Windows Server system Security Defense hardening method

Source: Internet
Author: User


    • Updated: 2017-06-01 19:24

This Windows Server hardening guide is written primarily for Windows Server R2, but the steps also apply to other versions such as 2012.

  1. Delete unused accounts:

    Press Win+R, run compmgmt.msc, open Local Users and Groups, and delete any account that is no longer used.

    Make sure the Guest account is disabled, and rename the built-in Administrator account from its default name. Renaming is only a speed bump: the account keeps its well-known RID 500 and can still be found by SID, so it needs a strong password and restricted logon rights regardless.

  2. Strengthen the password policy:

    Press Win+R, run secpol.msc, and open Security Settings:

    1. Security Settings -> Account Policies -> Password Policy

    Password must meet complexity requirements: Enabled

    Minimum password length: 8 characters

    Minimum password age: 0 days (a value of 1 day stops users from changing the password repeatedly to cycle back to an old one)

    Maximum password age: 90 days

    Enforce password history: 1 password remembered

    Store passwords using reversible encryption: Disabled

    2. Security Settings -> Local Policies -> Security Options

    Interactive logon: Do not display last user name: Enabled

  3. Disable services that are not needed:

    Press Win+R, run services.msc, stop each of the following services and set its startup type to Disabled. Check every entry against what the server actually does first: DHCP Client is required if the address is assigned by DHCP, Server is required for any file share including the administrative shares (C$, ADMIN$), and Windows Remote Management is required for remote PowerShell management.

    Application Layer Gateway Service

    Background Intelligent Transfer Service

    Computer Browser

    DHCP Client

    Diagnostic Policy Service

    Distributed Transaction Coordinator

    DNS Client

    Distributed Link Tracking Client

    Remote Registry

    Print Spooler

    Server

    Shell Hardware Detection

    TCP/IP NetBIOS Helper

    Windows Remote Management

  4. Disable NetBIOS over TCP/IP (closes port 139):

    Open Network Connections -> Local Area Connection -> Properties -> Internet Protocol Version 4 (TCP/IPv4) -> Properties -> Advanced -> WINS, and select Disable NetBIOS over TCP/IP.

    Note: this closes ports 137 to 139 and removes the server from the network browse list, so other machines will no longer see its shared resources in Explorer, and NetBIOS name queries (which an attacker on the same segment can spoof) stop. File sharing itself still works over port 445 until SMB is disabled separately in step 7.

  5. Turn off network file and print sharing:

    Open Network Connections -> Local Area Connection -> Properties and clear every checkbox except Internet Protocol Version 4 (TCP/IPv4), in particular Client for Microsoft Networks and File and Printer Sharing for Microsoft Networks.

  6. Disable IPv6:

    Open Network Connections -> Local Area Connection -> Properties and clear the Internet Protocol Version 6 (TCP/IPv6) checkbox.

    Then edit the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters add a DWORD value named DisabledComponents with the hexadecimal value FFFFFFFF (eight F's). Microsoft's documented value for disabling every IPv6 component except the loopback interface is 0xFF; with either value a reboot is required before the change takes effect.

  7. Disable the Microsoft network client and SMB (closes port 445):

    Port 445 is the port on which SMB (file and printer sharing) runs directly over TCP, without NetBIOS. A typical server does not need to expose any shares to the LAN, so it can be closed. (NetBIOS name resolution itself uses UDP port 137, which step 4 covers.)

    Edit the registry: under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters add a DWORD value named SMBDeviceEnabled with the value 0, then reboot. This also blocks the administrative shares and any remote management that relies on them, so plan an alternative management path (for example RDP restricted to administrator addresses, step 10) before applying it.

  8. Disable LLMNR (closes UDP port 5355):

    Turn it off with Group Policy: run gpedit.msc, go to Computer Configuration -> Administrative Templates -> Network -> DNS Client, and set "Turn off multicast name resolution" to Enabled. LLMNR answers name queries by multicast on the local segment, which lets an attacker on the same LAN answer for any name and collect the credentials the server then presents.
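    The same steps 3 to 8 applied from an elevated PowerShell prompt, as an added example that is not part of the original article. It assumes Windows Server 2012 or later for the NetAdapter and NetTCPIP cmdlets (the service and registry changes apply to 2008 R2 as well); the service short names are the standard ones for the display names listed above, and a reboot is needed before the port-level changes show up:

```powershell
# Added example, not from the original article: steps 3-8 from an elevated
# PowerShell prompt. Assumes Windows Server 2012 or later (NetAdapter/NetTCPIP
# cmdlets); reboot afterwards for the port-level changes to take effect.

# Step 3: short names of the services listed in the article.
$servicesToDisable = @(
    'ALG',              # Application Layer Gateway Service
    'BITS',             # Background Intelligent Transfer Service
    'Browser',          # Computer Browser
    'Dhcp',             # DHCP Client: keep if the address comes from DHCP
    'DPS',              # Diagnostic Policy Service
    'MSDTC',            # Distributed Transaction Coordinator
    'Dnscache',         # DNS Client: resolution keeps working, just uncached
    'TrkWks',           # Distributed Link Tracking Client
    'RemoteRegistry',   # Remote Registry
    'Spooler',          # Print Spooler
    'LanmanServer',     # Server: also removes the C$/ADMIN$ shares
    'ShellHWDetection', # Shell Hardware Detection
    'lmhosts',          # TCP/IP NetBIOS Helper
    'WinRM'             # Windows Remote Management: keep for remote PowerShell
)
foreach ($name in $servicesToDisable) {
    if (-not (Get-Service -Name $name -ErrorAction SilentlyContinue)) { continue }  # not on this build
    try {
        Set-Service  -Name $name -StartupType Disabled -ErrorAction Stop
        Stop-Service -Name $name -Force -ErrorAction Stop
    } catch {
        Write-Warning "Could not disable ${name}: $($_.Exception.Message)"
    }
}

# Step 4: NetBIOS over TCP/IP off on every IP-enabled adapter (closes 137-139).
# TcpipNetbiosOptions: 0 = use DHCP setting, 1 = enabled, 2 = disabled.
Get-CimInstance Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
    Invoke-CimMethod -MethodName SetTcpipNetbios -Arguments @{ TcpipNetbiosOptions = 2 } |
    Out-Null

# Step 5: unbind Client for Microsoft Networks and File and Printer Sharing.
Disable-NetAdapterBinding -Name '*' -ComponentID 'ms_msclient', 'ms_server'

# Step 6: IPv6. 0xFF is Microsoft's documented "disable all but loopback" value;
# the article's 0xFFFFFFFF disables the loopback interface too.
$tcpip6 = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters'
New-ItemProperty -Path $tcpip6 -Name DisabledComponents -PropertyType DWord -Value 0xFF -Force | Out-Null

# Step 7: stop SMB listening on TCP 445.
$netbt = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'
New-ItemProperty -Path $netbt -Name SMBDeviceEnabled -PropertyType DWord -Value 0 -Force | Out-Null

# Step 8: LLMNR off. Registry form of the Group Policy setting
# "Turn off multicast name resolution" = Enabled (closes UDP 5355).
$dnsPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
New-Item -Path $dnsPolicy -Force | Out-Null
New-ItemProperty -Path $dnsPolicy -Name EnableMulticast -PropertyType DWord -Value 0 -Force | Out-Null

# Verification (run after the reboot): both queries should return nothing.
Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 139, 445 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
Get-NetUDPEndpoint -ErrorAction SilentlyContinue |
    Where-Object { $_.LocalPort -in 137, 138, 5355 } |
    Select-Object LocalAddress, LocalPort, OwningProcess
```

    Comment out the DHCP Client, Server or Windows Remote Management entries if the machine depends on them. Run the two verification queries after the reboot: any row still listed on 139/445 or on UDP 137/138/5355 means one of the settings did not apply (on newer builds the DNS Client service refuses to stop, which the script only warns about).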

  9. Tighten network access restrictions:

    Press Win+R, run secpol.msc, and go to Security Settings -> Local Policies -> Security Options:

    Network access: Do not allow anonymous enumeration of SAM accounts: Enabled

    Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled

    Network access: Let Everyone permissions apply to anonymous users: Disabled

    Accounts: Limit local account use of blank passwords to console logon only: Enabled

  10. Change the default remote desktop port (3389):

    1. Firewall settings

    Open Control Panel -> Windows Firewall -> Advanced settings -> Inbound Rules -> New Rule, choose Port, enter the specific TCP port (for example 13688), and choose Allow the connection. Then right-click the new rule, open Properties -> Scope, leave Local IP address at Any IP address, and under Remote IP address choose These IP addresses and add the administrator's IP. The same scope restriction can be applied to other ports (such as 80) to limit them to specific address ranges. Add this rule before changing the port, otherwise the new port is blocked and remote access is lost.

    2. Registry settings

    Run regedit and change the PortNumber value (default 3389, shown in hexadecimal as d3d) to the new port, for example 13688, in both of these keys:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

    The change takes effect after Remote Desktop Services is restarted (or the server is rebooted); confirm the new listener with netstat -ano before closing 3389 in the firewall. Moving the port only reduces noise from automated scanners; the scope restriction to administrator addresses is the actual control.
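    The same port change as a script, in the safe order (open the new port, move the listener, verify, then block the old port), as an added example that is not part of the original article. It assumes Windows Server 2012 or later for the NetSecurity cmdlets; $NewPort and $AdminIP are placeholders, and 203.0.113.10 is a documentation address that must be replaced with the real management host or subnet:

```powershell
# Added example, not from the original article: step 10 from an elevated
# PowerShell prompt. Assumes Windows Server 2012 or later (NetSecurity module).
# $NewPort and $AdminIP are placeholders; 203.0.113.10 is a documentation
# address, replace it with the real management host or subnet.
$NewPort = 13688
$AdminIP = '203.0.113.10'

# 1. Open the new port first, scoped to the admin address, so that moving the
#    listener cannot lock you out. -RemoteAddress is the GUI's "Scope" tab.
New-NetFirewallRule -DisplayName "RDP on $NewPort (admin only)" -Direction Inbound `
    -Protocol TCP -LocalPort $NewPort -RemoteAddress $AdminIP -Action Allow | Out-Null

# The same scoping works for any other exposed port, e.g. HTTP from one subnet:
# New-NetFirewallRule -DisplayName 'HTTP from office' -Direction Inbound `
#     -Protocol TCP -LocalPort 80 -RemoteAddress '198.51.100.0/24' -Action Allow

# 2. Point both RDP listener keys at the new port (DWORD; 3389 = 0xD3D).
$rdpKeys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)
foreach ($key in $rdpKeys) {
    Set-ItemProperty -Path $key -Name PortNumber -Type DWord -Value $NewPort
}

# 3. Restart Remote Desktop Services (this drops active RDP sessions) and
#    confirm the listener moved before touching 3389.
Restart-Service -Name TermService -Force
Start-Sleep -Seconds 5
$listening = Get-NetTCPConnection -State Listen -LocalPort $NewPort -ErrorAction SilentlyContinue
if (-not $listening) {
    throw "Nothing is listening on TCP $NewPort; leave 3389 open and re-check the PortNumber values"
}
"RDP is now listening on TCP $NewPort"

# 4. Run this only after an RDP session to $NewPort from $AdminIP has succeeded.
#    An explicit block rule wins over the built-in allow rule for 3389, so the
#    built-in rule's (version-specific) name does not matter.
# New-NetFirewallRule -DisplayName 'Block RDP default port 3389' -Direction Inbound `
#     -Protocol TCP -LocalPort 3389 -Action Block | Out-Null
```

    On 2008 R2, where the NetSecurity module is absent, the two firewall rules can be created with netsh advfirewall firewall add rule using the same port and remoteip values, and the listener check with netstat -ano.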

  11. Remove Everyone's permissions on drive roots:

    Right-click each drive (Disk) -> Properties -> Security and check whether the root of the drive grants Everyone Full Control.

    Remove the Everyone entry, or at least its write permissions, and grant the specific groups that need access instead, so that normal users are not locked out.
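    The same check as a script, as an added example that is not part of the original article: it lists every fixed-drive root where Everyone holds a write-class right and, with -Fix, removes those entries. Everyone is matched by its well-known SID S-1-1-0 so the check works on localized systems; it assumes Windows PowerShell 3.0 or later and an elevated prompt:

```powershell
# Added example, not from the original article: step 11 as a script. Assumes
# Windows PowerShell 3.0 or later, run elevated.
function Test-EveryoneWriteAccess {
    param([switch]$Fix)
    # Any ACE carrying a write bit, plus the generic GENERIC_ALL (0x10000000) and
    # GENERIC_WRITE (0x40000000) bits that show up on inherit-only entries.
    $writeMask = [int][System.Security.AccessControl.FileSystemRights]::Write -bor 0x10000000 -bor 0x40000000
    $everyone  = New-Object System.Security.Principal.SecurityIdentifier 'S-1-1-0'

    # DriveType 3 = local fixed disk; DeviceID is "C:" so append the backslash.
    $roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 3' |
        ForEach-Object { $_.DeviceID + '\' }

    foreach ($root in $roots) {
        $acl = Get-Acl -Path $root
        $bad = @($acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Translate([System.Security.Principal.SecurityIdentifier]) -eq $everyone -and
            ([int]$_.FileSystemRights -band $writeMask) -ne 0
        })
        foreach ($ace in $bad) {
            [pscustomobject]@{ Drive = $root; Rights = $ace.FileSystemRights; Inherited = $ace.IsInherited }
            # Inherited entries belong to a parent object and cannot be removed here.
            if ($Fix -and -not $ace.IsInherited) { $acl.RemoveAccessRule($ace) | Out-Null }
        }
        if ($Fix -and $bad.Count -gt 0) { Set-Acl -Path $root -AclObject $acl }
    }
}

Test-EveryoneWriteAccess          # report only
# Test-EveryoneWriteAccess -Fix   # remove Everyone's write-class entries
```

    Run the report first. Before using -Fix on a data volume, make sure Authenticated Users or the specific groups that need the drive have entries of their own; if Everyone was the only grant, removing it removes everybody's access.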

  12. Enable audit logging:

    Press Win+R, run secpol.msc, and go to Security Settings -> Local Policies -> Audit Policy.

    Recommended settings:

    Audit policy change: Success

    Audit logon events: Success, failure

    Audit object access: Success

    Audit process tracking: success, failure

    Audit directory service access: Success, failure (only produces events on a domain controller)

    Audit system events: success, failure

    Audit account logon events: Success, failure

    Audit account Management: Success, failure
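    Steps 1, 2, 9 and 12 can be applied in one pass with a security template and secedit instead of clicking through secpol.msc; the following is an added example and not part of the original article. It uses the article's values except for two that a practitioner would tighten (minimum password age 1 day and 24 passwords remembered, which stop users from cycling straight back to an old password); the administrator name srvadmin is an assumption, and the verification lines assume Windows PowerShell 3.0 or later:

```powershell
# Added example, not from the original article: steps 1, 2, 9 and 12 through a
# security template applied with secedit. 'srvadmin' is an assumed name.
# Registry entries use secedit's "path=type,value" form (4 = REG_DWORD);
# [Event Audit] values are 0 none, 1 success, 2 failure, 3 success and failure.
$inf = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
NewAdministratorName = "srvadmin"
EnableGuestAccount = 0
PasswordComplexity = 1
MinimumPasswordLength = 8
MinimumPasswordAge = 1
MaximumPasswordAge = 90
PasswordHistorySize = 24
ClearTextPassword = 0
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\EveryoneIncludesAnonymous=4,0
MACHINE\System\CurrentControlSet\Control\Lsa\LimitBlankPasswordUse=4,1
[Event Audit]
AuditPolicyChange = 1
AuditLogonEvents = 3
AuditObjectAccess = 1
AuditProcessTracking = 3
AuditDSAccess = 3
AuditSystemEvents = 3
AuditAccountLogon = 3
AuditAccountManage = 3
'@

$infPath = Join-Path $env:TEMP 'harden.inf'
$dbPath  = Join-Path $env:TEMP 'harden.sdb'
Set-Content -Path $infPath -Value $inf -Encoding Unicode   # secedit expects a Unicode INF

secedit /configure /db $dbPath /cfg $infPath /areas SECURITYPOLICY /overwrite /quiet
if ($LASTEXITCODE -ne 0) {
    throw "secedit failed (exit $LASTEXITCODE); see $env:windir\security\logs\scesrv.log"
}

# Verification
net accounts                    # password policy as applied
auditpol /get /category:*       # effective audit settings

# Renaming does not hide the built-in administrator: it still has RID 500 and
# is found by SID, so the rename is a speed bump, not a control.
Get-CimInstance Win32_UserAccount -Filter 'LocalAccount = TRUE' |
    Where-Object { $_.SID -like '*-500' } |
    Select-Object Name, SID, Disabled
```

    The last query should list the renamed account, which is the point: an attacker with anonymous SAM access could do the same, so the two RestrictAnonymous entries in the template matter more than the rename. On a domain member, settings pushed by domain Group Policy override what secedit writes locally.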

  13. Block ICMP echo (ping):

    Open Windows Firewall from the server's Control Panel, click Advanced Settings -> Inbound Rules, and find File and Printer Sharing (Echo Request - ICMPv4-In). Enabling this rule allows the server to be pinged; disabling it stops other hosts from pinging the server, without affecting TCP or UDP connections. Blocking ping only hides the host from the crudest scans; a port scan still finds its open TCP services.

  14. Configure IIS not to return verbose error messages:

    In web.config, do not set the mode attribute of the <customErrors> element to "Off", because that shows users the full exception details; use "RemoteOnly" (details only when browsing from the server itself) or "On". Also remove the Directory Browsing, ASP, CGI, and Server Side Includes role services from the IIS role if they are not needed.
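    A script for the same step, as an added example that is not part of the original article: it removes the four role services and scans each web.config for an explicit mode="Off", rewriting it to RemoteOnly when -Fix is given. It assumes Windows Server 2012 or later for the ServerManager cmdlets, and that site configuration files live under C:\inetpub, which is the default location and an assumption here:

```powershell
# Added example, not from the original article: step 14 as a script. Assumes
# Windows Server 2012 or later (ServerManager module) and site web.config files
# under C:\inetpub (an assumption). Run elevated.
Import-Module ServerManager

# 1. Remove the role services the article lists, if they are installed.
$unneeded  = 'Web-Dir-Browsing', 'Web-ASP', 'Web-CGI', 'Web-Includes'
$installed = Get-WindowsFeature -Name $unneeded | Where-Object Installed
if ($installed) { Uninstall-WindowsFeature -Name $installed.Name | Out-Null }

# 2. Find web.config files that leak exception details to remote users.
#    mode="Off" shows stack traces to everyone; "RemoteOnly" only to requests
#    from the server itself; "On" to nobody. A missing <customErrors> element
#    defaults to RemoteOnly, so only an explicit Off is reported.
function Repair-CustomErrors {
    param([string]$ConfigPath, [switch]$Fix)
    [xml]$cfg = Get-Content -Path $ConfigPath -Raw
    $node = $cfg.SelectSingleNode('/configuration/system.web/customErrors')
    if ($null -eq $node -or $node.GetAttribute('mode') -ne 'Off') { return $null }
    if ($Fix) {
        $node.SetAttribute('mode', 'RemoteOnly')
        $cfg.Save($ConfigPath)
    }
    [pscustomobject]@{ Path = $ConfigPath; WasOff = $true; Fixed = [bool]$Fix }
}

Get-ChildItem -Path 'C:\inetpub' -Recurse -Filter web.config -ErrorAction SilentlyContinue |
    ForEach-Object { Repair-CustomErrors -ConfigPath $_.FullName } |   # add -Fix to rewrite
    Format-Table -AutoSize
```

    The report form is safe to run on a production box; re-run with -Fix on the files it lists. Applications that deploy their own web.config will put the setting back on the next deployment, so the fix belongs in the application's source as well.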


This article is from the "unrestrained" blog; please keep this source: http://techmc.blog.51cto.com/740121/1981423
