Many people now think that Microsoft has too many things wrong with it, too many vulnerabilities, and very poor system security. I have, however, gathered some experience while doing security configuration on various systems, and I want to share it here. In fact, every system has many vulnerabilities, but Microsoft has the most users, and their general skill level is not very high: most of them never make any security settings at all, which is why NT/2000 servers on the Internet feel so insecure. If an NT/2000 Server has had all of its security settings completed, its security is certainly no worse than that of a *nix system.
Part 1. Preliminaries: custom installation and related settings of the NT/2000 system
Web sites built on NT (2000) account for a large proportion of all websites, mainly because of their ease of use and ease of management: a company no longer has to invest a lot of money in server management, and unlike with a *nix system it does not need a highly specialised administrator on a high salary. Haha, of course *nix administrators will not be unemployed, because the unmatched speed of their open-source systems compared with Windows means that almost all large servers still run *nix. Windows, however, is sufficient for small and medium-sized enterprises, but NT security problems have always been prominent, and every website based on NT feels as if it is walking on thin ice. Here I will provide a security solution as my contribution to China's network security business. (Note: this solution is designed mainly for the security of NT and 2000 servers used as Web sites; it is not suitable for servers inside a LAN.)
I. Customize your own NT/2000 SERVER
1. Version selection:
WIN2000 comes in versions for various languages. For us, either the English or the Simplified Chinese version can be chosen, but I strongly recommend the English version if language is not an obstacle. As you know, Microsoft products are known for their bugs and patches. The Chinese version has more bugs than the English one, and its patches are usually at least half a month late (that is, after Microsoft announces a vulnerability, your machine stays unprotected for half a month).
2. Component customization:
Win2000 installs some common components by default, but accepting the defaults is extremely dangerous. You should know exactly which services you need and install only those, following the security principle: minimum services + minimum permissions = maximum security. The minimum components required for a typical Web server are the IIS Common Files, the IIS Snap-In, and the WWW Server component. If you really do need to install other components, be careful, especially with the Indexing Service, the FrontPage 2000 Server Extensions, and the Internet Service Manager (HTML), which are dangerous services.
II. Correctly install the NT/2000 SERVER
Whether it is NT or 2000, all hard disk partitions should be NTFS partitions.
Note:
(1) NTFS provides more security control functions than FAT partitions. You can set different access permissions for different folders to improve security.
(2) It is recommended that you format all partitions as NTFS at installation time, rather than installing on FAT and later converting to NTFS. If SP5 or SP6 is installed, the conversion may fail or even crash the system.
(3) There is one potential danger with NTFS partitions. At present, most anti-virus software cannot detect and remove viruses on an NTFS partition after booting from a floppy disk, so once the system is infected and can no longer start normally, the consequences are serious. Therefore we recommend that you keep up your anti-virus routine at all times.
(4) Partition and Logical Disk allocation
Some friends just make the whole hard disk one logical drive to save trouble and put all the software on the C drive. This is very bad. We recommend creating at least two partitions: one system partition and one application partition. The reason is that Microsoft's IIS frequently has source-code disclosure or overflow vulnerabilities; if the system and IIS share a drive, system files may leak, and an intruder may even obtain ADMIN rights remotely. The recommended secure layout is three logical drives: the first, larger than 2 GB, for the system and the important log files; the second for IIS; and the third for FTP. This way, whether IIS or FTP has a security vulnerability, the system directory and system files are not directly affected. You must remember that IIS and FTP are externally exposed services and are prone to problems. The main purpose of separating IIS from FTP is to prevent an intruder from uploading a program via FTP and then running it from IIS.
(5) Installation sequence:
There are several points to watch when installing Win2000. First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the Administrator password, the system has already created the ADMIN$ share, but it does not protect it with the password you just entered. This situation lasts until the next restart, and during that period anyone can access your machine through ADMIN$. In addition, as soon as installation completes, the various services start automatically and the server is exposed to access. Therefore, do not connect the host to the network until the Win2000 SERVER is fully installed and configured. Second, patch installation: patches should be installed after all applications have been installed, because a patch often needs to replace or modify some system files; if you install a patch before installing the application, the patch may not work properly. For example, the IIS HotFix must be reinstalled every time you change the IIS configuration.
III. Security configuration of the NT/2000 SERVER
Even when the WIN2000 SERVER has been installed correctly, the system still has many vulnerabilities and needs further configuration.
1. Port:
A port is a logical interface connecting a computer to the external network and is the computer's first barrier. Whether the ports are configured correctly directly affects the security of the host. In general, it is safest to open only the ports you need. The configuration is done by enabling TCP/IP filtering under NIC properties > TCP/IP > Advanced > Options > TCP/IP filtering. Win2000 port filtering has one unpleasant feature, though: you can only specify which ports are open, not which ports are closed, which is painful for users who need to open a large number of ports.
2. IIS:
IIS is one of the most vulnerable components Microsoft ships; on average a new vulnerability appears every two or three months, and Microsoft's default IIS installation is nothing to be proud of. IIS configuration is therefore our focus, so everyone follow along with me. First, delete the Inetpub directory on drive C completely and create an Inetpub on drive D (you may give it a different name if you do not want to use the default directory name, but remember it). In the IIS manager, point the home directory to D:\Inetpub. Second, delete all the default virtual directories created during IIS installation, such as scripts. If you need a directory with certain permissions, create it yourself and grant only the permissions it actually needs (pay special attention to the Write permission and the Execute permission: do not grant them unless there is an absolute need). Third, application configuration: in the IIS manager, delete every mapping that is not required; keep only asp, asa and the file types you really use, such as stml (server side include). In fact, those two mappings are enough for 90% of hosts. Almost every other mapping has a sad story behind it: htw, htr, idq, ida ...... Want to know those stories? Check the previous vulnerability list. In the IIS manager, right-click the host > Properties > WWW Service Edit > Home Directory > Configuration > Application Mappings, and delete the entries one by one (there is no multi-select). Then, on the App Debugging tab of the same window, change the script error message to "send text" (unless you want visitors to learn your program, network and database structure whenever an ASP error occurs). What should the error text say? Write whatever you like. When you click OK to exit, do not forget to let the virtual sites inherit the attributes you set. After a new Service Pack is installed, the IIS application mappings must be reset. (Note: after a new Service Pack is installed, some application mappings reappear, creating security vulnerabilities again.
This is a point that administrators easily overlook.)
To deal with the growing number of CGI vulnerability scanners, you can also use the following trick: in IIS, redirect the HTTP 404 Object Not Found error page to a custom HTM file via URL. This makes most CGI vulnerability scanners malfunction: with this decoy file in place, every probe returns HTTP 200 whether or not the vulnerability exists, so 90% of CGI scanners will report that you have every vulnerability, and the result hides your real vulnerabilities and confuses the intruder. Personally, though, I still think solid security settings matter more than tricks like this.
Finally, you can use the backup function of IIS to back up all the settings you have just made, so that you can restore the secure IIS configuration at any time. In addition, if you are worried that a high IIS load could crash the server, you can enable the CPU limit under Performance, for example limiting IIS to at most 70% of the CPU.
3. Account Policy:
(1) Use as few accounts as possible, and log on with them as rarely as possible;
Note: on a website, accounts are generally used only for system maintenance. Do not keep a single redundant account, because every account carries the risk of being cracked.
(2) In addition to Administrator, add one more account belonging to the Administrators group;
Note: having two accounts in the Administrators group guards against the administrator forgetting the password of one of them, since there is a backup account. In addition, once a hacker breaks into an account and changes its password, we still have a chance to regain control in the short term.
(3) The permissions of all accounts must be strictly controlled, and no account should be granted special permissions lightly;
(4) Rename Administrator to a name that is difficult to guess. Other ordinary accounts should follow the same principle.
Note: this puts one more obstacle in the way of a hacker.
(5) Disable the Guest account, rename it to a complex name, give it a password, and remove it from the Guests group;
Note: some hacking tools exploit weaknesses in the Guest account to promote an ordinary user into the Administrators group.
(6) Give every user account a complex password (for accounts exposed to the outside). A password must be at least 8 characters long and contain letters, numbers and special characters. Do not use familiar words (such as microsoft), familiar keyboard sequences (such as qwert), or familiar numbers (such as 2000).
Note: passwords are the focus of hacker attacks. Once a password is broken, there is no system security left at all. This is often overlooked by many network administrators. According to our tests, a five-character password made up only of letters and numbers is cracked within a few minutes, while the recommended scheme is much safer.
(7) Change passwords regularly (at least once every two weeks) and keep them in your head: do not record a password anywhere. In addition, if the log review shows an account being tried repeatedly, change that account (both the user name and the password) immediately;
(8) Set the lockout count in the account policy, for example locking the account after 5 failed logon attempts. This stops some large-scale logon attempts and also alerts the administrator that the account is under attack.
4. Security Log:
The default installation of Win2000 has no security auditing enabled at all!
Go to Local Security Policy > Audit Policy and turn on the relevant audits. The recommended audit settings are:
Account Management: failure
Logon Events: success, failure
Object Access: failure
More rules
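The port filtering of section 1, the account policy of section 3 and the audit policy of section 4 can be applied together from one Win2000 security template instead of clicking through the GUI. The template below is an added example, not part of the original article; the renamed account names, the allowed port list and the network interface GUID are placeholders you must replace with your own.

```ini
; Constructed example of a Windows 2000 security template (.inf) that
; implements the settings recommended in sections 1, 3 and 4 above.
; Apply with:   secedit /configure /db harden.sdb /cfg harden.inf /log harden.log
; Verify later: secedit /analyze   /db harden.sdb /cfg harden.inf /log check.log
[Unicode]
Unicode=yes

[Version]
signature="$CHICAGO$"
Revision=1

[System Access]
; Section 3 (6): at least 8 characters, letters + digits + special characters
MinimumPasswordLength = 8
PasswordComplexity = 1
; Section 3 (7): change passwords at least every two weeks
MaximumPasswordAge = 14
; Section 3 (8): lock the account after 5 failed logons (30-minute window/duration are assumptions)
LockoutBadCount = 5
ResetLockoutCount = 30
LockoutDuration = 30
; Section 3 (4) and (5): rename Administrator and Guest, keep Guest disabled
NewAdministratorName = "PLACEHOLDER-ADMIN-NAME"
NewGuestName = "PLACEHOLDER-GUEST-NAME"
EnableGuestAccount = 0

[Event Audit]
; Section 4: 1 = success, 2 = failure, 3 = success and failure
AuditAccountManage = 2
AuditLogonEvents = 3
AuditObjectAccess = 2

[Registry Values]
; Section 1: enable TCP/IP filtering (type 4 = REG_DWORD) ...
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableSecurityFilters=4,1
; ... and list only the TCP ports the Web server needs (type 7 = REG_MULTI_SZ).
; Replace {INTERFACE-GUID} with the GUID of your NIC from the Interfaces key;
; UdpAllowedPorts and RawIpAllowedProtocols under the same key are set the same way.
MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{INTERFACE-GUID}\TcpAllowedPorts=7,80,443
```

Run the `secedit /analyze` line after a reboot and after each Service Pack: it reports every setting that has drifted from the template, which catches the same kind of silent reset the article warns about for IIS application mappings.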