Windows Server Security Configuration experience sharing

A lot of people now think that Microsoft has too many loopholes, Microsoft's system security is very poor, but through my various systems in the process of security configuration I summed up some experience, special to share with you, in fact, all kinds of systems have a lot of loopholes, but Microsoft's things with the most people, the general level is not very high, Does not make various security settings, so will let people have now online with nt/2000 service security is very poor feeling, in fact, nt/2000 server if you do a good job of the security settings, its security will never be worse than Nix system, if you follow the following I said to do, I can guarantee you 95% The above security, 100% I can not guarantee, of course, you must be in time to hit Microsoft's various large and small patches, oh, who, who took banana peel throw me, stand out!! Oh, less nonsense, turn to the point.





1. Primary article: nt/2000 system itself customized installation and related Settings


Web sites built with NT (2000) make up a large proportion of all Web sites, mainly because of its ease of use and manageability, so that the company does not have to invest a lot of money in the management of the server, this is better than the Nix system, do not have to ask a very professional administrator, do not have to pay a savings can be a high salary , oh, of course, Nix's administrator will not be unemployed, because of its open source and Windows system unmatched speed, so now almost all the large servers using the Nix system. But for small and medium-sized enterprises, Windows is enough, but NT security issues have been relatively prominent, so that some of the NT-based sites have a kind of treading on a thin ice feeling, here I give a security solution, for China's network security cause to make a contribution to it (Note: This program is mainly for the establishment of the Web site NT, 2000 Server security, for the local area network server is not appropriate. ）


First, customize your own nt/2000 SERVER


1. Version selection:


WIN2000 has a variety of language versions, for us, you can choose the English version or Simplified Chinese version, I strongly recommend: in the case of language does not become an obstacle, please use the English version. You know, Microsoft's products are famous for the bug &patch, the Chinese version of the bug far more than the English version, and the patch is usually late at least half a month (that is, the general Microsoft released a loophole after your machine will be in unprotected condition for half a month)


2. Component customization:


Win2000 installs some common components by default, but it is this default installation that is extremely dangerous. You should know exactly what services you need, and just install the services you really need, according to security principles, minimal service + minimal permissions = maximum security. The minimum component selection required for a typical Web server is to install only the COM Files,iis snap-in,www server component of IIS. If you do need to install additional components, be careful, especially: Indexing Service, FrontPage Server Extensions, Internet service


Manager (HTML) is a few of the dangerous services.


Two, install nt/2000 SERVER
correctly




either NT or 2000, the hard disk partitions are NTFS partitions;


Description:


(1) NTFS has more security control than fat partitioning, and can set different access permissions for different folders and enhance security.


(2) recommends that you install all the NTFS partitions at once, instead of installing them into a FAT partition and then converting to an NTFS partition, which installs the


SP5 and SP6 can lead to unsuccessful transformations and even system crashes.


(3) installation of NTFS partitions there is a potential danger, is that most anti-virus software does not provide for the floppy disk after the start of the NTFS partition virus, so once the system has been a vicious virus caused the system can not start normally, the consequences are more serious, therefore, and advised to do the usual anti-virus


work.


(4) Partitioning and Logical disk allocation


some friends for the sake of convenience, it is not good to divide the hard disk into a logical disk, all software is installed on C drive, it is very bad, it is recommended to establish a minimum of two partitions, a system partition, an application partition, because Microsoft's IIS often have leaks source/overflow vulnerabilities, If you put the system and IIS on the same drive, it can cause the system files to leak and even the intruder will get admin remotely. The recommended security configuration is to create three logical drives, the first larger than 2G, to install the system and important log files, the second to put IIS, the third to put FTP, so whether IIS or FTP out of the


Security vulnerabilities do not directly affect system directories and system files. You know, IIS and FTP are external services and are more prone to problems. The main purpose of separating IIS from FTP is to prevent intruders from uploading programs and running them from IIS.


(5) Installation sequence selection:


Win2000 in the installation of a few order is sure to note: First, when to access the network: Win2000 in the installation of a loophole, after you enter the administrator password, the system has established a admin share, but did not use the password you just entered to protect it , this situation continues until you start again, during which time, anyone can enter your machine through admin, and as soon as the installation completes, the various services will automatically run, while the server is covered with holes, very easy to access, therefore, fully installed and configured Win2000 Server, you must not connect the host to the network. Second, the installation of patches: patches should be installed after all applications installed, because the patch will often replace/modify some system files, if the first installation of the patch and then install the application may cause the patch can not play the due effect, such as


: IIS hotfix requires that every change to the configuration of IIS be installed


Three, security configuration nt/2000 SERVER


even if the correct installation of WIN2000 SERVER, the system still has a lot of vulnerabilities, but also need to be further detailed configuration.


1. Port:


Port is a computer and external network connected to the logical interface, but also the first screen of the computer, the port configuration is correct or not directly affect the security of the host, in general, only open the port you need to use will be more secure, the configuration is in the network card properties-tcp/ip-advanced-Options-tcp/ TCP/IP filtering is enabled for Win2000, but there is one bad feature for port filtering for ports: it can only specify which ports to open and which ports to shut down, which is more painful for users who need to open a large number of ports.


2. IIS:


IIS is the most vulnerable component of Microsoft, an average of two or three months will be a loophole, and Microsoft's IIS default installation is really not flattering, so the configuration of IIS is our focus, now everyone follow me: First of all, the C-disk that what Inetpub directory completely deleted, Build a inetpub in D (if you're not sure you can change a name with the default directory name, but remember) in IIS Manager, point the home directory to d:inetpub, and secondly, the virtual directories such as the default scripts that IIS is installed are deleted. If you need a directory of what permissions you can build yourself slowly, what permissions you need to open. (Pay special attention to write permissions and execute program permissions, no absolute necessity. Third, application configuration: Remove any unwanted mappings that are not necessary in IIS Manager, and must refer to Asp,asa and other file types that you really need to use, such as stml (using the server Side include), in fact 90% of the host has the above two mapping is enough, the rest of the map almost every one has a miserable story: HTW, HTR, IDQ, Ida ... Want to know these stories? Check out the previous vulnerability list.