Windows Server 2003 system security Settings Guide

System setup on the Internet there is a word "minimal privilege service = maximum security". This sentence is basically an individual has read, but I do not seem to have seen a more detailed and comprehensive article, the following on my personal experience to make a teaching attempt!
&http://www.aliyun.com/zixun/aggregation/37954.html ">nbsp;
How is the minimum privilege implemented?

NTFS system permissions are set to use each hard drive root plus the Administrators user for all permissions before using (optionally join system user)

To delete another user, enter the system disk: permissions are as follows

C:\WINDOWS Administrators System User permissions Users default permissions are not modified

Other directories Remove everyone user, and remember the all Users\default user directory and its subdirectories under C:\Documents and settings.

such as C:\Documents and Settings\All Users\Application The Data directory default configuration retains everyone user rights

The permissions under the C:\WINDOWS directory must also be noted, such as C:\WINDOWS\PCHealth, C:\windows\Installer also retains the Everyone permissions

Delete the C:\WINDOWS\Web\printers directory, the existence of this directory will cause IIS to add a printers extension, overflow attack copyright Disclaimer: This site articles are from the network, this site all reproduced article comments do not represent the views of the site

The default IIS error pages are largely not used by many people. It is recommended to delete the C:\WINDOWS\Help\iisHelp directory!

Delete C:\WINDOWS\system32\inetsrv\iisadmpwd, which is used to manage IIS passwords, such as some 500 because of a password that is not synchronized.

Use OWA or Iisadmpwd to modify the sync password at the wrong time, but you can delete it here, the settings described below will eliminate the problem of password synchronization caused by system settings.

Open C:\Windows Search
netexe;cmdexe;tftpexe;netstatexe;regeditexe;atexe;attribexe;caclsexe;formatcom;
Regsvr32exe;xcopyexe;wscriptexe;cscriptexe;ftpexe;telnetexe;arpexe;edlinexe;
Pingexe;routeexe;fingerexe;posixexe;rshexe;atsvcexe;qbasicexe;runonceexe;syskeyexe

Modify permissions, delete all users only save administrators and system for all permissions

Close port 445

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netbt\Parameters.
The new DWORD value value named "smbdeviceenabled" data is the default value of "0".

Prohibit the establishment of an empty connection

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa
New DWORD value value named "RestrictAnonymous" Data value is "1" [2003 defaults to 1]

Prevent system from automatically starting server sharing

Hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters
New DWORD value named "AutoShareServer" data value is "0"

Prevent system from automatically starting administrative shares

Hkey_local_machine\system\currentcontrolset\services\lanmanserver\parameters
New DWORD value named "AutoShareWks" data value is "0"

Preventing small-scale DDoS attacks by modifying the registry

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
New DWORD value named "SynAttackProtect" Data value is "1"

Prohibit the generation of dump file

Dump files are a useful resource for finding problems when the system crashes and blue screens. However, it can also provide hackers with sensitive information such as the password of some applications. Control Panel > System Properties > Advanced > Startup and failback to change write debug information to none.

Close Doctor DrWatson

Enter "DrWtsn32" in the start-run, or start-Program-attachment-System Tools-System Information-tools Leukocyte Watson, bring up the system's Dr. Watson DrWatson, only "Dump all thread context" option, otherwise, once the program is wrong, the hard drive will read for a long time, and takes up a lot of space. If this is the case, look for the Userdmp file, which saves dozens of MB of space after deletion.