Xfocus Windows Internet Server Security Configuration

Differences between Windows 2003 and later versions

1) Windows Server 2003, Standard Edition (Standard Edition)

It also supports dual-circuit processors and 4 GB memory for core products of small and medium enterprises. In addition to all functions of Windows Server 2003 web edition, it also supports Certificate Services, UDDI services, fax services, IAS Internet authentication services, removable storage, RIS, smart cards, Terminal Services, WMS and services for Macintosh.

Supports file and printer sharing. Provides secure network connections.

2) Windows Server 2003, Enterprise Edition (Enterprise Edition)

This product is defined as a new high-end product that supports a maximum of 8 processors, 32 GB memory, and 28 node clusters. It is an extended version of Windows Server 2003 Standard Edition and adds metadirectory services support, Terminal Service Session Directory, cluster, and hot add (hot-add) memory and NUMA non-uniform memory access and access technology. This version also adds a version that supports 64-bit computing.

The full-featured operating system supports up to 8 processors. Provides enterprise-level functions such as 8-node clusters, supporting 32 GB memory. Supports the Intel itanium processor. The 64-bit computer version will be available, which can support 8 64-bit processors and 64 GB memory.

3) Windows Server 2003, datacenter edition (Data Center)

As in the past, this is a product that has always represented the highest performance of Microsoft products. Its Market targets have always been positioned on the highest-end applications, with extremely reliable stability and scalability. It supports 8-32 processors, 64 GB memory, 2-8 node clusters. Compared with Windows Server 2003 Enterprise Edition, Windows Server 2003 datacenter edition adds a set of Windows datacenter program packages. This product also supports another 64-bit version.

The most powerful and powerful server operating system provided by Microsoft so far. Supports 32 processors and 64 GB memory. 8-Point Cluster and Server Load balancer are provided at the same time. Provides a 64-bit processor platform that supports amazing 64-channel processors and GB of memory.

4) Windows Server 2003, web edition (web edition)

This version is specially optimized for Web Services. It supports dual-processor and 2 GB memory. This product supports both ASP. net, DFS Distributed File System, EFS file encryption system, iis6.0, smart image, ICF Internet firewall, IPv6, Mircrosoft. net Framework, NLB network load balancing, PKI, print services for UNIX, RDP, remote OS installation (non-RIS service), result set of rsop policy, Shadow Copy restore), VPN, and WMI command line mode. The only difference between Windows Server 2003 web edition and other versions is that it can only act as a member server in the ad domain, rather than a DC Domain Controller.

You can deploy various web applications and XML page services. IIS 6.0. Quick and easy development of various platforms based on XML and ASP. NET service projects.
5) Windows Server 64-bit edition (64-bit version)

This version is specially developed for 64-bit processor anteng itanium.
There are two versions:

Windows Server 2003 Enterprise Server
64-bit edition.

Windows Server 2003 datacenter Server
64-bit edition.
Practice

The following is an example of a standard VM.
System: Windows2003
Service: [IIS] [SERV-U] [IMail] [SQL Server 2000] [PHP] [MySQL]
Description: The most services are bound for demonstration. You can perform screening and subtraction based on the actual situation.

1. Windows Local Security Policy port restrictions
A. For our example, we need to activate the following ports:
External> Local 80
-> Local 20
-> Local 21
-> Some ports used by the local PASV
-> Local 25
-> Local 110
-> Local 3389
Then, open the ports of SQL Server and MySQL according to the actual situation.
-> Local 1433
-> Local 3306
B. Then open the ports to be opened from the inside out.
Based on the actual situation, do not open the following two rules if no email service is required
Local> outside 53 TCP, UDP
Local> external 25
According to the specific situation. If you do not need to access the webpage on the server, try not to open the following port
Local> external 80
C. In addition to explicit blocking, this is the key to security rules.
-> All local protocols are blocked.

