Windows 2003 Server Security Configuration: detailed article (Win Server)

Source: Internet
Author: User
Tags: anonymous ftp, net command, ftp client, net send, pcanywhere
This differs from the previous two demos: this one basically leaves the system's default permission groups unchanged and keeps the original layout, so that removing something improperly does not cause inexplicable errors.
After reading this demo, the earlier "Ultra detailed Web server permissions settings, accurate to each folder" and "Super detailed Web server permissions settings, Event Viewer completely without error" no longer need to be read. This one is better than the originals. The operating system is a Rain Forest Wind ghost image, patched up to 11.2, fully up to date.
Whether the Power Users group is removed does not matter.
See the demo for the concrete operations.
Permission settings for the directories under the Windows root directory:
C:\WINDOWS\Application Compatibility Scripts: no changes needed, including all of its subdirectories
C:\WINDOWS\AppPatch: AcWebSvc.dll already has Users group permissions; add Users group permissions to the other files
C:\WINDOWS\Connection Wizard: remove Users group permissions
C:\WINDOWS\Debug: Users group permissions unchanged by default
C:\WINDOWS\Debug\UserMode: by default the permissions allow writing files; remove Users group permissions and grant the special permissions shown in the demo
C:\WINDOWS\Debug\WPD: if Authenticated Users group permissions are not removed, that group can write files and create directories here
C:\WINDOWS\Driver Cache: remove Users group permissions, and give Users group permissions to all files under the I386 folder
C:\WINDOWS\Help: remove Users group permissions
C:\WINDOWS\Help\iisHelp\common: remove Users group permissions
C:\WINDOWS\IIS Temporary Compressed Files: not modified by default
C:\WINDOWS\ime: no changes, including all subdirectories below it
C:\WINDOWS\inf: no changes, including all subdirectories below it
C:\WINDOWS\Installer: remove Everyone group permissions, and give the files under the directory Everyone group Read and Execute permissions
C:\WINDOWS\java: remove Users group permissions and add Users group permissions to all files in the subdirectories
C:\WINDOWS\MAGICSET: default unchanged
C:\WINDOWS\Media: default unchanged
C:\WINDOWS\Microsoft.NET: no changes, including all subdirectories below it
C:\WINDOWS\msagent: remove Users group permissions and add Users group permissions to all files in the subdirectories
C:\WINDOWS\msapps: no changes, including all subdirectories below it
C:\WINDOWS\mui: remove Users group permissions
C:\WINDOWS\PCHEALTH: default unchanged
C:\WINDOWS\PCHEALTH\ERRORREP\QHEADLES: remove Everyone group permissions
C:\WINDOWS\PCHEALTH\ERRORREP\QSIGNOFF: remove Everyone group permissions
C:\WINDOWS\PCHealth\UploadLB: remove Everyone group permissions; the other subdirectories need no attention, as they have no Users group or Everyone group permissions
C:\WINDOWS\PCHEALTH\HELPCTR: remove Everyone group permissions; the other subdirectories need no attention, as they have no Users group or Everyone group permissions (this does not follow the search done in the demo; those files do not need Users group permissions added)
C:\WINDOWS\PIF: default unchanged
C:\WINDOWS\PolicyBackup: default; add Users group permissions to all files in the subdirectories
C:\WINDOWS\Prefetch: default unchanged
C:\WINDOWS\provisioning: default; add Users group permissions to all files in the subdirectories
C:\WINDOWS\pss: default; add Users group permissions to all files in the subdirectories
C:\WINDOWS\RegisteredPackages: default; add Users group permissions to all files in the subdirectories
C:\WINDOWS\Registration\CRMLog: by default this has Write permission; remove Users group permissions
C:\WINDOWS\Registration: remove Everyone group permissions; for the files under the subdirectories, add Network Service and give Everyone Read permission
C:\WINDOWS\repair: remove Users group permissions
C:\WINDOWS\Resources: remove Users group permissions
C:\WINDOWS\security: Users group unchanged by default; its Database and logs directories are also unchanged by default. Remove Users group permissions from the templates directory and add Users group permissions to the files in it
C:\WINDOWS\ServicePackFiles: no changes, including all subdirectories below it
C:\WINDOWS\SoftwareDistribution: no changes, including all subdirectories below it
C:\WINDOWS\srchasst: no changes, including all subdirectories below it
C:\WINDOWS\system: keep the default
C:\WINDOWS\TAPI: remove Users group permissions; the permissions on tsec.ini are unchanged
C:\WINDOWS\twain_32: remove Users group permissions from the directory and add Users group permissions to the files in it
C:\WINDOWS\vnDrvBas: no changes, including all subdirectories below it
C:\WINDOWS\Web: remove Users group permissions from the directory and add Users group permissions to all files under it
C:\WINDOWS\WinSxS: remove Users group permissions; search for *.tlb, *.policy, *.cat, *.manifest and *.dll and add Everyone group and Users group permissions to those files
Give Network Service full control of this directory.
C:\WINDOWS\system32\wbem: this directory plays an important role. If you do not give the Users group permissions, opening some applications becomes very slow, and sometimes a bunch of errors are reported in the Event Viewer, causing some programs not to work correctly. But so that a web shell cannot browse a directory that belongs to the system, give only the *.dll files in the wbem directory Users group and Everyone group permissions:
*.dll: Users; Everyone
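As an added example, not part of the original article, the following PowerShell 2.0 script audits the directories listed above for Allow entries that still give Users, Everyone or Authenticated Users write access, which is what the changes above are meant to remove; the directory subset and group names in it are assumptions drawn from the list.

```powershell
# Added example (not from the original article): audit NTFS ACLs on the
# C:\WINDOWS subdirectories the article tells you to tighten, and report any
# Allow entry that still lets Users, Everyone or Authenticated Users write.
# Assumes PowerShell 2.0 (runs on Server 2003 SP2) and an administrator session.
$SystemRoot = $env:SystemRoot

# Constructed subset of the directories the article says should lose
# Users/Everyone access; extend the list as needed.
$Dirs = @(
    "Connection Wizard", "Debug\UserMode", "Driver Cache", "Help",
    "Installer", "java", "msagent", "mui", "PCHEALTH\ERRORREP\QHEADLES",
    "PCHEALTH\ERRORREP\QSIGNOFF", "Registration\CRMLog", "repair",
    "Resources", "TAPI", "twain_32", "Web", "WinSxS"
)

$LowPrivGroups = @("BUILTIN\Users", "Everyone", "NT AUTHORITY\Authenticated Users")

# Bits that let a web shell drop or alter files: WriteData/CreateFiles and
# AppendData/CreateDirectories. Write, Modify and FullControl all include them.
$WriteMask = [System.Security.AccessControl.FileSystemRights]"WriteData, AppendData"

function Get-LowPrivWriteAccess {
    param([string]$Path)
    $acl = Get-Acl -Path $Path
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne "Allow") { continue }
        if ($LowPrivGroups -notcontains $ace.IdentityReference.Value) { continue }
        # Generic rights on some inherited ACEs show up as negative numbers;
        # they are not decoded here and would need a separate check.
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
            New-Object PSObject -Property @{
                Path      = $Path
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

$findings = @()
foreach ($d in $Dirs) {
    $full = Join-Path $SystemRoot $d
    if (-not (Test-Path $full)) { continue }   # directory not present on this image
    $findings += @(Get-LowPrivWriteAccess -Path $full)
}
if ($findings.Count -eq 0) {
    "No write access for Users/Everyone/Authenticated Users on the audited directories."
} else {
    $findings | Format-Table Path, Identity, Rights, Inherited -AutoSize
}
```

Run it again after the permission changes: every remaining row is a directory a low-privilege process (such as a web shell running as the IIS worker) could still write into.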
I'm going to pause here. You can check it out when you're done.
c:\windows\#$$#%^$^@!#$%$^s#@\#$#$%$#@@@$%!! Wera (this is the Temp folder path I use). Temp must be writable, so its default path and name were modified to prevent a web shell from writing to that directory. The change takes effect after a reboot.
At this point no directory on the system disk is browsable; the only writable one is C:\WINDOWS\temp, and its default path and name have been changed to c:\windows\#$$#%^$^@!#$%$^s#@\#$#$%$#@@@$%!! Wera.
This configuration should be relatively safe.
I'll pause first to install several popular website programs. Several commonly used website programs run completely normally under these permission settings. The SQL 2000 database has not been installed, so the Easy 2006 SQL version could not be tested, but it should work normally. You can try it.
Service settings:
1. Set the Win2K screen saver. With pcAnywhere, sometimes when you go offline you forget to lock the computer; if someone cracks your pcAnywhere password, they can enter your computer directly. If you set a screen saver that automatically locks the computer after a few minutes of inactivity, this removes the possibility of entering your computer directly through pcAnywhere, and it is also a barrier against internal personnel damaging the server.
2. Turn off CD and disk AutoPlay, set in Group Policy. This prevents an intruder from crafting a malicious autorun.inf so that you run his Trojan as an administrator, achieving privilege escalation. You can view the default shares with net share. Because the Server service is not running, this is equivalent to turning off the default shares; preferably disable the Server service.
Attached are the commands to delete the default shares:
net share C$ /del
net share D$ /del
net share E$ /del
net share F$ /del
net share IPC$ /del
net share ADMIN$ /del
3. Turn off unneeded ports and services. In the network connection properties, remove unneeded protocols and services: install only the basic Internet Protocol (TCP/IP), plus the QoS Packet Scheduler because of the bandwidth-throttling service. In Advanced TCP/IP Settings > "NetBIOS setting", disable NetBIOS over TCP/IP.
Modify the 3389 remote connection port (this can also be done easily with tools)
Modify the registry:
Start > Run > regedit
Expand in sequence HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
In the right pane, set the PortNumber value to the port number you want to use. Note: enter it in decimal (example: 1989).
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
In the right pane, set the PortNumber value to the port number you want to use. Note: enter it in decimal (example: 1989).
Note: don't forget to open the new port in the Windows 2003 firewall as well.
The modification is complete. Reboot the server for the setting to take effect.
This is not changed in the demo; you can decide whether or not to modify it. With the permissions set up, my personal feeling is that changing it does not matter much.
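Added example, not from the original article: a PowerShell 2.0 script that performs the two-key PortNumber change described above, verifies both keys agree, and opens the port in the Windows Server 2003 firewall; the port 1989 is the article's example, and the netsh firewall syntax is the 2003-era one.

```powershell
# Added example (not from the original article): change the Terminal Services
# listening port on Windows Server 2003 by writing the decimal port to both
# PortNumber values the article names, checking they agree, and opening the
# port in the built-in firewall. Assumes PowerShell 2.0 and an administrator
# session; the default of 1989 mirrors the article's example port.
param([int]$NewPort = 1989)

$TsBase   = "HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server"
$PortKeys = @("$TsBase\Wds\rdpwd\Tds\tcp", "$TsBase\WinStations\RDP-Tcp")

function Get-RdpPorts {
    # Returns a hashtable: registry key -> PortNumber currently stored (decimal)
    $result = @{}
    foreach ($k in $PortKeys) {
        $result[$k] = (Get-ItemProperty -Path $k -Name PortNumber).PortNumber
    }
    return $result
}

function Set-RdpPort {
    param([int]$Port)
    if ($Port -lt 1 -or $Port -gt 65535) { throw "Port must be between 1 and 65535" }
    foreach ($k in $PortKeys) {
        # PortNumber is a REG_DWORD; regedit shows it in hex, so compare
        # decimal with decimal when checking it by hand
        Set-ItemProperty -Path $k -Name PortNumber -Value $Port -Type DWord
    }
}

$before = Get-RdpPorts
"PortNumber before the change:"
$before.GetEnumerator() | ForEach-Object { "  {0} = {1}" -f $_.Key, $_.Value }
if (@($before.Values | Select-Object -Unique).Count -gt 1) {
    Write-Warning "The two PortNumber values differ; RDP may not be listening where you expect."
}

Set-RdpPort -Port $NewPort

# Verify both keys now hold the new port before touching the firewall
$after = Get-RdpPorts
if (@($after.Values | Where-Object { $_ -ne $NewPort }).Count -ne 0) {
    throw "PortNumber was not updated in both keys"
}

# Windows Server 2003 firewall syntax (later versions use 'netsh advfirewall')
netsh firewall add portopening TCP $NewPort "Remote Desktop ($NewPort)" ENABLE

"PortNumber set to $NewPort in both keys; reboot for the change to take effect."
```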
4. Disable the Guest account
Disable the Guest account under Computer Management > Users. For extra insurance, it's a good idea to give Guest a complex password: open Notepad, enter a long string containing special characters, numbers and letters, then paste it in as the Guest user's password. I copied in a piece of text here.
If, when setting the password, you are prompted that the Workstation service has not been started, first go to Local Security Policy > Password Policy; once the password complexity setting there is disabled, the password can be changed.
5. Create a trap user
That is, create a local user named "Administrator", give it the minimum privileges, let it do nothing, and give it a super complex password of more than 10 characters. This keeps those hackers busy for a while and lets you discover their intrusion attempts.
6. Local Security Policy settings
Start Menu > Administrative Tools > Local Security Policy
A. Local Policies > Audit Policy
Audit policy change: Success, Failure
Audit logon events: Success, Failure
Audit object access: Failure
Audit process tracking: No auditing
Audit directory service access: Failure
Audit privilege use: Failure
Audit system events: Success, Failure
Audit account logon events: Success, Failure
Audit account management: Success, Failure
B. Local Policies > User Rights Assignment
Shut down the system: only the Administrators group; delete all others.
Allow log on through Terminal Services: only the Administrators and Remote Desktop Users groups; delete all others.
Run gpedit.msc > Computer Configuration > Administrative Templates > System > Display Shutdown Event Tracker: change to Disabled.
In user management, create another standby administrator account to handle special situations. On servers with Terminal Services and SQL Server installed, disable the TsInternetUser and SQLDebugger accounts.
C. Local Policies > Security Options
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: delete all
Network access: Named Pipes that can be accessed anonymously: delete all
Network access: Remotely accessible registry paths: delete all
Network access: Remotely accessible registry paths and sub-paths: delete all
Accounts: Rename guest account: rename it
Accounts: Rename administrator account: rename it
7. Prohibit the generation of dump files
Dump files are a useful resource for finding problems when the system crashes or blue-screens, but they can also provide hackers with sensitive information, such as the passwords of some applications. Control Panel > System Properties > Advanced > Startup and Recovery: change "Write debugging information" to "(none)".
Close Dr. Watson
Enter "drwtsn32" in Start > Run, or go to Start > Programs > Accessories > System Tools > System Information > Tools > Dr Watson, to bring up the Dr. Watson dialog. Keep only the "Dump all thread contexts" option; otherwise, when a program goes wrong, the hard drive is read for a long time and a lot of disk space is used. If this has already happened, find the user.dmp file; deleting it frees dozens of MB of space.
Running drwtsn32 -i at the command line can directly turn off Dr. Watson; the average user has no use for it.
8. Disable unnecessary services: Start > Run > services.msc
TCP/IP NetBIOS Helper: provides support for NetBIOS over TCP/IP and NetBIOS name resolution for clients, so that users can share files, print, and log on to the network
Server: supports file, print, and named-pipe sharing from this computer over the network
Computer Browser: maintains an up-to-date list of computers on the network and supplies this list
Task Scheduler: allows a program to run at a specified time
Messenger: transports net send and Alerter service messages between clients and servers
Distributed File System: manages shared files on the LAN; no need to disable
Distributed Link Tracking Client: updates link information on the LAN; no need to disable
Error Reporting Service: disable, to stop sending error reports
Microsoft Search: provides fast word searching; disabling is recommended. *** Once the *.msc files have been moved it cannot be used and the system reports an error after booting; disabling it has no ill effect
NTLM Security Support Provider: used by the Telnet service and Microsoft Search; no need to disable
Print Spooler: disable if there are no printers
Remote Registry: disable, to prevent the registry from being modified remotely
Remote Desktop Help Session Manager: no Remote Assistance
Workstation: if it is stopped, the remote net command cannot list user groups
These are the services started by default on Windows Server 2003 that are disabled here; services that are disabled by default are not started unless specifically needed.
Look at which services I have left running; you can refer to them when configuring. If a service that should not be disabled is disabled, there may be errors in the Event Viewer.
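Added example serving both the default-share commands in item 2 and the service list above (not code from the original article): a PowerShell 2.0 audit that reports the startup type of the services named here and the shares currently offered, since the C$/ADMIN$/IPC$ shares reappear whenever the Server service runs; the service short names are assumptions matched to their display names.

```powershell
# Added example (not from the original article): report the startup type and
# state of the services the article says to disable on Windows Server 2003, and
# list the shares currently offered, since the default shares (C$, ADMIN$, IPC$)
# come back when the Server service is running. Assumes PowerShell 2.0 and an
# administrator session; the service list below is built from the article.
$ServicesToDisable = @(
    "lmhosts",        # TCP/IP NetBIOS Helper
    "lanmanserver",   # Server (file/print sharing, default shares)
    "Browser",        # Computer Browser
    "Schedule",       # Task Scheduler
    "Messenger",      # Messenger (net send)
    "ERSvc",          # Error Reporting Service
    "RemoteRegistry", # Remote Registry
    "RDSessMgr",      # Remote Desktop Help Session Manager
    "Spooler"         # Print Spooler (only if no printers are attached)
)

function Get-ServiceHardeningState {
    $rows = @()
    foreach ($name in $ServicesToDisable) {
        $svc = Get-WmiObject -Class Win32_Service -Filter "Name='$name'"
        if ($svc -eq $null) { continue }   # not installed on this host
        $rows += New-Object PSObject -Property @{
            Name        = $svc.Name
            DisplayName = $svc.DisplayName
            StartMode   = $svc.StartMode    # Auto / Manual / Disabled
            State       = $svc.State        # Running / Stopped
            Compliant   = ($svc.StartMode -eq "Disabled" -and $svc.State -eq "Stopped")
        }
    }
    return $rows
}

function Get-AdminShares {
    # Hidden administrative shares end in '$'; Win32_Share Type 2147483648
    # (0x80000000) marks the disk-drive admin shares such as C$ and ADMIN$
    Get-WmiObject -Class Win32_Share |
        Where-Object { $_.Name -like '*$' } |
        Select-Object Name, Path, Type
}

"Service startup state:"
Get-ServiceHardeningState | Format-Table Name, StartMode, State, Compliant -AutoSize

"Administrative shares currently offered (empty if the Server service is stopped):"
Get-AdminShares | Format-Table -AutoSize
```

A share listed as present after running the net share /del commands means the Server service is still running and recreated it at startup.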
9. Set IP filtering and open only the ports you need to use. This prevents other people's Trojans from connecting, because any network program that communicates with your server must go through a port. To view the ports open on this machine, use the netstat -na command. Here we have opened 1989, 1433 (SQL Server), 5631 (pcAnywhere) and the IP6 ports, so that after this setup the typical backdoor will not be able to connect to this machine. Note that a reboot is required for this to take effect.
Common services and their ports:
IIS: 80
FTP: 21 (if enabled, FTP clients must turn off PASV mode to connect)
SMTP: 25
POP3: 110
MS SQL: 1433
MySQL: 3306
pcAnywhere: 5631
Windows Remote Desktop client: 3389
10. Modify the relevant registry settings. My personal feeling is that the effect is not great; I did not modify them. For reference only:
A. Prevent SYN flood attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value named SynAttackProtect, with a value of 2
New EnablePMTUDiscovery REG_DWORD 0
New NoNameReleaseOnDemand REG_DWORD 1
New EnableDeadGWDetect REG_DWORD 0
New KeepAliveTime REG_DWORD 300000
New PerformRouterDiscovery REG_DWORD 0
New EnableICMPRedirects REG_DWORD 0
Prohibit responding to ICMP router advertisement messages:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\interface
Create a new DWORD value named PerformRouterDiscovery with a value of 0
B. Prevent ICMP redirect message attacks
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Set the EnableICMPRedirects value to 0
C. Do not support the IGMP protocol
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
Create a new DWORD value named IGMPLevel with a value of 0
D. Prohibit IPC null connections:
Crackers can use the net use command to establish a null connection and then intrude; net view and nbtstat are also based on null connections, so prohibiting null connections is good.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa\RestrictAnonymous: change this value to 1.
E. Change the TTL value
Crackers can roughly guess your operating system from the TTL value in a ping reply, for example:
TTL=107 (WinNT);
TTL=108 (Win2000);
TTL=127 or 128 (Win9x);
TTL=240 or 241 (Linux);
TTL=252 (Solaris);
TTL=240 (Irix);
You can actually change it yourself: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\DefaultTTL REG_DWORD 0-0xff (0-255 decimal, default value 128); change it to a baffling number like 250.
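Added example, not from the original article: a PowerShell 2.0 script that compares the registry values in items A to E against the recommended settings and applies them when run with -Apply. It uses the documented value name EnableICMPRedirect (the article writes it with a trailing s), and DefaultTTL 250 is the article's example value.

```powershell
# Added example (not from the original article): compare the TCP/IP and LSA
# registry values the article recommends against what the machine actually has,
# and optionally apply them. Assumes PowerShell 2.0 on Windows Server 2003 and
# an administrator session. Run with -Apply to write the values; a reboot is
# needed afterwards for the Tcpip parameters to take effect.
param([switch]$Apply)

$Tcpip = "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters"
$Lsa   = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"

# Expected values, taken from the article (DefaultTTL 250 is its example).
# The documented name is EnableICMPRedirect; the article spells it with an s.
$Expected = @(
    @{ Key = $Tcpip; Name = "SynAttackProtect";       Value = 2 },
    @{ Key = $Tcpip; Name = "EnablePMTUDiscovery";    Value = 0 },
    @{ Key = $Tcpip; Name = "NoNameReleaseOnDemand";  Value = 1 },
    @{ Key = $Tcpip; Name = "EnableDeadGWDetect";     Value = 0 },
    @{ Key = $Tcpip; Name = "KeepAliveTime";          Value = 300000 },
    @{ Key = $Tcpip; Name = "PerformRouterDiscovery"; Value = 0 },
    @{ Key = $Tcpip; Name = "EnableICMPRedirect";     Value = 0 },
    @{ Key = $Tcpip; Name = "IGMPLevel";              Value = 0 },
    @{ Key = $Tcpip; Name = "DefaultTTL";             Value = 250 },
    @{ Key = $Lsa;   Name = "RestrictAnonymous";      Value = 1 }
)

function Get-RegistryDword {
    param([string]$Key, [string]$Name)
    # Returns $null when the key or the value does not exist
    if (-not (Test-Path $Key)) { return $null }
    $item = Get-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-RegistryHardening {
    # One row per expected value: current vs expected and whether they match
    foreach ($e in $Expected) {
        $current = Get-RegistryDword -Key $e.Key -Name $e.Name
        New-Object PSObject -Property @{
            Key      = $e.Key
            Name     = $e.Name
            Expected = $e.Value
            Current  = $current
            Match    = ($current -ne $null -and [int]$current -eq $e.Value)
        }
    }
}

function Set-RegistryHardening {
    foreach ($e in $Expected) {
        if (-not (Test-Path $e.Key)) { New-Item -Path $e.Key -Force | Out-Null }
        # Set-ItemProperty creates the REG_DWORD value if it is missing
        Set-ItemProperty -Path $e.Key -Name $e.Name -Value $e.Value -Type DWord
    }
}

if ($Apply) { Set-RegistryHardening }
Test-RegistryHardening | Format-Table Name, Expected, Current, Match -AutoSize
```

A Current column of blank means the value is absent, which on Windows Server 2003 leaves the built-in default (for example DefaultTTL 128) in force.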
11. Rename the system administrator account; I changed mine to "the Central People's Government". You can set other partitions or important directories on your hard disk to be accessible only to this user, so that even if an intruder has promoted himself to a member of the super admins group, he still cannot access these places. Rename the Administrators group to something else, so that even if the system has an overflow vulnerability, with net.exe removed from the system disk it is almost impossible to join the Administrators group. What's more, once the Administrators group has been renamed, "net localgroup Administrators xxx /add" will prompt that the specified local group does not exist, since the attacker does not know the group's name. So even if the net command is available, the account cannot be added.
Finally, set a very complex password for your administrator account.
Set up local user accounts, rename the Administrator and Guest accounts, disable unnecessary accounts, and preferably set up a standby admin account just in case (hint: develop the habit of looking at local user account properties to catch backdoor accounts).
12. Control Panel settings:
Change the permissions on *.cpl (Control Panel files) so that only administrators can access them.
Move all *.msc (management console files) to a fixed directory of your own, and set access to that directory so that only administrators can reach it (for example, as in item 11 above, grant this directory to the "Central People's Government" user only). That is how people get into your server. Another step is to rename or move net.exe: search for net.exe and net1.exe and set their permissions so that only administrators can access them.
Set the permissions on arp.exe, attrib.exe, cmd.exe, format.com, ftp.exe, tftp.exe, net.exe, net1.exe, netstat.exe, ping.exe, regedit.exe, regsvr32.exe, telnet.exe, xcopy.exe and at.exe so that they can be accessed only with administrator privileges (note that net1.exe is equivalent to net). When searching for these files, be careful to select the advanced options that include hidden files and folders.
13. Uninstall the Wscript.Shell object (strongly recommended). This is the command-line execution component: by uploading cmd.exe to the site directory, or directly on the server, related commands can be run through it.
Run under cmd: regsvr32 wshom.ocx /u
Uninstall the FSO object (not recommended). This is the file operation component. Virtual host providers generally leave it enabled, and some ASP programs do not run properly after it is disabled.
Run under cmd: regsvr32.exe scrrun.dll /u
Disable the Workstation service; if it is not disabled, an ASP web shell can view the system's users and services and learn all your user names.
14. IIS site settings:
1. Separate the IIS directory data from the system disk and store it in dedicated disk space.
2. Enable parent paths
3. Delete any unneeded application mappings in IIS Manager (keep the necessary ones such as .asp)
4. Redirect the HTTP 404 "Object not found" error page to a custom HTM file via URL in IIS
5. Web site permission settings (recommended)
Read: allowed
Write: not allowed
Script source access: not allowed
Directory browsing: recommended off
Log visits: recommended off
Index this resource: recommended off
Execute permissions: recommended "Scripts only"
After the above settings, the server is basically secure. Note: update system security patches often, pay attention to the latest vulnerabilities, and take the corresponding precautions. Well, if you configure the server following what Jack said above, your server's security level is at least 80 points; the typical ASP web shell and small-time hackers can be shut out. If you need further in-depth security configuration, please contact Jack at Webmaster Safety Net for help.