Win2003 Server security Settings Graphics Tutorial _win server

Windows 2003 Server Security Settings

First, close unwanted ports

I'm more careful, I turn off the port first. It only opened 3389, 21, 80, 1433, some people have been saying what the default of 3389 unsafe, I do not deny, but the use of the way can only one of the poor lift blasting, you have changed the password set to 66, I guess he will break for several years, haha! Method: Local Connection--attribute--internet protocol (TCP/IP)--Advanced--Option--TCP/IP Filter--attribute--Put the tick on it and add the port you need. PS: Set the port needs to reboot!

Of course, you can also change the remote connection port method:
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE \ system\ current ControlSet \ control \ Terminal Server\winstations\rdp-tcp]
"PortNumber" =dword:00002683

Save As. REG file Double click! Change to 9859, of course, you can also change the other port, directly open the address of the above registry, the value of the decimal input you want to the port can! Reboot effective
There is also a point, in the 2003 system, TCP/IP filtering in the port filtering function, the use of FTP server, only open 21 ports, in the FTP transmission, FTP-specific port mode and passive mode, in the data transmission, the need to dynamically open high-end port, Therefore, in the case of TCP/IP filtering, there is often a problem where the directory and data transfer cannot be listed after the connection. So the addition of Windows Connection Firewall on 2003 system can solve this problem very well, it is not recommended to use the TCP/IP filtering function of the NIC.

Two. Turn off unwanted services and turn on the appropriate audit policy

I have closed the following services
Computer Browser maintains the latest list of computers on the network and provides this list
Task Scheduler allows a program to run at a specified time
NET SEND and Alarm service messages between the Messenger transport client and the server
Distributed file System: LAN management shared files, no need to disable
Distributed linktracking client: For LAN update connection information, no need to disable
Error Reporting Service: Prohibit sending errors report
Microsoft serch: Provides fast word search without the need to disable
Ntlmsecuritysupportprovide:telnet Service and Microsoft Serch, no need to disable
Printspooler: If there are no printers to disable
Remote Registry: Disable the registry from being modified remotely
Remote Desktop help session Manager: No distance assistance
Remote NET command does not list user group if workstation is closed
Prohibit unnecessary services, although these may not be used by attackers, but in accordance with security rules and standards, superfluous things do not need to open, reduce a hidden danger.

In "Network Connections", delete all the unwanted protocols and services, install only basic Internet Protocol (TCP/IP), and install the QoS Packet Scheduler in addition to the bandwidth flow service. In Advanced TCP/IP Settings--"NetBIOS" setting disables NetBIOS (S) on TCP/IP. In the advanced option, use Internet Connection Firewall, which is a firewall with Windows 2003, not in the 2000 system, although not functional, but can screen ports, so that has basically reached an IPSec function.

Enter Gpedit.msc carriage return in the run, open Group Policy Editor, select Computer Configuration-windows Settings-security Settings-Audit policy when creating an audit project, it should be noted that if there are too many items to be audited, the more events are generated, the more difficult it is to find a serious event. Of course, if the audit is too small, it will also affect your discovery of serious Events, you need to make a choice between the two depending on the situation.

The recommended items to audit are:
Logon events
Account Login Events
System events
Policy changes
Object access
Directory service Access
Privileged use

Third, close the default shared null connection

People all over the world know, I will not say more!

Four, disk permissions settings

C Disk only to administrators and system permissions, other permissions do not give, the other disk can also be set up here, the system authority given here does not necessarily need to give, just because some third-party applications are launched in the form of services, need to add this user, otherwise it will not start.
Windows directories should be added to the default permissions for users, otherwise applications such as ASP and ASPX will not run. Previously have friends to set INSTSRV and temp directory permissions, in fact, there is no such need.

