I saw a good article on WinMag. Although I know this already, I still have to search for it, so I will go through it slowly :D
A security fortress for Windows Server 2003
If you want to reprint this or have any questions, please contact me: 52pcdiy@21cn.com or QQ: 75864251
If you have configured Windows NT Server or Windows 2000 Server, you will have noticed that these Microsoft products are not the most secure out of the box. Microsoft provides plenty of security mechanisms, but you have to turn them on yourself. With Windows Server 2003 Microsoft changed that philosophy: the server should be secure by default. That is a good idea, but the execution is not complete. A default Windows Server 2003 installation is certainly more secure than a default Windows NT or Windows 2000 installation, but it still has shortcomings. Here is how to make Windows Server 2003 safer.

Step 1: Rename the administrator account and create a trap account

For many years Microsoft has recommended renaming the Administrator account and disabling the Guest account for better security. In Windows Server 2003 the Guest account is disabled by default, but renaming the Administrator account is still necessary, because attackers usually start with the Administrator account. Open Local Security Settings, select Local Policies → Security Options, and in the right pane double-click "Accounts: Rename administrator account". Give the administrator an unremarkable name: do not use "admin", which is as good as not renaming it at all; disguise it as an ordinary user, for example "guestone". Keep in mind that renaming only hides the name. The built-in administrator keeps its relative ID of 500, so a tool that looks accounts up by SID over an anonymous connection still finds it, which is one more reason to restrict anonymous access in Step 2 and to give the account a strong password.

Then create a trap account: a low-privilege local user named Administrator that can do nothing useful, with a very complex password of more than 10 characters. Script kiddies who hammer away at "Administrator" waste their time on it, and their failed logons give the attempt away, provided that auditing of failed logon events is enabled under Local Policies → Audit Policy so the attempts land in the Security log. You can also assign the decoy a logon script that records anything that does get in.

Step 2: Delete the dangerous default shares

After Windows Server 2003 is installed the system creates several hidden administrative shares; you can list them with net share at a command prompt.
There are many articles about IPC intrusion on the Internet, so I am sure everyone is familiar with it. We therefore disable or delete these shares. First write a batch file:

@echo off
rem delete the default administrative shares; adjust the drive letters to your own disks
net share C$ /delete
net share D$ /delete
net share E$ /delete
net share F$ /delete
net share ADMIN$ /delete

Save it as delshare.bat in %SystemRoot%\System32\GroupPolicy\User\Scripts\Logon. Then choose Start → Run, type gpedit.msc and open the Group Policy Editor. Go to User Configuration → Windows Settings → Scripts (Logon/Logoff) → Logon, click Add in the Logon Properties window, enter delshare.bat in the Script Name field of the Add a Script dialog (Figure 1) and click OK. Group Policy now runs the script at every logon and deletes the default shares.

Two caveats. A user logon script only runs when someone logs on interactively, and the Server service recreates these shares every time it starts, so after a reboot they are back until the next logon; setting the REG_DWORD value AutoShareServer under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters to 0 stops them from being recreated. IPC$ cannot be removed this way, and remote administration tools that copy files to ADMIN$ stop working once it is gone, so weigh this against how you manage the server.

Disable IPC connections

IPC$ is the inter-process communication share, a remote network connection present in Windows NT/2000/XP/2003. It provides a communication channel (named pipes) between processes on two computers, and a number of network services are built on top of it.
IPC is like a paved road that we can use to reach a remote host. By default IPC$ is shared, that is, Microsoft has paved the road for us, which is why attacks that use it are often called IPC intrusions. Establishing an IPC connection needs no hacker tool at all; you type one command at a prompt, provided you know a username and password valid on the remote host:

net use \\IP\IPC$ "password" /user:"username"

An anonymous connection (a null session) does not even need that:

net use \\IP\IPC$ "" /user:""

We restrict this through the registry. Open the Registry Editor, go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa and set RestrictAnonymous to 1. Be clear about what this does and does not do: it does not disable IPC$ itself, which authenticated administration still needs; it restricts what a null session may enumerate, such as account names and share names. Authenticated IPC connections are stopped only by strong passwords, by removing the shares above and by filtering the ports in Step 4.

Step 3: Reset the remotely accessible registry paths

Setting the remotely accessible registry paths to empty effectively stops an attacker from reading the computer's system information and other details through the remote registry with a scanner. Open the Group Policy Editor and select Computer Configuration → Windows Settings → Security Settings → Local Policies → Security Options, open "Network access: Remotely accessible registry paths" and "Network access: Remotely accessible registry paths and sub-paths", and set both lists to empty (Figure 2). Remote management tools that read the registry, such as remote Performance Monitor counters and some backup agents, will no longer work against this server; if you need one of them, leave only the paths it uses.

Step 4: Close unneeded ports

Everyone knows that port 139 is the port used by NetBIOS. In earlier Windows versions, as long as File and Printer Sharing was not installed, port 139 was closed. The same applies in Windows Server 2003.
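Steps 1 to 3 can also be applied without clicking through the GUI by importing a security template with secedit. The batch script below is an added example and not part of the original article. It assumes an administrative command prompt on the server itself; the new administrator name "guestone" and the decoy password are placeholders to replace, and the AutoShareServer value and the audit settings go slightly beyond the article (they stop the default shares from being recreated at startup and make failed logons against the trap account visible in the Security log).

```batch
@echo off
rem Added example, not from the original article. Applies Steps 1-3 through a
rem security template (secedit) instead of the Local Security Settings GUI.
rem Placeholders to change before use: the new administrator name "guestone"
rem and DECOY_PW. Run from an administrative command prompt on the server.
setlocal
set INF=%TEMP%\harden2003.inf
set DB=%TEMP%\harden2003.sdb
set LOG=%TEMP%\harden2003.log
set "DECOY_PW=Replace-This-With-A-Long-Random-Passphrase"

rem --- Build the template. Registry value types: 4 = REG_DWORD, 7 = REG_MULTI_SZ ---
>"%INF%"  echo [Unicode]
>>"%INF%" echo Unicode=yes
>>"%INF%" echo [Version]
>>"%INF%" echo signature="$CHICAGO$"
>>"%INF%" echo Revision=1
>>"%INF%" echo [System Access]
rem Step 1: rename the built-in Administrator (RID 500) and keep Guest disabled
>>"%INF%" echo NewAdministratorName = "guestone"
>>"%INF%" echo EnableGuestAccount = 0
>>"%INF%" echo [Event Audit]
rem Audit failed logons (event 529 "bad user name or password" on Windows 2003)
rem so that attempts against the trap account show up: 2 = failures only
>>"%INF%" echo AuditLogonEvents = 2
>>"%INF%" echo AuditAccountLogon = 2
>>"%INF%" echo [Registry Values]
rem Step 2: limit what an anonymous (null-session) IPC$ connection may enumerate
>>"%INF%" echo MACHINE\System\CurrentControlSet\Control\Lsa\RestrictAnonymous=4,1
rem Step 2: stop the Server service from recreating C$, D$, ... and ADMIN$ at start
>>"%INF%" echo MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters\AutoShareServer=4,0
rem Step 3: empty both "remotely accessible registry paths" lists
>>"%INF%" echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedExactPaths\Machine=7,
>>"%INF%" echo MACHINE\System\CurrentControlSet\Control\SecurePipeServers\Winreg\AllowedPaths\Machine=7,

rem --- Apply the template, then compare the live system against it ---
secedit /configure /db "%DB%" /cfg "%INF%" /overwrite /areas SECURITYPOLICY /log "%LOG%" /quiet
if errorlevel 1 (
    echo secedit reported a problem, see "%LOG%"
    exit /b 1
)
secedit /analyze /db "%DB%" /cfg "%INF%" /log "%LOG%" /quiet
findstr /i /c:"Mismatch" "%LOG%" && echo Some settings did not apply, see "%LOG%"

rem --- Trap account: the old name, lowest privilege, long password ---
rem Created after the rename, when the name "Administrator" is free again.
net user Administrator "%DECOY_PW%" /add /comment:"decoy" /passwordchg:no /expires:never
net localgroup Users Administrator /delete
net localgroup Guests Administrator /add

rem --- Quick verification ---
reg query HKLM\SYSTEM\CurrentControlSet\Control\Lsa /v RestrictAnonymous
reg query HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters /v AutoShareServer
net user Administrator | findstr /i /c:"Local Group Memberships"
echo Existing shares stay until the Server service restarts (net stop server / net start server):
net share
endlocal
```

On a domain member the domain's Group Policy takes precedence over anything set here, so check the resulting settings with the analyze step rather than assuming the template stuck. The renamed account is still the one with RID 500; the trap account is an ordinary local user that merely carries the old name.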
To close port 139 completely, proceed as follows: right-click My Network Places, choose Properties, right-click Local Area Connection, choose Properties, and in the Local Area Connection Properties page clear the check mark next to File and Printer Sharing for Microsoft Networks (Figure 3). Then select Internet Protocol (TCP/IP), click Properties → Advanced → WINS and select "Disable NetBIOS over TCP/IP" (Figure 3). That finishes it off. This also helps against SMB password-guessing tools such as SMBCrack and against web pages that trick the server into sending its NT hash to an attacker's SMB server. One check before moving on: disabling NetBIOS over TCP/IP only closes ports 137 to 139; Windows Server 2003 also serves SMB directly on TCP 445, which stays open until File and Printer Sharing is unbound from the adapter as described above or the port is filtered. Confirm with netstat -an that neither 139 nor 445 is in the LISTENING state.

If IIS is installed on the machine as well, you should set up port filtering. Open the network adapter's properties, double-click Internet Protocol (TCP/IP), click Advanced to open the Advanced TCP/IP Settings window, select the Options tab, select TCP/IP Filtering and click Properties to open the TCP/IP Filtering window, then tick "Enable TCP/IP Filtering (All adapters)" (Figure 4) and configure it as needed. If the server only needs to serve web pages, open only TCP port 80: select "Permit Only" above "TCP Ports", click Add, enter 80 and click OK. Other requirements are handled the same way. Keep in mind that TCP/IP filtering only filters inbound traffic, applies to every adapter, takes effect after a reboot, and that a "Permit Only" list without 3389 locks you out of Remote Desktop, so make sure you have console access before applying it.
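The same Step 4 settings from the command line, with a before-and-after check of what is actually listening. This is an added example and not part of the original article. It assumes an administrative command prompt; the permitted port list (80 for the web site and 3389 for Remote Desktop) is an assumption to adjust per server, and the filtering part needs a reboot to take effect.

```batch
@echo off
rem Added example, not from the original article. Command-line equivalent of
rem Step 4: disable NetBIOS over TCP/IP on every IP-enabled adapter and turn
rem on TCP/IP filtering. The permitted TCP ports below (80 for the web site,
rem 3389 for Remote Desktop) are an assumption; adjust them for your server.
rem Run from an administrative command prompt; the filter needs a reboot.
setlocal

echo === Before: NetBIOS (137-139) and direct SMB (445) listeners ===
netstat -an -p tcp | findstr /r /c:":139 .*LISTENING" /c:":445 .*LISTENING"
netstat -an -p udp | findstr /r /c:":13[78] "

rem TcpipNetbiosOptions: 0 = take the DHCP setting, 1 = enabled, 2 = disabled.
rem "call" with a where clause applies the method to every matching adapter;
rem /interactive:off suppresses the per-instance confirmation prompt.
wmic /interactive:off nicconfig where "IPEnabled=true" call SetTcpipNetbios 2
wmic nicconfig where "IPEnabled=true" get Description,TcpipNetbiosOptions

rem Global switch behind the "Enable TCP/IP Filtering (All adapters)" box
set TCPIP=HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
reg add "%TCPIP%" /v EnableSecurityFilters /t REG_DWORD /d 1 /f

rem Per-interface permit lists (REG_MULTI_SZ; a single entry of 0 means "permit all").
rem The SettingID of each adapter configuration is the {GUID} used under Interfaces.
rem The inner for strips the trailing carriage return that wmic leaves on each line.
for /f "skip=1 delims=" %%L in ('wmic nicconfig where "IPEnabled=true" get SettingID') do (
    for /f "tokens=1" %%G in ("%%L") do (
        echo Filtering interface %%G
        reg add "%TCPIP%\Interfaces\%%G" /v TCPAllowedPorts /t REG_MULTI_SZ /d "80\03389" /f
        reg add "%TCPIP%\Interfaces\%%G" /v UDPAllowedPorts /t REG_MULTI_SZ /d "0" /f
        reg add "%TCPIP%\Interfaces\%%G" /v RawIPAllowedProtocols /t REG_MULTI_SZ /d "0" /f
    )
)

echo === After (445 stays open until File and Printer Sharing is unbound) ===
netstat -an -p tcp | findstr /r /c:":139 .*LISTENING" /c:":445 .*LISTENING"
reg query "%TCPIP%" /v EnableSecurityFilters
endlocal
```

The UDP and raw-IP lists are left at "permit all" on purpose: the article's scenario only filters TCP, and an empty or over-tight UDP list silently breaks DNS replies and other services. Run the two netstat lines again after the reboot to confirm the filter took effect.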
The above covers the basic settings. Now to other aspects.

(1) Re-enabling ASP scripts

To minimise hidden security risks, Windows Server 2003 does not serve ASP scripts by default. Many web applications are, however, implemented in ASP, so we need to re-enable ASP support while keeping everything else locked down. 1. From the Start menu choose Administrative Tools → Internet Information Services (IIS) Manager; 2. in the left pane of the IIS Manager window select Web Service Extensions; 3. in the right pane double-click Active Server Pages, then click Allow under Tasks. IIS 6 now serves ASP pages again. Allow only the extensions your applications actually use and leave the others prohibited.

(2) Adding a site to the Trusted zone

Windows Server 2003 ships with Internet Explorer Enhanced Security Configuration, a security component that lets you control how web sites are accessed. By default this enhanced security is enabled and the security level of every Internet site is set to High. Sites you visit frequently can be added to the Trusted sites zone so that the security prompt no longer pops up for them. To add a site to the Trusted zone: 1. type the site's address in the browser's address bar and press Enter; a security warning window opens automatically; 2. if you do not want to browse the site, click Close; if you do, click Add; 3.
In the Trusted sites window that opens, the address you are visiting already appears in the zone's text box; 4. click Add again to add the site to the Trusted sites zone. The next time you visit, the browser skips the security check and opens the page directly. Only add sites you control: the Trusted sites zone runs with a lower security level than the Internet zone, and a server is not the place to browse the web.

(3) Controlling system services as needed

A service is a kind of application that runs in the background, similar to a UNIX daemon. Services provide core operating-system functions such as web serving, event logging, file serving, Help and Support, printing, cryptography and error reporting, and you manage them on the local or a remote computer through the Services snap-in. Not every default service is something we need, and a service we do not need should be stopped or disabled to free system resources and remove code from the attack surface. To learn more about a service, open Control Panel → Administrative Tools → Services, where every service has a full description, or look it up in the Windows Server 2003 Help and Support.

A special note on service accounts. Windows Server 2003 reduces the need for service accounts to some extent, but some third-party applications still insist on a traditional service account. If possible use a local account rather than a domain account, because someone who gains physical access to the server can dump its LSA secrets and recover the password. If that is a domain password, any computer in the forest can be reached with it; a local account's password is good only on that computer and gives away nothing about the domain. A basic principle for system services: the more code is running on a system, the greater the chance that some of it contains a vulnerability.
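Both (1) and (3) have command-line equivalents that are easier to repeat across servers and to review afterwards. The batch script below is an added example and not part of the original article. It assumes an administrative command prompt on a Windows Server 2003 machine with IIS 6 installed (which provides iisext.vbs); the services listed in TO_DISABLE are only a placeholder, since which services a server can do without depends on what it is for.

```batch
@echo off
rem Added example, not from the original article. Command-line equivalents for
rem (1) allowing only the ASP web service extension in IIS 6 and (3) reviewing
rem and disabling services. TO_DISABLE is a placeholder list (assumption):
rem decide per server which services it really needs before running this.
rem Run from an administrative command prompt.
setlocal
set IISEXT=cscript //nologo %SystemRoot%\system32\iisext.vbs

echo === Web service extensions before (Active Server Pages is Prohibited by default) ===
%IISEXT% /ListExt
rem "ASP" is the extension ID of Active Server Pages. Only this one is allowed;
rem every other extension stays prohibited, which is the point of the default.
%IISEXT% /EnExt ASP
echo === Web service extensions after ===
%IISEXT% /ListExt

echo === Services that start automatically, with the account each runs as ===
wmic service where "StartMode='Auto'" get Name,State,StartName

echo === Running services whose account is not a built-in one ===
rem Their passwords sit in this server's LSA secrets; if one of them is a domain
rem account, whoever dumps the secrets walks away with a domain credential.
wmic service where "State='Running'" get Name,StartName | findstr /v /i /c:"LocalSystem" /c:"NT AUTHORITY" /c:"StartName"

rem Placeholder list (assumption): services this server does not need
set TO_DISABLE=Messenger Alerter

for %%S in (%TO_DISABLE%) do (
    echo Disabling %%S
    sc config %%S start= disabled
    sc stop %%S >nul 2>&1
)

echo === Verify start type ===
for %%S in (%TO_DISABLE%) do sc qc %%S | findstr /i /c:"SERVICE_NAME" /c:"START_TYPE"
endlocal
```

Review the two wmic listings before touching TO_DISABLE: a service with a domain account in StartName is the case the service-account note above warns about, and is worth moving to a local account or to a built-in one before it is worth disabling anything. Note the space after start= in sc config; without it sc rejects the command.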