Windows Server Security: Website Server Security Settings

Source: Internet
Author: User
Tags: website server, account security, net send

In addition to the patches that vendors release, a website server needs a set of basic hardening settings that close the common weaknesses probed by the tools of unskilled attackers (the "cainiao" tools). The items below walk through them.

Basic Security Settings

1. Prepare the build environment (screen resolution, IP address and the other basic server settings). Before the server is connected to the network, disable the DCOM component service and install the device drivers.

2. Configure the server roles. Use the "Manage Your Server" wizard to configure only the service functions you actually need, such as IIS.

3. Set up the Chinese input method so that later maintenance is comfortable.

4. If you created only the system partition when installing the system, create the remaining partitions now.

To improve security, format the server's partitions as NTFS (New Technology File System). Compared with FAT16 and FAT32 it greatly improves security and space utilisation, and it is what makes file permissions, disk quotas and EFS file encryption possible. If a partition is already FAT32, convert it in place with "convert D: /fs:ntfs /v" (replace D: with the drive letter). The conversion is one-way; going back to FAT32 means reformatting.

5. Set the folder options so that system files and hidden files are displayed; this makes the file-level settings later in this article easier to do.

6. Set the virtual memory. Do not leave the paging file on drive C: move it to another disk. This saves valuable system-disk space and reduces reads and writes on drive C.

7. Set power management. Obviously a server must not shut down or go to sleep automatically after xx minutes.
8. System service optimisation. Many services are enabled by default that the server does not need, and some of them weaken its security. Decide which services to keep based on what the server actually provides, and disable the rest to improve both security and efficiency. Before disabling any service, check which other services depend on it; stopping a service takes its dependents down with it. Candidates for disabling on a dedicated web server:
Computer Browser: maintains and serves the list of computers on the network
Task Scheduler: runs programs at a specified time (some backup and management tools depend on it)
Routing and Remote Access: provides routing and dial-in/VPN services for enterprises
Removable Storage: manages removable media, drives and libraries
Remote Registry Service: allows the registry to be edited remotely
Print Spooler: loads files into memory for later printing; leave it running if the server needs to print
IPsec Policy Agent: manages IP security policies and starts the ISAKMP/Oakley (IKE) service and the IP security driver; keep it if you use IPsec
Distributed Link Tracking Client: sends notifications when files are moved between NTFS volumes in a network domain
COM+ Event System: delivers events automatically to subscribing COM components
Alerter: notifies selected users and computers of administrative alerts
Error Reporting Service: collects, stores and reports application faults to Microsoft
Messenger: carries net send and Alerter service messages between clients and servers
Telnet: allows remote users to log on to this computer and run programs
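As an added example that is not part of the original article, the following PowerShell script disables the services listed above on a current Windows version. It assumes Windows PowerShell 5.1 or later and an elevated session; several of the services (Alerter, Messenger, Error Reporting, Removable Storage) no longer exist after Windows Server 2003 and are simply skipped. It records the previous state to a CSV file first and refuses to disable any service that still has running dependents, which is the check the list above does not make for you.

```powershell
# Added example, not from the original article. Run in an elevated PowerShell 5.1+ session.
# Short service names for the display names listed in the text; names that do not exist
# on the current Windows version are skipped.
$services = @(
    'Browser',         # Computer Browser
    'Schedule',        # Task Scheduler (backup and management tools often depend on it)
    'RemoteAccess',    # Routing and Remote Access
    'NtmsSvc',         # Removable Storage (removed after Server 2003)
    'RemoteRegistry',  # Remote Registry Service
    'Spooler',         # Print Spooler (keep if the server prints)
    'PolicyAgent',     # IPsec Policy Agent (keep if you use IPsec)
    'TrkWks',          # Distributed Link Tracking Client
    'EventSystem',     # COM+ Event System (many later services depend on it)
    'Alerter',         # Alerter (removed after Server 2003)
    'ERSvc',           # Error Reporting Service (removed after Server 2003)
    'Messenger',       # Messenger, carries net send (removed after Server 2003)
    'TlntSvr'          # Telnet
)

# 1. Record the current state so the change can be reverted.
$before = foreach ($name in $services) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { Write-Host "skip $name (not installed)"; continue }
    $mode = (Get-CimInstance Win32_Service -Filter "Name='$name'").StartMode
    [pscustomobject]@{ Name = $name; Status = [string]$svc.Status; StartMode = $mode }
}
$backup = Join-Path $env:TEMP 'services-before.csv'
$before | Export-Csv -Path $backup -NoTypeInformation
Write-Host "previous state saved to $backup"

# 2. Stop and disable, but never pull a service out from under a running dependent.
foreach ($entry in $before) {
    $svc = Get-Service -Name $entry.Name
    $dependents = @($svc.DependentServices | Where-Object { $_.Status -eq 'Running' })
    if ($dependents.Count -gt 0) {
        Write-Warning ("leaving {0} alone: running dependents {1}" -f $entry.Name, ($dependents.Name -join ', '))
        continue
    }
    if ($svc.Status -ne 'Stopped') { Stop-Service -Name $entry.Name -Force }
    Set-Service -Name $entry.Name -StartupType Disabled
    Write-Host ("{0}: {1}/{2} -> Stopped/Disabled" -f $entry.Name, $entry.Status, $entry.StartMode)
}

# 3. Verify the result.
if ($before) {
    Get-CimInstance Win32_Service -Filter ("Name='" + ($before.Name -join "' OR Name='") + "'") |
        Select-Object Name, State, StartMode | Format-Table -AutoSize
}
```

To undo a change, read the saved CSV and call Set-Service with the recorded StartMode for each service.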

9. Change the Terminal Services port and security settings. Terminal Services listens on TCP port 3389 by default and is the convenient way to manage the server remotely; the client side is the "Remote Desktop Connection" program on your computer. If you cannot find it, it can also be obtained from http://www.xtit.net/d

Because 3389 is the first port every scanner and attack tool tries, do not leave remote management on it. Moving the port only hides the listener from casual scans (a full port scan still finds it), so it supplements the strong passwords and account-lockout settings later in this article rather than replacing them. Changing the port requires a restart of the server to take effect, and the order matters: do not restart immediately after changing 3389. First open the new port in the firewall (and in any TCP/IP filtering you have set up), then restart. Otherwise you can no longer connect remotely and will have to go to the IDC (data centre) to fix it at the console.

How to change the Remote Desktop port:

Step 1: Open the Registry Editor: Start > Run > regedit.

Step 2: Find the key that holds the default port 3389:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Step 3: Select RDP-Tcp and look for the value PortNumber in the right-hand pane. It is a REG_DWORD whose data is 3389 (shown in hexadecimal as 0xd3d).

Right-click PortNumber, choose Modify, select the Decimal base, replace 3389 with the port you want (for example 3721), then switch back to Hexadecimal if you wish (the editor converts the number automatically) and click OK.

There is a second place to check:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations

Under it there may be one or more child keys besides RDP-Tcp (one per RDP listener you have created); change PortNumber in each of them to the same value.

After the restart described above, the port has been changed.
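The same change scripted, as an added example that is not part of the original article. It assumes Windows 8 / Server 2012 or later (the NetSecurity and NetTCPIP modules) and an elevated session; 3721 is just the number used in the text above. It does the steps in the safe order the text insists on: check the port is free, open it in the firewall, write the registry value, read it back, and only then tell you to reboot.

```powershell
# Added example, not from the original article. Assumes Windows 8 / Server 2012 or later
# (NetSecurity and NetTCPIP modules) and an elevated session. 3721 is the number used in
# the text above; pick your own.
$NewPort = 3721
$key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

if ($NewPort -lt 1024 -or $NewPort -gt 65535) { throw "choose a port between 1024 and 65535" }
$busy = Get-NetTCPConnection -LocalPort $NewPort -State Listen -ErrorAction SilentlyContinue
if ($busy) { throw "TCP $NewPort is already in use by PID $($busy.OwningProcess)" }

$old = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
Write-Host ("current RDP port: {0} (0x{0:x})" -f $old)

# 1. Firewall first, so the server is reachable after the reboot. The built-in
#    "Remote Desktop" rules only cover 3389; this adds the new port on the domain
#    and private profiles, not on public.
New-NetFirewallRule -DisplayName "Remote Desktop (TCP $NewPort)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -Action Allow -Profile Domain, Private | Out-Null

# 2. Change the listener. PortNumber is a REG_DWORD; regedit shows 3389 as 0xd3d.
Set-ItemProperty -Path $key -Name PortNumber -Value $NewPort -Type DWord

# 3. Read it back before rebooting; only reboot once this matches.
$now = (Get-ItemProperty -Path $key -Name PortNumber).PortNumber
if ($now -ne $NewPort) { throw "registry write did not take effect" }
Write-Host ("PortNumber is now {0} (0x{0:x}); the change applies after a reboot" -f $now)
Write-Host "after confirming you can connect on $NewPort, disable the built-in 3389 rules with:"
Write-Host "  Get-NetFirewallRule -DisplayGroup 'Remote Desktop' | Disable-NetFirewallRule"
```

Leave the original 3389 firewall rules in place until you have connected successfully on the new port from another machine; removing them first recreates exactly the lock-out the text warns about.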

On logging: Terminal Services does have its own auditing. Open Terminal Services Configuration in Administrative Tools, click "Connections", right-click the RDP listener you want to configure (for example RDP-Tcp, Microsoft RDP 5.x), choose Properties and go to the "Permissions" tab. Click "Advanced" in the lower left and open the "Auditing" tab. Add the Everyone group (which stands for all users), then audit success and failure of "Connect", "Disconnect", "Logoff" and "Logon"; that is enough. Auditing more than this only produces noise. These entries are written to the Security log, which you can read in Administrative Tools > Event Viewer, and they are only generated if "Audit object access" is enabled in the audit policy (item 24 below).
From now on it is clear who logged on and when.

10. If you replace the server, copy the files from the old server to the new one. When the copy is complete, scan the copied files for viruses and trojans before putting them into service.

 

11. Account Security Settings

Rename the Guests group.

Rename the default administrator account, Administrator, and then create a decoy account named Administrator that looks like the built-in one but is only a member of the Guests group. Failed logons against the decoy show up in the Security log and tell you that someone is probing. Note that renaming does not change the built-in account's SID (it always ends in RID 500), so tools that look accounts up by SID are not fooled; the rename works against tools that guess by name.

Disable the Guest account, rename it to a complex name and give it a complex password. Set the account lockout threshold so that repeated wrong passwords lock the account (item 24), and set the policy that stops the system from displaying the user name of the last logon.
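The account changes above, scripted as an added example that is not part of the original article. It assumes Windows 10 / Server 2016 or later (the Microsoft.PowerShell.LocalAccounts module), a stand-alone or member server (on a domain controller these are domain accounts and the AD cmdlets apply instead), an elevated session, and that "SrvAdmin" and "svc_unused" are the names you chose for the real administrator and the renamed Guest; both names are assumptions. It finds the built-in accounts by RID rather than by name, so it keeps working after the rename.

```powershell
# Added example, not from the original article. Assumes Windows 10 / Server 2016 or later
# (Microsoft.PowerShell.LocalAccounts) on a stand-alone or member server, an elevated
# session, and that 'SrvAdmin' / 'svc_unused' are the names you chose (assumptions here).
$NewAdminName = 'SrvAdmin'
$NewGuestName = 'svc_unused'

# Built-in accounts are found by SID, not by name: Administrator is RID 500, Guest is 501.
# Renaming does not change the SID, so tools that look up RID 500 still find the real one.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-500' }
$builtinGuest = Get-LocalUser | Where-Object { $_.SID.Value -like 'S-1-5-21-*-501' }

function New-RandomPassword {
    # 32 bytes from the OS CSPRNG, base64-encoded: a password nobody is meant to type.
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. Rename the real administrator.
if ($builtinAdmin.Name -ne $NewAdminName) {
    Rename-LocalUser -Name $builtinAdmin.Name -NewName $NewAdminName
}

# 2. Decoy "Administrator": a plain account in Guests, never a member of Administrators.
if (-not (Get-LocalUser -Name 'Administrator' -ErrorAction SilentlyContinue)) {
    New-LocalUser -Name 'Administrator' -Password (New-RandomPassword) -PasswordNeverExpires `
        -Description 'decoy; any logon attempt here is hostile' | Out-Null
    Add-LocalGroupMember -Group 'Guests' -Member 'Administrator'
}

# 3. Guest: rename it, give it a password it will never use, and disable it.
if ($builtinGuest.Name -ne $NewGuestName) {
    Rename-LocalUser -Name $builtinGuest.Name -NewName $NewGuestName
}
Set-LocalUser -Name $NewGuestName -Password (New-RandomPassword)
Disable-LocalUser -Name $NewGuestName

# 4. Do not show the last logged-on user name at the logon screen.
$pol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
Set-ItemProperty -Path $pol -Name DontDisplayLastUserName -Value 1 -Type DWord

# 5. Verify: the decoy must not be in Administrators, Guest must be disabled.
$admins = (Get-LocalGroupMember -Group 'Administrators').Name
if ($admins -match '\\Administrator$') { throw 'decoy account ended up in Administrators' }
Get-LocalUser | Where-Object { $_.SID.Value -match '-(500|501)$' -or $_.Name -eq 'Administrator' } |
    Select-Object Name, Enabled, @{ n = 'RID'; e = { $_.SID.Value.Split('-')[-1] } } |
    Format-Table -AutoSize
```

The verification table should show the RID 500 account under its new name and enabled, the RID 501 account disabled, and "Administrator" with an ordinary RID (1000 or higher).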

12. Preliminary full permission settings

For Windows Server, disk (NTFS) permissions are the most important part of the security configuration, so set the permissions on each partition as shown in the figure (the figure is not reproduced here). Follow the principle of minimisation: grant each partition the minimum permissions that still let the services run normally. Disk permissions have to be designed together with the account settings, so the detailed configuration is left to the advanced security configuration in a later article; here only the basic full-control settings are made. My approach differs from most of those published on the Internet, which do not actually minimise: on each partition, remove every group and user except the Administrators group. Like this:

One caveat before you do that: the SYSTEM account must keep Full Control on the system partition (and on any partition holding the paging file or service data); if you remove it, services fail and the system may not boot. Remove Everyone, Users and the other broad groups, and keep Administrators and SYSTEM.

13. Important system file permission settings
Find these files on drive C (they live in C:\Windows\System32, except Regedit.exe, which is in C:\Windows) and set their security so that only the specified administrator account, or the Administrators group, has access, with Full Control. They are the tools an attacker who has obtained a low-privileged shell, for example through the IIS anonymous account, reaches for first: adding users with net, fetching files with tftp, scheduling tasks with at, and rewriting permissions with cacls. Services and scheduled tasks that run as SYSTEM still need cmd.exe and net.exe, so keep SYSTEM's access as well.
The following files are to be accessible to administrators only:
Net.exe
Net1.exe
Cmd.exe
Tftp.exe
Netstat.exe
Regedit.exe
At.exe
Attrib.exe
Cacls.exe
Format.com
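The same restriction applied with icacls, as an added example that is not part of the original article. It assumes an elevated session on Windows Vista / Server 2008 or later, where these files are owned by TrustedInstaller, so ownership is taken first. It saves each file's ACL before changing it so the change can be reverted, keeps SYSTEM as explained above, skips files that do not exist on the system (tftp.exe is an optional feature on current Windows), and finishes with a check that reports any principal other than Administrators or SYSTEM still present in the ACLs. Windows servicing can replace these files, and their ACLs, during updates, so re-run the check afterwards.

```powershell
# Added example, not from the original article. Run elevated on Vista / Server 2008 or
# later. The text keeps only administrators; SYSTEM is kept too because services and
# scheduled tasks running as LocalSystem still execute cmd.exe and net.exe.
$files = 'net.exe', 'net1.exe', 'cmd.exe', 'tftp.exe', 'netstat.exe',
         'regedit.exe', 'at.exe', 'attrib.exe', 'cacls.exe', 'format.com'
$dirs = @("$env:SystemRoot\System32", $env:SystemRoot)   # regedit.exe lives in %SystemRoot%
$backupDir = Join-Path $env:SystemDrive 'acl-backup'
New-Item -ItemType Directory -Path $backupDir -Force | Out-Null

function Resolve-Tool([string]$Name) {
    foreach ($d in $dirs) { $p = Join-Path $d $Name; if (Test-Path $p) { return $p } }
}

foreach ($name in $files) {
    $path = Resolve-Tool $name
    if (-not $path) { Write-Host "skip $name (not present on this system)"; continue }
    # Save the current ACL; restore later with: icacls <directory> /restore <saved file>
    icacls $path /save (Join-Path $backupDir "$name.acl") /q | Out-Null
    takeown /f $path /a | Out-Null     # /a: the Administrators group becomes the owner
    # /inheritance:r drops inherited entries, /grant:r replaces the explicit ones
    icacls $path /inheritance:r /grant:r 'Administrators:(F)' 'SYSTEM:(F)' /q | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "icacls failed on $path"; continue }
    Write-Host "hardened $path"
}

# Verify: any ACE for a principal other than Administrators or SYSTEM is a finding.
$findings = foreach ($name in $files) {
    $path = Resolve-Tool $name
    if (-not $path) { continue }
    (Get-Acl $path).Access |
        Where-Object { $_.IdentityReference -notmatch '^(BUILTIN\\Administrators|NT AUTHORITY\\SYSTEM)$' } |
        ForEach-Object {
            [pscustomobject]@{ File = $path; Principal = $_.IdentityReference; Rights = $_.FileSystemRights }
        }
}
if ($findings) { $findings | Format-Table -AutoSize }
else { Write-Host 'all listed files are restricted to Administrators and SYSTEM' }
```

Test the web application after this step: an application pool or CGI script that legitimately shells out to cmd.exe will start failing, and that failure is the point of the restriction, not a bug in it.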

14. Install anti-virus software. There are many anti-virus products, but one for a server must be secure, stable and reliable. Symantec AntiVirus is recommended.

15. Firewall testing and preliminary setup. Third-party firewall software is not recommended; the built-in Windows firewall is quite capable and works well together with TCP/IP filtering (item 21).

16. Configure IIS and the related services. IIS security configuration is covered in a separate chapter.

17. Test IIS and FTP. Make sure the services work normally before going further.

18. Keep only the TCP/IP protocol on the network adapter and remove all the others.

19. Delete the two subdirectories under C:\Windows\Web.

20. Disable NetBIOS over TCP/IP: Network Connections > Local Area Connection > Properties > Advanced > WINS tab > "Disable NetBIOS over TCP/IP" > OK. This stops the server answering on TCP 139 and UDP 137/138; file sharing, if you need it at all, still works over TCP 445.

 

21. TCP/IP filtering: network adapter properties > Internet Protocol (TCP/IP) > Properties > Advanced > Options > TCP/IP filtering > Properties.

IP filtering has three lists:

List 1, TCP ports:

Permit only (add the ports for the services this server actually provides):

80 (WWW service)

21 (default FTP; note that FTP data connections use additional ports)

53 (DNS service)

25 (SMTP, mail delivery)

110 (POP3, mailbox access)

plus the port of your remote terminal (the default 3389, or whatever you changed it to in item 9, for example 6666).

List 2, UDP ports:

Leave this at "Permit all". TCP/IP filtering is stateless, so restricting UDP also drops the replies to the server's own DNS queries, and the server can no longer open web pages or do other outbound work (safer, of course, but unusable). If the server runs DNS it needs UDP 53 as well, since most DNS traffic is UDP.

List 3, IP protocols:

Permit only protocol 6 (TCP). Test name resolution and outbound connections afterwards; if UDP traffic stops, add protocol 17 (UDP) to this list too.
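The list above says to add "what services are provided by this server", which is best answered by looking rather than guessing. The following PowerShell script is an added example, not part of the original article: it enumerates every TCP listener and UDP endpoint that is reachable from the network and reports the ones not covered by the allow-list from the text (80, 21, 53, 25, 110 and the RDP port, assumed here to still be 3389). It assumes Windows 8.1 / Server 2012 R2 or later (Get-NetTCPConnection and Get-NetUDPEndpoint with owning-process information) and an elevated session.

```powershell
# Added example, not from the original article. Assumes Windows 8.1 / Server 2012 R2 or
# later and an elevated session (needed to see owning processes). The allow-list mirrors
# the text; 3389 assumes the RDP port was not moved (item 9).
$allowedTcp = @{ 80 = 'HTTP'; 21 = 'FTP'; 53 = 'DNS'; 25 = 'SMTP'; 110 = 'POP3'; 3389 = 'RDP' }
$allowedUdp = @{ 53 = 'DNS (most queries and replies are UDP)' }

function Get-ProcName([int]$ProcessId) {
    $p = Get-Process -Id $ProcessId -ErrorAction SilentlyContinue
    if ($p) { $p.ProcessName } else { "pid $ProcessId" }
}

$findings = @()

# Loopback-only listeners are not reachable from the network and are skipped.
foreach ($c in Get-NetTCPConnection -State Listen) {
    if ($c.LocalAddress -in '127.0.0.1', '::1') { continue }
    if (-not $allowedTcp.ContainsKey([int]$c.LocalPort)) {
        $findings += [pscustomobject]@{
            Proto = 'TCP'; Port = $c.LocalPort; Address = $c.LocalAddress
            Process = Get-ProcName $c.OwningProcess
        }
    }
}
foreach ($u in Get-NetUDPEndpoint) {
    if ($u.LocalAddress -in '127.0.0.1', '::1') { continue }
    if (-not $allowedUdp.ContainsKey([int]$u.LocalPort)) {
        $findings += [pscustomobject]@{
            Proto = 'UDP'; Port = $u.LocalPort; Address = $u.LocalAddress
            Process = Get-ProcName $u.OwningProcess
        }
    }
}

if ($findings) {
    Write-Host 'Listeners not covered by the allow-list (add them to the filter or stop the service):'
    $findings | Sort-Object Proto, Port, Address | Format-Table -AutoSize
} else {
    Write-Host 'every network-reachable listener is in the allow-list'
}
```

Expect to see TCP 135 (RPC), 445 (SMB) and the UDP ports of NetBIOS, DHCP and LLMNR on a fresh install; each of those is either a service to disable (items 8 and 20) or a port to consciously leave out of the filter.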

22. Remove unnecessary shares and block anonymous enumeration

Anonymous (null-session) enumeration of SAM accounts and shares must not be allowed (this can also be set in Local Security Policy).

Procedure: run regedit.

(1) Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters add a value:

Name: AutoShareServer

Type: REG_DWORD

Value: 0

This stops the administrative shares (C$, D$ and ADMIN$) being recreated at startup; IPC$ cannot be removed this way.

(2) Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa add a value:

Name: RestrictAnonymous

Type: REG_DWORD

Value: 1

A value of 0 is the default and restricts nothing; 1 blocks anonymous enumeration of accounts and shares, which is the same setting item 26 repeats below.

23. Modify some system startup and recovery settings

Procedure: Control Panel > System > Advanced > Startup and Recovery > Settings: untick "Display list of operating systems", untick "Send an administrative alert", set "Write debugging information" to none, then OK.

24. Security log configuration

Open Local Security Policy > Audit Policy and enable the corresponding audits. The recommended settings are:

Audit account management: failure

Audit logon events: success, failure

Audit object access: failure

Audit policy change: failure

Audit privilege use: failure

Audit system events: success, failure

Audit directory service access: failure

Audit account logon events: failure

Under Account Policies > Password Policy set:

Password must meet complexity requirements: enabled

Minimum password length: 6 characters (the minimum this article settles for; Microsoft's current guidance is 14 characters or more)

Enforce password history: 5 passwords remembered

Maximum password age: 30 days

Under Account Policies > Account Lockout Policy set:

Account lockout threshold: 3 invalid logon attempts

Account lockout duration: 20 minutes

Reset account lockout counter after: 20 minutes

A threshold as low as 3 means that anyone who can reach a logon prompt can lock accounts out at will, including the renamed administrator account over RDP; if that denial of service matters more to you than brute-force protection, use a higher threshold.
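The same policies set from the command line, as an added example that is not part of the original article, with the values read back at the end so they can be compared against the list above. It assumes an elevated session on Windows Vista / Server 2008 or later (auditpol.exe) on a stand-alone or member server; on a domain the equivalent settings belong in Group Policy. net accounts cannot set password complexity, so that one value is set by exporting the local policy with secedit, editing it, and importing it again.

```powershell
# Added example, not from the original article. Assumes an elevated session on Windows
# Vista / Server 2008 or later, stand-alone or member server. Values are the article's.
$audit = @(
    @{ Category = 'Account Management'; Success = 'disable'; Failure = 'enable' },
    @{ Category = 'Logon/Logoff';       Success = 'enable';  Failure = 'enable' },
    @{ Category = 'Object Access';      Success = 'disable'; Failure = 'enable' },
    @{ Category = 'Policy Change';      Success = 'disable'; Failure = 'enable' },
    @{ Category = 'Privilege Use';      Success = 'disable'; Failure = 'enable' },
    @{ Category = 'System';             Success = 'enable';  Failure = 'enable' },
    @{ Category = 'DS Access';          Success = 'disable'; Failure = 'enable' },
    @{ Category = 'Account Logon';      Success = 'disable'; Failure = 'enable' }
)
foreach ($a in $audit) {
    $argList = '/set', "/category:$($a.Category)", "/success:$($a.Success)", "/failure:$($a.Failure)"
    & auditpol.exe @argList | Out-Null
    if ($LASTEXITCODE -ne 0) { Write-Warning "auditpol could not set $($a.Category)" }
}

# Password and lockout policy: 6 chars, 5 remembered, 30 days, lock after 3 failures
# for 20 minutes, counter reset after 20 minutes (the window may not exceed the duration).
& net.exe accounts /minpwlen:6 /uniquepw:5 /maxpwage:30 `
    /lockoutthreshold:3 /lockoutduration:20 /lockoutwindow:20 | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning 'net accounts failed' }

# Complexity: export the local security policy, set PasswordComplexity = 1, import it.
$inf = Join-Path $env:TEMP 'secpol.inf'
$db  = Join-Path $env:TEMP 'secpol.sdb'
& secedit.exe /export /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
(Get-Content $inf) -replace '^PasswordComplexity\s*=\s*\d+', 'PasswordComplexity = 1' |
    Set-Content -Path $inf -Encoding Unicode
& secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet | Out-Null
if ($LASTEXITCODE -ne 0) { Write-Warning 'secedit import failed; see %windir%\security\logs\scesrv.log' }

# Read everything back; compare these lines with the list in the text.
& net.exe accounts
& auditpol.exe /get '/category:*'
```

The audit output lists subcategories, so a category set to "failure" shows every one of its subcategories as Failure; if a line still reads "No Auditing", the auditpol call for that category did not apply.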

25. Cancel the shutdown dialog box

Shutting down Windows Server 2003 requires a "reason" to be entered. It is easy to turn this off: press Win+R to open the Run box, enter gpedit.msc to open the Group Policy Editor, select Local Computer Policy > Computer Configuration > Administrative Templates > System, double-click "Display Shutdown Event Tracker" in the right-hand pane, and on the "Setting" tab choose "Disabled". Incidentally, if you want Windows Server 2003 to look like Windows XP, open the Services console, press T to jump to "Themes", double-click it and set the Startup type to "Automatic"; the effect appears the next time the system starts.

 

26. Registry changes that make the system stronger

1. Hide important files and directories completely. Explorer's "Show hidden files and folders" option is controlled by HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL: right-click "CheckedValue", select Modify, and change the value from 1

2. Enable the system's built-in Internet Connection Firewall and tick "Web Server (HTTP)" in its Services options.

3. Mitigate SYN flood attacks

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters create the following REG_DWORD values (they are read at boot, so reboot afterwards):

SynAttackProtect REG_DWORD 2

EnablePMTUDiscovery REG_DWORD 0 (disables path-MTU discovery; connections to non-local hosts then use a 576-byte MTU, which costs throughput)

NoNameReleaseOnDemand REG_DWORD 1

EnableDeadGWDetect REG_DWORD 0

KeepAliveTime REG_DWORD 300000 (milliseconds, i.e. 5 minutes)

PerformRouterDiscovery REG_DWORD 0

EnableICMPRedirect REG_DWORD 0

On Windows Server 2003 SP1 and later, SYN attack protection is already on by default, so SynAttackProtect mainly matters on older systems.

4. Do not respond to ICMP router advertisements

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID> (one subkey per network adapter) create a REG_DWORD value named PerformRouterDiscovery and set it to 0.

5. Ignore ICMP redirect packets

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters set EnableICMPRedirect to 0.

6. Disable IGMP

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters create a REG_DWORD value named IGMPLevel and set it to 0.

7. Disable null IPC connections

An attacker can use the net use command to set up a null session (an anonymous connection to IPC$) and work onwards from there; net view and nbtstat rely on null sessions too. Disabling them is a good idea. Open the registry, find HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and set RestrictAnonymous to 1 (the same value as in item 22).

8. Change the TTL value

An attacker can roughly guess your operating system from the TTL in ping replies. The values below are the ones the author observed; each reply carries the sender's default TTL (typically 32, 64, 128 or 255) minus one per router hop, so observed values sit a little below those defaults:

TTL = 107 (Windows NT);

TTL = 108 (Windows 2000);

TTL = 127 or 128 (Windows 9x);

TTL = 240 or 241 (Linux);

TTL = 252 (Solaris);

TTL = 240 (IRIX);

You can change it yourself: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters set DefaultTTL (REG_DWORD) to a value in the range 0-0xff (0-255 decimal; the default is 128). Pick something that matches none of the common defaults; the field is a single byte, so a value such as 258 cannot be stored. At least this leaves a less skilled attacker unsure, and some may give up. It does not defeat real fingerprinting tools, which look at many other details of the stack's behaviour.

9. Delete the default shares

Someone asked me why all of their disks were shared after startup, and why the shares came back after a reboot even though they had removed them. These are the administrative shares that Windows 2000 creates for management (C$, D$, ADMIN$); to stop them being recreated you have to edit the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters set AutoShareServer (REG_DWORD) to 0, as in item 22. On workstation editions the value is called AutoShareWks instead.

10. Do not allow null connections

By default any user can connect to the server anonymously with a null session, enumerate the accounts and then guess passwords. This is the same setting as item 7 above: set RestrictAnonymous under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa to 1.
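All of the registry values from item 22 and items 26.3 through 26.10 applied in one pass, as an added example that is not part of the original article. It assumes an elevated session and a reboot afterwards (the Tcpip values are read at boot; AutoShareServer takes effect when the Server service restarts). The value names are the real ones: the text's "Enableicmpredirects" is EnableICMPRedirect, its "mrouterdiscovery" is PerformRouterDiscovery, and RestrictAnonymous is set to 1, not the 0 that item 22 originally showed. The DefaultTTL of 200 is an arbitrary in-range choice made here, not a value from the text. Every write is recorded with its previous value so the change can be reverted, and each value is read back to confirm it stuck.

```powershell
# Added example, not from the original article. Run elevated, then reboot. DefaultTTL = 200
# is an arbitrary in-range value chosen here; the text's 258 does not fit in the byte.
$tcpip = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$settings = @(
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'; Name = 'AutoShareServer';  Value = 0 },
    @{ Key = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa';                     Name = 'RestrictAnonymous'; Value = 1 },
    @{ Key = $tcpip; Name = 'SynAttackProtect';       Value = 2 },
    @{ Key = $tcpip; Name = 'EnablePMTUDiscovery';    Value = 0 },       # costs throughput: 576-byte MTU off-subnet
    @{ Key = $tcpip; Name = 'NoNameReleaseOnDemand';  Value = 1 },
    @{ Key = $tcpip; Name = 'EnableDeadGWDetect';     Value = 0 },
    @{ Key = $tcpip; Name = 'KeepAliveTime';          Value = 300000 },  # milliseconds: 5 minutes
    @{ Key = $tcpip; Name = 'PerformRouterDiscovery'; Value = 0 },
    @{ Key = $tcpip; Name = 'EnableICMPRedirect';     Value = 0 },
    @{ Key = $tcpip; Name = 'IGMPLevel';              Value = 0 },
    @{ Key = $tcpip; Name = 'DefaultTTL';             Value = 200 }      # must be 0-255
)
# Item 26.4: router discovery is also per adapter, one GUID-named subkey each.
foreach ($iface in Get-ChildItem "$tcpip\Interfaces") {
    $settings += @{ Key = $iface.PSPath; Name = 'PerformRouterDiscovery'; Value = 0 }
}

$log = foreach ($s in $settings) {
    if ($s.Value -lt 0 -or $s.Value -gt 0xFFFFFFFF) { throw "$($s.Name): not a DWORD" }
    if (-not (Test-Path $s.Key)) { New-Item -Path $s.Key -Force | Out-Null }
    $old = (Get-ItemProperty -Path $s.Key -Name $s.Name -ErrorAction SilentlyContinue).($s.Name)
    Set-ItemProperty -Path $s.Key -Name $s.Name -Value $s.Value -Type DWord
    $new = (Get-ItemProperty -Path $s.Key -Name $s.Name).($s.Name)
    [pscustomobject]@{
        Key   = $s.Key.Split('\')[-1]   # leaf key name only, for a readable table
        Name  = $s.Name
        Old   = if ($null -eq $old) { '(absent)' } else { $old }
        New   = $new
        Ok    = ($new -eq $s.Value)
    }
}
$log | Format-Table -AutoSize
$log | Export-Csv (Join-Path $env:TEMP 'registry-hardening.csv') -NoTypeInformation
if ($log.Ok -contains $false) { throw 'one or more values did not apply' }
Write-Host 'reboot to activate the Tcpip values; AutoShareServer applies on the next Server service start'
```

RestrictAnonymous = 1 still leaves some enumeration possible on Windows XP / Server 2003 and later; those systems add RestrictAnonymousSAM (set to 1) and EveryoneIncludesAnonymous (set to 0) under the same Lsa key, which are the values behind the "Network access: Do not allow anonymous enumeration" policies in Local Security Policy. The IPC$ share itself remains, as item 22 notes.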

OK, that was a lot of information; a bit dizzy? Get up and move around, your health comes first. Your system now has a basic security baseline. Together with the security knowledge covered in the xiantian server articles that follow, I believe you can grow into a top security expert. This instalment ran a bit long, and I hope you do not mind. Of course, if you have more thoughts on server security, you are welcome to comment on this article!
