Security Configuration for Windows Server 2003 Virtual Hosts

Source: Internet
Author: User
Tags: reserved, safe mode, web services, mail account, zend
I used to work at a network company, where I was responsible for maintaining the servers. I am unemployed now.
After some time getting familiar with it, I think I have a fair amount of experience with the Windows Server platform.
Many friends are now starting to plan their own virtual hosts, and the related articles online are all very old, so I ventured to write this series.
I hope you will give me plenty of pointers; there will be mistakes and omissions. Thank you.
The opening is very serious; it gets a little more relaxed further down. Hey, I'm going to have lunch with my GF. Hey, old burp.
A man is like a machine: being fast is good, but he has to be stable. The stability of a server is like the stability of a relationship.
Otherwise it is three fights a day plus a snack, and you can forget about a better job. So let's establish a stable relationship.
First of all, the basics matter: character, personality, hobbies, right? Let's talk about the hardware first.
Of course I recommend a brand-name server; DELL and IBM are all very good. If you are as poor as I am,
a motherboard from IWILL, ASUS or INTEL, a HT P4 CPU (of course) and DDR memory will do.
I have been using a PC as a test server for a while. If all the hardware passes quality checks, it is actually very solid.
Next comes the important part, the server operating system. Given the limits of my level, we won't discuss Red Hat for now.
Windows Server 2003, especially in security and IIS, is much stronger than W2K: efficient, stable and safe.
Before formally entering the subject, I'll borrow Fire's words as a prologue to the whole project:
"Please do not attempt to attack any host, because you never know
whether the admin on the other side is a genius or a genius disguised as an idiot."
I assume everyone can install the system, so I won't say much about that. Before installing, let's talk about partitioning the server.
It is a bit different from partitioning a PC. I'll simply list the partition scheme I use myself; the following points are the important ones.

C disk: the system partition. Personally I think 8G is enough; 10G is also fine. Under 2003, IIS cannot be installed on a non-NTFS partition.
Permissions are kept at the defaults. I once modified the default permissions on the system disk, and for some reason the system collapsed. Sob.

D disk: the software partition, 8G to 10G. It mainly holds auxiliary software: WinRAR, log analysis software, network monitoring software such as CommView, and so on.
As for MSN, QQ and the like, I actually don't recommend installing them; they carry a little danger. NTFS format is recommended.
Permissions: keep the Administrators group and the SYSTEM group, two in total. Delete all the rest, especially Everyone.
Why? Because the system itself runs as SYSTEM, and the administrator needs to operate the disk, so the Administrators group is needed.

E disk: the installation partition for the server software. Size it as you see fit. It holds CGI, PHP, Zend, MySQL, MSSQL, IMail, Serv-U and so on.
The file system is NTFS. Permissions are reserved for the Administrators group, the SYSTEM group and the "IWAM_<your computer name>" account, three in total. Delete the others.
To explain: the "IWAM_<your computer name>" account is mainly responsible for running the application pools and the server software, such as PHP scripts.

F disk: the external service partition, for example the web sites served by IIS, the FTP space and the IMail mail account space.
I recommend creating three folders, WEB, FTP and IMAIL, and then sorting each account's directory for each piece of software into them.
These three directories do not inherit the parent permissions of the F disk; their permissions are customized independently, as described below.
The recommended permissions keep the following three: the Administrators group, the SYSTEM group and the "IUSR_<your computer name>" account.
The "IUSR_<your computer name>" account has Guests-level permissions; it is the default account for anonymous access to the web server.
If you need write permission, create an additional account; you can refer to articles on FSO permission assignment.

G disk: FAT32 format. It holds the system installation files, the installers for daily tool software, system backups, policies and so on.
Note that sensitive content should be encrypted with third-party software, to avoid virus infection or having back doors and trojans bundled in by hackers.
Make offsite backups if conditions permit, to CD-ROM or a tape drive. I recommend installing Ghost 2003; you can make image files of important content.

This is basically a reasonable allocation of space that also allows for future expansion. We can get ready for the next step.
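The partition ACL scheme above (D: Administrators and SYSTEM only; E: the same plus IWAM_<computer name>; F: three top-level folders that do not inherit from the drive and let IUSR_<computer name> read), as an added PowerShell example that is not part of the original article. It assumes PowerShell has been installed on the 2003 host, that D:, E: and F: exist as described, that IIS has already created the local IUSR_/IWAM_ accounts, and that ReadAndExecute is the right level for those two accounts, since the article does not state one.

```powershell
$ErrorActionPreference = 'Stop'
$pc = $env:COMPUTERNAME

function Set-ExclusiveAcl {
    # Replace the DACL of $Path with exactly the principals in $Grants
    # (account name -> FileSystemRights) and cut inheritance from the parent,
    # so Everyone and any other inherited entry disappear.
    param([string]$Path, [hashtable]$Grants)
    $acl = Get-Acl -Path $Path
    $acl.SetAccessRuleProtection($true, $false)   # protect, drop inherited ACEs
    foreach ($old in @($acl.Access)) { [void]$acl.RemoveAccessRule($old) }
    foreach ($who in $Grants.Keys) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $who, $Grants[$who], 'ContainerInherit, ObjectInherit', 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

# The two principals every data partition keeps. C: is deliberately not touched:
# the article's author broke a system by changing its default permissions.
$core = @{ 'BUILTIN\Administrators' = 'FullControl'; 'NT AUTHORITY\SYSTEM' = 'FullControl' }

# D: auxiliary software. Administrators and SYSTEM only.
Set-ExclusiveAcl -Path 'D:\' -Grants $core

# E: server software (PHP, MySQL, Serv-U, IMail). Add the IIS application
# identity that runs the application pools. The rights level is an assumption.
$e = $core.Clone(); $e["$pc\IWAM_$pc"] = 'ReadAndExecute'
Set-ExclusiveAcl -Path 'E:\' -Grants $e

# F: external service partition. The drive root keeps only the core pair; each
# of the three service folders gets its own non-inherited ACL that also lets
# the anonymous web account read. Write access per site is granted elsewhere.
Set-ExclusiveAcl -Path 'F:\' -Grants $core
$f = $core.Clone(); $f["$pc\IUSR_$pc"] = 'ReadAndExecute'
foreach ($dir in 'WEB', 'FTP', 'IMAIL') {
    $path = Join-Path 'F:\' $dir
    if (-not (Test-Path $path)) { New-Item -ItemType Directory -Path $path | Out-Null }
    Set-ExclusiveAcl -Path $path -Grants $f
}
```

Run it as a member of Administrators and check the result with Get-Acl before putting the host online; an account name that does not resolve will make Set-Acl fail for that path.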
Now let's install. Hey, you, sit down. Although I went out for a while, I only stepped away briefly.
You should still pay attention to discipline. What? You say I only know how to go out with my girl and not how to write a tutorial. You know what?
The installation situation is generally one of two kinds; there is no abnormal nth possibility.
That's right, there is a science fiction story called "The Ninth Possibility"; it's pretty good. OK, stop.
The first kind is an upgrade. Windows 2003 does not seem to support upgrading from Windows Pro.
My personal recommendation is not to upgrade at all but to reinstall directly. That eliminates many of the weird problems that come with "D" (pirated) versions.
Note: a "weird problem" is one where you don't know how it got broken, and neither you nor anyone else knows how to fix it properly.
Direct installation: if your system is fine, I mean you can get into the system and use the CD-ROM,
you can choose to install directly from the existing system. Choose Reinstall, enter the SN serial number, and just keep clicking Next.
Note when installing: if this is an external-facing server, make the system disk NTFS. For the partition scheme, see above.
If you are using it yourself for local debugging or testing, then do whatever you like, as long as you feel comfortable.
OK, here is the installation from pure DOS. Although this is very old content:
In DOS, use a command called Smartdrv.exe.
It is the supplemental disk cache. What does that mean? I don't want to discuss technical issues with people whose IQ is below 70.
This command can be found in the Windows 98 installation directory. Just execute it directly; no additional parameters are needed.
What is the result of running it? Try it a few more times and you'll see the effect. You know what?
Then execute FORMAT C: /S /Q. Remember this.
If you want to make sure that your Windows 2003 can boot into MS-DOS in the future,
be sure to do as I said above: FORMAT the system disk this way before you install Windows 2003.
After Windows 2003 is installed, you can enter a pure DOS environment without any additional boot disc by the following method:
Start the computer, press F8 to enter the advanced options menu for Windows 2003 Server,
select Safe Mode with Command Prompt, and then select MICROSOFT WINDOWS.
Another command. To be honest, I don't know what it is for. It is named Lock.exe.
It seems to be about locking. The usual usage is to run Lock.exe after Smartdrv.exe, for example Lock.exe C: if you want to install to the C disk.
Lock.exe command explanation:
Executing this program effectively locks your optical drive.
It temporarily disables the eject key on the optical drive until it is unlocked with the UNLOCK.EXE or RESET.EXE program.
Restarting the computer also makes the eject key work again.
LOCK.EXE is used in the following format:
LOCK [device]
where device is the CD-ROM drive number. The default is the first optical drive.
To summarize the process. HOHO.
1. Change the CMOS settings to boot from CD-ROM. No, that part is fine.
2. Insert the Windows 98 boot CD, enter DOS mode, enter the Windows 98 installation directory, and run Smartdrv.exe and Lock.exe C:
3. Eject the disc and replace it with the Windows 2003 Server installation CD. Enter the I386 directory and execute Winnt.exe.
All right, let's start the installation. Please do not set a password for the Administrator during installation; leave it empty.
Why, why? If you don't listen to me and run into a problem later, don't blame me for not saying it.
The next step is the most critical link. Everybody cheer up.
If you have enough hard disk space, and you also have enough time right now, then I recommend the following steps:
1. Reboot the system, press F8, enter the command prompt mode, and select MICROSOFT WINDOWS.
2. After entering DOS, start Ghost and make a GHO file of the Windows 2003 C disk. Put it on the FAT32 partition.
For step 1, please refer to the section above on entering pure DOS on Windows 2003.
If you didn't do what I told you to do, boot from CD-ROM instead: modify the CMOS boot order and enter the DOS environment that way.
Once the GHO file is made, I am no longer afraid of the trouble of reinstalling after a crash.
Of course, you can also make the GHO image after running Windows Update, the "little white" (newbie) way.
I recommend imaging a clean system right after Windows Update, doing nothing else, and then going straight to Ghost. But if you know the system well, it is up to you.
Continue below. GOGO.
Disable the NIC, that is, the network card. Then set up the IP, DNS and gateway, but do not enable it.
Why? Because once you have set up the NIC information on a server, you can of course get on the Internet. However, the Administrator password was not set at installation time,
so connecting to the network is not safe. Don't say it's all right; we can't guarantee that some bored person isn't peering into your network. Meeting a blind cat is not good.
The server is now temporarily unable to connect to any network.
This prevents the bare machine from being scanned by worms like Blaster ("shock wave") or by hackers.
It can be considered safe. I recommend that the operator not leave the workbench at this point. Hehe.
Next come the great methods of the registry and Group Policy. Let's start our core journey.
Before we begin, what I want to say is that we have to understand the purpose of this server.
Each use calls for different settings and deployment strategies. Only the most suitable one is likely to be the safest.
Continue with my example below. Go.
I chose a fairly typical example: a server ready to serve as web + FTP + mail.
The details are listed below:
1. The web part, of course, uses IIS 6.0 to support ASP, PHP and CGI scripts.
2. FTP uses SERV-U 5.0, Chinese version.
3. Mail uses IMAIL 8.02, Chinese version.
4. The database uses MySQL, version 5.0 of course. PHP also uses 5.0.
5. Others, such as Zend and JMail, use the latest official version.
The software above is best downloaded from the official website, or from Www.SKYCN.NET.
Following the list above, we get the final result. The open ports are as follows:
=> WEB
=> FTP
=> MAIL
=> MAIL
3389 => Terminal Services
8383 => MAIL WEB
Based on the above, we can make a reliable IP and port policy later.
That is, allow nothing except the TCP ports above.
Of course, I also recommend turning ICMP echo off.
If you need remote management, use pcAnywhere, Windows Terminal Services or WinVNC.
This example uses Terminal Services for Windows 2003, so port 3389 is open.
Let me say this: a lot of people on the web and many textbooks recommend changing the Terminal Services port through the registry.
What I want to say here is that there is no need at all. It is pure alarmism.
For the current SP4 W2K or Windows 2003,
Terminal Services is already very good and secure. If an administrator applies a reasonable and correct configuration,
the server, I mean the bare machine, can be exposed to the Internet and withstand 100,000 (10W) scans and attack attempts a day.
Apart from scripting vulnerabilities, there is almost no security problem.
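The network lock-down described above (allow only the listed TCP ports, drop ICMP echo, set a static IP, and keep the NIC disabled until the Administrator password is set), as an added PowerShell example that is not part of the original article. It assumes Windows Server 2003 SP1 or later, where the Windows Firewall and these netsh commands exist, PowerShell installed, an adapter named "Local Area Connection", placeholder addresses, and standard port numbers for the WEB/FTP/MAIL entries, which the article's list leaves blank.

```powershell
$nic = 'Local Area Connection'   # assumed adapter name; list them with: netsh interface show interface

# 1. Firewall on; inbound traffic is dropped unless a port opening exists.
netsh firewall set opmode mode=ENABLE exceptions=ENABLE

# TCP ports from the list above. 3389 and 8383 are the article's values; the
# WEB/FTP/MAIL entries carry no numbers there, so standard ports are assumed.
$ports = @{
    80   = 'WEB'              # assumed
    21   = 'FTP'              # assumed
    25   = 'MAIL-SMTP'        # assumed
    110  = 'MAIL-POP3'        # assumed
    3389 = 'TerminalServices' # from the article; the default RDP port is kept
    8383 = 'MAIL-WEB'         # from the article
}
foreach ($p in $ports.Keys) {
    netsh firewall add portopening protocol=TCP port=$p name="$($ports[$p])" mode=ENABLE scope=ALL
}

# 2. Stop answering ping: ICMP type 8 is echo request.
netsh firewall set icmpsetting type=8 mode=DISABLE

# 3. Static IP, mask, gateway and DNS (placeholder addresses from RFC 5737),
#    applied while the adapter is still enabled.
netsh interface ip set address name="$nic" source=static addr=192.0.2.10 mask=255.255.255.0 gateway=192.0.2.1 gwmetric=1
netsh interface ip set dns name="$nic" source=static addr=192.0.2.53

# 4. Keep the host off the wire while the Administrator password is still empty
#    and Windows Update has not run.
netsh interface set interface name="$nic" admin=DISABLED

# 5. Check the result. Re-enable the adapter only after the password is set and
#    the patches are applied:  netsh interface set interface name="$nic" admin=ENABLED
netsh firewall show config
```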