1. Security settings recommendations
(1) Check whether the SP2 patch is installed, and set Automatic Updates to install patches daily at 3:00.
(2) When configuring the firewall and port restrictions, be careful not to lock yourself out of remote administration.
------ In Network Neighborhood, right-click > Properties > Advanced, enable the Win2003 firewall, and allow only ports 20, 21, 25, 80, 110, 1433, 3306, 3389 (Remote Desktop), 33000~33003 (FTP PASV) and whatever else you actually need.
------ Under Advanced > ICMP, allow incoming echo requests so the server answers ping; this makes debugging easier.
------ Right-click Network Neighborhood > Properties > TCP/IP > Advanced > Options > TCP/IP filtering, and allow only the same common ports: 20, 21, 25, 80, 110, 1433, 3306, 3389 (Remote Desktop), 33000~33003.
------ Enable the Win2003 firewall and open only the ports you need. Installing an additional personal firewall or security policy on the server is not recommended; if you must, make sure you do not cut off Remote Desktop (Terminal Services), i.e. do not block all inbound traffic to the server.
------ If you change the Remote Desktop port from 3389, add the new port both to TCP/IP filtering in the TCP/IP properties and to the firewall exceptions; otherwise you will be unable to administer the server remotely after the reboot!
------ Do not change the server's IP address, subnet mask or gateway settings.
(3) If SQL Server is installed, apply SP4 immediately; otherwise the server is an easy target for SQL Server worms, which disrupt its network communication.
(4) Keep important data on the D: drive and use C: only for programs and system files, so that reinstalling the system later does not destroy data.
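The lock-out risk in step (2) is easy to check before applying either list. This is an added example, not from the original post: it parses the post's "a,b,c~d" port notation and reports which of the two lists (firewall exceptions and TCP/IP filtering) omits the remote-administration port; the custom RDP port 13389 is an assumption used only for illustration.

```python
# Added example (not from the original post): check the port allowlist from
# step (2) before applying it. The firewall exceptions and the TCP/IP
# "Port Restrictions" are two separate lists; the remote-administration port
# must be present in BOTH or the next reboot cuts off Remote Desktop.
# Port strings use the post's "a,b,c~d" notation; 13389 below is an assumed
# custom RDP port used only for illustration.

def parse_ports(spec):
    """'20,21,3389,33000~33003' -> {20, 21, 3389, 33000, 33001, 33002, 33003}."""
    ports = set()
    for item in spec.replace(" ", "").split(","):
        if not item:
            continue
        lo, _, hi = item.partition("~")
        lo, hi = int(lo), int(hi or lo)
        if not 1 <= lo <= hi <= 65535:
            raise ValueError(f"bad port entry: {item!r}")
        ports.update(range(lo, hi + 1))
    return ports

def lockout_risks(firewall_spec, tcpip_filter_spec, admin_port=3389):
    """Names of the lists that omit the remote-administration port (empty = safe)."""
    lists = {
        "firewall": parse_ports(firewall_spec),
        "tcpip_filter": parse_ports(tcpip_filter_spec),
    }
    return [name for name, ports in lists.items() if admin_port not in ports]

# The allowlist the post recommends for both the firewall and TCP/IP filtering.
RECOMMENDED = "20,21,25,80,110,1433,3306,3389,33000~33003"

if __name__ == "__main__":
    print(lockout_risks(RECOMMENDED, RECOMMENDED))                    # []
    # Remote Desktop moved to 13389, but only the firewall list was updated:
    print(lockout_risks(RECOMMENDED + ",13389", RECOMMENDED, 13389))  # ['tcpip_filter']
```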
2. Permission security
Here is the Western Digital security script, Safe.cmd: West_server_safe.rar (unzip it yourself). The source version is also given below.
The code is as follows:
@echo off
REM Drive roots. /P replaces the whole ACL, so only the accounts listed here remain:
REM Administrators and SYSTEM full control, NETWORK SERVICE (IIS worker) read only,
REM and the servu account (Serv-U FTP) full control on the data drives.
echo y|cacls.exe C:\ /P administrators:f system:f "Network SERVICE":R
echo y|cacls.exe D:\ /P administrators:f system:f servu:f "Network SERVICE":R
echo y|cacls.exe E:\ /P administrators:f system:f servu:f "Network SERVICE":R
REM Program and system directories (/T recurses into subdirectories, /E edits instead of replacing).
echo y|cacls.exe "C:\Program Files" /T /P administrators:f system:f everyone:r
echo y|cacls.exe "C:\Program Files\Common Files" /T /G administrators:f system:f everyone:r
echo y|cacls.exe c:\windows /P administrators:f system:f
echo y|cacls.exe c:\windows\system32 /P administrators:f system:f
echo y|cacls.exe c:\windows\system32\inetsrv /P administrators:f system:f everyone:r
echo y|cacls.exe "C:\Documents and Settings" /P administrators:f system:f
echo y|cacls.exe "C:\Documents and Settings\All Users" /T /P administrator:f system:f everyone:r
echo y|cacls.exe c:\windows\temp /P everyone:f
echo y|cacls.exe %systemroot%\system32\shell32.dll /P administrators:f
echo y|cacls.exe %systemroot%\system32\wshom.ocx /P administrators:f
echo y|cacls.exe c:\windows\system32\*.exe /P administrators:f system:f
echo y|cacls.exe "c:\Documents and Settings\All Users" /E /G Everyone:r
REM Binaries that IIS and COM+ still need to run as NETWORK SERVICE.
echo y|cacls.exe %systemroot%\system32\svchost.exe /E /G "Network SERVICE":R
echo y|cacls.exe %systemroot%\system32\msdtc.exe /E /G "Network SERVICE":R
echo y|cacls.exe %windir%\system32\mtxex.dll /E /G everyone:r
echo y|cacls.exe %windir%\system32\dllhost.exe /E /G everyone:r
REM Command-line tools: only the administrator account may run them.
echo y|cacls.exe c:\windows\system32\cmd.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\net.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\net1.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\sc.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\at.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\netsh.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\cacls.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\cmdkey.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\ftp.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\tftp.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\reg.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\regedt32.exe /P administrator:f
echo y|cacls.exe c:\windows\system32\regini.exe /P administrator:f
REM .NET Framework directories and the DLLs that ASP/ASP.NET pages load at run time.
echo y|cacls.exe %windir%\assembly /E /T /G "Network SERVICE":R
echo y|cacls.exe %windir%\microsoft.net /E /T /G everyone:r
echo y|cacls.exe "%windir%\microsoft.net\framework\v1.1.4322\temporary asp.net Files" /E /T /G everyone:f
echo y|cacls.exe %windir%\system32\mscoree.dll /E /G everyone:r
echo y|cacls.exe %windir%\system32\ws03res.dll /E /G everyone:r
echo y|cacls.exe %windir%\system32\msxml*.dll /E /G everyone:r
echo y|cacls.exe c:\windows\system32\urlmon.dll /E /G everyone:r
echo y|cacls.exe c:\windows\system32\mlang.dll /E /G everyone:r
echo y|cacls.exe c:\windows\system32\tapi32.dll /E /G everyone:r
echo y|cacls.exe c:\windows\system32\wininet.dll /E /G everyone:r
cacls c:\windows\assembly /E /T /P "Network SERVICE":R
cacls c:\windows\microsoft.net /E /T /P "Network SERVICE":R
cacls "C:\WINDOWS\Microsoft.NET\Framework\v1.1.4322\Temporary asp.net Files" /E /T /P "Network Service":F
cacls "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\Temporary asp.net Files" /E /T /P "Network Service":F
cacls c:\windows /E /G "Network SERVICE":R
cacls c:\windows\system32 /E /G "Network SERVICE":R
cacls c:\windows\system32\rasapi32.dll /E /G "Network SERVICE":R
REM IIS administration components: administrators and SYSTEM only.
echo y|cacls.exe c:\windows\system32\inetsrv\adsiis.dll /P administrators:f system:f
echo y|cacls.exe c:\windows\system32\inetsrv\iisadmpwd /P administrators:f system:f
echo y|cacls.exe c:\windows\system32\inetsrv\metaback /P administrators:f system:f
REM Serv-U program directory and the web root (adjust the paths to your own layout).
cacls "C:\Program Files\Serv-U" /E /G servu:f
cacls d:\wwwroot /E /G servu:f
cacls c:\windows /E /G everyone:r
REM Stop and disable the Computer Browser and Server (SMB file sharing) services.
net stop Browser
sc config Browser start= disabled
net stop LanManServer
sc config LanManServer start= disabled
REM Remove the default administrative shares now...
net share C$ /delete
net share D$ /delete
net share E$ /delete
net share F$ /delete
net share ADMIN$ /delete
net share IPC$ /delete
REM ...and keep them from being recreated at boot (delshare.reg).
echo Writing and importing delshare.reg ...
echo Windows Registry Editor Version 5.00> C:\delshare.reg
echo.>> C:\delshare.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters]>> C:\delshare.reg
echo "AutoShareWks"=dword:00000000>> C:\delshare.reg
echo "AutoShareServer"=dword:00000000>> C:\delshare.reg
regedit /s C:\delshare.reg
del C:\delshare.reg
echo =========================================================
REM TCP/IP stack hardening against DoS (dosforwin.reg).
echo Writing and importing dosforwin.reg ...
echo Windows Registry Editor Version 5.00> C:\dosforwin.reg
echo.>> C:\dosforwin.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]>> C:\dosforwin.reg
echo "EnableICMPRedirect"=dword:00000000>> C:\dosforwin.reg
echo "DeadGWDetectDefault"=dword:00000001>> C:\dosforwin.reg
echo "DontAddDefaultGatewayDefault"=dword:00000000>> C:\dosforwin.reg
echo "EnableSecurityFilters"=dword:00000000>> C:\dosforwin.reg
echo "AllowUnqualifiedQuery"=dword:00000000>> C:\dosforwin.reg
echo "PrioritizeRecordData"=dword:00000001>> C:\dosforwin.reg
REM ReservedPorts is REG_MULTI_SZ: "1433-1434" in UTF-16LE followed by the terminating nulls.
echo "ReservedPorts"=hex(7):31,00,34,00,33,00,33,00,2d,00,31,00,34,00,33,00,34,00,\>> C:\dosforwin.reg
echo   00,00,00,00>> C:\dosforwin.reg
echo "SynAttackProtect"=dword:00000002>> C:\dosforwin.reg
echo "EnablePMTUDiscovery"=dword:00000000>> C:\dosforwin.reg
echo "NoNameReleaseOnDemand"=dword:00000001>> C:\dosforwin.reg
echo "EnableDeadGWDetect"=dword:00000000>> C:\dosforwin.reg
echo "KeepAliveTime"=dword:00300000>> C:\dosforwin.reg
echo "PerformRouterDiscovery"=dword:00000000>> C:\dosforwin.reg
echo "EnableICMPRedirects"=dword:00000000>> C:\dosforwin.reg
regedit /s C:\dosforwin.reg
del C:\dosforwin.reg
echo =========================================================
REM Disable unneeded services by setting Start=4 (disabled) in the registry.
echo Disabling the Remote Registry service ...
echo Windows Registry Editor Version 5.00> C:\regedit.reg
echo.>> C:\regedit.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]>> C:\regedit.reg
echo "Start"=dword:00000004>> C:\regedit.reg
regedit /s C:\regedit.reg
del C:\regedit.reg
echo Disabling the Messenger service ...
echo Windows Registry Editor Version 5.00> C:\message.reg
echo.>> C:\message.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Messenger]>> C:\message.reg
echo "Start"=dword:00000004>> C:\message.reg
regedit /s C:\message.reg
del C:\message.reg
echo Disabling the Server (LanManServer) service ...
echo Windows Registry Editor Version 5.00> C:\lanmanserver.reg
echo.>> C:\lanmanserver.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer]>> C:\lanmanserver.reg
echo "Start"=dword:00000004>> C:\lanmanserver.reg
regedit /s C:\lanmanserver.reg
del C:\lanmanserver.reg
echo Disabling the TCP/IP NetBIOS Helper (lmhosts) service ...
echo Windows Registry Editor Version 5.00> C:\netbios.reg
echo.>> C:\netbios.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lmhosts]>> C:\netbios.reg
echo "Start"=dword:00000004>> C:\netbios.reg
regedit /s C:\netbios.reg
del C:\netbios.reg
REM forddos.reg ships in the rar next to this script; it is not generated here.
regedit /s forddos.reg
The Serv-U directory permission is not in the script above; it is just this one line, which I post here separately:
cacls "C:\Program Files\Serv-U" /t /P administrators:f servu:r
There is also a script that reverses these changes; it is packaged in the rar above.
Note: change the directory paths inside to match your own layout.
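The script writes its .reg files with a chain of echo lines, and the one non-obvious value is the hex(7) encoding of ReservedPorts. The following is an added example, not part of the script or the rar: it renders the same "Windows Registry Editor Version 5.00" format in code, encodes and decodes REG_MULTI_SZ as hex(7), and uses the key and a subset of the value names the script writes to dosforwin.reg.

```python
# Added example, not the original script: build a "Windows Registry Editor
# Version 5.00" file in code instead of with a chain of "echo ...>>" lines.
# The one non-obvious encoding in the script is ReservedPorts: REG_MULTI_SZ
# is written as hex(7), i.e. the UTF-16LE bytes of each string, a 00,00
# terminator per string, and one more 00,00 closing the list. The key and
# value names below are the ones the script writes to dosforwin.reg.

def multi_sz_hex(values):
    """Encode strings as the comma-separated hex(7) byte list regedit expects."""
    data = b"".join(v.encode("utf-16-le") + b"\x00\x00" for v in values) + b"\x00\x00"
    return ",".join(f"{b:02x}" for b in data)

def multi_sz_decode(hex_list):
    """Inverse of multi_sz_hex; tolerates the backslash line continuations of .reg files."""
    parts = [h.strip() for h in hex_list.replace("\\", "").split(",")]
    text = bytes(int(h, 16) for h in parts if h).decode("utf-16-le")
    return [s for s in text.split("\x00") if s]

def reg_file(key, values):
    """Render one key: int -> dword, list/tuple -> hex(7) multi-string, str -> quoted."""
    lines = ["Windows Registry Editor Version 5.00", "", f"[{key}]"]
    for name, value in values.items():
        if isinstance(value, bool):
            raise TypeError(f"{name}: use an int (0/1) for dword values")
        if isinstance(value, int):
            lines.append(f'"{name}"=dword:{value:08x}')
        elif isinstance(value, (list, tuple)):
            lines.append(f'"{name}"=hex(7):{multi_sz_hex(value)}')
        else:
            lines.append(f'"{name}"="{value}"')
    return "\r\n".join(lines) + "\r\n"

TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
DOSFORWIN = {
    "SynAttackProtect": 2,           # SYN flood protection, strongest level
    "EnableICMPRedirect": 0,         # ignore ICMP redirects (route tampering)
    "PerformRouterDiscovery": 0,     # no IRDP router discovery
    "KeepAliveTime": 0x300000,       # 3,145,728 ms between TCP keep-alives
    "ReservedPorts": ["1433-1434"],  # keep SQL Server's ports out of the ephemeral pool
}

if __name__ == "__main__":
    print(reg_file(TCPIP, DOSFORWIN))
```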
3. Script mappings
Remove unneeded script mappings to make the server more secure. Below is the set of mappings collected from a Western Digital server. The simplest way to change them is to edit the ScriptMaps entries in C:\WINDOWS\system32\inetsrv\MetaBase.xml directly; each entry is extension,handler path,flags,verbs, where flags 1 = script engine and 4 = the requested file must exist (5 = both). Look through the file yourself.
SHTML (server-side include) script mappings
.shtm,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
.shtml,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
.stm,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
ASP script mappings
.asp,C:\windows\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
.asa,C:\windows\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
PHP CGI script mappings
.php,D:\wwwsoft\PHP\php-cgi.exe,5,GET,HEAD,POST,TRACE
.php3,D:\wwwsoft\PHP\php-cgi.exe,5,GET,HEAD,POST,TRACE
PHP ISAPI script mappings
.php,D:\wwwsoft\PHP\php5isapi.dll,5,GET,HEAD,POST,TRACE
.php3,D:\wwwsoft\PHP\php5isapi.dll,5,GET,HEAD,POST,TRACE
ASP.NET v2.0 script mappings
ASP.NET 2.0 is compatible with v1.0, so the 2.0 settings can generally be used.
.asax,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.ascx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.ashx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.asmx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.aspx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.axd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.vsdisco,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.rem,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.soap,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.config,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.cs,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.csproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.vb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.vbproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.webinfo,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.licx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.resx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.resources,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.xoml,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.rules,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.master,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.skin,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.compiled,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.browser,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.mdb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.jsl,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.vjsproj,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.sitemap,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.msgx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.ad,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.dd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.ldd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.sd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.cd,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.adprototype,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.lddprototype,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
;.sdm,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.sdmdocument,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.ldb,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.svc,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.mdf,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.ldf,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.java,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.exclude,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.refresh,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
Puzzled: why is there a .java mapping in the list above?
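One way to go through a ScriptMaps list like the one above methodically, as an added example that is not part of the original post: a parser for the extension,handler,flags,verbs entries and an audit that reports mappings for extensions you know are unused plus verbs beyond GET/HEAD/POST. The unused-extension set and the sample lines are constructed; entries such as .asa, .config or .cs are kept on purpose so the handler refuses to serve source files, so only list what you know is unused.

```python
# Added example, not the original post's code: parse IIS 6 ScriptMaps entries
# (extension,handler path,flags,verbs, as kept in MetaBase.xml) and list what
# a hardening pass should change. Mappings for extensions the site does not
# use are removal candidates; verbs beyond GET/HEAD/POST (TRACE, DEBUG) can
# be dropped. The unused-extension set and the sample lines are constructed.
# Caution: mappings such as .asa, .config or .cs exist so the handler blocks
# source files from being served; only remove what you know is unused.
from dataclasses import dataclass

SCRIPT_ENGINE = 1  # flag bit 1: treat the handler as a script engine
CHECK_EXISTS = 4   # flag bit 4: the requested file must exist on disk

@dataclass
class ScriptMap:
    ext: str
    handler: str
    flags: int
    verbs: tuple

def parse_scriptmap(line):
    """One entry per line; a leading ';' marks a commented-out entry (returns None)."""
    line = line.strip()
    if not line or line.startswith(";"):
        return None
    ext, handler, flags, *verbs = (p.strip() for p in line.split(","))
    return ScriptMap(ext.lower(), handler, int(flags), tuple(v.upper() for v in verbs))

def audit(lines, unused_exts, allowed_verbs=("GET", "HEAD", "POST")):
    """Return (ext, action) pairs in file order."""
    findings = []
    for line in lines:
        m = parse_scriptmap(line)
        if m is None:
            continue
        if m.ext in unused_exts:
            findings.append((m.ext, "unused extension; remove mapping"))
            continue
        extra = sorted(set(m.verbs) - set(allowed_verbs))
        if extra:
            findings.append((m.ext, "drop verbs " + ",".join(extra)))
    return findings

SAMPLE = r"""
.asp,C:\windows\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE
.shtml,C:\WINDOWS\system32\inetsrv\ssinc.dll,5,GET,POST
;.sdm,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
.aspx,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,1,get,head,post,debug
.java,c:\windows\microsoft.net\framework\v2.0.50727\aspnet_isapi.dll,5,get,head,post,debug
""".strip().splitlines()

if __name__ == "__main__":
    for ext, action in audit(SAMPLE, unused_exts={".shtml", ".java"}):
        print(f"{ext}: {action}")
```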