WIN2000 Server Security Configuration Overview


Win2000 Server security configuration strategy: Windows 2000 Server is currently one of the most popular server operating systems, but configuring Microsoft's operating system securely is not easy. This article is a preliminary discussion of the security configuration of Win2000 Server.

I. Customize your own Win2000 Server

1. Select a version: Win2000 comes in several language versions. For us the choice is between the English and the Simplified Chinese version. I strongly recommend the English version if language is not an obstacle. As you know, Microsoft products are famous for bugs and patches; the Chinese version has more bugs than the English version, and its patches usually arrive at least half a month later (that is, after Microsoft announces a vulnerability, your machine stays unprotected for half a month).

2. Component selection: Win2000 installs a set of common components by default, and this default installation is extremely dangerous (Mitnick said he could get into any server left on a default installation; I would not go that far, but if your Win2000 Server host is a default installation, I can tell you that you are as good as compromised). You should know exactly which services you need and install only those. By the security principle, minimum services + minimum permissions = maximum security. The minimum components for a typical web server are: only the IIS Common Files, the IIS Snap-In, and the WWW Server. If you really need other components, be careful, especially with the dangerous ones: Indexing Service, FrontPage 2000 Server Extensions, and Internet Service Manager (HTML).

3. Choice of management application

Choosing a good remote management tool is very important, both for security and for day-to-day administration. The Win2000 Terminal Service is remote control software based on RDP (Remote Desktop Protocol); it is fast, easy to operate, and suits routine work. But Terminal Service has its shortcomings: because it uses a virtual desktop, and because Microsoft's programming is not rigorous, operations that interact with the real desktop, such as installing software or restarting the server through Terminal Service, often go wrong. For example, restarting a Microsoft-certified server (a Compaq, say) through Terminal Service may simply shut it down. So for safety we recommend a second remote control tool as a complement to Terminal Service; PcAnywhere is a good choice.

II. Install Win2000 Server correctly

1. Partitions and logical disk allocation: some people, to save trouble, divide the hard disk into a single logical drive and install all software on C:. This is very bad. We recommend at least two partitions, one system partition and one application partition, because Microsoft's IIS frequently has source-disclosure or overflow vulnerabilities; if the system and IIS sit on the same drive, system files may be exposed and an intruder may even obtain Administrator remotely. The recommended secure layout is three logical drives: the first, larger than 2 GB, for the system and important log files; the second for IIS; and the third for FTP. This way, whether IIS or FTP has a security hole, the system directory and system files are not directly affected. Remember that IIS and FTP are externally exposed services and are prone to problems. The main purpose of separating IIS from FTP is to stop an intruder from uploading a program and then running it through IIS. (This may annoy developers and editors. You are the administrator.)

2. Installation order: you might think the order does not matter and you just install things. Wrong! Pay attention to the following when installing Win2000:

First, when to connect to the network: Win2000 has a vulnerability during installation. After you enter the Administrator password, the system creates the ADMIN$ share, but it is not protected with the password you just entered; this lasts until the next reboot. During that period anyone can access your machine through ADMIN$. In addition, once installation completes, various services start automatically, and the server is exposed and easy to reach. Therefore, do not connect the host to the network until Win2000 Server is fully installed and configured.

Second, patch installation: install patches after all applications are installed, because patches often need to replace or modify system files; if you apply a patch before installing the application, the patch may not take effect properly. For example, the IIS HotFix requires you to reapply the patch every time you change the IIS configuration (strange, isn't it?).

III. Security configuration of Win2000 Server

Even when Win2000 Server is correctly installed, the system still has many vulnerabilities and needs further configuration.

1. Ports: a port is the logical interface between a computer and the external network and the computer's first barrier; whether ports are configured correctly directly affects host security. In general it is safest to open only the ports you need. The configuration is done by enabling TCP/IP filtering under NIC properties > TCP/IP > Advanced > Options > TCP/IP Filtering. Win2000 port filtering has one bad characteristic, however: you can only specify which ports to open, not which ports to close, which is painful for users who need a large number of ports open.

2. IIS: IIS is one of Microsoft's most vulnerable components, with a new vulnerability roughly every two or three months, and the default IIS installation is nothing to be proud of. IIS configuration is therefore our focus; now follow along with me:

First, delete the Inetpub directory on drive C: and create an Inetpub on drive D: (you may change the name if you would rather not use the default directory name, but remember it), then in IIS Manager point the home directory to D:\Inetpub;

Secondly, delete the virtual directories such as scripts that IIS creates by default during installation (remember http://www.target.com/scripts/.?c1=1c./winnt/system32/#.exe? Even though we have moved Inetpub off the system disk, we should still be careful). If you need a directory with particular permissions, create it yourself and grant only the permissions it needs. (Pay special attention to the Write and Execute permissions; unless they are absolutely necessary, do not grant them.)

Third, application configuration: in IIS Manager delete the unnecessary mappings, keeping only the file types you actually need, such as ASP and ASA, or STM if you use server-side includes; in fact 90% of hosts need only the first two mappings. Almost every other mapping has a sad story behind it: htw, htr, idq, ida ... Want to know the stories? Check past vulnerability lists. Where do I delete them? In IIS Manager, right-click the host > Properties > WWW Service > Edit > Home Directory > Configuration > Application Mappings, and delete them one by one (there is no multi-select). Then, on the App Debugging tab of the same window, change the script error message to send a text message to the client (unless you want ASP errors to reveal your program, network, or database structure). What should the error text say? Whatever you like. When you click OK to exit, do not forget to let the virtual sites inherit the properties you set.
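The mapping clean-up above is easy to check against a dump of the current mappings. The script below is an added example, not code from the article: it parses entries in the IIS 5 metabase ScriptMaps format (".ext,handler-path,flags[,verb,...]", where flag 1 means "script engine" and flag 4 means "verify that file exists", as shown by adsutil.vbs) and reports which mappings to keep and which to remove, with the htw/htr/idq/ida mappings named in the text listed first. The sample list and handler paths are constructed for illustration.

```python
"""Audit IIS 5 application (script) mappings against an allowlist.

Added example, not code from the original article. It assumes the metabase
ScriptMaps entry format (".ext,handler-path,flags[,verb,...]", flag 1 = script
engine, flag 4 = verify that the file exists); the sample list below is
constructed, not read from a real server.
"""
from __future__ import annotations

# Mappings the article singles out as having had vulnerabilities. Anything not
# on the allowlist is removed; these are reported first as the most urgent.
KNOWN_RISKY = {".htw", ".htr", ".idq", ".ida"}

# Constructed sample resembling a default IIS 5 ScriptMaps list.
SAMPLE_SCRIPTMAPS = [
    r".asp,C:\WINNT\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".asa,C:\WINNT\System32\inetsrv\asp.dll,5,GET,HEAD,POST,TRACE",
    r".htw,C:\WINNT\System32\webhits.dll,1",
    r".htr,C:\WINNT\System32\inetsrv\ism.dll,1,GET,POST",
    r".idq,C:\WINNT\System32\idq.dll,1",
    r".ida,C:\WINNT\System32\idq.dll,1",
    r".shtml,C:\WINNT\System32\inetsrv\ssinc.dll,1,GET,POST",
    r".printer,C:\WINNT\System32\msw3prt.dll,1,GET,POST",
]


def parse_scriptmap(entry: str) -> dict:
    """Split one ScriptMaps entry into its fields."""
    parts = entry.split(",")
    if len(parts) < 3:
        raise ValueError(f"malformed ScriptMaps entry: {entry!r}")
    flags = int(parts[2])
    return {
        "ext": parts[0].strip().lower(),
        "handler": parts[1].strip(),
        "flags": flags,
        "script_engine": bool(flags & 1),
        "check_file_exists": bool(flags & 4),
        "verbs": [v.strip().upper() for v in parts[3:]],  # empty list = all verbs
    }


def audit_scriptmaps(entries, needed):
    """Return (keep, remove): keep is the list of allowed extensions found,
    remove is a list of (ext, reason) for every other mapping, risky first."""
    allow = {e.lower() for e in needed}
    keep, remove = [], []
    for entry in entries:
        m = parse_scriptmap(entry)
        if m["ext"] in allow:
            keep.append(m["ext"])
        elif m["ext"] in KNOWN_RISKY:
            remove.append((m["ext"], "known vulnerable ISAPI mapping"))
        else:
            remove.append((m["ext"], "not needed by this site"))
    # Stable sort: known-risky mappings move to the front, order otherwise kept.
    remove.sort(key=lambda r: r[1] != "known vulnerable ISAPI mapping")
    return keep, remove


if __name__ == "__main__":
    # A typical ASP site needs only .asp and .asa, as the text says.
    kept, to_remove = audit_scriptmaps(SAMPLE_SCRIPTMAPS, {".asp", ".asa"})
    print("keep:", ", ".join(kept))
    for ext, reason in to_remove:
        print(f"remove {ext:9s} {reason}")
```

Run it against the real mapping list after the clean-up as well: an empty remove list confirms that nothing beyond the allowlist survived, which is easier than re-reading the dialog entry by entry.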

To deal with the growing number of CGI vulnerability scanners, you can also try the following trick: in IIS, redirect the HTTP 404 Object Not Found error page to a custom HTM file via URL. This makes most CGI vulnerability scanners malfunction: with that file in place, every scan returns HTTP 200 whether or not the vulnerability exists, so 90% of CGI scanners will conclude that you have every vulnerability, and those results drown out your real vulnerabilities and confuse intruders. (Martial arts novels often say that to be full of openings is to have no openings; this is that realm, isn't it?) Personally, though, I still think doing the security settings properly matters more than such tricks.

Finally, use the backup function of IIS to back up the settings you just made so that you can restore the secure IIS configuration at any time. Also, if you worry that a high IIS load will bring the server down when it runs at full load, you can enable the CPU limit under Performance, for example capping IIS at 70% CPU.

3. Account security:

Win2000 account security is another focus. First, the default Win2000 installation lets any user obtain a list of all the system's accounts and shares through a null session. This is intended to make file sharing on a LAN convenient, but a remote user can also obtain your user list and brute-force user passwords. Many people know that the 139 null connection can be disabled by setting the registry value HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous to 1. In fact, in Win2000's Local Security Policy (for a domain server, in the domain server security policy and domain security policy) this option, RestrictAnonymous (Additional restrictions for anonymous connections), has three values:

0: None. Rely on default permissions

1: Do not allow enumeration of SAM accounts and shares

2: No access without explicit anonymous permissions

The value 0 is the default and imposes no restrictions: a remote user can learn all the accounts, group information, shared directories, and the network transport list (NetServerTransportEnum) on your machine. This setting is very dangerous for a server.

The value 1 allows only non-null users to access SAM account information and share information.

The value 2 is supported only in Win2000. Note that if you use it, your shares will presumably all stop working, so it is recommended to set the value to 1.

Now intruders cannot get our user list, so our accounts are safe... Not so fast. There is at least one account whose password can still be guessed: the system's built-in Administrator. What to do? In Computer Management > Users, right-click Administrator and rename it to whatever you like, just remember it.

Wait, I have already changed the user name, so why is someone still guessing my Administrator password? Luckily my password is long enough, but that is no solution. Well, it must have been read off the local or Terminal Service logon screen. So set the DontDisplayLastUserName string under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon in the server's registry to 1; the system will then no longer display the name of the last user who logged on at the console logon screen.

5. Security log: I once had a case where a host had been broken into and the system administrator asked me to trace the intruder. I logged in and found the security log empty. Remember: Win2000 by default