In addition, it is important here in C:/Documents and settings/that the permissions in the following directory will not inherit from the previous settings, if only set the C disk to administrators permissions, and in all users/application The Everyone user has full control in the data directory, so the intrusion can jump to this directory, write script or file only, and then combine other vulnerabilities to elevate permissions, such as using serv-u local overflow to elevate permissions, or systems missing patches, database weaknesses, Even the social engineering and so on n many methods, once not have the bull person to send a squall to say: "As long as gives me a webshell, I can get system", this also certainly is possible. In systems that are used as WEB/FTP servers, it is recommended that these directories be set up for lock-dead. The directories for each of the other disks are set in this way, and each disk is given only adinistrators permissions.
In addition, it will:
Net.exe NET command
Cmd.exe CMD understand the computer all know slightly ~
Tftp.exe
Netstat.exe
Regedit.exe registration form, everybody knows that.
At.exe
Attrib.exe
Cacls.exe ACL user Group permission setting, this command can set any permissions on any folder under NTFS! I didn't use this for less when I invaded. （：
Format.exe don't say, everybody knows what to do
We all know ASP Trojan bar, there is a cmd run this, these if all can run under CMD. 55, estimated that nothing else, the format is estimated to cry material ~ ~ ~ (: These files are set to allow only Administrator access.)

　　 v. Installation of firewall and antivirus software

About this thing to install in fact I also Tambulai, anyway installs what all have, suggest to use Kabbah, sell coffee. With the system itself with the firewall, this I am not professional, do not say! Let's do it!

　 vi. SQL2000 serv-u FTP security settings

SQL Security aspects
1, the System Administrators role preferably not more than two
2, if it is in this machine is best to configure the authentication to win login
3, do not use the SA account, configure a super complex password for it
or modify the SA user name:
Update sysxlogins set name= ' xxxx ' where sid=0x01
Update sysxlogins set sid=0xe765555bd44f054f89cd0076a06ea823 where name= ' xxxx '
4, delete the following extended stored procedure format:
Use master
Sp_dropextendedproc ' Extended stored procedure name '
xp_cmdshell: Is the best way to get into the operating system, delete
Accessing the registry's stored procedures, deleting
Xp_regaddmultistringxp_regdeletekeyxp_regdeletevaluexp_regenumvalues
Xp_regread xp_regwrite xp_regremovemultistring
OLE automatic stored procedures, not required, delete
sp_OACreate Sp_oadestroysp_oageterrorinfosp_oagetproperty
Sp_oamethodsp_oasetpropertysp_oastop
5, hide SQL Server, change the default 1433 port.
Right-click the properties of the TCP/IP protocol in the instance selection properties-General-network configuration, choose to hide the SQL Server instance and change the default 1433 port.
6. Create a new role for the database, prohibit the change of roles on the system table's Select, and so on, to prevent SQL injection using system tables.
Several general security requirements for Serv-u are set:

Select "Block" Ftp_bounce "Attack and FXP". What is FXP? Typically, when file transfers are made using the FTP protocol, the client first issues a "port" command to the FTP server that contains the IP address of the user and the port number that will be used for data transmission, and the server receives the user address information provided by the command to establish a connection to the user. In most cases, there is no problem with the above procedure, but when a client is a malicious user, the FTP server may be connected to other non-client machines by adding specific address information to the port command. Although the malicious user may not have the right to direct access to a particular machine, if the FTP server has access to the machine, then the malicious user can use the FTP server as an intermediary, and still be able to finally implement the connection to the target server. This is FXP, also known as Cross server attacks. When selected, this can be prevented.

　　 Vii. IIS security settings

Security for IIS:
1, do not use the default Web site, if used also to separate the IIS directory from the system disk.
2, delete the IIS default created Inetpub directory (on the installation system disk).
3, delete the virtual directory under the system disk, such as: _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin, IISHelp, MSADC.
4, remove unnecessary IIS extension mappings.
Right-click the default Web site → properties → home directory → configuration, open the application window, and remove unnecessary application mappings. mainly for. sHTML,. shtm,. stm.
5, change the path of the IIS log
Right-click the default Web site → Properties-web site-click Properties under Enable Logging
6. If you are using 2000, you can use IISLockdown to protect IIS, and the version of IE6.0 running in 2003 is not required.

Eight, other

1, system upgrades, operating system patches, especially the IIS 6.0 patches, SQL SP3a patches, and even IE 6.0 patches to play. At the same time to track the latest patch of vulnerability;
2, stop the Guest account, and add an unusually complex password to the guest, the administrator renamed or disguised!

