Windows Server 2008 R2 general security settings and basic security policies

Source: Internet
Author: User

When I first bought a Tencent Cloud server, the only Windows option was Windows Server 2008 R2. I had been using Windows Server 2003 and was not very familiar with 2008, so I searched the Internet for basic settings and basic security policies and collected roughly the following 17 points. If I have missed anything, please suggest it!

The most important points:

1. Change the default administrator username and use a complex password
2. Turn on the firewall
3. Install antivirus software

1. A freshly installed system must be patched first
2. Install the necessary antivirus software
3. Delete the system default shares

4. Modify Local Policy --> Security Options:
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication: Enabled
Network access: Remotely accessible registry paths and sub-paths: delete all
5. Disable unnecessary services:
TCP/IP NetBIOS Helper, Server, Distributed Link Tracking Client, Print Spooler, Remote Registry, Workstation
6. Disable IPv6

[Figure: Server 2008 R2, Interactive logon: Do not display last user name]

In practice the most important things are: turn on the firewall, install Server Security Dog (Security Dog already covers most of the settings above), and run MySQL (or SQL Server) under a low-privilege account. For Remote Desktop on port 3389, be sure to restrict which IP addresses may log on.

I. System and programs

1. Screen saver and power

Right-click the desktop --> Personalize --> Screen Saver: set the screen saver to None. Under Change power settings select High performance, set "Turn off the display" to Never, and save the changes.

2. Configure the IIS7 components, FTP7, PHP 5.5.7, MySQL 5.6.15, phpMyAdmin 4.1.8, Phpwind 9.0 and the isapi_rewrite environment. Here I can recommend the Aliyun one-click server environment configuration; its automatic installation and setup works very well.

II. System security configuration

1. Directory permissions

On every partition except the system partition, give only Administrators and SYSTEM Full Control, then set separate permissions on the subdirectories under it.

2. Remote connection

My Computer → Properties → Remote settings → Remote: the options are "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)" and "Allow connections from computers running any version of Remote Desktop (less secure)". Note: the latter is convenient when the server is managed from several versions of Windows. Compared with 2003, Remote Desktop Connection on Windows Server 2008 introduces Network Level Authentication (NLA); XP SP3 does not support it out of the box, while Vista and Windows 7 do. XP SP3 can be made to support NLA by editing the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa, double-click Security Packages in the right pane and add "tspkg"; under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders, double-click SecurityProviders in the right pane and add credssp.dll. When adding this value, be sure to put a comma after the existing value and do not forget the space after it (in English input mode). Then restart XP; checking again, XP now supports Network Level Authentication.


3. Change the Remote Desktop service port

To change the remote connection port, use the Windows calculator to convert the decimal port number to hexadecimal. Here port 3389 is changed to 8208 (0x2010); the change takes effect after a reboot.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\wds\rdpwd\tds\tcp]
"PortNumber"=dword:00002010

[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\winstations\rdp-tcp]
"PortNumber"=dword:00002010

(1) In Start → Run, type regedit to open Registry Editor, then navigate to the paths below to change the port
(2) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\winstations\rdp-tcp
(3) Find "PortNumber" in the right pane and switch the display to decimal; the default is 3389. Change it to the new port (for example 6666)
(4) HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\wds\rdpwd\tds\tcp
(5) Find "PortNumber" in the right pane, display in decimal; the default is 3389. Change it to the same port as above
(6) Control Panel → Windows Firewall → Advanced settings → Inbound Rules → New Rule
(7) Select Port → Protocol and Ports → TCP, Specific local ports: the port chosen above
(8) Next, select Allow the connection
(9) Next, select Public
(10) Next, Name: Remote Desktop - New (TCP-In); Description: Inbound rule for Remote Desktop Services to allow RDP traffic [TCP, the port above]
(11) Delete the Remote Desktop (TCP-In) rule
(12) Restart the computer
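The registry and firewall steps above as one script, an added example that is not part of the original post. It assumes the post's port 8208 (0x2010) and, like step 9, opens the rule only for the public profile; run it from an elevated PowerShell prompt on 2008 R2.

```powershell
# Added example (not from the original post): move the RDP listener to port
# 8208 in both registry locations, open it in the Windows Firewall and remove
# the built-in rule for 3389. The change takes effect after a reboot.
$NewPort = 8208   # decimal; stored in the registry as DWORD 0x2010

$Keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)

foreach ($Key in $Keys) {
    $Current = (Get-ItemProperty -Path $Key -Name PortNumber).PortNumber
    Write-Host ("{0}`n  PortNumber: {1} -> {2}" -f $Key, $Current, $NewPort)
    # The value already exists as REG_DWORD, so Set-ItemProperty keeps the type
    Set-ItemProperty -Path $Key -Name PortNumber -Value $NewPort
}

# New-NetFirewallRule is not available on 2008 R2; netsh advfirewall is.
# profile=public mirrors the post's step 9; use profile=any if the server's
# adapter is in the domain or private profile, or the rule will not apply.
netsh advfirewall firewall add rule name="Remote Desktop - New (TCP-In)" `
    dir=in action=allow protocol=TCP localport=$NewPort profile=public `
    description="Inbound rule for Remote Desktop Services to allow RDP traffic on port $NewPort."
# Step 11: remove the default rule that still allows 3389
netsh advfirewall firewall delete rule name="Remote Desktop (TCP-In)"

# Verify what will be in force after the reboot
foreach ($Key in $Keys) {
    $v = (Get-ItemProperty -Path $Key -Name PortNumber).PortNumber
    Write-Host ("{0}: {1} (0x{1:X4})" -f $Key, $v)
}
netsh advfirewall firewall show rule name="Remote Desktop - New (TCP-In)"
```

Keep the current RDP session open until the new rule is confirmed, since a typo in the port or profile locks you out after the reboot.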

4. Configure Local Area Connection

Network → Properties → Manage network connections → Local Area Connection: open the Local Area Connection window, select Properties, select "Client for Microsoft Networks", click Uninstall and confirm with Yes in the dialog box. Then select "File and Printer Sharing for Microsoft Networks", click Uninstall and confirm with Yes.

Unbind NetBIOS from TCP/IP (port 139): open the Local Area Connection window, select Properties, double-click Internet Protocol Version 4 (TCP/IPv4) in the Properties dialog, click Properties, then Advanced → WINS, select "Disable NetBIOS over TCP/IP", click OK and close the Local Area Connection properties.

Disable the default shares: Start → Run, type regedit to open Registry Editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, and in the right pane create a new DWORD value named AutoShareServer with the value 0.

Close port 445: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters create a new DWORD (32-bit) value named SMBDeviceEnabled with the value 0.

5. Sharing and Discovery

Right-click Network → Properties → Network and Sharing Center → Sharing and Discovery
Turn off: Network discovery, File sharing, Public folder sharing, Printer sharing, "Show me all the files and folders I am sharing" and "Show me all the shared network folders on this computer"

6. Restricting ping with the firewall

From what I found online, ping is still needed quite often.

7. Firewall settings

Control Panel → Windows Firewall → Change settings → Exceptions: check FTP, HTTP, Remote Desktop and Core Networking

HTTPS: do not check it if it is not used

3306: MySQL
1433: MSSQL

8. Disable unneeded and dangerous services. The following services should be disabled.

Control Panel → Administrative Tools → Services

Distributed Link Tracking Client: maintains link information for files across the LAN. Disable.
Print Spooler: print service. Disable.
Remote Registry: allows the registry to be modified remotely. Disable.
Server: shares files, printers and named pipes over the network. Disable.
TCP/IP NetBIOS Helper: provides support for NetBIOS over TCP/IP (NetBT) and NetBIOS name resolution for clients on the network. Disable.
Workstation: leaks the system user name list; associated with Terminal Services configuration. Disable.
Computer Browser: maintains the list of computers on the network. Disabled by default.
Net Logon: manages the secure channel to the domain controller. Already Manual by default.
Remote Procedure Call (RPC) Locator: rpcns*, remote procedure call (RPC) name service. Already Manual by default.
To remove a service entirely: sc delete MYSQL

9. Security Settings --> Local Policies --> Security Options

In Run, type gpedit.msc and press Enter to open the Group Policy Editor, then select Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options

Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: delete all
Network access: Named pipes that can be accessed anonymously: delete all
Network access: Remotely accessible registry paths: delete all
Network access: Remotely accessible registry paths and sub-paths: delete all
Accounts: Rename guest account: change the Guest account name here
Accounts: Rename administrator account: change the Administrator account name here
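A read-only check of the settings from sections 4, 8 and 9, added here as an example and not part of the original post. It reads the registry values that the Security Options editor writes for these entries and the start mode of the services section 8 disables; run it in an elevated PowerShell prompt on 2008 R2.

```powershell
# Added example (not from the original post): report the current state of the
# hardening items from sections 4, 8 and 9 against the expected values.
# The registry value names are the standard ones behind each policy entry.
$Checks = @(
    @{ Item='Interactive logon: do not display last user name'
       Path='HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
       Name='DontDisplayLastUserName'; Expected=1 },
    @{ Item='Network access: no anonymous enumeration of SAM accounts'
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name='RestrictAnonymousSAM'; Expected=1 },
    @{ Item='Network access: no anonymous enumeration of SAM accounts and shares'
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name='RestrictAnonymous'; Expected=1 },
    @{ Item='Network access: do not store credentials for network authentication'
       Path='HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
       Name='DisableDomainCreds'; Expected=1 },
    @{ Item='Administrative shares (C$, ADMIN$) disabled (section 4)'
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name='AutoShareServer'; Expected=0 },
    @{ Item='SMB over TCP port 445 disabled (section 4)'
       Path='HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
       Name='SMBDeviceEnabled'; Expected=0 }
)

$Results = @()
foreach ($c in $Checks) {
    $Actual = $null
    if (Test-Path $c.Path) {
        # A missing value means the policy has never been set (Windows default)
        $Actual = (Get-ItemProperty -Path $c.Path -ErrorAction SilentlyContinue).($c.Name)
    }
    $Results += New-Object PSObject -Property @{
        Item     = $c.Item
        Expected = $c.Expected
        Actual   = $(if ($Actual -eq $null) { '(not set)' } else { $Actual })
        OK       = ($Actual -eq $c.Expected)
    }
}

# Services section 8 says to disable, by service name. Computer Browser,
# Net Logon and RPC Locator stay at their defaults in the post, so they are
# not checked. Note that disabling Server/Workstation also ends file sharing.
$ServicesToDisable = 'lmhosts','LanmanServer','TrkWks','Spooler','RemoteRegistry','LanmanWorkstation'
foreach ($svc in $ServicesToDisable) {
    $wmi = Get-WmiObject Win32_Service -Filter "Name='$svc'"
    $Results += New-Object PSObject -Property @{
        Item     = "Service $svc disabled (section 8)"
        Expected = 'Disabled'
        Actual   = $(if ($wmi) { $wmi.StartMode } else { '(not installed)' })
        OK       = ($wmi -ne $null -and $wmi.StartMode -eq 'Disabled')
    }
}

$Results | Format-Table Item, Expected, Actual, OK -AutoSize
```

Any row with OK = False is a setting the GUI steps above have not yet applied, or that a later change reverted.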

10. Security Settings --> Account Policies --> Account Lockout Policy

In Run, type gpedit.msc and press Enter to open the Group Policy Editor, then select Computer Configuration --> Windows Settings --> Security Settings --> Account Policies --> Account Lockout Policy. Set the account lockout threshold to 3 invalid logon attempts, the lockout duration to 30 minutes, and the reset of the lockout counter to 30 minutes.

11. Local security settings

Select Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment
Shut down the system: Administrators group only; remove all others.
Deny log on through Terminal Services: add the Guests group, IUSR_*****, IWAM_*****, NETWORK SERVICE, SQLDebugger
Allow log on through Terminal Services: Administrators and Remote Desktop Users groups; remove all others

12. Rename the Administrator and Guest accounts, and create a fake administrator account with no rights

Administrative Tools → Computer Management → System Tools → Local Users and Groups → Users
Create a new account named Administrator as a trap account, set an extra-long password, and remove it from all groups
Change its description to: Built-in account for administering the computer/domain

13. Password policy

Select Computer Configuration --> Windows Settings --> Security Settings --> Account Policies --> Password Policy
Enable "Password must meet complexity requirements"
Set a minimum password length

14. Disable DCOM (the "Shockwave" (Blaster) worm's RPC/DCOM vulnerability)

Run Dcomcnfg.exe. Console Root → Component Services → Computers → right-click My Computer → Properties → Default Properties tab → clear the "Enable Distributed COM on this computer" check box.

15. ASP vulnerabilities

The main thing is to unregister the Wscript.Shell and Shell.Application components; check first whether you really need to remove them.

regsvr32 /u C:\WINDOWS\System32\wshom.ocx
regsvr32 /u C:\WINDOWS\system32\shell32.dll

Deleting the files may fail for lack of permissions:

del C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\system32\shell32.dll

If you really need to keep using them, you can rename them instead.

Wscript.Shell can invoke the system to run basic DOS commands.

This can be prevented by renaming the component in the registry:

HKEY_CLASSES_ROOT\Wscript.Shell\ and HKEY_CLASSES_ROOT\Wscript.Shell.1\

Change them to different names, for example Wscript.Shell_ChangeName or Wscript.Shell.1_ChangeName

Afterwards your own code can still call the component normally using the new name.

Also change the CLSID values:

the value of HKEY_CLASSES_ROOT\Wscript.Shell\CLSID\

the value of HKEY_CLASSES_ROOT\Wscript.Shell.1\CLSID\

The component can also be deleted to prevent harm from such Trojans.

Shell.Application can invoke the system to run basic DOS commands.

This can be prevented by renaming the component in the registry:

Rename HKEY_CLASSES_ROOT\Shell.Application\ and HKEY_CLASSES_ROOT\Shell.Application.1\ to other names, for example Shell.Application_ChangeName or Shell.Application.1_ChangeName

Afterwards your own code can still call the component normally using the new name.

Also change the CLSID values:

the value of HKEY_CLASSES_ROOT\Shell.Application\CLSID\
the value of HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\

The component can also be deleted to prevent harm from such Trojans.

To prevent the guest user from using Shell32.dll, and so from calling this component:

Windows 2000: cacls c:\winnt\system32\shell32.dll /e /d Guests
Windows 2003: cacls c:\windows\system32\shell32.dll /e /d Guests

Prohibit use of the FileSystemObject component. FSO is a very widely used component, so decide carefully whether to unregister it. If it is renamed, programs that call it must be changed, e.g. Set FSO = Server.CreateObject("Scripting.FileSystemObject").

FileSystemObject can operate on files; renaming the component in the registry prevents harm from such Trojans.
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\
Rename it to something else, for example FileSystemObject_ChangeName
Afterwards your own code can still call the component normally using the new name.
Also change the CLSID value under HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\
The component can also be deleted to prevent harm from such Trojans.
Windows 2000, unregister the component: regsvr32 /u C:\WINNT\SYSTEM32\scrrun.dll
Windows 2003, unregister the component: regsvr32 /u C:\WINDOWS\SYSTEM32\scrrun.dll
To prevent the guest user from using Scrrun.dll, so that it cannot call this component:
cacls c:\winnt\system32\scrrun.dll /e /d Guests

15. Enable UAC

Control Panel → User Accounts → Turn User Account Control on or off

16. Program permissions

"net.exe", "net1.exe", "cmd.exe", "tftp.exe", "netstat.exe", "regedit.exe", "at.exe", "attrib.exe", "cacls.exe", "format.com", "c.exe"
Restrict the permissions on these programs, or prohibit running the above commands entirely:
gpedit.msc → User Configuration → Administrative Templates → System
Enable "Prevent access to the command prompt" and also disable command prompt script processing
Enable "Prevent access to registry editing tools"
Enable "Don't run specified Windows applications" and add the following:
at.exe attrib.exe c.exe cacls.exe cmd.exe format.com net.exe net1.exe netstat.exe regedit.exe tftp.exe

17. Serv-U security issues (my personal recommendation: if your requirements are not especially high you do not need Serv-U; FileZilla Server can be used as the FTP server instead)

Use the latest version of the installer as far as possible, avoid the default installation directory, set permissions on the Serv-U directory, and set a complex administrator password. Change the Serv-U banner, set the passive mode port range (4001-4003), and make the relevant security settings in the local server settings: check anonymous passwords, disable "go-ahead" scheduling, block "FTP bounce" attacks and FXP, and block for 10 minutes any user who connects more than 3 times in 30 seconds. In the domain settings: require complex passwords, use only lowercase letters for directories, and in the advanced settings uncheck "allow the MDTM command to change file dates".

To change the user Serv-U runs as: create a new user in the system, set a complex password, and do not make it a member of any group. Give this user Full Control of the Serv-U installation directory. When you create the FTP root directory you must give this user Full Control of it, because everything FTP users upload, delete or change inherits this user's permissions; otherwise the files cannot be manipulated. In addition, you must give the user Read permission on the parent directory above the FTP root, otherwise "530 Not logged in, home directory does not exist" appears when connecting. For example, when I tested with the FTP root at D:\soft, the user had to have Read permission on drive D; to be safe, remove the inherited permissions on the other folders on drive D. Starting the service as the default SYSTEM account does not have these problems, because SYSTEM generally already has these permissions. If FTP is not used every day, it is better to turn it off and start it again only when needed.

The following is a supplement from another netizen, which we can use for reference:

Windows Web Server 2008 R2 simple security settings

1. A new system must first have the known patches applied; also pay attention to Microsoft's vulnerability bulletins in time. (Omitted.)
2. For the root directory of every disk, give only SYSTEM and Administrators permissions and delete the others.
3. Convert all disks to NTFS format.
Command: convert c: /fs:ntfs (c: stands for drive C; do the same for the other drives). On Win08 R2 drive C must already be NTFS, otherwise the system cannot be installed.
4. Turn on the advanced firewall that comes with Windows Web Server 2008 R2.
It is on by default.
5. Install the necessary antivirus software such as McAfee, and install an ARP firewall; the Antiy (安天) ARP firewall seems good. (Omitted.)
6. Set a screen saver.
7. Turn off AutoPlay for CDs and disks.
8. Delete the system default shares.
Command: net share C$ /delete. With this method the share reappears after the next boot, so it is not a complete fix. It can also be put into a batch file that is run automatically at startup. However, I recommend the following method of modifying the registry directly.
Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters create a new AutoShareServer value set to 0... Reboot and test. This is permanently in force.
9. Rename the Administrator and Guest accounts; the passwords must be complex. For the Guest user we can copy a piece of text as the password; tell me who could break a password like that... only me.
Rename the Administrators user group.
10. Create a trap user named administrator with the least privileges.

The two renaming steps are best done before installing IIS and SQL, so I will not demonstrate them here.

11. Local Policies --> Audit Policy
Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure

12. Local Policies --> User Rights Assignment
Shut down the system: Administrators group only; delete all others.

Administrative Templates > System: change "Display Shutdown Event Tracker" to Disabled. This one is up to personal preference.

13. Local Policies --> Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials or .NET Passports for network authentication: Enabled
Network access: Remotely accessible registry paths: delete all
Network access: Remotely accessible registry paths and sub-paths: delete all
14. Prohibit the creation of dump files.
System Properties > Advanced > Startup and Recovery: change "Write debugging information" to "(none)"
15. Disable unnecessary services.
TCP/IP NetBIOS Helper
Server
Distributed Link Tracking Client
Print Spooler
Remote Registry
Workstation

16. Security property settings for the site folder
Delete the c:\inetpub directory. Or not; I have not researched it. Least privilege... Disable or remove the default site. I am not removing it here, just stopping it. The usual permissions on the site directory are:
SYSTEM: Full Control
Administrators: Full Control
Users: Read
IIS_IUSRS: Read and Write
Remove rarely used handler mappings in IIS7, then create a site and try it. Be sure to select the directory where the program resides, here the www.postcha.com directory; if you only select the wwwroot directory, the site will be installed as a subdirectory or virtual directory, which is more trouble. So be sure to select the directory where the site files reside, and fill in the host header. Because we are testing on a virtual machine, the Hosts file was modified to simulate domain name access; in a real environment there is no need to modify the Hosts file, just resolve the domain name to the host. The directory permissions are not yet sufficient; the next tutorial continues with that. At least our page is now working normally.

17. Disable IPv6. Here is the procedure.

A WebLogic web application was deployed on Windows Server 2008 R2. Testing after deployment showed that the address of the test page was the tunnel adapter's address rather than the static IP address, and the network does not use IPv6 access, so I decided to disable IPv6 and the tunnel adapters as follows:
Disabling IPv6 is simple: go to Control Panel \ Network and Internet \ Network and Sharing Center, click "Change adapter settings" on the right side of the panel to open the Network Connections window, select the connection you want to configure, right-click Properties, and clear the check box in front of Internet Protocol Version 6 (TCP/IPv6). Then click OK.

To disable the tunnel adapters, change the registry as follows:
Start -> Run -> type regedit to open Registry Editor
Navigate to:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters]
Right-click Parameters and select New -> DWORD (32-bit) Value
Name the value DisabledComponents and set its value to FFFFFFFF (hexadecimal)
Takes effect after a reboot
DisabledComponents value definitions:
0: enable all IPv6 components (default setting)
0xFFFFFFFF: disable all IPv6 components except the IPv6 loopback interface
0x20: prefer IPv4 over IPv6 in prefix policies
0x10: disable native IPv6 interfaces
0x01: disable all tunnel IPv6 interfaces
0x11: disable all IPv6 interfaces except the IPv6 loopback interface

Over! Reboot the server.
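Section 11 of the supplement (the audit policy table) applied with auditpol.exe, the supported way to set audit policy on 2008 R2. This is an added example from the editor, not the netizen's own commands; it maps each table line to the corresponding audit category and is run from an elevated PowerShell prompt.

```powershell
# Added example (not from the original post or the supplement): apply the
# audit policy from section 11 of the supplement with auditpol.exe and then
# back up and display the result. Category-level /set applies the same
# Success/Failure setting to every subcategory of that category.
$AuditPolicy = @(
    @{ Category='Policy Change';      Success='enable';  Failure='enable'  },  # Audit policy change
    @{ Category='Logon/Logoff';       Success='enable';  Failure='enable'  },  # Audit logon events
    @{ Category='Object Access';      Success='disable'; Failure='enable'  },  # Audit object access
    @{ Category='Detailed Tracking';  Success='disable'; Failure='disable' },  # Audit process tracking: none
    @{ Category='DS Access';          Success='disable'; Failure='enable'  },  # Audit directory service access
    @{ Category='Privilege Use';      Success='disable'; Failure='enable'  },  # Audit privilege use
    @{ Category='System';             Success='enable';  Failure='enable'  },  # Audit system events
    @{ Category='Account Logon';      Success='enable';  Failure='enable'  },  # Audit account logon events
    @{ Category='Account Management'; Success='enable';  Failure='enable'  }   # Audit account management
)

# Save the current policy first so it can be restored with: auditpol /restore /file:<path>
$Backup = Join-Path $env:TEMP 'auditpol-before.csv'
auditpol /backup /file:$Backup | Out-Null
Write-Host "Previous audit policy saved to $Backup"

foreach ($p in $AuditPolicy) {
    auditpol /set /category:"$($p.Category)" /success:$($p.Success) /failure:$($p.Failure) | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "auditpol failed for category '$($p.Category)'"
    }
}

# Show the effective policy for every category and subcategory
auditpol /get /category:*
```

Failure auditing for Object Access and Privilege Use is noisy on a web server, so raise the Security log's maximum size (Event Viewer > Windows Logs > Security > Properties) so that the 3-attempt lockout events from section 10 are not overwritten.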
