Practical techniques for Web-Dedicated server security (1)

Related Settings for IIS: Delete the default site's virtual directory, stop the default Web site, delete the corresponding file directory c:inetpub, configure the public settings for all sites, set the associated number of connections, bandwidth settings, and other settings such as performance settings. Configures application mappings, removes all unnecessary application extensions, and retains only asp,php,cgi,pl,aspx application extensions. For PHP and CGI, it is recommended to use ISAPI parsing and EXE parsing to have an impact on security and performance. User program debug Settings send a text error message to the customer. For the database, try to use the MDB suffix, do not need to change to ASP, you can set up an MDB extension mapping in IIS, this mapping using an unrelated DLL file such as C:winntsystem32inetsrvssinc.dll to prevent the database from being downloaded. Set the log Save directory for IIS, and adjust logging information. Set to send text error messages. Modify the 403 error page and turn it to another page to prevent some scanners from probing. In addition, to hide system information, to prevent the release of the system version information from Telnet to port 80 can modify IIS banner information, you can use Winhex manual modification or use related software such as banneredit modification. For the directory where the user site is located, here is a description of the user's FTP root directory corresponding to three files good, wwwroot,database,logfiles, respectively, storage site files, database backup and the site's log. If an intrusion event can set specific permissions on the directory where the user's site resides, the directory in which the picture resides is given permission only to the column directory, and the directory where the program resides does not require write access if the file is not required to generate the HTML. Because it is a virtual host of the usual script security can not be meticulous to the point, more only in the method user from the script to elevate permissions: ASP security settings: Set permissions and services, to prevent ASP Trojan also need to do the following work, in the CMD window run the following command: regsvr32/u c:\ Winnt\system32\wshom.ocx del C:\WINNT\System32\wshom.ocx regsvr32/u C:\WINNT\system32\shell32.dll del C:\WINNT\ System32\shell32.dll can be Wscript.Shell, shell.application, Wscript.Network component Uninstall, can effectively prevent ASP Trojan horse through WScript or shell.application execute commands and use Trojans to view some system sensitive information. Another method: Can cancel the above file of usERs the user's permissions, restarting IIS will take effect. This method is not recommended. In addition, for the FSO because the user program needs to use, the server can not log off the component, here only to mention the prevention of FSO, but do not need to open space in the virtual Business Server use, only suitable for manually opened the site. You can set up two groups of sites that require FSO and do not need FSO, and do not need to give permission to C:winntsystem32scrrun.dll files to the user group that requires the FSO. Restarting the server will take effect. For such settings combined with the above permission settings, you will find that the Haiyang Trojan has lost its role here! PHP security settings: The default installation of PHP requires the following points of attention: C:\winnt\php.ini only give users Read permission. The following settings are required in php.ini: safe_mode=on register_globals = off Allow_url_fopen = off display_errors = off MAGIC_QUOTES_GPC = on [default Yes on, but it needs to be checked again] open_basedir =web directory disable_functions =passthru,exec,shell_exec,system,phpinfo,get_cfg_var,popen,chmod Default setting Com.allow_dcom = True to false[before modification; MySQL security settings: If the MySQL database is enabled on the server, the MySQL database should be aware that the security settings are: Delete all default users in MySQL, Only the local root account is retained, and a complex password is added to the root user. Give ordinary users Updatedeletealertcreatedrop permissions, and limit to a specific database, especially to avoid ordinary customers have permissions on MySQL database operations. Check the Mysql.user table to remove unnecessary user Shutdown_priv,relo Ad_priv,process_priv and File_priv permissions that may leak more server information including non-MySQL information. You can set up a startup user for MySQL that only has permissions on the MySQL directory. Set permissions on the data database for the installation directory (this directory holds the MySQL database information). For the MySQL installation directory, add read, column directories, and execute permissions to users. Serv security issues: Install the latest version to avoid using the default installationRecord, set the permissions of the Serv directory, set up a complex administrator password. Modify the banner information of the Serv, set the passive mode port range (4001-4003) make the relevant security settings in the local server settings: including checking anonymous passwords, disabling the scheduling of the go-ahead, intercepting "FTP bounce" attacks and FXP, Intercept 10 minutes for users who have connected more than 3 times in 30 seconds. The settings in the domain are: complex passwords are required, directories only use lowercase letters, and the advanced setting cancels the date that allows the file to be changed using the Mdtm command. To change the startup user for Serv: Create a new user in the system, set a complex password, and not belong to any group. Give the user Full control of the SERVU installation directory. To create an FTP root directory, you need to give this user full control of the directory, because all FTP users upload, delete, change files are inherited from the user's permissions, otherwise unable to manipulate the file. Additionally, you need to give the user Read permission to the parent directory above the directory, otherwise it will appear 530 not logged in, home directory does not exist at the time of the connection. For example, when testing the FTP root directory for D:soft, must give the user D disk Read