This Windows Server security hardening guide is written primarily for Windows Server R2, but it also applies to other versions such as 2012.
1
Delete unused accounts:
Press Win+R to open Run, enter compmgmt.msc -> Local Users and Groups, and delete any accounts that are no longer used.
Make sure the Guest account is disabled, and rename the default Administrator account from "Administrator" to something else.
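The account clean-up above can be done from an elevated PowerShell session with the LocalAccounts cmdlets (Windows Server 2016 and later, or Server 2012 R2 with WMF 5.1). This is an added example, not code from the original post; the new administrator name and the list of unused accounts are placeholders to be filled from the report the script prints first. Built-in accounts are matched by their well-known RID (500 for Administrator, 501 for Guest), which survives renaming.

```powershell
# Added example (not from the original post): review local accounts before
# deleting, then disable Guest and rename the built-in Administrator.
# Requires Microsoft.PowerShell.LocalAccounts; run in an elevated session.

# 1. Report every local account with its state and last logon, so that
#    "unused" is decided from data rather than from memory.
Get-LocalUser |
    Select-Object Name, Enabled, LastLogon, PasswordLastSet, Description |
    Sort-Object LastLogon |
    Format-Table -AutoSize

# 2. Built-in accounts are identified by the RID at the end of their SID,
#    which does not change when the account is renamed.
$builtinAdmin = Get-LocalUser | Where-Object { $_.SID.Value -like '*-500' }
$guest        = Get-LocalUser | Where-Object { $_.SID.Value -like '*-501' }

if ($guest.Enabled) {
    Disable-LocalUser -SID $guest.SID
}

# Hypothetical new name; pick one that does not advertise its privileges.
$newAdminName = 'svc-mgmt01'
if ($builtinAdmin.Name -eq 'Administrator') {
    Rename-LocalUser -SID $builtinAdmin.SID -NewName $newAdminName
}

# 3. Delete the accounts identified as unused. The names below are constructed
#    placeholders; fill the list from the report in step 1. Built-in accounts
#    (RID 500/501) are skipped even if they end up in the list by mistake.
$unused = @('olduser1', 'tempcontractor')
foreach ($name in $unused) {
    $acct = Get-LocalUser -Name $name -ErrorAction SilentlyContinue
    if ($null -eq $acct) { continue }                       # already gone
    if ($acct.SID.Value -match '-50[01]$') { continue }     # never built-ins
    Remove-LocalUser -SID $acct.SID -WhatIf                 # drop -WhatIf to delete
}
```

Run it once with `-WhatIf` in place to see which accounts would be removed, then remove the switch. Renaming Administrator does not change its SID, so scripts or scheduled tasks that reference the account by SID keep working, while those that reference it by name must be updated.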
2
Strengthen the password policy:
Press Win+R to open Run, enter secpol.msc -> Security Settings:
1. Security Settings -> Password Policy
Password must meet complexity requirements: Enabled
Minimum password length: 8 characters
Minimum password age: 0 days
Maximum password age: 90 days
Enforce password history: 1 password remembered
Store passwords using reversible encryption: Disabled
2. Security Settings -> Local Policies -> Security Options
Interactive logon: Do not display last user name: Enabled
3
Turn off services you do not need:
Press Win+R to open Run, enter services.msc, and disable the following services:
Application Layer Gateway Service
Background Intelligent Transfer Service
Computer Browser
DHCP Client
Diagnostic Policy Service
Distributed Transaction Coordinator
DNS Client
Distributed Link Tracking Client
Remote Registry
Print Spooler
Server
Shell Hardware Detection
TCP/IP NetBIOS Helper
Windows Remote Management
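The same list can be processed in PowerShell using the short service names that services.msc shows under Properties. This is an added example, not the post's own script; it records each service's startup mode before changing it, so the step can be reversed. One caveat the post does not state: Dhcp needs a static address to be configured first, Dnscache performs all DNS lookups, LanmanServer serves every SMB share including the admin shares, and WinRM carries remote PowerShell, so confirm nothing on the host depends on them before disabling.

```powershell
# Added example (not from the original post): disable the step-3 services by
# short name after saving their current state. Run elevated.

# Short names for the post's display names, in the same order.
$services = 'ALG', 'BITS', 'Browser', 'Dhcp', 'DPS', 'MSDTC', 'Dnscache', 'TrkWks',
            'RemoteRegistry', 'Spooler', 'LanmanServer', 'ShellHWDetection',
            'lmhosts', 'WinRM'

function Get-ServiceBaseline {
    param([string[]]$Name)
    foreach ($n in $Name) {
        # Win32_Service exposes StartMode on every supported PowerShell version.
        $svc = Get-CimInstance -ClassName Win32_Service -Filter "Name='$n'"
        if ($null -eq $svc) { continue }      # not installed on this edition
        [pscustomobject]@{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode
            State       = $svc.State
        }
    }
}

# 1. Save the baseline before touching anything, so it can be restored.
$baseline = Get-ServiceBaseline -Name $services
$baseline | Export-Csv -Path (Join-Path $env:TEMP 'service-baseline.csv') -NoTypeInformation
$baseline | Format-Table -AutoSize

# 2. Disable the startup type first, then stop. -Force also stops dependents;
#    a service that refuses to stop is reported but does not abort the loop.
foreach ($n in $baseline.Name) {
    Set-Service -Name $n -StartupType Disabled
    Stop-Service -Name $n -Force -ErrorAction Continue
}

# 3. Show anything that is still running or not yet disabled.
Get-ServiceBaseline -Name $baseline.Name |
    Where-Object { $_.State -ne 'Stopped' -or $_.StartMode -ne 'Disabled' } |
    Format-Table -AutoSize
```

To roll back, read the CSV and feed each row's StartMode back into `Set-Service -StartupType`. Services that report as still running after the loop usually have a dependency that is not in the list; `Get-Service -Name <name> -DependentServices` shows it.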
4
Turn off the NetBIOS service (close port 139):
Network Connections -> Local Area Connection -> Properties -> Internet Protocol Version 4 -> Properties -> Advanced -> WINS -> Disable NetBIOS over TCP/IP.
Note: once this is turned off, all file-sharing services on the server are disabled and other hosts will no longer see its shared resources in Explorer. This also prevents information disclosure.
5
Turn off network file and printer sharing: Network Connections -> Local Area Connection -> Properties -> uncheck everything except Internet Protocol Version 4.
6
Disable IPv6:
Network Connections -> Local Area Connection -> Properties -> uncheck Internet Protocol Version 6 (TCP/IPv6).
Then modify the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters add a DWORD value named DisabledComponents with the hexadecimal value FFFFFFFF (eight Fs).
7
Disable the Microsoft Networks client (close port 445):
Port 445 is the service port NetBIOS uses to resolve machine names on the LAN. A typical server does not need to expose any shares to the LAN, so it can be closed.
Modify the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters add a DWORD value named SMBDeviceEnabled with value 0.
8
Turn off LLMNR (close port 5355):
Use Group Policy: Run -> gpedit.msc -> Computer Configuration -> Administrative Templates -> Network -> DNS Client -> Turn off multicast name resolution: Enabled.
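Steps 4 to 8 all end up as a registry value or an adapter binding, so they can be applied in one script. The following is an added example, not code from the original post; it targets the same values the GUI paths above modify, and the `Set-RegDword` helper is my own. The `EnableMulticast` value is the registry setting behind the "Turn off multicast name resolution" Group Policy item. Reboot afterwards, because the Tcpip6 and NetBT parameters are only read at startup.

```powershell
# Added example (not from the original post): apply steps 4-8 from PowerShell.
# Run elevated; reboot when finished.

function Set-RegDword {
    param([string]$Path, [string]$Name, [int64]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    # Windows PowerShell 5.1 rejects 0xFFFFFFFF as a DWord because it does not
    # fit an Int32; reinterpreting the same 32 bits as a signed value (-1) works.
    $bits  = [BitConverter]::GetBytes([uint32]$Value)
    $dword = [BitConverter]::ToInt32($bits, 0)
    New-ItemProperty -Path $Path -Name $Name -Value $dword -PropertyType DWord -Force | Out-Null
}

# Step 4: disable NetBIOS over TCP/IP (port 139) on every IP-enabled adapter.
# SetTcpipNetbios options: 0 = from DHCP, 1 = enable, 2 = disable.
Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    ForEach-Object {
        $r = Invoke-CimMethod -InputObject $_ -MethodName SetTcpipNetbios `
                              -Arguments @{ TcpipNetbiosOptions = 2 }
        '{0}: SetTcpipNetbios returned {1} (0 = ok, 1 = reboot required)' -f $_.Description, $r.ReturnValue
    }

# Step 5: unbind File and Printer Sharing (ms_server) and Client for Microsoft
# Networks (ms_msclient) from the physical adapters; IPv4 stays bound.
Get-NetAdapter -Physical | Disable-NetAdapterBinding -ComponentID ms_server, ms_msclient

# Step 6: disable IPv6 components with the value the post gives (all bits set).
Set-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters' `
             -Name 'DisabledComponents' -Value 0xFFFFFFFF

# Step 7: stop the SMB device from listening on TCP 445.
Set-RegDword -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' `
             -Name 'SMBDeviceEnabled' -Value 0

# Step 8: turn off LLMNR (UDP 5355) via the policy registry value.
Set-RegDword -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient' `
             -Name 'EnableMulticast' -Value 0

# Verification after reboot: these two commands should return nothing.
Get-NetTCPConnection -State Listen | Where-Object { $_.LocalPort -in 139, 445 }
Get-NetUDPEndpoint | Where-Object { $_.LocalPort -eq 5355 }
```

The two verification lines are the check to keep: an empty result for 139/445 and 5355 after the reboot confirms that the registry and binding changes actually took effect, which is more reliable than trusting the GUI checkbox state.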
9
Tighten network access restrictions:
Press Win+R to open Run, enter secpol.msc -> Security Settings -> Local Policies -> Security Options:
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Let Everyone permissions apply to anonymous users: Disabled
Accounts: Limit local account use of blank passwords to console logon only: Enabled
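Each of these four options is backed by a DWORD under the Lsa key, which makes them easy to audit across servers. The script below is an added example, not from the original post: it compares the live values against the settings listed above, reports drift, and applies the expected values only when asked.

```powershell
# Added example (not from the original post): audit (and optionally fix) the
# step-9 options by reading the registry values that Secpol.msc writes.

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'

# Policy name from the post, the value behind it, and the number that
# corresponds to the Enabled/Disabled setting given above.
$expected = @(
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts';            Name = 'RestrictAnonymousSAM';      Value = 1 },
    @{ Setting = 'Do not allow anonymous enumeration of SAM accounts and shares'; Name = 'RestrictAnonymous';         Value = 1 },
    @{ Setting = 'Let Everyone permissions apply to anonymous users';             Name = 'EveryoneIncludesAnonymous'; Value = 0 },
    @{ Setting = 'Limit local account use of blank passwords to console logon';   Name = 'LimitBlankPasswordUse';     Value = 1 }
)

function Test-LsaHardening {
    param([switch]$Fix)
    foreach ($e in $expected) {
        $actual = (Get-ItemProperty -Path $lsa -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
        $ok = ($actual -eq $e.Value)
        if (-not $ok -and $Fix) {
            Set-ItemProperty -Path $lsa -Name $e.Name -Value $e.Value -Type DWord
            $actual = $e.Value
            $ok = $true
        }
        [pscustomobject]@{
            Setting   = $e.Setting
            Value     = $e.Name
            Expected  = $e.Value
            Actual    = $actual       # $null means the value has never been set
            Compliant = $ok
        }
    }
}

Test-LsaHardening | Format-Table -AutoSize    # report only
# Test-LsaHardening -Fix                      # apply the values from the post
```

A missing value (Actual shows blank) is reported as non-compliant on purpose: the OS default for a missing value is not necessarily the hardened one, and an explicit value is what the auditor will look for.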
10
Change the default remote access port 3389:
1. Firewall settings
1. Control Panel -> Windows Firewall -> Advanced Settings -> Inbound Rules -> New Rule -> Port -> specific TCP port (for example 13688) -> Allow the connection.
2. After the rule is created, right-click it -> Scope -> Local IP address: Any IP address; Remote IP address: These IP addresses -> add the administrator's IP. In the same way, other ports (for example port 80) can use the scope setting to block specific network segments.
2. Registry: run regedit and open [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp] and [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]. Look at the PortNumber value: the default is 3389; change it to the desired port, for example 13688.
3. [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]: change the PortNumber value (default 3389) to the custom port 13688.
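The same change in PowerShell, in the order that avoids locking yourself out: open the scoped firewall rule first, then move the listener, verify, and only then retire the default rule. This is an added example and not the post's own procedure; 13688 is the post's example port, and the management addresses are constructed placeholders.

```powershell
# Added example (not from the original post): move RDP to a custom port and
# restrict the firewall rule to the administrators' addresses. Run elevated,
# from a console session or with a second management path available.

$newPort  = 13688
$adminIPs = @('192.0.2.10', '192.0.2.0/24')   # constructed management addresses

# 1. Firewall first, scoped to the admin addresses, so the new port is
#    reachable before RDP moves to it.
New-NetFirewallRule -DisplayName "RDP custom port $newPort" -Direction Inbound `
    -Protocol TCP -LocalPort $newPort -RemoteAddress $adminIPs `
    -Action Allow -Profile Any

# 2. Both registry locations from the post carry PortNumber; update both.
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)
foreach ($k in $keys) {
    $current = (Get-ItemProperty -Path $k -Name PortNumber).PortNumber
    '{0}: PortNumber {1} -> {2}' -f $k, $current, $newPort
    Set-ItemProperty -Path $k -Name PortNumber -Value $newPort -Type DWord
}

# 3. Restart Remote Desktop Services to bind the new port (this drops active
#    RDP sessions; reboot instead if the listener does not move).
Restart-Service -Name TermService -Force

# 4. Verify the listener is on the new port and 3389 is gone.
Get-NetTCPConnection -State Listen |
    Where-Object { $_.LocalPort -in 3389, $newPort } |
    Select-Object LocalAddress, LocalPort, OwningProcess

# 5. Only after a successful test connection on the new port: disable the
#    built-in Remote Desktop rules that still allow 3389.
Disable-NetFirewallRule -DisplayGroup 'Remote Desktop'
```

Leave step 5 until a second administrator has confirmed a connection on the new port; a scoped rule on the wrong port with 3389 already closed is the classic way to lose access to a remote server.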
11
Remove Everyone permissions:
Right-click the system drive -> Properties -> Security, and check whether the root of each system drive grants Everyone full permissions.
Remove the Everyone entry, or at least remove its write permission.
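Checking every fixed drive root by hand is error-prone, so here is an added example (not from the original post) that lists each root whose ACL grants Everyone any write-capable right, and a second function that purges the explicit Everyone entries from a root. Everyone is matched by its well-known SID S-1-1-0, which works regardless of the system language.

```powershell
# Added example (not from the original post): find and remove Everyone
# entries on fixed drive roots. Run elevated.

$everyone = New-Object System.Security.Principal.SecurityIdentifier('S-1-1-0')

# Any of these rights lets the holder change content or permissions. Modify
# and FullControl both contain the Write bits, so they match as well.
$fsr       = [System.Security.AccessControl.FileSystemRights]
$writeMask = [int]($fsr::Write -bor $fsr::Delete -bor $fsr::ChangePermissions -bor $fsr::TakeOwnership)

function Get-EveryoneWriteAce {
    # DriveType 3 = local fixed disk; DeviceID is e.g. "C:".
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 3' | ForEach-Object {
        $root = $_.DeviceID + '\'
        $acl  = Get-Acl -Path $root
        foreach ($ace in $acl.Access) {
            try {
                $sid = $ace.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier])
            } catch { continue }                     # orphaned or untranslatable SID
            if ($sid -ne $everyone) { continue }
            if (([int]$ace.FileSystemRights -band $writeMask) -eq 0) { continue }
            [pscustomobject]@{
                Root      = $root
                Rights    = $ace.FileSystemRights
                Type      = $ace.AccessControlType
                Inherited = $ace.IsInherited
            }
        }
    }
}

function Remove-EveryoneFromRoot {
    param([Parameter(Mandatory)][string]$Root)
    $acl = Get-Acl -Path $Root
    $acl.PurgeAccessRules($everyone)     # drops every explicit ACE for Everyone
    Set-Acl -Path $Root -AclObject $acl
}

Get-EveryoneWriteAce | Format-Table -AutoSize
# Get-EveryoneWriteAce | Where-Object { -not $_.Inherited } |
#     ForEach-Object { Remove-EveryoneFromRoot -Root $_.Root }
```

Review the report before running the commented removal line. Entries marked Inherited cannot be removed on the root itself; they come from a parent object and are left alone by `PurgeAccessRules`.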
12
Increase log auditing:
Press Win+R to open Run, enter secpol.msc -> Security Settings -> Local Policies -> Audit Policy.
Recommended settings:
Audit policy change: Success
Audit logon events: Success, Failure
Audit object access: Success
Audit process tracking: Success, Failure
Audit directory service access: Success, Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
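The audit policy above, the password policy from step 2 and the "do not display last user name" option are all part of the security policy that secedit.exe can import from an INF file, so they can be applied together and reproducibly. The script below is an added example, not from the original post; the INF keys are the standard secedit names, and the audit values use secedit's encoding (1 = Success, 2 = Failure, 3 = both).

```powershell
# Added example (not from the original post): apply the step-2 password
# policy, the "do not display last user name" option and the step-12 audit
# policy with secedit.exe, then read the effective policy back. Run elevated.

$inf = Join-Path $env:TEMP 'hardening.inf'
$db  = Join-Path $env:TEMP 'hardening.sdb'

# Single-quoted here-string so PowerShell does not expand $CHICAGO$.
@'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
PasswordComplexity = 1
MinimumPasswordLength = 8
MinimumPasswordAge = 0
MaximumPasswordAge = 90
PasswordHistorySize = 1
ClearTextPassword = 0
[Event Audit]
AuditPolicyChange = 1
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditProcessTracking = 3
AuditDSAccess = 3
AuditSystemEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'@ | Set-Content -Path $inf -Encoding Unicode

# Apply only the SECURITYPOLICY area (account policy, audit policy, options).
& secedit.exe /configure /db $db /cfg $inf /areas SECURITYPOLICY /quiet

# Export the effective policy and show the values just set.
$export = Join-Path $env:TEMP 'effective.inf'
& secedit.exe /export /cfg $export /areas SECURITYPOLICY /quiet
Get-Content -Path $export |
    Select-String -Pattern '^(PasswordComplexity|MinimumPasswordLength|MinimumPasswordAge|MaximumPasswordAge|PasswordHistorySize|ClearTextPassword|Audit\w+)\s*=|DontDisplayLastUserName'

Remove-Item -Path $inf, $db, $export -ErrorAction SilentlyContinue
```

On a domain-joined server a Group Policy that configures the same settings will overwrite these local values at the next refresh, so the same INF should then be applied through a GPO instead. To see what the system is actually auditing per subcategory, run `auditpol /get /category:*` after the import.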
13
Turn off ICMP:
Open Windows Firewall from the server's Control Panel, click Advanced Settings -> Inbound Rules, and find File and Printer Sharing (Echo Request - ICMPv4-In). Enabling this rule allows ping; disabling it prevents other clients from pinging the server's IP. It does not affect TCP, UDP or other connections.
14
Configure IIS not to return verbose error messages:
Edit web.config and make sure the mode attribute of the <customErrors> tag is not set to "Off"; otherwise users can see the exception details. Also remove Directory Browsing, ASP, CGI and Server Side Includes from the IIS role services.
This article is from the "unrestrained" blog; please keep this source: http://techmc.blog.51cto.com/740121/1981423
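A single site can have several web.config files, any of which may override the mode, so the check has to walk every site root. The following is an added example, not from the original post: it scans each IIS site for a `<customErrors mode="Off">`, offers a function that switches the offending file to RemoteOnly, and removes the four role services named above with their ServerManager feature names.

```powershell
# Added example (not from the original post): find web.config files that
# expose exception details and remove the unneeded IIS role services.
# Requires the WebAdministration module (IIS role installed). Run elevated.

Import-Module WebAdministration

function Get-CustomErrorsOff {
    foreach ($site in Get-Website) {
        $root = [Environment]::ExpandEnvironmentVariables($site.PhysicalPath)
        if (-not (Test-Path -Path $root)) { continue }
        Get-ChildItem -Path $root -Filter web.config -Recurse -File -ErrorAction SilentlyContinue |
            ForEach-Object {
                try { [xml]$cfg = Get-Content -Path $_.FullName -Raw } catch { return }  # skip malformed XML
                $node = $cfg.SelectSingleNode('/configuration/system.web/customErrors')
                # A missing element or attribute falls back to ASP.NET's default, RemoteOnly.
                $mode = if ($node) { $node.GetAttribute('mode') } else { '' }
                if ($mode -eq 'Off') {
                    [pscustomobject]@{ Site = $site.Name; Config = $_.FullName; Mode = $mode }
                }
            }
    }
}

function Set-CustomErrorsRemoteOnly {
    param([Parameter(Mandatory)][string]$ConfigPath)
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $node = $cfg.SelectSingleNode('/configuration/system.web/customErrors')
    if ($null -eq $node) { return }          # nothing to fix; default already applies
    $node.SetAttribute('mode', 'RemoteOnly') # details only for requests from localhost
    $cfg.Save($ConfigPath)
}

Get-CustomErrorsOff | Format-Table -AutoSize
# Get-CustomErrorsOff | ForEach-Object { Set-CustomErrorsRemoteOnly -ConfigPath $_.Config }

# Remove the role services the post names: directory browsing, classic ASP,
# CGI and server-side includes.
Uninstall-WindowsFeature -Name Web-Dir-Browsing, Web-ASP, Web-CGI, Web-Includes
```

RemoteOnly is chosen over On so that an administrator testing on the server console still sees the full error while remote clients get the generic page. Check the result from a remote browser, not from the server itself, for exactly that reason.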