SP1), the Web platform is iis6,ftp platform for Serv-u FTP Server

Install the configuration operating system

Install the operating system, before the installation of the first to adjust the server's BIOS settings, to turn off unwanted I/O, so as to save resources and can avoid some hardware-driven problems. Be sure to disconnect the server from the network and do not access the network until the system has completed its security configuration. If the NIC is a PNP type during installation, you should configure only the TCP/IP protocol for its network properties and turn off NetBIOS on TCP/IP, and you should enable TCP/IP filtering and do not open any TCP ports to provide a more secure guarantee. After the installation of the operating system, the first boot W2K3SP1, will eject the security warning interface, mainly let you immediately upgrade the system update the patch, and configure the Automatic update function, this humanized function is unique to the W2K3SP1, in the absence of this warning window, the system is a safe operation of the State, At this time we should complete the system Online update as soon as possible.

Changing the password of both the administrator and the Guest account makes the password more complex and renaming the two sensitive accounts through the Group Policy tool. Modify location in Group Policy computer configuration-windows settings-security setting-local policies-security options, Doing so will prevent intruders from immediately launching a password-lifting attack on this account.

Servers are usually managed remotely, so I use the system's self-contained component Remote Desktop to manage the system remotely. It is selected because it is the system's own component default installation only need to enable it can be used, support drive mapping, clipboard mapping and other applications, and as long as the client is Windows XP Pro will be connected with the component is very convenient, the main point is that it is free. Of course, third party excellent software is also like: PCAnyWhere, use it to solve the remote Desktop can not work in the local environment mode of the shortcomings. To prevent intruders from discovering this service easily and using brute-way attacks, you can modify the Remote Desktop's listening port:

1. Run Regedt32 and go to this item:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\winstations\rdp-tcp

Note: The above registry entry is a path, it has been wrapped for readability.

2. Find the "PortNumber" subkey, and you will see the value 00000d3d, which is the hexadecimal representation of 3389. Use hexadecimal values to modify this port number and save the new value.

To change the port for a specific connection on the Terminal server, follow these steps: Run Regedt32 and go to this item:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\winstations\connection

Note: The above registry entry is a path, it has been wrapped for readability.