This solution is based on Windows 2008 R2 and uses the McAfee Enterprise Edition anti-virus software to explain the idea, in the hope of inspiring friends who need it.
First, a word about what McAfee can do. In fact, everything McAfee achieves here can also be done with the system's own settings. However, for a novice, complicated system settings are a headache, and McAfee is much simpler to use. After a basic understanding, a novice can generally use it normally without excessive security settings causing great inconvenience to normal operations.
Now for my overall solution. Some simple and necessary settings are essential; the commonly used ones include the following:
1. Turn off unused functions such as ASP. Each server's needs may be different, so this can be adjusted flexibly.
2. Next, assign a separate account to each site. This account has read permission on the cache directory, the directory where the necessary DLLs are located, and the site directory; no permissions are required anywhere else.
3. Handle the directories that require write permission. Taking DiscuzX1.5 as an example, the directories that require write permission include /data, /uc-server/data, /uc_client/data/cache. After setting the write permission, find these directories in IIS7 and disable the script execution permission for them.
4. Change the Remote Desktop port from the default 3389 to a non-default port, and make the system password slightly more complex. In practice, we found that some of our friends' servers were hacked, but they were actually compromised entirely through social engineering.
5. Use McAfee to set port access rules. Generally, a server is not used to browse the Internet and only provides web services. Therefore, use McAfee to block all ports and prohibit inbound traffic, with simple exceptions allowed for MySQL, Memcache, and Remote Desktop.
6. Use McAfee to block common dangerous files. This is very simple: because the server is not used day to day and software does not need to be installed on it frequently, we directly block writing of dangerous formats such as exe \ dll \ vbs \ com \ bat \ txt (written as **\*.exe, the rule applies to exe globally). The specific list of formats can be collected from the Internet. You can temporarily stop McAfee when you want to install a program or make other changes.
7. Use McAfee to restrict the DiscuzX1.5 directory in detail. Although NTFS permissions were used earlier to restrict the directory, they cannot protect against system vulnerabilities and the like, so we also need McAfee to restrict the related directories. Specifically, writing is completely prohibited in all directories except /data, /uc-server/data, /uc_client/data/cache. Further refinements target some common attack methods. For example, to stop multi-suffix files from being written, we can use McAfee to prohibit writing **\*.*.* in the discuzX1.5\data\***\* directory. Of course, you can also think of other refined settings, such as prohibiting the data\attachment directory from accepting any file whose format is not an allowed attachment format.
8. Block the reading of cmd.exe, which is very important. Many people use system components to call cmd to escalate privileges.
9. Block net.exe from being read. It is used when a hacker creates an account.
10. For the rest, we also need to regularly back up common attachment directories and databases.
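The write rules in steps 6 and 7 can also be checked after the fact. The following Python script is an added example, not part of the original post and not McAfee functionality: it models those rules and lists files modified since a given time that the rules should have stopped. The rule labels and the function names classify and audit_tree are assumptions made for this example.

```python
import os

# Directories that keep write permission (steps 3 and 7), relative to the site root.
WRITABLE = ("data", "uc-server/data", "uc_client/data/cache")
# Formats whose writing step 6 blocks globally.
BLOCKED_EXT = {"exe", "dll", "vbs", "com", "bat", "txt"}


def classify(rel_path):
    """Return the rules from steps 6 and 7 that a written file would violate."""
    path = rel_path.replace("\\", "/").strip("/").lower()
    parts = path.rsplit("/", 1)[-1].split(".")
    in_writable = any(path.startswith(w + "/") for w in WRITABLE)
    reasons = []
    if not in_writable:
        reasons.append("outside-writable-dirs")   # step 7: no writes elsewhere
    if len(parts) > 1 and parts[-1] in BLOCKED_EXT:
        reasons.append("blocked-format")          # step 6: dangerous formats
    if in_writable and len(parts) >= 3:
        reasons.append("multi-suffix")            # step 7: *.*.* (two or more dots)
    return reasons


def audit_tree(root, since=0.0):
    """Walk root; report files modified after `since` (epoch seconds) that break a rule."""
    findings = {}
    for dirpath, _dirs, files in os.walk(root):
        for fname in files:
            full = os.path.join(dirpath, fname)
            if os.path.getmtime(full) <= since:
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            reasons = classify(rel)
            if reasons:
                findings[rel] = reasons
    return findings


if __name__ == "__main__":
    import sys
    # Usage: script.py <site root> <epoch seconds of the last known-good state>
    for rel, reasons in sorted(audit_tree(sys.argv[1], float(sys.argv[2])).items()):
        print(rel, ",".join(reasons))
```

Run it with the site root and the time of the last deployment or backup; every file it lists was written since then in a place or format the rules above are meant to block.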
With the few simple settings above, we believe the vast majority of intrusions can be blocked. A so-called small-time hacker should find it difficult to take over your server. Of course, the above settings do not defend against attacks on the database or malicious deletion of attachments. We will share some simple protection measures for these two aspects next time. If you have any questions about the above items, please leave a reply. I will try my best to answer. All of the above are just a few simple ideas, without a detailed and rigorous explanation, so I would ask fellow webmasters not to nitpick. Thank you!