2. User Account
A. Rename the Administrator. In this example, change it to root.
B. Cancel all user attributes except administrator root
Remote Control-> enable remote control and
Terminal service configuration file-> allow login to Terminal Server
C. Change the name of guest to administrator and change the password.
D. In addition to the administrator root, iuser, IWAM, and ASPnet, disable all other users, including SQL debug and terminal user.

3. directory permission
Change the permissions of all drive letters to only
All permissions for the Administrators group
All system Permissions
Inherit All Sub-directories and sub-files of drive C from the Administrator (group or user) and system permissions of drive C.
Then make the following changes:
C:/Documents and Settings/all users open the default three permissions for reading and running the list of file directories
C:/Documents and Settings/Add the read and run permissions of the users user group to avoid loaduserprofile failure.
C:/program files/common files open the default everyone permission to read and run the list file directory to read three permissions can increase the access database access permissions of ASP Asp.net
C:/The following operations in Windows may cause the ghost operation to fail. The system can successfully perform the ghost operation, but it will automatically restart after it is started.
C:/Windows/open the default three permissions for reading and running the list file directory of everyone
C:/Windows/temp open everyone for modification, reading and running, listing file directories, reading and writing Permissions
C:/Windows/Microsoft. NET/framework/v1.1.4322/Temporary ASP. NET files
Note that the following directories are not authorized by iis_wpg and service users:
C:/Windows/help/IISHelp/common
C:/Windows/system32/inetsrv/asp compiled templates
C:/Windows/IIS temporary compressed files

Now webshell cannot write files in the system directory.
You can also use stricter permissions.
In Windows, Set permissions for directories.
However, it is complicated and the effect is not obvious.

4. IIS
Under IIS 6, the ISAPI type corresponding to the file type in the application extension has removed dangerous script types such as idq and print,
In IIS 5, we need to delete all types except ASP and ASA.
Install URLScan
In [DenyExtensions]
Add the following content
. Cer
. CDX
. MDB
. Bat
. Cmd
. Com
. HTW
. Ida
. Idq
. Htr
. Idc
. Shtm
. Shtml
. Stm
. Printer
In this way, intruders cannot download the. mdb database. This method is more thorough than some other methods that add special characters to the file header.
Because even if the file header is added with special characters, it can still be constructed by encoding.

5. web directory permissions
As a virtual host, there will be many independent customers
It is safer to create a Windows user for each customer.
Then, in the site of the IIS response
Bind the anonymous user executed by IIS to this user
And direct it to the directory
Permission changed
All permissions for Administrators
All system Permissions
Select advanced for a user (or iuser) created separately-> open all permissions except full control, traverse folders/run programs, and obtain three permissions of ownership.

If there are not many sites on the server and there are forums
We can upload directories for each Forum
Remove the execution permission of this user.
Only read and write permissions
In this way, intruders upload webshells even if they bypass the Forum file type detection.
It cannot run.

6. ms SQL Server2000
Log on to the query analyzer using a system account
Run the following script
Use master
Exec sp_dropextendedproc 'xp _ export shell'
Exec sp_dropextendedproc 'xp _ dirtree'
Exec sp_dropextendedproc 'xp _ enumgroups'
Exec sp_dropextendedproc 'xp _ fixeddrives'
Exec sp_dropextendedproc 'xp _ loginconfig'
Exec sp_dropextendedproc 'xp _ enumerrorlogs'
Exec sp_dropextendedproc 'xp _ getfiledetails'
Exec sp_dropextendedproc 'SP _ oacreate'
Exec sp_dropextendedproc 'SP _ oadestroy'
Exec sp_dropextendedproc 'SP _ oageterrorinfo'
Exec sp_dropextendedproc 'SP _ oagetproperties'
Exec sp_dropextendedproc 'SP _ oamethod'
Exec sp_dropextendedproc 'SP _ oasetproperties'
Exec sp_dropextendedproc 'SP _ oastop'
Exec sp_dropextendedproc 'xp _ regaddmultistring'
Exec sp_dropextendedproc 'xp _ regdeletekey'
Exec sp_dropextendedproc 'xp _ regdeletevalue'
Exec sp_dropextendedproc 'xp _ regenumvalues'
Exec sp_dropextendedproc 'xp _ regread'
Exec sp_dropextendedproc 'xp _ regremovemultistring'
Exec sp_dropextendedproc 'xp _ regwrite'
Drop procedure sp_makewebtask
Go
Delete all dangerous extensions.

