1. Move <systemroot>\system32\cmd.exe to another directory or rename it;
2. Keep the number of system accounts to a minimum, rename the default accounts (such as Administrator) and change their descriptions, and make passwords as complex as possible;
3. Deny access to this computer from the network for: ANONYMOUS LOGON, the built-in Administrator account, SUPPORT_388945a0, Guest, and all non-operating-system service accounts;
4. It is recommended that ordinary users be given only Read access, with Full Control for Administrators and SYSTEM. This may cause some otherwise normal scripts to fail, or prevent operations that need to write files from completing; the permissions on the folders those files use must then be adjusted. Try the change on a test machine first, then apply it to the server carefully.
5. NTFS file permission settings (note that explicit permissions on a file take precedence over the permissions of its folder):
File types:
  CGI files (.exe, .dll, .cmd, .pl)
  Script files (.asp)
  Include files (.inc, .shtm, .shtml)
  Static content (.txt, .gif, .jpg, .htm, .html)
Recommended NTFS permissions:
  Everyone (Execute)
  Administrators (Full Control)
  System (Full Control)
6. Disable the default C$ and D$ (drive-letter) shares
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
AutoShareServer REG_DWORD 0x0
7. Disable the default ADMIN$ share
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
AutoShareWks REG_DWORD 0x0
8. Restrict the default IPC$ share
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
RestrictAnonymous REG_DWORD
  0x0 default
  0x1 anonymous users cannot enumerate the local user list
  0x2 anonymous users cannot connect to the local IPC$ share
Note: 0x2 is not recommended, because it may prevent some services from starting, such as SQL Server.
9. Give users only the rights they really need; the principle of least privilege is an important security guarantee.
10. In Local Security Policy -> Audit Policy, enable the appropriate auditing. The recommended audit settings are:
Audit account management: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit policy change: Success, Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit directory service access: Failure
Audit account logon events: Success, Failure
Auditing too little means there is no record when you need to look something up; auditing too much not only consumes system resources but buries the events you need among the rest, so the auditing loses its point. Related to this:
In Account Policies -> Password Policy, set:
Password must meet complexity requirements: Enabled
Minimum password length: 6 characters
Enforce password history: 5 passwords remembered
Maximum password age: 30 days
In Account Policies -> Account Lockout Policy, set:
Account lockout threshold: 3 invalid logon attempts
Account lockout duration: 20 minutes
Reset account lockout counter after: 20 minutes
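The audit, password and lockout settings in item 10 can be checked and applied without clicking through the console. The following script is an added example, not part of the original checklist: it exports the effective local policy with secedit, compares it with the recommended values, and writes an INF file that secedit can apply. It assumes Windows Server 2003 with PowerShell 2.0 and local administrator rights; the key names are the ones secedit uses in its exported INF (audit values: 1 = Success, 2 = Failure, 3 = both).

```powershell
# Added example (not from the original checklist): compare the local security policy with the
# recommended audit, password and lockout settings, and write an INF that secedit can apply.
# Assumes Windows Server 2003 with PowerShell 2.0; key names are those of secedit's INF format.

$Recommended = @{
    'System Access' = @{
        PasswordComplexity    = 1    # Password must meet complexity requirements: Enabled
        MinimumPasswordLength = 6    # characters
        PasswordHistorySize   = 5    # passwords remembered
        MaximumPasswordAge    = 30   # days
        LockoutBadCount       = 3    # invalid logon attempts
        LockoutDuration       = 20   # minutes
        ResetLockoutCount     = 20   # minutes
    }
    'Event Audit' = @{
        AuditAccountManage = 3       # Account management: Success, Failure
        AuditLogonEvents   = 3       # Logon events: Success, Failure
        AuditObjectAccess  = 2       # Object access: Failure
        AuditPolicyChange  = 3       # Policy change: Success, Failure
        AuditPrivilegeUse  = 2       # Privilege use: Failure
        AuditSystemEvents  = 3       # System events: Success, Failure
        AuditDSAccess      = 2       # Directory service access: Failure
        AuditAccountLogon  = 3       # Account logon events: Success, Failure
    }
}

# Parse a secedit INF ("[Section]" headers, "key = value" lines) into nested hashtables.
function ConvertFrom-SeceditInf {
    param([string[]]$Lines)
    $result  = @{}
    $section = $null
    foreach ($line in $Lines) {
        $trimmed = $line.Trim()
        if ($trimmed -match '^\[(.+)\]$') {
            $section = $matches[1]
            $result[$section] = @{}
        } elseif ($section -and $trimmed -match '^([^=]+?)\s*=\s*(.*)$') {
            $result[$section][$matches[1]] = $matches[2]
        }
    }
    return $result
}

# Export the effective local policy with secedit and return every setting that deviates.
function Get-PolicyDeviations {
    param([hashtable]$Expected = $Recommended)
    $inf = Join-Path $env:TEMP 'current-policy.inf'
    secedit /export /cfg $inf /quiet | Out-Null
    $current = ConvertFrom-SeceditInf (Get-Content $inf)
    Remove-Item $inf -ErrorAction SilentlyContinue
    $deviations = @()
    foreach ($section in $Expected.Keys) {
        foreach ($key in $Expected[$section].Keys) {
            $actual = $null
            if ($current.ContainsKey($section)) { $actual = $current[$section][$key] }
            if ("$actual" -ne "$($Expected[$section][$key])") {
                $deviations += New-Object PSObject -Property @{
                    Section = $section; Setting = $key
                    Expected = $Expected[$section][$key]; Actual = $actual
                }
            }
        }
    }
    return $deviations
}

# Write an INF with the recommended values. Apply it with:
#   secedit /configure /db hardening.sdb /cfg hardening.inf /areas SECURITYPOLICY
function New-HardeningInf {
    param([string]$Path, [hashtable]$Settings = $Recommended)
    $text = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1')
    foreach ($section in $Settings.Keys) {
        $text += "[$section]"
        foreach ($key in $Settings[$section].Keys) {
            $text += "$key = $($Settings[$section][$key])"
        }
    }
    $text | Set-Content -Path $Path -Encoding Unicode
}

Get-PolicyDeviations | Format-Table Section, Setting, Expected, Actual -AutoSize
New-HardeningInf -Path (Join-Path $env:TEMP 'hardening.inf')
```

Run Get-PolicyDeviations after applying the INF (or after a Group Policy refresh) to confirm nothing was overridden by a domain policy: on a domain member, domain settings win over the local INF, and the deviation list shows exactly which of them do.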
11. Configure security auditing in Terminal Services Configuration (remote services configuration) -> Permissions -> Advanced; in general, auditing logon and logoff events is enough.
12. Unbind NetBIOS from the TCP/IP protocol
Control Panel -> Network -> Bindings -> NetBIOS Interface -> Disable. On Windows 2000: Control Panel -> Network and Dial-up Connections -> Local Area Connection -> Properties -> TCP/IP -> Properties -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.
13. Enable TCP/IP filtering in the network connection's TCP/IP properties and open only the necessary ports (for example, 80).
14. Prevent null-session connections on port 139 by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous in the registry (see item 8 for the values).
15. Modify the packet Time To Live (TTL) value
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
DefaultTTL REG_DWORD 0-0xff (0-255 decimal; default 128)
16. Protect against SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
SynAttackProtect REG_DWORD 0x2 (default 0x0)
17. Do not respond to ICMP router advertisement messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
PerformRouterDiscovery REG_DWORD 0x0 (default 0x2)
18. Protect against ICMP redirect packet attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableICMPRedirect REG_DWORD 0x0 (default 0x1)
19. Disable IGMP support
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IGMPLevel REG_DWORD 0x0 (default 0x2)
20. Set the ARP cache aging time
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
ArpCacheLife REG_DWORD 0-0xffffffff (seconds; default 120)
ArpCacheMinReferencedLife REG_DWORD 0-0xffffffff (seconds; default 600)
21. Disable dead gateway detection
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
EnableDeadGWDetect REG_DWORD 0x0 (default 0x1)
22. Disable IP routing
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
IPEnableRouter REG_DWORD 0x0 (default 0x0)
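Items 6 to 8 and 15 to 22 are all registry DWORD values, so they can be applied together and, more importantly, reverted together. The script below is an added example, not part of the original checklist: it records the previous value of every setting before writing the recommended one. It assumes Windows Server 2003 with PowerShell 2.0 and local administrator rights. Items 15 and 20 only give ranges and defaults rather than a recommended value, so they are left out; everything else is taken from the items above.

```powershell
# Added example (not from the original checklist): apply the registry values from items
# 6, 7, 8, 16, 17, 18, 19, 21 and 22 with a record of the previous values for reverting.
# Assumes Windows Server 2003 with PowerShell 2.0. Run without -Apply first to see what changes.

$Tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Registry key, value name, recommended DWORD value and the checklist item it comes from.
$Settings = @(
    @{ Key=$Lanman; Name='AutoShareServer';    Value=0; Item='6: no default C$/D$ shares' },
    @{ Key=$Lanman; Name='AutoShareWks';       Value=0; Item='7: no default ADMIN$ share' },
    @{ Key=$Lsa;    Name='RestrictAnonymous';  Value=1; Item='8: restrict IPC$ (1, not 2, so SQL Server still starts)' },
    @{ Key=$Tcpip;  Name='SynAttackProtect';   Value=2; Item='16: SYN flood protection' },
    @{ Key=$Tcpip;  Name='EnableICMPRedirect'; Value=0; Item='18: ignore ICMP redirects' },
    @{ Key=$Tcpip;  Name='IGMPLevel';          Value=0; Item='19: no IGMP' },
    @{ Key=$Tcpip;  Name='EnableDeadGWDetect'; Value=0; Item='21: no dead gateway detection' },
    @{ Key=$Tcpip;  Name='IPEnableRouter';     Value=0; Item='22: no IP routing' }
)
# Item 17 is set per interface: one PerformRouterDiscovery value under each Interfaces subkey.
foreach ($iface in Get-ChildItem "$Tcpip\Interfaces") {
    $Settings += ,@{ Key=$iface.PSPath; Name='PerformRouterDiscovery'; Value=0; Item='17: no ICMP router discovery' }
}

# Read a DWORD value, or $null when it is absent (the OS then uses its built-in default).
function Get-RegValue([string]$Key, [string]$Name) {
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -ne $null) { return $item.$Name }
    return $null
}

# Compare every setting with the registry; with -Apply, write the recommended value.
# The returned before/after record is what you revert from, so keep it.
function Invoke-RegistryHardening([switch]$Apply) {
    $report = @()
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Key)) { Write-Warning "Missing key $($s.Key)"; continue }
        $before  = Get-RegValue $s.Key $s.Name
        $changed = $false
        if ($Apply -and ($before -ne $s.Value)) {
            New-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
            $changed = $true
        }
        $report += New-Object PSObject -Property @{
            Item = $s.Item; Name = $s.Name; Before = $before; Recommended = $s.Value; Changed = $changed
        }
    }
    return $report
}

Invoke-RegistryHardening | Format-Table Item, Name, Before, Recommended, Changed -AutoSize
# To apply and keep the record:
#   Invoke-RegistryHardening -Apply | Export-Csv (Join-Path $env:TEMP 'registry-before.csv') -NoTypeInformation
# The Tcpip parameters take effect after a reboot.
```

A Before value of blank means the value did not exist, which is the normal state for most Tcpip parameters on a fresh install; reverting such an entry means deleting the value (Remove-ItemProperty), not writing a zero.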
Installing and configuring the IIS service:
1. Install only the necessary IIS components (for example, disable the unneeded FTP and SMTP services).
2. Enable only the necessary services and Web service extensions. Recommended configuration:
Component name in the UI | Setting | Reason
Background Intelligent Transfer Service (BITS) Server Extensions | Enable | BITS is the background file transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes to the IIS server automatically, this component is required.
Common Files | Enable | IIS requires these files; they must be enabled on the IIS server.
File Transfer Protocol (FTP) Service | Disable | Allows the IIS server to provide the FTP service. Not required on a dedicated IIS server.
FrontPage 2002 Server Extensions | Disable | Provides FrontPage support for managing and publishing Web sites. If you are not using FrontPage-extended Web sites, disable this component on the dedicated IIS server.
Internet Information Services Manager | Enable | The administrative interface for IIS.
Internet Printing | Disable | Provides Web-based printer management and allows printers to be shared over HTTP. Not required on a dedicated IIS server.
NNTP Service | Disable | Distributes, queries, retrieves and posts Usenet news articles on the Internet. Not required on a dedicated IIS server.
SMTP Service | Disable | Supports the transfer of e-mail messages. Not required on a dedicated IIS server.
World Wide Web Service | Enable | Provides Web services and static and dynamic content to clients. Required on a dedicated IIS server.

World Wide Web Service subcomponents:
Component name in the UI | Installation option | Reason
Active Server Pages | Enable | Provides ASP support. If no Web site or application on the IIS server uses ASP, disable this component, or disable it through the Web service extensions.
Internet Data Connector | Disable | Provides dynamic content support through files with the .idc extension. If no Web site or application on the IIS server includes .idc files, disable this component, or disable it through the Web service extensions.
Remote Administration (HTML) | Disable | Provides an HTML interface for managing IIS. Using IIS Manager instead makes administration easier and reduces the attack surface of the IIS server. Not required on a dedicated IIS server.
Remote Desktop Web Connection | Disable | Includes the Microsoft ActiveX control for managing Terminal Services client connections and a sample page. Using IIS Manager instead makes administration easier and reduces the attack surface of the IIS server. Not required on a dedicated IIS server.
Server Side Includes | Disable | Provides support for .shtm, .shtml and .stm files. If no Web site or application on the IIS server uses include files with these extensions, disable this component.
WebDAV | Disable | WebDAV extends the HTTP/1.1 protocol to let clients publish, lock and manage resources on the Web. On a dedicated IIS server, disable this component, or disable it through the Web service extensions.
World Wide Web Service | Enable | Provides Web services and static and dynamic content to clients. Required on a dedicated IIS server.
3. Keep the IIS directories and data separate from the system disk, on a dedicated disk partition.
4. Delete any application mappings that are not required in IIS Manager (keep the necessary mappings, such as .asp).
5. Redirect the HTTP 404 "Object not found" error page to a custom .htm file through a URL in IIS.
6. Web site permission settings (recommended):
Web site permission | Recommended setting
Read | Allow
Write | Not allowed
Script source access | Not allowed
Directory browsing | Recommended off
Log visits | Recommended off
Index this resource | Recommended off
Execute permissions | Recommended "Scripts only"
7. It is recommended to use the W3C extended log file format to record the client IP address, user name, server port, method, URI stem, HTTP status and user agent, and to review the logs daily. (Preferably do not use the default directory: move the logs to another path and set permissions on it so that only Administrators and SYSTEM have Full Control.)
8. Program security:
(1) Code that involves user names and passwords is best encapsulated on the server side and kept out of ASP files as far as possible; the user name and password used for database connections should be given the minimum privileges;
(2) ASP pages that require verification can track the file name of the previous page, and allow the page to be read only by sessions that entered from that previous page;
(3) Prevent the leakage of ASP include (.inc) files;
(4) Prevent the leakage of Some.asp.bak files generated by UE and other editors.
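Items 4, 6, 7 and 8 (3)-(4) can all be verified from the IIS 6 metabase and the file system. The script below is an added example, not part of the original checklist and not IIS's own tooling: it audits one web site through the metabase ADSI provider and reports every deviation from the settings above. It assumes Windows Server 2003 / IIS 6 with PowerShell 2.0 and the Default Web Site (site id 1); $SitePath and $AllowedMaps are assumptions to adjust for your server. Because item 6 lists "Log visits" as off while item 7 wants logging on, the log setting is not checked by flag; the log directory's ACL from item 7 is checked instead.

```powershell
# Added example (not from the original checklist or from IIS): audit a web site against
# items 4, 6, 7 and 8 through the IIS 6 metabase ADSI provider. Assumes IIS 6 on
# Windows Server 2003 with PowerShell 2.0; $SitePath and $AllowedMaps are assumptions.
$SitePath    = 'IIS://localhost/W3SVC/1/Root'
$AllowedMaps = @('.asp', '.asa')   # item 4: the mappings this server actually needs

# Item 6: recommended permission flags on the site root.
$ExpectedFlags = @{
    AccessRead        = $true    # Read: allow
    AccessWrite       = $false   # Write: not allowed
    AccessSource      = $false   # Script source access: not allowed
    EnableDirBrowsing = $false   # Directory browsing: off
    ContentIndexed    = $false   # Index this resource: off
    AccessScript      = $true    # Execute permissions: "Scripts only" ...
    AccessExecute     = $false   # ... so executables are not allowed
}
# Item 7: the only identities that should appear in the log directory's ACL.
$LogDirAllowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')

function Get-IisFindings {
    $findings = @()
    $site = [ADSI]$SitePath
    $svc  = [ADSI]'IIS://localhost/W3SVC'

    # Item 6: permission flags
    foreach ($name in $ExpectedFlags.Keys) {
        $actual = [bool]$site.Properties[$name].Value
        if ($actual -ne $ExpectedFlags[$name]) {
            $findings += "Permission $name is $actual, recommended $($ExpectedFlags[$name])"
        }
    }

    # Item 4: application mappings outside the allowed list (each entry is "ext,dll,flags,verbs")
    foreach ($map in @($site.Properties['ScriptMaps'])) {
        $ext = "$map".Split(',')[0]
        if ($AllowedMaps -notcontains $ext) { $findings += "Unneeded application mapping: $ext" }
    }

    # Item 8 (3) and (4): include files and editor backups reachable under the content directory
    $root = "$($site.Properties['Path'].Value)"
    foreach ($f in Get-ChildItem -Path $root -Recurse -Include *.inc, *.bak -ErrorAction SilentlyContinue) {
        $findings += "Source or backup file under the web root: $($f.FullName)"
    }

    # Item 7: only Administrators and SYSTEM should have access to the log directory
    $logDir = [Environment]::ExpandEnvironmentVariables("$($svc.Properties['LogFileDirectory'].Value)")
    if (Test-Path $logDir) {
        foreach ($ace in (Get-Acl $logDir).Access) {
            if ($LogDirAllowed -notcontains "$($ace.IdentityReference)") {
                $findings += "Log directory $logDir grants $($ace.FileSystemRights) to $($ace.IdentityReference)"
            }
        }
    }
    return $findings
}

Get-IisFindings
```

An empty result means the site matches the checklist. To fix a flag the script reports, set it on the same ADSI object (for example $site.Properties['AccessWrite'].Value = $false followed by $site.SetInfo()), then run Get-IisFindings again; mappings are removed from ScriptMaps the same way, and .inc or .bak files should be moved out of the content directory rather than merely renamed.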
Security updates
Apply all required service packs and regularly update patches manually.
Installing and configuring antivirus protection
Recommended: NAV 8.1 antivirus (configured to update at least once a week).
Installing and configuring firewall protection
Recommended: the latest version of the BlackICE Server Protection firewall (simple to configure and practical).
Monitoring solutions
Install and configure the MOM agent or a similar monitoring solution as required.
Strengthen data backup
Back up Web data on a schedule so that it can be restored to the most recent state after a problem occurs.
Consider implementing IPsec filters
Blocking ports with IPsec filters
Internet Protocol security (IPsec) filters provide an effective way to raise a server's security to the level required. This guide recommends using them in the High Security environment it defines, to further reduce the attack surface of the server.
For more information about using IPsec filters, see the module "Additional member server hardening procedures".
The following table lists all the IPsec filters that can be created on an IIS server in the High Security environment defined in this guide.
Service | Protocol | Source port | Destination port | Source address | Destination address | Action | Mirrored
Terminal Services | TCP | Any | 3389 | Any | ME | Allow | Yes
HTTP Server | TCP | Any | 80 | Any | ME | Allow | Yes
HTTPS Server | TCP | Any | 443 | Any | ME | Allow | Yes
When you implement the rules in the table above, mirror all of them. Mirroring adds the matching filter for the return direction, so that replies to any traffic that enters the server can get back to its source.
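The table can be turned into an assigned local IPsec policy with the netsh ipsec static context that Windows Server 2003 provides. The script below is an added example, not part of the original guide: it generates the netsh commands for the three permit rules exactly as the table states them (source port any, source address any, destination ME, mirrored) and, as my own addition, a mirrored block-everything-else rule, because the permit rules alone block nothing; IPsec applies the most specific matching filter, so the port-specific permits win over the catch-all. The policy and filter-list names are assumptions. Without -Apply it only prints the commands.

```powershell
# Added example (not from the original guide): build the IPsec filter table as a local
# policy with "netsh ipsec static" (Windows Server 2003). The block-all rule is an addition;
# policy and filter-list names are assumptions. Prints the commands unless -Apply is given.

$PolicyName = 'IIS Hardening'

# Service, protocol and destination port from the table.
$PermitRules = @(
    @{ Service='Terminal Services'; Protocol='tcp'; Port=3389 },
    @{ Service='HTTP Server';       Protocol='tcp'; Port=80 },
    @{ Service='HTTPS Server';      Protocol='tcp'; Port=443 }
)

function Get-IpsecCommands {
    $cmds = @()
    $cmds += "netsh ipsec static add policy name=`"$PolicyName`" description=`"Permit only the listed inbound services`""
    $cmds += 'netsh ipsec static add filteraction name="Permit" action=permit'
    $cmds += 'netsh ipsec static add filteraction name="Block" action=block'
    foreach ($r in $PermitRules) {
        $list = "$($r.Service) inbound"
        $cmds += "netsh ipsec static add filterlist name=`"$list`""
        # srcport=0 means any source port; mirrored=yes adds the return-direction filter
        $cmds += "netsh ipsec static add filter filterlist=`"$list`" srcaddr=any dstaddr=me protocol=$($r.Protocol) srcport=0 dstport=$($r.Port) mirrored=yes"
        $cmds += "netsh ipsec static add rule name=`"$($r.Service)`" policy=`"$PolicyName`" filterlist=`"$list`" filteraction=`"Permit`""
    }
    # Catch-all (my addition): everything else addressed to this host is blocked.
    $cmds += 'netsh ipsec static add filterlist name="All other traffic"'
    $cmds += 'netsh ipsec static add filter filterlist="All other traffic" srcaddr=any dstaddr=me protocol=any mirrored=yes'
    $cmds += "netsh ipsec static add rule name=`"Block everything else`" policy=`"$PolicyName`" filterlist=`"All other traffic`" filteraction=`"Block`""
    $cmds += "netsh ipsec static set policy name=`"$PolicyName`" assign=y"
    return $cmds
}

function Invoke-IpsecPolicy([switch]$Apply) {
    foreach ($c in Get-IpsecCommands) {
        Write-Output $c
        if ($Apply) { cmd.exe /c $c }
    }
}

Invoke-IpsecPolicy   # review the commands; add -Apply from a console session on the server
```

Because the catch-all is mirrored, it also matches the server's own outbound connections (DNS, domain controllers, update downloads), so permit rules for those must be added before the policy is assigned, and the first assignment should be done from the server console rather than over Remote Desktop. The policy is removed again with netsh ipsec static set policy name="IIS Hardening" assign=n followed by delete policy.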
SQL Server security hardening
MDAC upgrade
Install the latest MDAC (http://www.microsoft.com/data/download.htm).
Password policy
Because the SA user name cannot be changed and the superuser cannot be removed in SQL Server, this account must be protected most strongly, which of course includes using a very strong password; preferably the SA account is not used by database applications at all. Create a new superuser with the same permissions as SA to manage the database, and get into the habit of changing passwords regularly. The database administrator should periodically check for accounts that do not meet the password requirements, for example with the following SQL statement:
    USE master
    SELECT name, password FROM syslogins WHERE password IS NULL
Database log records
Audit both failure and success of database logon events: select Security in the instance properties and set the audit level to All, so that the logon events of all accounts are recorded in detail in both the database log and the operating system log.
Managing extended stored procedures
xp_cmdshell is the easiest way into the operating system and is a large back door in the database. Remove it with this SQL statement:
    USE master
    sp_dropextendedproc 'xp_cmdshell'
If you need this stored procedure later, restore it with:
    sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'
The OLE Automation stored procedures (removing them may make some Enterprise Manager features unusable) are the following; they do not all need to be removed:
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop
Remove the registry-access stored procedures that are not needed; these procedures can even be used to read out the operating system administrator's password. They are:
xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
xp_regread xp_regremovemultistring xp_regwrite
Countering TCP/IP port detection
In the instance properties, open the properties of the TCP/IP protocol and choose to hide the SQL Server instance.
On top of that, change the default port 1433.
When an IPsec filter also drops UDP traffic to port 1434, the SQL Server is hidden as far as possible.
IP restrictions on network connections
IP packet security can be achieved with the operating system's own IPsec. Restrict IP connections so that only its own IP address can connect, and deny port connectivity from other IPs.
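The SQL Server checks in this section (password-less logins, extended procedures that are still present, and the TCP port and hide setting) can be collected in one read-only pass. The script below is an added example, not part of the original checklist: it runs the page's own syslogins query plus a sysobjects query for the listed extended procedures, and reads the TCP settings of the default instance from the registry. It assumes SQL Server 2000 (the syslogins and sysobjects catalog the page uses) as the local default instance, reachable with Windows authentication; $Server is an assumption.

```powershell
# Added example (not from the original checklist): read-only SQL Server checks for this
# section. Assumes SQL Server 2000, local default instance, Windows authentication.
$Server = 'localhost'

# Extended procedures the checklist says to remove or review.
$RiskyProcs = @('xp_cmdshell',
    'sp_OACreate', 'sp_OADestroy', 'sp_OAGetErrorInfo', 'sp_OAGetProperty',
    'sp_OAMethod', 'sp_OASetProperty', 'sp_OAStop',
    'xp_regaddmultistring', 'xp_regdeletekey', 'xp_regdeletevalue', 'xp_regenumvalues',
    'xp_regread', 'xp_regremovemultistring', 'xp_regwrite')

# Run one query against master and return the rows as a DataTable.
function Invoke-SqlQuery([string]$Query) {
    $conn  = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=master;Integrated Security=SSPI"
    $table = New-Object System.Data.DataTable
    try {
        $conn.Open()
        $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $Query, $conn
        $adapter.Fill($table) | Out-Null
    } finally {
        $conn.Close()
    }
    return ,$table
}

function Get-SqlFindings {
    $findings = @()

    # Password policy: logins that have no password at all (the page's own query)
    foreach ($row in (Invoke-SqlQuery 'SELECT name FROM syslogins WHERE password IS NULL').Rows) {
        $findings += "Login without a password: $($row.name)"
    }

    # Extended stored procedures: which of the listed ones still exist (xtype X = extended procedure)
    $inList = ($RiskyProcs | ForEach-Object { "'$_'" }) -join ', '
    foreach ($row in (Invoke-SqlQuery "SELECT name FROM sysobjects WHERE xtype = 'X' AND name IN ($inList)").Rows) {
        $findings += "Extended procedure still present: $($row.name)"
    }

    # Port detection: TCP settings of the default instance (SQL Server 2000 registry location)
    $tcpKey = 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp'
    if (Test-Path $tcpKey) {
        $tcp = Get-ItemProperty $tcpKey
        if ("$($tcp.TcpPort)" -eq '1433') { $findings += 'Instance still listens on the default port 1433' }
        if ($tcp.TcpHideFlag -ne 1)        { $findings += 'Instance is not hidden (TcpHideFlag is not 1)' }
    }
    return $findings
}

Get-SqlFindings
```

Every "Extended procedure still present" line maps to one sp_dropextendedproc call as shown above; run Get-SqlFindings again afterwards, and expect the OLE Automation procedures to stay listed if you chose to keep them for Enterprise Manager.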
Appendix: recommended list of services to disable on Windows 2003
Name | Service name | Recommended setting
Automatic Updates | Wuauserv | Disable
Background Intelligent Transfer Service | BITS | Disable
Computer Browser | Browser | Disable
DHCP Client | DHCP | Disable
NTLM Security Support Provider | NTLMSSP | Disable
Network Location Awareness | NLA | Disable
Performance Logs and Alerts | SysmonLog | Disable
Remote Administration Service | Srvcsurg | Disable
Remote Registry Service | RemoteRegistry | Disable
Server | LanManServer | Disable
TCP/IP NetBIOS Helper Service | LmHosts | Disable
Terminal Services | TermService | Disable
Windows Installer | MSIServer | Disable
Windows Management Instrumentation Driver Extensions | Wmi | Disable
WMI Performance Adapter | Wmiapsrv | Disable
Error Reporting | Errrep | Disable
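The list above can be applied in one pass, as long as the previous start mode of each service is recorded so the change can be undone. The script below is an added example, not part of the original checklist: it reports the current start mode and state of every listed service and, with -Apply, sets each one to Disabled and stops it. It assumes Windows Server 2003 with PowerShell 2.0 and local administrator rights. The service names are taken from the list as written; a name that does not exist on the machine is reported rather than treated as an error.

```powershell
# Added example (not from the original checklist): disable and stop the listed services,
# recording the previous start mode for reverting. Assumes Windows Server 2003 / PowerShell 2.0.
$ServicesToDisable = @('Wuauserv', 'BITS', 'Browser', 'DHCP', 'NTLMSSP', 'NLA', 'SysmonLog',
    'Srvcsurg', 'RemoteRegistry', 'LanManServer', 'LmHosts', 'TermService', 'MSIServer',
    'Wmi', 'Wmiapsrv', 'Errrep')

# Without -Apply: report each service's current start mode and state.
# With -Apply: set the start mode to Disabled and stop it (and its dependents), recording what it was.
function Invoke-ServiceHardening([switch]$Apply) {
    $report = @()
    foreach ($name in $ServicesToDisable) {
        $svc = Get-WmiObject Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) {
            $report += New-Object PSObject -Property @{ Service=$name; Before='(not installed)'; State='-'; Changed=$false }
            continue
        }
        $changed = $false
        if ($Apply -and $svc.StartMode -ne 'Disabled') {
            Set-Service -Name $svc.Name -StartupType Disabled
            if ($svc.State -eq 'Running') { Stop-Service -Name $svc.Name -Force -ErrorAction SilentlyContinue }
            $changed = $true
        }
        $report += New-Object PSObject -Property @{ Service=$svc.Name; Before=$svc.StartMode; State=$svc.State; Changed=$changed }
    }
    return $report
}

Invoke-ServiceHardening | Format-Table Service, Before, State, Changed -AutoSize
# To apply and keep the record for reverting:
#   Invoke-ServiceHardening -Apply | Export-Csv (Join-Path $env:TEMP 'services-before.csv') -NoTypeInformation
```

Review the report before adding -Apply: if the server is administered over Remote Desktop, take TermService out of the list (the IPsec table earlier on this page permits port 3389, so the two recommendations conflict), and note that disabling LanManServer removes file sharing, including the administrative shares that items 6 and 7 otherwise restrict.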