Windows Server 2008 R2 Server System Security Defense Hardening Method (Windows Server)

Source: Internet
Author: User
Tags: file permissions, NTFS permissions, TrustedInstaller


First. Change the default terminal (Remote Desktop) port number



Steps:



1. Run regedit.
2. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] and find the PortNumber value. The default is 3389; change it to the desired port, for example 12345.
3. Go to [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp] and change its PortNumber value (default 3389) to the same custom port, 12345.



4. After the change, add an inbound firewall (IPSec) rule for the new port, restart the computer, and from then on connect to the remote desktop using port 12345.
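The same four steps as a script, added here as an example and not part of the original article: it writes the two PortNumber values named above, opens the port in Windows Firewall before the reboot, and reads both keys back so they cannot drift apart. The port 12345 is the article's example; the firewall rule name is an assumption.

```powershell
# Added example (not from the original article): change the RDP listener port in
# both registry locations the text names and open it in Windows Firewall.
# Run from an elevated PowerShell prompt on the server itself.
$NewPort = 12345   # the article's example port

$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

foreach ($Key in $Keys) {
    $Current = (Get-ItemProperty -Path $Key -Name PortNumber).PortNumber
    Write-Host "$Key : PortNumber was $Current"
    Set-ItemProperty -Path $Key -Name PortNumber -Value $NewPort -Type DWord
}

# Open the new port BEFORE restarting, otherwise the next RDP session is locked out.
# netsh is used because New-NetFirewallRule does not exist on Server 2008 R2.
# The rule name is an assumption; pick any name you like.
netsh advfirewall firewall add rule name="Remote Desktop (custom port $NewPort)" `
    dir=in action=allow protocol=TCP localport=$NewPort

# Verify: both keys must report the same port or the listener will not come up as expected
$Values = foreach ($Key in $Keys) { (Get-ItemProperty -Path $Key -Name PortNumber).PortNumber }
if (($Values | Select-Object -Unique).Count -ne 1 -or $Values[0] -ne $NewPort) {
    Write-Warning "PortNumber values do not match: $($Values -join ', ')"
} else {
    Write-Host "Both keys set to $NewPort; restart the server to apply."
}
```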




Second. NTFS Permission Settings



Attention:



1. On 2008 R2 the default owner of folders and files is TrustedInstaller, and this account also has Full Control.
2. The registry is the same: the owner is TrustedInstaller.
3. To modify file permissions, first set the Administrators group as the owner, then set the additional permissions.
4. To delete or rename a registry key, the Administrators group must likewise be set as the owner, and this must also be done on the subkeys: delete the subkeys before deleting the key itself.



Steps:



1. On drive C, grant permissions only to Administrators and SYSTEM and to nobody else; other drives can be set the same way (permissions on the web directory depend on the circumstances).
2. The SYSTEM permission given here is not strictly necessary; it is only because some third-party applications start as a service under this account and will not start without it.



The Windows directory should keep its default permissions for Users, otherwise applications such as ASP and ASPX will not run (if you are using IIS, this concerns the DLL files under Windows).



3. C:\Users: grant permissions only to Administrators and SYSTEM.
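Steps 1 to 3 applied to one directory with the built-in takeown and icacls tools, followed by an audit of the resulting ACL, added here as an example that is not from the original article. The target path is a placeholder; the article applies the rule to C:\ and C:\Users, so try it on a test directory first.

```powershell
# Added example (not from the original article): apply the "Administrators and
# SYSTEM only" rule to one directory and audit the result. Run elevated.
$Target = 'D:\wwwroot-test'   # placeholder path, not from the article

# 1. Take ownership as the Administrators group (needed while the owner is TrustedInstaller)
takeown /F $Target /A /R /D Y | Out-Null

# 2. Drop inherited ACEs, grant only Administrators and SYSTEM (Full Control,
#    inherited by subfolders (CI) and files (OI)), and strip the usual broad groups
icacls $Target /inheritance:r | Out-Null
icacls $Target /grant:r 'Administrators:(OI)(CI)F' 'SYSTEM:(OI)(CI)F' /T /C | Out-Null
icacls $Target /remove:g Users 'Authenticated Users' Everyone /T /C | Out-Null

# 3. Audit: return every access entry whose identity is not on the allow-list
function Get-UnexpectedAce {
    param(
        [string]$Path,
        [string[]]$Allowed = @('BUILTIN\Administrators', 'NT AUTHORITY\SYSTEM')
    )
    $acl = Get-Acl -Path $Path
    $acl.Access | Where-Object { $Allowed -notcontains $_.IdentityReference.Value }
}

$bad = Get-UnexpectedAce -Path $Target
if ($bad) {
    Write-Warning "Unexpected ACEs remain on ${Target}:"
    $bad | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
} else {
    Write-Host "$Target grants access only to Administrators and SYSTEM."
}
```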



Third. Delete the default shares



Steps:



1. Open a command prompt and run net share to view the default shares.
2. Create a new text document and enter the following commands:



net share C$ /delete
net share D$ /delete
net share IPC$ /delete
net share ADMIN$ /delete
If there is a drive E, add it as well; the default share names are C$, D$, and so on. Save the file as Sharedelte.bat.



3. Run gpedit.msc, expand Computer Configuration -> Windows Settings -> Scripts (Startup/Shutdown) -> Startup, right-click -> Properties -> Add, and select Sharedelte.bat.



Other rules can be applied the same way.
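An added example, not from the original article, that removes the shares and also sets the LanmanServer AutoShareServer value so the Server service does not recreate them at the next start, which is what the startup script above works around. IPC$ is not controlled by that value and is always recreated.

```powershell
# Added example (not from the original article): delete the administrative
# shares and stop the Server service from re-creating them. Run elevated.
$Params = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# What is shared right now (Type values of 2147483648 and above are the hidden admin shares)
$shares = Get-WmiObject Win32_Share
$shares | Format-Table Name, Path, Type -AutoSize

# Delete every <drive>$ and ADMIN$ share that exists; IPC$ and user shares are left alone
foreach ($s in $shares) {
    if ($s.Name -match '^[A-Z]\$$' -or $s.Name -eq 'ADMIN$') {
        net share $s.Name /delete
    }
}

# Prevent re-creation on the next start of the Server service (effective after restart)
Set-ItemProperty -Path $Params -Name AutoShareServer -Value 0 -Type DWord

# Verify: any drive or ADMIN$ share still defined is reported
$left = Get-WmiObject Win32_Share | Where-Object { $_.Name -match '^([A-Z]\$|ADMIN\$)$' }
if ($left) {
    Write-Warning "Admin shares still present: $($left.Name -join ', ')"
} else {
    Write-Host 'No drive or ADMIN$ shares defined; AutoShareServer=0 keeps them from returning.'
}
```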



Fourth. IPSec Policy
Take the remote terminal as an example:
1. Control Panel -> Windows Firewall -> Advanced Settings -> Inbound Rules -> New Rule -> Port -> Specific port, TCP (for example 3389) -> Allow the connection.
2. When done, right-click the rule -> Scope -> Local IP address: Any IP address; Remote IP address: These IP addresses -> add the administrator's IP.
Other ports can use the same method to restrict access to specific network segments (for example port 80).
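The same scope restriction done with netsh, which is the command-line tool available on Server 2008 R2, added as an example that is not part of the original article; the rule name and the management addresses are assumptions to replace with your own.

```powershell
# Added example (not from the original article): limit an inbound allow rule to
# the administrator's addresses, as step 2 above does in the GUI. Run elevated.
$RuleName  = 'Remote Desktop (custom port 12345)'   # placeholder: the rule created in step 1
$AdminNets = '203.0.113.10,198.51.100.0/24'          # placeholder management IPs (documentation ranges)

# Scope the existing rule: only packets from $AdminNets match this allow rule;
# everything else falls through to the profile's default inbound block.
netsh advfirewall firewall set rule name="$RuleName" dir=in new remoteip=$AdminNets

# Verify: show the rule and warn if its RemoteIP field is still "Any"
$rule = netsh advfirewall firewall show rule name="$RuleName" verbose
$rule
if (-not $rule -or ($rule -match '^Rule Name:') -eq $null) {
    Write-Warning "Rule '$RuleName' was not found; create it first (step 1)."
} elseif ($rule -match '^RemoteIP:\s+Any') {
    Write-Warning "Rule '$RuleName' still accepts connections from any source."
} else {
    Write-Host "Rule '$RuleName' is limited to $AdminNets."
}
```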






For other settings, refer to the Win2003 security optimization guide.






Security Hardening Supplement for Windows 2008 R2 Servers



I recently hosted a 2U server at a data center and installed Windows 2008, intending to use IIS as a web server, so unnecessary ports and services need to be shut down to reduce risk.



I found that there is too little valuable material online; many people just repost what others have reposted and learn without thinking, with no nutrition in it. So I summarized it myself; the steps are roughly as follows:



1. How do I turn off IPv6?



Domestic and foreign websites basically agree on this point, all based on the following two steps. It is said that the loopback route is still not closed after doing this. But after shutting it down I found that some ports were still listening on both IPv4 and IPv6, especially port 135: IPv4 was closed, but IPv6 was unexpectedly still open. Unbelievable.



Turn it off under Network Connections -> Local Area Connection -> Properties -> Internet Protocol Version 6 (TCP/IPv6)



Then modify the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters, add a DWORD entry named DisabledComponents with value FFFFFFFF (hexadecimal, eight Fs)



Restart the server to turn off IPv6.



2. How do I close port 135?



This wretched port is the RPC service port; it had many problems in the past and there seem to be no holes now, but I still have a lingering fear of it, so I want to shut it off:



Start -> Run -> dcomcnfg -> Component Services -> Computers -> My Computer -> Properties -> Default Properties -> uncheck "Enable Distributed COM on this computer" -> Default Protocols -> remove "Connection-oriented TCP/IP"



But even after the above, I felt that 135 could still be seen in the LISTENING state, so you can also try this.



Execute in cmd: netsh rpc add 127.0.0.0, so that port 135 listens only on 127.0.0.1.



3. How do I close port 445?



Port 445 is a service port that NetBIOS uses to resolve machine names within a LAN; a typical server does not need to expose any shares to the LAN, so it can be turned off.



Modify the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters, then add a DWORD named SMBDeviceEnabled with value 0



4. Turn off the NetBIOS service (closes port 139)



Network Connections -> Local Area Connection -> Properties -> Internet Protocol Version 4 -> Properties -> Advanced -> WINS -> Disable NetBIOS over TCP/IP



5. Turn off LLMNR (closes port 5355)



What is LLMNR? Link-Local Multicast Name Resolution, also called multicast DNS, is used to resolve names on the local network segment, but it occupies port 5355.



Turn it off with Group Policy: Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Turn off multicast name resolution -> Enabled



There is another method that I did not try; if Group Policy management is not available you can try it: modify the registry under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient and create a new DWORD entry named EnableMulticast with value 0



6. Shut down the Windows Remote Management service (closes port 47001)



The Windows Remote Management service is used together with IIS for managing hardware; it is generally not used, but having port 47001 open is very uncomfortable. Closing it is very simple: disable the service.



7. Turn off UDP 500 and UDP 4500



These two ports had me searching for half a day; I knew they should be VPN-related but did not know which service was using them. Finally I found that the IKE and AuthIP IPsec Keying Modules service is the culprit. If your server does not run an IKE-authenticated VPN service, you can shut it down. (I use PPTP to connect to the VPN, so I turned IPsec and IKE off.)



8. Delete File and Printer Sharing



Network Connections -> Local Area Connection -> Properties, and uncheck everything except "Internet Protocol Version 4".



9. Turn off file and printer sharing



Stop the "Server" service directly and set it to Disabled; after restarting, right-click a disk, choose Properties, and the "Sharing" page no longer exists.
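An added example, not from the original article, for checking the result of the nine steps above: it lists every listening TCP and UDP endpoint together with the owning process and the services hosted in that process, which is exactly the question step 7 had to answer by hand, and warns about any of the ports discussed that are still open. It uses only netstat and WMI, so it runs on the PowerShell 2.0 that ships with Server 2008 R2.

```powershell
# Added example (not from the original article): map listening ports to their
# owning process and services, then flag the ports the steps above should close.
function Get-ListeningEndpoint {
    # PID -> comma-separated service names (stopped services report ProcessId 0)
    $svcByPid = @{}
    foreach ($svc in Get-WmiObject Win32_Service | Where-Object { $_.ProcessId -ne 0 }) {
        $p = [int]$svc.ProcessId
        if ($svcByPid.ContainsKey($p)) { $svcByPid[$p] += ',' + $svc.Name } else { $svcByPid[$p] = $svc.Name }
    }
    # PID -> image name
    $procByPid = @{}
    foreach ($proc in Get-WmiObject Win32_Process) { $procByPid[[int]$proc.ProcessId] = $proc.Name }

    netstat -ano | ForEach-Object {
        $f = $_.Trim() -split '\s+'
        # TCP rows: Proto Local Foreign State PID; UDP rows have no State column
        if ($f[0] -eq 'TCP' -and $f[3] -eq 'LISTENING') { $owner = [int]$f[4] }
        elseif ($f[0] -eq 'UDP') { $owner = [int]$f[3] }
        else { return }   # header lines and established TCP connections are skipped
        $local = $f[1]    # works for both 0.0.0.0:135 and [::]:135
        New-Object PSObject -Property @{
            Proto    = $f[0]
            Local    = $local
            Port     = [int]$local.Substring($local.LastIndexOf(':') + 1)
            OwnerPid = $owner
            Process  = $procByPid[$owner]
            Services = $svcByPid[$owner]
        }
    }
}

$endpoints = Get-ListeningEndpoint
$endpoints | Sort-Object Proto, Port | Format-Table Proto, Local, OwnerPid, Process, Services -AutoSize

# Ports the hardening steps above were meant to close
$watch = 135, 139, 445, 5355, 47001, 500, 4500
foreach ($e in $endpoints | Where-Object { $watch -contains $_.Port }) {
    Write-Warning "Still open: $($e.Proto) $($e.Local) owned by $($e.Process) [$($e.Services)]"
}
```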

