Security China: sharing a complete collection of Win2003 security settings (Win server)

Source: Internet
Author: User
Tags anonymous
All of the above is idle talk, just a bit of embellishment. (I get to play the man of letters for once.)
Moving on to the hands-on stage: system permission settings and security configuration.
For system settings there is a saying on the Internet: "minimum permissions + minimum services = maximum security." Practically everyone has seen this sentence, but I do not seem to have seen a more detailed and comprehensive article on it, so the following is a teaching attempt based on my personal experience!
How is the minimum privilege implemented?
NTFS permissions: before use, give the Administrators user full control on the root of every hard drive (optionally add the SYSTEM user) and delete the other users. Then go to the system disk; the permissions are as follows:
C:\WINDOWS: Administrators and SYSTEM users get full control; the default permissions of Users are not modified.
In the other directories, remove the Everyone user. Remember the All Users\Default User directory and its subdirectories under C:\Documents and Settings: for example, the default configuration of the C:\Documents and Settings\All Users\Application Data directory retains Everyone user rights.
The permissions under the C:\WINDOWS directory must also be checked: C:\WINDOWS\PCHealth and C:\WINDOWS\Installer, for example, also retain the Everyone permission.
Delete the C:\WINDOWS\Web\printers directory; the existence of this directory causes IIS to add a .printers extension, which is open to overflow attacks.
The default IIS error pages are hardly used by anyone. It is recommended that you delete the C:\WINDOWS\Help\iisHelp directory.
Delete C:\WINDOWS\system32\inetsrv\iisadmpwd. This directory is used to manage IIS passwords: for example, when a 500 error occurs because a password is out of sync, OWA or Iisadmpwd is used to change and synchronize the password. It can be deleted here, because the settings described below eliminate the password synchronization problem caused by system settings.
Open C:\Windows and search for:
net.exe;cmd.exe;tftp.exe;netstat.exe;regedit.exe;at.exe;attrib.exe;cacls.exe;format.com;
regsvr32.exe;xcopy.exe;wscript.exe;cscript.exe;ftp.exe;telnet.exe;arp.exe;edlin.exe;
ping.exe;route.exe;finger.exe;posix.exe;rsh.exe;atsvc.exe;qbasic.exe;runonce.exe;syskey.exe
Modify their permissions: delete all users and keep only Administrators and SYSTEM, with full control.
Close port 445
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters
Create a new "DWORD Value" named "SMBDeviceEnabled" and leave its data at the default value "0".
Prohibit the establishment of null (empty) connections
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
Create a new DWORD value named "RestrictAnonymous" with the data value "1" [2003 defaults to 1].
Prevent the system from automatically starting server shares
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a new DWORD value named "AutoShareServer" with the data value "0".
Prevent the system from automatically starting administrative shares
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Create a new DWORD value named "AutoShareWks" with the data value "0".
Prevent small-scale DDoS attacks by modifying the registry
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named "SynAttackProtect" with the data value "1".
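The five registry values above can be verified offline against a regedit text export of the server. The following is an added example, not part of the original article; the function names and the sample export are constructed for illustration, and it assumes a "Windows Registry Editor Version 5.00" export file.

```python
import re

# Baseline from the registry settings listed above: (key, value name) -> DWORD.
HKLM = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet"
BASELINE = {
    (HKLM + r"\Services\NetBT\Parameters", "SMBDeviceEnabled"): 0,
    (HKLM + r"\Control\Lsa", "RestrictAnonymous"): 1,
    (HKLM + r"\Services\lanmanserver\parameters", "AutoShareServer"): 0,
    (HKLM + r"\Services\lanmanserver\parameters", "AutoShareWks"): 0,
    (HKLM + r"\Services\Tcpip\Parameters", "SynAttackProtect"): 1,
}
SECTION = re.compile(r"^\[([^\]]+)\]$")
DWORD = re.compile(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$')

def parse_reg_dwords(text):
    """Map (key, value name), both lower-cased, to int for each DWORD in a .reg export."""
    values, key = {}, None
    for line in text.lstrip("\ufeff").splitlines():
        line = line.strip()
        if m := SECTION.match(line):
            key = m.group(1).lower()      # registry paths are case-insensitive
        elif key and (m := DWORD.match(line)):
            values[(key, m.group(1).lower())] = int(m.group(2), 16)
    return values

def audit(text):
    """Return (value name, expected, actual) per deviation; actual is None if absent."""
    found = parse_reg_dwords(text)
    return [(name, want, found.get((key.lower(), name.lower())))
            for (key, name), want in BASELINE.items()
            if found.get((key.lower(), name.lower())) != want]

# Constructed sample export (regedit 5.00 text format), not taken from a real host.
SAMPLE = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters]
"SMBDeviceEnabled"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000001

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"SynAttackProtect"=dword:00000001
"""

print(audit(SAMPLE))
```

A value reported with None was never created on the host, so the system is running with its built-in default for that setting rather than the value given above.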
Prohibit the generation of dump files
Dump files are a useful resource for finding problems when the system crashes or blue-screens. However, they can also provide hackers with sensitive information, such as the passwords of some applications. Control Panel > System Properties > Advanced > Startup and Recovery: change "Write debugging information" to "(none)".
Turn off Dr. Watson
Enter "drwtsn32" in Start > Run, or go to Start > Programs > Accessories > System Tools > System Information > Tools > Dr Watson, to bring up Dr. Watson. Keep only the "Dump All Thread Contexts" option; otherwise, if a program fails, the hard drive will be read for a long time and a lot of space will be used. If this has already happened, look for the user.dmp file; deleting it frees dozens of MB of space.
Local Security Policy configuration
Start > Programs > Administrative Tools > Local Security Policy
Account Policies > Password Policy > Minimum password age: change to 0 days [that is, the password is not available; as I mentioned above, this will not cause the IIS password to go out of sync]
Account Policies > Account Lockout Policy > Account lockout threshold: 5 attempts; account lockout duration: 10 minutes [my personally recommended configuration]
Local Policies > Audit Policy >
Account management: success, failure
Logon events: success, failure
Object access: failure
Policy change: success, failure
Privilege use: failure
System events: success, failure
Directory service access: failure
Account logon events: success, failure
Local Policies > Security Options > Clear virtual memory pagefile: change to Enabled
> Do not display last user name: change to Enabled
> Do not require CTRL+ALT+DEL: change to Enabled
> Do not allow anonymous enumeration of SAM accounts: change to Enabled
> Do not allow anonymous enumeration of SAM accounts and shares: change to Enabled
> Rename guest account: change to a complex account name
> Rename administrator account: change to a personal account name [and create an Administrat account that belongs to no user group]
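The account and audit policy values above can be checked against a security policy export produced with `secedit /export /cfg <file>`. The following is an added example, not part of the original article; the function name and the sample export are constructed for illustration, and it covers only the password, lockout and audit settings.

```python
import configparser

# secedit encodes audit settings as 1 = success, 2 = failure, 3 = both.
# Expected values are the Local Security Policy settings listed above.
EXPECTED = {
    ("System Access", "MinimumPasswordAge"): 0,   # days
    ("System Access", "LockoutBadCount"): 5,      # account lockout threshold
    ("System Access", "LockoutDuration"): 10,     # minutes
    ("Event Audit", "AuditAccountManage"): 3,
    ("Event Audit", "AuditLogonEvents"): 3,
    ("Event Audit", "AuditObjectAccess"): 2,
    ("Event Audit", "AuditPolicyChange"): 3,
    ("Event Audit", "AuditPrivilegeUse"): 2,
    ("Event Audit", "AuditSystemEvents"): 3,
    ("Event Audit", "AuditDSAccess"): 2,
    ("Event Audit", "AuditAccountLogon"): 3,
}

def check_policy(inf_text):
    """Return one finding string per setting that deviates from EXPECTED."""
    cp = configparser.ConfigParser(interpolation=None, strict=False,
                                   delimiters=("=",), allow_no_value=True)
    cp.optionxform = str                  # keep the INF's key case
    cp.read_string(inf_text)
    findings = []
    for (section, name), want in EXPECTED.items():
        raw = cp.get(section, name, fallback=None)
        have = int(raw) if raw and raw.strip().isdigit() else None
        if have != want:
            findings.append(f"{section}/{name}: expected {want}, found {have}")
    return findings

# Constructed sample; real exports are UTF-16, so read them with encoding="utf-16".
SAMPLE_INF = """[System Access]
MinimumPasswordAge = 0
LockoutBadCount = 0
[Event Audit]
AuditSystemEvents = 3
AuditLogonEvents = 3
AuditObjectAccess = 0
AuditPrivilegeUse = 2
AuditPolicyChange = 3
AuditAccountManage = 3
AuditDSAccess = 2
AuditAccountLogon = 1
"""

print("\n".join(check_policy(SAMPLE_INF)))
```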
Group Policy Editor
Run gpedit.msc: Computer Configuration > Administrative Templates > System > Display Shutdown Event Tracker: change to Disabled
Removing unsafe components
Wscript.Shell and Shell.Application: these two components are commonly used by ASP Trojans and other malicious programs.
Option 1:
regsvr32 /u wshom.ocx (unregisters the Wscript.Shell component)
regsvr32 /u shell32.dll (unregisters the Shell.Application component)
If you follow the settings mentioned above, you do not have to delete these two files.
Option 2:
Delete the registry key HKEY_CLASSES_ROOT\CLSID\{72c24dd5-d70a-438b-8a42-98424b88afb8}, which corresponds to Wscript.Shell
Delete the registry key HKEY_CLASSES_ROOT\CLSID\{13709620-c279-11ce-a49e-444553540000}, which corresponds to Shell.Application
User management
Create another standby administrator account in case of special situations.
On servers with Terminal Services and SQL services installed, disable the two accounts TsInternetUser and SQLDebugger.
User group notes
When IIS is used later on, IIS users typically use the Guests group; alternatively, a separate group can be created for use by IIS, but this group must then be given Read permission [read only] on the C:\Windows directory. Personally, I do not recommend using a separate directory; it is too petty.

How is minimum service implemented?

Black means automatic, green means manual, red means disabled.

Alerter

Application Experience Lookup Service

Application Layer Gateway Service

Application Management

Automatic Updates [Windows Automatic Updates, optional]

Background Intelligent Transfer Service

ClipBook

COM + Event System

COM + System Application

Computer Browser

Cryptographic Services

DCOM Server Process Launcher

DHCP Client

Distributed File System

Distributed Link Tracking Client

Distributed Link Tracking Server

Distributed Transaction Coordinator

DNS Client

Error Reporting Service

Event Log

File Replication

Help and Support

HTTP SSL

Human Interface Device Access

IIS Admin Service

IMAPI cd-burning COM Service

Indexing Service

Intersite Messaging

IPSEC Services [Optional action if IP Security policy is used, if none is disabled]

Kerberos Key Distribution Center

License Logging

Logical Disk Manager [Optional, multiple hard drives recommended automatically]

Logical Disk Manager Administrative Service

Messenger

Microsoft Search

Microsoft Software Shadow Copy Provider

MSSQLServer

MSSQLServerADHelper

Net Logon

NetMeeting Remote Desktop Sharing

Network Connections

Network DDE

Network DDE DSDM

Network Location Awareness (NLA)

Network Provisioning Service

NT LM Security Support Provider

Performance Logs and Alerts

Plug and Play

Portable Media serial number Service [Microsoft Anti-Piracy tool, currently only for multimedia classes]

Print Spooler

Protected Storage

Remote Access Auto Connection Manager

Remote Access Connection Manager

Remote Desktop Help Session Manager

Remote Procedure Call (RPC)

Remote Procedure Call (RPC) Locator

Remote Registry

Removable Storage

Resultant Set of Policy Provider

Routing and Remote Access

Secondary Logon

Security Accounts Manager

Server

Shell Hardware Detection

Smart Card

Special Administration Console Helper

SQLServerAgent

System Event Notification

Task Scheduler

TCP/IP NetBIOS Helper

Telephony

Telnet

Terminal Services

Terminal Services Session Directory

Themes

Uninterruptible Power Supply

Upload Manager

Virtual Disk Service

Volume Shadow Copy

WebClient

Windows Audio [Server does not need to use sound]

Windows firewall/internet Connection Sharing (ICS)

Windows Image Acquisition (WIA)

Windows Installer

Windows Management Instrumentation

Windows Management Instrumentation Driver Extensions

Windows time

Windows User Mode Driver Framework

WinHTTP Web Proxy auto-discovery Service

Wireless Configuration

WMI Performance Adapter

Workstation

World Wide Web Publishing Service
Once the above operations are complete, has "minimum permissions + minimum services = maximum security" been achieved? No, everything is relative.
As I see it, the settings above are only the most basic things; if anything has been omitted, I will fill it in later!
