Windows Server 2003 Network Server Security Tips

Source: Internet
Author: User
Tags: sql injection, microsoft baseline security analyzer

I. Installing Windows Server 2003

1. Use at least two partitions, all formatted as NTFS (FAT volumes carry no file permissions at all).

2. Install the system with the network disconnected, so the machine is not exposed before it has been patched and hardened.

3. Install only the IIS components you need (for example, leave the FTP and SMTP services uninstalled). IIS is not installed by default on Windows Server 2003: in Add/Remove Windows Components select Application Server, click Details, double-click Internet Information Services (IIS), and tick only the following:

Internet Information Services Manager;

Common Files;

Background Intelligent Transfer Service (BITS) Server Extensions;

World Wide Web Service.

If the site uses FrontPage Server Extensions, also tick FrontPage 2002 Server Extensions; otherwise leave it unchecked.

4. Install SQL Server (MSSQL) and any other required software, then apply all available updates.

5. Run Microsoft Baseline Security Analyzer (MBSA) to check the security configuration of the machine and list missing patches and updates. Download address: see the links at the end of the page.

II. Setting up and managing accounts

1. Keep the number of administrator accounts to a minimum. Rename the built-in Administrator account and change its description. Passwords should mix digits, lowercase letters, uppercase letters and the shifted symbols on the number row, and should be at least 14 characters long.

2. Create a decoy account named Administrator with the fewest possible permissions (a member of no privileged group), and give it a random password of at least 20 characters. Failed logon attempts against this account are then a useful signal in the security log.

3. Disable the Guest account, change its name and description, and set a complex password. There is also a tool called delguest that can delete the Guest account outright, but I have not tried it.

4. Type gpedit.msc in Run and press Enter to open the Group Policy Editor. Under Computer Configuration - Windows Settings - Security Settings - Account Policies - Account Lockout Policy, set Account lockout threshold to 3 invalid logon attempts, Account lockout duration to 0 (the account stays locked until an administrator unlocks it), and Reset account lockout counter after to 30 minutes. Note that the built-in Administrator account is exempt from lockout even after it has been renamed; the decoy account from item 2 is not.

5. Under Security Settings - Local Policies - Security Options, set "Interactive logon: Do not display last user name" to Enabled.

6. Under Security Settings - Local Policies - User Rights Assignment, for "Access this computer from the network" keep only the Internet Guest account (IUSR_machinename) and the IIS process account (IWAM_machinename). If you run ASP.NET, also keep the ASPNET account. Removing Administrators from this right also cuts off remote administration over SMB, so decide whether you need that before applying it.

7. Create an ordinary user account for day-to-day work on the server, and use the runas command when you need to run a privileged command.

III. Network service security management

1. Disable the default administrative shares (C$, D$, ADMIN$ and similar)

Open the registry, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, create a new DWORD value in the right-hand pane named AutoShareServer and set it to 0. The shares disappear after the Server service restarts; deleting them by hand is not enough on its own, because the service recreates them at every start.

2. Unbind NetBIOS from TCP/IP

Right-click My Network Places - Properties, right-click Local Area Connection - Properties, double-click Internet Protocol (TCP/IP) - Advanced - WINS tab - Disable NetBIOS over TCP/IP. This closes the NetBIOS listeners (UDP 137/138, TCP 139); SMB is still reachable on TCP 445, so restrict that port with the firewall or IPSec (section VIII) as well.

3. Stop the services you do not need. Recommended choices:

Computer Browser: maintains the list of computers on the network; disable.

Distributed File System: manages shared files across the LAN; not needed, disable.

Distributed Link Tracking Client: tracks links to files moved across the LAN; not needed, disable.

Error Reporting Service: disable, so no error reports are sent out.

Microsoft Search: provides fast full-text word search; not needed, disable (note that SQL Server 2000 Full-Text Search depends on this service).

NT LM Security Support Provider: used by the Telnet service and Microsoft Search; not needed, disable.

Print Spooler: disable if there is no printer.

Remote Registry: disable, so the registry cannot be modified remotely.

Remote Desktop Help Session Manager: disable; it serves Remote Assistance, not Remote Desktop administration.
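The following script is an added example and is not part of the original article. It disables the services listed above by their Windows Server 2003 service names, previewing first and verifying afterwards. It assumes Windows PowerShell 2.0 (available for Server 2003 SP2 through the Windows Management Framework) is installed and that it runs as a local administrator; a service that is not installed (for example Microsoft Search on a box without SQL full-text) is skipped.

```powershell
# Added example (not from the original article): disable the services recommended above.
# Assumes Windows PowerShell 2.0 on Windows Server 2003, run as a local administrator.
# Keys are the service short names; values are the display names used in the article.
$ServicesToDisable = @{
    'Browser'        = 'Computer Browser'
    'Dfs'            = 'Distributed File System'
    'TrkWks'         = 'Distributed Link Tracking Client'
    'ERSvc'          = 'Error Reporting Service'
    'MSSearch'       = 'Microsoft Search'
    'NtLmSsp'        = 'NT LM Security Support Provider'
    'Spooler'        = 'Print Spooler'
    'RemoteRegistry' = 'Remote Registry'
    'RDSessMgr'      = 'Remote Desktop Help Session Manager'
}

function Disable-UnneededService {
    param([hashtable]$Services, [switch]$Preview)

    foreach ($name in $Services.Keys) {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        if ($svc -eq $null) {
            Write-Host ("SKIP  {0,-16} not installed" -f $name)
            continue
        }
        # Get-Service does not expose the start mode in PowerShell 2.0; WMI does.
        $startMode = (Get-WmiObject Win32_Service -Filter "Name='$name'").StartMode
        if ($Preview) {
            Write-Host ("WOULD {0,-16} status={1} startmode={2}" -f $name, $svc.Status, $startMode)
            continue
        }
        if ($svc.Status -ne 'Stopped') {
            Stop-Service -Name $name -Force -ErrorAction SilentlyContinue
        }
        Set-Service -Name $name -StartupType Disabled
        $after = Get-WmiObject Win32_Service -Filter "Name='$name'"
        Write-Host ("DONE  {0,-16} state={1} startmode={2}" -f $name, $after.State, $after.StartMode)
    }
}

# Preview first, then apply.
Disable-UnneededService -Services $ServicesToDisable -Preview
Disable-UnneededService -Services $ServicesToDisable

# Verification pass: anything from the list that is still not Disabled is reported.
Get-WmiObject Win32_Service |
    Where-Object { $ServicesToDisable.ContainsKey($_.Name) -and $_.StartMode -ne 'Disabled' } |
    Select-Object Name, State, StartMode
```

Run it once from an administrator console; the verification pass at the end should print nothing. Re-run it after service packs, which can reset start modes.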

IV. Enable an appropriate audit policy

Type gpedit.msc in Run and press Enter to open the Group Policy Editor, then go to Computer Configuration - Windows Settings - Security Settings - Local Policies - Audit Policy. When deciding what to audit, keep in mind that the more categories you audit, the more events are generated and the harder it becomes to find the serious ones; audit too little, and you will miss serious events altogether. Choose between the two according to your situation, and size the security log and its retention to match what you turn on.

The recommended items to audit are:

Audit logon events: Success, Failure

Audit account logon events: Success, Failure

Audit system events: Success, Failure

Audit policy change: Success, Failure

Audit object access: Failure

Audit directory service access: Failure

Audit privilege use: Failure
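The account settings of section II (renamed Administrator and Guest, Guest disabled, password length, lockout policy, "Do not display last user name") and the audit policy above can all be expressed in one security template and applied with secedit.exe, which is repeatable and leaves a log. The script below is an added example, not from the original article. It assumes Windows PowerShell 2.0 on Windows Server 2003 running as a local administrator; the new account names "SrvOps" and "Visitor" and the working directory are placeholders to change before use. In a template, LockoutDuration = -1 is the "0 minutes, locked until an administrator unlocks it" setting, and audit values are 1 = Success, 2 = Failure, 3 = both.

```powershell
# Added example (not from the original article): sections II and IV as a security template.
# Assumes Windows PowerShell 2.0 on Windows Server 2003, run as a local administrator.
# "SrvOps", "Visitor" and the working directory are placeholders.
$Template = @'
[Unicode]
Unicode=yes
[Version]
signature="$CHICAGO$"
Revision=1
[System Access]
NewAdministratorName = "SrvOps"
NewGuestName = "Visitor"
EnableGuestAccount = 0
MinimumPasswordLength = 14
PasswordComplexity = 1
LockoutBadCount = 3
ResetLockoutCount = 30
LockoutDuration = -1
[Event Audit]
AuditLogonEvents = 3
AuditAccountLogon = 3
AuditSystemEvents = 3
AuditPolicyChange = 3
AuditObjectAccess = 2
AuditDSAccess = 2
AuditPrivilegeUse = 2
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
'@

$Work = Join-Path $env:SystemRoot 'security\harden'      # placeholder working directory
New-Item -ItemType Directory -Path $Work -Force | Out-Null
$Inf = Join-Path $Work 'harden.inf'
$Db  = Join-Path $Work 'harden.sdb'
$Log = Join-Path $Work 'harden.log'

# Security templates are Unicode text; the [Unicode] header above says so.
$Template | Set-Content -Path $Inf -Encoding Unicode

# /overwrite gives the template a fresh database instead of merging with an older one.
# SECURITYPOLICY covers account policy, audit policy and the security options (Registry Values).
secedit /configure /db $Db /cfg $Inf /overwrite /areas SECURITYPOLICY /log $Log /quiet

# Verification: export the effective policy and show the settings we just applied.
$Export = Join-Path $Work 'current.inf'
secedit /export /cfg $Export /areas SECURITYPOLICY /quiet
Get-Content $Export |
    Select-String 'NewAdministratorName|EnableGuestAccount|LockoutBadCount|LockoutDuration|ResetLockoutCount|AuditLogonEvents|AuditAccountLogon|AuditObjectAccess|DontDisplayLastUserName'
```

The decoy Administrator account from section II item 2 and the user rights assignment from item 6 are deliberately left out of the template: the first is an ordinary account you create by hand, and the second depends on machine-specific account names and can lock you out of remote administration if written wrongly.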

V. Other security-related settings

1. Hide important files and directories

This can be done through the registry: go to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Folder\Hidden\SHOWALL, right-click CheckedValue, choose Modify, and change the value from 1 to 0. This only stops the "Show hidden files and folders" option in Explorer from taking effect. It is obscurity, not access control: hidden files are still visible from the command line and to anyone with a shell, so rely on NTFS permissions for real protection.

2. Enable the built-in firewall (Internet Connection Firewall, renamed Windows Firewall in Service Pack 1), and in its services/exceptions settings tick only Web Server (HTTP), so that port 80 is the only inbound port opened.

3. Protect against SYN flood attacks

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Create a new DWORD value named SynAttackProtect with a value of 2. (Windows Server 2003 SP1 and later enable SYN attack protection by default; check the value again after applying a service pack.)

4. Do not respond to ICMP Router Discovery (router advertisement) messages

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\Interfaces\<interface GUID> (there is one such key per network interface; set the value under each)

Create a new DWORD value named PerformRouterDiscovery with a value of 0.

5. Ignore ICMP Redirect messages (an attacker on the local network can use them to alter the host's routing table)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Set the DWORD value EnableICMPRedirect to 0 (older documents spell the name EnableICMPRedirects; Windows Server 2003 reads EnableICMPRedirect).

6. Disable IGMP (multicast group membership)

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters

Create a new DWORD value named IGMPLevel with a value of 0. This value is documented for Windows 2000; see the note at the end of this section.

7. Disable DCOM

Type dcomcnfg.exe in Run and press Enter, click Component Services under Console Root, and open the Computers folder.

For the local computer, right-click My Computer, select Properties, and open the Default Properties tab.

Clear the "Enable Distributed COM on this computer" check box. The change takes effect after a reboot. Some management tools depend on DCOM, so test remote administration afterwards and re-enable it if something you need breaks.

Note: for items 3-6 I used the Windows 2000 settings and did not test whether they work on Windows Server 2003. What I can say is that I have not noticed any side effects over a period of use.
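Because every setting in III.1, III.2 and V.3 to V.7 is a registry value, they can be audited and applied from one script, which also answers the question the note above raises: after a reboot or a service pack, re-run the audit and see which values are still in place. The script below is an added example, not from the original article. It assumes Windows PowerShell 2.0 on Windows Server 2003 running as a local administrator; the value names are Microsoft's, the registry form of disabling DCOM (EnableDCOM = "N" under HKLM\SOFTWARE\Microsoft\Ole) is the equivalent of the dcomcnfg step, and IGMPLevel is carried over from Windows 2000 exactly as the note says. Without -Apply the script only reports.

```powershell
# Added example (not from the original article): audit and optionally apply the registry
# values from III.1, III.2 and V.3-V.7. Assumes Windows PowerShell 2.0 on Windows Server 2003,
# run as a local administrator. Run without -Apply first and read the report.
param([switch]$Apply)

$Tcpip   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
$Desired = New-Object System.Collections.ArrayList

function Add-Desired($Path, $Name, $Value, $Type) {
    [void]$Desired.Add(@{ Path = $Path; Name = $Name; Value = $Value; Type = $Type })
}

Add-Desired 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'AutoShareServer' 0 'DWord'  # III.1 no C$/D$/ADMIN$
Add-Desired $Tcpip 'SynAttackProtect'   2 'DWord'    # V.3
Add-Desired $Tcpip 'EnableICMPRedirect' 0 'DWord'    # V.5 (older documents: EnableICMPRedirects)
Add-Desired $Tcpip 'IGMPLevel'          0 'DWord'    # V.6 (Windows 2000 value; see the note above)
Add-Desired 'HKLM:\SOFTWARE\Microsoft\Ole' 'EnableDCOM' 'N' 'String'   # V.7, registry form of the dcomcnfg step
# Per-interface values: one entry for every interface key.
foreach ($key in Get-ChildItem "$Tcpip\Interfaces") {
    Add-Desired $key.PSPath 'PerformRouterDiscovery' 0 'DWord'          # V.4
}
foreach ($key in Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces') {
    Add-Desired $key.PSPath 'NetbiosOptions' 2 'DWord'                  # III.2: 2 = disable NetBIOS over TCP/IP
}

function Get-RegistryValue($Path, $Name) {
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($item -eq $null) { return $null }
    return $item.$Name
}

function Test-Setting($Setting) {
    $current = Get-RegistryValue $Setting.Path $Setting.Name
    $ok = ($current -ne $null) -and ("$current" -eq "$($Setting.Value)")
    New-Object PSObject -Property @{
        Key       = ($Setting.Path -replace '^Microsoft\.PowerShell\.Core\\Registry::', '')
        Name      = $Setting.Name
        Desired   = $Setting.Value
        Current   = $current
        Compliant = $ok
    }
}

$Report = foreach ($s in $Desired) { Test-Setting $s }
$Report | Format-Table Name, Desired, Current, Compliant, Key -AutoSize

if ($Apply) {
    foreach ($s in $Desired) {
        if (-not (Test-Path $s.Path)) { New-Item -Path $s.Path -Force | Out-Null }
        # -Force creates the value or overwrites an existing one of a different type.
        New-ItemProperty -Path $s.Path -Name $s.Name -Value $s.Value -PropertyType $s.Type -Force | Out-Null
    }
    # TCP/IP, NetBT and Server-service values are read at driver/service start, DCOM at boot:
    # reboot, then run the audit again. Anything still non-compliant is listed here.
    $After = foreach ($s in $Desired) { Test-Setting $s }
    $After | Where-Object { -not $_.Compliant } | Format-Table Name, Desired, Current, Key -AutoSize
}
```

Save it as a .ps1 file, run it once without arguments to see the current state, then with -Apply, reboot, and run it again without arguments. A value that reverts after a service pack shows up as non-compliant, which is the check the note above could not make.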

VI. Configuring IIS

1. Do not use the Default Web Site; if you must, at least keep the web content directory off the system partition.

2. Delete the Inetpub directory that IIS creates by default on the system partition, after moving anything in it that you still need.

3. Delete the sample and administrative virtual directories on the system partition, such as _vti_bin, IISSamples, Scripts, IISHelp, IISAdmin and MSADC. A clean IIS 6 install creates few of these (they are typical of machines upgraded from IIS 5), but check anyway.

4. Remove unnecessary IIS extension (application) mappings.

Right-click Default Web Site → Properties → Home Directory → Configuration to open the application mappings window and remove the mappings you do not use, mainly .shtml, .shtm and .stm (server-side includes). On IIS 6 also check the Web Service Extensions node in IIS Manager, which should show as Allowed only the handlers the site actually uses (for example Active Server Pages).

5. Change the path of the IIS logs

Right-click Default Web Site → Properties → Web Site tab → tick Enable logging → Properties, and set the log file directory. Keep the logs off the system partition, on a volume where only Administrators and SYSTEM can write, and copy them off the server regularly so an intruder cannot simply delete them.

6. On Windows 2000 use IISLockdown to protect IIS 5. IIS 6.0 on Windows Server 2003 ships locked down by default, so the tool is not required there.

7. Use URLScan

URLScan is an ISAPI filter that inspects incoming HTTP requests and rejects any that look suspicious. At the time of writing the latest version is 2.5; on Windows 2000 Server you need to install version 1.0 or 2.0 first. Download address: see the links at the end of the page.

If you have no special requirements, keep the default URLScan configuration.

If you run ASP on the server and want to debug it, open the urlscan.ini file in the %windir%\system32\inetsrv\urlscan folder and add the DEBUG verb to the [AllowVerbs] section (the one used when UseAllowVerbs=1 is set in [Options]). Entries in this section are case-sensitive.

If your pages are .asp files, remove the .asp-related entries from the [DenyExtensions] section.

If your pages use non-ASCII characters (for example in URLs), set AllowHighBitCharacters=1 in the [Options] section.

After changing urlscan.ini, restart IIS for the change to take effect: type iisreset in Run.

If you run into problems after configuring it, URLScan can be removed through Add/Remove Programs.

8. Use the WIS (Web Injection Scanner) tool to scan the whole site for SQL injection vulnerabilities. A scanner only finds what it probes for, so treat a clean result as a baseline rather than proof that the site is safe.

Download address: see the links at the end of the page.

VII. Configuring SQL Server

1. The sysadmin server role should have no more than two members.

2. If SQL Server runs on the same machine as the web server, configure authentication as Windows authentication only.

3. Do not use the sa account; give it an extremely complex password, and disable it where the SQL Server version allows.

4. Remove the following extended stored procedures, using this form (run in the master database):

USE master

EXEC sp_dropextendedproc 'extended stored procedure name'

xp_cmdshell: the most direct shortcut from SQL Server into the operating system, and the first thing a SQL injection attacker reaches for; delete it. (On SQL Server 2005 and later it is disabled by default and can be kept off with sp_configure instead of being dropped.)

Extended stored procedures that access the registry; delete:

xp_regaddmultistring, xp_regdeletekey, xp_regdeletevalue, xp_regenumvalues,

xp_regread, xp_regwrite, xp_regremovemultistring

OLE Automation stored procedures; not needed, delete:

sp_OACreate, sp_OADestroy, sp_OAGetErrorInfo, sp_OAGetProperty,

sp_OAMethod, sp_OASetProperty, sp_OAStop

5. Hide the SQL Server instance and change the default port 1433

Right-click the instance, select Properties - General - Network Configuration, open the properties of the TCP/IP protocol, tick Hide SQL Server instance, and change the default port 1433 to another port. This is only obscurity: a port scan still finds the listener, so also block the port from the internet with the firewall or IPSec.
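Items 1, 2 and 4 above can be checked from the server itself without SQL Server's own client tools. The script below is an added example, not from the original article; it uses System.Data.SqlClient from PowerShell to list the sysadmin members, report the authentication mode, and show which of the listed extended stored procedures still exist, dropping them only when -Drop is given. It assumes Windows PowerShell 2.0, a Windows login that is a member of sysadmin, and the default instance "." (set -Instance for a named instance). On SQL Server 2005 and later, prefer sp_configure 'xp_cmdshell', 0 to dropping, because setup and some management features use these procedures; the -Drop switch follows the article's advice for the versions it was written for.

```powershell
# Added example (not from the original article): audit VII.1, VII.2 and VII.4 and, with -Drop,
# remove the extended stored procedures listed above. Assumes Windows PowerShell 2.0 and a
# Windows login in the sysadmin role. Instance "." is the local default instance.
param([string]$Instance = '.', [switch]$Drop)

# Exactly the procedures the article lists; the names are constants, not user input.
$DangerousXps = @(
    'xp_cmdshell',
    'xp_regaddmultistring', 'xp_regdeletekey', 'xp_regdeletevalue', 'xp_regenumvalues',
    'xp_regread', 'xp_regwrite', 'xp_regremovemultistring',
    'sp_OACreate', 'sp_OADestroy', 'sp_OAGetErrorInfo', 'sp_OAGetProperty',
    'sp_OAMethod', 'sp_OASetProperty', 'sp_OAStop'
)

function Invoke-Query($Connection, [string]$Sql) {
    # Runs one statement and returns its first result set as a DataTable (empty for EXEC without output).
    $cmd = $Connection.CreateCommand()
    $cmd.CommandText = $Sql
    $table = New-Object System.Data.DataTable
    $adapter = New-Object System.Data.SqlClient.SqlDataAdapter $cmd
    [void]$adapter.Fill($table)
    return ,$table
}

$conn = New-Object System.Data.SqlClient.SqlConnection("Server=$Instance;Database=master;Integrated Security=SSPI")
$conn.Open()
try {
    # VII.1: members of sysadmin. The article recommends at most two.
    $admins = Invoke-Query $conn "EXEC sp_helpsrvrolemember 'sysadmin'"
    Write-Host ("sysadmin members: {0}" -f $admins.Rows.Count)
    $admins | Format-Table MemberName -AutoSize

    # VII.2: 1 = Windows authentication only, 0 = mixed mode (SQL logins such as sa are usable).
    $mode = Invoke-Query $conn "SELECT CAST(SERVERPROPERTY('IsIntegratedSecurityOnly') AS int) AS WinOnly"
    Write-Host ("Windows authentication only: {0}" -f [bool]$mode.Rows[0].WinOnly)

    # VII.4: which of the listed extended procedures still exist? xtype 'X' = extended stored procedure.
    $inList  = ($DangerousXps | ForEach-Object { "'$_'" }) -join ','
    $present = Invoke-Query $conn "SELECT name FROM master..sysobjects WHERE xtype = 'X' AND name IN ($inList)"
    $names   = @($present | ForEach-Object { $_.name })
    Write-Host ("extended procedures still present: {0}" -f ($names -join ', '))

    if ($Drop) {
        foreach ($xp in $names) {
            # sp_dropextendedproc must run in master; the connection string already selects it.
            [void](Invoke-Query $conn "EXEC sp_dropextendedproc '$xp'")
            Write-Host "dropped $xp"
        }
    }
} finally {
    $conn.Close()
}
```

Run it without -Drop first and keep the output with the server's build records; a later run that shows a procedure back in the list, or a third sysadmin, is something to investigate.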

VIII. If the machine is used only as a web server and for nothing else, use IPSec filtering

1. Administrative Tools - Local Security Policy - right-click IP Security Policies - Manage IP filter lists and filter actions - open the Manage IP Filter Lists tab.

Click Add, set the name to Web Filter, click Add, enter Web server as the description, set the source address to Any IP Address, set the destination address to My IP Address, set the protocol type to TCP, set the IP protocol port to From any port and To this port: 80, click Finish, then OK.

2. Still on the Manage IP Filter Lists tab, click

Add, set the name to All inbound filter, click Add, enter All inbound filter as the description, set the source address to Any IP Address, the destination address to My IP Address, and the protocol type to Any, then click Next, Finish, and OK.

3. On the Manage Filter Actions tab, click Add, Next, enter Block as the name, Next, select Block, Next, Finish, then close the Manage IP filter lists and filter actions window.

4. Right-click IP Security Policies - Create IP Security Policy - Next - enter Packet Filter as the name - Next - clear "Activate the default response rule" - Next - Finish.

5. In the properties window of the new policy, click Add - Next - This rule does not specify a tunnel - Next - All network connections - Next - in IP Filter List select the new Web Filter - Next - in Filter Action select Permit - Next - Finish. Click Add again, select the new All inbound filter in IP Filter List - Next - select Block in Filter Action - Next - Finish - OK.

6. Right-click the new Packet Filter policy in the right-hand pane of IP Security Policies and click Assign. No restart is needed; the policy takes effect immediately. Understand what it does before assigning it: IPSec filtering is stateless and the wizard creates mirrored filters, so the All inbound / Block rule also stops every connection the server itself initiates (DNS, updates, SQL Server on another host) and all remote administration (RDP, SMB); only the more specific port-80 filter wins over it. Add Permit rules for anything else you need, and assign the policy from the console, not over a remote session.
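The same policy can be built from the command line with the netsh ipsec static context that Windows Server 2003 provides, which makes it reviewable and re-applicable. The script below is an added example, not from the original article. It assumes Windows PowerShell 2.0 and an administrator console session on the server. The netsh commands are written to a script file and run with netsh -f, which avoids quoting problems between PowerShell and netsh. It adds one rule the wizard steps do not have: a permit for RDP from a single management address, because the catch-all block rule would otherwise cut off remote administration; 192.0.2.10 is a placeholder documentation address to replace, or to remove deliberately if the server is only ever managed at the console. Filter actions are named Allow and Deny rather than Permit and Block to avoid clashing with the built-in actions of the same names.

```powershell
# Added example (not from the original article): section VIII as a netsh ipsec script.
# Assumes Windows PowerShell 2.0 on Windows Server 2003 and an administrator console session.
# 192.0.2.10 is a placeholder management host; the policy is NOT assigned unless -Assign is given.
$AdminHost = '192.0.2.10'

$NetshScript = @(
    # Filter lists. srcport=0 means any source port; mirrored=yes also matches the replies.
    'ipsec static add filterlist name="Web Filter" description="Web server"',
    'ipsec static add filter filterlist="Web Filter" srcaddr=any dstaddr=me protocol=tcp srcport=0 dstport=80 mirrored=yes description="HTTP from anywhere"',
    'ipsec static add filterlist name="Admin Filter" description="Management access"',
    ('ipsec static add filter filterlist="Admin Filter" srcaddr={0} dstaddr=me protocol=tcp srcport=0 dstport=3389 mirrored=yes description="RDP from management host"' -f $AdminHost),
    'ipsec static add filterlist name="All Inbound Filter" description="Everything else"',
    'ipsec static add filter filterlist="All Inbound Filter" srcaddr=any dstaddr=me protocol=any mirrored=yes description="Catch-all"',
    # Filter actions.
    'ipsec static add filteraction name=Allow action=permit',
    'ipsec static add filteraction name=Deny action=block',
    # The policy, without the default response rule, and one rule per filter list.
    # IPSec applies the most specific matching filter, so the port filters win over the catch-all.
    'ipsec static add policy name="Packet Filter" description="Permit HTTP, block everything else" activatedefaultrule=no assign=no',
    'ipsec static add rule name="Allow HTTP" policy="Packet Filter" filterlist="Web Filter" filteraction=Allow',
    'ipsec static add rule name="Allow management" policy="Packet Filter" filterlist="Admin Filter" filteraction=Allow',
    'ipsec static add rule name="Block everything else" policy="Packet Filter" filterlist="All Inbound Filter" filteraction=Deny'
)

function Install-PacketFilterPolicy {
    param([switch]$Assign)
    $lines = $NetshScript
    if ($Assign) {
        $lines += 'ipsec static set policy name="Packet Filter" assign=yes'
    }
    $file = Join-Path $env:TEMP 'packetfilter.netsh'
    $lines | Set-Content -Path $file -Encoding ASCII
    netsh -f $file
    # Review what was created before (or after) assigning it.
    netsh ipsec static show policy all
    netsh ipsec static show filterlist all level=verbose
}

# First create and review, from the console:   Install-PacketFilterPolicy
# Then, still at the console, assign it:       Install-PacketFilterPolicy -Assign
# To back out:  netsh ipsec static set policy name="Packet Filter" assign=no
```

The second invocation re-runs the add commands, which netsh reports as already existing and then assigns the policy; that is harmless but noisy, so on a server that already has the objects you can run only the final set policy line.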

IX. Recommendations

If you follow this article, test the server after each change; if something breaks you can undo that change immediately. If you make several changes and only then find a problem, it is hard to tell which step caused it.

X. Record the running programs and open ports while the server is in service

1. Capture or write down the current list of server processes and keep it, so that you can later check whether an unknown program has appeared.

2. Capture or write down the current list of open ports and keep it, so that you can later check whether an unknown port has been opened. If you can already attribute every open port to a process you recognise, this step can be omitted.
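A baseline is only useful if it is stored in a form that can be compared mechanically later. The script below is an added example, not from the original article: it records listening ports with their owning process and the process list, and diffs a later snapshot against the stored baseline. It assumes Windows PowerShell 2.0 on Windows Server 2003 (netstat -ano reports the owning PID there) and an administrator session; the baseline directory is an assumption, and it should be writable only by administrators, or an intruder can edit the baseline as easily as the system.

```powershell
# Added example (not from the original article): baseline and diff of listening ports and processes.
# Assumes Windows PowerShell 2.0 on Windows Server 2003, run as an administrator.
$BaselineDir = 'C:\Baseline'   # placeholder; restrict write access to Administrators

function Get-ListeningPort {
    # netstat -ano lines look like:  TCP  0.0.0.0:80  0.0.0.0:0  LISTENING  1234   (UDP lines have no state)
    # The pattern fits LISTENING TCP lines and UDP lines only; ESTABLISHED, TIME_WAIT etc. do not match it.
    $rx = '^\s*(?<proto>TCP|UDP)\s+(?<addr>\S+):(?<port>\d+)\s+\S+\s+(?:LISTENING\s+)?(?<pid>\d+)\s*$'
    foreach ($line in (netstat -ano)) {
        if ($line -match $rx) {
            $proc = Get-Process -Id ([int]$matches['pid']) -ErrorAction SilentlyContinue
            $name = '?'
            if ($proc) { $name = $proc.Name }
            New-Object PSObject -Property @{
                Proto   = $matches['proto']
                Address = $matches['addr']
                Port    = [int]$matches['port']
                PID     = [int]$matches['pid']
                Process = $name
            }
        }
    }
}

function Get-ProcessSnapshot {
    Get-Process | Select-Object Name, Id | Sort-Object Name, Id
}

function Save-Baseline {
    New-Item -ItemType Directory -Path $BaselineDir -Force | Out-Null
    Get-ListeningPort | Sort-Object Proto, Port |
        Export-Csv -Path (Join-Path $BaselineDir 'ports.csv') -NoTypeInformation
    Get-ProcessSnapshot |
        Export-Csv -Path (Join-Path $BaselineDir 'processes.csv') -NoTypeInformation
}

function Compare-Baseline {
    # Ports: compare on protocol, port and owning process name; PIDs change across reboots.
    $old = Import-Csv (Join-Path $BaselineDir 'ports.csv') |
        ForEach-Object { $_.Port = [int]$_.Port; $_ }      # CSV fields come back as strings
    $new = Get-ListeningPort
    Compare-Object $old $new -Property Proto, Port, Process |
        ForEach-Object { $_ | Add-Member NoteProperty Kind 'port' -PassThru }
    # Processes: compare on name only. "=>" marks something running now that was not in the baseline.
    $oldNames = Import-Csv (Join-Path $BaselineDir 'processes.csv') | ForEach-Object { $_.Name } | Sort-Object -Unique
    $newNames = Get-ProcessSnapshot | ForEach-Object { $_.Name } | Sort-Object -Unique
    Compare-Object $oldNames $newNames |
        ForEach-Object { $_ | Add-Member NoteProperty Kind 'process' -PassThru }
}

# Right after hardening:        Save-Baseline
# Later (e.g. scheduled task):  Compare-Baseline | Format-Table Kind, SideIndicator, Proto, Port, Process, InputObject -AutoSize
```

Empty output from Compare-Baseline means nothing changed. A new "=>" port owned by a process you do not recognise, or a "=>" process name you cannot account for, is exactly the case the section above describes; keep a copy of the baseline off the server so it can be trusted after a compromise.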
