Security Settings for dedicated Web site servers (1)

IIS settings:

Delete the virtual directory of the default site, stop the default web site, delete the corresponding file directory c: inetpub, configure public settings for all sites, and set the connection limit, bandwidth settings, Performance Settings, and other settings. Configure application ing and delete all unnecessary Application Extensions. Only asp, php, cgi, pl, and aspx Application Extensions are retained. For php and cgi, it is recommended to use isapi for parsing, and exe for security and performance impact. The user program debugging settings send text error messages to the customer.

For databases, use the mdb suffix whenever possible. You do not need to change it to asp. You can set an mdb extension ing in IIS to use an unrelated dll file such as C: WINNTsystem32inetsrvssinc. dll to prevent the database from being downloaded. Set the IIS log storage directory to adjust the log record information. Set to send text error message. Modify the 403 error page and redirect it to another page to prevent some scanners from detecting the page. In addition, to hide system information and prevent system version information leaked by telnet to port 80, you can modify the banner information of IIS. You can use winhex to manually modify the information or use relevant software such as banneredit.

For the directory where the user site is located, the user's FTP root directory should store site files for three files: wwwroot, database, and logfiles, database backup and log of the site. If an intrusion event occurs, you can set specific permissions for the directory where the user site is located. The directory where the image is located only gives the column directory permissions, if the directory where the program is located does not need to generate files, such as html programs, write permissions are not granted. It is because virtual hosts usually have no way to detail Script Security.

Method

User Privilege Escalation from script:

ASP Security Settings:

After permissions and services are set, you need to do the following to prevent asp Trojans. Run the following command in the cmd window:
Regsvr32/u C: \ WINNT \ System32 \ wshom. ocx
Del C: \ WINNT \ System32 \ wshom. ocx
Regsvr32/u C: \ WINNT \ system32 \ shell32.dll
Del C: \ WINNT \ system32 \ shell32.dll

You can uninstall the WScript. Shell, Shell. application, and WScript. Network components to effectively prevent asp trojans from executing commands through wscript or shell. application and viewing sensitive system information using Trojans. In addition, you can cancel the permissions of the users of the preceding files and restart IIS to take effect. This method is not recommended.

In addition, the FSO component can not be deregistered on the server because the user program needs to be used. Here we only mention the FSO prevention, but it does not need to be used on the virtual merchant server that automatically opens the space. It is only suitable for manually opened sites. You can set two groups for sites that require both FSO and FSO, and grant the execution permission for the c: winntsystem32scrrun. dll file to user groups that require FSO, without permissions. Restart the server to take effect.

If this setting is combined with the above permission settings, you will find that the Haiyang trojan has lost its role here!

PHP security settings:

Note the following when installing php by default:
C: \ winnt \ php. ini only grants users read permission. In php. ini, you need to make the following settings:
Safe_mode = on
Register_globals = Off
Allow_url_fopen = Off
Display_errors = Off
Magic_quotes_gpc = On [the default value is on, but you need to check it again]
Open_basedir = web directory
Disable_functions = passthru, exec, shell_exec, system, phpinfo, get_cfg_var, popen, chmod

By default, com. allow_dcom = true is set to false. [cancel the previous modification before modification.]

MySQL Security Settings:

If the MySQL database is enabled on the server, note the following security settings for the MySQL database:
Delete all default users in mysql, retain only the local root account, and add a complex password to the root user. Grant the updatedeletealertcreatedrop permission to a common user and limit it to a specific database. In particular, avoid having the common user the permission to operate the mysql database. Check the mysql. user table and cancel unnecessary shutdown_priv, reload_priv, process_priv, and File_priv permissions. These permissions may leak more server information including non-mysql information. You can set a startup user for mysql. This user only has permissions on the mysql directory. Set the permission of the data database in the installation directory (this directory stores the data information of the mysql database ). Add read, column directory, and execution permissions to users in the mysql installation directory.

Serv-u security questions:

The installer should use the latest version whenever possible. Avoid using the default installation directory, set the permissions of the serv-u directory, and set a complicated administrator password. Modify the banner information of serv-u and set the port range of passive mode to 4001-4003.) Set security in the local server, including checking anonymous passwords and disabling anti-Timeout scheduling, intercept FTP bounce attacks and FXP. Intercept 10 minutes for users who have been connected for more than 3 times within 30 seconds. The complex password is required. The directory only uses lowercase letters. In advanced settings, the date on which the MDTM command is allowed to change the file is disabled.

Change the start user of serv-u: Create a new user in the system and set a password for the complex node, which does not belong to any group. Grant the user full control permission to the installation directory of The servu. To create an FTP root directory, you must grant the user full control permission on the directory because all ftp users upload, delete, and change files all inherit the permissions of the user; otherwise, the file cannot be operated. In addition, you need to grant the user the read permission to the parent directory above this directory. Otherwise, 530 Not logged in and home directory does not exist will appear during connection. For example, if the ftp root directory is d: soft during the test, you must grant the read permission to the user of drive d. In order to safely cancel the inherited permissions of other folders on drive d. In general, using the default system to start does not have these problems, because system generally has these permissions.

Database Server Security Settings

For dedicated MSSQL database servers, follow the settings described above to set TCP/IP filtering and IP policies, and only open ports 1433 and 5631 to the outside. For MSSQL, you must first set a strong password for sa, use Hybrid Authentication, strengthen database log records, and review database Login Events "Success and Failure ". delete unnecessary and dangerous OLE Automatic stored procedures (which may render some functions unavailable in the Enterprise Manager). These procedures include:

Sp_OAcreate Sp_OADestroy Sp_OAGetErrorInfo Sp_OAGetProperty
Sp_OAMethod Sp_OASetProperty Sp_OAStop

Remove unnecessary registry access processes, including:

Xp_regaddmultistring Xp_regdeletekey Xp_regdeletevalue
Xp_regenumvalues Xp_regread Xp_regremovemultistring
Xp_regwrite

Remove other system stored procedures. If you think there are threats, be careful to drop these processes. You can test them on the testing machine to ensure that the normal system can complete the work. These processes include:

Xp_mongoshell xp_dirtree xp_dropwebtask sp_addsrvrolemember
Xp_makewebtask xp_runwebtask xp_subdirs sp_addlogin
Sp_addextendedproc

Select the TCP/IP protocol attribute from the instance attributes. Select to hide the SQL Server instance to prevent port 1434 from being detected. You can modify the default port 1433. Except for the database's guest account, unauthorized user data is excluded. The exception is the master and tempdb databases, because they are required for their guest accounts. In addition, pay attention to setting the permissions of each database user, and grant only some permissions to the database where these users are located. Do not use the sa user to connect to any database in the program. We recommend that you use protocol encryption on the network. Do not do this. Otherwise, you can only reinstall MSSQL.