The best Windows Virtual Host Security Configuration _win server ever

Cross-site attacks, remote control, and so on are a cliché. Some virtual host administrators do not know whether to facilitate or unfamiliar with the configuration, simply put all the sites in the same directory, and then set the parent directory to the site root directory. In some cases, the directory of all sites is set to executable, writable, and modifiable. Some in order to facilitate, in the server hang up QQ, also installed on the BT. What's more, the Internet Guest account is added to the Administrators group! Sweat......! The average user sets his or her password to a 6-digit pure number, such as birthdays, this situation can also be forgiven, after all, most of them are not specialized in network research, the safety awareness of Chinese people will need some time, but if it is the network administrator also, it is also a bit of people think impassability.
Here's my personal past experience with you to explore the issue of secure virtual host configuration. The following to establish a site cert.ecjtu.jx.cn as an example, with you to discuss the virtual host configuration issues.
first, the establishment of Windows users
Set up a separate Windows user account cert for each site, delete the user group for the account, and add cert to the Guest user group. The user cannot change the password, the password never expires two options selected.
Second, set folder permissions
1, set the non-site-related directory permissions
When Windows is installed, many directories and files by default are everyone can browse, view, run, or even modify. This poses a great danger to server security. Here are some of my personal experiences to mention some of the more commonly used directories in intrusion.

The permissions for these directories or files should be appropriately restricted. such as canceling the guests user's view, modify, and Execute permissions. Due to the length of the relationship, this is simply mentioned here.
2, set the site related directory permissions:
A, set the site root directory permissions: The user just established cert to the corresponding site folder, assume the appropriate permissions for the D:cert: Adiministrators Group for Full Control, cert have read and run, List folder directory, read, cancel all other permissions.
B, set updatable file permissions: After the 1th site root folder permissions setting, the Guest user has no permission to modify any content in the site folder. This is obviously not enough for an updated site. Then you need to set permissions on individual files that need to be updated. Of course this may be inconvenient for a virtual host provider. The customer's site may not be the same as the content of the file that needs to be updated. At this point, you can specify a folder can be written, can be changed. If some of the virtual host providers, the site root directory uploads for the Web can be uploaded folders, data or database folder. This allows the virtual host service provider to tailor the permissions for the two folders to the client. Of course, like some do a better virtual host provider, to the customer to do a program, let the customer set their own. May want to do so, service providers have to spend not small money and manpower oh.
The basic configuration should be everyone, here is a few special points or need to pay attention to places.
1, the main directory permissions settings: This can be set to read on the line. Write, directory browsing, etc. can not, the most important thing is the directory browsing. Unless it is a special case, it should be closed or it will expose a lot of important information. This will bring convenience to hackers. Leave the rest to default on it.
2, application configuration: In the Site properties, home directory This item also has a configuration option, click Enter. As you can see in the application mapping options, there are many application mappings by default. Remove all the required reservations and all that you don't need. In the process of intrusion, many programs may limit the asp,php file upload, but do not cer,asa, such as file restrictions, if the corresponding application mapping is not deleted, you can change the name of the ASP suffix to CER or ASA after the upload, Trojan will be able to be resolved normally. This is also often overlooked by the administrator. Add an application extension mapping and the executable file can optionally be named. MDB. This is to prevent the user database of the suffix named MDB from being downloaded.
3, Directory Security settings: Select Directory security in the site properties, click Anonymous access and authentication control, choose to Allow anonymous access, click Edit. As shown in the following figure. Delete the default user, browse to select the corresponding user for the CERT Web site, and enter the password. You can select to allow IIS to control passwords. The purpose of this set is to prevent some like webmaster assistants, the sea, such as cross-directory Cross-site browsing, can effectively prevent such cross-directory cross-site intrusion.
4, writable directory to perform permissions settings: Turn off all writable directories to execute permissions. Due to the loopholes in the program, the current very popular upload some of the trojan, most of them are uploaded with the web. Because can not write the directory Trojan can not upload, if you turn off the ability to write a directory, then upload the Trojan will not run normally. Can effectively prevent such forms of web intrusion.
5, processing run error: Here are two methods, one is to turn off error ECHO. IIS Properties-Home Directory-Configuration-application debugging-script error message, select Send text error message to customer. The second is to customize the error page. In the IIS properties-custom error messages, double-click the error page that you want to customize in the HTTP error message, the Error mapping property settings box pops up. The message type has a default value, a URL, and a file of three, which can be customized according to the situation. This allows you to hide some error messages, and on the other hand you can make the error display more user-friendly.
