Prevention is better than cure

Source: Internet
Author: User


Yesterday a client's website had a Trojan planted on it. I bear some of the responsibility, because I am usually lazy about server security settings. Some of these settings take only a few minutes, yet I put them off; once the server has been maliciously damaged, it takes far more time to recover the data. Laying a good foundation for server security early avoids a lot of unnecessary losses when trouble comes.

Drawing on my own experience and lessons, I will summarize some tips and methods for server security settings.

I. Installation of the operating system

The operating system used as the example here is Windows 2000; newer versions of Windows have similar features.

When you format a hard disk, you must format it as NTFS and never use the FAT32 type.

Use the C: drive for the operating system, the D: drive for commonly used software, and the E: drive for the Web site. Set the disk permissions immediately after formatting: leave C: at its defaults; on D:, give the administrator and System Full Control and delete all other users; on E:, which holds the site, if there is only one site, give the administrator and System Full Control and Everyone Read. If a piece of code on the site must perform a write operation, change the permissions separately on the folder that holds that file.

The installation must follow the principle of minimum service: do not select services you do not need, so that you end up with a minimal system installation. When installing IIS, install only the most basic necessary functions and leave out unnecessary, dangerous services such as FrontPage 2000 Server Extensions, Internet Services Manager (HTML), FTP services, documentation, Indexing Service, and so on.

II. Network Security Configuration

The most basic part of network security is the port settings. In the local connection properties, select Internet Protocol (TCP/IP), click "Advanced", and then click "Options" - "TCP/IP Filtering". Open only the ports that the Web service needs to use, and configure the dialog as shown below.

After these settings are applied, the server itself can no longer use domain name resolution and therefore cannot browse the Internet, but access from outside is normal. This setting is designed primarily to prevent ordinary DDoS attacks.

III. Security template settings

Run MMC, add the standalone snap-in "Security Configuration and Analysis", import the template Basicsv.inf or Securedc.inf, and then click "Configure Computer Now". The system then automatically configures account policies, local policies, system services, and so on in one step. However, these configurations may cause some software to fail or run incorrectly.

IV. Web server settings

Taking IIS as the example: never use the default Web directory that IIS installs; create a new directory on the E: drive instead. Then, in IIS Manager, right-click the host -> Properties -> WWW Service Edit -> Home Directory Configuration -> Application Mappings, keep only ASP and ASA, and delete all the rest.

V. Security of ASP

On IIS systems, most Trojans are written in ASP, so the security of ASP components is very important.

Most ASP Trojans actually do their work by calling the Shell.Application, WScript.Shell, WScript.Network, FSO, and ADODB.Stream components. Apart from the FSO, most of the others can be disabled directly.

To remove the WScript.Shell component, use this command: regsvr32 wshom.ocx /u

To remove the WScript.Network component, use this command: regsvr32 wshom.ocx /u

Shell.Application can be blocked by denying the Guests users access to shell32.dll, which prevents them from calling this component. Use the command: cacls c:\winnt\system32\shell32.dll /e /d Guests

The command to prohibit Guests users from executing cmd.exe is: cacls c:\winnt\system32\cmd.exe /e /d Guests

The FSO component is more cumbersome to disable. If the site itself does not need this component, disable it with the command: regsvr32 scrrun.dll /u. If the website itself needs to use the FSO, see this article.
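To confirm that the component settings above actually took effect, the following classic ASP page (an added example, not part of the original article) tries to create each component named in this section and reports which ones the Web account can still instantiate. The file name component_check.asp is hypothetical, and the page assumes it is requested as the anonymous IIS user, which the cacls commands above treat as a member of Guests.

```asp
<%@ Language="VBScript" %>
<%
Option Explicit
' Added example: report which of the COM components named above the
' account running this page can still instantiate.
' Assumption: saved under a hypothetical name such as component_check.asp
' in the site root and requested once as the anonymous web user.

Dim progIds, notes, i, state
progIds = Array("WScript.Shell", "WScript.Network", "Shell.Application", _
                "Scripting.FileSystemObject", "ADODB.Stream")
' What the article's settings should produce for each component.
notes = Array("unregistered with wshom.ocx", _
              "unregistered with wshom.ocx", _
              "shell32.dll denied to Guests", _
              "unregistered with scrrun.dll unless the site needs FSO", _
              "no command given in the article; reported only")

' True when Server.CreateObject succeeds for the given ProgID.
Function CanCreate(progId)
    Dim obj
    On Error Resume Next
    Err.Clear
    Set obj = Server.CreateObject(progId)
    CanCreate = (Err.Number = 0)
    Set obj = Nothing
    On Error GoTo 0
End Function

Response.ContentType = "text/plain"
For i = 0 To UBound(progIds)
    If CanCreate(progIds(i)) Then
        state = "STILL CREATABLE"
    Else
        state = "blocked"
    End If
    Response.Write progIds(i) & ": " & state & " (" & notes(i) & ")" & vbCrLf
Next
%>
```

Any line reading STILL CREATABLE for a component you meant to disable means the corresponding command did not apply; delete the page from the site once the check is done.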

In addition, Microsoft's URLScan tool, which filters illegal URL requests, can also play a certain preventive role. Of course, daily backups are also a good habit. Everything comes down to prevention: if you wait to mend the fold until the sheep are already dead, mending is of no avail!