3. Hide important files/directories

You can modify the registry to achieve complete concealment: "Hkey_local_machine\software\microsoft\windows\ current-version\explorer\advanced\folder\hi-dden\ ShowAll ", the mouse right click" CheckedValue ", select Modify, change the value from 1 to 0.
4. Start the system with Internet Connection Firewall, check the Web server in the Setting service option.
5, Prevent SYN flood attack.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value, named SynAttackProtect, with a value of 2
6. Prohibit responding to ICMP routing notification messages
HKEY_LOCAL_MACHINE \ SYSTEM \ currentcontrolset\ services\tcpip\parameters\interfaces\interface
Creates a new DWORD value with the name PerformRouterDiscovery value of 0.
7. Prevent ICMP redirect packets from attacking
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the Enableicmpredirects value to 0
8. IGMP protocol not supported
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Creates a new DWORD value with the name IGMPLevel value of 0.
9. Disable DCOM:
Enter Dcomcnfg.exe in the run. Enter, click Component Services under Console root. Open the Computers subfolder.

Server security Settings

Recommended settings

Limit test

In "Network Connections", delete all the unwanted protocols and services, install only basic Internet Protocol (TCP/IP), and install the QoS Packet Scheduler in addition to the bandwidth flow service.

In Advanced TCP/IP Settings--"NetBIOS" setting disables NetBIOS (S) on TCP/IP.

In the 2003 system, TCP/IP filtering is not recommended in the port filtering function, such as the use of FTP server, if only open 21 ports, due to the specificity of the FTP protocol, FTP transmission, due to FTP-specific port mode and passive mode, In the data transmission, the need to dynamically open the high-end port, so in the case of TCP/IP filtering, often the connection can not be listed after the directory and data transfer problems. So the addition of Windows Connection Firewall on 2003 system can solve this problem very well, so it is not recommended to use the TCP/IP filtering function of the NIC.

In the advanced option, use Internet Connection Firewall, which is a firewall with Windows 2003, not in the 2000 system, although not functional, but can screen ports, so that has basically reached an IPSec function.

Open the port you use to, and if you modify the port on the Remote Desktop, do not forget to add it. If you have a mail server, also release the SMTP server port POP3 server port 110. Services can be added to the external service port, otherwise the service cannot be accessed.

Modify ICMP settings, recommended all enabled, easy network test ping, etc.

permissions setting The root of all disk partitions gives full control to the Administrators group and system, noting that the systems disk does not replace the permissions of the subdirectory. Some directories, such as the Windows directory and Program Files directory, do not inherit parent directory permissions, and these directories require some additional permissions to run. The C:\Documents and Settings directory only gives full control to the Administrators group and SYSTEM, and the project that applies to child objects replaces the permission entries for all child objects. The system disk \documents and Settings\All Users Directory only gives full control to the Administrators group and system. The system permissions given here do not necessarily need to be given, just because some third-party applications are started in the form of a service and need to be added to this user, otherwise it will not start.

C:/Documents and settings/here to note that the permissions in the following directory will not inherit from the previous settings, if only set the C disk to administrators permissions, and in the all Users/application data directory will The Everyone user has full control, so the intrusion can jump to this directory, write scripts or files, and combine other vulnerabilities to elevate permissions, such as using serv-u local overflow to elevate permissions, or missing patches, database vulnerabilities, and so on. In systems that are used as WEB/FTP servers, the recommended setting.

Windows directories should be added to the default permissions for users, otherwise applications such as ASP and ASPX will not run. If you modify it, do not apply the item to the child object instead of the permission entries for all child objects. System directory permissions in doubt, do not move, generally do the root directory and the documents and settings are relatively safe, ASP programs can not access the root directory can not access the subdirectory.

In addition, the Documents and Settings directory to increase the users user group read run permissions, you can avoid loaduserprofile failure, it is necessary to note that the Users group Read permissions, ASP Trojan can access this directory. You need to accept some error logs for security. (January 13, 2009 Note: It seems that there is no system completely appear loaduserprofile, and users have nothing to do.) )

system disk under Cacls.exe; cmd.exe; Net.exe; Net1.exe; Ftp.exe; Tftp.exe; Telnet.exe; Netstat.exe; Regedit.exe; At.exe; Attrib.exe; The Format.com file only gives full control to the Administrators group and system. You can look for a unified setting, or edit a batch and use the CACLS command to process it.

