Using McAfee to create a relatively secure server environment for Windows _win servers

This package is based on WINDOWS2008R2, at the same time, with the help of McAfee Enterprise version of anti-virus software, mainly to explain a train of thought, hope to give the need of a friend certain inspiration.

The first to say the 1th, is about Mcafee,mcafee can achieve the function, in fact, the system can do, but for a small white users, a variety of complex system settings is too much headache, and McAfee use is relatively simple, after a simple understanding, Generally small white can be used normally, will not because of excessive security settings for normal operation brought great inconvenience.

Then let's talk about my whole plan. First of all, some simple necessary settings are essential, commonly used include the following points:
1, the ASP, such as the use of functional items to turn off, this person's server needs may be different, their own flexible control on it.
2, then, we give each site a separate account, this account for the cache directory, the necessary DLL directory, the site directory with read access, no other places need any permissions at all.
3, processing some need to write permission directory. For example, in DiscuzX1.5, directories that require write permissions include/data,/uc-server/data,/uc_client/data/cache, and after setting write permissions, locate them in the IIS7 and turn off script execution permissions for those directories. Reference >>>>
4, the Remote Desktop port to a non-default 3389, while the system password to change slightly more complex. In the actual process we found that some friends of the server is black, in fact, is entirely social workers.
5, the use of McAfee set the port access rules, the general server will not be used to surf the internet, but to provide Web services to the outside, so direct use of McAfee for all ports directly to block, prohibit inbound, including MySQL, Memcache, Remote Desktop, such as simple exceptions to release.
6, use McAfee to block the commonly used dangerous files, here is very simple, because the server is not used daily, do not need frequent software installation, will not often change the settings, so we directly globally block Exe\dll\vbs\com\bat\txt and other dangerous formats of the write (**\*. EXE this is on behalf of the Global EXE), the specific format, you can specifically online collection. If you want to install the program later or make other changes, temporarily stop McAfee.
7, use McAfee to DiscuzX1.5 directory for detailed restrictions, although the previous use of NTFS permissions on the directory restrictions, but not escape the system is a vulnerability or something, so we also need to use McAfee to limit the relevant directory, specifically in addition to/data,/ Uc-server/data,/uc_client/data/cache and other directories all completely prohibit writing, and then refine the words, is to do some common attack mode of protection, such as writing multiple suffix name files, We can completely use McAfee to prohibit DiscuzX1.5 directories from writing to Discuzx1.5\data\**\*.*.*, of course, you can also think of some other refinement settings, such as the prohibition of data\ The attachment directory writes any files that are not allowed in the format of the attachment.
8, to prevent Cmd.exe is read, this is very important, many people through the system components call CMD to invoke power.
9, to prevent the Net.exe is read, hackers create a new account when the use of it is
10, the rest, we also need to the common attachment directory, database for regular backup

Through a few simple settings above, I believe we can block most of the invasion, those so-called small hacker should be difficult to take your server. Of course, the above settings do not protect the database, do not protect malicious delete attachments, these two aspects, the next time to share with you the simple protection measures. On the above are not clear, you can thread, I try to answer everyone. The above are all simple to say a little thought, and did not do detailed rigorous elaboration, please note that some webmaster friends do not pick bones in the eggs, thank you!