Windows Server 2008 general settings and basic security policies


I. System and Programs

1. Screen protection and power supply

Desktop right-click --> Personalization --> Screen Saver
Screen saver: select (None)
Change power settings: select High Performance
Turn off the display: select Never, then save the changes


2. Install IIS

Administrative Tools --> Server Manager --> Add Roles --> tick Web Server (IIS)

Tick the following role services:
ASP
CGI (required for PHP)
ISAPI Extensions
ISAPI Filters
Server Side Includes (to support SSI .shtml pages)

They can also be added later:
Server Manager --> Roles --> Web Server (IIS) --> Role Services --> click Add Role Services

http://qingguo408.blog.163.com/blog/static/15662855201121893825604/
If you need to install SQL Server 2005, the following role services must be ticked:

1. Common HTTP Features
Static Content
Default Document
Directory Browsing
HTTP Redirection

2. Application Development
ASP
.NET Extensibility
ISAPI Extensions
ISAPI Filters

3. Security
Windows Authentication

4. Management Tools: IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility


Set the log directory and the output cache directory.


Add default documents:
index.asp, index.php, Default.asp, etc.

Enable Parent Paths:
ASP --> Enable Parent Paths: change False to True. (This lets scripts use ".." in include paths, so enable it only if the site actually needs it.)

Add MIME types that IIS does not know by default:
Extension  MIME type
.rmvb      application/vnd.rn-realmedia
.iso       application/octet-stream
.rar       application/octet-stream
.7z        application/octet-stream
.mkv       application/octet-stream


File upload size limit on Windows Server 2008 / IIS 7

By default the upload limit in IIS 7 is 200 KB. For uploads up to 30 MB the following is enough:
Open the ASP settings in IIS 7, expand "Limits Properties", and change the last entry, "Maximum Requesting Entity Body Limit", to the value you want, for example 2 GB (2000000000, in bytes).

For uploads larger than 30 MB, continue with these modifications:

1. Stop IIS 7.
2. Locate the file "C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml".
This file is read-only and cannot be modified even with administrator privileges. First change the file's permissions, then remove the read-only attribute:

1) Right-click the file --> Properties --> Security, select the target user, click Advanced, and change the file owner;
2) Click Edit, modify the permissions of the current user and add Write permission. The permission setting is now done.
3) Remove the read-only attribute from the file.

Open the file with Notepad, find "", and change "30000000" to the value you want (such as 2000000000), then save.
Set the read-only attribute on "C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml" again.

Start IIS 7. I uploaded 120 MB video files successfully. Note, however, that Windows Server 2008 can only upload files smaller than 2 GB.


3. Configure PHP

http://www.cnblogs.com/kaite/archive/2012/03/10/2389489.html
Unzip the PHP package into a directory, for example C:\php
Copy php.ini-development and rename the copy to php.ini.
Edit php.ini, search for the following directives and set them to the appropriate values:

extension_dir = "C:\php\ext"
;date.timezone =    (uncomment and change to)    date.timezone = Asia/Shanghai

If date.timezone is not set, opening a page may return a 500 error.

Extensions:
extension=php_mbstring.dll
extension=php_gd2.dll
extension=php_mysql.dll
extension=php_mysqli.dll    (used by phpMyAdmin)

PHP 5.3 and later run under IIS 7 in FastCGI mode, which requires a handler mapping in IIS:
Handler Mappings --> Add Module Mapping:

Request path: *.php
Module: FastCgiModule
Executable: C:\php\php-cgi.exe
Name: php_vis_fastcgi

Add index.php to the Default Document list.

Grant the Users group Read and Execute permission on the PHP directory.

PHP test page:
<?php
phpinfo();
?>

Newer Windows builds of PHP automatically write detailed error information to the Windows Temp directory when an error occurs, in a file named php-errors.log. On Windows 2003 the path is usually C:\WINDOWS\Temp\php-errors.log. Open this file with Notepad to see the detailed PHP error record.

HTTP Error 500.0 - Internal Server Error
An unknown FastCGI error occurred

The main cause of this error is that the VC9 runtime is not installed: the VC9 builds of PHP are compiled with Visual C++ 2008 and need its redistributable.

Microsoft Visual C++ Redistributable Package (x86):
http://www.microsoft.com/downloads/details.aspx?FamilyID=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF&displaylang=zh-cn
Microsoft Visual C++ Redistributable Package (x64):
http://www.microsoft.com/downloads/zh-cn/resultsForProduct.aspx?displaylang=zh&ProductID= 23947d52-b2bc-4e88-8c51-e81dc2905b0d

If the error still occurs after installing the VC9 runtime, the cause is usually that the PHP installation directory does not grant the IIS_IUSRS group Read and Execute permission.
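The IIS and PHP steps of sections 2 and 3 (role services, MIME types, default documents, parent paths, the ASP request limit and the FastCGI handler) can be applied from the command line instead of the IIS Manager GUI. The script below is an added example, not code from the original article; it assumes PHP is unzipped to C:\php as the article does, that it runs in an elevated PowerShell on Windows Server 2008, and that the handler name php_vis_fastcgi is the one chosen above.

```powershell
# Added example (not from the original article): configure IIS 7 for the article's
# ASP/PHP setup with ServerManagerCmd.exe and appcmd.exe. Assumes PHP lives in C:\php.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"
$phpDir = 'C:\php'

# Role services from section 2 (ServerManagerCmd installs one feature id per call)
foreach ($id in 'Web-Server', 'Web-ASP', 'Web-CGI', 'Web-ISAPI-Ext', 'Web-ISAPI-Filter',
                'Web-Includes', 'Web-Net-Ext', 'Web-Windows-Auth', 'Web-Metabase', 'Web-WMI') {
    ServerManagerCmd.exe -install $id
}

# MIME types the article adds (server-wide staticContent section)
$mime = @{ '.rmvb' = 'application/vnd.rn-realmedia'; '.iso' = 'application/octet-stream'
           '.rar'  = 'application/octet-stream';      '.7z'  = 'application/octet-stream'
           '.mkv'  = 'application/octet-stream' }
foreach ($ext in $mime.Keys) {
    & $appcmd set config /section:staticContent "/+[fileExtension='$ext',mimeType='$($mime[$ext])']"
}

# Default documents
foreach ($doc in 'index.asp', 'index.php', 'Default.asp') {
    & $appcmd set config /section:defaultDocument "/+files.[value='$doc']"
}

# ASP: Enable Parent Paths and the 2 GB "Maximum Requesting Entity Body Limit"
& $appcmd set config /section:asp /enableParentPaths:true
& $appcmd set config /section:asp /limits.maxRequestEntityAllowed:2000000000

# PHP via FastCGI: register php-cgi.exe, then map *.php to it (section 3 handler mapping)
& $appcmd set config /section:system.webServer/fastCgi "/+[fullPath='$phpDir\php-cgi.exe']"
& $appcmd set config /section:system.webServer/handlers "/+[name='php_vis_fastcgi',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='$phpDir\php-cgi.exe',resourceType='Either']"

# The IIS worker identity needs Read & Execute on the PHP directory, or FastCGI fails with 500
icacls $phpDir /grant 'IIS_IUSRS:(OI)(CI)RX'

# Verify the handler mapping is in applicationHost.config
& $appcmd list config /section:system.webServer/handlers | Select-String 'php_vis_fastcgi'
```

appcmd reports an error (and continues) for any MIME type or default document that already exists, which is harmless.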


4. MySQL 5 Installation
Http://faq.comsenz.com/usersguide/discuz


II. System Security Configuration

1. Directory Permissions

On every partition other than the system partition, grant Full Control only to Administrators and SYSTEM, then set separate permissions on the subdirectories below it.



2. Remote connection
My Computer --> Properties --> Remote settings --> Remote --> Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)

Alternatively choose "Allow connections from computers running any version of Remote Desktop (less secure)". Note: this is convenient when the server is managed from several versions of Windows.


http://apps.hi.baidu.com/share/detail/16610280

Compared with 2003, Remote Desktop Connection on Windows Server 2008 introduced Network Level Authentication (NLA). XP SP3 does not support NLA out of the box; Vista and Windows 7 do.

However, a registry change on the XP system lets XP SP3 support Network Level Authentication:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

In the right-hand pane, double-click "Security Packages" and add "tspkg".

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders

In the right-hand pane, double-click SecurityProviders and add credssp.dll. When adding this value, be sure to put a comma after the existing value, and make sure it is an ASCII comma (English input mode), not a full-width one.

Then restart the XP system. Checking again shows that XP now supports Network Level Authentication.
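The two registry edits above, done from PowerShell 2.0 on the XP SP3 client, as an added example that is not part of the original article. It appends to the existing values rather than retyping them, which avoids the separator mistakes the paragraph warns about; note that "Security Packages" is a REG_MULTI_SZ (one entry per line) while SecurityProviders is a single comma-separated REG_SZ, so the two are handled differently. Run elevated on the XP machine, then reboot.

```powershell
# Added example (not from the original article): enable CredSSP/NLA support on XP SP3.
# "Security Packages" under Lsa is REG_MULTI_SZ: add "tspkg" as a new entry.
$lsa  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$pkgs = @((Get-ItemProperty -Path $lsa -Name 'Security Packages').'Security Packages')
if ($pkgs -notcontains 'tspkg') {
    Set-ItemProperty -Path $lsa -Name 'Security Packages' -Value ($pkgs + 'tspkg') -Type MultiString
}
"Security Packages: " + ((Get-ItemProperty -Path $lsa -Name 'Security Packages').'Security Packages' -join ', ')

# SecurityProviders is one REG_SZ with comma-separated DLL names: append ", credssp.dll"
$sp   = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders'
$raw  = (Get-ItemProperty -Path $sp -Name SecurityProviders).SecurityProviders
$list = @($raw -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
if ($list -notcontains 'credssp.dll') {
    Set-ItemProperty -Path $sp -Name SecurityProviders -Value (($list + 'credssp.dll') -join ', ') -Type String
}
"SecurityProviders: " + (Get-ItemProperty -Path $sp -Name SecurityProviders).SecurityProviders
```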


3. Modify the Remote Desktop port

To change the remote connection port, convert the decimal port number to hexadecimal with the Windows calculator. Here port 3389 is changed to 8208 (hex 2010); the change takes effect after a reboot.

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp]
"PortNumber"=dword:00002010

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp]
"PortNumber"=dword:00002010


1. Open Start --> Run, type regedit and press Enter to open Registry Editor, then go to the following key to change the port:
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
3. On the right, find "PortNumber" and switch to decimal display; the default is 3389, change it to (for example) port 6666
4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
5. On the right, find "PortNumber" and switch to decimal display; the default is 3389, change it to the same port as above
6. Control Panel --> Windows Firewall --> Advanced settings --> Inbound Rules --> New Rule
7. Select Port; under Protocol and Ports choose TCP, Specific local ports: the same port as above
8. Next, select Allow the connection
9. Next, select Public
10. Next, Name: Remote Desktop - New (TCP-In); Description: Inbound rule for the Remote Desktop service to allow RDP traffic [TCP, same port as above]
11. Remove the existing Remote Desktop (TCP-In) rule
12. Restart the computer
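The twelve steps above, scripted, as an added example that is not part of the original article. It writes the same PortNumber value to both registry keys, checks that the two agree (a mismatch leaves the listener and the session settings out of step), and replaces the built-in firewall rule with one for the new port. It assumes the port 8208 (0x2010) used in the article's .reg snippet, the rule names shown in the steps, and an elevated PowerShell on Windows Server 2008.

```powershell
# Added example (not from the original article): move RDP from 3389 to a new port.
$newPort = 8208   # decimal; stored in the registry as DWORD 0x00002010
$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'
)
foreach ($k in $keys) {
    Set-ItemProperty -Path $k -Name PortNumber -Value $newPort -Type DWord
}

# Both keys must hold the same value (steps 3 and 5); abort before touching the firewall if not
$ports = foreach ($k in $keys) { (Get-ItemProperty -Path $k -Name PortNumber).PortNumber }
if (@($ports | Select-Object -Unique).Count -ne 1) { throw "PortNumber mismatch: $ports" }
'PortNumber is {0} (0x{0:X8}) in both keys' -f $ports[0]

# Steps 6 to 11: allow the new port on the Public profile, then drop the rule for 3389
netsh advfirewall firewall add rule name="Remote Desktop - New (TCP-In)" dir=in action=allow protocol=TCP localport=$newPort profile=public description="Inbound rule for the Remote Desktop service on the new port"
netsh advfirewall firewall delete rule name="Remote Desktop (TCP-In)"

# Step 12: reboot. Afterwards confirm the listener moved before closing the old session:
#   netstat -ano | findstr ":8208"
```

Keep the existing RDP session open until a second connection on the new port succeeds, so a typo in the port or the rule does not lock you out.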


4. Configure the Local Area Connection

Network --> Properties --> Manage Network Connections --> Local Area Connection

Open the Local Area Connection window and choose Properties. Select "Client for Microsoft Networks", click "Uninstall", and confirm with "Yes" in the dialog. Then select "File and Printer Sharing for Microsoft Networks", click "Uninstall", and confirm with "Yes".


Unbind port 139 (NetBIOS over TCP/IP)

Open the Local Area Connection window, choose Properties, double-click Internet Protocol Version 4 (TCP/IPv4), click Properties, then Advanced --> WINS, select "Disable NetBIOS over TCP/IP", click OK and close the Local Area Connection properties.


Disable the default shares
Click Start --> Run, type regedit to open Registry Editor, and go to the key "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters". In the right-hand pane create a new DWORD value named AutoShareServer and set it to 0.


Turn off port 445

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters

Create a new DWORD (32-bit) value named SMBDeviceEnabled and set it to 0.
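The three changes of this section (NetBIOS over TCP/IP off, no default shares, no SMB on 445) applied from PowerShell, with a check that ports 139 and 445 have actually stopped listening after the reboot. This is an added example, not code from the original article; it assumes an elevated PowerShell on Windows Server 2008 and that every IP-enabled adapter should lose NetBIOS.

```powershell
# Added example (not from the original article): section 4 registry changes plus a check.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$netbt  = 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters'

# Disable NetBIOS over TCP/IP on every IP-enabled adapter (the WINS tab setting; 2 = disable)
Get-WmiObject Win32_NetworkAdapterConfiguration -Filter "IPEnabled='TRUE'" |
    ForEach-Object { $_.SetTcpipNetbios(2) | Out-Null }

# Stop the Server service from re-creating C$, ADMIN$ and similar shares at start-up
Set-ItemProperty -Path $lanman -Name AutoShareServer  -Value 0 -Type DWord
# Stop the SMB device from binding directly to TCP 445
Set-ItemProperty -Path $netbt  -Name SMBDeviceEnabled -Value 0 -Type DWord

function Test-ListeningPort([int]$port) {
    # Parses "netstat -an"; $true if any address (IPv4 or IPv6) is in LISTENING state on $port
    $lines = netstat -an | Select-String "TCP\s+\S+:$port\s+\S+\s+LISTENING"
    return [bool]$lines
}

# Run again after the reboot: both lines should read "listening = False"
foreach ($p in 139, 445) { '{0}: listening = {1}' -f $p, (Test-ListeningPort $p) }
# and no C$ / ADMIN$ entries should remain in
net share
```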


5. Sharing and Discovery

Right-click Network --> Properties --> Network and Sharing Center --> Sharing and Discovery

Turn off:
Network discovery
File sharing
Public folder sharing
Printer sharing

Show me all the files and folders I am sharing
Show me all the shared network folders on this computer


6. Use the firewall to restrict ping
After checking online: ping is still needed frequently.


7. Firewall settings
Control Panel --> Windows Firewall --> Change settings --> Exceptions: tick FTP, HTTP, Remote Desktop Services and Core Networking
HTTPS: leave unticked if it is not used
3306: MySQL
1433: MSSQL


8. Disable unneeded and dangerous services; the services in the following list need to be disabled.

Control Panel --> Administrative Tools --> Services

Distributed Link Tracking Client: maintains links to files moved around the LAN
Print Spooler: print service
Remote Registry: remote modification of the registry
Server: file, print and named-pipe sharing over the network
TCP/IP NetBIOS Helper: support for NetBIOS over TCP/IP (NetBT) and NetBIOS name resolution for clients on the network

Workstation: leaks the list of system user names; related to the Terminal Services configuration

Computer Browser: maintains the list of computers on the network (disabled by default)
Net Logon: domain controller secure-channel management (set to Manual by default)
Remote Procedure Call (RPC) Locator: rpcns* remote procedure calls (set to Manual by default)

Delete a service:
sc delete MYSQL
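The service list above, applied by short service name and then verified, as an added example that is not part of the original article. It assumes an elevated PowerShell on Windows Server 2008 and the standard short names for these services (TrkWks, Spooler, RemoteRegistry, LanmanServer, lmhosts, LanmanWorkstation, Browser, Netlogon, RpcLocator). Disabling Server and Workstation removes SMB sharing and breaks remote administration tools that rely on it, so confirm that Remote Desktop still works before running this.

```powershell
# Added example (not from the original article): stop and disable the section 8 services.
$services = @{
    'TrkWks'            = 'Distributed Link Tracking Client'
    'Spooler'           = 'Print Spooler'
    'RemoteRegistry'    = 'Remote Registry'
    'LanmanServer'      = 'Server'
    'lmhosts'           = 'TCP/IP NetBIOS Helper'
    'LanmanWorkstation' = 'Workstation'
    'Browser'           = 'Computer Browser'
    'Netlogon'          = 'Net Logon'
    'RpcLocator'        = 'Remote Procedure Call (RPC) Locator'
}

foreach ($name in $services.Keys) {
    $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
    if (-not $svc) { "$name ($($services[$name])) is not installed, skipping"; continue }
    # -Force also stops dependent services (e.g. Computer Browser depends on Server)
    if ($svc.Status -eq 'Running') { Stop-Service -Name $name -Force }
    Set-Service -Name $name -StartupType Disabled
}

# Verify: StartMode comes from WMI because Get-Service on PowerShell 2.0 does not expose it
Get-WmiObject Win32_Service | Where-Object { $services.ContainsKey($_.Name) } |
    Select-Object Name, State, StartMode | Format-Table -AutoSize
```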


9. Security Settings --> Local Policies --> Security Options

Type gpedit.msc in Run and press Enter to open the Group Policy Editor, then select Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options


Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled (already enabled by default)
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of passwords and credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: delete all entries
Network access: Named Pipes that can be accessed anonymously: delete all entries
Network access: Remotely accessible registry paths: delete all entries
Network access: Remotely accessible registry paths and sub-paths: delete all entries
Accounts: Rename guest account: change the Guest account name here
Accounts: Rename administrator account: change the Administrator account name here

(Emptying the remotely accessible registry path and named pipe lists can break remote management tools that depend on them, so test remote administration afterwards.)


10. Security Settings --> Account Policies --> Account Lockout Policy
Type gpedit.msc in Run and press Enter to open the Group Policy Editor, then select Computer Configuration --> Windows Settings --> Security Settings --> Account Policies --> Account Lockout Policy. Set "Account lockout threshold" to 3 invalid logon attempts, "Account lockout duration" to 30 minutes, and "Reset account lockout counter after" to 30 minutes.
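Sections 9 and 10 set through the command line and then audited, as an added example that is not part of the original article. The lockout values are applied with "net accounts"; the security options are checked through the registry values that back them (DontDisplayLastUserName, RestrictAnonymousSAM, RestrictAnonymous, DisableDomainCreds, NullSessionShares, NullSessionPipes and the winreg AllowedPaths lists), which lets you confirm the policy actually took effect. It assumes an elevated PowerShell on Windows Server 2008.

```powershell
# Added example (not from the original article): apply the lockout policy, audit the options.
net accounts /lockoutthreshold:3 /lockoutduration:30 /lockoutwindow:30

$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$checks = @(
    @{ Policy = 'Interactive logon: Do not display last user name'; Want = 1
       Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'; Name = 'DontDisplayLastUserName' },
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts'; Want = 1
       Path = $lsa; Name = 'RestrictAnonymousSAM' },
    @{ Policy = 'Network access: Do not allow anonymous enumeration of SAM accounts and shares'; Want = 1
       Path = $lsa; Name = 'RestrictAnonymous' },
    @{ Policy = 'Network access: Do not allow storage of passwords and credentials'; Want = 1
       Path = $lsa; Name = 'DisableDomainCreds' }
)

function Test-SecurityOption($check) {
    # Returns the policy name, the value found in the registry, and whether it matches the target
    $item = Get-ItemProperty -Path $check.Path -Name $check.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($check.Name) } else { '(not set)' }
    New-Object PSObject -Property @{ Policy = $check.Policy; Actual = $actual; OK = ($actual -eq $check.Want) }
}
$checks | ForEach-Object { Test-SecurityOption $_ } | Format-Table OK, Actual, Policy -AutoSize

# The "accessed anonymously" and "remotely accessible registry path" lists are multi-string
# values; the article wants all four empty
$lists = @(
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'NullSessionShares'),
    @('HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters', 'NullSessionPipes'),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedPaths', 'Machine'),
    @('HKLM:\SYSTEM\CurrentControlSet\Control\SecurePipeServers\winreg\AllowedExactPaths', 'Machine')
)
foreach ($l in $lists) {
    $v = (Get-ItemProperty -Path $l[0] -Name $l[1] -ErrorAction SilentlyContinue).($l[1])
    '{0} ({1}): {2}' -f $l[1], $l[0], $(if ($v) { $v -join ', ' } else { '(empty)' })
}

net accounts   # echoes the lockout settings back for confirmation
```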


11. Local Security Settings
Select Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment
Shut down the system: Administrators group only; remove all others.
Deny log on through Terminal Services: add the Guests group, IUSR_*****, IWAM_*****, NETWORK SERVICE, SQLDebugger
Allow log on through Terminal Services: Administrators and Remote Desktop Users groups; remove all others


12. Rename the Administrator and Guest accounts and create a new decoy "Administrator" account with no rights.
Administrative Tools --> Computer Management --> System Tools --> Local Users and Groups --> Users
Create a new account named Administrator as a trap account, set an extra-long password, and remove it from all groups.
Change its description to: Built-in account for administering the computer/domain


13. Password Policy
Select Computer Configuration --> Windows Settings --> Security Settings --> Account Policies --> Password Policy
Enable "Password must meet complexity requirements"
Set "Minimum password length"

14. Disable DCOM (the "Blaster" worm RPC/DCOM vulnerability)
Run dcomcnfg.exe. Console Root --> Component Services --> Computers --> right-click My Computer --> Properties --> Default Properties tab --> clear the "Enable Distributed COM on this computer" check box. (Software that depends on DCOM, such as remote WMI, stops working afterwards, so test before applying this on a production server.)


15. ASP Vulnerabilities

This mainly means unregistering the Wscript.Shell and Shell.Application components; decide whether to remove them according to whether they are needed. (Note that shell32.dll is also used by Windows Explorer itself, so unregistering or deleting it breaks the desktop shell; the rename or the Guests ACL approach below is the safer choice.)

regsvr32 /u C:\WINDOWS\System32\wshom.ocx
regsvr32 /u C:\WINDOWS\system32\shell32.dll

Deleting may fail for lack of permissions:
del C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\system32\shell32.dll

If you really need to keep using them, you can rename them instead.

Wscript.Shell can call the system to run basic DOS commands.
Renaming this component in the registry prevents such trojans from abusing it:
HKEY_CLASSES_ROOT\Wscript.Shell\ and HKEY_CLASSES_ROOT\Wscript.Shell.1\
Rename them to a different name, such as Wscript.Shell_ChangeName and Wscript.Shell.1_ChangeName.
Your own code can then call the component under the new name.
Also change the CLSID value:
the default value under HKEY_CLASSES_ROOT\Wscript.Shell\CLSID\
the default value under HKEY_CLASSES_ROOT\Wscript.Shell.1\CLSID\
These can also be deleted to prevent such trojans.

Shell.Application can call the system to run basic DOS commands.
Renaming this component in the registry prevents such trojans from abusing it:
HKEY_CLASSES_ROOT\Shell.Application\
and
HKEY_CLASSES_ROOT\Shell.Application.1\
Rename them to a different name, such as Shell.Application_ChangeName and Shell.Application.1_ChangeName.
Your own code can then call the component under the new name.
Also change the CLSID value:
the default value under HKEY_CLASSES_ROOT\Shell.Application\CLSID\
the default value under HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\
These can also be deleted to prevent such trojans.

Prevent Guest users from using shell32.dll so that this component cannot be called:

On Windows 2000: cacls c:\winnt\system32\shell32.dll /e /d Guests
On Windows 2003: cacls c:\windows\system32\shell32.dll /e /d Guests

Disable the FileSystemObject component. FSO is a very widely used component, so decide carefully whether to unregister it. If it is renamed, programs that call it must be changed, e.g. Set FSO = Server.CreateObject("Scripting.FileSystemObject").

FileSystemObject is used for ordinary file operations. You can rename the component in the registry to prevent such trojans:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\
Rename it to another name, such as FileSystemObject_ChangeName.
Your own code can then call the component under the new name.
Also change the CLSID value:
the default value under HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\
It can also be deleted to prevent such trojans.

On Windows 2000, unregister the component with: regsvr32 /u C:\WINNT\system32\scrrun.dll
On Windows 2003, unregister the component with: regsvr32 /u C:\WINDOWS\system32\scrrun.dll

To prevent Guest users from using scrrun.dll so that the component cannot be called:
cacls c:\winnt\system32\scrrun.dll /e /d Guests
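After renaming or unregistering the components in this section, the useful check is whether the original ProgIDs still resolve and whether the Guests deny entries set with cacls are really on the files. The read-only audit below is an added example, not code from the original article; it assumes Windows Server 2008 paths under %windir%\System32 and that creating a COM instance of each ProgID (which the audit does to test resolvability) is acceptable on the server.

```powershell
# Added example (not from the original article): audit the section 15 components.
$progIds = 'WScript.Shell', 'WScript.Shell.1', 'Shell.Application', 'Shell.Application.1',
           'Scripting.FileSystemObject'

foreach ($id in $progIds) {
    # A renamed or deleted ProgID has no HKCR key and cannot be instantiated from script
    $inRegistry = Test-Path "Registry::HKEY_CLASSES_ROOT\$id"
    $creatable  = $false
    try { $null = New-Object -ComObject $id -ErrorAction Stop; $creatable = $true } catch { }
    '{0,-28} registry key: {1,-5} creatable from script: {2}' -f $id, $inRegistry, $creatable
}

# Files the article restricts with "cacls ... /e /d Guests": report whether the deny ACE exists
$files = "$env:windir\System32\wshom.ocx", "$env:windir\System32\scrrun.dll",
         "$env:windir\System32\shell32.dll"
foreach ($f in $files) {
    $deny = (Get-Acl $f).Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -like '*Guests'
    }
    '{0}: Guests deny entry present = {1}' -f $f, [bool]$deny
}
```

A web shell that uses the old ProgID fails at CreateObject once "creatable from script" is False, while code updated to the renamed ProgID keeps working.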


16. Turn on UAC

Control Panel --> User Accounts --> Turn User Account Control on or off


17. Program Permissions

Restrict permissions on the following programs: net.exe, net1.exe, cmd.exe, tftp.exe, netstat.exe, regedit.exe, at.exe, attrib.exe, cacls.exe, format.com, c.exe

Or completely prohibit execution of the above commands:
gpedit.msc --> User Configuration --> Administrative Templates --> System
Enable "Prevent access to the command prompt", and also disable command prompt script processing
Enable "Prevent access to registry editing tools"
Enable "Don't run specified Windows applications" and add the following:
At.exe attrib.exe c.exe cacls.exe cmd.exe format.com net.exe net1.exe Netstat.exe regedit.exe Tftp.exe
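The "Don't run specified Windows applications" and "Prevent access to registry editing tools" policies written directly to the registry, as an added example that is not part of the original article; this is what gpedit.msc does for the current user, so run it as the user to be restricted. Both policies are enforced by Explorer and by regedit by file name only: they do not change file permissions, and a copy of the program under another name is not blocked, which is why the article also asks for permission changes on the files.

```powershell
# Added example (not from the original article): per-user block list from section 17.
$exes = 'At.exe', 'attrib.exe', 'c.exe', 'cacls.exe', 'cmd.exe', 'format.com', 'net.exe',
        'net1.exe', 'Netstat.exe', 'regedit.exe', 'Tftp.exe'
$explorer = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer'
$system   = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\System'

foreach ($k in $explorer, "$explorer\DisallowRun", $system) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
}

# "Don't run specified Windows applications": DisallowRun=1 plus a numbered list of file names
Set-ItemProperty -Path $explorer -Name DisallowRun -Value 1 -Type DWord
$i = 1
foreach ($e in $exes) {
    Set-ItemProperty -Path "$explorer\DisallowRun" -Name $i -Value $e -Type String
    $i++
}

# "Prevent access to registry editing tools"
Set-ItemProperty -Path $system -Name DisableRegistryTools -Value 1 -Type DWord

# Show what is now blocked for this user
Get-ItemProperty -Path "$explorer\DisallowRun" | Format-List
```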

18. Serv-U security issues

Use the latest version of the installer, avoid the default installation directory, set permissions on the Serv-U directory, and set a complex administrator password. Change the Serv-U banner text and set the passive mode port range (4001-4003). In the local server settings make the relevant security settings: check anonymous passwords, disable timed scheduling, block "FTP bounce" attacks and FXP, and block for 10 minutes any user who connects more than 3 times within 30 seconds. In the domain settings: require complex passwords, use only lowercase letters for directories, and in the advanced settings disable "allow the file date to be changed with the MDTM command".

Change the account Serv-U runs as: create a new system user with a fairly complex password that belongs to no group. Give this user Full Control of the Serv-U installation directory. When setting up an FTP root directory, give this user Full Control of it, because every FTP user's uploads, deletions and changes inherit this user's permissions; otherwise files cannot be manipulated. The user also needs Read permission on the directories above the root, otherwise the connection fails with "530 Not logged in, home directory does not exist". For example, in testing the FTP root was d:\soft, so the user had to be given Read permission on drive D:, and for safety the inherited permissions on the other folders on D: were removed. Running under the default system account does not have these problems, because the system already has these permissions.

If FTP is not needed every day, turn it off and start it only when needed.