7. Modify cmd. EXE and net. Exe Permissions
Modify the permissions of the two files to a specific administrator. For example, in this example, modify the permissions of the two files as follows:
Cmd.exe root user all Permissions
Net.exe root user ownership
This prevents unauthorized access.
You can also use the comlog program provided in the example.
Rename com.exe_com.exe and replace the COM file. In this way, all command line commands executed can be recorded.

To prevent unauthorized users from modifying permissions through the command line, execute "cmd.exe net.exe net1.exe ping.exe netstat.exe ftp.exe tftp.exe telnet.exe regedit.exe at.exe attrib.exe cacls.exe format.exe permission ".

8. Backup
Use ntbackup software. Back up system status.
Use reg.exe to back up key system data
For example, Reg export HKLM/software/odbc e:/backup/system/ODBC. Reg/y
To back up the ODBC OF THE SYSTEM

9. Anti-Virus
Here we will introduce the Chinese enterprise version of McAfee 8i
This version can be updated in a timely manner for many malicious codes and Trojans in China.
For example, the top 2006 of Haiyang is detected.
Besides, it can remove the mime-encoded virus files in the queues used by SMTP software such as IMail.
Many people prefer to install the Norton Enterprise Edition, while Norton Enterprise Edition does not respond to webshell.
In addition, mime-encoded files cannot be antivirus.
In McAfee.
We can also add rules to prevent creating and modifying exe. DLL files in the Windows directory.
We add the anti-virus program for the web directory to the software.
Run once a day
And enable real-time monitoring.
Note: installing anti-virus software affects ASP execution because The jscript. dll and VBScript. dll components are disabled.
Run regsvr32 jscript. dll in DOS mode, and remove the restriction on regsvr32 VBScript. dll.

10. Disable useless services
We usually disable the following services:
Computer Browser
Help and Support
Messenger
Print Spooler
Remote Registry
TCP/IP NetBIOS Helper
If the server does not require domain control, we can also disable it.
Workstation disables probe to detect processes and user information

Disable Remote Registry Service"

Security risks: If a hacker connects to our computer and the computer enables remote registry, the hacker can remotely set services in the registry, therefore, remote registry services require special protection.

Solution: Disable the Remote Registry Startup Mode. However, after hackers intrude into our computers, they can still convert the service from "disabled" to "automatically started" through simple operations ". Therefore, it is necessary to delete the service.

Find the RemoteRegistry item under "hkey_local _ machinesystemcurrentcontrolset Services" in the registry, right-click the item and select "delete" (figure 1). After deleting the item, the service cannot be started.

11. Remove dangerous components
If the server does not require FSO
Regsvr32/u c:/Windows/system32/scrrun. dll
Logout component
Regsvr32/u c:/Windows/system32/wshom. ocx
Regsvr32/u c:/Windows/system32/wshext. dll
Regsvr32/u c:/Windows/system32/shell32.dll
If possible, delete these components.

Use Regedit to perform the following operations in the registry:
Set/hkey_classes_root
Wscript. Network
Wscript. network.1
Wscript. Shell
Wscript. shell.1
Shell. Application
Shell. application.1
Rename or delete a key value
Remove the strings contained in CLSID from these key values.
For example
{13709620-c279-11ce-a49e-444553540000}
{72c24dd5-d70a-438b-8a42-98108b88afb8}
Find the key values named after these strings under/hkey_classes_root/clsid.
Delete all
Modify the Registry to make the system stronger

