IV. Disk permission settings
Grant the C: drive to Administrators and SYSTEM only and remove every other permission; the other drives can be set the same way. SYSTEM does not strictly have to be granted here, but some third-party applications run as services and will not start without it, so add it.
The Windows directory must keep its default permissions for Users, otherwise applications such as ASP and ASPX will not run. Some people also set permissions on the INSTSRV and temp directories, but that is not actually necessary.
Note also that the subdirectories under C:\Documents and Settings\ do not inherit the settings above. If only the C: drive root is restricted to Administrators, the Everyone group still has full control of All Users\Application Data, so an intruder can jump to that directory, write a script or file there, and combine it with another weakness to escalate privileges: a Serv-U local overflow, missing system patches, database weaknesses, even social engineering and any number of other methods. Someone once boasted, "Give me a webshell and I can get SYSTEM", and that is entirely possible. On systems used as web or FTP servers it is recommended that these directories be locked down. The directories on every other drive are set the same way, and each drive is granted to Administrators only.
In addition, restrict the following executables:
net.exe (the NET command)
cmd.exe
tftp.exe
netstat.exe
regedit.exe
at.exe
attrib.exe
cacls.exe, the ACL user/group permission setting tool; this command can set any permission on any folder under NTFS!
format.exe
Everyone knows the ASP trojan (webshell): it gives a way to run cmd. If all of the above can be run from cmd, the attacker hardly needs anything else, and format alone would be enough to make you cry. Set these files to allow Administrator access only.
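As an added example that is not part of the original article, the following PowerShell script audits which of the listed tools are still reachable by ordinary users and then applies the article's restriction (Administrators only for the tools, Administrators plus SYSTEM for the drive roots). It assumes an elevated PowerShell session on the server; the drive list, the identity names and the format.com spelling (the real file name of the format utility) are assumptions. Hardening runs in dry-run mode until the -DryRun switch is removed. Two caveats: on Windows Vista and later the System32 binaries are owned by TrustedInstaller and protected by Windows Resource Protection, so Set-Acl fails there unless ownership is taken first; and restricting cmd.exe also affects any service or scheduled task that runs scripts under a non-administrator account, so read the audit output before applying.

```powershell
# Added example, not from the original article. Run from an elevated PowerShell session.
# Assumptions: drive list, identity names, and format.com as the name of the format utility.
$AdminOnly   = @('BUILTIN\Administrators')
$AdminSystem = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
$DriveRoots  = @('C:\', 'D:\')   # assumption: adjust to the drives present on the server

# Tools the article says should be reachable by administrators only.
$ToolNames = @('net.exe','cmd.exe','tftp.exe','netstat.exe','regedit.exe',
               'at.exe','attrib.exe','cacls.exe','format.com')

function Find-Tool {
    # Resolve a tool name in %SystemRoot% and %SystemRoot%\System32 (regedit.exe lives in the former).
    param([string]$Name)
    foreach ($dir in @($env:SystemRoot, (Join-Path $env:SystemRoot 'System32'))) {
        $p = Join-Path $dir $Name
        if (Test-Path -LiteralPath $p) { $p }
    }
}

function Get-WeakAce {
    # Return Allow ACEs that give Everyone or ordinary users access to the path.
    param([string]$Path)
    (Get-Acl -LiteralPath $Path).Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -match '^(Everyone|BUILTIN\\Users|NT AUTHORITY\\(Authenticated Users|INTERACTIVE))$'
    }
}

function Protect-Path {
    # Replace the DACL with FullControl for the given identities only, inheritance disabled.
    param([string]$Path, [string[]]$Identities, [switch]$DryRun)
    $acl = Get-Acl -LiteralPath $Path
    $acl.SetAccessRuleProtection($true, $false)      # break inheritance, discard inherited ACEs
    foreach ($ace in @($acl.Access)) { [void]$acl.RemoveAccessRule($ace) }
    $isDir   = Test-Path -LiteralPath $Path -PathType Container
    $inherit = if ($isDir) { 'ContainerInherit, ObjectInherit' } else { 'None' }
    foreach ($id in $Identities) {
        $rule = New-Object System.Security.AccessControl.FileSystemAccessRule(
            $id, 'FullControl', $inherit, 'None', 'Allow')
        $acl.AddAccessRule($rule)
    }
    if ($DryRun) { "DRY RUN: $Path -> $($Identities -join ', ')"; return }
    Set-Acl -LiteralPath $Path -AclObject $acl
}

# 1. Audit: which of the listed tools can non-administrators still execute?
foreach ($name in $ToolNames) {
    foreach ($path in @(Find-Tool $name)) {
        $weak = @(Get-WeakAce $path)
        if ($weak.Count -gt 0) {
            $who = ($weak | ForEach-Object { $_.IdentityReference.Value } | Sort-Object -Unique) -join ', '
            "{0}: reachable by {1}" -f $path, $who
        }
    }
}

# 2. Harden. Drive roots get Administrators + SYSTEM, the tools Administrators only,
#    as the article specifies. Remove -DryRun once the audit output looks right.
foreach ($drive in $DriveRoots) {
    if (Test-Path -LiteralPath $drive) { Protect-Path -Path $drive -Identities $AdminSystem -DryRun }
}
foreach ($name in $ToolNames) {
    foreach ($path in @(Find-Tool $name)) { Protect-Path -Path $path -Identities $AdminOnly -DryRun }
}
```

Protect-Path disables inheritance rather than editing individual entries, which is why the audit step matters: the explicit ACEs it discards are exactly the ones the article says to remove, but any service account that legitimately needed one will fail afterwards.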
V. Installation of firewall and antivirus software
To be honest, I am not sure what to install here either; install whatever you have. I suggest Kaspersky or McAfee. As for the firewall that comes with the system, I am not an expert, so I won't comment. Let's move on!
VI. SQL Server 2000 and Serv-U FTP security settings
SQL Server security
1. The System Administrators (sysadmin) role should have no more than two members.
2. If the database runs on the same machine, configure authentication to Windows login only.
3. Do not use the sa account; give it an extremely complex password.
4. Delete the following extended stored procedures, using this format:
USE master
sp_dropextendedproc 'extended_stored_procedure_name'
xp_cmdshell: the easiest way into the operating system; delete it.
Stored procedures that access the registry; delete them:
xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues,
xp_regread, xp_regwrite, xp_regremovemultistring
OLE automation stored procedures; not needed, delete them:
sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty,
sp_OAMethod, sp_OASetProperty, sp_OAStop
5. Hide SQL Server and change the default port 1433.
Right-click the instance → Properties → General → Network Configuration, select the TCP/IP protocol → Properties, choose to hide the SQL Server instance, and change the default port 1433.
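The following is an added PowerShell example, not the article's own procedure, that turns item 4 into a repeatable script: it lists which of the named extended stored procedures still exist in master, drops the ones present with sp_dropextendedproc, and lists again to confirm. It assumes osql.exe from the SQL Server 2000 client tools is on PATH and that the current Windows account is a sysadmin on the instance; the instance name is a placeholder. Two caveats: Enterprise Manager and other management tools rely on some of the registry procedures, and anything using OLE automation relies on sp_OA*, so test after dropping; and on SQL Server 2005 and later xp_cmdshell is disabled by default and is controlled with sp_configure rather than dropped.

```powershell
# Added example, not from the original article. Assumes osql.exe on PATH and a Windows
# account that is sysadmin on the instance. $Instance is a placeholder.
$Instance = '.'   # local default instance; use 'SERVER\INSTANCE' for a named instance

# Extended stored procedures the article says to remove, grouped as in the article.
$TargetProcs = @(
    'xp_cmdshell',
    'xp_regaddmultistring','xp_regdeletekey','xp_regdeletevalue','xp_regenumvalues',
    'xp_regread','xp_regwrite','xp_regremovemultistring',
    'sp_OACreate','sp_OADestroy','sp_OAGetErrorInfo','sp_OAGetProperty',
    'sp_OAMethod','sp_OASetProperty','sp_OAStop'
)

function ConvertTo-SqlList {
    # Quote names for an IN (...) list. The names are a fixed list, but quote defensively anyway.
    param([string[]]$Names)
    ($Names | ForEach-Object { "'" + ($_ -replace "'", "''") + "'" }) -join ','
}

function New-AuditBatch {
    # T-SQL that lists which target procedures still exist in master (xtype 'X' = extended proc).
    param([string[]]$Names)
    "SET NOCOUNT ON; SELECT name FROM master..sysobjects WHERE xtype = 'X' AND name IN ($(ConvertTo-SqlList $Names)) ORDER BY name"
}

function New-DropBatch {
    # T-SQL that drops each target procedure only if it is still present, so the script is re-runnable.
    param([string[]]$Names)
    $lines = @('USE master')
    foreach ($n in $Names) {
        $lines += "IF EXISTS (SELECT 1 FROM sysobjects WHERE xtype = 'X' AND name = '$n') EXEC sp_dropextendedproc '$n'"
    }
    $lines -join "`r`n"
}

function Invoke-Batch {
    # Run a batch through osql with a trusted (Windows) connection, via a temporary input file.
    param([string]$Sql)
    $tmp = [System.IO.Path]::GetTempFileName()
    Set-Content -LiteralPath $tmp -Value $Sql -Encoding ASCII
    try { & osql.exe -E -S $Instance -n -w 200 -i $tmp } finally { Remove-Item -LiteralPath $tmp }
}

"Still present before hardening:"
Invoke-Batch (New-AuditBatch $TargetProcs)
Invoke-Batch (New-DropBatch $TargetProcs)
"Still present after hardening (should be empty):"
Invoke-Batch (New-AuditBatch $TargetProcs)
```

Dropping the catalog entry does not remove the DLL that implements the procedure, so this measure only holds while items 1 to 3 above keep the sysadmin role out of reach; the second audit run is the check that the drop actually took effect.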
Several general security settings for Serv-U:
Select "Block FTP_bounce attacks and FXP". What is FXP? Normally, when a file is transferred over FTP, the client first sends a PORT command to the FTP server containing the client's IP address and the port number to be used for the data connection, and the server connects back to the address given in that command. Usually this causes no problem, but a malicious client can put some other machine's address in the PORT command, and the FTP server will then connect to that machine instead of the client. Even if the malicious user cannot reach that machine directly, if the FTP server can, the user can use the FTP server as an intermediary and still end up connecting to the target. This is FXP, also known as a cross-server (bounce) attack. Selecting this option prevents it.
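To make the check concrete, here is an added PowerShell function (not Serv-U's code) showing what the "block FTP bounce and FXP" option does on the server side: it parses the PORT argument, rejects an address that is not the client's own control-connection address, and rejects privileged ports. The client address and PORT arguments are constructed samples. Turning the option on also blocks legitimate server-to-server (FXP) transfers, which is the trade-off the setting asks you to accept.

```powershell
# Added example, not part of the original article or of Serv-U. Client address and
# PORT arguments below are constructed samples.

function Test-PortCommand {
    # Decide whether an FTP PORT command may be honoured, as a bounce/FXP-blocking server would.
    param(
        [string]$Argument,      # text after "PORT ", e.g. "192,0,2,10,19,137"
        [string]$ClientAddress  # peer address of the control connection
    )
    $parts = $Argument -split ','
    if ($parts.Count -ne 6) { return @{ Allowed = $false; Reason = 'malformed (need 6 fields)' } }
    foreach ($p in $parts) {
        if ($p -notmatch '^\d{1,3}$' -or [int]$p -gt 255) {
            return @{ Allowed = $false; Reason = "field out of range: $p" }
        }
    }
    $address = $parts[0..3] -join '.'
    $port    = ([int]$parts[4] * 256) + [int]$parts[5]
    if ($address -ne $ClientAddress) {
        return @{ Allowed = $false; Reason = "address $address differs from client $ClientAddress (bounce/FXP)" }
    }
    if ($port -lt 1024) {
        return @{ Allowed = $false; Reason = "privileged port $port" }
    }
    return @{ Allowed = $true; Reason = "data connection to ${address}:$port" }
}

# Constructed sample checks against a client connected from 198.51.100.25.
$client = '198.51.100.25'
$cases = @(
    '198,51,100,25,19,137',   # client's own address, port 19*256+137 = 5001 -> allow
    '192,0,2,10,19,137',      # third-party address                          -> reject (FXP/bounce)
    '198,51,100,25,0,25',     # client's own address but port 25             -> reject
    '198,51,100,25,300,1'     # field out of range                           -> reject
)
foreach ($c in $cases) {
    $r = Test-PortCommand -Argument $c -ClientAddress $client
    "{0,-24} {1,-7} {2}" -f $c, $(if ($r.Allowed) { 'allow' } else { 'reject' }), $r.Reason
}
```

The address comparison is the part that stops the bounce; the port check is the common companion rule, since a redirected data connection to a low port is how the FTP server gets turned into a relay to another service.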
VII. IIS security settings
IIS security:
1. Do not use the default web site; if you do use it, keep the IIS directory off the system drive.
2. Delete the Inetpub directory that IIS creates by default (on the system drive).
3. Delete the virtual directories under the system drive, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin and MSADC.
4. Remove unnecessary IIS extension mappings.
Right-click the Default Web Site → Properties → Home Directory → Configuration to open the application window, and remove the unnecessary application mappings, mainly .shtml, .shtm and .stm.
5. Change the path of the IIS logs.
Right-click the Default Web Site → Properties → Web Site tab → click Properties under Enable Logging.
6. On Windows 2000, use IISLockdown to protect IIS; on Windows 2003 running IIS 6.0 it is not needed.
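Items 4 and 5 can be scripted against the IIS 5/6 metabase instead of clicked through. The following is an added PowerShell example, not from the article, that lists the Default Web Site's script mappings, removes the .shtml, .shtm and .stm ones, and moves the log directory off the system drive. It assumes the IIS ADSI provider on the local machine, an elevated session, and that the Default Web Site is instance W3SVC/1 (the usual case); the log path is a placeholder. IIS 7 and later use a different configuration store (appcmd or the WebAdministration module), so this applies to the Windows 2000/2003 systems the article covers.

```powershell
# Added example, not from the original article. Assumes IIS 5/6 with the ADSI provider,
# an elevated session, and the Default Web Site as W3SVC/1. $LogDir is a placeholder.
$SiteId  = 1
$DropExt = @('.shtml', '.shtm', '.stm')   # the mappings the article singles out
$LogDir  = 'D:\IISLogs'                   # placeholder: any directory off the system drive

function Get-ScriptMap {
    # Each metabase ScriptMaps entry is "ext,dll-path,flags[,verbs]".
    param([int]$Id)
    $root = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    @($root.ScriptMaps) | ForEach-Object { [string]$_ }
}

function Remove-ScriptMap {
    # Drop mappings whose extension is in the list; return the entries that were removed.
    param([int]$Id, [string[]]$Extensions)
    $root    = [ADSI]"IIS://localhost/W3SVC/$Id/Root"
    $current = @($root.ScriptMaps) | ForEach-Object { [string]$_ }
    $removed = @($current | Where-Object { $Extensions -contains ($_ -split ',')[0].ToLower() })
    $keep    = @($current | Where-Object { $removed -notcontains $_ })
    if ($removed.Count -gt 0) {
        $root.Put('ScriptMaps', [string[]]$keep)
        $root.SetInfo()
    }
    $removed
}

function Set-LogDirectory {
    # Point the site's W3C logs at a directory off the system drive and read the value back.
    param([int]$Id, [string]$Path)
    if (-not (Test-Path -LiteralPath $Path)) { New-Item -ItemType Directory -Path $Path | Out-Null }
    $site = [ADSI]"IIS://localhost/W3SVC/$Id"
    $site.Put('LogFileDirectory', $Path)
    $site.SetInfo()
    [string]$site.LogFileDirectory
}

"Mappings before:"; Get-ScriptMap -Id $SiteId
"Removed:";         Remove-ScriptMap -Id $SiteId -Extensions $DropExt
"Log directory now: " + (Set-LogDirectory -Id $SiteId -Path $LogDir)
```

Listing the mappings before removing any is the useful part for review: every remaining entry is a handler that can be reached by uploading a file with that extension, so the list should be as short as the hosted application allows.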
VIII. Other
1. Keep the system updated: apply operating system patches, especially the IIS 6.0 patches, the SQL Server SP3a patch and even the IE 6.0 patches, and keep tracking the latest vulnerability patches.
2. Disable the Guest account and give it an extremely complex password; rename or disguise the Administrator account!