"Administrative Tools-Local Security settings Secpol.msc
Account policy → account lockout policy
User lockout threshold 3 Invalid login
Reset account lockout counter   30 minutes
Account lockout time 30 min

Local policy → Audit policy
Audit Slight change success failure
Audit logon event Success failure
Audit object access failed
Audit process trace No audit
Audit directory service access failed
Audit privilege usage Failure
Audit system events Failed to successfully
Audit account logon event failed successfully
Audit account management failed

Local policy → User Rights Assignment
Shutdown system: Only Administrators group, all others deleted.
Allow login via Terminal Services: Only join Administrators,remote Desktop Users group, all other delete

Local policy → security options
Interactive login: Do not display last username enable
Network access : Do not allow anonymous enumeration of SAM accounts and shares to enable
Network access: Enable
Network access for network authentication store credentials: All anonymous access shared delete
Network access: Delete all anonymous access
Web　　　　　　　　　Access: All remotely accessible registry paths Delete
Network access: Remotely accessible registry paths and subpath Delete all
Account: Rename guest account rename an account
Account: Rename the system Administrator account Rename an account

The easiest way to "uninstall the least secure Components"
is to remove the appropriate program files after uninstalling directly.
Save the following code as one. BAT file, (for example, the Win2003 system folder should be C:\WINDOWS\)
regsvr32/u C:\WINDOWS\system32\wshom.ocx
regsvr32/u C:\windows\s Ystem32\wshext.dll
regsvr32/u C:\WINDOWS\system32\shell32.dll
If it is possible to remove these components
del C:\WINDOWS\system32\ Shell32.dll
del C:\WINDOWS\system32\wshom.ocx
del C:\windows\system32\wshext.dll
then run it, Wscript.Shell, Shell.Application, Wscript.Network will be unloaded.
go to http://www.ajiang.net/products/aspcheck/to download the Arjunolic probe to see the relevant security settings.
you may be prompted not to delete the file, do not worry about it, restart the server, you will find that all three prompts "x security".
If you recover, you can remove/U.

FSO (FileSystemObject) is a Microsoft ASP's control of file manipulation, which can read, create, modify, delete directories, and file operations on the server. is a very useful control in ASP programming. However, because of the issue of permissions control, many virtual host Server FSO has become a public backdoor of this server, because customers can be in their own ASP Web page directly to the control program, thus controlling the server or even delete files on the server. So many of the industry's virtual hosting providers simply shut down the control, giving customers a lot less flexibility. Our company's W2K Virtual host server has high security, can let the customer in own website space to use arbitrarily but has no way to endanger the system or to hinder other customer website normal operation.

FSO Add
 1, first find Scrrun.dll in the system disk, if this file exists, please skip to step three, if not, follow the second step.
 2, in the installation file directory i386 find Scrrun.dl_, with winrar decompression Scrrun.dll copied to the system disk: \windows\system32\ directory.
 3, the Operation Regsvr32 Scrrun.dll can.

 FSO Delete
 regsvr32/u scrrun.dll
 recommended

 to keep uninstall stream object
 running under cmd:
 regsvr32/s/u "C:\Program files\ Common files\system\ado\msado15.dll "
 Restore, remove/U on the line, the proposed retention

Modify the 3389 port for Remote Desktop Connection to 9874, hexadecimal 2692 equals decimal 9874, and modify to the appropriate port as needed. Save the following content as a. reg file and import the registry. (not required)

Copy Code code as follows:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\wds\rdpwd\tds\tcp]
"PortNumber" =dword:00002692

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\winstations\rdp-tcp]
"PortNumber" =dword:00002692

Server antivirus software Here is a description of McAfee 8.5i Chinese Enterprise Edition http://www.jb51.net/softs/17178.html

Because this version of the domestic many malicious code and Trojans can be updated in a timely manner. For example, you can detect the Haiyang top 2006 and kill MIME-encoded virus files in queues that are used by SMTP software such as IMAIL, and many people like to install Norton Enterprise Edition. and Norton Enterprise Edition, for the Webshell. Basically, there is no response. And the MIME-encoded file cannot be antivirus.
In McAfee.We also have the ability to add rules. Prevent the creation and modification of EXE.DLL files in the Windows directory so we add antivirus programs to our web directories in the software. Execute once a day and turn on real-time monitoring.

Note: Installing some anti-virus software will affect the implementation of ASP, because the Jscript.dll and Vbscript.dll components are disabled to run in DOS regsvr32 jscript.dll, regsvr32 Vbscript.dll lifting restrictions can be like appearing
The requested resource is in use

regsvr32%windir%\system32\jscript.dll
regsvr32%windir%\system32\vbscript.dll

Turn off the script scan in the antivirus software.

Some of the software that is commonly used on servers can be viewed s.jb51.net to hundreds of people a day.