permission, in order to safely cancel other folders in D disk inherited permissions. The general use of the default system startup does not have these problems, because system generally has these permissions. The security settings for the database server open only 1433 and 5631 ports for dedicated MSSQL database servers, as described above, to set up TCP/IP filtering and policy. For MSSQL, first you need to set a strong password for the SA, use mixed authentication, strengthen the logging of the database log, and audit the "success and failure" of the database login events. Remove unwanted and dangerous ole automatic stored procedures (which can cause some of the features in Enterprise Manager to not be used) These processes include the following: sp_OACreate sp_OADestroy sp_oageterrorinfo sp_oagetproperty sp_OAMethod sp_OASetProperty Remove unwanted registry access procedures including: Xp_regaddmultistring xp_regdeletekey xp_regdeletevalue xp_regenumvalues xp_regread Xp_ Regremovemultistring xp_regwrite Remove other system stored procedures, if you think there is a threat, of course, be careful to drop these processes, can be tested on the test machine, to ensure that the normal system can complete the work, thisProcedures include: xp_cmdshell xp_dirtree xp_dropwebtask sp_addsrvrolemember xp_makewebtask xp_runwebtask xp_subdirs sp _addextendedproc Select the properties of the TCP/IP protocol in the instance properties. Selecting a hidden SQL Server instance prevents detection of port 1434 and modifies the 1433 port used by default. Remove the Guest account from the database to exclude unauthorized users. Exceptions are the master and tempdb databases because they are required for their Guest account. Also note that you set the permissions for each database user, and that these users only give some permissions to the database in which they reside. Do not use the SA user to connect to any database in your program. The network has recommended that you use the protocol encryption, do not do so, otherwise you can only reload the MSSQL. Intrusion detection and data backup intrusion detection work as the day-to-day management of the server, intrusion detection is a very important work, in the normal detection process, mainly contains routine server security routine inspection and intrusion intrusion inspection, which is divided into the intrusion in the security check and before and after the invasion security. The security of the system follows the principle of cask, the barrel principle refers to: a wooden bucket consists of many pieces of wood, if the composition of the wooden barrels of the length of the wood, then the maximum capacity of the bucket does not depend on the length of the plank, but depending on the shortest piece of wood. Applying to security means that the security of the system depends on the most vulnerable parts of the system, and these places are the focus of everyday security testing. Daily security testing is mainly for the security of the system, the work is mainly carried out in accordance with the following steps: 1. View Server Status: Open Process Manager, view server performance, and observe CPU and memory usage. See if there are any exceptions, such as CPU and memory usage. 2. Check the current process situation switch task Manager to the process to find out if there are any suspicious applications or background processes running. When you view a process with the process manager, there is a taskmgr, which is the process manager itself. If you are running a Windows Update, there is a wuauclt.exe process. For a unsure process or a process that doesn't know which application is on the server, you can search the process name on the network to determine the process Knowledge Base: http://www.dofile.com/. Usually the back door if there is a process, generally take a similar to the system process name, such as Svch0st.exe, at this time to carefully distinguish [usually confusing means is variable letter O for the number 0, variable letter L for the number 1] 3. Check system account to turn on Computer Management,Expand Local user and group options, view group options, see if a new account is added to the Administrators group, and check for a cloned account. 4. View current port opening use Activeport to view current port connections, especially with externally connected ports to see if there are unauthorized ports communicating with the outside world. If so, close the port immediately and record the corresponding program for the port, and then transfer the program to another directory for later analysis. Turn on Computer Management = = "Software Environment = =" Running task [here you can see hidden processes that are not visible in the process manager], see the currently running program, if there is an unknown program, record the location of the program, open Task Manager to end the process, For the daemon using the backdoor and other programs can try to end the process tree, such as still unable to end, search the registry in the name of the program, delete the key values, switch to safe mode to delete the relevant program files. 5. Check that the system service is running services.msc, check the service in the started state, see if there is a new unknown service and determine the purpose of the service. For a service that is not clear, open the properties of the service, see what the executable file corresponds to the service, and if you are sure that the file is a normal file within the system, you can leave it at a glance. See if there are any other normal open service dependencies on the service, and if so, can be roughly spared. If you cannot determine if the execution file is a normal system file and there are no other normal open services dependencies on the service, you can temporarily stop the service and test that the various applications are normal. For some backdoor because of the use of the Hook system API technology, added service items in the Service Manager is not visible, you need to open the registry hkey_local_machinesystemcurrentcontrolsetservices items to find, By looking at the name of each service, the corresponding execution file to determine whether it is a backdoor, trojan program, etc. 6. View the related log run eventvwr.msc, and roughly check the related log records in the system. Right-click Properties on the corresponding log record while viewing, set a log filter in filter, select only errors, warnings, and view the source and description of the log. For errors that occur if a solution can be found in the common troubleshooting of the server, the problem is handled in accordance with this method, and if there is no solution, the problem is recorded, and the event source, ID number and specific description information are recorded in detail to find out the solution to the problem. 