I have practiced the security settings of Windows 2003 on Internet-facing servers and compiled these notes, hoping they help you. I would also welcome advice on their shortcomings so that I can add to them. Thank you!
I. System Installation
1. Install the system following the Windows 2003 installer prompts, then install IIS 6.0 as described in the next step.
2. Installing IIS 6.0
Start Menu -> Control Panel -> Add or Remove Programs -> Add/Remove Windows Components
Application Server
| -- ASP.NET (optional)
| -- Enable network COM+ access (required)
| -- Internet Information Services (IIS)
     | -- Internet Information Services Manager (required)
     | -- Common Files (required)
     | -- World Wide Web Service
          | -- Active Server Pages (required)
          | -- Internet Data Connector (optional)
          | -- WebDAV Publishing (optional)
          | -- World Wide Web Service (required)
          | -- Server Side Includes (optional)
Then click OK -> Next to install.
3. Update system patches: choose Start > All Programs > Windows Update and install the patches as prompted.
4. Back up the system: use GHOST to back up the system.
5. Install common software such as anti-virus software and a decompression tool. After installation, configure the anti-virus software, scan the system for vulnerabilities, and use GHOST to back up the system again.
6. Disable unnecessary ports first; enable the firewall and import IPSec policies.
In "Network Connections", delete unnecessary protocols and services. Here only the basic Internet protocol (TCP/IP) is installed; the QoS Packet Scheduler is installed in addition so that bandwidth can be controlled. In the advanced TCP/IP settings, under "NetBIOS settings", choose "Disable NetBIOS over TCP/IP". On the Advanced tab, enable "Internet Connection Firewall", the firewall built into Windows 2003 that the 2000 system did not have. Although it has few features, it can block ports, which basically achieves what an IPSec policy would.
Changing the remote connection port 3389
Modify the registry:
Start -> Run -> regedit
Expand HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
Terminal Server\Wds\rdpwd\Tds\tcp
Change PortNumber in the right-hand pane to the port number you want to use, entered in decimal (for example, 10000).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\
WinStations\RDP-Tcp\
Change PortNumber in the right-hand pane to the same port number, again in decimal (for example, 10000).
Note: Do not forget to add port 10000 to the Windows Firewall.
Once the modification is complete, restart the server; the setting takes effect after the restart.
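The same port change as a script, added here as an example and not part of the original article. It writes the PortNumber value into both Terminal Server keys, opens the new port in the built-in firewall before the reboot, and checks that the two keys agree. It assumes Windows Server 2003 with PowerShell installed and an elevated session; 10000 is the article's sample port.

```powershell
# Added example (not from the original article): move RDP off TCP/3389 by writing
# PortNumber (decimal) into both Terminal Server keys, as the text describes.
# Assumes Windows Server 2003, PowerShell, and an Administrators session.
$NewPort = 10000   # the article's sample port; pick your own

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

foreach ($k in $keys) {
    # PortNumber already exists as REG_DWORD (default 3389), so the type is kept.
    $old = (Get-ItemProperty -Path $k -Name PortNumber).PortNumber
    Set-ItemProperty -Path $k -Name PortNumber -Value $NewPort
    Write-Host "$k : PortNumber $old -> $NewPort"
}

# Open the new port BEFORE rebooting so the change cannot lock you out.
# Windows Server 2003 uses the legacy 'netsh firewall' context.
netsh firewall add portopening protocol=TCP port=$NewPort name="Remote Desktop ($NewPort)" mode=ENABLE

# Verify that both keys now hold the same value; the change only applies after a restart.
$check = $keys | ForEach-Object { (Get-ItemProperty -Path $_ -Name PortNumber).PortNumber }
if (@($check | Sort-Object -Unique).Count -ne 1) {
    throw "PortNumber differs between the two keys: $check"
}
Write-Host "Both keys now use port $($check[0]); restart the server to apply."
```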
II. User Security Settings
1. Disable the Guest account
Disable the Guest account under Computer Management > Users. To be safe, also give Guest a complicated password: open Notepad, type a long string containing special characters, numbers, and letters, and paste it in as the Guest user's password.
2. Restrict unnecessary users
Remove all duplicate users, test users, and shared users. Set the corresponding permissions in the user group policy, and regularly check the system's users to delete those that are no longer in use. Such accounts are often the entry point for intruders.
3. Rename the system Administrator account
As is well known, the Administrator account of Windows 2003 cannot be disabled, which means others can try its password over and over again. Disguise it as an ordinary user by renaming it, for example to Guesycludx.
4. Create a trap user
What is a trap user? Create a local user named "Administrator", give it the lowest permissions, and set a very complex password of more than 10 characters. This keeps attackers busy for a while and helps reveal their intrusion attempts.
5. Change shared file permissions from the Everyone group to authorized users
Never assign shared files, including printer shares, to the "Everyone" group. The default is "Everyone", so do not forget to change it.
6. Enable the account lockout policy
In the account policy, set "Reset account lockout counter after" to 20 minutes, the account lockout duration to 20 minutes, and the account lockout threshold to 3 attempts. (Optional)
7. Do not let the system display the user name of the last logon
By default, the logon dialog box shows the user name of the last logon. This makes it easy for others to learn some of the system's user names and then guess the passwords. Modify the registry so that the last user name is not displayed: open the Registry Editor, find HKLM\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName, and set the REG_SZ value to 1.
8. Password Security Settings
A. Use a Security Password
Some company administrators often use the company name or computer name as the user name when creating accounts, and then give these users passwords that are far too simple, such as "welcome". Therefore, pay attention to password complexity and remember to change passwords frequently.
B. Set a screen saver password
This is a simple and necessary step. A screen saver password is also a barrier against internal personnel damaging the server.
C. Enable the password policy
Apply the password policy: for example, enable password complexity requirements, set the minimum password length to 6 characters, enforce a password history of 5 passwords, and set the maximum password age to 42 days.
D. Consider using a smart card instead of a password.
Passwords always leave the security administrator in a dilemma: simple passwords are vulnerable to attack, while complex passwords are easily forgotten. If conditions permit, replacing complex passwords with smart cards is a good solution.
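The account steps of this section (disabling Guest, renaming the built-in administrator, the trap user, the lockout and password policy numbers, and the last-user-name setting) as one script, added here as an example and not part of the original article. It assumes Windows Server 2003 with PowerShell and an elevated session; Guesycludx is the article's sample disguise name, and the policy numbers are the ones the text gives. Password complexity is a security-template setting and is not covered here.

```powershell
# Added example (not from the original article). Assumes Windows Server 2003,
# PowerShell, and an Administrators session. All numbers come from the text.
$DisguisedAdmin = 'Guesycludx'   # the article's sample name; choose your own

# 1. Disable Guest and give it a long random password (the text suggests pasting one).
net user Guest /active:no | Out-Null
$chars = 'abcdefghijklmnopqrstuvwxyzABCDEFGHIJKLMNOPQRSTUVWXYZ0123456789!#$%^&*-_=+'
$rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
$bytes = New-Object byte[] 24
$rng.GetBytes($bytes)
# '/' is deliberately absent from $chars so net.exe cannot read part of it as a switch.
$guestPw = [string]::Join('', [string[]]($bytes | ForEach-Object { $chars[$_ % $chars.Length] }))
net user Guest $guestPw | Out-Null

# 3. Rename the built-in Administrator. It is located by its RID (-500), not by
#    name, so the script also works if it was renamed before.
$admin = Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'"
if ($admin.Name -ne $DisguisedAdmin) { $admin.Rename($DisguisedAdmin) | Out-Null }

# 4. Trap user: an ordinary, low-privilege account called 'Administrator'.
#    '*' prompts for the password; the account lands in Users only.
net user Administrator * /add

# 6. Lockout: 3 attempts, 20-minute duration, 20-minute counter reset window.
net accounts /lockoutthreshold:3 /lockoutduration:20 /lockoutwindow:20

# 8C. Password policy: minimum length 6, remember the last 5, maximum age 42 days.
net accounts /minpwlen:6 /uniquepw:5 /maxpwage:42

# 7. Hide the last logged-on user name (REG_SZ "1", as in the text).
$wl = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
Set-ItemProperty -Path $wl -Name DontDisplayLastUserName -Value '1'

# Verify: the RID-500 account carries the disguise name and the trap account is not an admin.
$rid500 = (Get-WmiObject Win32_UserAccount -Filter "LocalAccount=True AND SID LIKE '%-500'").Name
$inAdmins = [bool]((net localgroup Administrators) -match '^Administrator$')
"RID 500 is now '$rid500'; trap account is in Administrators: $inAdmins"
```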
III. System Permission Settings
1. Disk permissions
System disk and all other disks: grant full control only to the Administrators group and SYSTEM.
System disk, Documents and Settings directory: grant full control only to the Administrators group and SYSTEM.
System disk, Documents and Settings\All Users directory: grant full control only to the Administrators group and SYSTEM.
Grant full control on netstat.exe, regedit.exe, at.exe, attrib.exe, format.com and del only to the Administrators group and SYSTEM.
In addition, move <systemroot>\system32\format.com and ftp.exe (and the other executables named above) to another directory, or rename them.
Set all directories under Documents and Settings so that only Administrators have permissions. Check every subdirectory of the directory individually.
Delete the c:\inetpub directory.
2. Local Security Policy Settings
Choose Start> Administrative Tools> Local Security Policy
A. Local Policies --> Audit Policy
Audit policy change: Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Failure
B. Local Policies --> User Rights Assignment
Shut down the system: keep only the Administrators group and remove all others.
Allow logon through Terminal Services: keep only the Administrators and Remote Desktop Users groups and remove all others.
C. Local Policies --> Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: delete all
Network access: Named pipes that can be accessed anonymously: delete all
Network access: Remotely accessible registry paths: delete all
Network access: Remotely accessible registry paths and sub-paths: delete all
Accounts: Rename guest account: rename it
Accounts: Rename administrator account: rename it
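The audit policy, user-rights and security-option settings of this section as a security template applied with secedit instead of clicking through Local Security Policy, added here as an example and not part of the original article. It assumes Windows Server 2003, PowerShell, an elevated session, and a writable %SystemRoot%\Temp; the two "rename account" options are left out because they need names of your choosing. In the [Event Audit] section, 0 = no auditing, 1 = success, 2 = failure, 3 = success and failure.

```powershell
# Added example (not from the original article). Single-quoted here-string so that
# the $CHICAGO$ signature is not expanded. Assumes Windows Server 2003 + PowerShell.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
[Event Audit]
AuditPolicyChange = 2
AuditLogonEvents = 3
AuditObjectAccess = 2
AuditProcessTracking = 0
AuditDSAccess = 2
AuditPrivilegeUse = 2
AuditSystemEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 2
[Privilege Rights]
SeShutdownPrivilege = *S-1-5-32-544
SeRemoteInteractiveLogonRight = *S-1-5-32-544,*S-1-5-32-555
[Registry Values]
MACHINE\Software\Microsoft\Windows NT\CurrentVersion\Winlogon\DontDisplayLastUserName=1,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,
'@
# S-1-5-32-544 = Administrators, S-1-5-32-555 = Remote Desktop Users.
# "7," writes an empty REG_MULTI_SZ, i.e. "delete all" entries.

$inf = Join-Path $env:SystemRoot 'Temp\harden.inf'
$db  = Join-Path $env:SystemRoot 'Temp\harden.sdb'
Set-Content -Path $inf -Value $Template -Encoding Unicode   # secedit expects UTF-16
secedit /configure /db $db /cfg $inf /overwrite /quiet

# Spot-check one value; the full result is in %SystemRoot%\security\logs\scesrv.log.
Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -Name RestrictAnonymous
```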
3. Disable unnecessary services: Start -> Run -> services.msc
TCP/IP NetBIOS Helper: provides support for NetBIOS over TCP/IP and NetBIOS name resolution for clients on the network, allowing users to share files, print, and log on to the network.
Server: allows this computer to share files, printers, and named pipes over the network.
Computer Browser: maintains an up-to-date list of computers on the network and supplies this list.
Task Scheduler: allows programs to run at a specified time.
Messenger: transmits net send and Alerter service messages between clients and servers.
Distributed File System: manages shared files on a LAN; disable if not needed.
Distributed Link Tracking Client: updates link information on the LAN; disable if not needed.
Error Reporting Service: disable, so that no error reports are sent.
Microsoft Search: provides fast full-text search; disable if not needed.
NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable if not needed.
Print Spooler: disable it if no printer is attached.
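The services in this list stopped and set to Disabled in one pass, added here as an example and not part of the original article. It assumes Windows Server 2003 with PowerShell and an elevated session; the short names are the 2003 service names. The Server service is left as a comment because disabling it also removes the administrative shares, so only do that on a host that shares nothing at all.

```powershell
# Added example (not from the original article). Assumes Windows Server 2003,
# PowerShell, and an Administrators session. Keys are 2003 service short names.
$ToDisable = @{
    'LmHosts'   = 'TCP/IP NetBIOS Helper'
    'Browser'   = 'Computer Browser'
    'Schedule'  = 'Task Scheduler'
    'Messenger' = 'Messenger'
    'Dfs'       = 'Distributed File System'
    'TrkWks'    = 'Distributed Link Tracking Client'
    'ERSvc'     = 'Error Reporting Service'
    'MSSEARCH'  = 'Microsoft Search'
    'NtLmSsp'   = 'NTLM Security Support Provider'
    'Spooler'   = 'Print Spooler'
    # 'LanmanServer' = 'Server'   # only if this host shares nothing; also drops ADMIN$ and C$
}

foreach ($name in $ToDisable.Keys) {
    $label = $ToDisable[$name]
    # Services such as Microsoft Search are only present when their product is installed.
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if ($svc -eq $null) { Write-Host "$name ($label): not installed, skipping"; continue }
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
    Write-Host "$name ($label): stopped and set to Disabled"
}

# Record what still starts automatically, as the basis for the next review.
Get-WmiObject Win32_Service -Filter "StartMode='Auto'" |
    Select-Object Name, State, StartMode | Sort-Object Name
```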