Windows Server Security Configuration tips

Source: Internet
Author: User

In the case of the server hacking yesterday, I also bear some responsibility, because I was too lazy to set up server security. Some settings can be completed in just a few minutes, but I was just lazy; as a result, if the server is maliciously damaged, it takes more time to recover data. Therefore, setting up server security early lays a solid foundation and reduces unnecessary losses in a time of crisis.

Next, I will summarize some tips and methods for server security settings based on my experiences and lessons.

  I. Operating System Installation

The operating system used as the example here is Windows 2000; later versions of Windows have similar functions.

When formatting a hard disk, it must be formatted as NTFS. Do not use the FAT32 type.

Disk C is the operating system disk, disk D holds commonly used software, and disk E holds the website. After formatting is complete, set the disk permissions immediately. Disk C keeps the defaults. Disk D is set to Administrator and System with full control, and other users are removed. If there is only one website on disk E, set Administrator and System to full control and Everyone to read. If some code on the website must write files, modify the permissions of only the folder where those files are located.

The minimum service principle must be followed during system installation: do not select services you do not need, so that the installed system is as small as possible. During IIS installation, install only the most basic and necessary functions, and do not install unnecessary, dangerous components such as FrontPage 2000 Server Extensions, Internet Service Manager (HTML), FTP services, documentation, and Indexing Service.

  II. Network Security Configuration

The most basic network security measure is port settings. In "Local Connection Properties", select "Internet Protocol (TCP/IP)", click "Advanced", then "Options" - "TCP/IP filtering". Only open the ports required by the website service. The configuration interface is shown in.

After these settings are made, domain name resolution will not be available from your server, so Internet access by name from the server itself no longer works, but external access to the server is normal. This configuration is mainly used to prevent general DDoS attacks.

  III. Security template settings

Run MMC, add the standalone snap-in "Security Configuration and Analysis", import the template basicsv.inf or securedc.inf, and then click "Configure Computer Now". The system will automatically configure "Account Policy", "Local Policy", "System Service" and other settings in one step. However, these configurations may cause some software to fail or report errors.

  IV. WEB Server Settings

Take IIS as an example. Do not use the web directory that IIS installs by default; instead, create a new directory on disk E. In IIS Manager, right-click the host > Properties > WWW Service Edit > Home Directory Configuration > application mappings. Keep only asp and asa, and delete all the others.

  V. ASP Security

In the IIS system, most Trojans are written in ASP. Therefore, the security of ASP components is very important.

In fact, most ASP Trojans can be stopped directly by disabling the components they call: Shell.Application, WScript.Shell, WScript.Network, FSO, and Adodb.Stream.

Use this command to delete the WScript.Shell component: regsvr32 WSHom.ocx /u

Use this command to delete the WScript.Network component: regsvr32 wshom.ocx /u

For Shell.Application, deny the Guests group access to shell32.dll to prevent calls to this component. Run the following command: cacls C:\WINNT\system32\shell32.dll /e /d guests

The command that bans the Guests group from executing Cmd.exe is: cacls C:\WINNT\system32\Cmd.exe /e /d guests

Disabling the FSO component is more troublesome. If the website itself does not need this component, use the command regsvr32 scrrun.dll /u to disable it. If the website also needs to use FSO, please refer to this article.
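
One way to check the result of the commands above on a later Windows version that ships PowerShell; this is an added audit example, not part of the original article. The ProgIDs Scripting.FileSystemObject (for "FSO") and ADODB.Stream, the use of the well-known Guests SID, and the function names are assumptions of this example.

```powershell
# Added audit example; run from an elevated PowerShell prompt on the server.
# ProgIDs of the components named in the text ("FSO" = Scripting.FileSystemObject).
$progIds = 'Shell.Application', 'WScript.Shell', 'WScript.Network',
           'Scripting.FileSystemObject', 'ADODB.Stream'

# Files the text locks down with "cacls ... /e /d guests".
# $env:SystemRoot is C:\WINNT on Windows 2000 and C:\Windows on later versions.
$files = "$env:SystemRoot\system32\shell32.dll",
         "$env:SystemRoot\system32\cmd.exe"

# Well-known SID of the built-in Guests group (independent of display language).
$guests = New-Object System.Security.Principal.SecurityIdentifier 'S-1-5-32-546'

function Test-ProgIdRegistered {
    param([string]$ProgId)
    # A registered COM ProgID has a CLSID subkey under HKEY_CLASSES_ROOT.
    # Only the registry view of the current process is checked.
    Test-Path -LiteralPath "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
}

function Test-GuestsDenied {
    param([string]$Path)
    # True when the file carries an explicit or inherited Deny ACE for Guests.
    $rules = (Get-Acl -LiteralPath $Path).GetAccessRules($true, $true,
        [System.Security.Principal.SecurityIdentifier])
    foreach ($rule in $rules) {
        if ($rule.IdentityReference.Value -eq $guests.Value -and
            $rule.AccessControlType -eq 'Deny') { return $true }
    }
    return $false
}

foreach ($id in $progIds) {
    $state = if (Test-ProgIdRegistered $id) { 'STILL REGISTERED' } else { 'not registered' }
    '{0,-28} {1}' -f $id, $state
}
foreach ($f in $files) {
    $state = if (Test-GuestsDenied $f) { 'Guests denied' } else { 'NO deny ACE for Guests' }
    '{0,-44} {1}' -f $f, $state
}
```

Shell.Application and Adodb.Stream are expected to show as still registered after the steps in the text, because the article restricts Shell.Application through the shell32.dll ACL rather than by unregistering it and gives no command for Adodb.Stream.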

In addition, using the URLScan Tool provided by Microsoft to filter illegal URL access can also play a preventive role. Of course, daily backup is also a good habit.
