Win2003 Server Security Settings Tutorial

Server security Settings

1, system disk and site placement disk must be set to NTFS format, easy to set permissions.

2, system disk and site placement disk in addition to administrators and system user rights are all removed.

3, enable Windows to bring the firewall, only to retain the useful ports, such as remote and Web, FTP (3389, 80, 21), and so on, there are mail server also open 25 and 130 ports.

4. After installing SQL, go to directory search xplog70 and then rename or delete the three files found.

5, change the sa password for you do not know the long password, under no circumstances do not use SA this account.

6. Rename the system default account name and create a new administrator account as a trap account, set an extra long password, and remove all user groups. (It is set to empty in the user group.) Let this account not belong to any user group-like) also renamed Disabled Guest user.

7, configure the Account lockout policy (enter Gpedit.msc carriage return in the run, open the Group Policy Editor, select the Computer Configuration-windows Settings-security Settings-account policy-account lockout policy, set the account to "three times invalid login", "Lockout time 30 minutes", " The reset lock count is set to 30 minutes. ）

8. Local policy in Security settings-security options will

Network access: a share that can be accessed anonymously;

Network access: Named pipes that can be accessed anonymously;

Network access: Remote access to the registry path;

Network access: Remote access to the registry path and sub-path;

The above four items are emptied.

9. Local policy in Security settings-security options deny login via Terminal Services join

The following is the referenced content: ASPNET Guest iusr_***** iwam_***** NETWORK SERVICE SQLDebugger

(* * * * indicates your machine name, specific find can click Add User or group Select Advanced Choose to find in the user list listed below.) Note Do not add into the user group and the Administrators group added, there is no way to remotely log in. ）

10. Remove the default share, save the following file as a reg suffix, and then perform the import.

Windows Registry Editor Version 5.00

[Hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters]

"AutoShareServer" =dword:00000000

"AutoShareWks" =dword:00000000

11. To disable unwanted and dangerous services, the following list of services needs to be disabled.

Alerter sending administrative alerts and notifications

Computer Browser: Maintaining network computer updates

Distributed file System: LAN management shared files

Distributed linktracking Client for LAN update connection information

Error Reporting Service send bug report

Procedure Call (RPC) Locator rpcns* Remote Procedure calls (RPC)

Remote Registry remotely Modify the registry

Removable Storage manage removable media, drivers, and libraries

Remote Desktop help Session Manager Remoting

Routing and Remote Access provides routing services for enterprises in LAN and WAN environments

Messenger Message File Transfer service

Net Logon domain Controller channel management

Ntlmsecuritysupportprovide telnet Service and Microsoft Serch

Printspooler Print Service

Telnet Telnet Service

Workstation leak System User Name list

12. Change the audit policy for the local security policy

Successful account management failure

Logon event failed successfully

Object access failed

Policy Change failed successfully

Privilege use failed

System Event failed successfully

Directory Service access failed

Account Logon event failed successfully

13, the change may be the right to use the file running permissions, find the following files, its security settings in addition to the Administrators user group to delete all, it is important that even the system do not stay.

Net.exe

Net1.exe

Cmd.exe

Tftp.exe

Netstat.exe

Regedit.exe

At.exe

Attrib.exe

Cacls.exe

Format.com

C.exe special files may not be found on your computer.

In the search box, type

"Net.exe", "Net1.exe", "cmd.exe", "Tftp.exe", "Netstat.exe", "Regedit.exe", "At.exe", "Attrib.exe", "Cacls.exe", " Format.com "," C.exe "

Click on Search and then select All Right-button property security

This is the most important point, and is the most convenient to reduce the right to be raised and destroyed the possible defense methods.

14, backup work, the current server process capture or record down, save it, convenient later check whether there are unclear procedures. Take the current open port capture or record it and save it to see if the unknown port is open for later reference. Of course, if you can identify each process, and the port this step can be omitted.

Win2003 Server Security Settings Tutorial