7. Check system files mainly check the system disk EXE and DLL files, recommended that the system after installation with Dir *.exe/s >1.txt all the exe file list to save, and then each time to check the command to generate a list of the time, with FC compare two files, the sameCheck the DLL file for related checks. Note that the original list will be rebuilt once the patch is patched or the software is installed. Check if the related system files are replaced or if the system is installed a Trojan door and other malicious programs. If necessary, run an antivirus program to scan the system disk once. 8. Check that the security policy changes the properties that open the local area connection, see if the "TCP/IP protocol" is checked in general, turn on the TCP/IP protocol settings, click Advanced = = options, see if IP Security is a set IP policy, view "TCP/IP" The filter allowed port has not been changed. Open the Administrative Tools = Local Security policy to see if the IP Security policy currently in use has changed. 9. Check directory permissions focus on whether the system directory and important application permissions have been changed. The directory you want to view is c:;c:winnt; C:winntsystem32;c:winntsystem32inetsrv;c:winntsystem32inetsrvdata;c:documents and Settings, and then check the Serv installation directory, See if the permissions for these directories have been changed. Check that some important files under System32 have changed permissions, including files such as Cmd,net,ftp,tftp,cacls. 10. Check the startup key to check the current boot from program. You can use Areporter to check for a startup program. When an intrusion response is found, the following conditions are dealt with when the system has been compromised, the system has not been damaged or is temporarily unaware of the damage, the following inspection steps are reviewed and the measures are considered as appropriate. When the system is compromised, the following measures should be taken immediately: the manner in which the treatment is seriously determined, whether by remote processing or through field processing. If the situation is seriously recommended for field treatment. If the use of field processing, in the discovery of the first time the invasion of the engine room to shut down the server, the processing staff rushed to the room when the network disconnect, and then enter the system for inspection. If the use of remote processing, such as serious first time to stop all application services, change the IP policy to only allow remote management port to connect and then restart the server, reboot and then remotely connect to the processing, restart before restarting with Areporter check the boot from the program. Then proceed to the security check. The following processing measures for the user site was invaded but did not endanger the system, if the user requirements to enhance the security of their own site, you can strengthen the security of the user site as follows: The site root directory----only to the administrator Read permissions, permission inheritance down. wwwroot------Read and Write permissions to Web users. Advanced inside has delete subfolders and file permissions LogfilES------Write permission to system. The database------Read and Write permissions to Web users. Superior inside did not delete subfolders and file permissions if further modification is required, the characteristics of the user site for ordinary file storage directory such as HTML, JS, picture folder only to read permissions, ASP and other script files to give the permissions on the table above. Also view the security log of the user's site, identify the cause of the vulnerability, and assist the user with patch vulnerabilities. Data backup and data recovery data backup work roughly as follows: 1. Back up system data once a month. 2. Back up the system two weeks after the backup of the application data, mainly including IIS, serv, databases and other data. 3. Ensure the security of backup data and classify the data backups. As a result of basically all backup methods, the retention period for the data can only retain the second backup and the last backup data two copies. Data recovery work: 1. When the system crashes or encounters other unrecoverable system normal conditions, make a backup of some of the change events that occurred after the last system backup, such as the application, security policy, and so on, and then restore the changes after the system is restored. 2. Applications, and so on, with the most recent backup data recovery related content. Server performance Optimization 1 server performance Optimization system performance optimization system space: Delete the system backup files, delete drive backup, remove the unused input method, delete the system's Help files, uninstall the infrequently used components. Minimize the C-disk file. Performance optimization: Remove redundant boot autorun programs, reduce pre-read, reduce progress bar wait time; Let the system automatically shut down programs that stop responding; disable error reporting, but notify when a critical error occurs; Turn off automatic Updates to manually update computers; Enable hardware and DirectX acceleration; disable shutdown Event tracking , disable the Configure Server Wizard, reduce the boot disk scan wait time, transfer processor scheduling and memory usage to the application, adjust virtual memory, memory optimization, modify the CPU level two cache, and modify the disk cache. 1 2 Next page >> content navigation to force (0 votes) to tempt (0 Votes) nonsense (0 Votes) Professional (0 Votes) The title party (0 Votes) passing (0 Votes) The original text: Web dedicated server security settings of the actual combat skills (1) Back to network security home