Win2008 Server or VPS Security Configuration Basics Tutorial _win Server

Of course, the security tutorial here is as effective as Windows Server 2003, except that some steps are different and are for informational purposes only.

In fact, whether it is a Windows Server system, or Linux server system, as long as the security policy set up to the maximum extent possible to ensure that the server security, not to use Linux must be more than Windows security, the key is to see how you use, how to set security policy, how to avoid the use of loopholes The key to ensuring security for Windows Server systems is to avoid exploiting vulnerabilities in this system. The following is a specific basic Security configuration tutorial, for reference only, set by personal liking:

　　 Change admin account and password

Windows 2008 Server system is managed by remote login, the default administrator account is administactor; if the other person knows your account, you may be able to decrypt the password by brute force, so change the admin account in time.

The Modify process is: Select "click start → run", in the pop-up Run dialog box, enter "Gpedit.msc" to open the Group Policy Editor, expand the set →→ local policy → security options, and then pull the right list box down to the bottom, double-click Rename system administrator account to rename; Modify the account name, but also remember to modify the password, recommend no less than 18 digits of the password, must be in English combination of the case number.

　　 to modify the port number of a remote login

The Windows system default remote landing port number is 3389, this port number is easily scanned, it is recommended to change to a larger port number, like 23429, pay attention to the known port number conflict, if the firewall is turned on, to close 3389 ports, while opening 23429 port number.

The process of modifying the port number is: Open "Start → run", enter "regedit", open the registry, and go to the following path: [hkey_local_machinesystemcurrentcontrolsetcontrolterminal SERVERWDSRDPWDTDSTCP], see the Portnamber value, the default value is 3389, modified to the desired port, for example, 23429; then open [Hkey_local_ Machinesystemcurrentcontro1setcontroltenninal Serverwinstationsrdptcp], change the value of PortNumber (default is 3389) to Port 23429, Enter the computer name ip:23429 when you log in later.

　　 Set firewall shutdown unwanted port

Windows 2008 Server System is a firewall, the firewall can set the port number to open and close, the above modified the remote landing port number, to remember to shut down the 3389 port, while adding the new set of port number, and the port scan tool is recommended to scan, the general server only to use the opening of three ports, One is 80 ports, one is your remote landing port, one is the FTP port.

After the firewall is turned on, the default is to prohibit ping, and if you want the server to support Ping, remove the corresponding prohibition rule in the firewall settings. In addition, firewalls do not prohibit all non-network service ports by default, so it is recommended that you manually disable ports that must be used.

　　 remove FTP and database online management

Because the Windows 2008 server has a graphical interface, therefore can be used to achieve the Web site backup, remote Landing reserve site, upload to the network, and then from the local computer to download the site content from the network, so that the FTP could not be enabled; opening one more port means more risk, since windows 2008 server systems have a graphical interface, then you should make good use of this.

As for the database online management, novice are accustomed to using phpMyAdmin to manage, Linux system host through Ip/some space/way to manage the database, this is actually unsafe, the equivalent of one more security risks; for users of Windows 2008 systems, Can actually remotely login after the management database, like my website www.121h.com, after the original landing, with IE browser access 127.0.0.7 is my database management address, other users can not directly access to the database management background.

　　 Set file permissions and patch updates

If you are building a station with a Windows system server, then be sure to set the file permissions, such as prohibit the script to run what, set good, then the site program itself security will improve a lot; In addition, to remember to update the program and system patches, while increasing the error landing settings, the user through the remote to the system, Wrong password three times, you can ban 30 minutes or a day or something.

Some time ago, mysql/php a series of corresponding loopholes, we also have to remember to upgrade the version of these programs, such as the current version of the virtual host PHP is 5.2.17, this is the older stable version, there is a hash conflict, can be upgraded to 5.3.* or 5.4.*; As for MySQL, can also upgrade to the 5.5.* version, directly to the official website to download the corresponding program upgrades, please confirm the site before upgrading the program to support the new version of the software. 

　　 revise the account information in IDC website

Regardless of what you are buying system server, you should ensure that your own IDC official account information security, where the account, password should be registered with the usual account password is different, to avoid an account of their own theft, be used by others here. In addition, some IDC also has its own forum, although to the Forum exchange can get outside the chain, but pay attention to ensure their own information security, do not disclose their account habits.

These are the personal experience of maintaining a Windows Server 2008 server, a basic Security configuration tutorial that can protect against most vulnerabilities; Of course, if memory allows, you can install antivirus software, while adding other precautions, however, for VPS or cloud host users, Antivirus software is not necessary, the upper settings have these, and then install antivirus software may conflict.