How do you build a secure personal Web server? Here is a brief introduction.
I. Installing Windows Server 2003
1. The system needs at least two partitions, both formatted as NTFS.
2. Install the 2003 system with the network disconnected.
3. Install IIS with only the components you need (for example, leave out the FTP and SMTP services). IIS is not installed by default: in Add/Remove Windows Components select Application Server, click Details, double-click Internet Information Services (IIS) and tick only the following:
Internet Information Services Manager;
Common Files;
Background Intelligent Transfer Service (BITS) Server Extensions;
World Wide Web Service.
If the site uses FrontPage extensions, also tick FrontPage 2002 Server Extensions.
4. Install MSSQL and the other software you need, then apply updates.
5. Use Microsoft's MBSA (Microsoft Baseline Security Analyzer) tool to analyse the computer's security configuration and find missing patches and updates. Download address: see the link at the end of the page.
II. Setting up and managing accounts
1. Create as few administrator accounts as possible. Rename the default Administrator account and change its description; the password should mix upper- and lower-case letters, digits and symbols, and be at least 14 characters long.
2. Create a decoy account named Administrator with the lowest possible permissions, and give it a random password of at least 20 characters.
3. Disable the Guest account, change its name and description, and give it a complex password. There is also a DelGuest tool that can reportedly delete the Guest account outright, but I have not tried it.
4. In Run, type gpedit.msc and press Enter to open the Group Policy Editor. Under Computer Configuration → Windows Settings → Security Settings → Account Policies → Account Lockout Policy, set the lockout threshold to 3 invalid logon attempts, the lockout duration to 30 minutes and the reset counter to 30 minutes.
5. Under Security Settings → Local Policies → Security Options, enable "Do not display last user name".
6. Under Security Settings → Local Policies → User Rights Assignment, in "Access this computer from the network" keep only the Internet Guest account and the Launch IIS Process account. If you use ASP.NET, also keep the ASPNET account.
7. Create an ordinary user account for day-to-day work on the system; when you need to run a privileged command, use the runas command.
III. Network service security management
1. Remove the default shares C$, D$, ADMIN$ and the like.
Open the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters and, in the right-hand pane, create a new DWORD value named AutoShareServer with the value 0.
2. Unbind NetBIOS from TCP/IP.
Right-click My Network Places → Properties → right-click Local Area Connection → Properties → double-click Internet Protocol (TCP/IP) → Advanced → WINS → Disable NetBIOS over TCP/IP.
3. Turn off services you do not need; the following are the recommended candidates:
Computer Browser: maintains the list of computers on the network; disable.
Distributed File System: manages shared files on the LAN; disable if not needed.
Distributed Link Tracking Client: updates link information on the LAN; disable if not needed.
Error Reporting Service: disable to stop error reports being sent.
Microsoft Search: provides fast full-text search; disable if not needed.
NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable if not needed.
Print Spooler: disable if there are no printers.
Remote Registry: disable to stop the registry being modified remotely.
Remote Desktop Help Session Manager: disable if Remote Assistance is not needed.
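Added here as an example that is not part of the original article: a PowerShell function that reports the state of the services listed above and disables them only when asked, so the report can be reviewed before anything changes. The short service names are assumed to be the Windows Server 2003 names for those display names; MSSEARCH is the Microsoft Search service installed with SQL Server 2000.

```powershell
# Added example (not from the original article): audit the services the article
# recommends disabling, and disable them only with -Disable.
# Assumption: the short names below are the Windows Server 2003 service names
# for the display names in the article.

$ServicesToDisable = @(
    @{ Name = 'Browser';        Why = 'Computer Browser: maintains the network computer list' },
    @{ Name = 'Dfs';            Why = 'Distributed File System: disable if no DFS shares are managed' },
    @{ Name = 'TrkWks';         Why = 'Distributed Link Tracking Client: disable if not needed' },
    @{ Name = 'ERSvc';          Why = 'Error Reporting Service: stops error reports being sent' },
    @{ Name = 'MSSEARCH';       Why = 'Microsoft Search (full-text): disable if not needed' },
    @{ Name = 'NtLmSsp';        Why = 'NTLM Security Support Provider: used by Telnet and Microsoft Search' },
    @{ Name = 'Spooler';        Why = 'Print Spooler: disable if there are no printers' },
    @{ Name = 'RemoteRegistry'; Why = 'Remote Registry: blocks remote registry modification' },
    @{ Name = 'RDSessMgr';      Why = 'Remote Desktop Help Session Manager: disable if Remote Assistance is unused' }
)

function Test-UnneededServices {
    param([switch]$Disable)   # without -Disable the function only reports

    foreach ($svc in $ServicesToDisable) {
        $s = Get-Service -Name $svc.Name -ErrorAction SilentlyContinue
        if (-not $s) {
            Write-Output ("{0,-15} not installed" -f $svc.Name)
            continue
        }
        # Get-Service does not expose the startup type, so read it via WMI
        $start = (Get-WmiObject -Class Win32_Service -Filter "Name='$($svc.Name)'").StartMode
        $state = "{0,-15} status={1,-8} startup={2}" -f $svc.Name, $s.Status, $start
        if ($start -eq 'Disabled' -and $s.Status -eq 'Stopped') {
            Write-Output "$state  OK"
            continue
        }
        Write-Output "$state  ATTENTION: $($svc.Why)"
        if ($Disable) {
            # Stop first (with dependents), then prevent it from starting again
            if ($s.Status -ne 'Stopped') { Stop-Service -Name $svc.Name -Force }
            Set-Service -Name $svc.Name -StartupType Disabled
        }
    }
}

Test-UnneededServices             # report only
# Test-UnneededServices -Disable  # apply the article's recommendation
```

Run the report first and remove from the list any service the machine actually relies on (Dfs or Spooler, for instance) before running with -Disable.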
IV. Enable an appropriate audit policy
In Run, type gpedit.msc and press Enter to open the Group Policy Editor, then go to Computer Configuration → Windows Settings → Security Settings → Local Policies → Audit Policy. When choosing what to audit, remember that the more items you audit, the more events are generated and the harder it is to find a serious one; audit too little and you may miss serious events as well. Strike a balance according to your situation.
The recommended items to audit are:
Audit logon events: success, failure
Audit account logon events: success, failure
Audit system events: success, failure
Audit policy change: success, failure
Audit object access: failure
Audit directory service access: failure
Audit privilege use: failure
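The account lockout values and the audit settings above can both be verified from the command line rather than by clicking through the Group Policy Editor. The following is an added example, not code from the original article: it exports the effective local policy with secedit and compares it with the values recommended in sections on accounts and auditing. It assumes the key names in the [System Access] and [Event Audit] sections of the exported INF template, and that audit values are bit flags (1 = success, 2 = failure, 3 = both).

```powershell
# Added example (not part of the original article): export the effective local
# security policy with secedit and compare lockout and audit settings against
# the values the article recommends.
# Assumption: the key names below are those secedit writes to its INF template;
# audit values are flags, 1 = success, 2 = failure, 3 = both.

$Expected = @{
    # [System Access]
    'LockoutBadCount'       = 3    # lock after three invalid logons
    'LockoutDuration'       = 30   # minutes
    'ResetLockoutCount'     = 30   # minutes
    'MinimumPasswordLength' = 14
    # [Event Audit]
    'AuditLogonEvents'      = 3    # success and failure
    'AuditAccountLogon'     = 3
    'AuditSystemEvents'     = 3
    'AuditPolicyChange'     = 3
    'AuditObjectAccess'     = 2    # failure only
    'AuditDSAccess'         = 2
    'AuditPrivilegeUse'     = 2
}

function Get-SeceditSettings {
    # Export the current policy to a temp file and parse every "Key = Value" line
    $inf = Join-Path $env:TEMP 'policy-export.inf'
    & secedit /export /cfg $inf | Out-Null
    $settings = @{}
    foreach ($line in Get-Content $inf) {
        if ($line -match '^\s*(\w+)\s*=\s*(.+?)\s*$') {
            $settings[$matches[1]] = $matches[2]
        }
    }
    Remove-Item $inf -ErrorAction SilentlyContinue
    return $settings
}

function Test-SecurityPolicy {
    $actual = Get-SeceditSettings
    foreach ($key in ($Expected.Keys | Sort-Object)) {
        $want = $Expected[$key]
        $have = $actual[$key]
        if ($have -eq $null)          { $status = 'MISSING' }
        elseif ([int]$have -eq $want) { $status = 'OK' }
        else                          { $status = 'DIFFERS' }
        "{0,-24} expected={1,-4} actual={2,-6} {3}" -f $key, $want, $have, $status
    }
}

Test-SecurityPolicy
```

Run it from an administrative prompt after applying the Group Policy changes; any line marked DIFFERS or MISSING points at a setting that did not take effect as intended.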
V. Other security-related settings
1. Hide important files and directories.
You can modify the registry to hide them completely: open HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click CheckedValue, choose Modify and change the value from 1 to 0.
2. Start the Internet Connection Firewall with the system, and tick Web Server under its Services settings.
3. Defend against SYN flood attacks.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named SynAttackProtect with the value 2.
4. Do not respond to ICMP router advertisement messages.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface (one subkey per network interface)
Create a new DWORD value named PerformRouterDiscovery with the value 0.
5. Defend against ICMP redirect attacks.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set EnableICMPRedirect to 0.
6. Do not support the IGMP protocol.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named IGMPLevel with the value 0.
7. Disable DCOM:
In Run, type dcomcnfg.exe and press Enter. Under Console Root click Component Services and open the Computers folder.
For the local computer, right-click My Computer and select Properties, then the Default Properties tab.
Clear the "Enable Distributed COM on this computer" check box.
Note: for items 3-6 I am using the Windows 2000 Server settings and have not tested whether they work on 2003. One thing is certain: over the period I used them I found no side effects.
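The registry values from the default-shares item and the TCP/IP items above are scattered across several keys, and the interface-level value must be set once per network interface. As an added example, not code from the original article, the following PowerShell reports which of those values are already in place and writes the missing ones only when asked. It assumes the documented value name EnableICMPRedirect for the ICMP redirect setting (the article spells it "Enableicmpredirects"), and that a reboot is needed before TCP/IP parameter changes apply.

```powershell
# Added example (not part of the original article): check, and optionally apply,
# the registry values the article sets for the default shares and the TCP/IP stack.
# Assumption: the ICMP redirect value is named EnableICMPRedirect.

$TcpipParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Desired = @(
    @{ Path = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'AutoShareServer';    Value = 0; Note = 'no C$/D$/ADMIN$ shares' },
    @{ Path = $TcpipParams; Name = 'SynAttackProtect';   Value = 2; Note = 'SYN flood protection' },
    @{ Path = $TcpipParams; Name = 'EnableICMPRedirect'; Value = 0; Note = 'ignore ICMP redirects' },
    @{ Path = $TcpipParams; Name = 'IGMPLevel';          Value = 0; Note = 'no IGMP' }
)
# PerformRouterDiscovery lives under every interface key, so add one entry per interface
foreach ($if in Get-ChildItem "$TcpipParams\Interfaces") {
    $Desired += @{ Path = $if.PSPath; Name = 'PerformRouterDiscovery'; Value = 0
                   Note = 'ignore ICMP router advertisements' }
}

function Test-RegistryHardening {
    param([switch]$Apply)   # without -Apply the function only reports
    foreach ($d in $Desired) {
        $item = Get-ItemProperty -Path $d.Path -Name $d.Name -ErrorAction SilentlyContinue
        $current = $null
        if ($item) { $current = $item.($d.Name) }
        if ($current -eq $d.Value) {
            "{0,-24} = {1}  OK" -f $d.Name, $current
            continue
        }
        "{0,-24} = {1}  WANT {2} ({3})  [{4}]" -f $d.Name, $current, $d.Value, $d.Note, $d.Path
        if ($Apply) {
            # -Force overwrites an existing value; DWord matches the article's value type
            New-ItemProperty -Path $d.Path -Name $d.Name -PropertyType DWord -Value $d.Value -Force | Out-Null
        }
    }
}

Test-RegistryHardening           # report only
# Test-RegistryHardening -Apply  # write the values; reboot for the TCP/IP changes to apply
```

Keep the report output from the first run: it doubles as a record of the pre-hardening state, which is what the article's later advice about testing each change and being able to undo it depends on.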
VI. Configuring the IIS service
1. Do not use the default Web site; if you do use it, at least keep the IIS directory on a different disk from the system.
2. Delete the Inetpub directory that IIS creates by default (on the system disk).
3. Delete the virtual directories under the system disk, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin and MSADC.
4. Remove unnecessary IIS extension mappings.
Right-click the default Web site → Properties → Home Directory → Configuration to open the application configuration window, and remove the application mappings you do not need, mainly .shtml, .shtm and .stm.
5. Change the path of the IIS log.
Right-click the default Web site → Properties → Web Site → click Properties under Enable Logging.
6. If you are running 2000 you can use IIS Lockdown to protect IIS; IIS 6.0 on 2003 does not need it.
7. Use URLScan.
URLScan is an ISAPI filter that analyses incoming HTTP requests and can reject any suspicious traffic. The latest version is 2.5; on 2000 Server you need to install version 1.0 or 2.0 first. Download address: no link given on the page.
If you have no special requirements, the default URLScan configuration is fine.
But if you run ASP.NET applications on the server and want to debug them, open %windir%\system32\inetsrv\urlscan\urlscan.ini and add the DEBUG verb to the AllowVerbs section (the list used when UseAllowVerbs is 1); note that this section is case-sensitive.
If your pages are .asp pages, delete the .asp-related entries from DenyExtensions.
If your pages use non-ASCII characters, set AllowHighBitCharacters to 1 in the Options section.
After changing urlscan.ini you must restart the IIS service for the change to take effect; the quick way is to type iisreset in Run.
If you run into problems after configuration, you can remove URLScan via Add/Remove Programs.
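Because urlscan.ini is hand-edited, it is easy to leave one of the adjustments above half done (for example adding DEBUG while UseAllowVerbs is still 0, or with the wrong case). The following added example, not code from the original article or from URLScan itself, parses the file and reports which of the three adjustments are actually in effect for the profile you ask about. It assumes the URLScan 2.5 section and key names ([options] with UseAllowVerbs and AllowHighBitCharacters, [AllowVerbs], [DenyExtensions]) and the default install path named above.

```powershell
# Added example (not part of the original article): read urlscan.ini and report
# whether the adjustments the article describes are in place.
# Assumption: URLScan 2.5 section/key names and the default install path.

function Read-Ini {
    param([string]$Path)
    # Returns a hashtable: lower-cased section name -> array of non-comment lines
    $sections = @{}
    $current = ''
    foreach ($raw in Get-Content $Path) {
        $line = ($raw -replace ';.*$', '').Trim()   # strip ';' comments
        if ($line -eq '') { continue }
        if ($line -match '^\[(.+)\]$') {
            $current = $matches[1].ToLower()
            $sections[$current] = @()
        } elseif ($current -ne '') {
            $sections[$current] += $line
        }
    }
    return $sections
}

function Get-IniOption {
    param($Ini, [string]$Key)
    # Value of Key=Value in [options], or $null if absent
    foreach ($l in $Ini['options']) {
        if ($l -match "^$Key\s*=\s*(.+)$") { return $matches[1].Trim() }
    }
    return $null
}

function Test-UrlScanConfig {
    param([string]$Path = "$env:windir\system32\inetsrv\urlscan\urlscan.ini",
          [switch]$AspNetDebug, [switch]$ClassicAsp, [switch]$NonAscii)
    $ini = Read-Ini $Path
    $findings = @()

    if ($AspNetDebug) {
        # DEBUG must be listed under [AllowVerbs] (case-sensitive) and UseAllowVerbs must be 1
        $useAllow = Get-IniOption $ini 'UseAllowVerbs'
        if ($useAllow -ne '1' -or -not ($ini['allowverbs'] -ccontains 'DEBUG')) {
            $findings += 'ASP.NET debugging: DEBUG is not in [AllowVerbs] with UseAllowVerbs=1'
        }
    }
    if ($ClassicAsp) {
        $denied = @($ini['denyextensions'] | Where-Object { $_ -match '^\.asp$' })
        if ($denied.Count -gt 0) { $findings += 'Classic ASP: [DenyExtensions] still lists .asp' }
    }
    if ($NonAscii) {
        if ((Get-IniOption $ini 'AllowHighBitCharacters') -ne '1') {
            $findings += 'Non-ASCII pages: AllowHighBitCharacters is not 1'
        }
    }
    if ($findings.Count -eq 0) { 'urlscan.ini matches the requested profile' } else { $findings }
}

# Example: an ASP.NET site that needs DEBUG and serves non-ASCII pages
Test-UrlScanConfig -AspNetDebug -NonAscii
```

Only pass the switches that describe your site; each one you leave off keeps the corresponding default restriction, which is the safer state.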
8. Use the WIS (Web Injection Scanner) tool to scan the whole website for SQL injection vulnerabilities.
Download address: HTTP://WWW.FANVB.NET/WEBSAMPLE/OTHERSAMPLE.ASPX (VB.NET enthusiast site)
VII. Configuring SQL Server
1. The sysadmin role should have no more than two members.
2. If SQL Server is on the same machine, it is best to configure authentication as Windows login.
3. Do not use the sa account; set an extremely complex password on it.
4. Delete the following extended stored procedures. The format is:
USE master
EXEC sp_dropextendedproc 'extended stored procedure name'
xp_cmdshell: the most direct way into the operating system; delete it.
Stored procedures that access the registry; delete them:
xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues
xp_regread xp_regwrite xp_regremovemultistring
OLE Automation stored procedures; delete them if you do not need them:
sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty
sp_OAMethod sp_OASetProperty sp_OAStop
5. Hide SQL Server and change the default port 1433.
Right-click the instance → Properties → General → Network Configuration, open the properties of the TCP/IP protocol, tick the option to hide the SQL Server instance and change the default port 1433.
VIII. If the machine only acts as a server and does nothing else, use IPSec
1. Administrative Tools → Local Security Policy → right-click IP Security Policies → Manage IP filter lists and filter actions → on the Manage IP Filter Lists tab click
Add → name: Web filter → click Add → description: Web server → source address: Any IP Address → destination address: My IP Address → protocol type: TCP → from any port, to this port 80 → Finish → OK.
2. Again on the Manage IP Filter Lists tab click
Add → name: All inbound filters → click Add → description: All inbound filters → source address: Any IP Address → destination address: My IP Address → protocol type: Any → Next → Finish → OK.
3. On the Manage Filter Actions tab click Add → Next → name: Block → Next → select Block → Next → Finish → close the Manage IP filter lists and filter actions window.
4. Right-click IP Security Policies → Create IP Security Policy → Next → name: Packet filter → Next → untick "Activate the default response rule" → Next → Finish.
5. In the properties window of the new IP security policy that opens, click Add → Next → this rule does not specify a tunnel → Next → All network connections → Next → in the IP filter list select the new Web filter → Next → in Filter Action select Permit → Next → Finish. Then Add again and select the new all-inbound filter list in the IP filter list → Next → select Block in Filter Action → Next → Finish → OK.
6. In the right-hand pane of IP Security Policies, right-click the new Packet filter policy and click Assign. No reboot is needed; IPSec takes effect immediately.
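The same policy can be built from the command line, which makes it reviewable and repeatable in a way that six wizard pages are not. The following is an added example, not part of the original article, using the netsh ipsec static context; the parameter names are assumed to be those of Windows Server 2003, and the object names avoid spaces so they pass from PowerShell to netsh unchanged. The policy is created unassigned and only the last line activates it.

```powershell
# Added example, not part of the original article: the IPSec policy from the
# steps above built with "netsh ipsec static" instead of the GUI.
# Assumption: Windows Server 2003 netsh ipsec static parameter names.

# 1. Filter list matching inbound TCP to port 80 on this host (mirrored, as the GUI default)
netsh ipsec static add filterlist name=WebFilter description=WebServer
netsh ipsec static add filter filterlist=WebFilter srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes

# 2. Filter list matching every inbound packet (any protocol, any source)
netsh ipsec static add filterlist name=AllInbound description=AllInboundFilters
netsh ipsec static add filter filterlist=AllInbound srcaddr=any dstaddr=me protocol=any mirrored=yes

# 3. Filter actions (the GUI already ships an action named "Permit", so use fresh names)
netsh ipsec static add filteraction name=PermitWeb action=permit
netsh ipsec static add filteraction name=BlockAll action=block

# 4. Policy with the default response rule switched off, not yet assigned
netsh ipsec static add policy name=PacketFilter activatedefaultrule=no assign=no

# 5. Rules: the port-80 permit wins over the block because IPSec applies the
#    most specific matching filter
netsh ipsec static add rule name=AllowWeb policy=PacketFilter filterlist=WebFilter filteraction=PermitWeb
netsh ipsec static add rule name=BlockRest policy=PacketFilter filterlist=AllInbound filteraction=BlockAll

# Review before activating. BlockRest also drops remote management traffic
# (Remote Desktop, file sharing): add a permit rule for any such port you depend
# on before assigning, or you will cut yourself off from the server.
netsh ipsec static show policy name=PacketFilter level=verbose

# 6. Assign; takes effect without a reboot
netsh ipsec static set policy name=PacketFilter assign=y
```

To back the change out, `netsh ipsec static set policy name=PacketFilter assign=n` unassigns it without deleting the filter lists, which matches the article's advice to test each change with an immediate undo available.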
IX. Recommendations
If you follow this article, test the server after every change you make; if something goes wrong you can undo that change immediately. If you change many items before discovering a problem, it is hard to tell which step caused it.
X. Record the running programs and open ports
1. Take a screenshot or record of the processes currently running on the server and save it, so you can later check whether any unknown program has appeared.
2. Likewise take a screenshot or record of the currently open ports and save it, so you can check whether any unknown port has been opened. If you can match every process to its port, this step can be omitted.