Web Server Security Configuration Specification
The network security community has a well-known saying: the fewest services plus the least privilege equals the greatest security.
The company's server configuration is as follows:
Servers 67, 68, 69 and 70 run Windows 2000 Advanced Server with IIS 5.0 as the virtual-hosting platform. To protect the system and keep the data reliable, the hard disk is split into a system disk and a data disk: Windows 2000 is installed on the system disk and the database system on the data disk.
The security precautions taken on the server are as follows:
1. All partitions are formatted as NTFS so that user permissions can be controlled. Administrators and SYSTEM are granted Full Control, the default Full Control granted to Everyone is removed, and each user is granted only the permissions that user needs.
2. The disk is partitioned into a system partition (the operating system), a website partition (the virtual-host software, the customer websites and the back-end database) and a backup partition (storage for data and program backups).
3. Event auditing is turned on so that user logons, policy changes and program activity are recorded as they happen; if the system is damaged, the record of what happened is still available afterwards.
4. Customer data in the back-end database is kept in SQL Server, and a job backs up every back-end database automatically each night. Even if a customer's database is deleted by mistake, all of its data can be restored from the previous night's backup, so customer data stays safe and reliable.
5. For the front-end websites, the operating system's own Backup utility runs on a weekly schedule: a full backup of every customer website is taken each Sunday, which keeps the website data complete. A weekly cycle means up to a week of website changes can be lost, so customers who update often need a shorter one.
6. When IIS was installed, only the Web (WWW) service was selected; FTP, SMTP and NNTP were not installed.
7. FTP is provided by the Serv-U server program, which runs stably and reliably and is kept upgraded to the latest version. Anonymous logins are disabled, every user is assigned a strong password, and each user is restricted to his own directory.
8. After the operating system was installed, Service Pack 4 and the current security patches were applied promptly to reduce the risk of virus infection and attack and keep the system running normally and safely. Whenever Microsoft announces a new vulnerability, the system is upgraded and patched promptly.
9. Both Microsoft's own Terminal Services and Symantec's pcAnywhere remote-control software are installed, so that if one remote-control service cannot be reached, the server can still be administered through the other. Both are remote-administration entry points, so each should be reachable only from the administrators' own addresses and kept patched, in line with the "fewest services" principle above.
10. Antivirus protection is Symantec's Norton AntiVirus; the definitions are updated and a scan is run every week to keep the system clean and safe.
11. The Guest account is disabled and the built-in Administrator account is renamed, to reduce the chance of a successful attack on the system.
12. System passwords are controlled: the administrator password combines letters, digits and special characters, so that brute-force guessing is impractical and the server stays secure.
13. To defeat password guessing by trial and error, an account is locked for 30 minutes after five wrong passwords.
14. A network vulnerability scanner is run against the server regularly, and any hole it finds is fixed promptly before it can cause a problem.
15. After SQL Server 2000 was installed it was upgraded to SP3, which closes known database vulnerabilities and blocks worm infection and attacker damage.
16. The sa superuser has a strong password, and each customer's database has its own login and password with appropriate permissions. Each login can operate only on its own database, which prevents cross-database operations that would compromise database security.
Hangzhou Netcom Interconnection Company
Network Administrator: Liu Wei
July 14, 2004
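Item 16 above (a strong sa password and one login per customer that can reach only its own database) expressed as commands. This is an added example, not part of the original document or the company's own scripts: it assumes SQL Server 2000 with osql.exe on the database host, that the Windows administrator running it is a SQL Server sysadmin (the -E trusted connection), and that the customer name, database names and passwords are placeholders to replace.

```batch
@echo off
rem Added example, not from the original document. Placeholders: CUST, CUSTDB,
rem CUSTPW, SAPW and other_cust_db. Run from an administrative prompt on the
rem SQL Server 2000 host; -E logs on with the current Windows account.
set CUST=cust_example
set CUSTDB=cust_example_db
set CUSTPW=Xq7#mR2-vL9p$w
set SAPW=replace-with-a-long-sa-password-8Fz#

rem 1. Give sa a strong password. sp_password takes old, new, login; the old
rem    password may be NULL when the caller is a sysadmin.
osql -E -Q "EXEC sp_password NULL, '%SAPW%', 'sa'"

rem 2. Create the customer database and a SQL Server login whose default
rem    database is that database.
osql -E -Q "IF DB_ID('%CUSTDB%') IS NULL CREATE DATABASE [%CUSTDB%]"
osql -E -Q "EXEC sp_addlogin '%CUST%', '%CUSTPW%', '%CUSTDB%'"

rem 3. Map the login into its own database only, as a user with db_owner there.
rem    Because sp_grantdbaccess is never run for this login in any other
rem    customer database, it has no user there and cannot cross over.
osql -E -d %CUSTDB% -Q "EXEC sp_grantdbaccess '%CUST%'"
osql -E -d %CUSTDB% -Q "EXEC sp_addrolemember 'db_owner', '%CUST%'"

rem 4. Remove the guest user from customer databases. If guest exists in a
rem    database, every login can use that database through it, which would
rem    defeat the per-customer separation. USER_ID is NULL when guest is absent.
osql -E -Q "IF DB_ID('other_cust_db') IS NULL CREATE DATABASE [other_cust_db]"
osql -E -d %CUSTDB% -Q "IF USER_ID('guest') IS NOT NULL EXEC sp_revokedbaccess 'guest'"
osql -E -d other_cust_db -Q "IF USER_ID('guest') IS NOT NULL EXEC sp_revokedbaccess 'guest'"

rem 5. Check the separation as the customer. The first query reports the
rem    customer's own database; the second, which asks for another customer's
rem    database at logon, is expected to be refused. That refusal is the point.
osql -U %CUST% -P %CUSTPW% -Q "SELECT DB_NAME()"
osql -U %CUST% -P %CUSTPW% -d other_cust_db -Q "SELECT DB_NAME()"
```

db_owner inside the customer's own database is what item 16 describes (the customer runs the whole application there); a customer who only needs to read and write tables can be put in db_datareader and db_datawriter instead, which is tighter. The guest check in step 4 matters because a SQL Server login needs no explicit user in a database that has guest enabled.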
Windows 2000 Server Network Security Settings
I. Account Security Management
1. Keep the number of accounts as small as possible. Use scanning tools regularly to review the system's accounts, their permissions and their passwords, and delete accounts that are no longer in use.
2. Disable the Guest account, and also give it a complex password.
3. Rename the built-in Administrator account and make it look like an ordinary user; do not use "admin" anywhere in the name.
4. Do not let the system display the name of the last user who logged on.
Modify the Windows 2000 local security policy:
In Local Security Policy - Local Policies - Security Options, set "Do not display last user name in logon screen" to Enabled.
II. Network Service Security Management
1. Turn off unnecessary services
Some services can expose the system to attack, for example Windows 2000 Terminal Services, IIS and RAS (Remote Access Service).
Unless they are actually needed, disable Task Scheduler, Telnet, Remote Registry Service, RunAs Service, Print Spooler and any other service that is not required.
2. Close unnecessary ports
When the server provides only a single function, consider opening only the ports that function needs.
Open My Network Places - Properties - Local Area Connection - Properties - Internet Protocol (TCP/IP) - Properties - Advanced - Options - TCP/IP Filtering - Properties, enable TCP/IP filtering, and add only the TCP ports, UDP ports and IP protocols that are required. TCP/IP filtering applies to incoming traffic only, and the list must include every port the server's own roles use (80 for the Web service, 21 for FTP, 3389 for Terminal Services, and so on), or those services stop working.
3. Prohibit null sessions
By default, anyone can connect to the server with a null session (an anonymous connection to IPC$), enumerate its accounts and shares, and then guess passwords for the accounts found.
Modify the Windows 2000 local security policy:
In Local Security Policy - Local Policies - Security Options, set "Additional restrictions for anonymous connections" to "Do not allow enumeration of SAM accounts and shares".
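The settings of sections I and II, together with the lockout rule of item 13 in the configuration report above, applied from the command line instead of the management consoles. This is an added example, not part of the original document: it assumes a stand-alone Windows 2000 server, an administrative command prompt, and only the tools that ship with Windows 2000 (net.exe and regedit.exe). The lockout numbers are the document's own; the minimum password length of 10 is an assumption.

```batch
@echo off
rem Added example, not from the original document. Service names, registry
rem paths and policy mappings are those of Windows 2000.

rem --- Accounts (section I, items 2 and 4; report item 13): disable Guest,
rem     lock an account for 30 minutes after 5 bad passwords within 30 minutes,
rem     and require passwords of at least 10 characters (assumed length).
net user Guest /active:no
net accounts /lockoutthreshold:5 /lockoutduration:30 /lockoutwindow:30
net accounts /minpwlen:10

rem --- Registry settings, written as a REGEDIT4 file and imported silently.
rem     REGEDIT4 is the ANSI format, so a file produced with echo is accepted
rem     by regedit on Windows 2000. The blank line after the header is required.
set REGFILE=%TEMP%\harden.reg
>"%REGFILE%" echo REGEDIT4
>>"%REGFILE%" echo.
rem     "Do not display last user name in logon screen" (section I, item 4)
>>"%REGFILE%" echo [HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System]
>>"%REGFILE%" echo "DontDisplayLastUserName"=dword:00000001
>>"%REGFILE%" echo.
rem     "Additional restrictions for anonymous connections" set to "Do not allow
rem     enumeration of SAM accounts and shares" is RestrictAnonymous=1 (section
rem     II, item 3). Value 2 is stricter but also blocks the browser service and
rem     down-level trusts, so the document's choice of 1 is used here.
>>"%REGFILE%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
>>"%REGFILE%" echo "RestrictAnonymous"=dword:00000001

rem --- Services from section II, item 1, by their Windows 2000 service names:
rem     Task Scheduler, Telnet, Remote Registry, RunAs, Print Spooler.
rem     Stop each one now and set Start=4 (Disabled) so it stays off after reboot.
for %%S in (Schedule TlntSvr RemoteRegistry seclogon Spooler) do (
    net stop %%S /y
    >>"%REGFILE%" echo.
    >>"%REGFILE%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\%%S]
    >>"%REGFILE%" echo "Start"=dword:00000004
)

regedit /s "%REGFILE%"
del "%REGFILE%"

rem --- Verify: lockout values now in force, and which services are still running.
net accounts
net start
```

On a domain member the domain's policy overrides both the net accounts values and the two security options, so apply them through Group Policy there instead. Stopping the Print Spooler breaks any printer shares the server offers, which is why the document qualifies the list with "unless necessary". Renaming the Administrator account, also recommended in section I, has no command-line equivalent in Windows 2000 and is done through Local Users and Groups.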
III. Network Service Security Settings
1. Turn on audit policy so that important system events are monitored and recorded: audit account management, audit account logon events, audit policy change and audit logon events. Then, after an attack or damage, the intruder's traces can be found promptly and remedial measures taken.
2. Internet Services Manager security settings
1) Change the web home directory: right-click Default Web Site - Properties - Home Directory - Local Path and point it to a directory on another partition, away from the default C:\Inetpub\wwwroot.
2) Delete the original default installation directory and all the virtual directories created under it.
3) Remove unnecessary IIS extension mappings: right-click Default Web Site - Properties - Home Directory - Configuration, open the App Mappings tab, and remove every mapping except .asp and .asa (the mappings removed this way include .htr, .idq, .ida, .printer, .shtml and .stm). A request for a file type with no mapping is served as a static file instead of being handed to an ISAPI extension.
4) Back up the IIS configuration: the Backup/Restore Configuration feature in Internet Services Manager saves the whole IIS configuration (the metabase), so the secured configuration can be restored at any time.
IV. Data File Security Management
1. Backup
Back up important data frequently to a dedicated backup server; once the backup is complete, the backup server can be disconnected from the network.
2. Set file share permissions
When you create shared folders (and printer shares), change the share permissions from the default Everyone group to the specific authorized users.
On the system disk, set security (NTFS) permissions so that the SYSTEM and Administrators groups have Full Control and remove all other users and groups from the ACL. Check afterwards that service accounts and the IIS anonymous user (IUSR_<machine>) can still read the system files they need; on a web server they normally need Read on %SystemRoot%.
On the user (data) disk, grant the SYSTEM and Administrators groups Full Control, and grant the Everyone group "Read & Execute" and "List Folder Contents".
3. Turn off default shares
After Windows 2000 is installed it creates hidden administrative shares (C$, D$, ADMIN$ and IPC$); the net share command lists them. You can stop them from Administrative Tools - Computer Management - Shared Folders - Shares by right-clicking the share and choosing Stop Sharing, but they are recreated every time the machine restarts. A script that deletes the default shares, run automatically at system startup, takes care of this.
4. Prevent file-name spoofing
Set the options that prevent file-name spoofing, where a malicious file with a double extension (for example a .exe shown as a .txt) is disguised so that people will open it: double-click My Computer - Tools - Folder Options - View, select "Show hidden files and folders" and clear "Hide file extensions for known file types".
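The file, share and Explorer settings of section IV as a script, including the startup script that item 3 calls for. This is an added example, not part of the original document: it assumes Windows 2000 with its built-in cacls.exe, net.exe and regedit.exe, and the drive letters and paths are assumptions (C: is the system disk, D:\wwwroot holds the customer sites, cust1 is one customer's account).

```batch
@echo off
rem Added example, not from the original document. Paths, drive letters and the
rem account name cust1 are placeholders.

rem --- NTFS permissions (item 2). cacls switches: /T recurse, /C continue on
rem     errors, /E edit the existing ACL instead of replacing it, /G grant,
rem     with F=Full Control, C=Change, R=Read (Read & Execute, List, Read).
rem     The data disk gets exactly the ACL the document describes. cacls asks
rem     "Are you sure" before replacing an ACL; "echo y|" answers it.
echo y| cacls D:\ /T /C /G SYSTEM:F Administrators:F Everyone:R

rem     Per customer directory: the customer's own account gets Change, and the
rem     IIS anonymous account keeps Read so the site can still be served.
cacls D:\wwwroot\cust1 /T /C /E /G cust1:C
cacls D:\wwwroot\cust1 /T /C /E /G IUSR_%COMPUTERNAME%:R

rem     The system disk is deliberately not rewritten with /T here: stripping
rem     Users from %SystemRoot% breaks services and the IIS anonymous user.
rem     Do the system disk by hand as the document describes, then verify.

rem --- Administrative shares (item 3): remove them now, and stop the Server
rem     service recreating them at boot (AutoShareServer=0 on Windows 2000
rem     Server; Professional uses AutoShareWks). IPC$ stays, since remote
rem     administration needs it and RestrictAnonymous already limits it.
for %%S in (C$ D$ ADMIN$) do net share %%S /delete

set REGFILE=%TEMP%\shares.reg
>"%REGFILE%" echo REGEDIT4
>>"%REGFILE%" echo.
>>"%REGFILE%" echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
>>"%REGFILE%" echo "AutoShareServer"=dword:00000000
>>"%REGFILE%" echo.
rem --- Explorer view (item 4): show hidden files and never hide known
rem     extensions, so a file named invoice.txt.exe is shown with its real
rem     extension. These are per-user values, so run this as the administrator
rem     who will use Explorer on the server.
>>"%REGFILE%" echo [HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
>>"%REGFILE%" echo "Hidden"=dword:00000001
>>"%REGFILE%" echo "HideFileExt"=dword:00000000
regedit /s "%REGFILE%"
del "%REGFILE%"

rem --- Verify: only the shares you created should be listed, and the data disk
rem     ACL should show SYSTEM, Administrators and Everyone:R only.
net share
cacls D:\
```

With AutoShareServer set to 0 the shares do not come back after a reboot, so the registry value is the lasting fix; if a startup script is still wanted as a belt-and-braces measure, this file can be registered under Computer Configuration - Windows Settings - Scripts (Startup) in the local Group Policy (gpedit.msc). Remember that backup and management tools which rely on C$ or ADMIN$ will stop working once those shares are gone.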