IIS settings: delete the virtual directories of the default web site, stop the default web site, and delete its file directory C:\Inetpub. Configure the settings common to all sites: the connection limit, bandwidth throttling, performance settings, and so on. Configure the application mappings and remove every unnecessary application extension, keeping only asp, php, cgi, pl and aspx. For php and cgi, parsing through ISAPI is recommended; parsing through an exe has security and performance drawbacks. In the application debugging settings, send a text error message to the client. For databases, keep the mdb suffix whenever possible; there is no need to rename it to asp. Instead, add an application mapping for the mdb extension in IIS that points to an unrelated DLL such as C:\WINNT\system32\inetsrv\ssinc.dll, which prevents the database from being downloaded. Set the IIS log storage directory and adjust which information is logged. Modify the 403 error page so that it redirects to another page, which keeps some scanners from detecting it. In addition, to hide system information and prevent the system version from being leaked by telnetting to port 80, change the IIS banner, either by editing it manually with winhex or with a tool such as banneredit.
The directory where a user site is located: the user's FTP root directory should hold the site in three folders, wwwroot, database and logfiles, for the site files, the database backup and the site logs. So that an intrusion event can be contained, set specific permissions on the user site's directory: the directory holding images gets only list-directory permission, and if the directory holding the program does not need to generate files (for example an html-only program), no write permission is granted. Because virtual hosts usually have no way to examine script security in detail, most users can only escalate permissions from within a script:
ASP Security Settings:
After the permissions and services are set, do the following to guard against ASP trojans. Run the following commands in a cmd window:
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll
This unregisters the WScript.Shell, Shell.Application and WScript.Network components, which effectively prevents ASP trojans from executing commands through WScript or Shell.Application and from using those objects to view sensitive system information. Alternatively, you can remove the Users group's permissions on the files above and restart IIS for the change to take effect; that alternative is not recommended.
The FSO component cannot be unregistered on the server because user programs need it. The FSO protection described here is not usable on a virtual hosting server that opens space automatically; it only suits manually opened sites. Create two user groups, one for sites that need FSO and one for sites that do not. Grant the group that needs FSO execute permission on C:\WINNT\system32\scrrun.dll; the other group gets no permission on it. Restart the server for the change to take effect.
If this setting is combined with the permission settings above, you will find that the Haiyang trojan no longer works here.
PHP security settings:
Note the following for a default PHP installation:
Grant users only read permission on C:\winnt\php.ini. In php.ini, make the following settings:
safe_mode = On
register_globals = Off
allow_url_fopen = Off
display_errors = Off
magic_quotes_gpc = On [the default is On, but check it again]
open_basedir = web directory
disable_functions = passthru, exec, shell_exec, system, phpinfo, get_cfg_var, popen, chmod
com.allow_dcom is true by default; set it to false. [Cancel the preceding modification before making this one.]
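As an added example (not from the original guide), the following Python checks a php.ini against the values listed above; the two php.ini samples are constructed, and the parser only handles the key = value lines of a php.ini.

```python
"""Audit a php.ini against the hardening values above (added example, not
from the original guide). The sample php.ini texts are constructed."""

# Expected values from the guide, normalized to on/off; open_basedir is
# checked for presence only.
EXPECTED = {
    "safe_mode": "on",
    "register_globals": "off",
    "allow_url_fopen": "off",
    "display_errors": "off",
    "magic_quotes_gpc": "on",
    "com.allow_dcom": "off",      # the guide's "false"
}
# Functions the guide puts in disable_functions.
REQUIRED_DISABLED = {"passthru", "exec", "shell_exec", "system",
                     "phpinfo", "get_cfg_var", "popen", "chmod"}


def normalize(value):
    """Fold php.ini boolean spellings to 'on'/'off'; other values are lowercased."""
    v = value.strip().strip('"').lower()
    if v in ("1", "on", "yes", "true"):
        return "on"
    if v in ("0", "off", "no", "false", "none", ""):
        return "off"
    return v


def strip_comment(line):
    """Drop a ; comment, but not a ; inside double quotes (Windows path lists)."""
    in_quote = False
    for i, ch in enumerate(line):
        if ch == '"':
            in_quote = not in_quote
        elif ch == ";" and not in_quote:
            return line[:i]
    return line


def parse_php_ini(text):
    """Return {lowercased key: raw value} for the key = value lines of a php.ini."""
    settings = {}
    for raw in text.splitlines():
        line = strip_comment(raw).strip()
        if not line or line.startswith("[") or "=" not in line:
            continue
        key, value = line.split("=", 1)
        settings[key.strip().lower()] = value.strip()
    return settings


def audit(settings):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    for key, want in EXPECTED.items():
        got = settings.get(key)
        if got is None:
            findings.append(f"{key}: not set (expected {want})")
        elif normalize(got) != want:
            findings.append(f"{key}: {got} (expected {want})")
    if not settings.get("open_basedir", "").strip('"').strip():
        findings.append("open_basedir: not set (expected the web directory)")
    declared = settings.get("disable_functions", "").strip('"')
    disabled = {f.strip() for f in declared.split(",") if f.strip()}
    missing = sorted(REQUIRED_DISABLED - disabled)
    if missing:
        findings.append("disable_functions: missing " + ", ".join(missing))
    return findings


def audit_text(ini_text):
    """Parse and audit a php.ini body in one call."""
    return audit(parse_php_ini(ini_text))


# Constructed sample: a php.ini left at typical default values.
SAMPLE_WEAK = r"""
[PHP]
safe_mode = Off
register_globals = On          ; dangerous with untrusted input
allow_url_fopen = On
display_errors = On
magic_quotes_gpc = On
open_basedir =
disable_functions =
[COM]
com.allow_dcom = true
"""

# Constructed sample: the same file with the guide's settings applied.
SAMPLE_HARDENED = r"""
[PHP]
safe_mode = On
register_globals = Off
allow_url_fopen = Off
display_errors = Off
magic_quotes_gpc = On
open_basedir = "D:\www\wwwroot;D:\www\tmp"
disable_functions = passthru, exec, shell_exec, system, phpinfo, get_cfg_var, popen, chmod
[COM]
com.allow_dcom = false
"""

if __name__ == "__main__":
    for name, text in (("weak", SAMPLE_WEAK), ("hardened", SAMPLE_HARDENED)):
        print(name, audit_text(text) or ["ok"])
```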
MySQL Security Settings:
If the MySQL database is enabled on the server, note the following security settings for the MySQL database:
Delete all default users in MySQL, keep only the local root account, and give root a complex password. Grant a common user only the update, delete, alter, create and drop privileges, limited to its own database; in particular, never give a common user privileges on the mysql database itself. Check the mysql.user table and remove the unnecessary Shutdown_priv, Reload_priv, Process_priv and File_priv privileges, which can leak more server information, including information unrelated to MySQL. You can set a dedicated start-up user for MySQL that has permissions only on the MySQL directory. Set the permissions on the data directory under the installation directory (it stores the data of the MySQL databases). Grant users read, list-directory and execute permissions on the MySQL installation directory.
Serv-U security issues: use the latest version of the installer whenever possible. Avoid the default installation directory, set permissions on the Serv-U directory, set a complex administrator password, change the Serv-U banner, and set the passive-mode port range (4001-4003).
Complete the related security settings in the local server settings: check anonymous passwords, disable anti-timeout scheduling, block "FTP bounce" attacks and FXP, and intercept for 10 minutes any user who connects more than three times within 30 seconds. Require complex passwords. Use only lowercase letters in directory names. In the advanced settings, disable allowing the MDTM command to change file dates.
Change the start-up user of Serv-U: create a new system user with a complex password that belongs to no group, and grant that user full control over the Serv-U installation directory. When creating an FTP root directory, grant the user full control over it, because every FTP user's uploads, deletions and changes inherit that user's permissions; otherwise files cannot be operated on. The user also needs read permission on the parent directory above the root, otherwise "530 Not logged in, home directory does not exist" appears on connection. For example, if the FTP root directory is D:\soft during the test, grant the user read permission on drive D:, and for safety remove the inherited permissions from the other folders on drive D:. Starting the service with the default SYSTEM account generally avoids these problems, because SYSTEM usually already has these permissions.
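As an added example (not from the original guide or from Serv-U), the following Python replays constructed connection-log lines through the rule above: more than three connections from one address within 30 seconds blocks that address for 10 minutes. The log format and addresses are constructed; Serv-U's real log format is not assumed.

```python
"""Replay constructed FTP connection-log lines through the connection rule
above: more than three connections from one address within 30 seconds
blocks it for 10 minutes (added example, not the guide's or Serv-U's code)."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=30)
MAX_CONNECTS = 3                 # the fourth connection inside WINDOW triggers a block
BLOCK_FOR = timedelta(minutes=10)

# Constructed log lines in an assumed "<date> <time> CONNECT <ip>" format.
SAMPLE_LOG = """\
2005-02-16 10:00:00 CONNECT 10.0.0.5
2005-02-16 10:00:05 CONNECT 10.0.0.5
2005-02-16 10:00:09 CONNECT 10.0.0.5
2005-02-16 10:00:12 CONNECT 10.0.0.5
2005-02-16 10:00:20 CONNECT 10.0.0.5
2005-02-16 10:00:30 CONNECT 10.0.0.9
2005-02-16 10:05:00 CONNECT 10.0.0.5
2005-02-16 10:11:00 CONNECT 10.0.0.5
2005-02-16 10:11:30 CONNECT 10.0.0.9
"""


def parse_line(line):
    """Split one log line into (timestamp, event, ip)."""
    date, time, event, ip = line.split()
    return datetime.strptime(f"{date} {time}", "%Y-%m-%d %H:%M:%S"), event, ip


class ConnectionLimiter:
    """Sliding-window connection counter with a temporary block per address."""

    def __init__(self):
        self.recent = defaultdict(deque)   # ip -> accepted connection times in window
        self.blocked_until = {}            # ip -> time the 10-minute block expires
        self.decisions = []                # (timestamp, ip, decision) in log order

    def handle(self, ts, ip):
        """Return 'accept', 'blocked' (block starts now) or 'reject' (still blocked)."""
        until = self.blocked_until.get(ip)
        if until is not None and ts < until:
            self.decisions.append((ts, ip, "reject"))
            return "reject"
        window = self.recent[ip]
        while window and ts - window[0] > WINDOW:   # drop connections older than 30 s
            window.popleft()
        window.append(ts)
        if len(window) > MAX_CONNECTS:
            self.blocked_until[ip] = ts + BLOCK_FOR
            window.clear()                          # the count restarts after the block
            self.decisions.append((ts, ip, "blocked"))
            return "blocked"
        self.decisions.append((ts, ip, "accept"))
        return "accept"


def replay(log_text):
    """Feed every CONNECT line of the log to the limiter; return its decisions."""
    limiter = ConnectionLimiter()
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ts, event, ip = parse_line(line)
        if event == "CONNECT":
            limiter.handle(ts, ip)
    return limiter.decisions


def blocked_addresses(decisions):
    """Addresses that triggered a block, with the time each block began."""
    return [(ip, ts) for ts, ip, verdict in decisions if verdict == "blocked"]


if __name__ == "__main__":
    for ts, ip, verdict in replay(SAMPLE_LOG):
        print(ts, ip, verdict)
```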
Database Server Security Settings
For a dedicated MSSQL database server, follow the settings described above to configure TCP/IP filtering and IP policies, and open only ports 1433 and 5631 to the outside. For MSSQL, first set a strong password for sa, use mixed-mode authentication, strengthen database logging, and audit database login events for both success and failure. Delete the unnecessary and dangerous OLE Automation stored procedures (this may make some functions in Enterprise Manager unavailable). These procedures include:
sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop
Remove the unnecessary registry access procedures, including:
xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regread, xp_regremovemultistring, xp_regwrite
Remove other system stored procedures that you consider a threat, but drop them carefully: test on a test machine first to make sure the system can still do its normal work. These procedures include:
xp_cmdshell, xp_dirtree, xp_dropwebtask, sp_addsrvrolemember, xp_makewebtask, xp_runwebtask, xp_subdirs, sp_addlogin, sp_addextendedproc
In the instance properties, open the TCP/IP protocol properties and choose to hide the SQL Server instance, which prevents port 1434 from being probed; you can also change the default port 1433. Remove the guest account from every database to keep unauthorized users out, except for master and tempdb, which require the guest account. Set each database user's permissions carefully, granting only the permissions needed on that user's own database. Never use the sa account to connect to any database from application code. Protocol encryption on the network is recommended by some; do not enable it, otherwise you can only reinstall MSSQL.
Part 2: Intrusion Detection and Data Backup
§ 1.1 Intrusion Detection
Intrusion detection is a very important part of daily server management. Normally it comprises routine server security inspection and intrusion detection while the server is under attack; that is, it can be divided into security checks before, during and after an intrusion. System security follows the barrel principle: a barrel is made of many boards, and if the boards are of different lengths, the barrel's capacity is determined not by the longest board but by the shortest. Applied to security, the security of a system depends on its weakest part, which is therefore the focus of daily security checks.
Routine Security Detection
Routine security detection mainly focuses on system security and proceeds in the following steps:
1. View the server status
Open Task Manager, view the server performance, observe CPU and memory usage, and check for abnormally high CPU or memory usage.
2. Check the current processes
Switch Task Manager to the Processes tab and check whether any suspicious application or background process is running. When viewing processes, taskmgr.exe is Task Manager's own process, and wuauclt.exe is present if Windows Update is running. If you are not sure which application a process belongs to, search for the process name on the network to confirm it [process knowledge base: http://www.dofile.com/#]. Malicious processes usually take a name that resembles a system process, such as svch0st.exe, so look carefully [the usual obfuscation is to change the letter o to the digit 0 and the letter l to the digit 1].
3. Check the system accounts
Open Computer Management, expand Local Users and Groups, open Groups, check whether new accounts have been added to the Administrators group, and check whether clone accounts exist.
4. View the currently open ports
Use Active Ports to check the current port connection status. Pay special attention to ports with external connections and check whether unauthorized ports are communicating with the outside. If so, close the port immediately, record the program that owns the port, and move the program to another directory for later analysis. Open Computer Management > System Information > Software Environment > Running Tasks [hidden processes that are not visible in Task Manager can be seen here] and view the currently running programs; if there is an unknown program, record its location and end the process from Task Manager. For a program protected by a daemon backdoor, try ending the process tree; if it still cannot be ended, search the registry for the program name, delete the key value, switch to safe mode, and delete the related program files.
5. Check the system services
Run services.msc, check the services in the Started state for newly added unknown services, and determine the purpose of each. For a service you are unsure about, open its properties and check the executable file it runs. If the file is confirmed to be a normal system file, it can generally be ignored, and the same applies if other normal services are known to run it. If you cannot determine whether the executable is a normal system file and no other normal service runs it, stop the service temporarily and test whether the applications still work normally. Some backdoors hook system APIs, so their service entries are not visible in the service manager; open HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services in the registry and go through the entries, checking each service name and its executable to determine whether it is a backdoor or trojan program.
6. View the related logs
Run eventvwr.msc and look through the relevant log records. While viewing, right-click the corresponding log, select Properties, and set a filter under Filter to view the log source and the specific description. If a solution to an error can be found under the troubleshooting of common server faults, follow it. If not, record the problem, noting the event source, event ID and description in detail, and look for a solution.
7. Check the system files
Check the exe and dll files on the system disk. We recommend running dir *.exe /s > 1.txt right after the system is installed to save a list of all exe files on drive C:, then generating a new list with the same command at check time and comparing the two files with fc; do the same for the dll files. Note that after patching or installing software the baseline list must be regenerated. Check whether related system files have been replaced or whether trojans or backdoor programs have been installed. If necessary, run an antivirus program to scan the system disk.
8. Check whether the security policy has been changed
Open the properties of the local area connection and check that only "Internet Protocol (TCP/IP)" is checked under General; open the TCP/IP properties, click Advanced > Options, and check whether the ports permitted by TCP/IP filtering have been changed. Open Administrative Tools > Local Security Policy and check whether the IP security policy currently in use has been changed.
9. Check the directory permissions
Check whether the permissions on the system directories and important applications have been changed. The directories to check include c:\; c:\winnt; c:\winnt\system32; c:\winnt\system32\inetsrv; c:\winnt\system32\inetsrv\data; c:\documents and settings; and the Serv-U installation directory. Also check whether the permissions on important files under system32 have changed, including cmd, net, ftp, tftp and cacls.
10. Check the startup items
Check the programs that start automatically at boot; AReporter can be used to check the auto-start programs.
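As an added example (not part of the original guide), the following Python carries out two of the checks above offline: step 7's comparison of a baseline dir *.exe /s listing with the current one, and step 2's detection of process names that imitate a system process by swapping o/0 and l/1. The listings and file names are constructed, and KNOWN_SYSTEM is an assumed short list.

```python
"""Added example (not the guide's own code): offline versions of two checks
from the routine above. diff_listings compares a baseline "dir *.exe /s"
listing with the current one (step 7); lookalikes flags names that imitate
a system process by swapping o/0 and l/1 (step 2). All inputs are constructed."""
import re

# Constructed excerpts of "dir *.exe /s" output taken at two points in time.
BASELINE_DIR = r"""
 Directory of C:\WINNT\system32
02/16/2005  10:00 AM           10,752 svchost.exe
02/16/2005  10:00 AM           91,136 taskmgr.exe
02/16/2005  10:00 AM           49,152 wuauclt.exe
 Directory of C:\WINNT
02/16/2005  10:00 AM        1,032,192 explorer.exe
"""
CURRENT_DIR = r"""
 Directory of C:\WINNT\system32
02/16/2005  10:00 AM           10,752 svchost.exe
02/16/2005  10:00 AM           91,136 taskmgr.exe
03/01/2005  02:13 AM           30,208 svch0st.exe
 Directory of C:\WINNT
02/16/2005  10:00 AM        1,032,192 explorer.exe
03/01/2005  02:14 AM           18,944 exp1orer.exe
"""

DIR_LINE = re.compile(r"^\s*Directory of (.+?)\s*$")
# date, time, AM/PM, size, then the file name (dir output from an English locale)
FILE_LINE = re.compile(r"^\d\S*\s+\S+\s+\S+\s+[\d,]+\s+(.+\.exe)\s*$", re.IGNORECASE)


def parse_dir_listing(text):
    """Return the set of lowercased full paths of every exe in a dir /s listing."""
    paths, folder = set(), None
    for line in text.splitlines():
        m = DIR_LINE.match(line)
        if m:
            folder = m.group(1)
            continue
        m = FILE_LINE.match(line)
        if m and folder:
            paths.add((folder + "\\" + m.group(1).strip()).lower())
    return paths


def diff_listings(baseline_text, current_text):
    """(added, removed) paths between the baseline listing and the current one."""
    base, cur = parse_dir_listing(baseline_text), parse_dir_listing(current_text)
    return sorted(cur - base), sorted(base - cur)


# Assumed short list of system process names that trojans commonly imitate.
KNOWN_SYSTEM = {"svchost.exe", "taskmgr.exe", "wuauclt.exe", "explorer.exe",
                "lsass.exe", "csrss.exe", "winlogon.exe", "services.exe"}
# Characters swapped by the obfuscation the guide describes (o->0, l->1, l->i).
HOMOGLYPHS = {"0": "o", "1": "l", "i": "l"}


def canonical(name):
    """Fold swapped characters back so a look-alike collides with the real name."""
    return "".join(HOMOGLYPHS.get(ch, ch) for ch in name.lower())


def lookalikes(names):
    """[(name, imitated system name)] for names that fold onto a system name
    without being that name."""
    folded = {canonical(s): s for s in KNOWN_SYSTEM}
    hits = []
    for n in names:
        n = n.lower()
        target = folded.get(canonical(n))
        if target and n != target:
            hits.append((n, target))
    return hits


def check(baseline_text, current_text):
    """Run both checks and return the new, missing and look-alike executables."""
    added, removed = diff_listings(baseline_text, current_text)
    names = [p.rsplit("\\", 1)[-1] for p in added]
    return {"added": added, "removed": removed, "lookalikes": lookalikes(names)}


if __name__ == "__main__":
    for key, value in check(BASELINE_DIR, CURRENT_DIR).items():
        print(key, value)
```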
Measures on detecting an intrusion
Whether the system has been compromised, has not been compromised, or cannot be determined, check it according to the inspection steps above, then decide on the measures below as appropriate. If the system has been compromised, take the following measures immediately:
Depending on the situation, decide whether to handle it remotely or on site; if the situation is serious, handling it on site is recommended. If it is handled on site, the server in the IDC can be shut down immediately after the intrusion is detected; when the staff arrive at the IDC they disconnect the network cable and then enter the system for inspection. If it is handled remotely and the situation is serious, stop all application services immediately, set the IP policy to allow only the remote management ports, and restart the server, then connect to it remotely. Before restarting, use AReporter to check the auto-start programs. Then perform a security check.
If the site has been compromised but the system has not, take the following measures to reinforce the site's security:
Site root directory: read permission only for the administrator; the permissions are inherited.
wwwroot: read and write permission for the web user; under Advanced, allow deleting subfolders and files.
logfiles: write permission for SYSTEM.
database: read and write permission for the web user; under Advanced, do not allow deleting subfolders and files.
For further hardening, depending on the site's characteristics, grant only read permission on directories that hold ordinary files, such as the html, js and image folders, and grant the permissions in the table above to asp and other script files. In addition, review the security logs corresponding to the user's site to find the cause of the vulnerability and help the user fix it.
§ 1.2 Data Backup and Data Recovery
Data backup is roughly as follows:
1. Back up the system data once a month.
2. Back up the application data independently once every two weeks after the system backup, including IIS, Serv-U, database and other data.
3. Keep the backup data secure and classify it. Because full backups are used, only the current backup and the previous one need to be retained. Keep two copies of the data.
Data recovery:
1. When the system crashes or otherwise cannot be recovered, restore the system from the backup, then restore the settings that changed after the last system backup, such as applications and security policies.
2. For application and other errors, use the last backup to restore the related content.
Part 3: Server Performance Optimization
§ 3.1 Server Performance Optimization
System Performance Optimization
Organize the system space:
Delete the system backup files, delete the driver backups, remove unused access methods, remove the system help files, and uninstall unused components. Keep the files on drive C: to a minimum.
Performance optimization:
Delete unnecessary programs that run automatically at startup; reduce the prefetch and progress-bar wait time; let the system automatically close programs that stop responding; disable error reporting but keep notification of serious errors; disable automatic updates and switch to manual updating; enable hardware and DirectX acceleration; disable shutdown event tracking; disable the Configure Your Server wizard; reduce the wait time before disk checking; set both processor scheduling and memory usage to favour applications; adjust the virtual memory; optimize memory; set the CPU second-level cache size; adjust the disk cache.
IIS Performance Optimization
1. Adjust the IIS cache
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\InetInfo\Parameters\MemoryCacheSize
MemoryCacheSize ranges from 0 to 4 GB; the default is 3072000 (3 MB). In general this value should be at least 10% of the server's memory. IIS caches file handles, directory listings and other frequently used data to improve performance, and this parameter sets the amount of memory allocated to that cache. A value of 0 means no caching at all, which may reduce system performance. If the server is busy with network traffic and has enough memory, increase the value. Note that after changing the registry you must restart for the new value to take effect.
2. Do not stop the system service "Protected Storage".
3. Restrict access traffic
A. Limit the number of visitors to the site
B. Limit the site bandwidth; keep HTTP keep-alives enabled
C. Process throttling: limit the percentage of CPU that can be consumed
4. Improve IIS processing efficiency
In the "Application Protection" drop-down list of the Application Settings area, selecting "Low (IIS Process)" improves the processing efficiency of the IIS server by about 20%. However, this setting can cause serious security problems and is not recommended.
5. Set up the IIS server as an independent server
A. Improve the hardware configuration to optimize IIS performance. Hard disk: NT and IIS use hard disk space in two ways, simply to store data and as virtual memory. Using Ultra2 SCSI hard drives can significantly improve IIS performance.
B. The NT Server page file can be spread across multiple physical disks. Note that spreading it across multiple partitions of the same physical disk is useless. Also, do not place the page file in the same partition as the Windows NT boot partition.
C. Using a disk mirror or a stripe set can improve disk read performance.
D. It is best to store all data in a separate partition and run the disk defragmenter regularly so that the partition holding the web server data has no fragments. NTFS helps reduce fragmentation; Norton SpeedDisk is recommended for quickly defragmenting NTFS partitions.
6. Enable HTTP compression
HTTP compression transfers compressed text content between web servers and browsers, using common compression algorithms such as gzip to compress HTML, JavaScript or CSS files. It can be configured with PipeBoost.
7. Recycle process resources
Use IIS5Recycle to recycle process resources regularly.
§ 3.2 Troubleshooting of Common Server Faults
1. ASP "The requested resource is in use" error:
This problem is generally related to antivirus software and is caused by personal antivirus software installed on the server. If this error occurs, uninstall the antivirus software or try re-registering vbscript.dll: run regsvr32 vbscript.dll and regsvr32 jscript.dll at the command line.
2. ASP 500 error:
First determine whether the problem affects a single site or all sites. If it affects a single site, it is a problem with the website's program: open the site's error prompt, deselect "Show friendly HTTP error messages" in the browser, view the specific error, and fix the program accordingly. If the problem affects all sites but HTML pages still work, and the related log shows "The server cannot load the application '/LM/W3SVC/1/root'. The error is 'This interface is not supported'", the ASP-related components of the server system have a problem. First restart the IIS service and check whether that solves it; if not, restart the system; if the problem persists, re-register the ASP components: first delete the three IIS items in the COM+ components (you need to deselect "Disable deletion" under Advanced in their properties). At the command line enter cd winnt\system32\inetsrv and press Enter, then run rundll32 wamreg.dll, CreateIISPackage, then regsvr32 asptxn.dll and iisreset in turn, and restart the operating system. The IIS server can then respond to ASP pages correctly again.
3. IIS error 105:
The system log shows "The server cannot register the information found by the management tool. The management tool may not be able to see this server", source: W3SVC, ID: 105.
Solution: reinstall the NetBIOS protocol in the network connection, and after the installation is complete deselect its check box.
4. The MySQL service cannot start [error 1067]
An error is reported when the MySQL service starts: "Unable to start the MySQL service on the local computer. Error 1067: The process terminated unexpectedly."
Solution: find my.ini in the Windows directory and edit it (create it if it does not exist); it must contain at least the two basic settings basedir and datadir:
[mysqld]
# Set basedir to the installation path, e.g. c:/mysql
# Set it to the MySQL installation directory
basedir = D:/www/WebServer/MySQL
# Set datadir to the location of the data directory,
# e.g. c:/mysql/data or d:/mydata/data
# Set it to the MySQL data directory
datadir = D:/www/WebServer/MySQL/data
Note: I did not grant the system user permission on the changed directory after changing the system's temp directory.
5. DllHost process consuming 100% CPU
Normal server CPU usage should be below 75% and should fluctuate. When this problem occurs, CPU usage suddenly stays at 100% and does not come down. Task Manager shows that DLLHOST.EXE is consuming all the CPU time, and the administrator has to restart the IIS service. Strangely, everything is normal after IIS is restarted, but after a while the problem can occur again.
Cause:
One or more Access databases have been damaged during repeated read/write operations. When MDAC writes to this corrupt Access file, the ASP thread is in the BLOCKED state, other threads can only wait, IIS deadlocks, and all CPU time is consumed in DLLHOST.
Solution:
Download the database to your local computer, open it with Access to repair it, and upload it back to the website. If that does not work, create a new Access database, import all tables and records from the original database, and upload the new database to the server.
6. Windows Installer error:
When installing software, the following error occurs: "You cannot access the Windows Installer service. You may be running Windows in safe mode, or the Windows Installer is not properly installed. Please contact your support staff for help." Trying to reinstall instmsiw.exe gives "The specified service already exists".
Solution:
Installer errors may come with other prompts; try the following solutions.
First check whether it is a permission problem; the prompt will give the relevant information. If it is a permission problem, give the Everyone group permission on the winnt directory [change the permission back after the installation]. If the message above is shown, run "msiexec /unregserver" to uninstall Windows Installer. If the Installer service cannot be uninstalled, use SRVINSTW to uninstall it, then download Windows Installer [Address: installer], right-click its .inf file and select "Install", restart the system, and run "msiexec /regserver" to re-register the Windows Installer service.
Part 4: Server Management
§ 4.1 Daily Server Management Arrangements
Server management must be standardized and rigorous, especially when there is more than one administrator. Daily management includes:
1. Scheduled restart of the server. Each server must be restarted once a week. After the restart, confirm that the server has started and that all services on it have returned to normal. Take appropriate measures if the server does not start or a service is not restored in time: in the former case ask the relevant staff at the hosting provider to restart it manually and, if necessary, connect a monitor to check whether it has started; in the latter case log on to the server remotely, find the cause and try to restore the service accordingly.
2. Checks of server security and performance. Log on to each server at least twice a week for two rough checks, and record the result of each check. Tools needed for the checks can be found in e:\tools. For tools that have to be found on the network at the time, first raise the IE security level to High and then search; for download sites you do not know, prefer large sites such as Huajun and skysky. After downloading, make sure the current antivirus software has been upgraded to the latest version and scan the download a second time; use it only after it is confirmed clean. If a newly downloaded tool will be needed for future maintenance, save it to e:\tools and record its name, function and usage in the readme.txt file in that directory. Also keep a WinRAR compressed backup of the tool in the rar folder, protected with a decompression password.
3. Backup of server data. Each server must back up the system data at least once a month. System backups use Ghost, and the ghost files are stored in the e:\ghost directory with the file name taken from the backup date, such as 02.16.gho. Each server must back up the application data at least once every two weeks and the user data at least once a month. Copies of the data are stored in the e:\databak folder, with a subfolder for each type of data; for example, Serv-U user data is stored in the servu subfolder and IIS site data in the iis subfolder.
4. Server monitoring. During normal operation, the status of all servers must be monitored every day, and appropriate measures taken promptly once a service is found to have stopped. If a service is found to have stopped, first check whether services of the same type on the server have also been interrupted; if all services of the same type have been interrupted, log on to the server promptly to find the cause and try to restart the corresponding services accordingly.
5. Server log handling. On each server the relevant logs are cleared once a month. Before clearing, save each log (application, security and system logs) with "Save Log". All log files are kept in e:\logs: application logs in e:\logs\app, system logs in e:\logs\sys and security logs in e:\logs\sec. Logs of other applications are handled in the same way; for example, FTP logs are stored in e:\logs\ftp. All backed-up log files are named after the backup date, for example 200502.16.evt. For logs that are not a single file, create a folder named after the date at the corresponding record location and store the files in that folder.
6. Server patches and application updates. Newly released vulnerability patches and application security updates must be applied to each server immediately upon discovery.
7. Checks for potential server risks, including security and performance risks. Each server must be checked separately every month, and the results of each check recorded.
8. Irregular work. When a new application is installed on a server or an application is uninstalled because of software changes or other reasons, all administrators must be informed.
9. Regular changes of the management password. Each server must have its password changed at least once every two months. On SQL servers where SQL uses mixed authentication, changing the system administrator password affects database usage, so that password is not changed.
Related suggestion: keep a server management record for each server. The administrator should record the details of every logon: the logon time, the logoff time, the server status at logon [including unknown process records, port connection status, system account status and memory/CPU status], and detailed operation records [a detailed record of every step the administrator takes after logging on]. Both remote logons and physical operations should be recorded, and these records should be archived per server and filed in chronological order.
We recommend grouping the servers for data backup and regular restarts, for example into four groups, backing up one group's data each Saturday of the month and restarting one group each week, which makes the work easier; these are fixed tasks. Some tasks can also be combined, such as the monthly data backup, security check and password change: back up the data first, perform the security check, then change the password. Real-time work such as installing server patches and handling server faults as they occur is immediate work, but in principle immediate work must not disrupt the schedule of the fixed work.
§ 4.2 Administrator's Daily Notes
During server management, the administrator must pay attention to the following:
1. Make a detailed record of each of your operations. For details, refer to the suggestions above; the records are used for later checks.
2. Strive to improve your own skills and keep learning.