Windows Server 2003 Setup (Full Compact Version)

Source: Internet
Author: User
First, close unwanted ports
I am on the careful side, so I close ports first. Only 3389 (Remote Desktop) and 1433 (SQL Server; the original text says MySQL, but 1433 is the SQL Server default, MySQL listens on 3306) stay open. People keep saying that the default port 3389 is unsafe. I do not deny it, but the only attack that works against it is brute-forcing the password: rename the administrator account and set a 66-character password, and I reckon it will take years to crack, haha!
Method: Local Area Connection - Properties - Internet Protocol (TCP/IP) - Advanced - Options - TCP/IP Filtering - Properties - tick "Enable TCP/IP Filtering" and add the ports you need. Note: port filtering changes only take effect after a reboot.
Alternatively, change the Remote Desktop port:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00002683
Save this as a .reg file and double-click it. 0x2683 is 9859 in decimal; for any other port, open the key above in regedit and enter the port you want in decimal. The change takes effect after a reboot. Before rebooting, add the new port to the TCP/IP filter or the firewall, and keep 3389 open until you have confirmed a login on the new port, otherwise you lose remote access to the server.
One more point: on Windows 2003 the port filtering in TCP/IP Filtering does not work well with an FTP server. If only port 21 is opened, the FTP data connections, which use dynamically chosen high ports (in passive mode, the mode browsers and most clients use, the client opens that connection to the server), are blocked by the filter, so a client can log in but then cannot list the directory or transfer data. The Windows Firewall that ships with 2003 handles this properly, so on FTP hosts the NIC's TCP/IP Filtering is not recommended; use the firewall instead. Anyone running an FTP download site should read this carefully, so nobody complains afterwards that my article is rubbish...

If you want to know what a port is normally used for, %SystemRoot%\system32\drivers\etc\services is a plain-text list that opens in Notepad. The lazy option is simply to enable the firewall built into Windows 2003 (called Internet Connection Firewall before SP1, Windows Firewall from SP1 on) and handle port changes there; it does the job just as well. The firewall blocks unwanted inbound connections to a Windows 2003 server, stops remote hosts from port-scanning it, and also stops attacks that reach listening services through operating-system vulnerabilities, such as the Blaster worm (which targeted RPC on TCP port 135). Enabling it on a Windows 2003 machine acting as a router protects the whole internal network behind it.
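The two steps above, changing the RDP port and making sure the firewall lets the new port through before the reboot, done as one script. This is an added example and not part of the original article; it assumes Windows Server 2003 SP1 or later (for the `netsh firewall` context), an Administrator session, and the port 9859 the article uses.

```powershell
# Added example (not from the original article): change the RDP listener port
# and open the new port in Windows Firewall *before* rebooting, so the reboot
# does not lock you out. Assumes Windows Server 2003 SP1+ (netsh firewall
# context) and an Administrator session. 9859 is the article's port; any
# unused port above 1024 will do.

$NewRdpPort = 9859
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

# 1. Record the current value so the change can be reverted if needed.
$Current = (Get-ItemProperty -Path $Key -Name PortNumber).PortNumber
Write-Host ("Current RDP port: {0} (0x{0:X})" -f $Current)

# 2. Refuse a port that something else is already listening on.
$Listening = netstat -an -p tcp | Select-String -Pattern (":{0}\s+.*LISTENING" -f $NewRdpPort)
if ($Listening) { throw "TCP port $NewRdpPort is already in use; choose another." }

# 3. Write the new value. The registry stores a DWORD; regedit shows it in hex,
#    which is why the .reg file in the article reads 00002683 (= 9859 decimal).
Set-ItemProperty -Path $Key -Name PortNumber -Value $NewRdpPort -Type DWord

# 4. Turn the firewall on and open the new port while the old port still works,
#    so a mistyped rule cannot strand you.
netsh firewall set opmode mode=ENABLE
netsh firewall add portopening protocol=TCP port=$NewRdpPort name=RemoteDesktop-$NewRdpPort mode=ENABLE

# 5. Verify what was written before rebooting.
$Written = (Get-ItemProperty -Path $Key -Name PortNumber).PortNumber
if ($Written -ne $NewRdpPort) { throw "Registry write failed: read back $Written" }
netsh firewall show config | Select-String -Pattern "$NewRdpPort"

Write-Host "RDP listens on $NewRdpPort after the next reboot."
Write-Host "Remove the rule for port $Current only after a login on the new port has worked."
```

Remove the old port's firewall rule (and the TCP/IP Filtering entry, if you use that instead) only once a Remote Desktop login on the new port has succeeded.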
Second, close unwanted services and enable an appropriate audit policy
I have disabled the following services:
Computer Browser: maintains an up-to-date list of computers on the network and supplies it to programs that ask for it
Task Scheduler: lets programs run at a scheduled time (the AT command depends on it)
Routing and Remote Access: provides routing services to enterprises in LAN and WAN environments
Removable Storage: manages removable media, drives and libraries
Remote Registry: lets remote users modify the registry on this computer
Print Spooler: loads files into memory for later printing; anyone who prints from this server cannot disable it
IPSEC Services (IPSEC Policy Agent): manages IP security policy and starts the ISAKMP/Oakley (IKE) and IP security drivers; keep it running if you rely on IPsec policies
Distributed Link Tracking Client: sends notifications when a file is moved between NTFS volumes in a domain
COM+ Event System: automatically distributes events to subscribing COM components; check which other services depend on it before disabling it
Alerter: notifies selected users and computers of administrative alerts
Error Reporting Service: collects, stores and reports application crashes to Microsoft
Messenger: transmits net send and Alerter service messages between clients and servers
Telnet: lets remote users log on to this computer and run programs
Disable unnecessary services. Even if attackers might never use them, security rules and standards say that anything superfluous should not be running; every service removed is one less potential hazard.
In "Network Connections", remove all unneeded protocols and services. Install only Internet Protocol (TCP/IP) and, if you need bandwidth management, the QoS Packet Scheduler. In Advanced TCP/IP Settings, on the WINS tab, select "Disable NetBIOS over TCP/IP". On the Advanced tab, enable the Windows Firewall (Internet Connection Firewall before SP1). It is built into Windows 2003 and absent from 2000; its features are limited, but it can block ports, which covers most of what people use IPSec filters for.
Run gpedit.msc (Start - Run) to open the Group Policy Editor and go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy. When choosing what to audit, keep in mind that the more items you audit, the more events are generated and the harder it is to spot a serious one; audit too little and you may miss the serious event altogether. Strike a balance based on your situation.
Recommended audit settings:
Audit logon events: Success, Failure
Audit account logon events: Success, Failure
Audit system events: Success, Failure
Audit policy change: Success, Failure
Audit object access: Failure (only produces events for files and registry keys that have a SACL configured)
Audit directory service access: Failure (only meaningful on a domain controller)
Audit privilege use: Failure
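The whole of this step, disabling the services listed above and applying the recommended audit settings, as one script. This is an added example, not from the original article. It uses secedit.exe, which is built into Windows Server 2003 (auditpol.exe is not), and assumes the standard short service names for 2003 and an Administrator session.

```powershell
# Added example, not from the original article: disable the services listed
# above and apply the recommended audit policy. secedit.exe is built into
# Windows Server 2003 (auditpol.exe is not), so the audit settings are applied
# from a security template. Run in an Administrator PowerShell session.
# Assumption: the short service names are the standard ones for 2003.

$ServicesToDisable = @(
    'Browser',         # Computer Browser
    'Schedule',        # Task Scheduler (also disables the AT command)
    'RemoteAccess',    # Routing and Remote Access
    'NtmsSvc',         # Removable Storage
    'RemoteRegistry',  # Remote Registry
    'Spooler',         # Print Spooler: keep it if you print from this server
    'PolicyAgent',     # IPSEC Services: keep it if you rely on IPsec policies
    'TrkWks',          # Distributed Link Tracking Client
    'EventSystem',     # COM+ Event System: other services depend on it
    'Alerter',         # Alerter
    'ERSvc',           # Error Reporting Service
    'Messenger',       # Messenger (net send)
    'TlntSvr'          # Telnet
)

foreach ($Name in $ServicesToDisable) {
    $Svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $Svc) { Write-Host "skip     $Name (not installed)"; continue }

    # Check before breaking something: running services that depend on this one.
    $Dependents = @($Svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
    if ($Dependents.Count -gt 0) {
        $Names = ($Dependents | ForEach-Object { $_.Name }) -join ', '
        Write-Warning "$Name is used by running service(s): $Names; review before disabling"
        continue
    }
    if ($Svc.Status -eq 'Running') { Stop-Service -Name $Name -Force }
    Set-Service -Name $Name -StartupType Disabled
    Write-Host ("disabled {0,-15} ({1})" -f $Name, $Svc.DisplayName)
}

# Audit policy as a security template. Values: 0 = none, 1 = success,
# 2 = failure, 3 = success and failure.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditSystemEvents = 3
AuditPolicyChange = 3
AuditObjectAccess = 2
AuditDSAccess = 2
AuditPrivilegeUse = 2
'@

$Inf = Join-Path $env:TEMP 'audit.inf'
$Db  = Join-Path $env:TEMP 'audit.sdb'
$Template | Set-Content -Path $Inf -Encoding Unicode
secedit /configure /db $Db /cfg $Inf /areas SECURITYPOLICY /quiet

# Read the effective policy back to confirm the values took.
$Export = Join-Path $env:TEMP 'current.inf'
secedit /export /cfg $Export /areas SECURITYPOLICY /quiet
Get-Content $Export | Select-String -Pattern '^Audit'
```

The dependency check is deliberate: Stop-Service -Force would also stop anything that depends on the service, which is how disabling COM+ Event System or Task Scheduler silently takes other things down with it.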
Third, disk permission settings
1. System disk permissions
C: partition:
C:\
  Administrators: Full control (this folder, subfolders and files)
  CREATOR OWNER: Full control (files only)
  SYSTEM: Full control (this folder, subfolders and files)
  IIS_WPG: Create files / Write data (this folder only)
  IIS_WPG (this folder, subfolders and files):
    Traverse folder / Execute file
    List folder / Read data
    Read attributes
    Create folders / Append data
    Read permissions
C:\Documents and Settings
  Administrators: Full control (this folder, subfolders and files)
  Power Users (this folder, subfolders and files): Read and execute, List folder contents, Read
  SYSTEM: Full control (this folder, subfolders and files)
C:\Program Files
  Administrators: Full control (this folder, subfolders and files)
  CREATOR OWNER: Full control (files only)
  IIS_WPG (this folder, subfolders and files): Read and execute, List folder contents, Read
  Power Users (this folder, subfolders and files): Modify
  SYSTEM: Full control (this folder, subfolders and files)
  TERMINAL SERVER USER (this folder, subfolders and files): Modify
2. Website and virtual host permissions (for sites on drive E:)
Assume all sites live under E:\wwwsite, that each virtual host has its own guest-level user named vhost1 ... vhostN, and that a group WebUser contains all the vhost users for easier management.
E:\
  Administrators: Full control (this folder, subfolders and files)
E:\wwwsite
  Administrators: Full control (this folder, subfolders and files)
  SYSTEM: Full control (this folder, subfolders and files)
  SERVICE: Full control (this folder, subfolders and files)
E:\wwwsite\vhost1
  Administrators: Full control (this folder, subfolders and files)
  SYSTEM: Full control (this folder, subfolders and files)
  vhost1: Full control (this folder, subfolders and files)
3. Data backup disk
Give only one specific user full control of the backup disk. For example, if F: is the backup disk, grant full control on it to a single administrator account and to nobody else.
4. Other permission settings
Find the following files on C: and set their security so that only a specific administrator has full control. The following files should be accessible to Administrators only:
net.exe
net1.exe
cmd.exe
tftp.exe
netstat.exe
regedit.exe
at.exe
attrib.exe
cacls.exe
format.com
Windows File Protection keeps spare copies of these under %SystemRoot%\system32\dllcache; lock those down the same way, or an attacker simply copies a fresh one from there. Also test any service that runs as a non-administrator account and spawns cmd.exe (CGI scripts under IIS, for instance), because it will stop working.
5. Delete the C:\Inetpub directory, remove the IIS script mappings you do not need, create a decoy account and change the account descriptions (typically: rename the real Administrator account, then create an unprivileged, disabled account named Administrator with a plausible description).
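The two ACL patterns from this section, administrator-only system tools and one vhost account per site folder, applied with the .NET FileSystemAccessRule classes. This is an added example, not from the original article. It assumes an Administrator session, the E:\wwwsite layout described above, and local accounts vhost1 to vhost3 that already exist.

```powershell
# Added example, not from the original article: the two ACL patterns from
# this section applied with the .NET FileSystemAccessRule classes (cacls.exe
# would also work; the script is easier to review). Run as Administrator.
# The E:\wwwsite layout and the vhost1..vhost3 local accounts are assumptions
# taken from the article's description; the accounts must already exist.

function New-Rule([string]$Identity, [string]$Rights, [bool]$Inherit) {
    # Directories inherit to subfolders and files; file rules must use 'None'.
    $Flags = if ($Inherit) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $Identity, $Rights, $Flags, 'None', 'Allow'
}

function Set-ExplicitAcl([string]$Path, [object[]]$Rules) {
    # Replace whatever is there (including inherited entries) with exactly $Rules.
    $Acl = Get-Acl -Path $Path
    $Acl.SetAccessRuleProtection($true, $false)          # stop inheriting from the parent
    foreach ($Old in @($Acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$Acl.RemoveAccessRule($Old)
    }
    foreach ($Rule in $Rules) { $Acl.AddAccessRule($Rule) }
    Set-Acl -Path $Path -AclObject $Acl
}

# (a) Administrator-only tools. Windows File Protection keeps spare copies in
#     system32\dllcache, so those are locked down too.
$AdminOnly = @(
    (New-Rule 'BUILTIN\Administrators' 'FullControl' $false),
    (New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $false)
)
$Tools = 'net.exe','net1.exe','cmd.exe','tftp.exe','netstat.exe','at.exe','attrib.exe','cacls.exe','format.com'
$Candidates = @(Join-Path $env:SystemRoot 'regedit.exe')   # regedit lives in %SystemRoot%, not system32
foreach ($Tool in $Tools) {
    $Candidates += Join-Path $env:SystemRoot "system32\$Tool"
    $Candidates += Join-Path $env:SystemRoot "system32\dllcache\$Tool"
}
foreach ($File in $Candidates) {
    if (Test-Path $File) { Set-ExplicitAcl $File $AdminOnly; Write-Host "locked  $File" }
}

# (b) Each vhost account gets full control of its own site folder and nothing
#     else; E:\wwwsite itself keeps its Administrators/SYSTEM/SERVICE entries.
foreach ($N in 1..3) {
    $Site = "E:\wwwsite\vhost$N"
    if (-not (Test-Path $Site)) { New-Item -ItemType Directory -Path $Site | Out-Null }
    Set-ExplicitAcl $Site @(
        (New-Rule 'BUILTIN\Administrators' 'FullControl' $true),
        (New-Rule 'NT AUTHORITY\SYSTEM'    'FullControl' $true),
        (New-Rule "vhost$N"                'FullControl' $true)
    )
    Write-Host "site    $Site"
    (Get-Acl -Path $Site).AccessToString
}
```

Set-ExplicitAcl breaks inheritance on purpose: a permission granted higher up the tree (say, Users on C:\) would otherwise reappear on the file and undo the restriction. Run (Get-Acl path).AccessToString on a file after the script to confirm only the two principals remain.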
Fourth, install a firewall and antivirus software
The Windows 2000/NT servers I have seen often have no antivirus software installed at all, and that really matters. A good antivirus product not only removes the well-known viruses but also catches many Trojans and backdoors, which makes the usual Trojans attackers rely on useless. Do not forget to keep the virus signatures up to date. The author recommends McAfee antivirus plus the BlackICE firewall.
Fifth, SQL Server 2000 and Serv-U FTP security settings
SQL Server:
1. Keep the sysadmin (System Administrators) role to no more than two members.
2. If the database is only used from this machine, use Windows Authentication mode.
3. Do not use the sa account for applications, and give it a very complex password.
4. Delete the following extended stored procedures, using this format:
use master
exec sp_dropextendedproc 'extended stored procedure name'
xp_cmdshell is the easiest way from SQL Server into the operating system: delete it.
Registry access stored procedures: delete them.
xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
xp_regread xp_regwrite xp_regremovemultistring
OLE Automation stored procedures: delete them if nothing needs them.
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop
Note that dropping an extended procedure only removes its registration. As long as the DLL behind it is still on disk (xplog70.dll for xp_cmdshell, odsole70.dll for the sp_OA* procedures, xpstar.dll for the xp_reg* procedures), any sysadmin login can bring it back with sp_addextendedproc. This measure protects against low-privileged logins, not against an attacker who already has sysadmin.
5. Hide the SQL Server instance and change the default port 1433
In the Server Network Utility, select the TCP/IP protocol under enabled protocols, click Properties, check "Hide server" and change the default port 1433. Be aware that on SQL Server 2000 the "Hide server" option also forces the instance to listen on port 2433, so decide on hiding first and then set the port; either way, update the connection strings and the firewall rule to match.
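Steps 1 and 4 above, reporting the sysadmin membership and dropping the listed extended stored procedures, as one script. This is an added example and not part of the original article. It uses the .NET SqlClient that ships with the Framework and assumes a local default instance, Windows authentication, and that the account running it is a sysadmin.

```powershell
# Added example, not from the original article: remove the extended stored
# procedures listed above from a SQL Server 2000 instance and report who is in
# sysadmin, using the .NET SqlClient that ships with the Framework (no
# osql/sqlcmd needed). Assumptions: local default instance ('.'), Windows
# authentication, connecting as a sysadmin. If the port has already been
# moved, use 'Server=.,<port>' in the connection string.

$Conn = New-Object System.Data.SqlClient.SqlConnection 'Server=.;Database=master;Integrated Security=SSPI;'
$Conn.Open()

function Invoke-SqlQuery([string]$Sql) {
    # Returns the first column of every row as an array (possibly empty).
    $Cmd = $Conn.CreateCommand(); $Cmd.CommandText = $Sql
    $Reader = $Cmd.ExecuteReader()
    $Rows = @()
    while ($Reader.Read()) { $Rows += [string]$Reader.GetValue(0) }
    $Reader.Close()
    return ,$Rows
}
function Invoke-SqlNonQuery([string]$Sql) {
    $Cmd = $Conn.CreateCommand(); $Cmd.CommandText = $Sql
    [void]$Cmd.ExecuteNonQuery()
}

# 1. sysadmin membership (the article wants at most two).
$Admins = Invoke-SqlQuery "SELECT name FROM master..syslogins WHERE sysadmin = 1"
Write-Host "sysadmin logins: $($Admins -join ', ')"
if ($Admins.Count -gt 2) { Write-Warning 'More than two sysadmin logins; trim this list.' }

# 2. The extended procedures from the list. Only names that actually exist are
#    dropped; existence is checked by xtype 'X' (extended procedure) in master.
$Dangerous = @(
    'xp_cmdshell',
    'xp_regaddmultistring','xp_regdeletekey','xp_regdeletevalue','xp_regenumvalues',
    'xp_regread','xp_regwrite','xp_regremovemultistring',
    'sp_OACreate','sp_OADestroy','sp_OAGetErrorInfo','sp_OAGetProperty',
    'sp_OAMethod','sp_OASetProperty','sp_OAStop'
)
foreach ($Proc in $Dangerous) {
    $Found = Invoke-SqlQuery "SELECT name FROM master..sysobjects WHERE xtype = 'X' AND name = '$Proc'"
    if ($Found.Count -eq 0) { Write-Host "absent  $Proc"; continue }
    Invoke-SqlNonQuery "EXEC master..sp_dropextendedproc '$Proc'"
    Write-Host "dropped $Proc"
}

# 3. Confirm nothing from the list is left registered.
$Left  = Invoke-SqlQuery "SELECT name FROM master..sysobjects WHERE xtype = 'X'"
$Still = @($Left | Where-Object { $Dangerous -contains $_ })
if ($Still.Count -gt 0) { Write-Warning "still present: $($Still -join ', ')" }
else { Write-Host 'all listed procedures removed' }
$Conn.Close()
```

Re-run step 3 after installing a SQL Server service pack: setup scripts can re-register the procedures.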
General security settings for Serv-U:
Select "Block FTP_bounce attacks and FXP". What is FXP? Normally, when a client transfers a file over FTP in active mode, it first sends the server a PORT command containing its own IP address and the port it will use for the data transfer, and the server then connects to that address to move the data. In most cases that is fine, but a malicious client can put a different address in the PORT command and make the FTP server open a connection to a machine other than the client. Even if the attacker cannot reach that machine directly, the FTP server may be able to, so the attacker uses the FTP server as a relay and still reaches the target. This is FXP, also known as a cross-server or bounce attack, and the option blocks it.
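The check a server makes to defeat the bounce attack described above, shown as a function that validates a PORT command the way the Serv-U option does: the data connection may only go back to the address the control connection came from, and never to a privileged port. This is an added example, not from the original article or from Serv-U; the sample commands and the client address are constructed for illustration.

```powershell
# Added example, not from the original article or from Serv-U: validate an
# FTP PORT command against the address of the control connection. This is the
# server-side check behind "Block FTP_bounce attacks and FXP". Sample inputs
# below are constructed for illustration.

function Test-PortCommand {
    param(
        [string]$PortArgument,   # the "h1,h2,h3,h4,p1,p2" text after PORT
        [string]$ControlPeerIp   # address the control connection came from
    )
    $Parts = $PortArgument -split ','
    if ($Parts.Count -ne 6) { return '501 Syntax error in PORT argument' }
    foreach ($P in $Parts) {
        if ($P -notmatch '^\d{1,3}$' -or [int]$P -gt 255) { return '501 Syntax error in PORT argument' }
    }
    $Ip   = $Parts[0..3] -join '.'
    $Port = [int]$Parts[4] * 256 + [int]$Parts[5]

    # The bounce check: the data address must be the client's own address.
    if ($Ip -ne $ControlPeerIp) { return '500 Illegal PORT command (address does not match control connection)' }
    # Never let a client point the server at a service port (SMTP, HTTP, ...).
    if ($Port -lt 1024)         { return '500 Illegal PORT command (privileged port)' }
    return "200 PORT command successful (${Ip}:${Port})"
}

# Constructed examples; the client's control connection came from 203.0.113.10.
Test-PortCommand '203,0,113,10,19,137' '203.0.113.10'   # legitimate: port 19*256+137 = 5001
Test-PortCommand '192,168,1,20,0,25'    '203.0.113.10'   # bounce: third-party host, port 25
Test-PortCommand '203,0,113,10,0,80'    '203.0.113.10'   # own host, but privileged port 80
Test-PortCommand '203,0,113,10,300,1'   '203.0.113.10'   # malformed octet
```

Legitimate server-to-server (FXP) transfers rely on exactly the behaviour this check rejects, so leave the Serv-U option enabled unless site-to-site transfers are a requirement.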
Sixth, IIS security settings
IIS settings:
Delete the virtual directories of the default site, stop the Default Web Site and delete its directory C:\Inetpub. Configure the settings common to all sites: connection limits, bandwidth throttling, performance settings and so on. Configure the application mappings: remove every application extension you do not need and keep only .asp, .php, .cgi, .pl and .aspx. For PHP and CGI use an ISAPI handler; running them through an EXE costs both security and performance. In the application debugging settings, send a plain text error message to the client instead of detailed ASP errors. For Access databases keep the .mdb extension rather than renaming the file to .asp, and add an .mdb application mapping in IIS that points at an unrelated DLL such as C:\WINNT\system32\inetsrv\ssinc.dll so the database cannot be downloaded. Set the IIS log directory and adjust what is logged. Change the 403 error page to redirect elsewhere, which defeats some scanners. To hide system information (the version banner that a simple telnet to port 80 reveals), edit the IIS banner, either by hand with WinHex or with a tool such as BannerEdit.
For each user's site, the FTP root should contain three folders, wwwroot, database and logfiles, holding the site files, database backups and the site's logs respectively. Set deliberate permissions on the site directories to limit the damage from an intrusion: the folder holding images needs only list and read access, and the folder holding the program needs no write access unless the application generates files (static HTML generators, for example). On a shared virtual host, script-level security cannot be handled in fine detail; the goal is mainly to stop a user escalating from a script to the system:
ASP security settings:
After the permissions and services are set, preventing ASP Trojans (webshells) also needs the following, run from a CMD window:
regsvr32 /u C:\WINNT\System32\wshom.ocx
del C:\WINNT\System32\wshom.ocx
regsvr32 /u C:\WINNT\system32\shell32.dll
This unregisters the WScript.Shell, Shell.Application and WScript.Network components and effectively stops ASP webshells from running commands through WScript or Shell.Application, or from using them to read sensitive system information. The original article then also deletes shell32.dll; do not do that. shell32.dll is the Windows shell library used by Explorer and much of the system, and removing it leaves the server unusable (Windows File Protection would also just restore it). Unregistering is enough to break Shell.Application, although the same DLL registers many other shell classes, so test the server afterwards. Alternatively, remove the Users group's permissions on the files above and restart IIS, though that method is not recommended here.
For such settings, combined with the permission settings above, you will find the Haiyang (海阳顶端) ASP webshell no longer works here!
PHP security settings:
With a default PHP installation, note the following. Give Users read access only on C:\winnt\php.ini, and set in php.ini:
safe_mode = On
register_globals = Off
allow_url_fopen = Off
display_errors = Off
magic_quotes_gpc = On   (On by default, but check it)
open_basedir = <web directory>
disable_functions = passthru,exec,shell_exec,system,phpinfo,get_cfg_var,popen,chmod
com.allow_dcom = true is the default; change it to false (and remove the leading ';' that comments the line out).
Note that safe_mode, register_globals and magic_quotes_gpc were removed in PHP 5.4; on newer PHP versions, open_basedir and disable_functions carry the load.
MySQL security settings:
If MySQL is running on the server, the security settings to watch are these. Delete all the default users in MySQL, keep only the local root account and give root a complex password. Grant ordinary users only UPDATE, DELETE, ALTER, CREATE and DROP (and whatever else they genuinely need), restricted to their own database; in particular, make sure ordinary users have no rights on the mysql database itself. Check the mysql.user table and remove Shutdown_priv, Reload_priv, Process_priv and File_priv from users who do not need them. File_priv in particular lets a user read and write files on the server (LOAD DATA INFILE, SELECT ... INTO OUTFILE) and can leak information that has nothing to do with MySQL. Run MySQL under a dedicated service user that has rights only on the MySQL directory, set permissions on the data directory under the installation directory (it holds the database files), and give that user only Read, List folder contents and Execute on the installation directory.
Serv-u Security Issues:
The installer will use the latest version as far as possible, avoid using the default installation directory, set the permissions of the Serv-u directory, and set up a complex administrator password. Modify the banner information of the SERV-U, set the passive mode port range (4001-4003) make the relevant security settings in the local server settings: including checking anonymous passwords, disabling the scheduling of the go-ahead, intercepting "FTP bounce" attacks and FXP, Intercept 10 minutes for users who have connected more than 3 times in 30 seconds. The settings in the domain are: complex passwords are required, directories only use lowercase letters, and the advanced setting cancels the date that allows the file to be changed using the Mdtm command.
To change the startup user for Serv-u: Create a new user in the system, set a complex password, and not belong to any group. Give the user Full control of the SERVU installation directory. To create an FTP root directory, you need to give this user full control of the directory, because all FTP users upload, delete, change files are inherited from the user's permissions, otherwise unable to manipulate the file. Additionally, you need to give the user Read permission to the parent directory above the directory, or it will appear 530 not logged in, home directory does at the time of the connection. exist. For example, when testing the FTP root directory is d:soft, must give the user D disk Read permission, in order to safely cancel other folders in D disk inherited permissions. The general use of the default system startup does not have these problems, because system generally has these permissions.
