Server security Settings
1, the system disk and site placement disk must be set to NTFS format, easy to set permissions.
2, the system disk and site placement disk in addition to administrators and system user rights are removed.
3, enable Windows with a firewall, only to retain useful ports, such as remote and Web, FTP (3389, 80, 21), and so on, there are mail server to open 25 and 130 ports.
4, after the installation of SQL into the directory search xplog70 and then will find three files renamed or deleted.
5, change the sa password for you do not know the very long password, under no circumstances should not use the SA account.
6, rename the system default account name and create a new administrator account as a trap account, set an extra long password, and remove all user groups. (that is, set to NULL in the user group.) Let this account not belong to any user group-sample) also renamed to disable the Guest user.
7. Configure Account Lockout policy (enter Gpedit.msc carriage return in run, open Group Policy Editor, select Computer Configuration-windows Settings-security Settings-account policy-account lockout policy, set account to "three login invalid", "Lock time 30 minutes", " The reset lock count is set to 30 minutes. )
8, in the security settings local policy-security options will
Network access: Shares that can be accessed anonymously;
Network access: Named pipes that can be accessed anonymously;
Network access: A registry path that can be accessed remotely;
Network access: A registry path and subpath that can be accessed remotely;
The above four items are emptied.
9, in the security settings local policy-security options through Terminal Services refused to login to join
The following are the referenced contents:
ASPNET
Guest
iusr_*****
iwam_*****
Network SERVICE
SQLDebugger
(* * * * to indicate your machine name, specific search can be clicked to add user or group Select the advanced selection immediately find the list below the user list selection.) Be careful not to add into the user group and the Administrators group after adding it there is no way to remotely log in. )
10, remove the default share, save the following file as a reg suffix, and then perform the import.
Windows Registry Editor Version 5.00
[Hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters]
"AutoShareServer" =dword:00000000
"AutoShareWks" =dword:00000000
11, disabling unwanted and dangerous services, the following list of services need to be disabled.
Alerter Send administrative alerts and notifications
Computer Browser: Maintaining network computer updates
Distributed file System: LAN management shared files
Distributed linktracking Client for LAN update connection information
Error Reporting Service send bug report
Remote Procedure call (RPC) Locator rpcns* remoting procedure calls (RPC)
Remote Registry remotely Modify registry
Removable Storage manage removable media, drivers, and libraries
Remote Desktop help session Manager Remoting
Routing and Remote Access provides routing services to enterprises in LAN and WAN environments
Messenger Message File Transfer service
Net Logon domain Controller channel management
Ntlmsecuritysupportprovide telnet Service and Microsoft Serch
Printspooler Print Service
Telnet Telnet Service
Workstation leak System User Name list
12. Change audit policy for local security policy
Account Management failed successfully
Logon event failed successfully
Object access failed
Policy Change failed successfully
Privilege usage failed
System Event failed successfully
Directory Service access failed
Account Logon event failed successfully
13, change is likely to be the right to use the file run permissions, find the following files, the security settings in addition to the Administrators user group all deleted, it is important not to leave the system.
Net.exe
Net1.exe
Cmd.exe
Tftp.exe
Netstat.exe
Regedit.exe
At.exe
Attrib.exe
Cacls.exe
Format.com
C.exe special files may not be able to find this file on your computer.
Enter in the search box
"Net.exe", "Net1.exe", "cmd.exe", "Tftp.exe", "Netstat.exe", "Regedit.exe", "At.exe", "Attrib.exe", "Cacls.exe", " Format.com "," C.exe "
Click Search and select All right key property security
This is one of the most important points, and it is the most convenient way to reduce the possibility of being put right and destroyed.
14, backup work, the current server to capture the process of the map or record it, save it to facilitate later check whether there are unknown procedures. Grasp the current open port or record it, save it for later to see if the unknown port is open. Of course if you can distinguish each process, and the port this step can be omitted.