Windows Server 2008 R2 Server system Security Defense Hardening method _win Server

First. Change the terminal default port number

Steps:

1. Run regedit 2. [HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\wds \rdpwd\tds \tcp], see Portnamber value? The default value is 3389, modified to the desired port, such as 12345 3. [Hkey_local_machine\system\currentcontro1set\control\tenninal server\winstations\ RDP\TCP], Modify the value of PortNumber (default is 3389) to Port 12345 (custom).

4. Set up IPSec editing rules in the firewall after the modification, restart the computer, the remote login at the time of the use of port 12345 can be.

Second. NTFS Permissions settings

Attention:

1, 2008r2 default folder and file owner is TrustedInstaller, this user also has all control rights. 2, the same as the registry of the same, the owner of the TrustedInstaller. 3, if you want to modify file permissions should first set the Administrators group administrators as the owner, and then set additional permissions. 4, if you want to delete or rename the registry, also need to set the Administrator group as the owner, but also should be to the subkey,

Delete a subkey before deleting the current item or deleting the item

Steps:

1.C disk only to Administrators and system permissions, other permissions do not give, other disks can also be set (Web directory permissions depending on the circumstances)
2. The system permissions given here do not necessarily need to be given, just because some third-party applications are started in the form of a service and need to be added to this user, otherwise it will not start.

Windows directories should be added to the default permissions for users, otherwise applications such as ASP and ASPX will not run (if you are using IIS, refer to the DLL files under Windows).

3.c:/user/only gives administrators and system permissions

Third. Delete Default share

Steps:

1. Open dos,net Share view default share
2. New Text Document Input command

NET share C $/del net share d$/del//If E disk can be added the default share name is C $, d$, etc.
NET share ipc$/del net share admin$/del Save as Sharedelte.bat

3. Run Gpedit.msc, expand windous Settings-script (start \ Shutdown)-start)-Right Key properties-add Sharedelte.bat

Similarly, you can edit other rules

fourth. IPSec Policy
Take the remote terminal for example 1. Control Panel--windows Firewall-Advanced Settings-inbound rules-new rule-Port-specific port TCP (for example, 3389)-Allows connection 2. When you are done, right-click the rule scope--local IP address--Any IP address-- Remote IP address--The following IP address--Add manager IP empathy other ports can use this feature to mask specific segments (such as Port 80)

Other please refer to Win2003 security optimization

Security consolidation Supplement for Windows 2008 R2 servers

Recently hosted a 2U server to the engine room, installed the Windows 2008 system, intended to use IIS to do Web server, so need to put useless ports, services shut down, reduce risk.

I found that the network is now a valuable thing is too little, many people are reproduced to reprint, learn without thinking, without a little nutrition. Or summarize it yourself, there are probably the following steps:

1. How to turn off IPv6?

This point in the domestic and foreign websites basically have a consensus, are based on the following two steps. It is said that the local return route has not been closed after execution. But after the shutdown I found that some of the ports are still listening to IPv4 and IPv6 ports, especially the 135 port, has IPv4 closed, IPv6 unexpectedly still open. It's unbelievable.

Turn off network Connections-> local connection-> Properties->internet Protocol version 6 (TCP/IPV6)

And then modify the registry: Hkey_local_machine\system\currentcontrolset\services\tcpip6\parameters, add a DWORD entry, Name: disabledcomponents, Value: FFFFFFFF (16-bit 8 f)

Restart the server to close IPv6

2. How do I close 135 ports?

This broken port is RPC service port, before a lot of problems, now seemingly no loopholes, but still have a lingering fear ah, want to shut this off:

Start-> run->dcomcnfg-> Component Services-> computer-> My Computer-> properties-> default properties-> turn off "Enable distributed COM on this computer"-> default protocol-> removal " Connection-oriented TCP/IP "

But the feeling did the above operation also can see 135 in Listen state, also can try this.

Execute in cmd: netsh rpc add 127.0.0.0, so that port 135 only listens for 127.0.0.1.

3. How do I close 445 ports?

Port 445 is a service port that NetBIOS uses to resolve machine names within a LAN, and the general server does not need to be open to the LAN for any shares, so it can be turned off.

Modify registry: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters, then more a DWORD: smbdeviceenabled, Value: 0

4. Turn off the NetBIOS service (139 port off)

Network connection-> Local Area Connection-> Properties->internet protocol version 4-> Properties-> Advanced->wins-> Disable NetBIOS on TCP/IP

5. Close LLMNR (5355 port off)

What is LLMNR? Local link Multicast name resolution, also called Multicast DNS, is used to resolve names on local network segments, but it still occupies 5355 of ports.

Use Group Policy shutdown, run->gpedit.msc-> Computer Configuration-> Administrative Templates-> Network->dns client-> turn off Multicast name resolution-> Enable

There is another way, I did not try, if there is no Group Policy management can try, modify the registry Hkey_local_machine\software\policies\microsof\windows NT\DNSClient, create a new DWORD entry, Name: enablemulticast, Value: 0

6. Shut down Windows Remote Management Service (47001 port off)

Windows Remote Management Service, used in conjunction with IIS management hardware, generally not used, but open 47001 port is very uncomfortable, close the method is very simple, disable this service.

7. Turn off UDP 500,udp 4500 ports

These two ports let me search for a half-day, although know should be related to VPN, but do not know which service is occupied. Finally found, in fact, Ike and AuthIP IPsec keying modules services in the mischief. If your server does not run an IKE-authenticated VPN service, you can shut down. (I'm using PPTP to connect to VPN, turn IPSec and ike off)

8. Delete File and printer Sharing

The network connection-> The local connection-> attribute and hooks out everything except "Internet Protocol version 4".

9. Turn off file and printer sharing

Stop the "server" service directly and set it to disabled, restart and then right-click on a disk selection property, "sharing" This page does not exist.