I. System and Procedures
1. Screen saver and power supply
Desktop right-click --> Personalization --> Screen Saver
Screen saver: select None
Change power settings: select High Performance
Choose when to turn off the display: set "Turn off the display" to Never, then save changes
2. Install IIS
Administrative Tools --> Server Manager --> Add Roles --> tick Web Server (IIS)
Tick the following role services:
ASP
CGI (needed for PHP)
ISAPI Extensions
ISAPI Filters
Server Side Includes (to support SSI .shtml)
These can also be added later:
Server Manager --> Roles --> Web Server (IIS) --> Role Services --> click Add Role Services
http://qingguo408.blog.163.com/blog/static/15662855201121893825604/
If you need to install SQL 2005, the following role services must be ticked:
1. Common HTTP Features
Static Content
Default Document
Directory Browsing
HTTP Redirection
2. Application Development
ASP
.NET Extensibility
ISAPI Extensions
ISAPI Filters
3. Security
Windows Authentication
4. Management Tools: IIS 6 Management Compatibility
IIS 6 Metabase Compatibility
IIS 6 WMI Compatibility
Set the log and output cache directories.
Add default documents:
index.asp, index.php, Default.asp, etc.
Enable Parent Paths:
ASP --> Enable Parent Paths: change False to True
Add MIME types so that IIS will serve these file types:
Extension    MIME type
.rmvb        application/vnd.rn-realmedia
.iso         application/octet-stream
.rar         application/octet-stream
.7z          application/octet-stream
.mkv         application/octet-stream
File upload size limit for Win2008 / IIS7
By default, the ASP upload limit in IIS7 is 200K. When the uploaded file is smaller than 30M, the limit can be raised as follows:
Open the ASP settings in IIS7; under "Limits Properties", the last line, "Maximum Requesting Entity Body Limit", set the value to what you need, for example 2G (2000000000, unit: bytes).
When uploads larger than 30M are needed, continue with the following changes:
1. Stop IIS7.
2. Locate the file "C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml".
This file is read-only and cannot be modified even with administrator privileges. First change the file's permissions, then remove the read-only attribute:
1) Right-click the file --> Properties --> Security, select the target user, click Advanced and change the file owner;
2) Click Edit, then modify the permissions of the current user and add Write permission. The permissions are now set.
3) Remove the read-only attribute from the file.
Open the file with Notepad, find the line containing "30000000", change "30000000" to the value you want (such as 2000000000), and save.
Set the read-only attribute on "C:\Windows\System32\inetsrv\config\schema\IIS_schema.xml" again.
Start IIS7. I have uploaded 120M video files this way. Note, however, that Win2008 can only upload files smaller than 2G.
3. Configure PHP
http://www.cnblogs.com/kaite/archive/2012/03/10/2389489.html
Unzip the PHP package into a directory, e.g. C:\php
Make a copy of php.ini-development and rename the copy to php.ini.
In php.ini, search for the following settings and change them to the values shown:
extension_dir = "C:\php\ext"
;date.timezone =   change to   date.timezone = Asia/Shanghai
If date.timezone is not set, opening a web page may return a 500 error.
Extensions:
extension=php_mbstring.dll
extension=php_gd2.dll
extension=php_mysql.dll
extension=php_mysqli.dll (needed by phpMyAdmin)
PHP 5.3 or later runs in FastCGI mode; configuring IIS 7 requires adding a handler mapping in IIS:
Handler Mappings --> Add Module Mapping:
Request path: *.php
Module: FastCgiModule
Executable: C:\php\php-cgi.exe
Name: php_via_fastcgi
Add index.php as a default document under Default Document.
Give Users Read and Execute permissions on the PHP directory.
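The IIS settings above (default documents, Enable Parent Paths, the extra MIME types, the ASP and request-filtering upload limits, the PHP FastCGI handler and the permissions on the PHP directory) can be applied from an elevated PowerShell prompt with appcmd.exe, which ships with IIS 7. The script below is an added example, not part of the original page or of any IIS or PHP documentation; it assumes Windows Server 2008 with the IIS role installed, PHP unpacked at C:\php, and the page's example value of 2000000000 bytes for the limits. The IIS_schema.xml edit the page describes for uploads above 30M is deliberately not automated here.

```powershell
# Added example (not from the original page). Applies the IIS 7 / PHP settings with appcmd.exe.
# Assumptions: Windows Server 2008, elevated PowerShell, PHP unpacked at C:\php.
$appcmd = Join-Path $env:windir 'System32\inetsrv\appcmd.exe'
$phpCgi = 'C:\php\php-cgi.exe'

function Invoke-AppCmd {
    # Run appcmd with the given arguments and stop on the first failure, so a typo
    # does not leave the server half-configured.
    param([string[]]$ArgList)
    & $appcmd @ArgList
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed: $($ArgList -join ' ')" }
}

# 1. Default documents. appcmd refuses duplicates, so only add names not already in the list
#    (Default.asp is already present on a fresh IIS 7 install).
foreach ($doc in 'index.php', 'index.asp') {
    Invoke-AppCmd @('set', 'config', '/section:defaultDocument', "/+files.[value='$doc']")
}

# 2. Enable Parent Paths for classic ASP (False -> True).
Invoke-AppCmd @('set', 'config', '/section:asp', '/enableParentPaths:True')

# 3. Extra MIME types so IIS serves these downloads instead of returning 404.
$mime = @{
    '.rmvb' = 'application/vnd.rn-realmedia'
    '.iso'  = 'application/octet-stream'
    '.rar'  = 'application/octet-stream'
    '.7z'   = 'application/octet-stream'
    '.mkv'  = 'application/octet-stream'
}
foreach ($ext in $mime.Keys) {
    Invoke-AppCmd @('set', 'config', '/section:staticContent',
        "/+[fileExtension='$ext',mimeType='$($mime[$ext])']")
}

# 4. Upload limits: the ASP "Maximum Requesting Entity Body Limit" (200000 bytes by default)
#    and the request-filtering content-length limit (30000000 bytes by default).
#    2000000000 is the page's own example value.
$limitBytes = 2000000000
Invoke-AppCmd @('set', 'config', '/section:asp', "/limits.maxRequestEntityAllowed:$limitBytes")
Invoke-AppCmd @('set', 'config', '/section:requestFiltering',
    "/requestLimits.maxAllowedContentLength:$limitBytes")

# 5. PHP via FastCGI: register php-cgi.exe as a FastCGI application and map *.php to it.
Invoke-AppCmd @('set', 'config', '/section:system.webServer/fastCgi', "/+[fullPath='$phpCgi']")
Invoke-AppCmd @('set', 'config', '/section:system.webServer/handlers',
    "/+[name='php_via_fastcgi',path='*.php',verb='*',modules='FastCgiModule',scriptProcessor='$phpCgi',resourceType='Either']")

# 6. Least privilege on the PHP directory: Users get Read and Execute only, nothing more.
icacls 'C:\php' /grant 'Users:(OI)(CI)RX'
```

Each appcmd call returns a non-zero exit code when a section or value is rejected, so the script stops at the first bad setting rather than continuing silently. Re-running it fails at step 1 because the default documents already exist; remove that step or the entries before a second run.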
PHP test:
<?php
phpinfo();
?>
In newer Windows builds of PHP, when an error occurs the detailed error information is written automatically to the Windows Temp directory in a file named php-errors.log. On Windows 2003 the path is usually C:\WINDOWS\Temp\php-errors.log. Open this file with Notepad to see the detailed PHP error record.
HTTP Error 500.0 - Internal Server Error
An unknown FastCGI error occurred
The main cause of this error is that the VC9 runtime (the Visual C++ 2008 Redistributable) is not installed.
Microsoft Visual C++ Redistributable Package (x86):
http://www.microsoft.com/downloads/details.aspx?FamilyID=9B2DA534-3E03-4391-8A4D-074B9F2BC1BF&displaylang=zh-cn
Microsoft Visual C++ Redistributable Package (x64):
http://www.microsoft.com/downloads/zh-cn/resultsForProduct.aspx?displaylang=zh&ProductID= 23947d52-b2bc-4e88-8c51-e81dc2905b0d
If the error still occurs after installing the VC9 runtime, it is usually because the PHP installation directory does not grant the IIS_IUSRS user Read and Execute permissions.
4. MySQL 5 installation
http://faq.comsenz.com/usersguide/discuz
II. System Security Configuration
1. Directory permissions
On every partition except the system partition, grant Administrators and SYSTEM Full Control, then set permissions separately on the subdirectories beneath it.
2. Remote connection
My Computer --> Properties --> Remote Settings --> Remote --> "Allow connections only from computers running Remote Desktop with Network Level Authentication"
Or choose "Allow connections from computers running any version of Remote Desktop (less secure)". Note: this is convenient when the server is managed from several versions of Windows.
http://apps.hi.baidu.com/share/detail/16610280
Compared with 2003, Windows Server 2008 Remote Desktop Connection introduced Network Level Authentication (NLA). XP SP3 does not support NLA out of the box; Vista and Win7 do.
However, a registry change on XP SP3 enables Network Level Authentication support:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
In the right-hand pane, double-click Security Packages and add "tspkg".
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders
In the right-hand pane, double-click SecurityProviders and add credssp.dll; when adding this value, be sure to put a comma after the existing value, followed by a space typed in English (not full-width) input mode.
Then restart the XP system. Checking again shows that XP now supports Network Level Authentication.
3. Change the Remote Desktop service port
To change the remote connection port, convert the decimal port number to hexadecimal with the Windows Calculator. Changing port 3389 to 8208 (0x2010) takes effect after a reboot.
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\wds\rdpwd\tds\tcp]
"PortNumber"=dword:00002010
[HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\winstations\rdp-tcp]
"PortNumber"=dword:00002010
1. In Start --> Run, enter regedit to open the Registry Editor, then follow the paths below to the values to modify.
2. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
3. Find "PortNumber" on the right and display it in decimal; the default is 3389, change it to (for example) port 6666.
4. HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp
5. Find "PortNumber" on the right and display it in decimal; the default is 3389, change it to the same port as above.
6. Control Panel --> Windows Firewall --> Advanced settings --> Inbound Rules --> New Rule
7. Select Port --> Protocol and Ports --> TCP / Specific local ports: the same port as above
8. Next, select Allow the connection
9. Next, select Public
10. Next, Name: Remote Desktop - New (TCP-In); Description: Inbound rule for Remote Desktop Services to allow RDP traffic [TCP, port as above]
11. Remove the Remote Desktop (TCP-In) rule
12. Restart the computer
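Steps 1 to 11 above, as an added example script rather than anything from the original page: it writes the new PortNumber to both registry keys, creates the new firewall rule before deleting the old one, and reads both keys back so a mismatch between the listener and the session configuration is caught before the reboot. It assumes Windows Server 2008, an elevated PowerShell session, and the page's example port 8208; the rule name and description follow step 10.

```powershell
# Added example (not from the original page): change the RDP port in both registry locations,
# open it in Windows Firewall, and verify. Assumes Windows Server 2008 and an elevated session.
$newPort = 8208   # the page's example; any free port in 1024-65535 works

# Hexadecimal form, as the page converts with the Windows Calculator (8208 -> 0x2010).
$hex = '{0:X8}' -f $newPort

$keys = @(
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp',
    'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd\Tds\tcp'
)

function Set-RdpPort {
    param([int]$Port)
    foreach ($k in $keys) {
        # PortNumber already exists as REG_DWORD; Set-ItemProperty keeps that type.
        Set-ItemProperty -Path $k -Name 'PortNumber' -Value $Port
    }
}

function Get-RdpPort {
    # Returns PortNumber from each key so that a mismatch between the two is visible.
    foreach ($k in $keys) {
        (Get-ItemProperty -Path $k -Name 'PortNumber').PortNumber
    }
}

Set-RdpPort -Port $newPort

# Firewall: Server 2008 has no New-NetFirewallRule cmdlet, so use netsh advfirewall.
# The new inbound rule is created before the old one is removed, so an interrupted run
# never leaves RDP blocked at the firewall.
netsh advfirewall firewall add rule name="Remote Desktop - New (TCP-In)" `
    description="Inbound rule for Remote Desktop Services to allow RDP traffic on port $newPort" `
    dir=in action=allow protocol=TCP localport=$newPort profile=any
netsh advfirewall firewall delete rule name="Remote Desktop (TCP-In)"

# Verification: both keys must agree, otherwise the listener and session config differ.
$ports = @(Get-RdpPort)
if ($ports[0] -ne $ports[1]) { throw "PortNumber mismatch: $($ports -join ', ')" }
"RDP PortNumber is now $($ports[0]) (0x$hex); reboot, then connect to host:$newPort"
```

The page's step 9 applies the rule to the Public profile only; the example uses profile=any because a server whose connection is classified as Private or Domain would otherwise lock its administrator out after the reboot. Keep the old console or an out-of-band path available until the new port has been confirmed reachable.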
4. Configure the Local Area Connection
Network --> Properties --> Manage Network Connections --> Local Area Connection
Open the "Local Area Connection" window and select "Properties". Select "Client for Microsoft Networks", click "Uninstall", and confirm with "Yes" in the dialog. Then select "File and Printer Sharing for Microsoft Networks", click "Uninstall", and confirm with "Yes".
Unbind port 139 (NetBIOS over TCP/IP):
Open the Local Area Connection window, select Properties, double-click Internet Protocol Version 4 (TCP/IPv4) in the Properties box, click Properties, then Advanced --> WINS, select "Disable NetBIOS over TCP/IP", click OK and close the Local Area Connection properties.
Disable the default shares:
Click Start --> Run, enter regedit to open the Registry Editor, open the key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters, and in the right-hand pane create a new DWORD value named AutoShareServer with the value set to 0.
Close port 445:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters
Create a new DWORD (32-bit) value named SmbDeviceEnabled and set it to 0.
5. Sharing and Discovery
Right-click Network --> Properties --> Network and Sharing Center --> Sharing and Discovery
Turn off:
Network discovery
File sharing
Public folder sharing
Printer sharing
Show me all the files and folders I am sharing
Show me all the shared network folders on this computer
6. Use the firewall to restrict ping
Looked this up online; ping still needs to be used frequently.
7. Firewall settings
Control Panel --> Windows Firewall --> Change settings --> Exceptions: tick FTP, HTTP, Remote Desktop, Core Networking
HTTPS is not used, so it is not ticked
Port 3306: MySQL
Port 1433: MSSQL
8. Disable unneeded and dangerous services; the following services need to be disabled.
Control Panel --> Administrative Tools --> Services
Distributed Link Tracking Client: updates link information for files on the LAN
Print Spooler: print service
Remote Registry: allows the registry to be modified remotely
Server: shares files, printers and named pipes over the network
TCP/IP NetBIOS Helper: provides support for NetBIOS over TCP/IP (NetBT) and NetBIOS name resolution for clients on the network
Workstation: can leak the system user name list; associated with the Terminal Services configuration
Computer Browser: maintains the list of computers on the network; disabled by default
Net Logon: domain controller channel management; Manual by default
Remote Procedure Call (RPC) Locator: RpcNs* remote procedure calls; Manual by default
Delete a service:
sc delete MYSQL
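The registry, NetBIOS and service steps of sections 4 and 8 above, as one added example script (not from the original page): it disables NetBIOS over TCP/IP on every IP-enabled adapter, writes the AutoShareServer and SmbDeviceEnabled values, stops and disables the listed services, and provides a check to run after the reboot. It assumes Windows Server 2008 with PowerShell 2.0, an elevated session, and a stand-alone (non-domain) web server: disabling NetBIOS, port 445 and the Server, Workstation and Net Logon services also removes remote file sharing, the admin shares and domain logons, so it must not be run on a domain member. Uninstalling "Client for Microsoft Networks" (a binding change in the adapter properties) is left to the manual step.

```powershell
# Added example (not from the original page): sections 4 and 8 as an idempotent script.
# Assumptions: Windows Server 2008, PowerShell 2.0, elevated session, stand-alone server.

# 1. Disable NetBIOS over TCP/IP on every IP-enabled adapter (WINS tab -> "Disable NetBIOS").
#    SetTcpipNetbios argument: 0 = from DHCP, 1 = enable, 2 = disable.
#    ReturnValue 0 = applied, 1 = applied but a reboot is required.
function Disable-NetbiosOverTcpip {
    $nics = Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = True'
    foreach ($nic in $nics) {
        $r = $nic.SetTcpipNetbios(2)
        if (@(0, 1) -notcontains $r.ReturnValue) {
            throw "NetBIOS disable failed on $($nic.Description): code $($r.ReturnValue)"
        }
    }
}

# 2. Registry values. AutoShareServer=0 stops the C$/ADMIN$ shares being recreated when the
#    Server service starts; SmbDeviceEnabled=0 removes the direct-hosted SMB listener on TCP 445.
function Set-RegDword {
    param([string]$Path, [string]$Name, [int]$Value)
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType DWord -Force | Out-Null
}

# 3. Services the page lists as unneeded on a web server (short service names, with the
#    display names the page uses). Stop now, and disable so they stay down after reboot.
$unwantedServices = @(
    'TrkWks',            # Distributed Link Tracking Client
    'Spooler',           # Print Spooler
    'RemoteRegistry',    # Remote Registry
    'LanmanServer',      # Server
    'lmhosts',           # TCP/IP NetBIOS Helper
    'LanmanWorkstation', # Workstation
    'Browser',           # Computer Browser
    'Netlogon',          # Net Logon
    'RpcLocator'         # Remote Procedure Call (RPC) Locator
)
function Disable-UnwantedServices {
    param([string[]]$Names)
    foreach ($n in $Names) {
        $svc = Get-Service -Name $n -ErrorAction SilentlyContinue
        if ($null -eq $svc) { Write-Warning "service $n not present"; continue }
        Set-Service -Name $n -StartupType Disabled
        if ($svc.Status -ne 'Stopped') { Stop-Service -Name $n -Force -ErrorAction SilentlyContinue }
    }
}

# 4. Verification helper for after the reboot: neither 139 nor 445 should be LISTENING.
function Get-ListeningTcpPorts {
    netstat -an | ForEach-Object {
        if ($_ -match '^\s*TCP\s+\S+:(\d+)\s+\S+\s+LISTENING') { [int]$Matches[1] }
    } | Sort-Object -Unique
}

Disable-NetbiosOverTcpip
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters' 'AutoShareServer' 0
Set-RegDword 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters' 'SmbDeviceEnabled' 0
Disable-UnwantedServices -Names $unwantedServices

$stillOpen = Get-ListeningTcpPorts | Where-Object { @(139, 445) -contains $_ }
if ($stillOpen) { "ports still listening until reboot: $($stillOpen -join ', ')" }
```

Run Get-ListeningTcpPorts again after the reboot; 139 and 445 disappearing from the list is the observable result of the registry and service changes, and any other unexpected listener in that output is worth an explanation before the server is exposed.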
9. Security Settings --> Local Policies --> Security Options
In Run, enter gpedit.msc and press Enter to open the Group Policy Editor, then select Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options:
Interactive logon: Do not display last user name: Enabled
Network access: Do not allow anonymous enumeration of SAM accounts: Enabled (already enabled by default)
Network access: Do not allow anonymous enumeration of SAM accounts and shares: Enabled
Network access: Do not allow storage of credentials for network authentication: Enabled
Network access: Shares that can be accessed anonymously: delete all entries
Network access: Named Pipes that can be accessed anonymously: delete all entries
Network access: Remotely accessible registry paths: delete all entries
Network access: Remotely accessible registry paths and sub-paths: delete all entries
Accounts: Rename guest account: the Guest account can be renamed here
Accounts: Rename administrator account: the Administrator account can be renamed here
10. Security Settings --> Account Policies --> Account Lockout Policy
In Run, enter gpedit.msc and press Enter to open the Group Policy Editor, then select Computer Configuration --> Windows Settings --> Security Settings --> Account Policies --> Account Lockout Policy. Set "Account lockout threshold" to 3 invalid logon attempts, "Account lockout duration" to 30 minutes, and "Reset account lockout counter after" to 30 minutes.
11. Local Security Settings
Select Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> User Rights Assignment
Shut down the system: only the Administrators group; remove all others.
Deny log on through Terminal Services: add the Guests group, IUSR_*****, IWAM_*****, NETWORK SERVICE, SQLDebugger
Allow log on through Terminal Services: the Administrators and Remote Desktop Users groups; remove all others
12. Rename the Administrator and Guest accounts, and create a new fake administrator account without any rights.
Administrative Tools --> Computer Management --> System Tools --> Local Users and Groups --> Users
Create a new account named Administrator as a trap account, set an extra-long password, and remove it from all groups.
Change its description to: Built-in account for administering the computer/domain
13. Password Policy
Select Computer Configuration --> Windows Settings --> Security Settings --> Account Policies --> Password Policy
Password must meet complexity requirements: Enabled
Minimum password length
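Sections 9, 10, 11 and 13 above can be applied in one pass with a security template and secedit.exe instead of clicking through gpedit.msc, which also leaves an exported copy of the previous policy to roll back to. The script below is an added example, not from the original page; it assumes Windows Server 2008, an elevated session, an English-language net accounts output for the final check, and that the two placeholder account names and the minimum password length (the page gives no value; 12 is this example's choice) are replaced before it is run. The IIS 6 style IUSR_*/IWAM_* and SQLDebugger accounts from section 11 are omitted because they do not exist on a default Windows 2008 / IIS 7 install; section 12's trap account is a manual step.

```powershell
# Added example (not from the original page): sections 9, 10, 11 and 13 as a secedit template.
# Assumptions: Windows Server 2008, elevated session, placeholders below replaced first.
$newAdminName = 'PLACEHOLDER-admin-name'   # section 9: new name for the Administrator account
$newGuestName = 'PLACEHOLDER-guest-name'   # section 9: new name for the Guest account
$minPwdLength = 12                          # section 13: page gives no value; example choice
if ($newAdminName -like 'PLACEHOLDER*' -or $newGuestName -like 'PLACEHOLDER*') {
    throw 'replace the placeholder account names before running'
}

# Well-known SIDs for [Privilege Rights]; secedit wants SIDs, not display names.
$Administrators     = '*S-1-5-32-544'
$RemoteDesktopUsers = '*S-1-5-32-555'
$Guests             = '*S-1-5-32-546'
$NetworkService     = '*S-1-5-20'

# [Registry Values] type codes: 4 = REG_DWORD, 7 = REG_MULTI_SZ.
# "=7," writes an empty multi-string, which is how "delete all entries" is expressed.
$template = @"
[Unicode]
Unicode=yes
[Version]
signature="`$CHICAGO`$"
Revision=1
[System Access]
MinimumPasswordLength = $minPwdLength
PasswordComplexity = 1
LockoutBadCount = 3
LockoutDuration = 30
ResetLockoutCount = 30
NewAdministratorName = "$newAdminName"
NewGuestName = "$newGuestName"
[Registry Values]
MACHINE\Software\Microsoft\Windows\CurrentVersion\Policies\System\DontDisplayLastUserName=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymousSAM=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
MACHINE\System\CurrentControlSet\Control\Lsa\DisableDomainCreds=4,1
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionShares=7,
MACHINE\System\CurrentControlSet\Services\LanManServer\Parameters\NullSessionPipes=7,
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,
MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,
[Privilege Rights]
SeShutdownPrivilege = $Administrators
SeRemoteInteractiveLogonRight = $Administrators,$RemoteDesktopUsers
SeDenyRemoteInteractiveLogonRight = $Guests,$NetworkService
"@

$work = Join-Path $env:TEMP 'harden'
New-Item -ItemType Directory -Path $work -Force | Out-Null
$inf = Join-Path $work 'harden.inf'
$db  = Join-Path $work 'harden.sdb'
$log = Join-Path $work 'harden.log'
# secedit reads Unicode templates; the encoding matches the [Unicode] header above.
Set-Content -Path $inf -Value $template -Encoding Unicode

# Export the current policy first so the change can be reverted with the same tool.
secedit /export /cfg (Join-Path $work 'before.inf') /quiet
secedit /configure /db $db /cfg $inf /areas SECURITYPOLICY USER_RIGHTS /log $log /quiet
if ($LASTEXITCODE -ne 0) { throw "secedit failed, see $log" }

# Verification: the lockout threshold is also reported by net accounts.
function Get-LockoutThreshold {
    $out = net accounts | Out-String
    if ($out -match 'Lockout threshold:\s+(\d+)') { [int]$Matches[1] } else { 0 }
}
if ((Get-LockoutThreshold) -ne 3) { throw 'account lockout threshold was not applied' }
```

To revert, run secedit /configure against before.inf. Note that a threshold of 3 makes it cheap for anyone who can reach a logon interface to lock accounts out deliberately; the 30-minute automatic reset bounds that, and the renamed administrator account limits which names an outsider can guess.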
14. Disable DCOM (the Blaster worm's RPC/DCOM vulnerability)
Run dcomcnfg.exe. Console Root --> Component Services --> Computers --> right-click My Computer --> Properties --> Default Properties tab --> clear the "Enable Distributed COM on this computer" check box.
15. ASP vulnerabilities
This is mainly about unregistering the Wscript.Shell and Shell.Application components; whether to delete them depends on whether they are needed.
regsvr32 /u C:\WINDOWS\System32\wshom.ocx
regsvr32 /u C:\WINDOWS\system32\shell32.dll
Deleting may fail for lack of permissions:
del C:\WINDOWS\System32\wshom.ocx
del C:\WINDOWS\system32\shell32.dll
If you really need to use them, you can rename them instead.
Wscript.Shell can call the system kernel to run basic DOS commands.
You can rename this component in the registry to prevent damage from this kind of Trojan:
HKEY_CLASSES_ROOT\Wscript.Shell\ and HKEY_CLASSES_ROOT\Wscript.Shell.1\
Rename them to something else, for example Wscript.Shell_ChangeName and Wscript.Shell.1_ChangeName.
The component can then still be called normally using the new name.
Also change the CLSID value:
HKEY_CLASSES_ROOT\Wscript.Shell\CLSID\ default value
HKEY_CLASSES_ROOT\Wscript.Shell.1\CLSID\ default value
It can also be removed to prevent harm from this kind of Trojan.
Shell.Application can call the system kernel to run basic DOS commands.
You can rename this component in the registry to prevent damage from this kind of Trojan:
HKEY_CLASSES_ROOT\Shell.Application\
and
HKEY_CLASSES_ROOT\Shell.Application.1\
Rename them to something else, for example Shell.Application_ChangeName and Shell.Application.1_ChangeName.
The component can then still be called normally using the new name.
Also change the CLSID value:
HKEY_CLASSES_ROOT\Shell.Application\CLSID\ default value
HKEY_CLASSES_ROOT\Shell.Application.1\CLSID\ default value
It can also be removed to prevent harm from this kind of Trojan.
Prevent Guest users from using Shell32.dll, so that this component cannot be called:
On 2000 use the command: cacls c:\winnt\system32\shell32.dll /e /d Guests
On 2003 use the command: cacls c:\windows\system32\shell32.dll /e /d Guests
Prohibit the FileSystemObject component. FSO is a very widely used component, so decide carefully whether to unregister it. After renaming, programs that call it must be changed, e.g. Set FSO = Server.CreateObject("Scripting.FileSystemObject").
FileSystemObject can be used for general file operations. You can rename this component in the registry to prevent harm from this kind of Trojan:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\
Rename it to something else, for example FileSystemObject_ChangeName.
The component can then still be called normally using the new name.
Also change the CLSID value:
HKEY_CLASSES_ROOT\Scripting.FileSystemObject\CLSID\ default value
It can also be removed to prevent harm from this kind of Trojan.
On 2000, unregister this component with: regsvr32 /u C:\WINNT\system32\scrrun.dll
On 2003, unregister this component with: regsvr32 /u C:\WINDOWS\system32\scrrun.dll
How to prevent Guest users from using Scrrun.dll, so that this component cannot be called:
Use this command: cacls c:\winnt\system32\scrrun.dll /e /d Guests
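Whether section 15 has actually taken effect is easy to lose track of across renames, unregistrations and ACL changes, so the added example below (not from the original page) audits the three components the section targets: for each ProgID it reports whether the ProgID still resolves to a CLSID, whether the backing DLL is present, and whether the Deny entry for Guests that the cacls commands add is on the file. It assumes Windows Server 2008 / IIS 7 and an elevated session. The function names and the component table are this example's own. Two caveats a practitioner needs: shell32.dll is reported but never unregistered or deleted here, because Explorer and the Windows shell depend on it and the page's cacls deny on it is the only safe form; and the Guests deny was written for the IIS 6 IUSR_* account, which was a member of Guests, while the IIS 7 IUSR and application pool identities are not, so on IIS 7 only the unregister or rename steps actually stop ASP from loading these components.

```powershell
# Added example (not from the original page): audit and optionally apply section 15.
# Assumptions: Windows Server 2008 / IIS 7, elevated session. shell32.dll is never unregistered.
$components = @(
    @{ ProgId = 'WScript.Shell';              Dll = "$env:windir\System32\wshom.ocx";  Unregister = $true  },
    @{ ProgId = 'WScript.Shell.1';            Dll = "$env:windir\System32\wshom.ocx";  Unregister = $true  },
    @{ ProgId = 'Shell.Application';          Dll = "$env:windir\System32\shell32.dll"; Unregister = $false },
    @{ ProgId = 'Shell.Application.1';        Dll = "$env:windir\System32\shell32.dll"; Unregister = $false },
    @{ ProgId = 'Scripting.FileSystemObject'; Dll = "$env:windir\System32\scrrun.dll";  Unregister = $true  }
)

function Get-ProgIdClsid {
    # Returns the CLSID a ProgID resolves to, or $null when the ProgID is not registered
    # (renamed, or its CLSID default value cleared, as section 15 describes).
    param([string]$ProgId)
    $key = "Registry::HKEY_CLASSES_ROOT\$ProgId\CLSID"
    if (Test-Path $key) { (Get-ItemProperty -Path $key).'(default)' } else { $null }
}

function Test-GuestsDenied {
    # True when the file's ACL carries a Deny entry for BUILTIN\Guests (what cacls /e /d Guests adds).
    param([string]$Path)
    if (-not (Test-Path $Path)) { return $false }
    $acl = Get-Acl -Path $Path
    [bool]($acl.Access | Where-Object {
        $_.AccessControlType -eq 'Deny' -and $_.IdentityReference -eq 'BUILTIN\Guests' })
}

function Get-AspComponentStatus {
    # One row per ProgID: still creatable from ASP (Clsid non-empty), DLL on disk, Guests denied.
    foreach ($c in $components) {
        New-Object PSObject -Property @{
            ProgId       = $c.ProgId
            Clsid        = Get-ProgIdClsid $c.ProgId
            DllPresent   = Test-Path $c.Dll
            GuestsDenied = Test-GuestsDenied $c.Dll
        }
    }
}

function Invoke-AspComponentHardening {
    # Applies the page's own steps: deny Guests on all three DLLs, unregister wshom.ocx and
    # scrrun.dll. shell32.dll is deliberately excluded from unregistration.
    $dlls = $components | ForEach-Object { $_.Dll } | Sort-Object -Unique
    foreach ($dll in $dlls) {
        if (Test-Path $dll) { icacls $dll /deny 'Guests:(RX)' | Out-Null }
    }
    $toUnregister = $components | Where-Object { $_.Unregister } |
        ForEach-Object { $_.Dll } | Sort-Object -Unique
    foreach ($dll in $toUnregister) {
        if (Test-Path $dll) { regsvr32 /u /s $dll }
    }
}

Get-AspComponentStatus | Format-Table ProgId, Clsid, DllPresent, GuestsDenied -AutoSize
```

Run Get-AspComponentStatus before and after Invoke-AspComponentHardening; a ProgID whose Clsid column is empty can no longer be created by Server.CreateObject, which is the condition section 15 is trying to reach. On Server 2008 the system32 files are owned by TrustedInstaller, so icacls may report access denied until ownership is taken, and unregistering scrrun.dll also removes Scripting.Dictionary and the TextStream objects for every ASP application on the server, which is the same trade-off the page warns about for FSO.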
16. Turn on UAC
Control Panel --> User Accounts --> Turn User Account Control on or off
17. Program permissions
Restrict permissions on: net.exe, net1.exe, cmd.exe, tftp.exe, netstat.exe, regedit.exe, at.exe, attrib.exe, cacls.exe, format.com, c.exe
Or prohibit execution of the above commands completely:
gpedit.msc --> User Configuration --> Administrative Templates --> System
Enable "Prevent access to the command prompt" and also disable command prompt script processing
Enable "Prevent access to registry editing tools"
Enable "Don't run specified Windows applications" and add the following:
at.exe attrib.exe c.exe cacls.exe cmd.exe format.com net.exe net1.exe netstat.exe regedit.exe tftp.exe
18. Serv-U security issues
Use the latest version of the installer, avoid the default installation directory, set permissions on the Serv-U directory, and set a complex administrator password. Change the Serv-U banner, set the passive-mode port range (4001-4003), and make the relevant security settings in the local server settings: check anonymous passwords, disable timeout scheduling, block "FTP bounce" attacks and FXP, and block for 10 minutes any user who connects more than 3 times within 30 seconds. In the domain settings: require complex passwords, use only lowercase letters for directories, and in the advanced settings cancel "allow file dates to be changed with the MDTM command".
Change the account Serv-U runs as: create a new system user with a reasonably complex password that belongs to no group. Give that user Full Control of the Serv-U installation directory. Set up an FTP root directory and give this user Full Control of it, because every FTP user's uploads, deletions and changes inherit this user's permissions; otherwise files cannot be manipulated. The user also needs Read permission on the directories above the FTP root, otherwise the connection fails with "530 Not logged in, home directory does not exist". For example, in testing the FTP root was d:\soft, so the user had to be given Read permission on drive D; for safety, the other folders on drive D can have inheritance of those rights cancelled. Running as the default system account does not have these problems, because the system generally already has these permissions.
If FTP is not needed every day, turn it off and start it only when needed.