Win2003 IIS virtual hosting: web-site trojan (webshell) defence, permission settings and security configuration (Win Server)

Source: Internet
Author: User
Tags: net command, net send, server port

First, system installation
1. Install following the prompts of the Windows 2003 installation CD-ROM. By default 2003 does not install IIS 6.0.
2. Install IIS 6.0
The following are the referenced contents:
Start Menu -> Control Panel -> Add or Remove Programs -> Add/Remove Windows Components -> Application Server
Application Server --- ASP.NET (optional)
|-- Enable network COM+ access (required)
|-- Internet Information Services (IIS) --- Internet Information Services Manager (required)
|-- Common Files (required)
|-- World Wide Web Service --- Active Server Pages (required)
|-- Internet Data Connector (optional)
|-- WebDAV Publishing (optional)
|-- World Wide Web Service (required)
|-- Server Side Includes (optional)
Then click OK -> Next to install. Every optional item is an extra ISAPI extension reachable from the network; leave WebDAV Publishing, Internet Data Connector and Server Side Includes unchecked unless an application needs them.
3. System patch update: click Start menu -> All Programs -> Windows Update and follow the prompts to install the patches.
4. Back up the system: use Ghost to back up the system.
5. Install commonly used software, such as anti-virus software and a decompression tool. After installation, configure the anti-virus software and scan the system for vulnerabilities, then back up the system again with Ghost.
6. First close unneeded ports, enable the firewall and import an IPSec policy
In "Network Connections", remove all unneeded protocols and services and keep only the basic Internet Protocol (TCP/IP); install the QoS Packet Scheduler only if you need bandwidth control. Under Advanced TCP/IP Settings -> WINS, select "Disable NetBIOS over TCP/IP". On the Advanced tab of the connection, enable the built-in firewall (Internet Connection Firewall, renamed Windows Firewall from SP1 on; Windows 2000 has no such component). Its features are limited, but it filters inbound ports, which covers most of what an IPSec port-filter policy is used for here. Keep TCP 80 (and 443 if used) open for the web site and the remote-desktop port for administration, and check what is still listening with netstat -ano before and after.
Modify the 3389 remote connection port
Modify the registry
Start -> Run -> regedit
Expand in turn HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\
Terminal Server\Wds\rdpwd\Tds\tcp
and change PortNumber in the right pane to the port number you want to use. Note: select decimal (example: 10000).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\
and change PortNumber here to the same port number, again in decimal (example: 10000). The two values must agree.
Note: do not forget to open port 10000 in the Windows 2003 firewall, otherwise the next remote-desktop session will not get in.
After the modification, restart the server for the setting to take effect, then connect with mstsc /v:server:10000. Moving the port hides RDP from casual scans only; a full port scan still finds it, so the password and lockout policy below matter more than the port number.
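The same change done from a script, as an added example that is not part of the original article: both PortNumber values are written, checked against each other, and the new port is opened in the built-in firewall before the reboot. It assumes PowerShell 2.0 is installed on the 2003 host, that the script runs as an administrator, and that 10000 is the chosen port; the registry paths are the two listed above.

```powershell
# Added example: move the RDP listener off TCP 3389 on Windows Server 2003.
# Assumes PowerShell 2.0 on the host, run as an administrator. $NewPort is an assumption.
$NewPort = 10000

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

# PortNumber is a REG_DWORD; regedit shows the default as hex d3d (3389),
# which is why the article insists on switching the editor to decimal.
foreach ($k in $keys) {
    Set-ItemProperty -Path $k -Name PortNumber -Value $NewPort -Type DWord
}

# Both values must agree: one is the listener, the other the session configuration.
$values = foreach ($k in $keys) { (Get-ItemProperty -Path $k -Name PortNumber).PortNumber }
if (@($values | Sort-Object -Unique).Count -ne 1) {
    throw "PortNumber values disagree: $values"
}

# Windows Firewall on 2003 is driven by 'netsh firewall' (advfirewall arrived with
# Vista/2008). Open the new port now, before the reboot that makes it live, and
# turn off the built-in Remote Desktop exception that still opens 3389.
netsh firewall add portopening "protocol=TCP" "port=$NewPort" "name=RDP-$NewPort" "mode=ENABLE"
netsh firewall set service "type=REMOTEDESKTOP" "mode=DISABLE"

Write-Host "After reboot connect with: mstsc /v:<server>:$NewPort"
```

Run it from an existing RDP session only after confirming you have console access as a fallback: if the firewall line fails, the reboot leaves the server reachable on neither port.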
Second, user security settings
1. Disable the Guest account
Disable the Guest account under Computer Management -> Users. For safety, also give Guest a complex password: open Notepad, type a long string containing special characters, numbers and letters, and paste it in as the Guest user's password.
2. Restrict unnecessary users
Remove all duplicate users, test users, shared users and so on. Set the appropriate permissions through group policy, check the system's users frequently, and delete users that are no longer in use. Many of these accounts are the foothold an attacker uses to break into a system.
3. Rename the system administrator account
As everyone knows, the Windows 2003 Administrator account cannot be disabled, which means others can try this user's password over and over again. Disguise it as an ordinary-looking user name, such as GUESYCLUDX. The account keeps its well-known SID (RID 500), so a tool that enumerates accounts by SID still finds it under the new name; the rename raises the cost of guessing, nothing more.
4. Create a trap user
What is a trap user? Create a local user named "Administrator", give it the minimum rights (a member of Guests only, with no other permissions), and set a very complex password of more than 10 characters. This keeps an attacker busy for a while, and their attempts show up in the failed-logon audit entries for that account.
5. Change the permissions of shared files from the Everyone group to authorized users
Do not grant shared files to the Everyone group. This includes printer shares, whose default permission is also "Everyone"; do not forget to change it.
6. Enable the account lockout policy
Under Account Policies -> Account Lockout Policy, set "Reset account lockout counter after" to 20 minutes, "Account lockout duration" to 20 minutes and "Account lockout threshold" to 3 invalid attempts. (This entry is optional: a threshold this low lets anyone who knows a user name lock that user out, so many sites choose 5 to 10 attempts instead.)
7. Do not allow the system to display the last logged-on user name
By default, the name of the last logged-on user is shown in the logon dialog box. That makes it easy for others to learn user names and then guess passwords. Change the registry so the last user name is no longer shown: open Registry Editor, go to HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon and set the REG_SZ value DontDisplayLastUserName to 1.
8. Password security settings
A. Use secure passwords
Some administrators create accounts named after the company or the computer and then set a trivial password such as "welcome". Pay attention to password complexity, and remember to change passwords regularly.
B. Set a screen-saver password
A simple and necessary step. A screen-saver password is also a barrier against internal staff tampering with the server console.
C. Enable the password policy
Apply the password policy: enable "Password must meet complexity requirements", set the minimum password length to 6 characters (8 or more is the usual recommendation today), enforce a password history of 5 and a maximum password age of 42 days.
D. Consider using smart cards instead of passwords
Passwords always put the administrator in a dilemma: simple passwords are easy to attack, complex passwords are easy to forget. If conditions permit, smart cards instead of complex passwords are a good solution.
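The account steps of this section (Guest, lockout and password policy, last-user-name, decoy account) as one script, added here as an example and not part of the original article. It assumes PowerShell 2.0 on a stand-alone 2003 host, an administrative session, and that step 3 has already been done, i.e. the real built-in Administrator (which always has RID 500) has been renamed; the script refuses to create the decoy while the name still belongs to the real account.

```powershell
# Added example: account hardening from section 2 on a stand-alone Windows Server 2003
# host. Assumes PowerShell 2.0, run as an administrator, and that the built-in
# Administrator (always RID 500) has already been renamed as in step 3.

function New-RandomPassword([int]$Length = 14) {
    # CSPRNG bytes mapped onto a printable set without quotes, spaces or slashes,
    # so the value survives the net.exe command line. 14 characters avoids the
    # "longer than 14 characters" confirmation prompt of net user.
    $chars = [char[]]'abcdefghijkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#%^&*()-_=+[]{}:;,.?'
    $rng   = New-Object System.Security.Cryptography.RNGCryptoServiceProvider
    $bytes = New-Object byte[] $Length
    $rng.GetBytes($bytes)
    -join ($bytes | ForEach-Object { $chars[$_ % $chars.Length] })
}

function Get-LocalAccountRid([string]$Name) {
    # Resolve a local account name to its SID; the last component is the RID.
    # Returns $null when no such local account exists.
    try {
        $acct = New-Object System.Security.Principal.NTAccount($env:COMPUTERNAME, $Name)
        $sid  = $acct.Translate([System.Security.Principal.SecurityIdentifier])
        [int]$sid.Value.Split('-')[-1]
    } catch {
        $null
    }
}

# Step 1. Guest: disabled, and given a random password anyway.
net user Guest (New-RandomPassword) /active:no | Out-Null

# Steps 6 and 8C. Lockout and password policy with the article's numbers. A threshold
# of 3 lets anyone who knows a user name lock it out; 5-10 is a common compromise.
net accounts /lockoutthreshold:3 /lockoutduration:20 /lockoutwindow:20 /minpwlen:6 /maxpwage:42 /uniquepw:5 | Out-Null

# Step 7. Hide the last logged-on user name (REG_SZ "1" under Winlogon on 2003).
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' `
                 -Name DontDisplayLastUserName -Value '1' -Type String

# Step 4. Decoy "Administrator" in Guests only. Refuse while the name still
# belongs to the real built-in account.
$rid = Get-LocalAccountRid 'Administrator'
if ($rid -eq 500) {
    Write-Warning 'Administrator is still the built-in account (RID 500); rename it first (step 3).'
} elseif ($null -eq $rid) {
    net user Administrator (New-RandomPassword) /add /passwordchg:no /expires:never | Out-Null
    net localgroup Users  Administrator /delete | Out-Null
    net localgroup Guests Administrator /add    | Out-Null
    # Guesses against the decoy appear as event 529 (bad user name or password)
    # in the Security log once "Audit logon events: Failure" from section 3.2 is on.
} else {
    Write-Output "Decoy Administrator already exists (RID $rid)."
}
```

The passwords are generated and thrown away on purpose: nobody should ever log on as Guest or as the decoy, and a password that exists only in memory for the duration of the script cannot be recovered from a file later.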
Third, system permission settings
1. Disk permissions
System disk and all other disks: grant Full Control only to the Administrators group and SYSTEM.
System disk \Documents and Settings: grant Full Control only to Administrators and SYSTEM.
System disk \Documents and Settings\All Users: grant Full Control only to Administrators and SYSTEM.
System disk \WINDOWS\system32\cacls.exe, cmd.exe, net.exe, net1.exe, ftp.exe, tftp.exe, telnet.exe, netstat.exe, regedit.exe, at.exe, attrib.exe, format.com: grant Full Control only to Administrators and SYSTEM (del is a cmd.exe built-in, not a file, so it is covered by the cmd.exe entry). The point of these ACLs is that a web shell running as the IIS anonymous account, a member of Guests, cannot start cmd.exe or net.exe even after it gains script execution.
Move <systemroot>\system32\cmd.exe, format.com and ftp.exe to another directory or rename them. Windows File Protection may put a protected binary back from the dllcache after it is moved or renamed, so check after a reboot and rely on the ACL change rather than the move.
Some directories under Documents and Settings are set to Administrators only. Check every directory individually, including all subdirectories below it (apply the ACL to "this folder, subfolders and files").
Delete the C:\Inetpub directory once the web root has been moved to the dedicated data disk (section 5A below); keep a copy of Inetpub\AdminScripts if you administer the metabase with adsutil.vbs.
2. Local security policy settings
Start Menu -> Administrative Tools -> Local Security Policy
A. Local Policies -> Audit Policy
Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
Auditing only helps if the Security log is large enough to keep a few days of events and someone reads it; raise its maximum size in Event Viewer -> Security -> Properties so it is not overwritten within a day.
B. Local Policies -> User Rights Assignment
Shut down the system: Administrators group only; remove all others.
Allow log on through Terminal Services: Administrators and Remote Desktop Users groups only; remove all others.
C. Local Policies -> Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication: Enabled
Network access: Shares that can be accessed anonymously: delete all entries
Network access: Named Pipes that can be accessed anonymously: delete all entries
Network access: Remotely accessible registry paths: delete all entries
Network access: Remotely accessible registry paths and sub-paths: delete all entries
Accounts: Rename guest account: choose a new name
Accounts: Rename administrator account: choose a new name
3. Disable unnecessary services: Start -> Run -> services.msc
TCP/IP NetBIOS Helper: provides NetBIOS over TCP/IP and NetBIOS name resolution for network clients, used for file and print sharing and network logon. Disable.
Server: lets this computer share files, printers and named pipes over the network. Disable if the server shares nothing (this also removes the C$, ADMIN$ and IPC$ shares).
Computer Browser: maintains and serves the list of computers on the network. Disable.
Task Scheduler: lets programs run at a scheduled time. Disable (at.exe, restricted in section 3.1, depends on it).
Messenger: transports NET SEND and Alerter service messages between clients and servers. Disable.
Distributed File System: manages shared files on a LAN. Disable if not needed.
Distributed Link Tracking Client: updates link information across the LAN. Disable if not needed.
Error Reporting Service: sends error reports. Disable.
Microsoft Search: provides fast word search. Disable if not needed.
NTLM Security Support Provider: used by the Telnet service and Microsoft Search. Disable if those are not in use.
Print Spooler: disable if there is no printer.
Remote Registry: disable so the registry cannot be modified remotely.
Remote Desktop Help Session Manager: Remote Assistance. Disable.
Workstation: once it is stopped, remote NET commands can no longer list this computer's users and groups; note that the server then cannot act as an SMB client either.
The above are services that start by default on Windows Server 2003 and should be disabled; services that are disabled by default stay disabled unless specifically needed.
4. Modify the registry to make the system stronger
A. Hide important files/directories completely by modifying the registry
HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL: right-click CheckedValue, choose Modify, and change the value from 1 to 0. This only disables the "Show hidden files and folders" option in Explorer; dir /a and any attacker tool still see the files, so treat it as cosmetic rather than as a control.
B. Prevent SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value named SynAttackProtect, value 2
New DWORD value EnablePMTUDiscovery, value 0 (this forces a 576-byte MTU for every destination off the local subnet and costs throughput; leave it at the default if the server is not under attack)
New DWORD value NoNameReleaseOnDemand, value 1
New DWORD value EnableDeadGWDetect, value 0
New DWORD value KeepAliveTime, value 300000 (milliseconds, i.e. 5 minutes; the default is 7,200,000)
New DWORD value PerformRouterDiscovery, value 0
New DWORD value EnableICMPRedirect, value 0 (the documented value name has no trailing "s")
To stop answering ICMP router advertisements on a particular interface, PerformRouterDiscovery also goes under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID>, as a new DWORD value with value 0.
C. Prevent attacks based on ICMP redirect messages
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the EnableICMPRedirect value to 0
D. Do not support the IGMP protocol
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named IGMPLevel with value 0
E. Disable IPC$ null sessions
A cracker can set up a null session with net use \\server\ipc$ "" /u:"" and then go on from there; net view, nbtstat and similar enumeration rely on the null session, so disabling it is worthwhile.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa: change RestrictAnonymous to "1". (On Windows 2003 this value only takes 0 or 1; the Windows 2000 value 2 is no longer honoured and has been replaced by the "Network access" security options in section 2C and by RestrictAnonymousSAM.)
F. Change the TTL value
A cracker can roughly guess your operating system from the TTL in ping replies. A reply carries the sender's initial TTL minus the number of hops, and the initial values are 128 for every Windows version, 64 for Linux and 255 for Solaris, so observed values such as these point at a system family:
ttl=107 (WinNT);
ttl=108 (Win2000);
ttl=127 or 128 (Win9x);
ttl=240 or 241 (Linux);
ttl=252 (Solaris);
ttl=240 (Irix);
(The Linux line is doubtful: 240 fits a stack that starts at 255 better than one that starts at 64.)
You can change it yourself: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL, REG_DWORD, valid range 1-0xff (1-255 decimal, default 128). Set it to a number that does not fit the table, such as 64 (the 258 suggested in the original text is outside the valid range). This only confuses a casual scanner; nmap-style fingerprinting uses many other TCP/IP quirks and is not fooled, so do not count on it to turn anyone away.
G. Delete default shares
All drives are shared as C$, D$ and so on every time the machine starts, and they come back after a reboot even when deleted, because Windows 2000/2003 creates them for administration each time the Server service starts. Set HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer, type REG_DWORD, to 0 so the drive and ADMIN$ shares are no longer recreated. IPC$ is not controlled by this value: it returns whenever the Server service starts and is needed by every SMB connection, so the null-session restriction in E is what actually protects it.
H. Prohibit the establishment of null connections
By default anyone can connect to the server over a null session, enumerate the account names and guess passwords. The fix is the same RestrictAnonymous=1 setting as in E above (the original repeats it here); no separate change is needed.
I. Create a text file with the following lines, save it as a .bat file and add it to a startup entry. The Startup program group only runs at interactive logon, so a startup script under Local Group Policy (gpedit.msc -> Computer Configuration -> Windows Settings -> Scripts) is the more reliable place.
The following are the referenced contents:
net share C$ /delete
net share D$ /delete
net share E$ /delete
net share F$ /delete
net share IPC$ /delete
net share ADMIN$ /delete
With AutoShareServer=0 the drive and ADMIN$ lines are only a safety net; the IPC$ line is the one that matters, and it holds only until the Server service next restarts.
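A read-only audit of the registry values, services and shares from sections 3.3 and 3.4, added here as an example and not part of the original article. It assumes PowerShell 2.0 on the 2003 host; the service short names (Messenger, RemoteRegistry, Browser, Schedule, Spooler, RDSessMgr, ERSvc, LmHosts, TlntSvr) and the documented value name EnableICMPRedirect are the ones used here. Run it before and after hardening and compare the two outputs.

```powershell
# Added example: audit the section 3.3 / 3.4 settings on a Windows Server 2003 host.
# Assumes PowerShell 2.0. Read-only: nothing is changed.

$Tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$RegChecks = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                      Name = 'RestrictAnonymous';       Expect = 1 },
    @{ Path = $Tcpip;                                                             Name = 'SynAttackProtect';        Expect = 2 },
    @{ Path = $Tcpip;                                                             Name = 'NoNameReleaseOnDemand';   Expect = 1 },
    @{ Path = $Tcpip;                                                             Name = 'EnableDeadGWDetect';      Expect = 0 },
    @{ Path = $Tcpip;                                                             Name = 'PerformRouterDiscovery';  Expect = 0 },
    @{ Path = $Tcpip;                                                             Name = 'EnableICMPRedirect';      Expect = 0 },
    @{ Path = $Tcpip;                                                             Name = 'IGMPLevel';               Expect = 0 },
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer';         Expect = 0 },
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon';    Name = 'DontDisplayLastUserName'; Expect = '1' }
)

function Test-RegValue($Path, $Name, $Expect) {
    # MISSING means the default applies (for most of these values that is the weak setting).
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'MISSING' }
    if ("$($item.$Name)" -eq "$Expect") { 'PASS' } else { "FAIL (is $($item.$Name))" }
}

Write-Output '== Registry =='
foreach ($c in $RegChecks) {
    Write-Output ('{0,-16} {1}\{2} expected {3}' -f (Test-RegValue $c.Path $c.Name $c.Expect), $c.Path, $c.Name, $c.Expect)
}
# DefaultTTL: anything in 1-255 other than the stock 128 counts as changed.
$ttl = (Get-ItemProperty -Path $Tcpip -Name DefaultTTL -ErrorAction SilentlyContinue).DefaultTTL
$ttlState = if ($null -eq $ttl) { 'MISSING (128)' }
            elseif ($ttl -ge 1 -and $ttl -le 255 -and $ttl -ne 128) { 'PASS' }
            else { "FAIL (is $ttl)" }
Write-Output ('{0,-16} {1}\DefaultTTL' -f $ttlState, $Tcpip)

Write-Output '== Services that should be stopped and disabled =='
$ShouldBeOff = 'LmHosts','Browser','Schedule','Messenger','ERSvc','Spooler','RemoteRegistry','RDSessMgr','TlntSvr'
foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $ShouldBeOff -contains $_.Name }) {
    $state = if ($svc.State -eq 'Stopped' -and $svc.StartMode -eq 'Disabled') { 'PASS' }
             else { "FAIL ($($svc.State), $($svc.StartMode))" }
    Write-Output ('{0,-16} {1} ({2})' -f $state, $svc.Name, $svc.DisplayName)
}

Write-Output '== Administrative shares still present =='
Get-WmiObject Win32_Share | Where-Object { $_.Name -like '*$' } |
    ForEach-Object { Write-Output ('SHARE            {0} -> {1}' -f $_.Name, $_.Path) }
```

IPC$ is expected in the last section even after hardening, for the reason given under G; any C$ or ADMIN$ there means AutoShareServer has not taken effect yet (the Server service has to restart).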
5. IIS site settings
A. Separate the IIS directories and data from the system disk and keep them on a dedicated disk or partition.
B. Parent paths: leave "Enable parent paths" off (the IIS 6 default) unless an application needs ".." in its includes; with it on, a script can reach directories above the web root.
C. In IIS Manager, delete every application-extension mapping that is not needed (keep only the necessary ones such as .asp). Each remaining mapping is an ISAPI handler reachable from the network.
D. In IIS, redirect the HTTP 404 "object not found" error page to a custom .htm file by URL.
E. Web site permission settings (recommended)
Read: allowed
Write: not allowed
Script source access: not allowed
Directory browsing: recommended off
Log visits: keep on (the daily review in F depends on these logs)
Index this resource: recommended off
Execute permissions: recommended "Scripts only"
F. Use the W3C Extended log file format, rolled over daily, and log the client IP address, user name, server port, method, URI stem, HTTP status and user agent; review the log every day. (Do not use the default log directory; set a different log path and restrict its permissions so that only Administrators and SYSTEM have Full Control.)
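What a daily review of those logs can look like, as an added example that is not part of the original article: a parser for the W3C Extended format (it reads the #Fields directive rather than assuming column positions) and three checks that match the concerns of this page, i.e. requests for include and backup files, path traversal and a client collecting 404s. The log lines in $Sample are constructed for the example; the field list is the one recommended in F. It assumes PowerShell 2.0 on the host.

```powershell
# Added example: review pass over an IIS 6 W3C Extended log. $Sample is constructed
# data; for a real day replace it with Get-Content of the ex*.log file.

$Sample = @'
#Software: Microsoft Internet Information Services 6.0
#Version: 1.0
#Date: 2009-03-01 00:00:00
#Fields: date time c-ip cs-username s-port cs-method cs-uri-stem sc-status cs(User-Agent)
2009-03-01 00:01:10 198.51.100.7 - 80 GET /default.asp 200 Mozilla/4.0+(compatible)
2009-03-01 00:01:11 198.51.100.7 - 80 GET /inc/conn.inc 200 Mozilla/4.0+(compatible)
2009-03-01 00:01:12 198.51.100.7 - 80 GET /admin/login.asp.bak 404 Mozilla/4.0+(compatible)
2009-03-01 00:02:00 203.0.113.9 - 80 GET /scripts/..%255c../winnt/system32/cmd.exe 404 scanner/1.0
2009-03-01 00:02:01 203.0.113.9 - 80 GET /scripts/a1.asp 404 scanner/1.0
2009-03-01 00:02:02 203.0.113.9 - 80 GET /scripts/a2.asp 404 scanner/1.0
2009-03-01 00:02:03 203.0.113.9 - 80 GET /scripts/a3.asp 404 scanner/1.0
2009-03-01 00:03:00 192.0.2.44 - 80 POST /upload.asp 200 Mozilla/4.0+(compatible)
'@

function Import-W3CLog([string[]]$Lines) {
    # The #Fields directive names the columns; IIS writes a new one after every
    # restart or field change, so it is re-read whenever it appears.
    $fields = $null
    foreach ($line in $Lines) {
        if ($line -like '#Fields:*') { $fields = ($line.Substring(8).Trim() -split ' '); continue }
        if ($line.Length -eq 0 -or $line.StartsWith('#') -or $null -eq $fields) { continue }
        $cols = $line -split ' '
        $rec  = @{}
        for ($i = 0; $i -lt $fields.Count -and $i -lt $cols.Count; $i++) { $rec[$fields[$i]] = $cols[$i] }
        New-Object PSObject -Property $rec
    }
}

function Find-SuspiciousRequests($Records, [int]$NotFoundThreshold = 3) {
    $findings = @()
    foreach ($r in $Records) {
        $uri = $r.'cs-uri-stem'
        # Source-disclosure probes (section G.3 and G.4): include files and editor backups.
        if ($uri -match '\.(inc|bak|old|orig)$') {
            $findings += "SOURCE-LEAK  $($r.'c-ip') $uri -> $($r.'sc-status')"
        }
        # Traversal attempts, raw or encoded.
        if ($uri -match '\.\.|%2e%2e|%255c|%c0%af') {
            $findings += "TRAVERSAL    $($r.'c-ip') $uri -> $($r.'sc-status')"
        }
    }
    # A client collecting 404s is walking the tree looking for forgotten files.
    $missing = $Records | Where-Object { $_.'sc-status' -eq '404' } | Group-Object -Property 'c-ip'
    foreach ($g in $missing) {
        if ($g.Count -ge $NotFoundThreshold) { $findings += "SCAN         $($g.Name) $($g.Count) x 404" }
    }
    $findings
}

$records = @(Import-W3CLog ($Sample -split "`r?`n"))
Find-SuspiciousRequests $records
```

On the sample this reports the served conn.inc (a 200, which is the one that matters), the backup-file probe, the encoded traversal and the 203.0.113.9 scan. A 200 against a .inc or .bak file means the source has already left the server; the fix is in section G below, not in the log.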

G. Security of the programs themselves
1) Programs that handle user names and passwords should keep them on the server side and put as little as possible in ASP files; the account used for the database connection should be given the minimum privileges it needs.
2) ASP pages that need to be protected can record the file name of the previous page in the Session and allow entry only from that page. 3) Prevent the leakage of ASP .inc include files: either keep the .inc extension out of the static MIME map so IIS 6 refuses it, map .inc to asp.dll, or name includes .asp.
4) Prevent the leakage of editor backup files such as some.asp.bak produced by UltraEdit and other editors; remove them from the web root, because IIS serves them as plain text.
6. The idea behind IIS permission settings
1) Create a separate system user for each unit to be protected (a web site or a virtual directory), so that the site has a unique identity against which permissions can be set.
2) Enter the user name just created in IIS: "Site properties or virtual directory properties -> Directory Security -> Anonymous access and authentication control -> Edit -> Anonymous access -> Edit".
3) Deny this user access to all partitions, and allow it access only to the folder that is the site's home directory (remove the permissions inherited from the parent, then add the Administrators group, the SYSTEM group and this user). With section 3.1 applied, the drive roots grant nothing to Users or Everyone, so it is enough to leave the new user out of the Users group and grant it only the site folder; explicit Deny entries on every partition are not required.
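The three steps as one script, added here as an example and not part of the original article: it creates the site account, breaks ACL inheritance on the home directory and grants exactly three principals, then points the IIS 6 metabase at the account through the ADSI provider that ships with IIS 6. It assumes PowerShell 2.0 on the IIS 6 host and an administrative session; the site id 1, the path D:\wwwroot\site1 and the user name IUSR_site1 are assumptions to adjust.

```powershell
# Added example: one web site, one identity (section 6 of the article).
# Assumes PowerShell 2.0 on the IIS 6 host, run as an administrator.
# $SiteId, $SiteRoot and $User are assumptions; change them per site.

$SiteId   = 1
$SiteRoot = 'D:\wwwroot\site1'
$User     = 'IUSR_site1'
# Throw-away password: nobody logs on as this account, IIS uses it internally.
# Get-Random is not a CSPRNG; acceptable here, use RNGCryptoServiceProvider for anything else.
$Alphabet = [char[]]'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#%^*()-_=+'
$Password = -join (Get-Random -InputObject $Alphabet -Count 14)

# 1. Dedicated local account, member of Guests only (same model as the built-in
#    IUSR_<machine>, but one per site).
net user $User $Password /add /passwordchg:no /expires:never | Out-Null
net localgroup Users  $User /delete | Out-Null
net localgroup Guests $User /add    | Out-Null

# 2. NTFS on the home directory: stop inheriting from the drive, drop every existing
#    explicit entry, then grant exactly three principals. The site account gets
#    read/execute only; if the site accepts uploads, give that one folder Write and
#    no Execute permission.
$acl = Get-Acl -Path $SiteRoot
$acl.SetAccessRuleProtection($true, $false)
foreach ($old in @($acl.Access | Where-Object { -not $_.IsInherited })) { [void]$acl.RemoveAccessRule($old) }
$inherit = [System.Security.AccessControl.InheritanceFlags]'ContainerInherit, ObjectInherit'
$none    = [System.Security.AccessControl.PropagationFlags]::None
$grants  = @(
    @{ Id = 'BUILTIN\Administrators';  Rights = 'FullControl' },
    @{ Id = 'NT AUTHORITY\SYSTEM';     Rights = 'FullControl' },
    @{ Id = "$env:COMPUTERNAME\$User"; Rights = 'ReadAndExecute' }
)
foreach ($g in $grants) {
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule($g.Id, $g.Rights, $inherit, $none, 'Allow')
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $SiteRoot -AclObject $acl

# 3. IIS 6 metabase through the ADSI provider: anonymous requests to this site now run as $User.
$site = [ADSI]"IIS://localhost/W3SVC/$SiteId/Root"
$site.Put('AnonymousUserName', $User)
$site.Put('AnonymousUserPass', $Password)
$site.SetInfo()

# The account has no rights anywhere else (it is not in Users), so a web shell running
# as it cannot read other sites' files or start the binaries locked down in section 3.1.
```

After running it, request a page from the site and check with Process Explorer or the Security log (logon events for IUSR_site1) that the worker process really impersonates the new account; a wrong password in the metabase shows up as HTTP 401 for every anonymous request.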
7. Uninstall the most unsafe components
The simplest way is to unregister the components and then delete the corresponding program files. Save the following as a .bat file (the Windows 2000 system folder is C:\WINNT; on 2003 it is C:\WINDOWS, as used here):
The following are the referenced contents:
regsvr32 /u C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\System32\wshom.ocx
regsvr32 /u C:\WINDOWS\System32\shell32.dll
rem do not delete shell32.dll: Explorer and most of the shell depend on it, and Windows File Protection would restore it anyway
Run it, and WScript.Shell, Shell.Application and WScript.Network are unloaded. If the del line reports that the file cannot be deleted, ignore it (Windows File Protection may also put wshom.ocx back; check after a reboot). After the server restarts, an ASP component-check page will report all three components as unavailable. Unregistering shell32.dll can also break parts of the interactive shell on that server (file associations, Explorer views), so test it on a non-production machine first.