1. To hide important files/directories, you can modify the Registry to completely hide them: HKEY_LOCAL_MACHINE/software/Microsoft/Windows/current-version/Explorer/advanced/folder/hi-dden/showall ", right-click "checkedvalue" and choose modify from 1 to 0.
2. Start the system's built-in Internet connection _ blank "> firewall, and select the web server in the set service options.
3. Prevent SYN flood attacks HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/TCPIP/parameters
Create a DWORD Value named SynAttackProtect. The value is 2.
Enablepmtudiscovery REG_DWORD 0
NoNameReleaseOnDemand REG_DWORD 1
EnableDeadGWDetect REG_DWORD 0
KeepAliveTime REG_DWORD 300,000
Invalid mrouterdiscovery REG_DWORD 0
Enableicmpredirects REG_DWORD 0

4. Disable response to ICMP route notification packets
HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/TCPIP/parameters/interfaces/interface: Create a DWORD value. The value named "descrimrouterdiscovery" is 0.

5. Prevent ICMP redirection packet attacks
HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/TCPIP/parameters
Set enableicmpredirects to 0
6. IGMP protocol not supported
HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/TCPIP/parameters
Create a DWORD Value named igmplevel 0
7. Modify the Terminal Service port
[HKEY_LOCAL_MACHINE/system/CurrentControlSet/control/Terminal Server/WDS/rdpwd/tDS/tcp]. Do you see the portnumber on the right? In decimal format, change it to the desired port number, for example, 7126, as long as it does not conflict with others.
The second step is HKEY_LOCAL_MACHINE/system/CurrentControlSet/control/Terminal Server/winstations/RDP-TCP. The method is the same as above. Remember to change the port number to the same as the above.

8. Disable null IPC connection:
Cracker can use the net use command to establish a null connection, and then invade into the database. Net view and NBTSTAT are all based on NULL connections. It is good to disable NULL connections. Open the registry and find LOCAL_MACHINE/system/CurrentControlSet/control/LSA-restrictanonymous. Change the value to "1.

9. Change the TTL value
Cracker can roughly judge your operating system based on the TTL value returned by Ping, such:
TTL = 107 (winnt );
TTL = 108 (Win2000 );
TTL = 127 or 128 (Win9x );
TTL = 240 or 241 (Linux );
TTL = 252 (Solaris );
TTL = 240 (IRIX );
In fact, you can change HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/TCPIP/parameters: defaultttl REG_DWORD 0-0xff (0-255 decimal, default value 128) to an inexplicable number such as 258, at least let the little cainiao get dizzy for a long time, and you may not have to give up the intrusion.

10. delete default share
Someone asked me how I shared all the disks when I started. After I changed it back, I restarted and shared it again. This is the default share set for 2 k management, you must modify the Registry to cancel it: HKEY_LOCAL_MACHINE/system/CurrentControlSet/services/LanmanServer/parameters: the AutoShareServer type is REG_DWORD and change the value to 0.

11. Do not create a null connection

By default, any user connects to the server through an empty connection, and then enumerates the account and guesses the password. We can modify the Registry to disable NULL connections:
Change the value of LOCAL_MACHINE/system/CurrentControlSet/control/LSA-restrictanonymous to "1.
12. Audit
Local Security Policy-> local policy-> Audit Policy
Open the following content
Audit policy changed successfully, failed
System Event Review successful, failed
Account Logon review successful, failed
Account Management review successful, failed
Local Security Policy-> local policy-> Security Options
Interactive login: The Last User Name is not displayed and enabled
Interactive login: Session lock does not display the Last User Name Enabled
Network Access: Restrict anonymous access to named pipes and share Enabled

13. Remove attachment upload restrictions
In Windows2003, IIS6 cannot upload attachments larger than kb by default and cannot download attachments larger than 4 MB.
Solution:
1. Disable the IIS Admin Service in the service.
2. Find the metabase. xml file under Windows/system32/inetsrv.
3. Open it in plain text mode. Find aspmaxrequestentityallowed and change it to the desired value (10 m or 10240000). The default value is 204800, that is, 200 K.
4. Save the disk and restart the IIS Admin Service.

