Many readers who search for Windows 2003 material end up on this site but find no organized series of articles on it; we will organize such topics later. Below we share the points to consider, and the procedure, for securing a Windows 2003 server.
Server security generally falls into three areas: system security settings, Web security (the web server and the web applications), and database security (running the database with low privileges).
Part one: server system security
Step one:
I. Close unneeded ports
I am on the careful side, so I close ports first. Only 3389 (remote desktop), 21 (FTP), 80 (Web), 1433 (SQL Server) and 3306 (MySQL) stay open. People keep saying the default 3389 is insecure; I don't deny it, but the only way to abuse it is a slow password brute-force, and if you rename the account and give it a long password (66 characters, say) I reckon they'd be at it for years, ha! Method: Local Area Connection - Properties - Internet Protocol (TCP/IP) - Properties - Advanced - Options - TCP/IP Filtering - Properties - tick the box and add the ports you need. PS: the port settings take effect only after a reboot!
Of course you can also change the remote connection port. The .REG file:
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00002683

Save it as a .REG file and double-click it. This changes the port to 9859 (0x2683); you can of course choose another port: open the registry key above directly, switch the value to decimal and type the port you want. Takes effect after a reboot!
One more point. On a 2003 system using the port filtering of TCP/IP Filtering with an FTP server that has only port 21 open: FTP has an active (PORT) mode and a passive mode, and in passive mode the data transfer needs a high port opened dynamically, so with TCP/IP Filtering you often find that after connecting the directory cannot be listed and data cannot be transferred. The Windows Connection Firewall added in 2003 solves this well, so the NIC's TCP/IP Filtering is not recommended. Those who run FTP downloads take note, and don't go blaming me for writing rubbish... To close unneeded ports, there is a list in \system32\drivers\etc\services that Notepad will open. If you are lazy, the simplest way is to enable Win2003's own network firewall and change the ports; that works too. The Internet Connection Firewall can effectively block illegal intrusion into a Windows 2003 server, stop remote hosts scanning it, and raise its security. It can also block port attacks that exploit operating system vulnerabilities, such as the Blaster worm. Enabling the firewall on a virtual router built with Windows 2003 protects the whole internal network well.
II. Close unneeded services and enable an appropriate audit policy
I have disabled the following services:
Computer Browser - maintains the latest list of computers on the network and supplies that list
Task Scheduler - lets programs run at a specified time
Routing and Remote Access - provides routing services to enterprises in LAN and WAN environments
Removable Storage - manages removable media, drives and libraries
Remote Registry Service - lets the registry be manipulated remotely
Print Spooler - loads files into memory for later printing; do not disable this if you need a printer
IPSEC Policy Agent - manages IP security policies and starts ISAKMP/Oakley (IKE) and the IP security driver
Distributed Link Tracking Client - sends notifications when files move between NTFS volumes in a network domain
COM+ Event System - provides automatic distribution of events to subscribing COM components
Alerter - notifies selected users and computers of administrative alerts
Error Reporting Service - collects, stores and reports application exceptions to Microsoft
Messenger - transmits NET SEND and Alerter service messages between clients and servers
Telnet - lets remote users log on to this computer and run programs
Disable unneeded services: they may not be the ones attackers use, but by the security rules and standards anything superfluous should not be running; that is one hidden danger fewer.
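As an added example (not from the original article), the service list above can be disabled and then verified in one pass. The short service names are the Windows Server 2003 names for the services listed; check any of them with "sc query <name>" before running this on a different build, and edit the keep list for anything this server still needs.

```powershell
# Added example, not part of the original article: disable the services listed above
# and report anything that is still running or set to start automatically.
# Requires an elevated (Administrator) PowerShell session.

$servicesToDisable = @(
    'Browser',        # Computer Browser
    'Schedule',       # Task Scheduler
    'RemoteAccess',   # Routing and Remote Access
    'NtmsSvc',        # Removable Storage
    'RemoteRegistry', # Remote Registry
    'Spooler',        # Print Spooler (keep if the server prints)
    'PolicyAgent',    # IPSEC Policy Agent (keep if IPsec policies are in use)
    'TrkWks',         # Distributed Link Tracking Client
    'EventSystem',    # COM+ Event System
    'Alerter',        # Alerter
    'ERSvc',          # Error Reporting Service
    'Messenger',      # Messenger (NET SEND)
    'TlntSvr'         # Telnet
)

# Services this box still needs: they are reported but not touched.
$keep = @('Spooler')

foreach ($name in $servicesToDisable) {
    if ($keep -contains $name) { Write-Host "skip   $name (in keep list)"; continue }
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "absent $name"; continue }
    # -Force also stops services that depend on this one (e.g. SENS on COM+ Event System)
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $name -Force -ErrorAction SilentlyContinue }
    Set-Service -Name $name -StartupType Disabled
    $after = Get-Service -Name $name
    Write-Host ("{0,-7}{1,-15} status={2}" -f 'done', $name, $after.Status)
}

# Verification: any listed service that is still running or still auto-starts is a finding.
Get-WmiObject Win32_Service |
    Where-Object { $servicesToDisable -contains $_.Name -and
                   ($_.State -eq 'Running' -or $_.StartMode -eq 'Auto') } |
    Select-Object Name, State, StartMode
```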
In Network Connections, remove all unneeded protocols and services, keeping only the basic Internet Protocol (TCP/IP) and, for bandwidth management, the QoS Packet Scheduler. In Advanced TCP/IP Settings, under the NetBIOS setting, disable NetBIOS over TCP/IP. On the Advanced tab, enable the Internet Connection Firewall, which ships with Windows 2003 and is not in the 2000 system; it has few features, but it can screen ports, which basically gives you an IPSec-like function.
Type gpedit.msc in Run and press Enter to open the Group Policy Editor, then go to Computer Configuration - Windows Settings - Security Settings - Audit Policy. When creating audit entries, note that the more items you audit the more events are generated and the harder it becomes to find a serious one; audit too little, and you may miss serious events. You have to choose between the two according to your situation.
The recommended items to audit are:
Audit logon events: success, failure
Audit account logon events: success, failure
Audit system events: success, failure
Audit policy change: success, failure
Audit object access: failure
Audit directory service access: failure
Audit privilege use: failure
III. Disk permission settings
1. System disk permissions
C: partition:
C:\
  Administrators: Full Control (this folder, subfolders and files)
  CREATOR OWNER: Full Control (files only)
  SYSTEM: Full Control (this folder, subfolders and files)
  IIS_WPG: Create Files/Write Data (this folder only)
  IIS_WPG (this folder, subfolders and files):
    Traverse Folder/Execute File
    List Folder/Read Data
    Read Attributes
    Create Folders/Append Data
    Read Permissions
C:\Documents and Settings
  Administrators: Full Control (this folder, subfolders and files)
  Power Users (this folder, subfolders and files):
    Read & Execute
    List Folder Contents
    Read
  SYSTEM: Full Control (this folder, subfolders and files)
C:\Program Files
  Administrators: Full Control (this folder, subfolders and files)
  CREATOR OWNER: Full Control (files only)
  IIS_WPG (this folder, subfolders and files):
    Read & Execute
    List Folder Contents
    Read
  Power Users (this folder, subfolders and files):
    Modify
  SYSTEM: Full Control (this folder, subfolders and files)
  TERMINAL SERVER USER (this folder, subfolders and files):
    Modify
2. Website and virtual host permissions (for sites on the E: drive)
Description: we assume all sites live under E:\wwwsite, that a Guest-level user named vhost1...vhostN was created for each virtual host, and that a WebUser group was created with all vhost users added to it for easy management.
E:\
  Administrators: Full Control (this folder, subfolders and files)
E:\wwwsite
  Administrators: Full Control (this folder, subfolders and files)
  SYSTEM: Full Control (this folder, subfolders and files)
  SERVICE: Full Control (this folder, subfolders and files)
E:\wwwsite\vhost1
  Administrators: Full Control (this folder, subfolders and files)
  SYSTEM: Full Control (this folder, subfolders and files)
  vhost1: Full Control (this folder, subfolders and files)
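The per-virtual-host layout above can be applied and checked with the script below, an added example that is not part of the original article. It assumes the local users vhost1..vhost3 already exist and that the article's "Service" entry means the built-in NT AUTHORITY\SERVICE group; inheritance from E:\ is cut so that each vhost directory carries exactly the ACEs listed.

```powershell
# Added example, not part of the original article: create E:\wwwsite\vhostN and apply
# exactly the listed ACEs (Administrators, SYSTEM and the vhost user: Full Control,
# applying to "this folder, subfolders and files"). Run elevated.

function Set-ExactAcl {
    param(
        [string]$Path,
        [hashtable]$Grants   # identity -> [System.Security.AccessControl.FileSystemRights]
    )
    $acl = Get-Acl -Path $Path
    # Stop inheriting from the parent and do not copy the inherited ACEs (protected, no preserve)
    $acl.SetAccessRuleProtection($true, $false)
    # Drop explicit ACEs already present so the result is exactly $Grants
    foreach ($rule in @($acl.Access | Where-Object { -not $_.IsInherited })) {
        [void]$acl.RemoveAccessRule($rule)
    }
    # ContainerInherit + ObjectInherit == "this folder, subfolders and files"
    $inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
    $prop    = [System.Security.AccessControl.PropagationFlags]::None
    foreach ($identity in $Grants.Keys) {
        $rule = New-Object -TypeName System.Security.AccessControl.FileSystemAccessRule `
                           -ArgumentList $identity, $Grants[$identity], $inherit, $prop, 'Allow'
        $acl.AddAccessRule($rule)
    }
    Set-Acl -Path $Path -AclObject $acl
}

$full = [System.Security.AccessControl.FileSystemRights]::FullControl
$root = 'E:\wwwsite'
$vhostCount = 3   # assumed number of virtual hosts; the article uses vhost1..vhostN

New-Item -ItemType Directory -Path $root -Force | Out-Null
Set-ExactAcl -Path $root -Grants @{
    'BUILTIN\Administrators' = $full
    'NT AUTHORITY\SYSTEM'    = $full
    'NT AUTHORITY\SERVICE'   = $full   # assumption: the article's "Service" entry
}

foreach ($n in 1..$vhostCount) {
    $dir = Join-Path $root "vhost$n"
    New-Item -ItemType Directory -Path $dir -Force | Out-Null
    Set-ExactAcl -Path $dir -Grants @{
        'BUILTIN\Administrators'    = $full
        'NT AUTHORITY\SYSTEM'       = $full
        "$env:COMPUTERNAME\vhost$n" = $full   # only this site's own account
    }
}

# Verification: no vhost directory may carry an ACE for another vhost account or for Users,
# which would let one customer's scripts read another customer's files.
foreach ($n in 1..$vhostCount) {
    $dir = Join-Path $root "vhost$n"
    $ids = (Get-Acl -Path $dir).Access | ForEach-Object { $_.IdentityReference.Value }
    $bad = $ids | Where-Object {
        ($_ -match '\\vhost\d+$' -and $_ -ne "$env:COMPUTERNAME\vhost$n") -or $_ -match '\\Users$'
    }
    if ($bad) { Write-Warning "$dir has unexpected ACEs: $($bad -join ', ')" }
    else      { Write-Host "$dir ok: $($ids -join ', ')" }
}
```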
3. Data backup disk
It is best to give only one specific user full permissions on the data backup disk. For example, if F: is the backup disk, give full permissions on it to a single administrator only.
4. Other permission settings
Find the following files on the C: drive and set their security so that only a specific administrator has full rights.
The following files should be accessible to Administrators only:
net.exe, net1.exe, cmd.exe, tftp.exe, netstat.exe, regedit.exe, at.exe, attrib.exe, cacls.exe, format.com
5. Delete the C:\Inetpub directory, remove unnecessary IIS mappings, create a trap account and change its description.
IV. Install a firewall and antivirus software
I have seen Win2000/NT servers with no antivirus installed at all; this is really important. Good antivirus software not only kills well-known viruses but also many Trojans and backdoor programs, which makes the famous Trojans hackers use worthless. Don't forget to keep the virus database up to date. We recommend McAfee antivirus plus the BlackICE firewall.
V. SQL 2000 and Serv-U FTP security settings
SQL security:
1. Preferably no more than two members of the System Administrators role.
2. If the database is on this machine, configure authentication to use Windows login.
3. Do not use the sa account; give it a very complex password.
4. Delete the following extended stored procedures. The format is:
USE master
EXEC sp_dropextendedproc 'extended_stored_procedure_name'
xp_cmdshell: the best way into the operating system; delete it.
Stored procedures that access the registry; delete them:
xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues, xp_regread, xp_regwrite, xp_regremovemultistring
OLE Automation stored procedures; delete them if not needed:
sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty, sp_OAMethod, sp_OASetProperty, sp_OAStop
5. Hide SQL Server and change the default port 1433
In the General tab of the network configuration, right-click the TCP/IP protocol and open its properties, tick "Hide server" and change the default port 1433.
Several general security settings for Serv-U:
Select "Block FTP_bounce attacks and FXP". What is FXP? Normally, when FTP transfers a file, the client first sends the server a PORT command containing the user's IP address and the port number to use for the data transfer; the server then uses the address in that command to connect back to the user. In most cases this causes no problem, but a malicious client can put some other address in the PORT command and make the FTP server connect to a machine that is not the client. Even if the malicious user has no right to reach that machine directly, if the FTP server can reach it, the malicious user can use the FTP server as an intermediary and still end up with a connection to the target. This is FXP, also called a cross-server attack. Ticking this option prevents it.
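To make the rule behind that checkbox concrete, here is an added example (not Serv-U's code and not from the original article) of the check a bounce-blocking FTP server applies to a PORT command: the address in the command must equal the address the control connection came from, and the data port must not be a privileged one. The sample cases are constructed.

```powershell
# Added example, not part of the original article: the PORT-command check that blocks
# FTP bounce / FXP. A PORT argument is h1,h2,h3,h4,p1,p2 (address, then port = p1*256 + p2).
function Test-FtpPortCommand {
    param(
        [string]$ControlPeerIp,   # address the control connection came from
        [string]$PortArgument     # argument the client sent with PORT
    )
    $parts = $PortArgument -split ','
    if ($parts.Count -ne 6) { return @{ Allowed = $false; Reason = 'malformed PORT argument' } }
    foreach ($p in $parts) {
        # -or short-circuits, so [int] is only applied to all-digit strings
        if ($p -notmatch '^\d{1,3}$' -or [int]$p -gt 255) {
            return @{ Allowed = $false; Reason = "octet out of range: $p" }
        }
    }
    $ip   = $parts[0..3] -join '.'
    $port = [int]$parts[4] * 256 + [int]$parts[5]
    if ($ip -ne $ControlPeerIp) {
        # The data connection would go to a third host: this is the bounce / FXP case
        return @{ Allowed = $false; Reason = "PORT address $ip differs from control peer $ControlPeerIp" }
    }
    if ($port -lt 1024) {
        # Even on the client's own host, refuse to open data connections to well-known ports
        return @{ Allowed = $false; Reason = "privileged data port $port" }
    }
    return @{ Allowed = $true; Reason = "data connection to ${ip}:$port" }
}

# Constructed cases: a normal client, a bounce attempt at another host, a privileged port
$cases = @(
    @{ Peer = '192.0.2.10'; Arg = '192,0,2,10,19,137' },   # 19*256+137 = 5001, same host: allowed
    @{ Peer = '192.0.2.10'; Arg = '198,51,100,7,0,25' },   # different host: blocked
    @{ Peer = '192.0.2.10'; Arg = '192,0,2,10,0,25' }      # same host, port 25: blocked
)
foreach ($c in $cases) {
    $r = Test-FtpPortCommand -ControlPeerIp $c.Peer -PortArgument $c.Arg
    $verdict = if ($r.Allowed) { 'allow' } else { 'block' }
    Write-Host ("{0,-6} PORT {1,-20} {2}" -f $verdict, $c.Arg, $r.Reason)
}
```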
VI. IIS security settings
IIS settings:
Delete the virtual directories of the default site, stop the default web site and delete its directory C:\Inetpub. Configure the common settings for all sites: connection limits, bandwidth settings, performance settings and so on. Configure application mappings: remove all unnecessary application extensions and keep only asp, php, cgi, pl and aspx. For PHP and CGI, ISAPI parsing is recommended; EXE parsing hurts both security and performance. Under application debugging, set "send text error message to client". For databases, try to keep the .mdb extension rather than renaming to .asp; you can add an .mdb extension mapping in IIS that points to an unrelated DLL such as C:\WINNT\system32\inetsrv\ssinc.dll, which prevents the database from being downloaded. Set the IIS log directory and adjust what is logged. Set text error messages. Modify the 403 error page to redirect elsewhere, to foil some scanners. Also hide system information: to stop the system version being revealed by telnetting to port 80, modify the IIS banner, either by hand with WinHex or with a tool such as BannerEdit.
For the directory holding a user's site, the user's FTP root is best laid out as three directories: wwwroot, database and logfiles, holding the site files, database backups and the site's logs respectively. In case of an intrusion, specific permissions on the user's site directory help: give the directory holding images only List Folder permission, and do not give write permission to the directory holding the program unless it has to generate files, as with programs that generate HTML. Because this is a virtual host, script security cannot be tuned in every detail; mostly you can only stop users escalating privileges from their scripts:
Security settings for ASP:
After setting permissions and services, preventing ASP Trojans needs the following further work; run these commands in a CMD window:
regsvr32 /u C:\WINNT\system32\wshom.ocx
del C:\WINNT\system32\wshom.ocx
regsvr32 /u C:\WINNT\system32\shell32.dll
del C:\WINNT\system32\shell32.dll
This unregisters the WScript.Shell, Shell.Application and WScript.Network components, which effectively stops ASP Trojans from executing commands through WScript or Shell.Application and from viewing sensitive system information. Alternatively, remove the Users group's permissions on the files above and restart IIS for it to take effect; this method is not recommended, however.
As for FSO: because user programs need it, the server cannot unregister that component; here we only mention the precaution, which is not usable on a virtual hosting server where space is opened for customers, only on a manually opened site. You can divide the sites into two groups, those that need FSO and those that do not, and withhold permission on the file C:\WINNT\system32\scrrun.dll from the user group of the sites that do not need it. Restart the server for it to take effect.
With these settings combined with the permissions above, you will find the Haiyang Trojan has lost its effect here!
Security settings for PHP:
A default PHP installation needs attention to the following:
C:\WINNT\php.ini should give Users read access only. The following settings are needed in php.ini:
safe_mode = On
register_globals = Off
allow_url_fopen = Off
display_errors = Off
magic_quotes_gpc = On (the default is On, but check it again)
open_basedir = <web directory>
disable_functions = passthru,exec,shell_exec,system,phpinfo,get_cfg_var,popen,chmod
The default setting com.allow_dcom = true should be changed to false (remove the leading ";" from the line before modifying it).
MySQL security settings:
If a MySQL database is enabled on the server, the security settings to attend to are:
Delete all default MySQL users and keep only the local root account, giving root a complex password. Give ordinary users only UPDATE, DELETE, ALTER, CREATE and DROP privileges, restricted to a specific database; in particular, ordinary customers must have no privileges on the mysql database itself. Check the mysql.user table and remove the Shutdown_priv, Reload_priv, Process_priv and File_priv privileges from users who do not need them, as these can leak more server information, including information unrelated to MySQL. You can set up a startup user for MySQL that only has permissions on the MySQL directory. Set permissions on the data directory under the installation directory (this holds the database files). On the MySQL installation directory, give Users read, list folder and execute permissions.
Serv-U security issues:
Use the latest version of the installer where possible, avoid the default installation directory, set permissions on the Serv-U directory, and set a complex administrator password. Modify the Serv-U banner, set the passive mode port range (4001-4003), and make the relevant security settings under the local server settings: check anonymous passwords, disable anti-timeout scheduling, block "FTP bounce" attacks and FXP, and block for 10 minutes any user who connects more than 3 times in 30 seconds. In the domain settings: require complex passwords, use lowercase letters only for directories, and in Advanced, untick allowing the MDTM command to change file dates.
To change the user Serv-U runs as: create a new system user, give it a complex password and make it a member of no group. Give that user full control of the Serv-U installation directory. When creating the FTP root directory, give this user full control of it, because every FTP user's uploads, deletions and changes inherit this user's permissions; otherwise files cannot be manipulated. You also need to give the user Read permission on the parent directory above it, or the connection fails with "530 Not logged in, home directory does not exist". For example, if the FTP root for testing is D:\soft, the user must have Read permission on the D: drive; to be safe, remove the permissions the other folders on D: inherit. Starting under the default SYSTEM account does not have these problems, because SYSTEM generally has these permissions.
VII. Other
1. Hide important files and directories. You can modify the registry for complete concealment: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL; right-click "CheckedValue", choose Modify, and change the value from 1 to 0.
2. Enable the system's own Internet Connection Firewall, and tick Web Server in the Services options.
3. Prevent SYN flood attacks:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named SynAttackProtect with value 2
EnablePMTUDiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300000
PerformRouterDiscovery REG_DWORD 0
EnableICMPRedirect REG_DWORD 0
4. Do not respond to ICMP router advertisement messages:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface>
Create a new DWORD value named PerformRouterDiscovery with value 0
5. Prevent ICMP redirect packet attacks:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set EnableICMPRedirect to 0
6. Do not support the IGMP protocol:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named IGMPLevel with value 0
7. Modify the Terminal Services port:
Run regedit, find [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] and on the right see PortNumber? Change it, in decimal, to the port you want, such as 7126, as long as it does not conflict with anything else.
The second place is HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp; same method, and remember to change the port number to the same value as above.
8. Prohibit IPC null sessions:
A cracker can use the net use command to establish a null session and then intrude, and net view, nbtstat and the like are all based on null sessions, so prohibiting null sessions is a good idea. Open the registry, find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and change RestrictAnonymous to "1".
9. Change the TTL value:
A cracker can roughly guess your operating system from the TTL value in ping replies, for example:
TTL=107 (WinNT);
TTL=108 (Win2000);
TTL=127 or 128 (Win9x);
TTL=240 or 241 (Linux);
TTL=252 (Solaris);
TTL=240 (Irix);
In fact you can change it yourself:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters: DefaultTTL REG_DWORD 0-0xff (0-255 decimal, default 128). Change it to a baffling number, such as 258; at least it will leave the little rookies dizzy for a while, and they may well give up on invading you.
10. Delete default shares:
I have been asked why all drives are shared every time the machine starts, and why after deleting them they are shared again after a reboot. These are the default administrative shares set up by 2K and must be cancelled by modifying the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters: AutoShareServer, type REG_DWORD, change the value to 0.
11. Prohibit establishing null sessions:
By default any user can connect to the server through a null session, then enumerate accounts and guess passwords. We can disable null sessions by modifying the registry:
change the value of RestrictAnonymous under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to "1".
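The registry values from items 3 to 11 above are easy to apply by hand but hard to audit later, so here is an added example (not from the original article) that compares every one of them against the current machine state and, with -Apply, sets the ones that differ. It uses exactly the article's values, with EnableICMPRedirect as the documented spelling of the article's "Enableicmpredirects"; DefaultTTL and the Terminal Services port are left out because those values are a site choice. It also extends item 4 by looping over every adapter key under Interfaces rather than one.

```powershell
# Added example, not part of the original article: report (default) or apply (-Apply)
# the TCP/IP, LSA and LanmanServer registry hardening values from items 3 to 11.
# Run elevated; the Tcpip parameters take effect after a reboot.
param([switch]$Apply)

$tcp = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$desired = @(
    @{ Path = $tcp; Name = 'SynAttackProtect';       Value = 2 },
    @{ Path = $tcp; Name = 'EnablePMTUDiscovery';    Value = 0 },
    @{ Path = $tcp; Name = 'NoNameReleaseOnDemand';  Value = 1 },
    @{ Path = $tcp; Name = 'EnableDeadGWDetect';     Value = 0 },
    @{ Path = $tcp; Name = 'KeepAliveTime';          Value = 300000 },   # milliseconds
    @{ Path = $tcp; Name = 'PerformRouterDiscovery'; Value = 0 },
    @{ Path = $tcp; Name = 'EnableICMPRedirect';     Value = 0 },
    @{ Path = $tcp; Name = 'IGMPLevel';              Value = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';
       Name = 'RestrictAnonymous'; Value = 1 },                           # items 8 and 11
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters';
       Name = 'AutoShareServer';   Value = 0 }                            # item 10
)

# Item 4 applies per interface: one PerformRouterDiscovery entry per adapter GUID key
foreach ($iface in Get-ChildItem -Path "$tcp\Interfaces") {
    $desired += @{ Path = $iface.PSPath; Name = 'PerformRouterDiscovery'; Value = 0 }
}

function Test-RegValue {
    param([string]$Path, [string]$Name, [int]$Value)
    $current = $null
    if (Test-Path -Path $Path) {
        $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
        if ($item) { $current = $item.$Name }
    }
    # $null -eq $Value is false, so an unset value is reported as a difference
    return @{ Path = $Path; Name = $Name; Desired = $Value; Current = $current; Ok = ($current -eq $Value) }
}

$diffs = 0
foreach ($d in $desired) {
    $r = Test-RegValue -Path $d.Path -Name $d.Name -Value $d.Value
    $state = if ($r.Ok) { 'OK  ' } else { 'DIFF'; $diffs++ }
    $shown = if ($r.Current -eq $null) { '<unset>' } else { $r.Current }
    Write-Host ("{0} {1,-22} current={2,-8} desired={3,-7} {4}" -f $state, $r.Name, $shown, $r.Desired, $r.Path)
    if ($Apply -and -not $r.Ok) {
        if (-not (Test-Path -Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        # Creates the value if it does not exist, and forces REG_DWORD as the article specifies
        Set-ItemProperty -Path $d.Path -Name $d.Name -Value $d.Value -Type DWord
    }
}
Write-Host "$diffs value(s) differ from the hardening list" + $(if ($Apply) { ' (now applied; reboot for Tcpip changes)' } else { ' (run with -Apply to set them)' })
```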
12. Disable NetBIOS over TCP/IP
My Network Places - Properties - Local Area Connection - Properties - Internet Protocol (TCP/IP) - Properties - Advanced - WINS tab - NetBIOS setting - Disable NetBIOS over TCP/IP. That way a cracker cannot use the nbtstat command to read your NetBIOS information and the NIC's MAC address.
13. Account security
First disable all accounts except your own, heh. Then rename Administrator. I also created an "Administrator" account with no permissions whatsoever, opened Notepad, hammered the keyboard a bit, and copied the result into its password field; go ahead and crack that password, only to find it is a low-privilege account. Wouldn't that make you collapse?
Create two administrator accounts
Although this may seem to contradict the above, it actually follows the rule just given. Create an account with ordinary permissions to receive mail and handle daily tasks, and another account with Administrators privileges used only when needed. Administrators can use the "RunAs" command to perform the tasks that need privileges, which makes management easier.
14. Change the content of C:\WINDOWS\Help\iisHelp\common\404b.htm so that errors automatically go to the home page.
15. Local Security Policy and Group Policy settings: if you configure the local security policy wrongly, you can restore it to its defaults:
Open the %SystemRoot%\security folder, create an "oldsecurity" subdirectory and move all the .log files under %SystemRoot%\security into it.
Find the "secedit.sdb" security database under %SystemRoot%\security\database\ and rename it, for example to "secedit.old".
Start the Security Configuration and Analysis MMC snap-in: Start - Run - mmc to open the management console, then Add/Remove Snap-in and add the Security Configuration and Analysis snap-in.
Right-click Security Configuration and Analysis - "Open Database", browse to the "C:\WINNT\security\database" folder, enter the file name "secedit.sdb" and click Open.
When prompted for a template, select "setup security.inf" and click Open. If the system says "access to the database denied", ignore it; you will find that a new security database has been regenerated in the "C:\WINNT\security\database" subfolder and the log files regenerated under "C:\WINNT\security", and the security database has been rebuilt successfully.
16. Disable DCOM:
Type dcomcnfg.exe in Run and press Enter. Under Console Root, click Component Services. Open the Computers subfolder. For the local computer, right-click My Computer and select Properties. Select the Default Properties tab. Clear the "Enable Distributed COM on this computer" check box.
Step two:
Although Windows 2003 has ever more features, for inherent reasons it still has many hidden security dangers; if these are not blocked they may bring unnecessary trouble to the whole system. Below the author introduces how to prevent and control some common security risks of Windows 2003, in the hope that it helps you!
Risks from auto-saving
When an application fails under Windows 2003, the system's Dr. Watson automatically saves some important debugging information for later maintenance; but this information is likely to be targeted by hackers, and once it is, all sorts of important debugging information is exposed. To stop Dr. Watson automatically saving debugging information, proceed as follows:
1. Open the Start menu, select Run, type the registry editor command "regedit" in the Run dialog and open a registry editing window;
2. In this window, expand the branch HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\AeDebug; in the right pane of the AeDebug key, double-click the Auto value and set it to "0" in the window that pops up;
3. Open Windows Explorer, expand the Documents and Settings folder, then All Users, Shared Documents and DrWatson in turn, and finally delete the User.dmp and Drwtsn32.log files in the DrWatson folder.
After completing these settings, restart the system and the auto-save risk is closed.
Risks from resource sharing
To make it easy to pass information between LAN users, Windows Server 2003 thoughtfully provides file and printer sharing; but while we enjoy its convenience, the sharing feature also opens many loopholes to hackers and brings a lot of insecurity to the server. So when file or printer sharing is not in use, turn it off at all times to close the sharing risk. The specific steps to turn sharing off are:
1. Run the "Network Connections" command under Control Panel; in the window that appears, right-click the "Local Area Connection" icon;
2. In the shortcut menu, click Properties to open the connection's properties dialog (the one that also lists Internet Protocol (TCP/IP));
3. In this dialog, untick "File and Printer Sharing for Microsoft Networks";
4. The local computer will then no longer provide file and printer sharing to the outside, so hackers naturally have one fewer channel for attacking the system.
Blocking remote access vulnerabilities
Under Windows 2003, when you make a remote network access connection, the system's Remote Desktop feature transmits the user name and password entered for the connection to the client program in ordinary plaintext; sniffer tools placed in the network path automatically start sniffing during this plaintext transmission, and such a plaintext account is very easy to capture. Once a hacker or other attacker gets hold of it, well, watch out for your system being attacked like crazy! To remove this risk, we can reinforce the system as follows:
1. Click the Start button on the desktop to open the Start menu;
2. Run Control Panel, and from the pop-up menu select "System" to open the System Properties window;
3. In that window, click the "Remote" tab;
4. On that tab, untick "Allow users to connect remotely to this computer"; remote access connections are then blocked, closing the remote access vulnerability.
Blocking user switching risks
Windows 2003 provides Fast User Switching, which makes logging in to the system easy; but along with this convenience comes a hidden danger. For example, if we use the "Log Off" command in the Start menu to quickly switch users, rather than the traditional way of logging in, the system may treat the login as a brute-force attack on the computer, and Windows 2003 might lock the currently logged-in account as illegitimate, which is clearly not what we want. We can block the risk created by user switching as follows:
On the Windows 2003 desktop, open Control Panel under the Start menu, find Administrative Tools, run Computer Management from its submenu, locate the User Accounts icon, and in the window that appears click "Change the way users log on or off". In the settings window that opens, untick "Use Fast User Switching".
Blocking page file risks
Even under normal working conditions, Windows 2003 may disclose important confidential information, especially account information, to hackers or other visitors. We might never think of looking at files that could leak private information, but hackers care about them. The Windows 2003 paging file in fact hides a lot of important private information, generated dynamically; if it is not cleaned up in time it may well become a breach for a hacker to intrude through. To deal with this, make Windows 2003 automatically delete the paging file generated during operation when the system shuts down, as follows:
1. On the Windows 2003 Start menu, run the Run command, open the Run dialog and type "regedit" to open the registry window;
2. In the left pane, click the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Session Manager\Memory Management; in the right pane find the ClearPageFileAtShutdown value, double-click it and set the DWORD value to "1" in the window that opens;
3. After completing the setting, exit the registry editor and restart the computer for the setting to take effect.
Additional notes from this site:
If you are using PHP 5.2.17, you can download the automatically configured PHP 5.2.17 installation package for your version from s.jb51.net. The installer version saves a lot of worry; many parameters are already set.
Part three: running the database with lowered privileges, including SQL Server and MySQL
How to run an MS SQL Server database as an ordinary (standalone) user, finalized
Note that the drive SQL Server is on needs to give SQL Server List Folder permission; do not give read and write. The installation directory needs full permissions. If it will not run, it is a permission problem; refer to the locations above.
Running MySQL with lowered privileges, started under the Guests account
Of course the Guests group can also be left out; the MySQL security directory needs read and write permissions. If it does not run, it is a permission problem or the user name or password is wrong.
There are of course many more places that need attention; you can search for them with "keyword site:jb51.net".