WIN2000 Server Security Configuration Servers manual (4)

server| Security | Server SQL server is the most used database system on NT platform, but its security problem must be paid attention to. The database often has the most valuable information, once the data stolen consequences unimaginable.

Timely update of the patch procedures.

Description: As with NT, many vulnerabilities in SQL Server are made up by patches. It is recommended that you test the test machine before installing the patch, and that you do a good job of data backup of the target server ahead of time.

Give SA a complex password.

Description: SA has full permissions on SQL Server database operations. Unfortunately, some of the network management is not familiar with the database, the establishment of the database is done by programmers, and this part of the people tend to focus on writing the SQL statement itself, the SQL Server database management is not familiar with, so it is likely to cause the sa password is empty. This is a serious threat to database security. There are a few sites with this kind of hidden trouble.

Strict control of the permissions of the database users, easy to let users have direct query, change, insert, delete permissions to the table, you can access the view by giving the user permissions, and only to execute the stored procedure permissions.

Note: If the user has direct operation rights to the table, there will be the risk of data damage. Develop a complete database backup and recovery strategy.

32. Currently, Pcanywhere is the most popular remote control tool based on 2000, as well as the need to pay attention to security issues.

It is recommended to use a separate username and password, preferably by means of encryption. Do not use the same user name and password as the NT administrator, nor the password that is integrated with NT. Be sure to use strong encryption in the security options when setting up the server side. Reject low encryption level of the connection, while using password encryption and transmission of the user name and password encryption to prevent sniffing, but also to limit the number of connections, another important point is that it must be in the Protect The high intensity password is set in the item, and the limit is not allowed to let others see any settings on your host side, even if you want to check the relevant settings on the hosts, you must enter the password!

Note: PCANYWHERE password is the first gateway to remote control, if the same as NT, lost the security barrier. After being breached, there is no security whatsoever. And if a separate password is used, there is a password barrier even if the pcanywhere,nt is breached. Install newer versions in a timely manner.

33. In fact, security and application in many cases is contradictory, so you need to find a balance in it, after all, the server is to users rather than open hack, if the security principle hinders the application of the system, then this security principle is not a good principle. Network security is a system engineering, it not only has the space span, but also has the time span. Many friends (including some system administrators) think that a security-configured host is secure, in fact, there is a misunderstanding: I can only say that a host in a certain situation in a certain time is safe with the changes in the network structure, the discovery of new vulnerabilities, Administrator/user operations, The security situation of the host is changing anytime and anywhere, so the security consciousness and security system can be truly safe through the whole process.

Here are eight ways to improve the efficiency of IIS 5.0 Web server execution:

1. Enabling HTTP persistence can improve the efficiency of 15~20% execution.

2. Not enabling logging can improve the efficiency of 5~8% execution.

3. The use of a "stand-alone" handler would lose 20% of the execution efficiency.

4. Increasing the number of saved files for cache memory can improve the effectiveness of active Server pages.

5. Do not use CGI programs.

6. Increase the number of IIS 5.0 computer CPUs.

7. Do not enable the ASP debugging function.

8. Static Web pages are compressed by HTTP, which can reduce the transmission volume by 20%.

34. When enabling HTTP persistence (keep-alive), the connection between IIS and the browser is not disconnected and can improve execution efficiency until the connection is disconnected when the browser is closed. Because the "keep-alive" state is maintained, there is no need to re-establish a new connection on each client request, so the efficiency of the server is improved. This feature is a preset feature for HTTP1.1, and HTTP 1.0 plus Keep-alive header can also provide an ongoing function of HTTP.

Enabling HTTP persistence can improve the efficiency of 15~20% execution. How do you enable HTTP to continue? The steps are as follows: In Internet Services Administrator, select the entire IIS computer, or the Web site, on the home directory page of the content, and check the "continuing effects of HTTP" option.

