Win2003 Server High Security Configuration (Ice Shield Firewall setting method) _win Server

The answer is no, first of all I want to say:

I think the current Linux home users are less, in terms of user volume Linux is not the enemy but windows, because most games, applications, etc. are based on the win platform vb,vc,c#, and so on, and the current computer beginners to learn most of the textbooks are about windows, At least for the past few years, Microsoft should still win the hegemony in more than 10 years. The vulnerability of Linux is not very high because it exploits a vulnerability in which the number of computers infected with the virus can be spread widely. And playing Linux I think most of the technical type, disdain to pursue those petty and show off what, happy to open source and share their latest research results, this is the reason for today's Linux security.

Windows, as long as security details are well done, the chances of a successful invasion are low. OK, nonsense not much to say, the following into the body, talk about my Web server security protection experience and programs.

This security protection program is just my blog site www.9170.org adopted the protection scheme, and a higher protection plan. (I provide a way of thinking, such as: An extranet IP open VPN and NAT port forwarding, and then a computer inside the router to connect the VPN, the 80 port forward to the intranet, the intranet has a MySQL Intranet server)

The programme is as follows:

System Platform:

WIN2003SP2 Enterprise Edition, all Microsoft released security updates.

Main hardware: Intel dual-Core cpu,512m memory

Optimization settings:

Turn off the default shared $admin, $c, and so on, code as follows:

NET share C $/delete

NET share admin$/delete

Echo.. Delshare.reg .....

echo Windows Registry Editor Version 5.00> C:\delshare.reg

Echo [hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters]>> C:\delshare.reg

echo "AutoShareWks" =dword:00000000>> C:\delshare.reg

echo "AutoShareServer" =dword:00000000>> C:\delshare.reg

Echo.. Delshare.reg .....

REGEDIT/S C:\delshare.reg

Echo.. Delshare.reg .....

Del C:\delshare.reg

The new text document runs as a. bat file.

Try not to install any application software (such as: thunder, QQ, etc.) installed anti-virus software and firewalls.

Install winrar, turn off redundant system service items (such as your own firewalls, schedule tasks, printers, etc.). Note: Please close according to the actual situation of the server, if you do not understand the system background service is not recommended to modify. can refer to http://baike.baidu.com/view/685551.htm)

The startup registry key can be deleted in addition to the input method.

System security Settings

Disks are formatted using NTFS, and if they are FAT32, convert them. command format such as: Convert c:/fs:ntfs (command default is C disk, if it is another partition, modify the letter) to retain the administrator, System full permissions on the root of the permission values, as shown in the figure:

The Web root only retains full access to the administrator, System, and the IIS user that is used to start the web. As shown in the figure:

The Web root only retains full access to the administrator, System, and the IIS user that is used to start the web. As shown in the figure:

Cmd. Exe,net. Exe,net1. EXE, and the Recycle Bin directory retains only the full permissions of the administrator and system, as shown in the figure:

Deletes the Intepub directory that was generated after IIS was installed. The directory security permissions are set.

PHP Security Settings

Because this article says security, skip the PHP installation steps. Edit the PHP configuration file and open the php.ini with a text editor. Make the following modifications:
Safe_mode = On
Disable_functions = PassThru, exec, shell_exec, System, fopen, MkDir, RmDir, chmod, unlink, dir, fopen, Fread, Fclose, FWR Ite, file_exists, Closedir, Is_dir, Readdir, Opendir, fileperms, copy, unlink, Delfile, Popen, COM

PHP uses the NETWORK Service this user group to start, so in the PHP installation directory we need to give him permission, as shown in the figure:

The security settings for PHP are now complete.

MySQL Security settings

Install MySQL and phpmyadmin after using the root account login, modify root for strong password, preferably the number + uppercase + lowercase, if you remember to live special symbols also line. Then point permissions, add a new user, create a newly created user, make a database with the same name as the user, grant all permissions, and do not give special permissions. Web site to connect to the user of MySQL to use this new, do not use root! As shown in the figure:

IIS security Settings

Set permissions on each Web site that is attached to IIS, such as the MDB database path set in IIS cannot read, write, etc., no Execute permissions

The upload directory has no execution to read.

Turn off unknown extensions and so on, preferably at each site with an independent user, can be named iis_***, corresponding to the root of each site permissions, IIS allows anonymous access, so that other sites can prevent cross-directory Access

Protect CC and DDoS attacks

The principle of the attack will not say, search engine search is known, the general CC attacks are launched by the web dynamic page, but also in a short time to create a lot of TCP port connections, according to this feature, we can install a DDoS firewall, set the rules, I use the ice shield, As shown in the figure, I set the protection cc attack rule.

Flow can be set in port filtering

This is done to prevent DDoS and CC attacks after it is set.

and to prevent scanning software scanning web pages and brute force to crack the background landing (because of the number of connections too much shielding, the general scanning and cracking are multiple-threaded open many ports at the same time, tool scan the number of connections too much automatically shielded, increase security can)