Windows Server 2003 Network Server Security Introduction

Source: Internet
Author: User
Tags: sql injection, microsoft baseline security analyzer

I. Installing Windows Server 2003

1. The installation needs at least two partitions, both formatted as NTFS.

2. Install the 2003 system with the network disconnected.

3. Install IIS, but only the IIS components you actually need (for example, leave out the FTP and SMTP services if they are not wanted). IIS is not installed by default: in Add/Remove Windows Components select Application Server, click Details, double-click Internet Information Services (IIS), and select the following options:

Internet Information Services Manager;

Common Files;

Background Intelligent Transfer Service (BITS) server Extensions;

World Wide Web services.

If you host a web site that relies on FrontPage extensions, also check FrontPage 2002 Server Extensions.

4. Install MSSQL and any other required software, and then apply updates.

5. Use Microsoft's MBSA (Microsoft Baseline Security Analyzer) tool to analyze the computer's security configuration and identify missing patches and updates. Download address: see the link at the end of the page.

II. Setting up and managing accounts

1. Create as few administrator accounts as possible. Rename the default Administrator account and change its description. Its password should combine upper-case letters, lower-case letters and digits and should be no shorter than 14 characters.

2. Create a decoy account named Administrator, give it the minimum permissions, and set a random password of no fewer than 20 characters.

3. Disable the Guest account, change its name and description, and set a complex password. There is also a DelGuest tool that can perhaps be used to delete the Guest account, but I have not tried it.

4. In Run, enter gpedit.msc and press Enter to open the Group Policy Editor. Select Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy, and set the account lockout threshold to 3 invalid logon attempts, the account lockout duration to 0 minutes (in Windows this means the account stays locked until an administrator unlocks it), and the reset of the lockout counter to 30 minutes.

5. Under Security Settings - Local Policies - Security Options, set "Do not display last user name" to Enabled.

6. Under Security Settings - Local Policies - User Rights Assignment, for "Access this computer from the network" keep only the Internet Guest account and the account that starts the IIS process. If you use ASP.NET, also keep the ASPNET account.

7. Create an ordinary user account for day-to-day work on the system, and use the runas command when you need to run privileged commands.

III. Network service security management

1. Disable the default administrative shares (C$, D$, ADMIN$ and the like)

Open the registry at HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters and, in the right-hand pane, create a new DWORD value named AutoShareServer with the value 0.

2. Unbind NetBIOS from TCP/IP

Right-click Network Neighborhood - Properties - right-click Local Area Connection - Properties - double-click Internet Protocol (TCP/IP) - Advanced - WINS - Disable NetBIOS over TCP/IP.

3. Turn off unneeded services. The following settings are recommended:

Computer Browser: maintains the list of computers on the network; disable.

Distributed File System: manages shared files across the LAN; disable if not needed.

Distributed Link Tracking Client: updates link information across the LAN; disable if not needed.

Error Reporting Service: disable, so that error reports are not sent.

Microsoft Search: provides fast full-text search; disable if not needed.

NTLM Security Support Provider: used by the Telnet service and Microsoft Search; disable if not needed.

Print Spooler: disable if there are no printers.

Remote Registry: disable, to prevent the registry from being modified remotely.

Remote Desktop Help Session Manager: disable if Remote Assistance is not used.

IV. Enable an appropriate audit policy

In Run, enter gpedit.msc and press Enter to open the Group Policy Editor, then select Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy. When choosing what to audit, keep in mind that the more items you audit, the more events are generated and the harder it becomes to spot a serious one; audit too little, however, and you may miss serious events. You need to strike a balance between the two according to your situation.

The recommended items to audit are:

Audit logon events: success, failure

Audit account logon events: success, failure

Audit system events: success, failure

Audit policy change: success, failure

Audit object access: failure

Audit directory service access: failure

Audit privilege use: failure

V. Other security-related settings

1. Hide important files/directories

You can modify the registry to hide them completely: under HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click CheckedValue, select Modify, and change the value from 1 to 0.

2. Enable the Internet Connection Firewall, and under Settings - Services check Web Server (HTTP).

3. Protect against SYN flood attacks

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

create a new DWORD value named SynAttackProtect with the value 2.

4. Do not respond to ICMP router advertisement messages

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{interface GUID} (one subkey per network interface)

create a new DWORD value named PerformRouterDiscovery with the value 0.

5. Protect against ICMP redirect attacks

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

set the EnableICMPRedirect value to 0.

6. Disable IGMP (multicast) support

Under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

create a new DWORD value named IGMPLevel with the value 0.
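As an added example that is not part of the original article, the following Python script checks a `reg export` of the Tcpip\Parameters key against the values given in items 3 to 6 and reports anything missing or set differently, walking every per-interface subkey for PerformRouterDiscovery. The .reg text is constructed for the demonstration and the interface GUIDs in it are placeholders.

```python
import re

# Values recommended in items 3 to 6 above, all under the Tcpip\Parameters key.
# PerformRouterDiscovery lives under every interface GUID, so it is matched by prefix.
TCPIP = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
EXPECTED = {"SynAttackProtect": 2, "EnableICMPRedirect": 0, "IGMPLevel": 0}
PER_INTERFACE = ("PerformRouterDiscovery", 0)

# Constructed `reg export` style text (not from a real machine): SynAttackProtect is
# missing entirely and one interface still answers router discovery.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters]
"EnableICMPRedirect"=dword:00000000
"IGMPLevel"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{11111111-0000-0000-0000-000000000001}]
"PerformRouterDiscovery"=dword:00000000

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\{22222222-0000-0000-0000-000000000002}]
"PerformRouterDiscovery"=dword:00000001
"""

def parse_reg(text):
    """{key path (lower-cased): {value name (lower-cased): int}} for dword values only."""
    keys, cur = {}, None
    for line in text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            cur = keys.setdefault(line[1:-1].lower(), {})  # registry paths are case-insensitive
        elif cur is not None:
            m = re.match(r'^"([^"]+)"=dword:([0-9a-fA-F]{8})$', line)
            if m:
                cur[m.group(1).lower()] = int(m.group(2), 16)
    return keys

def audit(reg_text):
    """[(key, value name, found value or None, expected)] for each recommendation not met."""
    keys = parse_reg(reg_text)
    checks = [(TCPIP.lower(), name, exp) for name, exp in EXPECTED.items()]
    iface_prefix = TCPIP.lower() + "\\interfaces\\"
    checks += [(k, *PER_INTERFACE) for k in keys if k.startswith(iface_prefix)]
    return [(key, name, keys.get(key, {}).get(name.lower()), exp)
            for key, name, exp in checks
            if keys.get(key, {}).get(name.lower()) != exp]
```

Running `audit` on the output of `reg export HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters` gives a quick re-check after patching or reimaging the machine.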

7. Disable DCOM:

In Run, enter dcomcnfg.exe and press Enter. Under Console Root click Component Services and open the Computers subfolder.

For the local computer, right-click My Computer and select Properties, then select the Default Properties tab.

Clear the "Enable Distributed COM on this computer" check box.

Note: for items 3-6 I am using the Server 2000 settings and have not tested whether they work on 2003. But one thing is certain: in the time I have used them I have not found any side effects in other areas.

VI. Configuring the IIS service:

1. Do not use the default Web site; if you do use it, keep the IIS directory on a disk separate from the system disk.

2. Delete the Inetpub directory that IIS creates by default (on the system disk).

3. Delete the virtual directories under the system disk, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin and MSADC.

4. Remove unnecessary IIS extension mappings.

Right-click the default Web site → Properties → Home Directory → Configuration to open the Application Configuration window, and remove the unneeded application mappings, mainly .shtml, .shtm and .stm.

5. Change the path of the IIS log

Right-click the default Web site → Properties → Web Site tab → click Properties under Enable Logging.

6. If you are using 2000, you can use IISLockdown to protect IIS; it is not needed for IIS 6.0 on 2003.

7. Use URLScan

URLScan is an ISAPI filter that analyzes incoming HTTP requests and can reject any suspicious traffic. The latest version is 2.5; on 2000 Server you need to install version 1.0 or 2.0 first. Download address: no link on the page.

If you have no special requirements, the URLScan default configuration is fine.

But if you run an ASP.NET application on the server and want to debug it, you need to open %windir%\system32\inetsrv\urlscan\urlscan.ini and add the DEBUG verb in the [AllowVerbs] section (the section URLScan consults when UseAllowVerbs=1 in [options]). Note that this section is case-sensitive.

If your pages are .asp pages, delete the .asp-related entries in [DenyExtensions].

If your pages use non-ASCII characters, set AllowHighBitCharacters to 1 in the [options] section.

After changing urlscan.ini you need to restart the IIS service for the change to take effect: enter iisreset in Run.

If you run into problems after the configuration, you can remove URLScan via Add/Remove Programs.
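The three urlscan.ini edits just described, applied by a Python script rather than by hand; this is an added example, not code from the original article or from URLScan. It preserves the file's layout and comments, and the sample ini it works on is constructed, not the file URLScan ships.

```python
import re
# Constructed sample laid out like a urlscan.ini (not the file URLScan ships).
SAMPLE_INI = """[options]
AllowHighBitCharacters=0
[AllowVerbs]
GET
POST

[DenyExtensions]
.asp
.asa
"""
SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")
_is_entry = lambda l: bool(l.strip()) and not l.strip().startswith(";")  # skip blanks/comments

def parse(text):  # -> [(header line or None, [body lines]), ...]; every line is kept
    parts = [(None, [])]
    for line in text.splitlines():
        parts.append((line, [])) if SECTION_RE.match(line) else parts[-1][1].append(line)
    return parts

def _body(parts, section):  # section names are matched case-insensitively
    for h, b in parts:
        if h and SECTION_RE.match(h).group(1).lower() == section.lower():
            return b
    raise KeyError(section)

def entries(text, section):
    return [l.strip() for l in _body(parse(text), section) if _is_entry(l)]

def add_entry(parts, section, entry):  # exact-case comparison, as URLScan's own is
    b = _body(parts, section)
    if entry not in [l.strip() for l in b if _is_entry(l)]:
        b.insert(max((i for i, l in enumerate(b) if l.strip()), default=-1) + 1, entry)

def set_option(parts, section, key, value):
    b = _body(parts, section)
    for i, l in enumerate(b):
        if re.match(rf"\s*{re.escape(key)}\s*=", l, re.I):
            b[i] = f"{key}={value}"; return
    add_entry(parts, section, f"{key}={value}")

def apply_page_edits(text):  # the three edits described above for an ASP.NET site
    parts = parse(text)
    add_entry(parts, "AllowVerbs", "DEBUG")
    b = _body(parts, "DenyExtensions")  # drop the .asp-related entries only
    b[:] = [l for l in b if not (_is_entry(l) and l.strip().lower().startswith(".asp"))]
    set_option(parts, "options", "AllowHighBitCharacters", "1")
    return "\n".join(l for h, b in parts for l in ([h] if h else []) + b) + "\n"
```

Write the returned text back to urlscan.ini and run iisreset as the article says; applying the function twice yields the same file, so it is safe to re-run.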

8. Use the WIS (Web Injection Scanner) tool to scan the whole website for SQL injection vulnerabilities.

Download address: vb.net enthusiasts

VII. Configuring SQL Server

1. The sysadmin role should preferably have no more than two members.

2. If SQL Server runs on this same machine, it is best to configure authentication to Windows login only.

3. Do not use the sa account, and configure an extremely complex password for it.

4. Delete the following extended stored procedures. The syntax is:

USE master

EXEC sp_dropextendedproc 'extended stored procedure name'

xp_cmdshell: the most direct route into the operating system; delete it.

Stored procedures that access the registry; delete them:

xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues

xp_regread xp_regwrite xp_regremovemultistring

OLE Automation stored procedures; delete them if they are not needed:

sp_OACreate sp_OADestroy sp_OAGetErrorInfo sp_OAGetProperty

sp_OAMethod sp_OASetProperty sp_OAStop

5. Hide SQL Server and change the default port 1433

Select the instance, then under Properties - General - network configuration open the properties of the TCP/IP protocol, choose Hide SQL Server instance, and change the default port 1433.

VIII. If the machine is only used as a server and does nothing else, use IPSec

1. Administrative Tools - Local Security Policy - right-click IP Security Policies - Manage IP filter lists and filter actions - on the Manage IP Filter Lists tab click

Add - name it "Web filter" - click Add - enter "Web server" as the description - set the source address to Any IP Address - set the destination address to My IP Address - set the protocol type to TCP - for the IP protocol port set the first item to From any port and the second to To this port: 80 - click Finish - click OK.

2. Again on the Manage IP Filter Lists tab click

Add - name it "All inbound filter" - click Add - enter "All inbound filter" as the description - set the source address to Any IP Address - set the destination address to My IP Address - set the protocol type to Any - click Next - Finish - click OK.

3. On the Manage Filter Actions tab click Add - Next - enter the name "Block" - Next - select Block - Next - Finish - close the Manage IP filter lists and filter actions window.

4. Right-click IP Security Policies - Create IP Security Policy - Next - enter the name "Packet filter" - Next - clear the "Activate the default response rule" check box - Next - Finish.

5. In the properties window of the new IP security policy that opens, select Add - Next - This rule does not specify a tunnel - Next - All network connections - Next - in the IP filter list select the new "Web filter" - Next - select Permit as the filter action - Next - Finish. Then Add again, select the new "All inbound filter" in the IP filter list - Next - select Block as the filter action - Next - Finish - OK.

6. In the right-hand pane of IP Security Policies, right-click the new "Packet filter" policy and click Assign. No reboot is needed; IPSec takes effect immediately.

IX. Recommendations

If you follow this article, test the server after every single change you make; if a change causes a problem, you can then undo it immediately. If you only discover a problem after making many changes, it is hard to determine which step caused it.

X. Record the server's running programs and open ports

1. Take a screenshot or a written record of the processes currently running on the server and save it, so that later you can check whether any unknown programs have appeared.

2. Take a screenshot or a written record of the currently open ports and save it, so that later you can easily check whether any unknown ports have been opened. Of course, if you can tell which process owns each port, this step can be omitted.
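To make the comparison in items 1 and 2 repeatable, here is an added Python example (not from the original article) that diffs a saved `netstat -ano` and `tasklist /fo csv` snapshot against a current one and names the owning process for every newly listening port. The snapshots below are constructed; newproc.exe on port 9000 is a made-up entry standing in for the "unknown program" the article wants you to notice.

```python
import csv, io, re

# Constructed sample outputs (not captured from a real server) in the formats of
# `netstat -ano` and `tasklist /fo csv` on Windows; they stand in for saved snapshots.
BASELINE_NETSTAT = """  Proto  Local Address          Foreign Address        State           PID
  TCP    0.0.0.0:80             0.0.0.0:0              LISTENING       1456
  TCP    0.0.0.0:1433           0.0.0.0:0              LISTENING       1620
  TCP    10.0.0.5:80            10.0.0.9:51000         ESTABLISHED     1456
  UDP    0.0.0.0:445            *:*                                    4
"""
CURRENT_NETSTAT = BASELINE_NETSTAT + \
    "  TCP    0.0.0.0:9000           0.0.0.0:0              LISTENING       2100\n"
BASELINE_TASKLIST = '''"Image Name","PID","Session Name","Session#","Mem Usage"
"inetinfo.exe","1456","Console","0","12,000 K"
"sqlservr.exe","1620","Console","0","40,000 K"
'''
CURRENT_TASKLIST = BASELINE_TASKLIST + '"newproc.exe","2100","Console","0","3,000 K"\n'

LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+)\s+(\S+)\s+(?:(\S+)\s+)?(\d+)\s*$")

def listeners(netstat_text):
    """{(proto, port): pid} for TCP sockets in LISTENING state and for every UDP socket."""
    found = {}
    for line in netstat_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proto, local, _foreign, state, pid = m.groups()
        if proto == "TCP" and state != "LISTENING":
            continue
        port = int(local.rsplit(":", 1)[1])      # rsplit so [::]:80 parses too
        found[(proto, port)] = int(pid)
    return found

def processes(tasklist_csv):
    """{pid: image name} from `tasklist /fo csv` output."""
    return {int(r["PID"]): r["Image Name"] for r in csv.DictReader(io.StringIO(tasklist_csv))}

def new_processes(baseline_tasklist, current_tasklist):
    """Image names running now that never appeared in the baseline snapshot."""
    known = set(processes(baseline_tasklist).values())
    return sorted(set(processes(current_tasklist).values()) - known)

def new_listeners(baseline_netstat, current_netstat, current_tasklist):
    """(proto, port, pid, image) for ports listening now but absent from the baseline."""
    base, procs = listeners(baseline_netstat), processes(current_tasklist)
    return sorted((proto, port, pid, procs.get(pid, "<pid not in tasklist>"))
                  for (proto, port), pid in listeners(current_netstat).items()
                  if (proto, port) not in base)
```

Save the two command outputs to files right after hardening, and feed a fresh pair to `new_processes` and `new_listeners` whenever you re-check the server.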

