Server Security Settings
1. The system disk and the disk that holds the websites must be formatted as NTFS, so that permissions can be set on them.
2. On the system disk and the website disk, remove all permissions except those of the Administrators group and the SYSTEM user.
3. Enable the built-in Windows firewall and keep only the ports that are actually needed, such as remote desktop, Web and FTP (3389, 80, 21); if there is a mail server, also open ports 25 and 130.
4. After installing SQL, search its directory for xplog70, then rename or delete the three files that are found.
5. Change the sa password to a long password that even you do not know, and never use the SA account under any circumstances.
6. Rename the system default account and create a new administrator account as a trap account; give it an extra-long password and remove it from all user groups (leave its group membership empty so that the account does not belong to any user group). Also rename and disable the Guest user.
7. Configure the account lockout policy: type gpedit.msc in Run and press Enter to open the Group Policy Editor, select Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy, then set the lockout threshold to "three invalid logon attempts", the lockout duration to "30 minutes", and the reset of the lockout counter to "30 minutes".
8. In Security Settings - Local Policies - Security Options, empty the following four items:
Network access: Shares that can be accessed anonymously
Network access: Named Pipes that can be accessed anonymously
Network access: Remotely accessible registry paths
Network access: Remotely accessible registry paths and sub-paths
9. In Security Settings - Local Policies - Security Options, add the following accounts to "Deny log on through Terminal Services":
ASPNET, Guest, iusr_*****, iwam_*****, NETWORK SERVICE, SQLDebugger
(***** stands for your machine name. To find the exact names, click Add User or Group, select Advanced, choose Find Now, and pick them from the user list shown below. Be careful not to add the user group or the Administrators group; if you do, there will be no way to log in remotely.)
10. Remove the default shares: save the following as a file with the .reg extension and then import it.
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
"AutoShareServer"=dword:00000000
"AutoShareWks"=dword:00000000
11. Disable unneeded and dangerous services. The following services need to be disabled:
Alerter: sends administrative alerts and notifications
Computer Browser: maintains the list of computers on the network
Distributed File System: manages shared files on the LAN
Distributed Link Tracking Client: updates link information on the LAN
Error Reporting Service: sends error reports
Remote Procedure Call (RPC) Locator: RpcNs* remote procedure calls (RPC)
Remote Registry: allows the registry to be modified remotely
Removable Storage: manages removable media, drives and libraries
Remote Desktop Help Session Manager: remote assistance
Routing and Remote Access: provides routing services for enterprises in LAN and WAN environments
Messenger: message file transfer service
Net Logon: domain controller channel management
NTLM Security Support Provider: Telnet service and Microsoft Search
Print Spooler: print service
Telnet: Telnet service
Workstation: leaks the list of system user names
12. Change the audit policy in the local security policy:
Account management: success, failure
Logon events: success, failure
Object access: failure
Policy change: success, failure
Privilege use: failure
System events: success, failure
Directory service access: failure
Account logon events: success, failure
13. Change the permissions on executables that could be abused: find the following files and, in their security settings, delete every entry except the Administrators user group. Importantly, do not keep even SYSTEM.
Net.exe
Net1.exe
Cmd.exe
Tftp.exe
Netstat.exe
Regedit.exe
At.exe
Attrib.exe
Cacls.exe
Format.com
C.exe (a special file that may not be present on your computer)
In the search box, type
"Net.exe", "Net1.exe", "cmd.exe", "Tftp.exe", "Netstat.exe", "Regedit.exe", "At.exe", "Attrib.exe", "Cacls.exe", "Format.com", "C.exe"
Click Search, then select all of the results, right-click, and choose Properties - Security.
This is the most important step, and the most convenient defense for reducing the chance of privilege escalation and damage.
14. Backup work: capture or record the processes currently running on the server and save the record, so that you can check later for unknown programs. Capture or record the currently open ports as well and save that, so that you can check later whether an unknown port has been opened. Of course, if you can identify every process and port, this step can be omitted.
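One way to use the records from step 14 is to diff a later capture against the saved baseline. This is an added example, not part of the original tutorial; it assumes the records were saved with `netstat -ano` and `tasklist /fo csv /nh`, and all sample data and the name unknown_tool.exe are constructed.

```python
import csv
import io

# Constructed samples of `netstat -ano` and `tasklist /fo csv /nh` output.
BASE_NET = """
  TCP    0.0.0.0:80       0.0.0.0:0        LISTENING       1432
  TCP    0.0.0.0:3389     0.0.0.0:0        LISTENING       884
  UDP    0.0.0.0:445      *:*                              4
"""
BASE_TASKS = '''"System","4","Console","0","236 K"
"svchost.exe","884","Console","0","3,104 K"
"inetinfo.exe","1432","Console","0","8,212 K"
'''
CUR_NET = BASE_NET + """
  TCP    0.0.0.0:8081     0.0.0.0:0        LISTENING       2960
  TCP    10.0.0.5:3389    10.0.0.9:51544   ESTABLISHED     884
"""
CUR_TASKS = BASE_TASKS + '"unknown_tool.exe","2960","Console","0","1,540 K"\n'

def parse_listeners(netstat_text):
    """Map (proto, port) -> PID for listening TCP and bound UDP sockets."""
    listeners = {}
    for line in netstat_text.splitlines():
        f = line.split()
        if len(f) < 4 or f[0] not in ("TCP", "UDP"):
            continue
        if f[0] == "TCP" and f[3] != "LISTENING":
            continue  # established sessions are not part of the baseline
        port = int(f[1].rsplit(":", 1)[1])
        listeners[(f[0], port)] = int(f[-1])
    return listeners

def parse_tasklist(csv_text):
    """Map PID -> image name from CSV tasklist output."""
    rows = csv.reader(io.StringIO(csv_text))
    return {int(r[1]): r[0] for r in rows if len(r) >= 2}

def new_since_baseline(base_net, base_tasks, cur_net, cur_tasks):
    """Return listeners and image names seen now but not in the baseline."""
    base_ports, cur_ports = parse_listeners(base_net), parse_listeners(cur_net)
    cur_procs = parse_tasklist(cur_tasks)
    known = {n.lower() for n in parse_tasklist(base_tasks).values()}
    ports = [(proto, port, cur_procs.get(pid, "unknown"))
             for (proto, port), pid in sorted(cur_ports.items())
             if (proto, port) not in base_ports]
    images = sorted({n for n in cur_procs.values() if n.lower() not in known})
    return ports, images

print(new_since_baseline(BASE_NET, BASE_TASKS, CUR_NET, CUR_TASKS))
```

Anything the comparison reports is a port or program that was not there when the baseline was taken and should be identified before it is accepted into a new baseline.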
Win2003 Server Security Settings Tutorial