Security Hardening for Windows Server 2003, IIS and SQL Server

Source: Internet
Author: User
Tags: anonymous, IIS, system log, File Transfer Protocol, server port, strong password, NTFS permissions

Operating system hardening:

1. Move %SystemRoot%\system32\cmd.exe to another directory or rename it. This only raises the bar for an attacker who already has code execution on the box, and Windows File Protection may put the file back; restricting the NTFS permissions on cmd.exe to Administrators and System is the more durable control.

2. Keep the number of accounts to a minimum, rename the default accounts (Administrator, Guest) and change their descriptions, and use passwords that are as complex as possible.

3. Assign the user right "Deny access to this computer from the network" to: ANONYMOUS LOGON, the built-in Administrator account, Support_388945a0, Guest, and every service account that is not an operating-system account.

4. Give ordinary users read-only access and give Administrators and System full control. This can break scripts that need to write (uploads, counters, files the application writes), so the permissions on those particular folders and files must be relaxed individually. Try the change on a test machine first, then apply it to production carefully.

5. NTFS file permissions (note: an explicit permission on a file takes precedence over the permission inherited from its folder):

File type                                        Recommended NTFS permissions
CGI files (.exe, .dll, .cmd, .pl)                Everyone (Execute); Administrators (Full Control); System (Full Control)
Script files (.asp)                              Everyone (Execute); Administrators (Full Control); System (Full Control)
Include files (.inc, .shtm, .shtml)              Everyone (Execute); Administrators (Full Control); System (Full Control)
Static content (.txt, .gif, .jpg, .htm, .html)   Everyone (Read); Administrators (Full Control); System (Full Control)

"Execute" here is the NTFS Read & Execute right; static content needs only Read, consistent with item 4. Nothing under the web root should grant Everyone Write or Modify.
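The table above as a script, added here as an example and not code from the original article: it applies the per-extension rights to every file under a web root and then reports any file on which Everyone still holds a write-capable right. The path D:\wwwroot is a placeholder; the well-known SIDs are used instead of the names "Everyone" and "Administrators" so the script does not depend on the operating-system language.

```powershell
# Added example (not from the original article). Applies the per-extension NTFS
# permissions from the table to every file under $WebRoot and then reports any
# file on which Everyone can still write. Assumption: $WebRoot is the content
# directory (D:\wwwroot is a placeholder); run elevated on the server.
param([string]$WebRoot = 'D:\wwwroot', [switch]$Apply)

$Allow = [System.Security.AccessControl.AccessControlType]::Allow
# Well-known SIDs instead of names, so the script works on any OS language.
$Everyone = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'
$Admins   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-544'
$System   = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-18'

# Right granted to Everyone per extension. "Execute" in the table is NTFS
# Read & Execute: IIS (as IUSR) must read a script before it can run it.
$RightByExtension = @{}
foreach ($e in '.exe','.dll','.cmd','.pl','.asp','.inc','.shtm','.shtml') { $RightByExtension[$e] = 'ReadAndExecute' }
foreach ($e in '.txt','.gif','.jpg','.htm','.html')                       { $RightByExtension[$e] = 'Read' }

function New-WebFileAcl {
    param([string]$Path, [string]$EveryoneRight)
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the folder and drop the inherited ACEs, so the file
    # ends up with exactly the three entries from the table.
    $acl.SetAccessRuleProtection($true, $false)
    foreach ($ace in @($acl.Access)) { $acl.RemoveAccessRuleAll($ace) }
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Admins,   'FullControl',   $Allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($System,   'FullControl',   $Allow)))
    $acl.AddAccessRule((New-Object System.Security.AccessControl.FileSystemAccessRule($Everyone, $EveryoneRight, $Allow)))
    return $acl
}

# Files where Everyone holds a write-capable right: these are the ones an
# anonymous web user could deface or use to drop a script.
function Find-EveryoneWritable {
    param([string]$Root)
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]'Write, Modify, FullControl'
    Get-ChildItem -Path $Root -Recurse | Where-Object { -not $_.PSIsContainer } | ForEach-Object {
        $file = $_
        foreach ($ace in (Get-Acl -Path $file.FullName).Access) {
            if ($ace.AccessControlType -ne $Allow) { continue }
            $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]).Value
            if ($sid -eq 'S-1-1-0' -and (([int]$ace.FileSystemRights -band $writeMask) -ne 0)) { $file.FullName }
        }
    }
}

$files = Get-ChildItem -Path $WebRoot -Recurse | Where-Object { -not $_.PSIsContainer }
foreach ($f in $files) {
    $ext = $f.Extension.ToLower()
    if (-not $RightByExtension.ContainsKey($ext)) { Write-Warning "No rule for $($f.FullName); left unchanged"; continue }
    if ($Apply) { Set-Acl -Path $f.FullName -AclObject (New-WebFileAcl -Path $f.FullName -EveryoneRight $RightByExtension[$ext]) }
}
$writable = @(Find-EveryoneWritable -Root $WebRoot)
if ($writable.Count -eq 0) { Write-Host "No file under $WebRoot is writable by Everyone." }
else { $writable | ForEach-Object { Write-Warning "Everyone can write: $_" } }
```

Without -Apply the script only audits, which is the right first run on a production box. It deliberately leaves files with extensions outside the table untouched and warns about them, and it does not touch folder ACLs: a folder that grants Everyone write still lets the anonymous user create new files in it, so check folders separately.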

6. Disable the default administrative drive shares (C$, D$ and so on):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

AutoShareServer, REG_DWORD, 0x0

7. Disable the default ADMIN$ share:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters

AutoShareWks, REG_DWORD, 0x0

Note: on a server operating system AutoShareServer is the value that is honoured, and it stops both the drive shares and ADMIN$ from being created; AutoShareWks is the equivalent for workstation editions, so setting both is harmless. The change takes effect when the Server service restarts. IPC$ is not affected by either value (see item 8).

8. Restrict anonymous (null session) use of IPC$:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

RestrictAnonymous, REG_DWORD:

0x0 Default: anonymous users may enumerate local accounts and shares

0x1 Anonymous users cannot enumerate local accounts and shares

0x2 No access for anonymous users unless explicitly granted, which also stops anonymous connections to IPC$

Note: 2 is not recommended; it can stop some services from starting, SQL Server among them. Use 1. In Local Security Policy the same setting appears as "Network access: Do not allow anonymous enumeration of SAM accounts and shares".

9. Grant users only the rights they genuinely need. Least privilege is one of the most important guarantees of security.

10. In Local Security Policy -> Audit Policy enable the appropriate auditing. Recommended settings:

Audit account management            Success, Failure
Audit logon events                  Success, Failure
Audit object access                 Failure
Audit policy change                 Success, Failure
Audit privilege use                 Failure
Audit system events                 Success, Failure
Audit directory service access      Failure
Audit account logon events          Success, Failure

Auditing too little means that when you need a record, there is none; auditing too much consumes system resources and buries the events you care about, so the audit loses its value. Related to this:

In Account Policies -> Password Policy set:

Password must meet complexity requirements    Enabled
Minimum password length                       6 characters
Enforce password history                      5 passwords remembered
Maximum password age                          30 days

In Account Policies -> Account Lockout Policy set:

Account lockout threshold              3 invalid logon attempts
Account lockout duration               20 minutes
Reset account lockout counter after    20 minutes

Six characters is the minimum this guide settles on; longer is better. A threshold of 3 also lets anyone who knows a user name lock that account on purpose, which is why the lockout duration is kept short rather than indefinite.
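The audit, password and lockout settings above as a security template, added here as an example and not part of the original article. It writes the settings to an INF file, applies it with secedit, then exports the effective policy and compares it value by value. Assumptions: the script runs elevated on the server; on a domain member a domain GPO may override these local settings, which the comparison step would reveal as drift.

```powershell
# Added example (not from the original article). Applies the audit, password and
# lockout settings above through a security template and then reads them back.
# Assumptions: run elevated on the member server or stand-alone box; if the
# machine is in a domain, a domain GPO may override these local settings.
$WorkDir  = Join-Path $env:TEMP 'hardening'
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$Template = Join-Path $WorkDir 'policy.inf'
$Database = Join-Path $WorkDir 'policy.sdb'
$Exported = Join-Path $WorkDir 'current.inf'
$Log      = Join-Path $WorkDir 'apply.log'

# [Event Audit] values: 0 = none, 1 = success, 2 = failure, 3 = success and failure.
$Desired = @{
    'System Access' = @{
        PasswordComplexity    = 1
        MinimumPasswordLength = 6
        PasswordHistorySize   = 5
        MaximumPasswordAge    = 30
        LockoutBadCount       = 3
        LockoutDuration       = 20
        ResetLockoutCount     = 20
    }
    'Event Audit' = @{
        AuditAccountManage = 3
        AuditLogonEvents   = 3
        AuditObjectAccess  = 2
        AuditPolicyChange  = 3
        AuditPrivilegeUse  = 2
        AuditSystemEvents  = 3
        AuditDSAccess      = 2
        AuditAccountLogon  = 3
    }
}

function Write-SecurityTemplate {
    param([string]$Path, [hashtable]$Settings)
    $lines = @('[Unicode]', 'Unicode=yes', '[Version]', 'signature="$CHICAGO$"', 'Revision=1')
    foreach ($section in $Settings.Keys) {
        $lines += "[$section]"
        foreach ($name in $Settings[$section].Keys) { $lines += "$name = $($Settings[$section][$name])" }
    }
    # The [Unicode] header tells secedit the file is UTF-16, so write it that way.
    $lines | Out-File -FilePath $Path -Encoding Unicode
}

# Parses an INF exported by secedit into section -> name -> value.
function Read-SecurityTemplate {
    param([string]$Path)
    $result = @{}; $section = $null
    foreach ($line in Get-Content -Path $Path) {
        if ($line -match '^\[(.+)\]$') { $section = $matches[1]; $result[$section] = @{}; continue }
        if ($section -and $line -match '^\s*(\w+)\s*=\s*(.*?)\s*$') { $result[$section][$matches[1]] = $matches[2] }
    }
    return $result
}

function Compare-SecurityPolicy {
    param([hashtable]$Desired, [hashtable]$Current)
    $drift = @()
    foreach ($section in $Desired.Keys) {
        foreach ($name in $Desired[$section].Keys) {
            $want = [string]$Desired[$section][$name]
            $have = if ($Current.ContainsKey($section)) { $Current[$section][$name] } else { $null }
            if ($have -ne $want) { $drift += "$section/$name is '$have', expected '$want'" }
        }
    }
    return ,$drift
}

Write-SecurityTemplate -Path $Template -Settings $Desired
& secedit /configure /db $Database /cfg $Template /overwrite /areas SECURITYPOLICY /log $Log /quiet | Out-Null
& secedit /export /cfg $Exported /areas SECURITYPOLICY | Out-Null

$drift = Compare-SecurityPolicy -Desired $Desired -Current (Read-SecurityTemplate -Path $Exported)
if ($drift.Count -eq 0) { Write-Host 'Audit, password and lockout settings match the recommended values.' }
else { $drift | ForEach-Object { Write-Warning $_ } }
```

The export step is the part worth keeping even if you set the policy by hand in the MMC: running just the /export and the comparison on a schedule tells you when someone has quietly relaxed the lockout threshold or switched logon auditing off.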

11. In Terminal Services Configuration -> Connections -> RDP-Tcp -> Properties -> Permissions -> Advanced -> Auditing, configure security auditing; auditing logon and logoff events is generally enough.

12. Unbind NetBIOS from TCP/IP:

Older systems: Control Panel -> Network -> Bindings -> NetBIOS Interface -> Disable. Windows 2000/2003: Control Panel -> Network and Dial-up Connections -> Local Area Connection -> Properties -> TCP/IP -> Properties -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.

13. Enable TCP/IP filtering in the advanced TCP/IP properties and open only the ports that are needed (for example 80). TCP/IP filtering applies to every adapter and has no notion of source address; the IPSec filters described later are the finer-grained tool.

14. Set RestrictAnonymous under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa as described in item 8 to prevent null-session connections on port 139. Disabling NetBIOS over TCP/IP (item 12) closes port 139 entirely; SMB then remains reachable on port 445, which has to be filtered separately.

15. Change the packet Time To Live (TTL) value:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

DefaultTTL, REG_DWORD, 0-0xff (0-255 decimal; default 128)

Changing the TTL only makes crude operating-system fingerprinting less reliable; it has no other security effect.

16. Protect against SYN flood attacks:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

SynAttackProtect, REG_DWORD, 0x2 (default 0x0). On Windows Server 2003 SP1 and later the protection is already on by default (value 0x1); 0x2 was the strongest level on Windows 2000.

17. Stop responding to ICMP Router Advertisement messages (set per interface):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID>

PerformRouterDiscovery, REG_DWORD, 0x0 (default 0x2: enabled only when DHCP says so)

18. Ignore ICMP Redirect packets:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

EnableICMPRedirect, REG_DWORD, 0x0 (default 0x1)

19. Disable IGMP (multicast):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

IGMPLevel, REG_DWORD, 0x0 (default 0x2)

20. ARP cache ageing:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

ArpCacheLife, REG_DWORD, 0-0xffffffff (seconds; default 120)

ArpCacheMinReferencedLife, REG_DWORD, 0-0xffffffff (seconds; default 600)

21. Disable dead-gateway detection:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

EnableDeadGWDetect, REG_DWORD, 0x0 (default 0x1)

22. Disable IP routing (forwarding between interfaces):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

IPEnableRouter, REG_DWORD, 0x0 (default 0x0)

Values under Tcpip\Parameters take effect after a reboot.
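The registry values from items 6 to 8 and 14 to 22 as one audit-and-apply script, added here as an example and not part of the original article. It lists every value with its recommended setting, reports which ones are absent or wrong, and with -Apply writes them as DWORDs. Assumptions: run elevated; RestrictAnonymous is set to 1 per item 8; values the article lists without a recommended number (DefaultTTL, the ArpCache values) are left alone; item 17 is expanded over every interface key present.

```powershell
# Added example (not from the original article). Audits and, with -Apply, sets the
# LanmanServer, Lsa and TCP/IP registry values from items 6-8 and 14-22.
# Assumption: run elevated; TCP/IP values take effect after a reboot. Values the
# article lists without a recommended number (DefaultTTL, ArpCache*) are left alone.
param([switch]$Apply)

$Tcpip  = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$Lsa    = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Key path, value name, recommended DWORD, and the article item it comes from.
$Settings = @(
    @{ Path=$Lanman; Name='AutoShareServer';    Value=0; Item='6: no C$/D$/ADMIN$ shares' },
    @{ Path=$Lanman; Name='AutoShareWks';       Value=0; Item='7: workstation equivalent' },
    @{ Path=$Lsa;    Name='RestrictAnonymous';  Value=1; Item='8/14: no anonymous enumeration (2 breaks SQL Server)' },
    @{ Path=$Tcpip;  Name='SynAttackProtect';   Value=2; Item='16: SYN flood protection' },
    @{ Path=$Tcpip;  Name='EnableICMPRedirect'; Value=0; Item='18: ignore ICMP redirects' },
    @{ Path=$Tcpip;  Name='IGMPLevel';          Value=0; Item='19: no multicast' },
    @{ Path=$Tcpip;  Name='EnableDeadGWDetect'; Value=0; Item='21: no dead-gateway detection' },
    @{ Path=$Tcpip;  Name='IPEnableRouter';     Value=0; Item='22: no IP forwarding' }
)
# Item 17 is per interface, so expand it over every interface key on the box.
foreach ($iface in Get-ChildItem -Path "$Tcpip\Interfaces") {
    $Settings += @{ Path=$iface.PSPath; Name='PerformRouterDiscovery'; Value=0; Item='17: no router discovery' }
}

function Get-RegDword {
    param([string]$Path, [string]$Name)
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return [int]$item.$Name
}

# Returns one line per value that is absent or differs from the recommendation.
function Test-HardeningSettings {
    param([array]$Settings)
    $failed = @()
    foreach ($s in $Settings) {
        $have = Get-RegDword -Path $s.Path -Name $s.Name
        $state = if ($have -eq $null) { 'absent (default applies)' } elseif ($have -eq $s.Value) { 'ok' } else { "is $have" }
        if ($state -ne 'ok') { $failed += "$($s.Name) $state, want $($s.Value)   [$($s.Item)]" }
    }
    return ,$failed
}

function Set-HardeningSettings {
    param([array]$Settings)
    foreach ($s in $Settings) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # -Force creates the value or overwrites it, keeping the DWORD type.
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType DWord -Force | Out-Null
    }
}

$before = Test-HardeningSettings -Settings $Settings
if ($before.Count -eq 0) { Write-Host 'All registry hardening values are already set.' }
else { $before | ForEach-Object { Write-Warning $_ } }

if ($Apply -and $before.Count -gt 0) {
    Set-HardeningSettings -Settings $Settings
    $after = Test-HardeningSettings -Settings $Settings
    if ($after.Count -eq 0) { Write-Host 'Applied. Reboot for the TCP/IP values to take effect.' }
    else { $after | ForEach-Object { Write-Warning $_ } }
}
```

Keeping the recommendations in one table with the article item beside each value makes the audit output self-explanatory when it runs months later, and an absent value is reported separately from a wrong one because "absent" means the Windows default is in force, which for some of these values (SynAttackProtect on SP1 and later) is already acceptable.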

To install and configure the IIS service:

1. Install only the IIS components that are needed (for example, do not install the FTP and SMTP services unless they are used).

2. Enable only the services and Web Service Extensions that are needed. Recommended component configuration:

Component (name in the UI): Setting. Reasoning.

Background Intelligent Transfer Service (BITS) Server Extensions: Enable. BITS is the background file transfer mechanism used by Windows Update and Automatic Updates. If you use Windows Update or Automatic Updates to apply service packs and hotfixes to the IIS server, this component is required.

Common Files: Enable. IIS requires these files; they must be enabled on the IIS server.

File Transfer Protocol (FTP) Service: Disable. Lets the IIS server provide FTP. Not required on a dedicated IIS server.

FrontPage 2002 Server Extensions: Disable. Provides FrontPage support for administering and publishing web sites. Disable on a dedicated IIS server unless a site uses FrontPage extensions.

Internet Information Services Manager: Enable. The administrative interface for IIS.

Internet Printing: Disable. Web-based printer management that shares printers over HTTP. Not required on a dedicated IIS server.

NNTP Service: Disable. Distributes, queries, retrieves and posts Usenet news articles. Not required on a dedicated IIS server.

SMTP Service: Disable. Supports transfer of e-mail messages. Not required on a dedicated IIS server.

World Wide Web Service: Enable. Serves static and dynamic web content to clients. Required on a dedicated IIS server.

World Wide Web Service subcomponents:

Active Server Pages: Enable. Provides ASP support. If no site or application on the server uses ASP, disable this subcomponent, or disable it under Web Service Extensions.

Internet Data Connector: Disable. Provides dynamic content through files with the .idc extension. If no site or application on the server uses .idc files, disable this subcomponent, or disable it under Web Service Extensions.

Remote Administration (HTML): Disable. An HTML interface for administering IIS. Using IIS Manager instead is simpler and reduces the attack surface. Not required on a dedicated IIS server.

Remote Desktop Web Connection: Disable. Includes the Microsoft ActiveX control for Terminal Services client connections and a sample page. Using IIS Manager instead is simpler and reduces the attack surface. Not required on a dedicated IIS server.

Server Side Includes: Disable. Provides support for .shtm, .shtml and .stm files. If no site or application on the server uses these include files, disable this subcomponent.

WebDAV Publishing: Disable. WebDAV extends HTTP/1.1 to let clients publish, lock and manage resources on the web server. Disable it on a dedicated IIS server, or disable it under Web Service Extensions.

World Wide Web Service: Enable. Serves static and dynamic web content to clients. Required on a dedicated IIS server.

3. Keep the IIS directories and web data off the system disk, on a dedicated volume.

4. In IIS Manager, remove every application extension mapping that is not required (keep the necessary ones, such as .asp). Every mapping left in place is a handler an attacker can reach without any of your own code being involved.

5. Point the HTTP 404 (Object Not Found) error to a custom .htm file by URL in IIS, so that error pages do not reveal server details.

6. Web site permissions (recommended):

Read                     Allow
Write                    Do not allow
Script source access     Do not allow
Directory browsing       Off
Log visits               The original recommends off; keep it on if you rely on the request logs described in item 7
Index this resource      Off
Execute permissions      "Scripts only" (never "Scripts and Executables" on a content directory)

7. Use the W3C Extended log file format and record at least the client IP address, user name, server port, method, URI stem, HTTP status and user agent, and review the log daily. Do not keep the logs in the default directory; move them to a dedicated path and set its permissions so that only Administrators and System have Full Control (IIS writes the log as Local System).

8. Application security:

1) Keep user names and passwords on the server side, in a protected component or file rather than inline in ASP pages, and give the database login used for connections the minimum rights it needs.

2) For ASP pages that require authentication, check the session (and, as a weaker secondary check, the referring page) so that the page can only be reached after passing through the login page.

3) Prevent leakage of .inc include files on ASP sites (serve them through asp.dll or deny them outright).

4) Prevent leakage of editor backup files such as some.asp.bak left behind by UltraEdit and other editors; anyone who fetches one gets the page source, including any credentials embedded in it.

Security updates

Apply all required service packs and install patches regularly, by hand if necessary.

Install and configure antivirus protection

Norton AntiVirus 8.1 (the "virus firewall") is recommended, configured to update at least once a week.

Install and configure firewall protection

The latest version of BlackICE Server Protection is recommended (simple to configure and practical).

Monitoring

Install and configure the MOM agent or a similar monitoring solution as required.

Strengthen data backups

Back up the web data on a schedule so that the site can be restored to the most recent good state after a problem.

Consider implementing IPSec filters

Blocking ports with IPSec filters

Internet Protocol security (IPSec) filters are an effective way to raise a server's security level. This guide recommends them in the High Security environment it defines, to reduce the server's attack surface further.

For more information about using IPSec filters, see the module "Additional member server hardening procedures".

The following table lists all the IPSec filters that can be created on an IIS server in the High Security environment defined in this guide.

Service            Protocol   Source port   Destination port   Source address   Destination address   Action   Mirrored
Terminal Services  TCP        Any           3389               Any              ME                    Allow    Yes
HTTP Server        TCP        Any           80                 Any              ME                    Allow    Yes
HTTPS Server       TCP        Any           443                Any              ME                    Allow    Yes

When you implement the rules in the table, mirror all of them. Mirroring ensures that the reply to any traffic that enters the server can also leave it toward the source. These permit rules only have an effect alongside a broader rule that blocks all other inbound traffic to ME; IPSec applies the most specific matching filter, so the port-specific permits take precedence over the catch-all block.

SQL Server security hardening

Step: Description

MDAC upgrade: Install the latest MDAC (http://www.microsoft.com/data/download.htm).

Password policy: SQL Server cannot rename the sa login or remove it, so that account must be protected most strongly: give it a very strong password and, preferably, do not use sa in the database application at all. Create a separate login with sysadmin rights to administer the database, and get into the habit of changing passwords regularly. The database administrator should periodically check for logins that do not meet the password requirements, for example with the following SQL (syslogins also lists Windows logins, whose password column is always NULL, so exclude them):

USE master
SELECT name, password FROM syslogins WHERE isntname = 0 AND password IS NULL

Database log records: Audit login events for both failure and success: in the instance properties, open the Security tab and set the audit level to "All", so that logon events for every account are recorded in detail in both the SQL Server log and the operating system log.

Managing extended stored procedures

xp_cmdshell is the easiest way from the database into the operating system; it is a large back door for the database. Remove it with:

USE master
EXEC sp_dropextendedproc 'xp_cmdshell'

If the procedure is needed again, restore it with the following statement (xpsql70.dll is the SQL Server 7.0 library; on SQL Server 2000 the procedure lives in xplog70.dll):

EXEC sp_addextendedproc 'xp_cmdshell', 'xpsql70.dll'

Dropping the procedure does not stop a sysadmin login from adding it back, so it protects only against lower-privileged logins and application accounts that were granted too much.

OLE Automation stored procedures (removing them can stop some features of Enterprise Manager from working) include the following; drop the ones that are not needed:

sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop

Remove the registry-access stored procedures that are not needed; they let a login read and write registry keys on the server, including keys holding sensitive configuration:

xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
xp_regread xp_regremovemultistring xp_regwrite
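A check script for this section and the one that follows, added here as an example and not part of the original article: it connects to the instance and reports SQL logins with a NULL password, every member of sysadmin, and which of the extended procedures listed above are still present, then reads the TCP port and hidden-instance flag from the registry. Assumptions: a local default instance ('.'), Windows authentication for the account running the script, the SQL Server 7.0/2000 system tables syslogins and sysobjects, and the SQL Server 2000 registry location for the TCP settings.

```powershell
# Added example (not from the original article). Audits a SQL Server 7.0/2000
# instance for the points above: SQL logins with a NULL password, members of the
# sysadmin role, and extended procedures the article says to remove, plus the
# TCP port and hidden flag from the next section. Assumptions: local default
# instance ('.'), Windows authentication for the caller, system tables
# syslogins/sysobjects, and the SQL Server 2000 registry key for TCP settings.
param([string]$Server = '.')

$DangerousXps = @('xp_cmdshell',
    'sp_OACreate','sp_OADestroy','sp_OAGetErrorInfo','sp_OAGetProperty','sp_OAMethod','sp_OASetProperty','sp_OAStop',
    'xp_regaddmultistring','xp_regdeletekey','xp_regdeletevalue','xp_regenumvalues','xp_regread','xp_regremovemultistring','xp_regwrite')

# Runs a query and returns its first column as a string array.
function Get-FirstColumn {
    param([System.Data.SqlClient.SqlConnection]$Connection, [string]$Sql)
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    $values = @()
    $reader = $cmd.ExecuteReader()
    try { while ($reader.Read()) { $values += [string]$reader.GetValue(0) } } finally { $reader.Close() }
    return ,$values
}

function Get-SqlHardeningReport {
    param([string]$Server)
    $conn = New-Object System.Data.SqlClient.SqlConnection "Server=$Server;Database=master;Integrated Security=SSPI"
    $conn.Open()
    try {
        # Windows logins (isntname = 1) never carry a SQL password, so only SQL logins count.
        $blank  = Get-FirstColumn $conn 'SELECT name FROM syslogins WHERE isntname = 0 AND password IS NULL'
        $admins = Get-FirstColumn $conn 'SELECT name FROM syslogins WHERE sysadmin = 1'
        # xtype X = extended stored procedure; the sp_OA* procedures are also type X in master.
        $list = ($DangerousXps | ForEach-Object { "'" + $_ + "'" }) -join ','
        $xps  = Get-FirstColumn $conn "SELECT name FROM sysobjects WHERE xtype = 'X' AND name IN ($list)"
    } finally { $conn.Close() }

    # Default-instance key; a named instance keeps these under
    # HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server\<instance>\MSSQLServer\SuperSocketNetLib\Tcp
    $tcp = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\MSSQLServer\MSSQLServer\SuperSocketNetLib\Tcp' -ErrorAction SilentlyContinue
    $port = $null; $hidden = $null
    if ($tcp) { $port = [string]$tcp.TcpPort; $hidden = ([int]$tcp.TcpHideFlag -eq 1) }

    return @{
        BlankPasswordLogins = $blank
        SysadminLogins      = $admins
        DangerousXpsPresent = $xps
        TcpPort             = $port
        InstanceHidden      = $hidden
    }
}

$report = Get-SqlHardeningReport -Server $Server
foreach ($key in 'BlankPasswordLogins','SysadminLogins','DangerousXpsPresent') {
    $text = if ($report[$key].Count -gt 0) { $report[$key] -join ', ' } else { '(none)' }
    Write-Host ("{0,-22} {1}" -f $key, $text)
}
Write-Host ("TCP port: {0}; instance hidden: {1}; still on the default port 1433: {2}" -f $report.TcpPort, $report.InstanceHidden, ($report.TcpPort -eq '1433'))
```

The sysadmin list is the one to read most carefully: the article's advice to administer through a second sysadmin login is only an improvement if that list stays at sa plus the administrators' own logins, not the application's connection account.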

Defeating TCP/IP port probes

In the instance's network properties, open the TCP/IP protocol properties and choose to hide the SQL Server instance.

On top of that, change the default port 1433 to another port.

When an IPSec filter also rejects UDP traffic to port 1434 (the SQL Server Resolution Service, which tells clients which port an instance listens on), the server is as hidden as it can be. Hiding the instance and moving the port defeat only casual scanning; a scanner that tries the new port still finds the service, so the source-address restriction below is the control that actually matters.

IP restrictions on network connections

Restrict IP packets with the operating system's own IPSec: allow connections to the SQL Server port only from the addresses that need it (typically the web or application server) and refuse port connections from every other IP.
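The IPSec table from the IIS section and the SQL Server source-address restriction just described, built as one policy with netsh; this is an added example, not code from the original article. It permits TCP 3389, 80 and 443 to ME from anywhere (mirrored, as the table requires), permits the SQL Server port only from the web server's address, and blocks every other inbound packet, which also covers UDP 1434. Assumptions: Windows Server 2003 "netsh ipsec static" syntax; 10.0.0.10 is a placeholder for the web server; -SqlPort must match the port SQL Server actually listens on if it was moved off 1433.

```powershell
# Added example (not from the original article). Creates and optionally assigns an
# IPSec policy that permits inbound TCP 3389, 80 and 443 from anywhere (the IIS
# table), permits the SQL Server port only from the web server (the IP restriction
# above), and blocks all other inbound traffic, which also covers UDP 1434.
# Assumptions: Windows Server 2003 "netsh ipsec static" syntax; 10.0.0.10 is a
# placeholder for the web server; $SqlPort matches the port SQL Server uses.
param(
    [string]$PolicyName  = 'Web and SQL lockdown',
    [string]$WebServerIP = '10.0.0.10',
    [int]$SqlPort        = 1433,
    [switch]$Assign
)

function Invoke-IpsecStatic {
    param([string[]]$Arguments)
    $output = & netsh ipsec static $Arguments 2>&1
    if ($LASTEXITCODE -ne 0) { throw "netsh ipsec static $($Arguments -join ' ') failed: $output" }
}

function New-LockdownPolicy {
    param([string]$Name, [string]$WebServerIP, [int]$SqlPort)
    $permits = "$Name - permitted inbound"
    $sql     = "$Name - SQL from web server"
    $all     = "$Name - everything else"

    # Start clean so the script can be re-run; objects that do not exist yet
    # make these deletes fail, which is fine here.
    & netsh ipsec static delete policy name="$Name" 2>&1 | Out-Null
    foreach ($fl in $permits, $sql, $all) { & netsh ipsec static delete filterlist name="$fl" 2>&1 | Out-Null }
    foreach ($fa in 'Permit', 'Block')  { & netsh ipsec static delete filteraction name="$fa" 2>&1 | Out-Null }

    Invoke-IpsecStatic @('add','policy',"name=$Name",'description=Permit 3389/80/443, SQL from web server, block the rest')
    Invoke-IpsecStatic @('add','filteraction','name=Permit','action=permit')
    Invoke-IpsecStatic @('add','filteraction','name=Block','action=block')

    # Rows of the IIS table: source any, destination ME, mirrored so replies go back.
    Invoke-IpsecStatic @('add','filterlist',"name=$permits")
    foreach ($row in @(@{Port=3389; Desc='Terminal Services'}, @{Port=80; Desc='HTTP Server'}, @{Port=443; Desc='HTTPS Server'})) {
        Invoke-IpsecStatic @('add','filter',"filterlist=$permits",'srcaddr=any','dstaddr=me','protocol=tcp',
                             'srcport=0',"dstport=$($row.Port)",'mirrored=yes',"description=$($row.Desc)")
    }

    # SQL Server port reachable only from the web server's address.
    Invoke-IpsecStatic @('add','filterlist',"name=$sql")
    Invoke-IpsecStatic @('add','filter',"filterlist=$sql","srcaddr=$WebServerIP",'dstaddr=me','protocol=tcp',
                         'srcport=0',"dstport=$SqlPort",'mirrored=yes','description=SQL Server from web server')

    # Catch-all: any protocol, any source, to ME. IPSec applies the most specific
    # matching filter, so the port-specific permits above win over this block.
    Invoke-IpsecStatic @('add','filterlist',"name=$all")
    Invoke-IpsecStatic @('add','filter',"filterlist=$all",'srcaddr=any','dstaddr=me','protocol=any','mirrored=yes')

    Invoke-IpsecStatic @('add','rule','name=Permit listed ports',"policy=$Name","filterlist=$permits",'filteraction=Permit')
    Invoke-IpsecStatic @('add','rule','name=Permit SQL from web',"policy=$Name","filterlist=$sql",'filteraction=Permit')
    Invoke-IpsecStatic @('add','rule','name=Block everything else',"policy=$Name","filterlist=$all",'filteraction=Block')
}

New-LockdownPolicy -Name $PolicyName -WebServerIP $WebServerIP -SqlPort $SqlPort
if ($Assign) {
    # Assigning a block-all policy over an RDP session is safe only because 3389 is permitted above.
    Invoke-IpsecStatic @('set','policy',"name=$PolicyName",'assign=yes')
}
& netsh ipsec static show policy name="$PolicyName"
```

Two things to check before passing -Assign. First, IPSec filters are stateless: the mirrored catch-all block also drops the replies to connections the server itself opens (DNS, Windows Update, a remote SQL Server), so each of those needs its own mirrored permit filter toward the specific destination. Second, on a domain member a domain-assigned IPSec policy takes precedence over this local one, so confirm with "netsh ipsec static show assignedpolicy" which policy is actually active.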

Appendix: services recommended to be disabled on Windows Server 2003

Name                                                     Service name      Recommended setting
Automatic Updates                                        wuauserv          Disabled
Background Intelligent Transfer Service                  BITS              Disabled
Computer Browser                                         Browser           Disabled
DHCP Client                                              Dhcp              Disabled
NTLM Security Support Provider                           NtLmSsp           Disabled
Network Location Awareness (NLA)                         Nla               Disabled
Performance Logs and Alerts                              SysmonLog         Disabled
Remote Administration Service                            SrvcSurg          Disabled
Remote Registry                                          RemoteRegistry    Disabled
Server                                                   LanmanServer      Disabled
TCP/IP NetBIOS Helper                                    LmHosts           Disabled
Terminal Services                                        TermService       Disabled
Windows Installer                                        MSIServer         Disabled
Windows Management Instrumentation Driver Extensions     Wmi               Disabled
WMI Performance Adapter                                  WmiApSrv          Disabled
Error Reporting Service                                  ERSvc             Disabled

The list is a starting point, not a blanket rule: disabling Automatic Updates and BITS contradicts the IIS component table above if you patch through Automatic Updates; disabling Terminal Services removes the remote administration path that the IPSec table deliberately allows on port 3389; disabling the Server service removes every SMB share, including the ones used to copy content onto the box; and disabling DHCP Client is only safe on a server with a static address. Decide per service what the machine actually needs.
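The appendix table as a script, added here as an example and not part of the original article. It takes the service names from the table, skips any that are not installed or that you list in -Keep, shows which running services depend on each one before anything is changed, and with -Apply disables and stops them. Assumptions: run elevated; the default -Keep list preserves Terminal Services because the IPSec policy in this guide allows RDP for administration.

```powershell
# Added example (not from the original article). Disables the services in the
# table, skipping any named in -Keep, and shows running dependents before
# disabling so nothing is switched off blind. Assumption: run elevated; the
# default -Keep preserves Terminal Services because the IPSec policy allows RDP.
param(
    [string[]]$Keep = @('TermService'),
    [switch]$Apply
)

$ToDisable = @('wuauserv','BITS','Browser','Dhcp','NtLmSsp','Nla','SysmonLog','SrvcSurg',
               'RemoteRegistry','LanmanServer','LmHosts','TermService','MSIServer','Wmi','WmiApSrv','ERSvc')

# Builds a plan entry per service: skip (not installed), keep, or disable.
function Get-ServicePlan {
    param([string[]]$Names, [string[]]$Keep)
    $plan = @()
    foreach ($name in $Names) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) { $plan += @{ Name=$name; Action='skip'; Reason='not installed'; Status=''; StartMode='' }; continue }
        # ServiceController on .NET 2.0/3.5 has no start type, so read it from WMI.
        $mode = (Get-WmiObject -Class Win32_Service -Filter "Name='$name'").StartMode
        if ($Keep -contains $name) {
            $plan += @{ Name=$name; Action='keep'; Reason='in -Keep list'; Status=[string]$svc.Status; StartMode=$mode }
            continue
        }
        # Running dependents would be stopped too; surface them in the plan.
        $dependents = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' } | ForEach-Object { $_.Name })
        $reason = if ($dependents.Count -gt 0) { 'running dependents: ' + ($dependents -join ', ') } else { 'no running dependents' }
        $plan += @{ Name=$name; Action='disable'; Reason=$reason; Status=[string]$svc.Status; StartMode=$mode }
    }
    return ,$plan
}

function Disable-PlannedServices {
    param([array]$Plan)
    foreach ($p in $Plan) {
        if ($p.Action -ne 'disable') { continue }
        # Disabled start type keeps it from coming back at boot; -Force also
        # stops the dependents that the plan listed.
        Set-Service -Name $p.Name -StartupType Disabled
        if ($p.Status -eq 'Running') { Stop-Service -Name $p.Name -Force }
    }
}

$plan = Get-ServicePlan -Names $ToDisable -Keep $Keep
foreach ($p in $plan) {
    Write-Host ("{0,-15} {1,-8} {2,-8} {3,-8} {4}" -f $p.Name, $p.Action, $p.Status, $p.StartMode, $p.Reason)
}
if ($Apply) {
    Disable-PlannedServices -Plan $plan
    Write-Host 'Done. Re-run without -Apply to confirm every planned service now shows Stopped / Disabled.'
}
```

Run it once without -Apply and read the dependents column: LanmanServer in particular drags Computer Browser and anything else that needs SMB down with it, and that is the moment to decide whether the box should really lose all of its shares or whether LanmanServer belongs in -Keep with the IPSec policy restricting who can reach port 445.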