To download attachments that exceed 4 MB in IIS 6.0, follow these steps:
1. Disable the IIS Admin Service in the service.
2. Find the metabase. xml file under Windows/system32/inetsrv.
3. Open it in plain text mode and find aspbufferinglimit to change it to the desired value (20 m or 20480000 ).
4. Save the disk and restart the IIS Admin Service.

14 prevent Serv-U permission escalation
In fact, after the shell component is deregistered, the possibility of the attacker to run the lifting tool is very small, but other script languages such as prel also have shell capabilities. It is better to set it to prevent such attacks.

Use ultraeditto open servudaemon.exe to search for ASCII: localadministrator, and modify it to the desired value of the same length. The process is the same as that of servuadmin.exe.

In addition, pay attention to setting the ACL for the folder where Serv-U is located. do not grant anonymous IIS users the permission to read the files. Otherwise, the files you modified will be stored, you can also analyze your Administrator name and password.

Subsequently installed
PHP 4.4.1
Download and decompress C:/PHP and add the environment variable phprc to C:/PHP. ini in the path of windows to indicate the location of PHP. ini,
Copy C:/PHP/dll/*. * to the C:/PHP Directory, remember to set upload_directory = "C:/Windows/Temp"
Session_directory = "C:/Windows/Temp" sets the maximum file size of upload to 10 MB.

Zend optimizer 2.6.2 version 3.0.1 has been released: http://downloads.zend.com/optimizer/
Eaccelerator accelerator Windows Version: http://www.arnot.info/eaccelerator/
Add

Extension = eaccelerator. dll
Eaccelerator. shm_size = "64" // The default value is 16 m. I changed it to 64 m.
Eaccelerator. cache_dir = "C:/Windows/Temp" // you need to create it manually to ensure that the permission is read/write.
Eaccelerator. Enable = "1 ″
Eaccelerator. optimizer = "1 ″
Eaccelerator. check_mtime = "1 ″
Eaccelerator. DEBUG = "0 ″
Eaccelerator. Filter = ""
Eaccelerator. shm_max = "0 ″
Eaccelerator. shm_ttl = "0 ″
Eaccelerator. shm_prune_period = "0 ″
Eaccelerator. shm_only = "0 ″
Eaccelerator. Compress = "1 ″
Eaccelerator. compress_level = "9 ″
Eaccelerator. admin. Name = "adminusername"
Eaccelerator. admin. Password = "password"

Download URL:
MySQL uses a stable version 4.0.27 to avoid Chinese Encoding Problems and obtain stable service performance.
Decompress the C:/MySQL database directory and store it in E:/MySQL/data.
Modify the C:/MySQL/my-large.cnf file to add basedir = C: // MySQL datadir = E: // MySQL/Data
During installation, select mysqld-opt.exe. This version provides high-speed running efficiency and features that are not specially needed and the name pipe function in windows, install mysqld-ope-install mysql40-defaults-file = C:/MySQL/my-large.cnf

PhpMyAdmin config. Inc. php

/*
* Generated configuration file
* Generated by: phpMyAdmin 2.8.2.1 setup script by Michal? IHA?
* Version: $ ID: setup. php, V 1.23.2.10.2.1 2006/08/01 14:01:37 lem9 exp $
* Date: Sun, 06 Aug 2006 09:57:32 GMT
*/

/* Servers configuration */
$ I = 0;

/* Server localhost (cookie) [1] */
$ I ++;
$ Cfg ['servers'] [$ I] ['host'] = 'localhost ';
$ Cfg ['servers'] [$ I] ['extension'] = 'mysql ';
$ Cfg ['servers'] [$ I] ['connect _ type'] = 'tcp ';
$ Cfg ['servers'] [$ I] ['compus'] = false;
$ Cfg ['servers'] [$ I] ['auth _ type'] = 'cooker ';