Third, configure the FTP
FTP is a necessary service for most virtual host providers. Most of the user's station files are uploaded using FTP. Most of the FTP servers currently in use are not serv-u. Here are a few points to explain.
1. Admin password must be changed
If the invasion enthusiasts must be familiar with the serv-u right again mo past. These power tools use the Serv-u default Administrator's account number and password to run. Because the SERV-U administrator is running as a super administrator. If you do not change the administrator password, these tools can be used to the most useful. If you change the password, the tools are not as simple as they want to function properly. You have to crack the admin password before you can.
2, change the installation directory permissions
The default installation directory for Serv-u is for everyone to browse and even modify. If you choose to store the user information in the INI file when you install it, you can get all the information about the user in Servudaemon.ini. If guests has permission to modify, then hackers can successfully establish a user with super privileges. This is not a good thing. So after installing the serv-u, you have to modify the appropriate folder permissions, you can cancel the guests user's corresponding permissions.
iv. command-line related operations handling
1, prohibit guests users to perform Com.exe:
We can cancel guests execute Com.exe permission by following command
cacls c:winntsystem3cmd.exe/e/d guests.
2. Disable Wscript.Shell components:
Wscript.Shell can invoke the system kernel to run DOS basic commands. This can be prevented by modifying the registry to rename this component. Hkey_classes_rootwscript.shell and HKEY_CLASSES_ROOTWSCRIPT.SHELL.1 renamed to other names. You can also change the value of the HKEY_CLASSES_ROOTWSCRIPT.SHELLCLSID item and the value of the HKEY_CLASSES_ROOT WSCRIPT.SHELL.1CLSID item by changing the values of the two CLSID.
3. Disable Shell.Application Components
Shell.Application can also invoke the system kernel to run DOS basic commands. This can be prevented by modifying the registry to rename this component. Hkey_classes_rootshell.application and Hkey_classes_rootshell.application.1 renamed to other names. Change or delete the value of the HKEY_CLASSES_ROOTSHELL.APPLICATIONCLSID project Hkey_classes_rootshell.applicationclsid the value of the item. Also, the guest user is prohibited from using Shell32.dll to prevent calls to this component. Use command: cacls c:winntsystem32shell32.dll/e/d Guests
4, FileSystemObject components
FileSystemObject can be normal operation of the file can be modified by modifying the registry, the component renamed to prevent the harm of such Trojans. The corresponding registry entry is HKEY_CLASSES_ROOT scripting. FileSystemObject. You can prevent guests users from using or deleting them directly. Considering that many uploads will use this component, it is not recommended to change or delete it for convenience.
5. No Telnet landing
There is a login.cmd file in the C:winntsystem32 directory, open it in Notepad, take another line at the end of the file, and add the exit to save it. This allows users to automatically exit immediately when they log on to telnet.
Note: The above registry operation requires a restart of the Web service before it takes effect.
Five, port settings
The bottom of the port form is the door, the metaphor is very vivid. If all the ports on our servers are open, that means hackers have a lot of doors to invade. So I personally feel that shutting down unused ports is an important thing. In Control Panel-network and dial-up connections-local Connection-attribute ――internet protocol (TCP/IP) properties, click Advanced, enter Advanced TCP/IP settings, select options, select TCP/IP filtering in the optional settings, and enable TCP/IP filtering. Add the required ports, such as 21, 80, and close all remaining unused ports.
vi. closing file-sharing
The system defaults to the file sharing feature enabled. We should give the cancellation. In Control Panel-network and dial-up connections-local connections-Properties, in the General options, cancel Microsoft Network file and print sharing. The principle of minimum service is an important principle of guaranteeing security. Non-essential services should be given off. System services can be set in the Control Panel-management tools-services.
vii. closure of non-essential Services
Services such as Telnet services, remote registry operations, and so on should be disabled. At the same time install the fewest software possible. This avoids some of the security problems caused by software vulnerabilities. Some network administrators install QQ on the server, use the server to hang QQ, this kind of practice is extremely wrong.
Eight, pay attention to the security and update the vulnerability of timely patches
Update vulnerability patches are important for a network administrator. Update the patch, you can further ensure the security of the system.