Windows 2003 Server Security Configuration

There's a lot of security on the Windows Server http://www.aliyun.com/zixun/aggregation/19058.html ">2003" system, but a lot of it is not fully analyzed. And a lot of still configuration is not reasonable enough, and there are a lot of security risks, today I decided to carefully do the extreme BT 2003 server Security configuration, so that more network management friends peace of mind.

The servers we configure need to provide the following components: (ASP, ASPX, CGI, PHP, FSO, JMail, MYSQL, SMTP, POP3, FTP, 3389 Terminal Services, Remote Desktop Web Connection Management services, etc.), provided that the system is already installed, IIS , including FTP servers, mail servers, and so on, these specific configuration methods are no longer repeated, now we focus on the main description of the security configuration.

About regular security installation systems, setting up and managing accounts, shutting down redundant services, auditing policies, modifying terminal management ports, configuring MS, removing dangerous stored procedures, connecting with the least privileged public account, etc.

First of all, about the system of NTFS disk permissions settings, we may see more, but 2003 server some detail places to pay attention to, I see a lot of articles have not written completely.

C Disk only to administrators and system permissions, other permissions do not give, the other disk can also be set up here, the system authority given here does not necessarily need to give, just because some third-party applications are launched in the form of services, need to add this user, otherwise it will not start.

Windows directories should be added to the default permissions for users, otherwise applications such as ASP and ASPX will not run. Previously have friends to set INSTSRV and temp directory permissions, in fact, there is no such need.

In addition, it is important here in C:/Documents and settings/that the permissions in the following directory will not inherit from the previous settings, if only set the C disk to administrators permissions, and in all users/application The Everyone user has full control in the data directory, so the intrusion can jump to this directory, write script or file only, and then combine other vulnerabilities to elevate permissions, such as using Serv local overflow to elevate permissions, or systems missing patches, database weaknesses, Even the social engineering and so on n many methods, once not have the bull person to send a squall to say: "As long as gives me a webshell, I can get system", this also certainly is possible. In systems that are used as WEB/FTP servers, it is recommended that these directories be set up for deadlock. The table of contents for each of the other disks is set in this way, and none of the disks give adinistrators permissions.

In addition, you will: Net.exe,cmd.exe,tftp.exe,netstat.exe,regedit.exe,at.exe,attrib.exe,cacls.exe, these files are set to allow only administrators access.