First: How to Install
I. Choice of version
I strongly recommend that, as long as language is not a barrier, you use the English version. Microsoft's products are famous for "bugs and patches": the Chinese version has far more bugs than the English one, and its patches usually arrive at least half a month later (in other words, after Microsoft announces a vulnerability, your server sits unprotected for about half a month).
II. Customization of components
Win2K installs a number of common components by default, but this default installation is precisely what makes it dangerous. Following the security principle "minimal services + minimal permissions = maximum security", install only the services you really need. Pay particular attention to "Indexing Service", "FrontPage Server Extensions", and "Internet Service Manager", which are among the most dangerous of these services.
III. Choice of management application
Choosing a good remote management tool matters, not only for security but also for day-to-day administration. Win2K's Terminal Service is a remote control facility based on RDP (Remote Desktop Protocol); it is fast, easy to use, and well suited to routine operation. Terminal Service has its drawbacks, however: it works on a virtual desktop, and Microsoft's implementation is not rigorous, so operations that interact with the real desktop, such as installing software or restarting the server, often misbehave. For example, restarting a Microsoft-certified server (Compaq, IBM, etc.) through Terminal Service may shut it down outright. For safety, it is therefore recommended to pair Terminal Service with a complementary remote control program as a backup; pcAnywhere is a good choice.
IV. Allocation of partitions and logical disks
Create at least two partitions: one for the system and one for applications. Microsoft's IIS (Internet Information Server) frequently has vulnerabilities, and if the system and IIS share one drive, a flaw in IIS can expose system files and even let an intruder gain administrative rights remotely.
It is recommended to create three logical drives: the first for the system and important log files, the second for IIS, and the third for FTP. That way, a security hole in either IIS or FTP does not directly affect the system directory and system files.
V. Choice of installation sequence
Do not assume the job is done as long as the system installs; the order in which Win2K is installed matters a great deal.
First, pay attention to when the machine is connected to the network. Win2K has a flaw during installation: after the administrator password is entered, the system creates the "ADMIN$" share but does not protect it with the password just entered, and this state persists until the computer is rebooted. During that time anyone can enter the system through "ADMIN$", and as soon as installation completes the various services start automatically, leaving a server full of vulnerabilities that is easy to break into from outside. Therefore, do not connect the host to the network until the Win2K server is fully installed and configured.
Second, pay attention to patch installation. Patches should be installed after all applications have been installed, because patches often replace or modify system files, which applications installed afterwards may overwrite, so a patch applied first may no longer take effect.
Second: How to Configure
Even when Win2K Server is installed correctly, the system still has many vulnerabilities, and further detailed configuration is required.
I. Ports
A port is the logical interface between the computer and the external network and the computer's first line of defense; correct port configuration has a direct bearing on host security.
II. IIS
IIS is the most problem-prone of Microsoft's components, with a new vulnerability every two or three months on average, and Microsoft's default IIS installation is nothing to admire, so IIS configuration is our focus.
First, delete the Inetpub directory on the C: drive, create a new Inetpub on the D: drive, and point the home directory to D:\Inetpub in IIS Manager.
Second, delete the default Scripts and other virtual directories created by the IIS installation; any directory you need can be created later with just the permissions it requires (pay special attention to write permission and permission to execute programs).
Next comes the application configuration. In IIS Manager, delete all unused application mappings (you must keep the ones you need, such as ASP and ASA): go to host → Properties → WWW Service → Edit → Home Directory → Configuration → Application Mappings and remove them there. Then, on the Application Debugging tab, change the script error messages to send a text message instead. When you click "OK" to exit, don't forget to let the virtual sites inherit the properties you just set.
Finally, as insurance, use the IIS backup feature to back up all the settings you just made so that the secure IIS configuration can be restored at any time. Also, if you worry that an IIS overload will crash the server, you can enable CPU limits under Performance, for example capping IIS at 70% of the CPU.
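The mapping cleanup and error-message change above can also be scripted against the IIS 5 metabase through its ADSI provider, which is useful when hardening several servers the same way. This is an added example, not code from the original article; it assumes the master WWW service path IIS://localhost/W3SVC and an allow-list of .asp and .asa, and it must be run with cscript as an administrator.

```vbscript
' Added example (not from the original article): trims the master IIS 5
' application mappings down to an allow-list and switches ASP script errors
' to the plain text message, so browsers no longer see paths or source lines.
' Assumptions: master WWW path IIS://localhost/W3SVC, allow-list .asp/.asa.
' Run with:  cscript harden-iis.vbs
Option Explicit

Dim keep, www, maps, newMaps, parts, i, ext, count
keep = Array(".asp", ".asa")     ' extensions this server really serves

Set www = GetObject("IIS://localhost/W3SVC")
maps = www.ScriptMaps            ' each entry: "ext,dll path,flags,verbs"

ReDim newMaps(UBound(maps))
count = 0
For i = 0 To UBound(maps)
    parts = Split(maps(i), ",")
    ext = LCase(parts(0))
    If IsKept(ext) Then
        newMaps(count) = maps(i)
        count = count + 1
    Else
        WScript.Echo "removing mapping: " & ext
    End If
Next

If count = 0 Then
    WScript.Echo "allow-list matched nothing; leaving mappings untouched"
Else
    ReDim Preserve newMaps(count - 1)
    www.ScriptMaps = newMaps
End If

' Send a generic text message instead of detailed ASP error output.
www.AspScriptErrorSentToBrowser = False
www.AspScriptErrorMessage = "An error occurred on the server."
www.SetInfo                      ' persist the changes to the metabase
WScript.Echo "kept " & count & " mapping(s); restart W3SVC to apply"

Function IsKept(e)
    Dim k
    IsKept = False
    For Each k In keep
        If k = e Then IsKept = True
    Next
End Function
```

Sites or virtual directories that already carry their own ScriptMaps keep them, which is the same inheritance question IIS Manager raises when you click "OK"; back up the metabase first so the change can be rolled back.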