/* End of servers configuration */

$ Cfg ['blowfish _ secret'] = '44d5bcf6cf1d61. 100 ′;
$ Cfg ['textareacols'] = 40;
$ Cfg ['texteardone'] = 7;
$ Cfg ['longtextdoubletextarea '] = true;
$ Cfg ['textareaautoselect'] = true;
$ Cfg ['charediting'] = 'input ';
$ Cfg ['chartextareacols'] = 40;
$ Cfg ['chartextareardone'] = 2;
$ Cfg ['ctrlarrowsmoving '] = true;
$ Cfg ['defaultpropdisplay'] = 'horizontal ';
$ Cfg ['insertrows'] = 2;

$ Cfg ['showchgpassword'] = true;
?>

Install components:
Aspemail
Aspupload
Aspjpeg

2006 SP3 http://www.powereasy.net/Soft/PE_soft/192.html

Static URL rewrite
Discuz! The URL static function is restricted by the server environment where the forum is located. Before enabling this function, select the appropriate environment configuration method based on your Web server environment, the server configuration under IIS6 is as follows .. you can configure other servers (such as Apache and Zeus) based on the principle.

1. Download the IIS rewrite module: http://download.discuz.net/4.1.0/discuz_iis_rewrite.zip;

2. decompress the compressed package to any directory (for example, C:/Rewrite ). Choose "Control Panel"> "Administrative Tools"> "IIS Information Service Manager"> "website"> "your site"> "properties ". Click "add" in the "ISAPI filter" item, and enter the Filter Name in rewrite. the executable file is C:/Rewrite. dll;

3. Restart IIS to take effect.

After the above configuration, you can go to discuz! In the background of 4.1.0, the affected static functions are enabled as needed.

None: do not enable URL static function.

Discuz! Static archiver: When the archiver function is enabled in the Forum, all links in the archiver are in the form of *. html.

Static conversion of common pages: perform static URL conversion on common pages of the forum, such as Forumdisplay. php, viewthread. php, and viewpro. php.

Static conversion of archiver and common pages: static URL conversion for archiver and common pages of forums (such as Forumdisplay. php, viewthread. php, and viewpro. php.

Note:

You can use discuz in system settings! This feature has special requirements on the server environment. Independent host users need to add corresponding rewrite rules to the web server, therefore, server permissions are required. For VM users, you need to consult your space service provider about whether the space supports rewrite and whether the site directory is supported. the file parsing of htaccess takes effect only when the two conditions are met. After you turn on URL static, some common links in the Forum will become similar to discuz/forum-1-1.html, if your server environment is not supported or not configured, when you access these links, an error message "webpage cannot be displayed" appears, and the forum cannot be accessed normally. When access fails, go to the management background and disable the URL static function to restore the forum to normal.

The compressed package provided in this article also contains an httpd. ini file, which is the configuration file of the rewrite rule. The content is as follows (no modification is required ):

[Isapi_rewrite]
#3600 = 1 hour

Cacheclockrate 3600

Repeatlimit 32
# Protect httpd. ini and httpd. parse. Errors files
# From Accessing through HTTP
Rewriterule ^ (. *)/archiver/([a-z0-9/-] +/. html) $1/archiver/index/. php /? $2
Rewriterule ^ (. *)/Forum-([0-9] +)-([0-9] +)/. html $1/Forumdisplay/. php /? FID = $2 & page = $3
Rewriterule ^ (. *)/thread-([0-9] +)-([0-9] +)-([0-9] + )/. HTML $1/viewthread /. PHP /? Tid = $2 & extra = page/% 3d $4 & page = $3
Rewriterule ^ (. *)/profile-(username | UID)-(. +)/. html $1/viewpro/. php /? $2 = $3

Install probe, ajiang ASP probe, coonn ASP probe, Asp.net probe, iprober PHP Probe

MSDTC Error
System log prompt:
The Distributed Transaction Coordinator Service stops due to a 3221229584 service error.
Distributed Transaction Coordinator is the MSDTC Service.
The error is caused by MSDTC logs.
An error occurred while searching logs during startup.

Solution
System32/dtclog directory Renamed
Create a directory with the same name in the same location

CMD
Run
MSDTC-resetlog