A lot of material on securing Windows Server 2003 circulates online, but on careful analysis much of it is incomplete, much of it configures things unreasonably, and it leaves a lot of security risks. Today I decided to work carefully through an extreme ("BT") 2003 server security configuration, so that more network administrators can rest easy.
The server we are configuring needs to provide the following components: ASP, ASPX, CGI, PHP, FSO, JMail, MySQL, SMTP, POP3, FTP, Terminal Services on 3389, the Remote Desktop Web Connection management service, and so on. This assumes the system is already installed along with IIS, including the FTP server, mail server and so on. The specific configuration of those components is not repeated here; we now focus on the security configuration.
About the routine items: installing the system securely, setting up and managing accounts, shutting down redundant services, audit policies, changing the terminal management port, configuring MS-SQL, removing dangerous stored procedures, connecting with the least-privileged public account, etc.
First of all, NTFS disk permissions. We have probably all seen a good deal about these settings, but a 2003 server has some details that need attention, and many of the articles I have seen do not cover them completely.
Grant permissions on the C: drive only to Administrators and SYSTEM, and to no one else; the other drives can be set the same way. The SYSTEM permission does not strictly have to be granted. It is given here only because some third-party applications are launched as services and need this account, otherwise they will not start.
The Windows directory must additionally be given the default permissions for Users, otherwise applications such as ASP and ASPX will not run. Some people used to set permissions on the INSTSRV and temp directories as well; in fact there is no need.
In addition, it is important to note that under C:/Documents and settings/ the permissions on the subdirectories do not inherit from the settings made above. If you only set the C: drive to Administrators permissions, the Everyone group still has Full Control on the All Users/Application Data directory. An intruder can then jump to this directory, write a script or just a file there, and combine that with other vulnerabilities to elevate privileges: a Serv-U local overflow, missing system patches, database weaknesses, even social engineering, among many other methods. An expert once boasted, "As long as you give me a webshell, I can get SYSTEM", and that is certainly possible. On systems used as web/FTP servers, it is recommended that these directories be locked down. The directories on each of the other disks are set the same way, with each disk granting permissions only to Administrators.
In addition, set the following files so that only Administrators are allowed access: net.exe, cmd.exe, tftp.exe, netstat.exe, regedit.exe, at.exe, attrib.exe, cacls.exe.
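One way to apply the restriction on the tools listed above is with cacls.exe itself. This batch file is an added example, not part of the original article. It assumes the English group name Administrators and the default file locations (regedit.exe in %SystemRoot%, the others in %SystemRoot%\system32).

```bat
@echo off
rem Added example: restrict the listed tools to Administrators only.
rem Run from a command prompt opened as an administrator on the server.
setlocal
set SYS32=%SystemRoot%\system32

rem regedit.exe lives in %SystemRoot%; the other tools live in system32.
for %%F in (net.exe cmd.exe tftp.exe netstat.exe at.exe attrib.exe) do call :lock "%SYS32%\%%F"
call :lock "%SystemRoot%\regedit.exe"
rem cacls.exe is handled last, after it has done the work on the others.
call :lock "%SYS32%\cacls.exe"

endlocal
goto :eof

:lock
if not exist %1 echo SKIP %~1 not found & goto :eof
rem Without /E, /G replaces the entire ACL instead of editing it, so every
rem other entry (Users, Everyone, SYSTEM, ...) is dropped from the file.
rem cacls asks "Are you sure (Y/N)?" in this mode; the answer is piped in.
echo y| cacls %1 /G Administrators:F >nul
rem Print the resulting ACL so the change can be checked by eye:
rem only BUILTIN\Administrators:F should remain on each file.
cacls %1
goto :eof
```

Because SYSTEM is removed from these files as well, check that no service on the server needs to launch cmd.exe or net.exe before applying this in production.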
Disable unnecessary services. Attackers may not be able to use them, but in accordance with security rules and standards, superfluous things should not be left running; each one removed is one less hidden danger.
In "Network Connections", delete all the unwanted protocols and services and install only the basic Internet Protocol (TCP/IP), plus the QoS Packet Scheduler for the bandwidth flow service. In Advanced TCP/IP Settings, under the "NetBIOS" setting, select "Disable NetBIOS over TCP/IP (S)". On the Advanced tab, enable Internet Connection Firewall. This firewall ships with Windows 2003 and is not present in Windows 2000; it is not feature-rich, but it can filter ports, which basically achieves what IPSec would.