Windows Server is currently one of the most popular server operating systems, but configuring Microsoft's operating system securely is not easy. This article is a preliminary discussion of the security configuration of Windows 2000 Server.
1. Customize your own Windows2000 SERVER
1. Choose a version: Windows comes in many language versions. For us the choice is between the English and Simplified Chinese versions. I strongly recommend the English version if language is not an obstacle. As you know, Microsoft products are famous for bugs and patches; the Chinese version has more bugs than the English one, and its patches usually arrive at least half a month later (in other words, after Microsoft announces a vulnerability, your machine stays unprotected for half a month).
2. Component customization: Windows 2000 installs a number of common components by default, and it is precisely the default installation that is extremely dangerous (Mitnick said he could get into any default-installed server; I would not dare claim as much, but if your host is a default installation of Windows Server, I can tell you that you are dead). You should know exactly which services you need, and install only those. The security principle is: minimum services + minimum permissions = maximum security. The minimum components needed for a typical web server are just the IIS Common Files, the IIS Snap-In and the WWW Server. If you really need other components, be careful, especially with the Indexing Service, FrontPage 2000 Server Extensions and Internet Service Manager (HTML), which are dangerous services.
3. Choosing a management application
Choosing a good remote management tool is very important, both for security and for day-to-day administration. The Terminal Service of Windows 2000 is remote control software based on RDP (Remote Desktop Protocol); it is fast and easy to operate and well suited to routine work. But Terminal Service has its drawbacks: because it uses a virtual desktop, and Microsoft's programming is not rigorous, operations that interact with the real desktop, such as installing software or restarting the server through Terminal Service, often produce surprises. For example, restarting a Microsoft-certified server (a Compaq, say) through Terminal Service may simply shut it down. So, to be safe, we recommend having a second remote control program as a complement to Terminal Service; PcAnywhere is a good choice.
2. Install Windows 2000 Server correctly
1. Partitions and logical disk allocation: to save trouble, some friends divide the hard disk into a single logical disk and install all software on drive C. This is very bad. We recommend creating at least two partitions, a system partition and an application partition, because Microsoft's IIS frequently has source-disclosure or overflow vulnerabilities; if the system and IIS sit on the same drive, system files may be exposed and an intruder may even obtain Administrator remotely. The recommended secure layout is three logical drives: the first, larger than 2 GB, for the system and the important log files; the second for IIS; and the third for FTP. That way, whether IIS or FTP has a security hole, the system directory and system files are not directly affected. Remember that IIS and FTP are externally facing services and are prone to problems. The main reason for separating IIS from FTP is to stop an intruder from uploading a program via FTP and running it through IIS. (This may annoy the developers and editors, but you are the administrator :))
2. Installation order: Don't think the order is unimportant and that you only need to get everything installed. Wrong! Pay attention to the following when installing Windows 2000:
First, when to connect to the network: Windows 2000 has a vulnerability during installation. After you enter the Administrator password, the system creates the ADMIN$ share, but does not protect it with the password you just entered; this persists until the next reboot. During that period anyone can access your machine through ADMIN$. Also, as soon as installation completes, various services start automatically, and the server is vulnerable and easy to get into. Therefore, do not connect the host to the network until Windows Server is fully installed and configured.
Second, patch installation: install patches only after all applications have been installed, because patches often need to replace or modify system files; if you apply a patch before installing an application, the patch may no longer be effective. For example, the IIS HotFix requires you to reapply the patch every time you change the IIS configuration (strange, isn't it?).
3. Security configuration of Windows 2000 Server
Even when Windows 2000 Server has been installed correctly, the system still has many vulnerabilities and needs further configuration.
1. Ports: a port is the logical interface between the computer and the external network, and the computer's first line of defence. Whether ports are configured correctly directly affects the security of the host.
2. IIS: IIS is one of Microsoft's most vulnerability-prone components, averaging a new vulnerability every two or three months, and its default installation leaves much to be desired. IIS configuration is therefore our focus; now everyone follow me:
First, delete the Inetpub directory on drive C and create an Inetpub on drive D (you can use a different name if you are uneasy about keeping the default directory name, just remember what it is), then point the home directory at D:\Inetpub in the IIS manager. Second, delete all the default virtual directories created during IIS installation, such as scripts (the root of the evil: remember http://www.target.com/scripts/.20.c1%1c./winnt/system32/developer.exe? Even though we have moved Inetpub off the system disk, we should still be careful). If you need a directory with particular permissions, create it yourself and grant only the permissions that are needed (pay special attention to Write and Execute: do not grant them unless absolutely necessary).
3. Application configuration: remove every unnecessary application mapping in the IIS manager. Keep only ASP, ASA and whatever file types you actually use, for example stm if you use server-side includes; in fact 90% of hosts need only the first two mappings. Almost every other mapping has a sad story behind it: htw, htr, idq, ida... Want to hear those stories? Look at the previous vulnerability lists. Where do you delete them? In the IIS manager, right-click the host > Properties > WWW Service Edit > Home Directory > Configuration > Application Mappings, and remove them one by one (there is no multi-select). Then, on the App Debugging tab of the same window, change the script error message to send a text error message to the client (unless you want people to learn your program, network and database structure whenever an ASP error occurs). What should the error text say? Whatever you like; write it yourself. When you click OK to exit, do not forget to let the virtual sites inherit the properties you set.
To deal with the ever-growing number of CGI vulnerability scanners, you can also try the following trick: in IIS, redirect the HTTP 404 Object Not Found error page to a custom HTM file via URL. This makes most CGI vulnerability scanners malfunction: with that file in place every probe returns HTTP 200 whether or not the vulnerability exists, so 90% of CGI scanners will report that you have every vulnerability, and the result buries your real vulnerabilities and confuses intruders. (Martial arts novels often say that a body full of openings is actually flawless; whether this reaches that realm is hard to say.) Personally, though, I still think doing the security settings properly matters more than tricks like this.
Finally, use the IIS backup function to back up all the settings you have just made, so that you can restore the IIS security configuration at any time. Also, if you are worried that an overloaded IIS will bring down the server, you can enable the CPU limit under Performance, for example limiting IIS to at most 70% of CPU.
4. Account Security:
Windows account security is another focus. First, a default Windows installation lets any user obtain the full list of the system's accounts and shares through a null session. This was intended to make file sharing convenient for LAN users, but it also lets a remote user obtain your user list and then brute-force the users' passwords. Many friends know that null connections on port 139 can be disabled by setting HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\LSA\RestrictAnonymous = 1 in the registry. In fact, the Local Security Policy of Windows 2000 (on a domain server, the Domain Server Security Policy and Domain Security Policy) exposes this option as "Additional restrictions for anonymous connections" (RestrictAnonymous), which has three values:
0: None. Rely on default permissions
1: Do not allow enumeration of SAM accounts and shares
2: No access without explicit anonymous permissions
The value 0 is the default and imposes no restrictions: remote users can learn all the accounts, group information, shared directories and network transport list (NetServerTransportEnum) on your machine, which is very dangerous for a server.
The value 1 allows only non-null (authenticated) users to access SAM account information and share information.
The value 2 is supported only in Windows 2000. Note that if you use this value, your shares will most likely all stop working, so it is recommended that you set it to 1.
Now intruders cannot get our user list, so our accounts are safe... Not so fast. There is still at least one account whose password can be guessed: the built-in Administrator. What to do? In Computer Management > Users, right-click Administrator and rename it to whatever you like; just remember it.
No, no, I have already changed the user name, so why is someone still guessing my administrator password? Luckily my password is long enough, but that is no solution, is it? Well, the name must have been seen on the local or Terminal Service logon screen. All right, set the DontDisplayLastUserName string under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon to 1; the system will then no longer display the name of the user who last logged on at the console. (Wow, the world is quiet.)
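A small audit script for the two registry values discussed above (RestrictAnonymous under LSA and DontDisplayLastUserName under Winlogon), added here as an example and not taken from the article; it parses a constructed .reg export of the kind regedit produces, so the sample export and the check table are assumptions made for the demonstration.

```python
# Added example (not from the article): audit a Windows 2000 registry export
# (.reg text) for the two hardening values the article recommends. The export
# below is constructed; RestrictAnonymous is a DWORD, DontDisplayLastUserName a string.
import re

CHECKS = {  # key path -> {value name: (type, hardened value)}
    r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa":
        {"RestrictAnonymous": ("dword", 1)},
    r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon":
        {"DontDisplayLastUserName": ("sz", "1")},
}

SAMPLE_EXPORT = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa]
"RestrictAnonymous"=dword:00000000

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon]
"DontDisplayLastUserName"="1"
"""

VALUE_RE = re.compile(r'"([^"]+)"=(?:dword:([0-9a-fA-F]{8})|"(.*)")$')

def parse_reg(text):
    """Parse [key] sections with "name"="string" / "name"=dword:hex lines.
    Key and value names are lower-cased: the registry is case-insensitive."""
    keys, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None and (m := VALUE_RE.match(line)):
            name, dword, sz = m.groups()
            current[name.lower()] = ("dword", int(dword, 16)) if dword else ("sz", sz)
    return keys

def audit(text):
    """Return {value name: status}; a missing value means the default applies,
    which for both settings is the unrestricted one."""
    keys, report = parse_reg(text), {}
    for path, wanted in CHECKS.items():
        have = keys.get(path.lower(), {})
        for name, expected in wanted.items():
            found = have.get(name.lower())
            report[name] = "missing" if found is None else ("ok" if found == expected else "weak")
    return report

if __name__ == "__main__":
    for name, status in audit(SAMPLE_EXPORT).items():
        print(f"{name}: {status}")
```

On a real server, export the two keys with regedit and feed the file's text to audit(); "weak" or "missing" on RestrictAnonymous means null-session enumeration is still possible.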
5. Security log: I have run into this situation: a host had been broken into and the administrator asked me to track down the culprit. I logged in and found the security log empty. Remember: a default Windows installation does not enable any security auditing! Go to Local Security Policy > Audit Policy and turn on the appropriate auditing. The recommended audit settings are:
Account Management: failure
Logon Events: success, failure
Object Access