35. Not enabling logging can improve the efficiency of 5~8% execution. How do I set a record without enabling it? The steps are as follows:

In Internet Services Administrator, select the entire IIS computer, or Web site, on the home directory page of the content, and uncheck the Enable logging option. Setting up a separate handler that uses a "standalone" handler loses 20% of the execution efficiency, where the term "standalone" means setting the Application Protection option for the home directory, virtual directory page to high (independent). So when application protection is set to low (IIS handlers), how can you set a non "independent" handler? The steps are as follows: In Internet service Administrator, select the entire IIS computer, the Web site, or the application's starting directory. To the home directory, virtual directory page of content, set the Application Protection option to low (IIS handler).

36.IIS 5.0 The static Web page data is temporarily stored in cache memory, and IIS 4.0 temporarily saves the static Web page data in the file. Adjusting the number of saved files in cache memory can improve execution efficiency. After the ASP instruction file executes, it will be staged in cache memory to improve performance. Increase the number of saved files for cache memory to improve the performance of active Server pages. You can set the number of cache memory files for all applications executed on the entire IIS computer, the standalone web site, or the standalone application. How to set cache function? The steps are as follows: Select the entire IIS computer, the standalone web site, or the start directory for the standalone application in Internet service administrator. On the home directory, virtual directory page of content, and when you press the Set button, you can set the command file cache memory by the handler Options page. How do I set the number of cache memory files? The steps are as follows: In Internet service Administrator, select the entire IIS computer, or the start directory for the Web site. On the "Content" Server Extensions page, press the "Set" button. You can set the number of cache memory files.

37. The use of CGI programs, because the processing process (process) must be constantly generated and destroyed, resulting in inefficient implementation. Generally speaking, the efficiency of execution is compared as follows: Static Web page: Isapi:50 asp:10 cgi:1. In other words, ASPs can be 10 times times faster than CGI, so don't use CGI programs to improve the efficiency of IIS execution. In terms of elasticity (flexibility): ASP > CGI > ISAPI > Static Web page (static). In terms of Security: ASP (Standalone) = ISAPI (standalone) = CGI > ASP (non-standalone) = ISAPI (not standalone) = static Web page (static)

38. According to Microsoft's test report, increase the number of IIS 4.0 computer CPU, implementation efficiency does not improve how much, but increase the number of IIS 5.0 computer CPU, execution efficiency will be almost proportional to provide, in other words, Two CPU IIS5.0 computer execution efficiency is almost twice times of a CPU computer, four CPU IIS 5.0 computer execution efficiency is almost four times times of a CPU computer IIS 5.0 will static Web page data temporarily in cache memory; IIS 4.0 The static web page data is temporarily stored in the file. Adjusting the number of saved files in cache memory can improve execution efficiency.

39. Do not enable the ASP debugging function can improve the execution efficiency. How do you not enable ASP debugging features? The steps are as follows: In Internet Services Administrator, select the Web site, or the start directory of the application, press the right key to select content, press the "Home directory", "virtual directory" or "directory" page, press the "Set" button, select the "Application Debug" page, uncheck "Enable ASP server-side Directive debugging , enable ASP client Directive debugging option.

40. Static Web pages are compressed by HTTP, which can reduce the transmission volume by 20%. The HTTP compression feature is enabled or closed and is set for the entire IIS server. HTTP compression is available on the client side using the IE 5.0 browser to connect to a Web server that has HTTP compression IIS5.0 enabled. How do I enable the HTTP compression feature? The steps are as follows: To enable HTTP compression, select the "content" of the computer in Internet service administrator, and select "WWW service" under "primary content". Then click the Edit button on the Services page and choose Compress static file to compress the static file without selecting Compress application files. Dynamically generated content files (compressed application files) can also be compressed, but the extra CPU processing time is required, and it is recommended that you do not compress if%processor times are 80% or more.



The above is the adoption of IIS as a Web server for some security-related settings and its performance tuning parameter settings, you can maximize the optimization of your IIS, but personally think that if there is no obstacle, or the use of Apache better, less loopholes, the proposed use of Apache version 1.3.24, Because of the recent test, the Apache 1.3.23 before the version of the overflow vulnerability, do not be afraid, this vulnerability is very small. In addition, personal recommendations do not use ASP security is not reassuring, personal think or use JSP better, safe, powerful, absolute value, because PHP also has a lot of loopholes.