Generally speaking, the former is the harder of the two to configure. Drawing on other people's configurations and my own practice, I have arrived at an approach I am reasonably satisfied with. My own skill is limited, so I hope the experts will point out anything I have missed; thank you. I have been busy with other things recently; once that is done I will also tidy up my notes on the IIS configuration and post them. In the meantime you can visit the forum at www.n0ws.com, and this blog also provides the related material for download.
Here are my practices:
First, configure permissions on the system drive (for example, drive C). (The default IIS folder has already been removed.)
1. System drive: Select the system drive, open Properties, go to the Security tab, and delete all groups or users except the Administrators and SYSTEM groups.
2. Program Files: Right-click the folder -> select Properties -> select the "Security" tab -> click the "Advanced" option -> select "Allow parent ..." and "Use this to show ..." -> click "Copy" -> click OK to exit the Advanced Security Settings -> on the Security tab, remove all groups or users other than the Administrators and SYSTEM groups.
The Advanced security settings effect is as follows:
3. Program Files\Common Files (Users): On the Common Files folder under Program Files, add the system's Users group and leave it with the default permissions. The default permissions are the ones the system grants automatically when you add the user to a folder or file. (Someone may ask why Users needs permissions on this folder. Answer: it contains DLL files that ASP needs when calling CreateObject.)
4. Documents and Settings: On the system drive, right-click the Documents and Settings folder and remove all users or groups other than Administrators, SYSTEM, and Power Users. Open the Documents and Settings folder; the Administrator folder inside it needs no permission changes. For the All Users folder, open the Advanced option, select "Replace permission entries on all child objects with entries shown here that apply to child objects", click OK, then on the Security tab delete all groups and users except Administrators and SYSTEM and click OK. For the Default User folder, open the Advanced option, select "Replace permission entries on all child objects with entries shown here that apply to child objects", click OK, then on the Security tab delete all groups and users other than Administrators, SYSTEM, Power Users, and Users, and click OK.
5. Windows: Right-click the folder -> select Properties -> select the "Security" tab -> remove all users except Administrators and SYSTEM -> click OK.
6. Windows\Temp: Right-click the folder -> select Properties -> select the "Security" tab -> add the Users group -> grant the Users group only read and write permissions.
7. Other folders under the root directory: Right-click the folder -> select Properties -> select the "Security" tab -> click the "Advanced" option -> select "Allow parent ..." and "Use this to show ..." -> click "Copy" -> click OK to exit the Advanced Security Settings -> on the Security tab, delete all groups or users other than the Administrators and SYSTEM groups.
8. Batch processing: What remains is permissions on some special folders and files, changes to some services, and the removal of dangerous components.
The batch script for this part is attached below. Save it as *.bat, or download it directly from the download location I provided.
@echo off
ECHO.
ECHO.
ECHO. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ECHO.
ECHO "Windows 2003 NTFS Hardening Script"
ECHO.
ECHO. ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
ECHO.
ECHO.
ECHO. -------------------------------------------------------------------------
ECHO Please follow the prompts to back up the registry; otherwise the changes cannot be undone, and I accept no responsibility.
ECHO.
ECHO Y=continue  N=exit (defaults to N after 30 seconds)
ECHO. -------------------------------------------------------------------------
choice /t 30 /c yn /d N
if errorlevel 2 goto end
if errorlevel 1 goto next
:next
rem Create the backup folder and a clean temp working folder
if exist backup (echo.) else md backup
if exist temp (rmdir /s /q temp & md temp) else md temp
if exist backup\backupkey.reg (move backup\backupkey.reg backup\backupkey_old.reg) else goto run
:run
rem Export the registry branches that later steps modify, then merge them into one backup file
regedit /e temp\backup-reg1.key1 "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\"
regedit /e temp\backup-reg2.key2 "HKEY_CLASSES_ROOT\"
copy /b /y /v temp\backup-reg1.key1+temp\backup-reg2.key2 backup\backupkey.reg
rem Keep copies of the two components that the last step unregisters and deletes
if exist backup\wshom.ocx (echo backup already exists) else copy /v /y %systemroot%\system32\wshom.ocx backup\wshom.ocx
if exist backup\shell32.dll (echo backup already exists) else copy /v /y %systemroot%\system32\shell32.dll backup\shell32.dll
ECHO Backup is complete
ECHO.
goto next2
:next2
ECHO.
ECHO. -------------------------------------------------------------------
ECHO Restrict several unsafe EXE files in the System32 directory so that only Administrators may run them
ECHO Y=apply  N=skip this step (defaults to Y after 30 seconds)
ECHO. -------------------------------------------------------------------
choice /t 30 /c yn /d y
if errorlevel 2 goto next3
if errorlevel 1 goto next21
:next21
rem cacls /g without /e replaces the whole ACL, leaving only Administrators with Full Control
echo Y|cacls.exe %systemroot%\system32\net.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\net1.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\cmd.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\tftp.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\netstat.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\regedit.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\at.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\attrib.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\cacls.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\format.com /g administrators:f
echo Y|cacls.exe %systemdrive%\boot.ini /g administrators:f
echo Y|cacls.exe %systemdrive%\autoexec.bat /g administrators:f
echo Y|cacls.exe %systemroot%\system32\ftp.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\secedit.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\gpresult.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\gpupdate.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\logoff.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\shutdown.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\telnet.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\wscript.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\doskey.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\help.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\ipconfig.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\nbtstat.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\print.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\debug.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\regedt32.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\reg.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\register.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\replace.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\nwscript.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\share.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\ping.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\ipsec6.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\netsh.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\edit.com /g administrators:f
echo Y|cacls.exe %systemroot%\system32\route.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\tracert.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\powercfg.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\nslookup.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\arp.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\rsh.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\netdde.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\mshta.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\mountvol.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\setx.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\find.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\where.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\finger.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\regsvr32.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\sc.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\shadow.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\runas.exe /g administrators:f
echo Y|cacls.exe %systemroot%\pchealth\helpctr\binaries\msconfig.exe /g administrators:f
echo Y|cacls.exe %systemroot%\notepad.exe /g administrators:f
echo Y|cacls.exe %systemroot%\regedit.exe /g administrators:f
echo Y|cacls.exe %systemroot%\winhelp.exe /g administrators:f
echo Y|cacls.exe %systemroot%\winhlp32.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\edlin.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\posix.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\atsvc.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\qbasic.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\runonce.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\syskey.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\cscript.exe /g administrators:f
echo Y|cacls.exe %systemroot%\system32\sethc.exe /g administrators:f
echo "Setting permissions on drive C"
rem cacls /e edits the existing ACL; /r revokes every entry for the named user or group
cacls "%systemroot%\registration" /r "Everyone" /e
echo "Remove CREATOR OWNER permissions in the Windows directory on drive C"
cd \
cacls "%systemroot%\repair" /r "CREATOR OWNER" /e
cacls "%systemroot%\system32" /r "CREATOR OWNER" /e
cacls "%systemroot%\system32\config" /r "CREATOR OWNER" /e
cacls "%systemroot%\system32\wbem" /r "CREATOR OWNER" /e
echo "Remove permissions for Power Users under the Windows folders"
cacls "%systemroot%\repair" /r "Power Users" /e
cacls "%systemroot%\system32" /r "Power Users" /e
cacls "%systemroot%\system32\config" /r "Power Users" /e
cacls "%systemroot%\system32\wbem" /r "Power Users" /e
echo "Remove access rights for Users under Windows"
cacls "%systemroot%\addins" /r "users" /e
cacls "%systemroot%\apppatch" /r "users" /e
cacls "%systemroot%\connection Wizard" /r "users" /e
cacls "%systemroot%\debug" /r "users" /e
cacls "%systemroot%\driver Cache" /r "users" /e
cacls "%systemroot%\help" /r "users" /e
cacls "%systemroot%\iis Temporary Compressed Files" /r "users" /e
cacls "%systemroot%\java" /r "users" /e
cacls "%systemroot%\msagent" /r "users" /e
cacls "%systemroot%\mui" /r "users" /e
cacls "%systemroot%\repair" /r "users" /e
cacls "%systemroot%\resources" /r "users" /e
cacls "%systemroot%\security" /r "users" /e
cacls "%systemroot%\system" /r "users" /e
cacls "%systemroot%\tapi" /r "users" /e
cacls "%systemroot%\temp" /r "users" /e
cacls "%systemroot%\twain_32" /r "users" /e
cacls "%systemroot%\web" /r "users" /e
cacls "%systemroot%\system32\3com_dmi" /r "users" /e
cacls "%systemroot%\system32\administration" /r "users" /e
cacls "%systemroot%\system32\cache" /r "users" /e
cacls "%systemroot%\system32\catroot2" /r "users" /e
cacls "%systemroot%\system32\com" /r "users" /e
cacls "%systemroot%\system32\config" /r "users" /e
cacls "%systemroot%\system32\dhcp" /r "users" /e
cacls "%systemroot%\system32\drivers" /r "users" /e
cacls "%systemroot%\system32\export" /r "users" /e
cacls "%systemroot%\system32\icsxml" /r "users" /e
cacls "%systemroot%\system32\lls" /r "users" /e
cacls "%systemroot%\system32\logfiles" /r "users" /e
cacls "%systemroot%\system32\microsoftpassport" /r "users" /e
cacls "%systemroot%\system32\mui" /r "users" /e
cacls "%systemroot%\system32\oobe" /r "users" /e
cacls "%systemroot%\system32\shellext" /r "users" /e
cacls "%systemroot%\system32\wbem" /r "users" /e
goto next3
:next3
ECHO.
ECHO.
ECHO. ------------------------------------------------------------------------
ECHO Disable unnecessary services. Press CTRL+C if you want to exit
ECHO Y=apply  N=skip this step (defaults to Y after 30 seconds)
ECHO. ------------------------------------------------------------------------
choice /t 30 /c yn /d y
if errorlevel 2 goto next4
if errorlevel 1 goto next31
:next31
rem Build a .reg file that sets each service's Start value to 4 (Disabled), then import it silently
echo Windows Registry Editor Version 5.00 >temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanworkstation] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\alerter] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\browser] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\dfs] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\scheduler] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lmhosts] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\tlntsvr] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\remoteaccess] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ntmssvc] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\remoteregistry] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\trkwks] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ersvc] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\messenger] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\netdde] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetDDEdsdm] >>temp\services.reg
echo "Start"=dword:00000004 >>temp\services.reg
regedit /s temp\services.reg
ECHO.
goto next4
:next4
ECHO.
ECHO. -------------------------------------------------------------------------
ECHO Harden against intrusion and attacks. Press CTRL+C if you want to exit
ECHO Y=apply  N=skip this step (defaults to Y after 30 seconds)
ECHO. -------------------------------------------------------------------------
choice /t 30 /c yn /d y
if errorlevel 2 goto next5
if errorlevel 1 goto next41
:next41
rem Build a .reg file with the TCP/IP, LSA, NetBT, AFD and LanmanServer settings, then import it silently
echo Windows Registry Editor Version 5.00 >temp\skyddos.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters] >>temp\skyddos.reg
echo "EnableDeadGWDetect"=dword:00000000 >>temp\skyddos.reg
echo "EnableICMPRedirects"=dword:00000000 >>temp\skyddos.reg
echo "PerformRouterDiscovery"=dword:00000000 >>temp\skyddos.reg
echo "NoNameReleaseOnDemand"=dword:00000001 >>temp\skyddos.reg
echo "KeepAliveTime"=dword:000493e0 >>temp\skyddos.reg
echo "EnablePMTUDiscovery"=dword:00000000 >>temp\skyddos.reg
echo "SynAttackProtect"=dword:00000002 >>temp\skyddos.reg
echo "TcpMaxHalfOpen"=dword:00000064 >>temp\skyddos.reg
echo "TcpMaxHalfOpenRetried"=dword:00000050 >>temp\skyddos.reg
echo "TcpMaxConnectResponseRetransmissions"=dword:00000001 >>temp\skyddos.reg
echo "TcpMaxDataRetransmissions"=dword:00000003 >>temp\skyddos.reg
echo "TCPMaxPortsExhausted"=dword:00000005 >>temp\skyddos.reg
echo "DisableIPSourceRouting"=dword:00000002 >>temp\skyddos.reg
echo "TcpTimedWaitDelay"=dword:0000001e >>temp\skyddos.reg
echo "EnableSecurityFilters"=dword:00000001 >>temp\skyddos.reg
echo "TcpNumConnections"=dword:000007d0 >>temp\skyddos.reg
echo "TcpMaxSendFree"=dword:000007d0 >>temp\skyddos.reg
echo "IGMPLevel"=dword:00000000 >>temp\skyddos.reg
echo "DefaultTTL"=dword:00000016 >>temp\skyddos.reg
echo Remove IPC$: IPC$ (Internet Process Connection) is the resource that shares named pipes
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa] >>temp\skyddos.reg
echo "RestrictAnonymous"=dword:00000001 >>temp\skyddos.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interfaces] >>temp\skyddos.reg
echo "PerformRouterDiscovery"=dword:00000000 >>temp\skyddos.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netbt\Parameters] >>temp\skyddos.reg
echo "BacklogIncrement"=dword:00000003 >>temp\skyddos.reg
echo "MaxConnBackLog"=dword:000003e8 >>temp\skyddos.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Afd\Parameters] >>temp\skyddos.reg
echo "EnableDynamicBacklog"=dword:00000001 >>temp\skyddos.reg
echo "MinimumDynamicBacklog"=dword:00000014 >>temp\skyddos.reg
echo "MaximumDynamicBacklog"=dword:00002e20 >>temp\skyddos.reg
echo "DynamicBacklogGrowthDelta"=dword:0000000a >>temp\skyddos.reg
echo [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters] >>temp\skyddos.reg
echo "AutoShareServer"=dword:00000000 >>temp\skyddos.reg
regedit /s temp\skyddos.reg
ECHO.
ECHO.
goto next5
:next5
ECHO.
ECHO. ------------------------------------------------------------------------
ECHO Prevent ASP trojans from running: unregister WScript.Shell, Shell.Application, WScript.Network
ECHO Y=apply  N=skip this step (defaults to Y after 30 seconds)
ECHO. -----------------------------------------------------------------------
choice /t 30 /c yn /d y
if errorlevel 2 goto next6
if errorlevel 1 goto next51
:next51
rem A key written as [-KEY] in a .reg file is deleted on import
echo Windows Registry Editor Version 5.00 >temp\del.reg
echo [-HKEY_CLASSES_ROOT\Shell.Application] >>temp\del.reg
echo [-HKEY_CLASSES_ROOT\Shell.Application.1] >>temp\del.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{13709620-C279-11CE-A49E-444553540000}] >>temp\del.reg
echo [-HKEY_CLASSES_ROOT\ADODB.Command\CLSID] >>temp\del.reg
echo [-HKEY_CLASSES_ROOT\CLSID\{00000566-0000-0010-8000-00AA006D2EA4}] >>temp\del.reg
regedit /s temp\del.reg
rem Unregister and delete the components (copies were saved to the backup folder earlier)
regsvr32 /u %systemroot%\system32\wshom.ocx
del /f /q %systemroot%\system32\wshom.ocx
regsvr32 /u %systemroot%\system32\shell32.dll
del /f /q %systemroot%\system32\shell32.dll
rmdir /q /s temp
ECHO.
goto next6
:next6
ECHO.
ECHO.
ECHO. ---------------------------------------------------------------------
ECHO The settings are complete. A reboot is required before they take effect.
ECHO Y=reboot server  N=exit (defaults to Y after 30 seconds)
ECHO. ----------------------------------------------------------------------
choice /t 30 /c yn /d y
if errorlevel 2 goto end
if errorlevel 1 goto reboot
:reboot
shutdown /r /t 0
:end
if exist temp (rmdir /s /q temp & exit) else exit
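To review what the generated .reg fragments will actually set before REGEDIT /S imports them, the following added example (not part of the original script) parses dword-only .reg text, decodes each hex value to decimal, and flags lines that deviate from the canonical "Name"=dword:xxxxxxxx form. The sample input is constructed from values shown in the script above; the function names are hypothetical.

```python
import re

# Constructed sample in the style the script echoes into temp\*.reg. One line
# deliberately has a space before '=' and a 7-digit value so the checks report it.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"KeepAliveTime"=dword:000493e0
"TcpTimedWaitDelay"=dword:0000001e
"DefaultTTL"=dword:00000016
"DisableIPSourceRouting" =dword:0000002
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RemoteRegistry]
"Start"=dword:00000004
[-HKEY_CLASSES_ROOT\Shell.Application]
'''

HEADER = "Windows Registry Editor Version 5.00"
KEY_RE = re.compile(r'^\[(-?)(HKEY_[A-Z_]+\\[^\]]*)\]$', re.I)
VALUE_RE = re.compile(r'^"([^"]+)"(\s*)=(\s*)dword:([0-9a-fA-F]+)$')
START_TYPES = {0: "boot", 1: "system", 2: "automatic", 3: "manual", 4: "disabled"}

def parse_reg(text):
    """Parse dword-only .reg text into (settings, deleted_keys, warnings)."""
    settings, deleted, warnings = {}, [], []
    lines = text.splitlines()
    if not lines or lines[0].strip() != HEADER:
        warnings.append("line 1: missing or unexpected header")
    current = None
    for n, raw in enumerate(lines[1:], start=2):
        line = raw.strip()
        if not line:
            continue
        key = KEY_RE.match(line)
        if key:
            if key.group(1):                      # [-KEY] deletes the whole key
                deleted.append(key.group(2))
                current = None
            else:
                current = settings.setdefault(key.group(2), {})
            continue
        val = VALUE_RE.match(line)
        if val is None or current is None:
            warnings.append(f"line {n}: not a key or dword value: {line}")
            continue
        name, before, after, digits = val.groups()
        if before or after:                       # canonical form has no spaces
            warnings.append(f"line {n}: whitespace around '=' for {name}")
        if len(digits) != 8:                      # canonical form is 8 hex digits
            warnings.append(f"line {n}: {name} has {len(digits)} hex digits")
        current[name] = int(digits, 16)
    return settings, deleted, warnings

def describe(settings):
    """List every value in decimal; service Start values also get their meaning."""
    out = []
    for key, values in settings.items():
        for name, num in values.items():
            note = f" ({START_TYPES.get(num, 'unknown')})" if name.lower() == "start" else ""
            out.append(f"{key}\\{name} = {num}{note}")
    return out
```

The script deletes its temp folder when it finishes, so copy the .reg files out (or pause the script) before passing their text to parse_reg().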